The U.S. faces increasingly sophisticated cyber threats, such as the 2019 SolarWinds security breach. To mitigate these threats, DOD is continually developing new software-based capabilities.
In response to previous Government Accountability Office (GAO) recommendations, Cyber Command—the Department of Defense (DOD) command responsible for cyberspace operations—is maturing its Joint Cyber Warfighting Architecture (JCWA) to integrate systems that enable the cyber warfighting mission. In December 2020, the command identified JCWA roles and responsibilities, and, in September 2021, it approved a JCWA Concept of Operations to define interoperability goals and intended outcomes of the programs.
On March 30, 2022, GAO reported that Cyber Command has initiated efforts to assess JCWA acquisitions. DOD policy requires outcome-based evaluations, called Value Assessments, for programs within one year of fielding capabilities to determine whether they result in mission outcomes that are worth the investment. DOD clarified its Value Assessment guidance after GAO raised Cyber Command’s confusion regarding its role in scheduling these assessments. The command subsequently initiated the JCWA program Value Assessments, once it understood it was responsible for doing so, and these assessments were underway as of March 2022.
GAO’s review found that Cyber Command has not yet developed the required outcome-based metrics to support the Value Assessments. DOD policy and guidance call for such metrics to help programs understand mission improvements. For example, measuring improvements in the speed of operations could help Cyber Command determine whether programs are delivering intended outcomes.
GAO notes in its report that the command has been slow to determine metrics, in part because of inexperience conducting Value Assessments and the challenge of accounting for other factors—like new cyber operations tactics—on mission outcomes. Though this process is new, DOD guidance encourages experimentation and learning, so that metrics can continue to be refined over time. While the command is unlikely to have outcome-based metrics for the first three assessments that are underway, GAO believes there is sufficient time for it to do so for those it has not yet initiated.
GAO is recommending that Cyber Command develop outcome-based metrics to inform future Value Assessments. DOD concurred and reported that it has requested additional resources from within the Department to assist this effort.