21 September 1998
Source:
http://www.access.gpo.gov/su_docs/aces/aaces002.html
PDF version available at source (461K)
Defense Information Superiority: Progress Made, But Significant Challenges Remain (Letter Report, 08/31/98, GAO/NSIAD/AIMD-98-257). Pursuant to a congressional request, GAO reviewed the Department of Defense's (DOD) progress in implementing certain key information superiority activities to provide an indication of how well DOD is progressing toward its information superiority goals, focusing on DOD's progress in: (1) establishing a DOD-wide architecture for the information systems known as Command, Control, Communications, Computers (C4), Intelligence, Surveillance, and Reconnaissance (C4ISR) systems; (2) developing and implementing the Global Command Control System (GCCS); (3) establishing the Joint Tactical Radio Systems (JTRS); and (4) implementing recommendations of the Defense Science Board Task Force on Information Warfare-Defense. GAO noted that: (1) DOD faces many challenges in achieving its information superiority goals and objectives and may need many years of concerted effort to reach them; (2) one of the key challenges is to complete the development of a C4ISR architecture, maintain it, and ensure that the many systems that make up the C4ISR infrastructure comply with the architecture; (3) without an established architecture and the ability to enforce its use, DOD will find it difficult to make cost-effective development and acquisition decisions and ensure that the systems work with each other, perform as expected, and are adequately protected; (4) DOD has been trying unsuccessfully to establish some form of Department-wide C4ISR architecture; (5) in the past 6 years DOD refocused its efforts and made progress by building Department-wide consensus on what should be accomplished by the architecture and how it should be built; (6) DOD also established the architectural component that defines technical standards for C4ISR systems; (7) the most important component, which defines the information needs that are the basis for setting system standards and acquiring and protecting systems, is not completed; (8) furthermore, plans for developing and implementing the remainder of the architecture are still being formulated; (9) DOD has been developing a number of critical C4ISR systems and information assurance measures without the benefit of a completed and approved architecture; (10) enforcing compliance with the C4ISR architecture will be an important factor in achieving information superiority; (11) DOD said that compliance with the architecture will be achieved through a combination of new and existing oversight organizations and processes; (12) however, DOD has had difficulty in achieving compliance with related C4ISR policies and decisions in the past; (13) in the absence of a C4ISR architecture, DOD has had mixed success in developing and fielding GCCS, its premier strategic C4ISR system; (14) although some of its features are well liked by users, GCCS has encountered problems; (15) it also has potential year 2000 problems that could cause systems failure; (16) DOD officials told GAO that the Department has suspended development of the JTRS program until Congress approves and funds the program; and (17) to meet interim needs, DOD has allowed the services to acquire a limited number of service-unique radios until the joint radios become available. --------------------------- Indexing Terms ----------------------------- REPORTNUM: NSIAD/AIMD-98-257 TITLE: Defense Information Superiority: Progress Made, But Significant Challenges Remain DATE: 08/31/98 SUBJECT: Command/control/communications/computer systems Requirements definition Computer security Military communication Systems design ADP procurement Strategic information systems planning Military radio IDENTIFIER: JCS Joint Vision 2010 DOD Command, Control, Communications, and Computer Systems DOD Global Command and Control System DOD Future Years Defense Program Worldwide Military Command and Control System DOD Joint Tactical Radio System DOD C4 Intelligence, Surveillance, and Reconnaissance Systems DOD Defense Information Assurance Program Y2K ****************************************************************** ** This file contains an ASCII representation of the text of a ** ** GAO report. Delineations within the text indicating chapter ** ** titles, headings, and bullets are preserved. Major ** ** divisions and subdivisions of the text, such as Chapters, ** ** Sections, and Appendixes, are identified by double and ** ** single lines. The numbers on the right end of these lines ** ** indicate the position of each of the subsections in the ** ** document outline. These numbers do NOT correspond with the ** ** page numbers of the printed product. ** ** ** ** No attempt has been made to display graphic images, although ** ** figure captions are reproduced. Tables are included, but ** ** may not resemble those in the printed version. ** ** ** ** Please see the PDF (Portable Document Format) file, when ** ** available, for a complete electronic file of the printed ** ** document's contents. ** ** ** ** A printed copy of this report may be obtained from the GAO ** ** Document Distribution Center. For further details, please ** ** send an e-mail message to: ** ** ** ** <info@www.gao.gov> ** ** ** ** with the message 'info' in the body. ** ****************************************************************** Cover ================================================================ COVER Report to the Chairman, Subcommittee on Military Research and Development Committee on National Security, House of Representatives August 1998 DEFENSE INFORMATION SUPERIORITY - PROGRESS MADE, BUT SIGNIFICANT CHALLENGES REMAIN GAO/NSIAD/AIMD-98-257 Defense Information Superiority (707294) Abbreviations =============================================================== ABBREV C3 - Command, Control, and Communications C3I - Command, Control, Communications, and Intelligence C4 - Command, Control, Communications, and Computers C4I - Command, Control, Communications, Computers, and Intelligence C4ISR - Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance DISA - Defense Information Systems Agency DOD - Department of Defense GCCS - Global Command and Control System IA - Information Assurance JTRS - Joint Tactical Radio System Letter =============================================================== LETTER B-278201 August 31, 1998 The Honorable Curt Weldon Chairman, Subcommittee on Military Research and Development Committee on National Security House of Representatives Dear Mr. Chairman: In 1996, the Chairman of the Joint Chiefs of Staff issued a conceptual framework for the Department of Defense's (DOD) war fighting called Joint Vision 2010.\1 The document identifies information superiority over the enemy as a key element for the success of this vision. DOD defines information superiority as "the capability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary's ability to do the same." DOD believes that information superiority can provide significant advantages over the enemy during a conflict and increase the efficiency of peacetime and wartime operations. However, greater reliance on information systems may also make DOD vulnerable to intrusion and attack on those systems, damaging its war-fighting capability.