One of the major initiatives that U.S. Cyber Command has been working on for two years is going to cost five times more than what military officials originally estimated, according to a Government Accountability Office report.
The program, a software platform called Unified Platform (UP), is meant to help forces and military services working with Cyber Command to reduce the amount of data silos, and to streamline data processing, storage, queries, and information-sharing to enhance overall mission effectiveness.
One of the main contributing factors to the miscalculation is that the overall cost of UP was not based on any independent analysis, GAO found.
“UP did not have several key elements of its business case approved at the time of program initiation, such as approved requirements, a cost estimate informed by independent analysis, or a formal schedule risk assessment,” the GAO said. “Our prior work has shown that this type of information is important to help decision makers make well-informed decisions about middle-tier program [initiation].”
Cyber Command has historically had spending issues — in 2017, for instance, the commander told the House Armed Services Committee the command had not yet used its acquisition authorities. The underestimate of this program’s expenditures raises questions about whether the command is managing its expectations properly three years later.
The Air Force Cost Analysis Agency has now independently assessed the UP will cost more than previously estimated in part because Cyber Command has changed its requirements along the way.
“The new cost estimate includes costs beyond the completion of this middle-tier acquisition. Program officials attribute this cost increase to new U.S. Cyber Command requirements,” the GAO report said.
The program also runs the risk of running costs up further — and encountering cybersecurity issues — because it did not form a cybersecurity strategy for the program, which was initiated in 2018.
“Not addressing cybersecurity issues sooner may increase risk to the program,” the GAO found. “Our past work has shown that not focusing on cybersecurity until late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning.”
The program office, which was supposed to roll out the cybersecurity strategy last month, expects to have it approved by August. Cyber Command did not immediately return request for comment on the contents and timing of the strategy.
Currently, the program also does not adhere to industry best practices when it comes to software development, GAO found.
“[T]he UP program is utilizing Agile and DevSecOps software development methodologies,” the report said. “However, the program’s current approach allows for fielding new features at the end of each 3-month increment, an approach that differs from industry’s Agile practices, which encourage the delivery of working software to actual users on a continuing basis.”
Moving forward, the program does not plan to complete a technology risk assessment or a schedule risk assessment, which would help military officials make well-informed decisions about the program, GAO said.