Way back in February, I wrote a blog about President Obama's proposed Cybersecurity National Action Plan (CNAP). In the plan, the President called for $19 billion for cybersecurity as part of the 2017 fiscal year federal budget, a 35 percent increase over 2016 spending. While CNAP has a lot of thoughtful and positive proposals, I'm troubled by the fact that federal cybersecurity programs seem to have a life of their own with little oversight or ROI benefits. I often cite the Department of Homeland Security's Einstein project as an example of this type of government cybersecurity waste. In my humble opinion, the feds are spending hundreds of millions of dollars on custom research and development for Einstein when commercial off-the-shelf (COTS) network security products could do the same job at a fraction of the cost.

As a part-time federal cybersecurity spending watchdog, I've come across another program that deserves public scrutiny: the Software Assurance Marketplace (SWAMP).

The SWAMP was first announced in 2014, supported by a $23 million-plus grant from the DHS Science and Technology Directorate. The program is described as follows:

"The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation."

OK—so far, so good, since insecure software is a big and underappreciated problem in the overall cybersecurity spectrum. For example, ESG research indicates that 33 percent of critical industry organizations have experienced a security incident directly related to internally developed software. So, the SWAMP project was certainly appropriate and well-intended when it was introduced.

Since then, however, this federal program has been fraught with numerous problems, such as:

A limited and buggy feature set. The SWAMP hasn't kept up with its original vision and now lags behind in terms of features and code support (for example, support for RHEL is way behind current versions). From what I've read, users tend to complain about the site's usability and its overall number of software bugs. (I've seen screenshots that seem to lead to nowhere.) It seems like the SWAMP was designed for scale rather than usability, which is a real problem when you are trying to build an online service and attract a broad array of users. There have also been a few concerns about security issues related to the site. I've heard that the VM setup has some potential for abuse, and it's uncertain whether the SWAMP team has adequately mitigated the risks.

Project mismanagement. I've heard that the project has featured consistent turnover since its inception. Thus the SWAMP now suffers from project team deficiencies in terms of leadership, team coherency, vision and execution.

A lack of users. While the SWAMP was announced with lots of fanfare, it failed to attract a significant user base. In the fall of 2015, the SWAMP sent an email to all users that accidentally exposed the entire user population. More than a year into this federally funded project, there were only 600 to 700 users listed, and many of these were either involved with the project itself or those who'd registered but weren't using the service. Part of the problem here is that developers don't want to submit their code to a "big brother" government cloud service. (Note: This may be paranoia on the part of developers, but this viewpoint is a reality that government programs should consider.) For those who don't trust a government-sponsored cloud service, there is an open source version of the SWAMP that can be run on site. Unfortunately, there is no indication that it has gained any market traction.

So, as it stands now, the SWAMP seems to be a buggy, mismanaged service that provides infrastructure to run open source software (and a very limited number of commercial offerings) for software assurance on old (and sometimes antiquated) versions of development languages like Java and Ruby. Furthermore, it seems like the SWAMP has very few actual users. Not exactly a demonstration of efficient use of taxpayer money.

I have no doubt that DHS's heart was in the right place when it funded the SWAMP, but its ongoing project management seems to have turned this program into an irreversible failure. Instead of throwing good money after bad, Congress should hold DHS accountable, assess the true ROI and future of the SWAMP, and move on to bigger and better things if necessary. Personally, I'd rather see the next $23 million go toward NSF-sponsored cybersecurity scholarships than another mismanaged boondoggle.