\2 As requested, we evaluated DOD's progress in implementing certain key information superiority activities to provide an indication of how well DOD is progressing toward its information superiority goals. Specifically, you asked us to evaluate DOD's progress in establishing a DOD-wide architecture for the information systems known as Command, Control, Communications, Computers (C4), Intelligence, Surveillance, and Reconnaissance (C4ISR) systems; developing and implementing the Global Command and Control System (GCCS); and establishing the Joint Tactical Radio System (JTRS). In addition, you asked us to evaluate DOD's progress in implementing recommendations of the Defense Science Board Task Force on Information Warfare-Defense.\3 At your request, we reported on DOD's implementation of these recommendations and other activities to protect its C4ISR systems in a separate letter to the Subcommittee for a June 11, 1998, joint hearing with the Military Procurement Subcommittee on the fiscal year 1999 national defense authorization request on Critical Infrastructure Protection-Information Assurance.\4 -------------------- \1 Joint Vision 2010 recognizes the need to modernize DOD's war-fighting concepts and respond to advancing technologies for the 21st century. It translates information superiority and the technological advances that are changing traditional war-fighting concepts into new concepts through changes in weapon systems, doctrine, culture, and organization. It also describes the improved intelligence and improved command and control available in the information age as the basis of four operational concepts--dominant maneuver, precision engagement, full dimensional protection, and focused logistics. \2 Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84, May 22, 1996) and Critical Foundations: Protecting America's Infrastructures, Report of the President's Commission on Critical Infrastructure Protection (Washington, D.C.: Oct. 1997). \3 The recommendations were presented in Report of the Defense Science Board Task Force on Information Warfare-Defense (IW-D), Office of the Under Secretary of Defense for Acquisition and Technology (Washington, D.C.: Nov. 1996). The task force determined that DOD's information systems were highly vulnerable to intrusions and attacks and made over 50 recommendations for improving their protection. \4 DOD's Information Assurance Efforts (GAO/NSIAD-98-132R, June 11, 1998). BACKGROUND ------------------------------------------------------------ Letter :1 Achieving information superiority will be expensive and complex. Based on its analysis of the fiscal year 1999 through 2003 Future Years Defense Plan, DOD estimates it will budget an average of $43 billion a year (nearly 17 percent of the $257 billion budget request for fiscal year 1999) for C4ISR systems and activities during the plan period. Achieving information superiority is complex because it involves thousands of decentralized C4ISR systems and information networks. Furthermore, the systems, networks, and information superiority activities are managed by many different offices of the Secretary of Defense, Joint Chiefs of Staff, services, unified commands, and defense agencies throughout DOD. One of DOD's key activities to achieve information superiority is the development of a Department-wide C4ISR information systems architecture. An information systems architecture is a blueprint that guides and controls the development and maintenance of many related systems. Another key activity is the development and deployment of a Department-wide Defense Information Infrastructure\5 that features GCCS as DOD's principal worldwide command and control system. GCCS has more capabilities and functions (such as almost real-time knowledge of battlefield conditions, or situational awareness)\6 than the system it replaced. DOD is also trying to consolidate the services' programmable, modular tactical radio development and acquisition programs into a single JTRS program to reduce costs and increase the ability of the services to communicate with each other. JTRS is intended to become one of the Department's key tactical-level C4ISR systems. Finally, DOD is developing and implementing a Department-wide program to protect and defend its C4ISR systems from intrusion and attack; this activity is known as information assurance. -------------------- \5 DOD describes this infrastructure as all of the information systems and networks used to support the war fighter. \6 DOD defines situational awareness as knowledge of one's location, the location of friendly and hostile forces, and external factors such as terrain and weather that may affect one's capability to perform a mission. RESULTS IN BRIEF ------------------------------------------------------------ Letter :2 DOD faces many challenges in achieving its information superiority goals and objectives and may need many years of concerted effort to reach them. One of the key challenges is to complete the development of a C4ISR Architecture, maintain it, and ensure that the many systems that make up the C4ISR infrastructure comply with the Architecture. Without an established architecture and the ability to enforce its use, DOD will find it difficult to make cost-effective development and acquisition decisions and ensure that the systems work with each other, perform as expected, and are adequately protected. For over 30 years (since 1967) DOD has been trying unsuccessfully to establish some form of Department-wide C4ISR Architecture. In the past 6 years DOD refocused its efforts and made progress by building Department-wide consensus on what should be accomplished by the Architecture and how it should be built. DOD also established the architectural component that defines technical standards for C4ISR systems. However, the most important component, which defines the information needs that are the basis for setting system standards and acquiring and protecting systems, is not completed. Furthermore, plans for developing and implementing the remainder of the Architecture, to define systems and information flows, are still being formulated. Meanwhile, DOD has been developing a number of critical C4ISR systems and information assurance measures without the benefit of a completed and approved architecture. Enforcing compliance with the C4ISR Architecture will be an important factor in achieving information superiority. DOD said that compliance with the Architecture will be achieved through a combination of new and existing oversight organizations and processes. For example, DOD recently reorganized the Office of the Assistant Secretary of Defense for C3I to better focus on visibility, support, and responsibility for information technology architectures. It also stated that it will rely on program reviews conducted within traditional planning, budgeting, and acquisition oversight processes to achieve compliance. However, DOD has had difficulty in achieving compliance with related C4ISR policies and decisions in the past. Therefore, it remains to be seen whether the new organization and traditional oversight processes will be effective in achieving architectural compliance. DOD's experience with two key C4ISR systems is indicative of the types of challenges ahead. In the absence of a C4ISR architecture, DOD has had mixed success in developing and fielding GCCS, its premier strategic C4ISR system. Although some of its features are well liked by users, GCCS has encountered problems. These include problems with some key functions that cause the system to perform less effectively than expected. It also has potential year 2000 problems that could cause system failure.