GAO Highlights Key Tech Security Efforts—and Gaps—at DOD, Confirming Major Government Role
This month, the Government Accountability Office (GAO) published a report assessing the Department of Defense’s (DOD) approach to identifying and securing critical technologies. While DOD has been operating programs to protect critical technologies for decades, the 2019 John S. McCain National Defense Authorization Act required the Secretary of Defense to develop, maintain and update annually a list of acquisition programs, research and development initiatives, technologies, and manufacturing capabilities that are essential to the national security of the United States. This list is likely to inform DOD and interagency efforts to prevent the export, theft or counterfeiting of such capabilities by foreign adversaries and to help guide federal investment in future emerging technologies.
The list, and how DOD plans to share it with other agencies, may also affect other efforts related to the security of products, services and technologies used and procured by the government, from the Federal Acquisition Security Council (FASC) to the new Internet of Things (IoT) Cybersecurity Law, to Binding Operational Directives issued by the Department of Homeland Security to other agencies restricting use of technology. Indeed, a particular program or technology identified on DOD’s list as critical to national security may draw a higher level of, or more immediate, scrutiny by these and other entities as they work to shore up supply chain and technology security. FASC in particular has emphasized information sharing and risk analysis as key to its evaluation and potential recommendation of sources and covered articles for removal or exclusion. Similarly, DHS has focused on critical technologies in the federal cyber ecosystem and may look to DOD’s list to inform risk mitigation standards and directives, including on internet-connected, IoT devices.
DOD is a Central Player in Several Overlapping Efforts to Secure Critical Technology Government
In framing the report, GAO identified eight government-wide efforts, including the Committee on Foreign Investment in the United States (CFIUS), the arms export control system and the National Industrial Security Program, that all aim to protect dual-use technology, research and other intellectual properties that are vital to the U.S. military advantage. Many of these programs are administered by civilian federal agencies, with the Departments of State, Commerce, Treasury, and Homeland Security, having principal responsibilities. DOD, however, is the only department with an identified role in each of these programs and the agency a vital source of information for their successful administration. The GAO notes that unfortunately, these programs do not “function collectively as a system,” but deconfliction and harmonization have been emphasized to policymakers for some time. Recent efforts like the prior administration’s National Strategy for Critical and Emerging Technologies have attempted to increase coordination across the interagency community.
Internally, DOD has utilized two programs — the Military Critical Technologies Program and the Joint Acquisition Protection and Exploitation Cell — to secure critical acquisition programs and to identify related critical technologies. More recently, the Department established the Protecting Critical Technology Task Force to coordinate across DOD components and better identify technologies and programs central to the U.S. war fighting advantage. In addition to structural changes, DOD recently implemented an updated four-step process to secure critical acquisitions and technologies. The four pillars to the revised process are: 1) identifying and prioritizing programs and acquisitions to develop list of critical technologies; 2) communicating the prioritized list to essential programs and components across DOD and the interagency; 3) developing programs to protect critical acquisitions and programs; and 4) developing processes to oversee and evaluate implementation. According to GAO, the Department expects to complete pilar 1 by March, with full implementation expected by September of 2021.
GAO Concluded that Process Changes in Assessing Critical Technology Require Additional Attention
Despite the decades-long effort at DOD to secure critical technologies and acquisition programs, GAO found that the Department’s programmatic improvements would benefit from additional measures to strengthen coordination and implementation efforts both within the Department and across agencies:
First, GAO recommends that DOD formalize the process for disseminating and communicating the list of prioritized critical technologies through the Department’s operational components. Formalizing this process would not only ensure consistent application of protection measures throughout Department but also assist interagency efforts, e.g. export control and CFIUS, to secure U.S. technological advantages.
Second, GAO recommends the development of metrics to assess both the implementation of protection measures and the performance of those measures across the DOD mission space.
Finally, GAO recommends the Department select and designate a permanent office to oversee the program when the Protecting Critical Technology Task Force completes their work.
In written comments it provided on a draft of the report, DOD concurred with GAO’s first recommendation that the agency formalize the process for disseminating the list. According to DOD, the agency is “in the process of doing so.” DOD partially concurred with GAO’s recommendations on metrics and oversight, but has not made any final decisions on implementing those measures into this initiative beyond the current program.
Takeaways for Technology Sector Participants
Though DOD’s internal strategy for coordinating the communication of a list of critical technologies might seem removed from contractors’ day-to-day experience, contractors should keep tabs on DOD’s efforts to implement GAO’s recommendations. As a threshold matter, it will be important for companies pursuing procurements involving emerging technologies to understand whether the procuring agency has implemented or plans to implement protection measures for that particular technology or program. As GAO points out in its report, DOD officials have at least notionally identified several potential uses for the 2020 list, including uses that could implicate the availability of the Foreign Military Sales program, the inclusion of anti-tamper measures in the development phase of emerging technology procurements, and the selection of particular contractors for compliance reviews. How and to whom that list is disseminated, how any related protection measures are implemented and assessed by the government, and how oversight is achieved could have a more direct impact on contractors’ performance, not to mention implications for internal compliance programs.
* * * * *
Wiley will continue to monitor DOD and interagency efforts affecting the tech sector, including the extent to which the new administration pursues related policies, legislation, and procurements. Wiley remains at the forefront of federal activity on critical and emerging technologies and innovation policies, as well as U.S. government review of foreign investment through CFIUS, Team Telecom, and other related regulatory processes. Our Telecom, Media & Technology (TMT), Government Contracts, International Trade, and National Security Practices help companies and industries work with the government and anticipate federal scrutiny and regulation.