FARNBOROUGH, England — During the six years Raytheon has developed a new GPS control station, the company fell prey to one of the pitfalls that have plagued many acquisition programs throughout history, a key Air Force official said Tuesday.
It simply didn't understand the requirements, or at least how to execute them as cybersecurity challenges evolved, Winston Beauchamp, deputy under secretary of the Air Force for space, said at the Farnborough International Airshow.
The Defense Department is now deliberating whether to restructure the Operational Control Segment (OCX) program or cancel it altogether. But Raytheon's performance problems embody the wider challenge of how to develop hardened space technologies in a rapidly evolving cyber landscape, he said.
For example, a requirement to detect and refuse access to all potential intrusions "might have been four things eight years ago, but it's 4,000 things right now," he said.
"The distribution of exploits and hackers, it evolved considerably, to the point where we're much more sophisticated now than we were before."
The Pentagon declared a Nunn-McCurdy breach for OCX on June 30 after it found the company would exceed its planned cost by at least 20 percent. The department plans to announce by October whether the Air Force will rework the program and apply a new cost baseline or to terminate it, Defense Department acquisition chief Frank Kendall said earlier this week.
Should the OCX program be canceled, the Air Force has several options in front of it: modifying the existing GPS system or recompeting the contract, Beauchamp said.
"It would be difficult, it would be challenging" to restart the program, he said. "But it would be challenging in either case. Both of them have challenges."
The GPS enterprise contains hundreds of points of entry into the internet, Beauchamp said. The hope with OCX was to strengthen the system's cyber architecture and add a suite of new capabilities that would improve its performance.
"That's a lot to have to do, and hardening the software from a cyber perspective and closing off these hundreds of entry points to the internet has proven to be extremely challenging, as you could imagine," he said.
Another major risk area is software integration, which is always a challenge but was especially so for this program because the cyber requirements covered a lot of new ground, he said.
"It is a complicated program. It has a lot of facets to it, and it's one where once you identify the problem, then there's work to be done to figure out how to resolve [it]," he said. "And they discovered a lot of these problems in testing, which is not where you want to find problems."
Beauchamp said the major lesson learned is to work with the contractor up front to understand the environment and requirements as much as possible in the beginning. Once the company begins writing code, it's harder to reverse course and debug it.
But baking that knowledge into an acquisition strategy is more challenging.
"How do you find a way to be specific enough that your contractor can go ahead and start work on it, but flexible enough to be able to respond as the environment evolves? That's the challenge," he said. "I think we certainly have a better handle on it now than we did 8 years ago. The question is going to be can we structure a program such that it accounts for that level of flexibility?"
Correction: The original version of this story stated Raytheon had the contract for eight years. It was actually awarded the contract in 2010.