\7 Similarly, requirements for JTRS have not been defined in the context of an established C4ISR architecture. Also, DOD officials told us that the Department has suspended development of the JTRS program until Congress approves and funds the program. To meet interim needs, DOD has allowed the services to acquire a limited number of service-unique radios until the joint radios become available. -------------------- \7 Year 2000 problems are difficulties that may be encountered by many information and computer systems that were programmed to use two digits to identify years (98 for 1998), causing a year identified as 00 to be misinterpreted as 1900 instead of 2000 and resulting in program malfunctions or failure. PROGRESS MADE WITH THE ARCHITECTURE, BUT MUCH WORK REMAINS ------------------------------------------------------------ Letter :3 A single C4ISR architecture is critical for achieving information superiority. After more than 30 years, DOD has begun to make progress toward establishing such an architecture but needs to complete its development, establish adequate information assurance measures, and enforce compliance by the services, unified commands, and agencies. C4ISR ARCHITECTURE IS CRITICAL TO ACHIEVING INFORMATION SUPERIORITY ---------------------------------------------------------- Letter :3.1 To construct a building it is necessary to have a plan that shows the building's features, its systems and their functions, the way different components interrelate, and the way the components should be built. The architects and engineers must also take into account building codes, rules, and standards. The effective and efficient development and management of an organization's information systems require a similar architectural blueprint. An information systems architecture can be viewed as having both logical and technical components. At the logical level the architecture includes a high-level description of the organizational mission being accomplished, the different functions being performed, the relationships between functions, the information needed to perform these functions, and the flow of information among functions. At the technical level the architecture provides rules and standards to ensure that interrelated systems are interoperable, portable, and maintainable.\8 These rules and standards include specifications for hardware, software, communication, data, security, and performance characteristics. DOD is developing, managing, and maintaining an extremely complex system of C4ISR information systems and networks. Establishing an overall architecture under which these information systems and networks will operate is critical for achieving information superiority. Without one, DOD will have difficulty identifying, establishing, and prioritizing (1) the information and information links needed among the services, war fighters, intelligence sources, and national command authorities; (2) the processes and technical standards to be used to communicate information among them; (3) the systems and interoperability needed to achieve the timely transfer of information from where it is maintained to where it is needed; and (4) the measures needed to protect the systems, their information, and the infrastructure supporting them. Establishing information and information link requirements for conducting operations is particularly important because they are needed to design and develop systems. Information requirements include the amount, type, source, frequency, and speed at which data and information must be gathered, edited, correlated, fused, updated, displayed, printed, and transmitted. Many system developers and program managers have identified ill-defined or incomplete information requirements and requirements growth as root causes of system failure.\9 Without adequately defined, organizationally approved information requirements, a system may need extensive and costly reengineering before it can become fully operational. For example, we recently reported that the Federal Aviation Administration had to spend over $38 million to overcome incompatibilities between air traffic control systems, a problem that may have been avoided if the Administration had a complete information systems architecture.\10 System requirements such as security, reliability, availability, and maintainability must be accurately defined because they drive subsequent choices (such as hardware and software) and have a significant impact on system development cost, schedule, and performance. As for the security provisions of a C4ISR architecture, a March 1997 report of a DOD task force on information assurance stressed the importance of having the architecture drive information assurance.\11 The report concluded that adequate information assurance is critical for achieving information superiority and that U.S. forces are at increasing risk of failing in their mission without it. It also concluded that DOD's C4ISR Architecture must support security and that security must be addressed in an integrated way when the system is first designed and not later with add-on products or services. The report further concluded that DOD must provide security links throughout a C4ISR architecture to show what, when, where, and why security should be applied; where, what, and how it will be applied; and the codes and standards for what and how security will be applied. -------------------- \8 Interoperable means that systems or programs are capable of exchanging information and operating together effectively. Portable means that a computer program can be transferred from one hardware and/or software configuration to another. Maintainable means that errors in an operational program can be located and fixed with reasonable effort. \9 Strategic Information Planning: Framework for Designing and Developing System Architectures (GAO/IMTEC-92-51, June 1992). \10 Air Traffic Control: Complete and Enforced Architecture Needed for FAA Systems Modernization (GAO/AIMD-97-30, Feb. 3, 1997). \11 Improving Information Assurance: A General Assessment and Comprehensive Approach to an Integrated IA Program for the Department of Defense (ASD C3I, Mar. 28, 1997). PAST ARCHITECTURE EFFORTS NOT SUCCESSFUL ---------------------------------------------------------- Letter :3.2 DOD has had an official requirement for C4ISR interoperability and for a Department-wide architecture since 1967, when it encountered communications interoperability problems during the Vietnam War. However, it has never adequately met that requirement, even though it experienced similar problems during military operations in Grenada, Panama, and the Persian Gulf. In 1987\12 and again in 1993\13 we reported that DOD had made little progress in meeting the requirement because it lacked centralized or joint managerial and funding control over individual service priorities, which often took precedence over interoperability priorities. We also reported that all of DOD's component commands, services, and agencies had been unable to agree on what such an architecture should accomplish or what it should consist of. -------------------- \12 Interoperability: DOD's Efforts to Achieve Interoperability Among C3 Systems (GAO/NSIAD-87-124, Apr. 27, 1987). \13 Joint Military Operations: DOD's Renewed Emphasis on Interoperability Is Important but Not Adequate (GAO/NSIAD-94-47, Oct. 21, 1993). RECENT PROGRESS MADE ---------------------------------------------------------- Letter :3.3 In 1992, after serious interoperability problems with command, control, communications, computers, and intelligence (C4I) systems in the Persian Gulf War, the Joint Staff began an initiative called C4I for the Warrior to stress joint interoperability, stimulate solutions, and guide the services toward a global information system. This initiative gave stimulus to a number of C4ISR development efforts, including the Defense Information Infrastructure, the overall C4ISR Architecture, and the concept of information