WASHINGTON — The way U.S. Cyber Command procures and tests new capabilities for cyber operations lacks a test and evaluation strategy as well the proper authority and resources to manage new tools, which the Pentagon’s weapons tester has said could result in fielding capabilities without demonstrating or understanding their effectiveness, suitability or survivability.
Cyber Command created the Joint Cyber Warfighting Architecture, or JCWA, in 2019 as a means of guiding capability development. When the command was initially created, it lacked resources and capabilities, thus having to rely upon systems used by the National Security Agency. Given the two have distinctly different missions — intelligence collection versus warfighting — Cyber Command needed to build its own tools and infrastructure.
The fiscal 2021 annual report of the Office of the Director, Operational Test and Evaluation assessed this architecture lacked governance, the latest in a series of government watchdog assertions alleging as much.
“[A] lack of governance has led to an ad-hoc alignment of [test and evaluation] efforts for the systems JCWA encompasses. This will result in fielding capabilities without demonstrating or understanding their contribution to JCWA operational effectiveness, suitability, or survivability,” the report said. “USCYBERCOM has not designated an Operational Test Agency to define and develop metrics needed to conduct integrated JCWA‑level OT&E. T&E strategies and processes are maturing, but not fast enough to support initial delivery of capability and features.”
Following criticism from government agencies and Congress, Cyber Command created a JCWA integration office and a JCWA capabilities management office. Moreover, to address interoperability concerns, Cyber Command created a concept of operations that defines a vision for employing and integrating various capabilities.
Despite these efforts, DOT&E said both the integration office and the capabilities management office lack authority or resources to effectively manage JCWA activities.
“Each program has different release and deployment schedules and there are no validated JCWA‑level mission thread requirements or plans for an integrated JCWA-level operational test,” the report said.
Cyber Command declined to comment on the report.
While Cyber Command does possess some level of acquisition authority, it continues to rely on the services as executive agents to procure major tools, systems and infrastructure that will be used by all cyberwarriors across the Department of Defense.
Officials have acknowledged ongoing integration challenges.
“We are evolving and we are beginning some initial direct integration across the different programs,” Col. Ben Ring, director of the JCWA, said in November. “You’re integrating across multiple services, multiple programs, and each of the services — they have different personnel systems, different training systems, and trying to bring that together is working, we’re evolving. But it’s, as you can imagine, it’s taking some time to bring that together. We’re continuously gathering feedback from the force and continuing to evolve, as we are one team to try to achieve unified mission.”
However, the effort overall is rapidly evolving with constant improvements and iterations.
DOT&E did note that in fiscal 2020, the JCWA integration office initiated the development of a test and evaluation strategy establishing multiple working groups to inform test infrastructure requirements and develop test scenarios based on mission threads. However, that strategy is still maturing and needs greater support from Cyber Command and the services, DOT&E said.
What’s more, the report asserted that each of the programs are developing test and evaluation strategies independent of the JCWA’s, which could lead to inefficiencies and test inadequacies.
DOT&E recommended the Pentagon identify, resource and empower a JCWA acquisition management organization to coordinate the integration of capabilities.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.