[nickpsecurity]

It could and they almost certainly do. Probably a combo of projects and profit. We have no way to test that, though, for this program. I'll note that black projects already have a way to get tons of money without much accountability: SAP's, USAP's, and waived USAP's.

https://en.wikipedia.org/wiki/Special_access_program

I know in the 90's that Aviation Week reported that they spend around $100 million a day on these with a House committee admitted they review only 5-10% of them. So, plenty of money slushing around to who knows what. Every now and then we get details such as NSA's exploit development and subversion program costing around $212 million a year.

[engi_nerd]

Not all SAPs are black. Some are publicly acknowledged.

[nickpsecurity]

I forgot to add that I learned quite a bit from SAP security thanks to Uncle Sam publishing it:

http://www.dss.mil/documents/odaa/nispom2006-5220.pdf

It's not the end all but it was a nice start to organizational security. Just had to... de-bureaucratize it into something a person could comprehend lol. Then worked from there based on expert writings in each subfield, spy vs spy literature, and what worked for organized crime dodging LEO's. And that's how one learns real security. :)

[nickpsecurity]

Yep. That's why they add "Unacknowledged" and "Waived [from extra reporting]" in front of SAP for those that are. I usually only call USAP's, esp waived, black programs in my usage. Seems most accurate, eh?