Unified Platform, a software platform led by U.S. Cyber Command (CYBERCOM) and designed to consolidate cyber capabilities and data processing, is set to cost five times its initial program estimate, and the program has skipped over key assessments, according to a June 3 Government Accountability Office (GAO) report.
Since awarding contracts to five different companies in March 2019, the program has engaged in rapid prototyping by delivering software in three-month increments. CYBERCOM accepted “Increment 1,” the first of these prototypes, in April 2019 and has since accepted three additional increments. According to an independent analysis by the Air Force Cost Analysis Agency, however, the program’s actual cost for this rapid prototyping greatly exceeds initial estimates.
“The program’s cost estimate was more than five times its initial estimate at program initiation, which had not been independently assessed,” the GAO report states. “The new cost estimate includes costs beyond the completion of this middle-tier acquisition. Program officials attribute this cost increase to new U.S. Cyber Command requirements,” the report adds.
The Unified Platform program has also failed to complete both the schedule risk and technology risk assessments. GAO wrote that the schedule risk assessment could not be completed because “the program’s schedule does not link the sequence of activities required to achieve a specific result,” key information necessary to the assessment. In lieu of this assessment, Unified Platform relies on collaboration with stakeholders to plan and prioritize the content of each increment.
CYBERCOM did not do a technology risk assessment for Unified Platform because “officials said they do not have any critical technologies,” per the GAO report.
Unified Platform also lacks a complete cybersecurity strategy, although it was expected to be completed by April 2020. GAO raised concerns that the lack of a cybersecurity strategy for a full year since developing its initial prototypes could increase risk. “Our past work has shown that not focusing on cybersecurity until late in the development cycle or after a system has been deployed is more difficult and costly than designing it in from the beginning,” GAO notes.
GAO received responses about middle-tier acquisition programs such as Unified Platform between September 2019 and December 2019, but the report does not make clear whether CYBERCOM met its April 2020 goal for development of a cybersecurity strategy.
In response to the report, the Department of Defense wrote that it is continuing to improve oversight of its middle-tier acquisition programs and is implementing the directions for improvement recommended by GAO.