superiority described in Joint Vision 2010. Before an effective architecture could be developed, however, DOD had to forge an agreement among the services, commands, and agencies on what that architecture should accomplish and how it would be constructed. Thus, a working group of service, command, and DOD agency representatives in June 1996 established a C4ISR Architecture Framework, which outlined a coordinated, Department-wide approach to C4ISR Architecture development, presentation, and integration. The Framework was updated in December 1997 and agreed on by the services, the Joint Staff, and the Office of the Assistant Secretary of Defense for C3I. According to DOD, the Framework is now required to be used by all DOD organizations. The Framework describes an overall architecture comprised of three interdependent, interlocking components: an operational, a systems, and a technical subarchitecture. The operational component--known as the Joint Operational Architecture--is supposed to identify and document war-fighting information needs. The system component--known as the Joint Systems Architecture--is supposed to describe which systems, common information flow, and system interfaces will be used to meet war-fighting needs. Finally, the technical component--known as the Joint Technical Architecture--is supposed to specify the characteristics and standards for hardware, software, communications, data, security, and performance.\14 Underlying the building of the information infrastructure and technical subarchitecture was a common operating environment, in which all DOD component organizations would be required to develop, acquire, and deploy C4ISR systems that operate under a common set of standards and protocols to permit interoperability. The creation of this framework was an important step--it was the first DOD-wide consensus on what a C4ISR architecture should do and how it should be built. The three-part Architecture also conforms to the generally accepted architectural definition described earlier: DOD's operational subarchitecture corresponds to the logical definition, while the technical and system subarchitectures together correspond to the technical definition. Multiple DOD organizations are involved in the development of the three-part Architecture. The Joint Staff's C4 Systems Directorate (J6) is responsible for developing the operational subarchitecture, the component services and unified commands are responsible for developing the systems subarchitecture, and the Defense Information Systems Agency (DISA) is responsible for developing the technical subarchitecture. The Office of the Assistant Secretary of Defense for C3I is responsible for overall coordination and integration of the DOD-wide C4ISR Architecture. Of the three subarchitectures, only the technical subarchitecture has been officially established. In August 1996, DOD completed a first version of the technical subarchitecture and mandated that all new C4ISR systems and major upgrades comply with the standards and guidelines it prescribed. DOD completed a second, expanded version of the technical subarchitecture in February 1998. -------------------- \14 In comments on a draft of this report, DOD described the C4ISR Architecture as being comprised of three subarchitectural "views"--the Joint Operational, Joint Technical, and Joint Systems Views. It also used the terms Joint Operational Architecture and Joint Technical Architecture. Because the meaning of the term "view" may be confusing to some readers, we have used only the terms "architecture" or "subarchitecture" when referring to the three architectural components. THREE-PART ARCHITECTURE AND INFORMATION ASSURANCE PROGRAM REMAIN INCOMPLETE ---------------------------------------------------------- Letter :3.4 Although DOD has established a technical subarchitecture, we believe the operational subarchitecture is the most important of the three subarchitectures and should have been completed first because it determines the basis for information needs, thereby forming the foundation for the other subarchitectures and for determining systems' development and acquisition needs. The operational subarchitecture is still being developed, and DOD officials estimate that its overall structure will be completed in the second quarter of fiscal year 1999. DOD plans to have each unified command develop its own operational architecture and to have a working group under Joint Staff leadership oversee the integration of all the different architectures into a single Joint Operational Architecture. As for the systems subarchitecture, no plans have been set for its development, according to a DOD official. The need for establishing an overall C4ISR Architecture is highlighted by the architecture's close relationship with information assurance activities. In our June 1998 letter to the Subcommittee on DOD's C4ISR systems protection activities, we noted that DOD's organizations had undertaken a variety of information assurance measures that were not meeting the Department's needs. For example, a DOD internal analysis and a subsequent report in November 1997 concluded that the Department's decentralized information assurance management could not deal with information assurance adequately because of the proliferation of networks across DOD and that some assurance efforts were only minimally effective. In our letter, we also noted that to improve information assurance management (1) in December 1997 the Assistant Secretary of Defense for C3I established an Information Technology Security Certification and Accreditation Process that requires comprehensive information assurance evaluations of all information technology systems in accordance with standard analytical procedures and (2) in January 1998 the Deputy Secretary directed the Assistant Secretary of Defense for C3I to develop and implement the DOD-wide Defense Information Assurance Program proposed in the November 1997 report. We concluded that the effectiveness of these new activities remains to be determined but also noted that DOD's information assurance efforts are moving forward without a completed and approved C4ISR Architecture in place. EFFECTIVE MANAGEMENT STRUCTURE TO ENFORCE COMPLIANCE IS ESSENTIAL ---------------------------------------------------------- Letter :3.5 Creating the C4ISR Architecture in itself is not enough to build the Defense Information Infrastructure and its attendant systems. An effective management structure to enforce compliance with the Architecture is essential. In December 1996 the Chairman of the Joint Chiefs of Staff, observing that no formal enforcement mechanism existed for the implementation of the C4ISR Architecture Framework, cited the need for a management structure to carry out this task. Specifically, no one had responsibility for enforcing compliance with the Framework. At about the same time, a DOD C4ISR Integration Task Force made a number of recommendations to improve C4ISR management, including a recommendation that DOD establish oversight mechanisms to ensure that the Department's organizations comply with the Architecture Framework. An example of the sort of problem created by lack of an enforcement mechanism was provided by a Joint Staff biennial assessment of DISA.