The Army Program Executive Office for Enterprise Information Systems is buying products at hyper speed for its defensive cyber operations.
PEO-EIS has already charted out a process to deliver new capabilities to the Army’s cyber protection teams in 30 days or less, using a combination of traditional procurement techniques and other transaction authorities. But now, its Defensive Cyberspace Operations (DCO) office has its own consortium of companies to call on for quick responses.
DCO paired up with System of Systems Security, Inc. (SOSSEC) on July 25 in an agreement called COBRA. The OTA vehicle — with a ceiling value of $100 million over five years — will support a rapid development approach the Army calls C-RAPID.
Previously, the Army relied mostly on another consortium, called C5, for its defensive cyber prototypes, but the overall goal remains the same, said Col. Chad Harris, the project manager for installation information infrastructure, communications and capabilities at PEO-EIS.
“One of our missions is to accelerate the delivery of capability for the defensive cyber operations force,” Harris told Federal News Radio. “While the OTAs are not a panacea — they don’t solve all the problems — they do help you speed up some of the steps with contracting.”
Agreement can expand beyond defensive cyber
OTAs, in many cases, are made for rapid prototyping and that’s exactly what DCO needs to do as it identifies emerging threats that the cyber force faces, Harris said.
The Cyber Operations Broad Responsive Agreement brings together like-minded companies to provide the products requested by cyber mission forces and to offer ideas to Army PEO EIS for DCO products they may want or need.
While it’s tailored specifically for DCO it can expand to other areas with administrative sign off.
Harris said the products will include mission planning, data analytics, tools, hardware, deployable kits, user activity monitoring, forensics and malware.
“[What] OTAs bring to you is the access to atypical defense contractors. Being able to get to those small businesses, somebody who might not be used to dealing with the Defense Department. OTAs give you an option to do that,” Harris said.
Lt. Col. Scott Helmore, the product manager for DCO said in one instance a nontraditional company DCO wanted to work with had not gone through some of the Commerce Department requirements for equal opportunity and delayed the buying process by 30 days. An OTA would be able to waive that issue.
A ‘broad swath of companies’ desired
Army DCO hopes to attract a broad swath of companies that can offer defensive cyber solutions.
“What we clearly know is that we don’t know everything. We don’t know all those great companies that might have the next great idea to protect the Army networks,” Harris said. “This is more general and more broad to where we can present problems and then the consortium then help us find those companies that we have not had contact with.”
Helmore added that the consortium adds diversity to the options from which DCO can choose.
“As an example, if you award that kind of contract to one major defense contractor, you may be stuck with whatever that contractor has for innovation, and you’re excluding all of the good ideas from another major defense contractor. Or you may be excluding all of the innovative ideas from small mom-and-pop businesses who really don’t want to be taken over by a larger business,” Helmore said. “That led us down the pathway of saying, ‘To focus on innovation, to focus on speed and relevance, on being ahead of our threats, let’s look at an OTA and its capabilities.’”
Katie Crompton-Silvis, the agreements officer at Army Contracting Command-Rock Island, said OTAs also strip away reporting metrics, which can take some pressure off companies.
“You take away a prescriptive ‘It shall’ to ‘show me what it can do’ and it really opens up innovation, it opens up technology,” she said. “It allows the government to get tools it normally wouldn’t get — or thinking it normally wouldn’t get in a Federal Acquisition Regulation (FAR) contract, because in FAR-based you have to be prescriptive in order to say that a contract was successful.”
DCO isn’t only working with the SOSSEC consortium, it’s also working with the C5 consortium on a more cursory level. DCO created the newest agreement so it would be more conducive to the 30 day acquisition cycle DCO wants. DCO is also working with other offices like the Defense Innovation Unit, formerly the Defense Innovation Unit Experimental.
Need for speed in procurement cycle
The 30-day cycle comes from the idea that defensive cyber technologies change every 90 days, so DCO needs to move rapidly to keep up with the pace of change.
The office plans to acquire between six and 24 prototype systems each year using a process called Cyberspace Real-time Acquisition Prototyping Innovation Development (C-RAPID).
Under C-RAPID, “we’re putting the test people, the contracting folks, the user community, and the program manager in the same place. So everybody who’s a decision maker is in the room, and votes to say what they think the best solutions are as we move forward,” Helmore told Federal News Radio in April.
To handle its contracting, DCO partnered with the Army Contracting Center at Rock Island, Illinois, which agreed to train and assign a dedicated cadre of contracting experts on the Army’s rapid cyber acquisition needs. The agreement includes a coding system to tell contracting officers exactly how urgent a particular need is, ranging from the requirement to have a contract signed within 72 hours up through 45 days.