With a growing number of cyber programs chasing a finite number of dollars, the Army is creating a new governance process designed to prioritize its cyber spending much closer to the time when dollars actually head out the door.
The Cyber Acquisition Requirements and Resourcing Group will be made up of two-star generals with stakes in Army cyber investments under the larger banner of the Army Cyber Council. Its task will be to sift through spending requests that have come in from various corners of the Army under the long, traditional budget process and reshuffle them just before the start of the fiscal year in which the money’s going to be spent.
“Right now, the Army’s working on its 2018 budget proposal. If I told you exactly what we’re going to spend money on in cyber in 2018, I’d be exactly wrong,” Kevin Fahey, the director of the Army’s System of Systems Integration and Engineering directorate, told reporters Wednesday. “This is going to let us come up with an execution plan that’s responsive to the real requirements, as we know them, the year prior.”
The council’s main tool will be the Army’s own spin on a resourcing construct known as IT Box, first launched by DoD in 2008 and customized by the Army for cyber-specific software and hardware investments earlier this year. Fahey said his service will use the “box” to outline its general objectives as part of the Defense budget process, but then direct funding to more specific purchases close to the point of execution rather than attempting to forecast which items will be needed three years hence.
The Army’s new oversight group will be able to carry out most of its spending reprioritization without additional reprogramming permission from Congress.
“The main areas that we focus on in the cyber budget are offensive, defensive and situational awareness. Probably 90 percent of that will be funneled through three of our program executive offices: PEO-EIS, PEO-C3T and PEO-EIWS,” Fahey said. “We’ve created one cyber program element, but the budget submission we send to Congress will have six pieces under it: three will be part of the research, development, test and evaluation budget and three will be for production aligned with the PEOs. There may be some things — like a major software patch on the Abrams tank — where we’d have to request a Congressional reprogramming, but for the most part we believe we’d be below the dollar threshold that requires that. We’ve been thinking hard about how we maximize flexibility and how we make spending decisions in the year of execution.”
Fahey said members of Congress have been supportive of what amount to miniature reprogrammings within the Army’s cyber budget, partially because the service has been careful to craft its IT Box in such a way that it does not resemble a slush fund for whimsical computing projects. Any program the new resourcing group decides to fund will first need to have its requirements approved by the military’s Joint Requirements Oversight Council.
“The other thing you get approved along with your requirements is how the Army is going to govern the annual capability drops we’re planning as part of any program,” he said. “The big thing with Congress is transparency of what we’re doing, and we think the process we’re setting up is going to give everyone that confidence.”
The process is scheduled to debut in fiscal 2017. The Army expects to use it for various purposes, including developing military-specific hardware and software, repairing newly discovered problems on its networks and buying commercial-off-the-shelf technologies it wants to procure right away.
“For example, a lot of the products we’re going to be interested in for situational awareness of our networks are already being developed for the banking industry. A lot of the tools and infrastructure we’re deploying for our cyber protection teams are things that we’re buying as COTS, but they’ve been justified as urgent operational needs,” he said.
Fahey said the Army is also creating a “cyber consortium” to help its acquirers decide which commercial tools are most relevant to its missions. The idea is to communicate the service’s cyber needs to broad swaths of industry at roughly the same time the DoD acquisition system determines something to be a formal requirement.
“Then, we can get white papers back from industry that can help us make decisions, because right now it’s hard for us to say whether any one industry member’s innovative tools are better than any other,” he said. “It’s really focused on prototypes for our cyber protection teams. We just ran our first challenge where we asked industry to create deployable kits for those teams that will need to respond around the world. We got about ten white papers, we downselected to four of them and the industry guys demonstrated what they had at Fort Gordon, Georgia. We selected two of those, and we’re in the process now of deploying them as prototypes so that we’ll know the future capabilities we’ll need. The Department of Defense can be agile within the processes we’ve got. You just have to align the resources with the requirements and the acquisition programs, and we’re working hard to do that.”