\15 The assessment found that the services often experienced joint interoperability, connectivity, and configuration management problems with DISA's core program systems after they were fielded. DISA relies on the services at the base, post, station, and camp levels to integrate the systems after they are fielded. The Chairman of the Joint Chiefs of Staff believed that such problems occurred because of so-called "Title 10 concerns"\16 and DISA's lack of authority to require the services to adequately fund the integrations needed. The tendency to give individual service requirements higher priority was also noted in a November 1997 DOD Inspector General report,\17 which observed that the sense of urgency or importance of implementing the Joint Technical Architecture is not apparent in the plans and approaches of the Navy and the Air Force, while the Army has shown greater commitment to implementation. In comments on a draft of this report, DOD indicated that it will rely on a combination of recently established and traditional oversight organizations and processes to achieve compliance with the C4ISR Architecture. These consist of the Architecture Coordination Council, established in 1997 and cochaired by the Under Secretary of Defense for Acquisition and Technology, the Joint Staff's Director for C4 Systems, and the Assistant Secretary of Defense for C3I; the Joint Requirements Oversight Council, supported by requirements analyses provided by a Joint C4ISR Decision Support Center; the Joint Strategic Planning System; the Planning, Programming, and Budgeting System; and the acquisition system. DOD also indicated that it will rely on program reviews conducted within the planning, budgeting, and acquisition oversight processes to achieve compliance with the C4ISR Architecture. Finally, DOD stated that it recently reorganized the Office of the Assistant Secretary of Defense for C3I to better focus on visibility, support, and responsibility for DOD information technology architectures. It is not yet clear whether these oversight organizations and processes will be effective in achieving compliance with the C4ISR Architecture. As indicated earlier, DOD has had a long history of being unable to override service-unique priorities and establish C4ISR interoperability and a DOD-wide architecture. In addition, other reports we have recently issued on related subjects disclose a similar inability of DOD to attain compliance with C4ISR policies and decisions.\18 Finally, we believe it is too early to gauge the potential impact the reorganization may have on DOD's ability to enforce compliance with the Architecture. -------------------- \15 This biennial assessment is required by 10 U.S.C. Section 193. \16 This phrase refers to the independent funding authority granted the military departments under 10 U.S.C. and a tendency for them to fund their own service-unique requirements before funding joint requirements. \17 Implementation of the DOD Joint Technical Architecture (DOD Inspector General Report No. 98-023, Nov. 18, 1997). \18 For example, Defense IRM: Poor Implementation of Management Controls Has Put Migration Strategy at Risk (GAO/AIMD-98-5, Oct. 20, 1997) and Joint Military Operations: Weaknesses in DOD's Process for Certifying C4I Systems' Interoperability (GAO/NSIAD-98-73, Mar. 13, 1998). GCCS AND JTRS IMPLEMENTATION EFFORTS ILLUSTRATE CHALLENGES FACING DOD ------------------------------------------------------------ Letter :4 DOD is facing tough challenges in developing and implementing GCCS and JTRS. Although GCCS has greater capabilities and functions--such as almost real-time situational awareness of the battlefield--than its predecessor, the development, fielding, and performance of GCCS have been hampered by fragmented management. DOD is also trying to consolidate the services' programmable, modular tactical radio development and acquisition programs into a single joint radio program to increase interoperability among services and efficiency in acquisition. While awaiting approval and funding of the JTRS Program, the services are procuring interim radios. GCCS IS AN EVOLVING SYSTEM ---------------------------------------------------------- Letter :4.1 GCCS began as a system of existing command and control components that was to be implemented rapidly to replace DOD's outdated World Wide Military Command and Control System and fulfill the most urgent user requirements. DOD plans to further develop GCCS as an "evolutionary system," which means that DOD will continue to develop its capabilities incrementally as it reacts to user feedback or rapidly evolving new technology. As new GCCS versions are fielded, DOD intends to have added capabilities replace other existing C4ISR systems. While initially developing GCCS, DOD did not clearly define the system's goals, requirements, and schedules. For example, a 1997 Institute for Defense Analysis report on this evolutionary process said that the GCCS architecture was designed, developed, and fielded not as a single system but through periodic additions of functionality and capability over the past 3 years.\19 It described GCCS as a "set of long-term goals established by DOD senior leadership, the attainment of which does not have a well defined trajectory." -------------------- \19 Richard H. White et al., An Evolutionary Acquisition Strategy for the Global Command and Control System (GCCS), Institute for Defense Analysis (Sept. 1997). MIXED SUCCESS WITH GCCS ---------------------------------------------------------- Letter :4.2 DOD has experienced a mixture of successes and problems in implementing GCCS. For example, users like some of the additional features it provides compared to the old system and found them productive. These features include mission-related communications by e-mail, internet-like web pages, and on-line discussion groups. Users also like the idea of being provided situational awareness of the battlefield. However, some key capabilities, such as the system's operational planning function and the situational awareness function, have experienced problems and are performing less effectively than expected. Also, operator training is deficient, data exchange procedures with coalition partners have not been defined, and the system is at risk of failure because year 2000 problems have not been fully resolved. If GCCS encounters year 2000 problems, the United States and its many allies who use GCCS could have difficulty conducting a Desert Storm-type engagement.\20 We believe these problems exist partly because DOD does not have a set of clearly defined goals, requirements, and schedules for the system. -------------------- \20 Defense Computers: Year 2000 Computer Problems Threaten DOD Operations (GAO/AIMD-98-72, Apr. 30, 1998). GCCS MANAGEMENT IS FRAGMENTED ---------------------------------------------------------- Letter :4.3 A May 1995 report by DOD's Office of Inspector General expressed concern about GCCS management and oversight and said that GCCS management is scattered among the Joint Staff, DISA, and the services.\21 It noted that although DISA is the project manager for GCCS, it does not have the authority to provide overall direction and control of the program. A similar issue was raised in a 1997 study commissioned by DISA on the technical foundation of GCCS.\22 That study said that DOD had not established an adequate foundation for enabling full interoperability among DOD computer systems because DISA lacks resources and does not have the formal mission of implementing a complete strategy to achieve interoperability. The study concluded that there is little likelihood of the pieces coming together as envisioned for full interoperability. DOD recognizes that GCCS needs a more structured acquisition management process and is considering ways to provide this structure, including a strategy proposed in the September 1997 report by the Institute for Defense Analysis. Under this strategy, future GCCS acquisitions would take place in phases so that resources would be applied to meet mission requirements in discrete time periods. Each phase would be controlled by a contract that would describe cost, performance, scheduling, testing, economic, and budgetary issues and identify deliverable command and control capabilities. However, the strategy would still accept the current roles and missions of organizations involved in GCCS. -------------------- \21 Management of the Global Command and Control System (DOD Inspector General Report No. 95-201, May 24, 1995). \22 Defense Information Infrastructure Common Operating Environment I&RTS Review and Assessment, prepared by GARTNER Consulting for the Defense Information Systems Agency (Nov. 4, 1997). ESTABLISHMENT OF JTRS PROGRAM ---------------------------------------------------------- Letter :4.4 The Secretary's Defense Planning Guidance for fiscal years 1999-2003 directed the Assistant Secretary of Defense for C3I, in coordination with the Chairman of the Joint Chiefs of Staff and the services, to define DOD-wide requirements for a high-capacity, next-generation, digital, programmable tactical radio. It also directed the Assistant Secretary to establish a joint program for a family of radios that would consolidate similar programs under development by the services--the Army's Future Digital Radio, the Navy's Digital Modular Radio, and the Air Force's Airborne Integrated Terminal. In response to this directive, DOD officially established the JTRS Program in September 1997.\23 In December 1997, the Under Secretary of Defense for Acquisition and Technology appointed the Army as the program's permanent component acquisition executive and lead service and directed that a joint program office be established to manage the development of an evolutionary architecture and perform JTRS management functions. According to DOD officials, a joint program manager has been appointed, and the services and the Office of the Secretary have agreed on an organizational structure for the joint program office. However, according to the officials, the activation of the program and joint program office are on hold pending congressional approval of the program and reprogramming action to fund it. DOD plans to begin fielding JTRS radios between 2002 and 2004. In addition, DOD has established the program's joint operational requirements but, as with the GCCS and other systems, these have been established without a fully established and approved C4ISR Architecture. To meet interim needs, the services plan to acquire limited numbers of their own radios. The Air Force told us it plans to spend $133 million for 330 less expensive, reduced capability Airborne Integrated Terminals needed for aircraft operating in Europe to comply with European air traffic control requirements. The Navy told us it plans to spend $211 million for 352 digital modular radios to comply with a Joint Staff directive to meet Demand Assigned Multiple Access\24 standards for satellite communications terminals. The Army told us it plans to begin buying 3,157 radios in fiscal year 2000 to support its digitization program. The JTRS Program's objectives are to provide a family of digital, modular, software-programmable radios that will allow military commanders to communicate with their forces through voice, video, or data formats as needed and that will range in configuration from a low-cost joint tactical radio to a higher capability, joint multiband, multimode radio. This approach is being used to accommodate the services' many individual requirements, including space and size, and the many different conditions--airborne, ground mobile, fixed station, maritime, and personal communications--in which the radios will be used. The concept is that the radios can be programmed or configured to function in a number of modes and frequencies to fit a user's specific needs. By combining functions and using common components, DOD believes the services will be able to reduce unit costs and the number of radios needed. -------------------- \23 The program was originally named the Programmable Modular Communications System. It was renamed JTRS in December 1997. \24 This is a technology for gaining efficiency in the use of ultra-high frequency satellite communication channels through automated channel sharing by users. CONCLUSIONS ------------------------------------------------------------ Letter :5 DOD faces many challenges in achieving its information superiority goals. These challenges are exemplified by the difficulty DOD has experienced in its efforts to develop and implement the C4ISR Architecture, establish system requirements and operational effectiveness for GCCS, and develop the JTRS Program. DOD's C4ISR architectural and other information superiority activities are complex undertakings and involve considerable investments in C4ISR systems. In addition, they will require overcoming difficult and long-standing institutional problems and organizational boundaries to be successful. Consequently, it may take many years of concerted effort for DOD to reach its information superiority objectives. DOD's recent efforts to establish a C4ISR Architecture have begun to show progress. However, much work remains to be done. In particular, DOD needs to complete the C4ISR Architecture, follow through with information assurance plans, ensure that efforts resulting from those plans are linked to requirements established by the Architecture, and make certain that established oversight processes are effective in achieving C4ISR systems' compliance with the Architecture. Completion of these activities should enable DOD to make cost-effective decisions for C4ISR systems development and acquisition and make sure that the systems perform as expected. In our opinion the complexity, magnitude, and cost of DOD's information superiority efforts warrant a comprehensive overview, to be completed annually, of the state of the Department's management and oversight of C4ISR acquisitions. We believe that conveying such an overview, describing to Congress DOD's progress toward achieving a Department-wide C4ISR strategy and compliance with the C4ISR Architecture, would enhance Congress' understanding of this important subject as well as the basis on which decisionmakers consider future C4ISR investment needs. RECOMMENDATIONS ------------------------------------------------------------ Letter :6 To enhance DOD's ability to achieve its information superiority goals and objectives, we recommend that the Secretary of Defense (1) establish milestones for completing the C4ISR Architecture and information assurance program and (2) ensure the C4ISR management structure has sufficient authority to enforce compliance with the C4ISR Architecture and is effective in achieving that compliance. A consideration the Secretary should give to achieving that compliance is to ensure that Architecture compliance is incorporated into DOD's planning, programming, and budgeting process and C4ISR systems funding decisions. MATTERS FOR CONGRESSIONAL CONSIDERATION ------------------------------------------------------------ Letter :7 Congress may wish to consider having DOD report, in conjunction with annual budget requests, on the progress being made Department-wide in implementing the information superiority concept and its attendant key C4ISR systems development and acquisitions. In such reports, Congress may wish to require DOD to describe its progress in (1) completing and maintaining the C4ISR Architecture, including progress toward established milestones; (2) establishing information assurance and its compliance with the Architecture; and (3) developing and implementing key C4ISR systems, such as GCCS and JTRS, and the ways and degree to which they are complying with the Architecture and information assurance requirements. Congress also may wish to take DOD's progress into consideration when deliberating the authorization and funding of C4ISR systems. In discussions with us about these suggestions, DOD officials acknowledged that such perspectives are not available and agreed that such information may be useful to Congress and DOD in overseeing C4ISR investments. They stated that DOD is working to establish such perspectives and could modify existing reports to Congress to include them. Rather than establishing a separate reporting requirement, Congress may wish to have DOD modify the reports it already provides to include the information we suggest. AGENCY COMMENTS ------------------------------------------------------------ Letter :8 In commenting on a draft of this report, DOD generally concurred with our recommendations. It also affirmed its commitment to achieving information superiority and stated that it is making significant progress toward that goal. For example, it noted that the Office of the Assistant Secretary of Defense for C3I had recently been reorganized to enhance visibility, support, and responsibility for information technology architectures to achieve information superiority. It also cited the Defense-wide Information Assurance Program as a recent step it has taken to focus attention on the importance of information assurance and to establish a means for achieving that assurance. DOD agreed with our recommendation that milestones be established for completing the C4ISR Architecture and information assurance program. It also provided additional details on how it plans to complete the development and implementation of the Architecture and Information Assurance Program and pointed out that establishing and maintaining them will be a continuous process involving all levels of the Department. Based on this information, we updated the estimated completion date for the operational subarchitecture. However, DOD did not provide details of how or when the systems subarchitecture would be completed. DOD also agreed with our recommendation that the Secretary take steps to ensure that an effective management structure is in place with the authority and responsibility to enforce compliance with the C4ISR Architecture. DOD described the oversight organizations and processes it will rely on to achieve compliance with the C4ISR Architecture Framework and its architectures. We incorporated this information and our evaluation of it into the report as appropriate. DOD also commented on our matters for congressional consideration. DOD stated that it already provides information to Congress on the Department's progress toward milestones through documents such as congressional justification books for C4ISR programs, which are submitted in conjunction with annual oversight hearings. In reviewing the documents referred to by DOD, we found that they do not provide a comprehensive overview of the progress DOD is making, Department-wide, on the C4ISR Architecture and on C4ISR systems within the context of the Architecture and information superiority goals. In further discussions with DOD officials about these matters, the officials acknowledged that such a Department-wide perspective is not available and agreed that such information may be useful to Congress and DOD in overseeing C4ISR investments. They stated that DOD is working to establish such perspectives. However, these officials also stated that they were concerned that our suggestion of the matters for congressional consideration would require an additional reporting mechanism separate from annual budget submissions and believed existing reports to Congress could be modified to provide the information. We have clarified that the congressional reporting we are suggesting could be done within the context of existing reports. SCOPE AND METHODOLOGY ------------------------------------------------------------ Letter :9 To determine the progress of DOD's efforts in establishing an overall C4ISR Architecture, we obtained and reviewed the initial documents and latest drafts of DOD's C4ISR Architecture Framework and Joint Technical Architecture. To evaluate the issues DOD faces in implementing the framework, we reviewed its C4ISR Integration Task Force Executive Report (Dec. 23, 1996) and the Joint Chiefs of Staff's Combat Support Agency Review of the Defense Information Systems Agency (Dec. 30, 1996). To confirm our analysis of these documents and to determine the latest progress in implementing a DOD-wide C4ISR Architecture, we interviewed senior officials of the headquarters offices of the Assistant Secretary of Defense for C3I; the C4I Integration Support Activity, including the Director and Deputy Director; and the Joint Staff, including the Director for C4 Systems. We also relied on our previous reports on DOD's C4I interoperability efforts for our analysis of DOD's past architectural efforts. In addition, we relied on information in our separate June 11, 1998, letter to the Subcommittee concerning DOD's information assurance efforts for perspectives on these efforts. The scope and methodology of our efforts for that work are contained in the letter. To determine the progress of GCCS, we reviewed relevant reports, briefings, and other documents from and interviewed appropriate officials within the headquarters offices of the Assistant Secretary of Defense for C3I; the Joint Staff; DISA's GCCS program office; and the Army, the Navy, the Marine Corps, and the Air Force. We also interviewed and received briefings from appropriate officials and reviewed relevant program documents during visits to the U.S. Atlantic Command and U.S. Central Command with respect to the commands' experiences with GCCS and users' points of view on its development and progress. In addition, we observed the use of GCCS in Unified Endeavor 98-1, a simulated joint task force war game exercise at the U.S. Atlantic Command's Joint Training, Analysis, and Simulation Center in Suffolk, Virginia; in the U.S. Central Command war room; and in the Army's Task Force XXI Advanced Warfighting Experiment in Fort Hood, Texas. We also reviewed relevant studies and reports from the Defense Science Board, the DOD Inspector General, and the Institute for Defense Analysis. Finally, we interviewed a former Assistant Secretary of Defense for C3I and a former DISA director who were involved in GCCS conceptualization, development, and initial implementation. At the time of our interviews, these two officials held executive positions with DOD information technology contractors. To determine DOD's progress in developing and implementing JTRS, we interviewed appropriate JTRS program officials within the headquarters offices of the Assistant Secretary of Defense for C3I; the Under Secretary of Defense (Comptroller); and the Army, the Navy, and the Air Force. We reviewed relevant correspondence, cost and schedule data, and other documents pertaining to the JTRS program. In addition to the work described above, we sought perspectives on information superiority implementation management in general through interviews with a former Assistant Secretary of Defense for C3I; a panelist and several staff members responsible for C4ISR issues on the National Defense Panel; a former Joint Staff C4 Systems and DISA director; and staff members of a National Research Council of the National Academy of Sciences review of Department of Defense C4I programs. We received briefings and reviewed relevant documents from appropriate senior and other officials within the headquarters offices of the Assistant Secretary of Defense for C3I, including the Deputy Assistant Secretary of Defense for C3 and the Director and Deputy Director of the C4I Integration Support Activity; DISA; and the Joint Staff, including the Director for C4 Systems. We also obtained and reviewed relevant studies and reports from the Congressional Research Service, Defense Science Board, DOD Inspector General, Institute for Defense Analysis, and National Defense Panel. We performed our review from July 1997 to June 1998 in accordance with generally accepted government auditing standards. ---------------------------------------------------------- Letter :9.1 We are sending copies of this report to the Ranking Minority Member of the Subcommittee; the Chairman and Ranking Minority Member of the House Committee on National Security; other interested congressional committees; and the Secretaries of Defense, the Army, the Navy, and the Air Force. We will also make copies available to others upon request. This report was prepared under the direction of Allen Li, Associate Director, Defense Acquisitions Issues, National Security and International Affairs Division, and Jack L. Brock, Jr., Director, Governmentwide and Defense Information Systems Issues, Accounting and Information Management Division. Please contact Mr. Li on (202) 512-4841 if you or your staff have any questions concerning this report. Other major contributors to the report are listed in appendix II. Henry L. Hinton, Jr. Assistant Comptroller General National Security and International Affairs Gene L. Dodaro Assistant Comptroller General Accounting and Information Management (See figure in printed edition.)Appendix I COMMENTS PROVIDED BY THE DEPARTMENT OF DEFENSE ============================================================== Letter and 5. [Figures are images of DoD letter and comments; see PDF version at source site.] (See figure in printed edition.) (See figure in printed edition.) (See figure in printed edition.) (See figure in printed edition.) (See figure in printed edition.) The following are GAO's comments on the Department of Defense's (DOD) letter dated July 29, 1998. GAO COMMENTS ----------------------------------------------------------- Letter :10 1. We have incorporated discussions of the reorganization into the report. 2. In discussions with DOD officials about these statements, the officials said that DOD was referring specifically to the Congressional Justification Book for Command, Control, and Communications; Information Technology Exhibit for the budget submission (Exhibit 43); three volumes of congressional justification books on joint military and tactical intelligence programs and related activities; congressional budget justification books submitted by the Director of Central Intelligence on national intelligence programs; and Command C4ISR Architectures produced by each unified command. However, we reviewed these documents (with the exception of the national intelligence-related document, which has restricted access) and did not find the comprehensive overview of DOD's C4ISR systems that we think would enable Congress to fully understand and oversee the Department's information superiority-related authorization and funding requests. For example, these submissions do not provide a Department-wide overview of DOD's progress in developing, implementing, and achieving compliance with the C4ISR Architecture; compliance is a key to achieving and managing information superiority effectively and efficiently. In addition, the documents do not provide sufficient information about (1) how the various C4ISR systems for which authorizations and funding have been requested comply with the Architecture, (2) how the C4ISR systems relate to one another in the overall scheme of the C4ISR Architecture (providing a perspective on potential system redundancies and relative need), or (3) how and to what extent the systems comply with information assurance requirements dictated by the Architecture and DOD's Defense-wide Information Assurance Plan. Currently, the information provided by DOD is scattered among multiple and voluminous documents. Although we did not assess the usefulness of these documents for other purposes, such as command-wide guidance to system developers that may be provided by the command architectures, we found that they do not provide a comprehensive overview of the progress DOD is making, Department-wide, on the C4ISR Architecture and on C4ISR systems within the context of the Architecture and information superiority goals. For example, congressional justification books summarize progress of individual systems. In subsequent discussions with DOD officials on the content and purpose of the documents referred to by DOD, the officials acknowledged that a Department-wide perspective is not available and agreed that such information may be useful to Congress and DOD in overseeing C4ISR investments. They stated that DOD is working to establish such perspectives. However, these officials also stated that they were concerned that our suggestion of the matters for congressional consideration would require an additional reporting mechanism separate from annual budget submissions and believed existing reports to Congress could be modified to provide the information. We recognize that current DOD reports to Congress could form a viable framework within which to incorporate our suggestion for a Department-wide overview and progress description. Consequently, we have clarified that the congressional reporting we suggest could be accomplished within the context of existing reports. 3. DOD continues to use the terms Joint Operational Architecture, Joint Technical Architecture, and Joint Systems Architecture in conjunction with the terms Joint Operational View, Joint Technical View, and Joint Systems View. We believe the use of both sets of terms may be confusing to some readers. Consequently, we have used only the terms "architecture" or "subarchitecture" when referring to the three architectural components in this report. 4. Based on the information provided, we updated the estimated completion date for the operational subarchitecture. However, DOD did not provide details of how and when the systems subarchitecture would be developed and completed. Therefore, it remains to be seen how DOD will develop and implement this portion of the Architecture. 5. We incorporated information DOD provided on Architecture compliance mechanisms and recognized the reorganization initiatives. As stated in the report, it is not yet clear whether these mechanisms and the reorganization will be effective in achieving compliance. For example, DOD has a long history of being unable to use its review processes effectively to overcome service-unique priorities and attain compliance with policies and decisions in joint C4ISR systems matters. While the organizational changes may enhance DOD's success in achieving architectural compliance, we believe it is too early to gauge their potential effectiveness in this regard. MAJOR CONTRIBUTORS TO THIS REPORT ========================================================== Appendix II NATIONAL SECURITY AND INTERNATIONAL AFFAIRS DIVISION, WASHINGTON, D.C. Charles F. Rey, Assistant Director Charles R. (Randy) Climpson, Evaluator-in-Charge Robert R. Hadley, Senior Evaluator Gregory K. Harmon, Senior Evaluator Bruce H. Thomas, Senior Evaluator Stefano Petrucci, Communications Analyst ACCOUNTING AND INFORMATION MANAGEMENT DIVISION, WASHINGTON, D.C. -------------------------------------------------------- Appendix II:1 Keith A. Rhodes, Technical Director Joseph T. (Mickey) McDermott, Assistant Director Joseph A. DeBrosse, Senior Evaluator *** End of document. ***