The Defense Department released a long-awaited update to its Better Buying Power initiative Thursday, issuing a wide range of marching orders to the acquisition community on how to reestablish a technological advantage that officials worry is being rapidly erased by other nations’ militaries. And for the first time in the five-year effort, the Pentagon also raised cybersecurity as a major issue of concern for the acquisition system.
Defense officials have long signaled that the third edition of their acquisition improvement program would center mostly on their worries about military modernization: that the U.S. is losing its technological edge, partially due to an under-investment in new research and development.
“But now we’re talking constantly about the fact that other countries have been investing very, very heavily in advanced capabilities while we have been constrained in doing so because of our budget,” Bob Work, the deputy secretary of Defense, told reporters Thursday. “Since they can study the way we go to war and the way we do business, they can apply their resources in a very, very targeted way. So Better Buying Power 3.0 is primarily about providing dominant capabilities to try to maintain the technological over-match that we’ve always enjoyed, and to try to extend it if at all possible.”
One of the ways adversaries have been “studying” the U.S. approach to military capability has been through the exfiltration of system designs via cyberspace, hence the new emphasis on IT security.
Among the directives in the latest edition is for the DoD chief information officer and the department’s acquisition leadership to draft an update to the department’s main acquisition guidebook, DoD Instruction 5000.02, making clear that program managers must build in plans to ensure cybersecurity throughout an acquisition program’s life cycle.
“Cybersecurity is a pervasive problem for the department,” said Frank Kendall, the undersecretary of Defense for acquisition, technology and logistics. “It is a source of risk for our programs from inception all the way through retirement, and it includes the industrial base that supports us and their databases and their information. It includes what we hold in government. It includes the logistics support information, the sustainment information, the design information, the tactical information. Everything associated with the product is a potential point of attack. We are under attack in the cyber world, and we’ve got to do a better job. All of our managers need to be much more conscious of this and be much more attentive about best practices that let us stay ahead of the threat.”
Extra precautions needed
The implementing instructions DoD issued Thursday ordered the military services to catalog especially critical acquisition programs that ought to be receiving more cybersecurity attention than they’re getting.
They also express special concern about the vulnerability of technical data hosted on the systems of Defense contractors. Despite an update to acquisition regulations last year, which required contractors who hold that sort of data to take extra precautions and report any potential breaches immediately, the department continues to see that data as a significant vulnerability, even in unclassified forms.
“Before that, there were no security requirements on industry,” Kendall said. “We’re going to revisit those and see if they’re tight enough. We’re losing a lot of time advantage and a lot of financial advantage by having this data extracted from us. We need to think about every interface that a weapons system has and whether it’s accessible through cyber methods or not. We need to think about all of the systems that weapons system touches or is dependent upon. So there’s a discipline we have to put into our management of this. And we’re finding, as we look at weapons systems that were built a long time ago, that very little thought was given to this. We’re having to react in a few cases because of things that were done then.”
Thursday’s guidance also told the military services, the DoD chief information officer, the Defense Security Service and the Defense Intelligence Agency to create a new joint analysis capability which uses intelligence and counterintelligence information to predict cyber threats to acquisition programs and to better protect them.
More broadly, Better Buying Power 3.0 envisions a much tighter linkage between DoD’s acquisition system and its intelligence components than exists today. The guidance told managers to work with the intelligence community throughout their programs’ life cycles to identify “Critical Intelligence Parameters,” measures that can help DoD determine whether the large systems it’s building are still relevant to the threats it might face.
If one of those parameters is breached, it might suggest that a program needs to change its design or be cancelled altogether.
“We have to react to the threats,” Kendall said. “If the threat is changing, we can’t ignore that. Because threats are now moving at a rate that we’ve gotten a little complacent about, frankly, we have to pay closer attention, and we have to make intelligent adjustments. We’re already starting to do follow-on development for the F-35, and the reason we need to start follow-on development is that the threats are changing, and we have to respond to them.”
Giving VOLT to sharing
As part of the integration push, the acquisition and intelligence directorates within the Office of the Secretary of Defense are working with the Defense Intelligence Agency to keep the acquisition system up to date with what other countries are doing through a consolidated library termed Validated Online Lifecycle Threat (VOLT). A plan to transition to that joint system is due to DoD acquisition leaders by August.
Among the 34 major points in the final version of Better Buying Power 3.0, only two are new additions to the draft version DoD has been circulating for comment since last fall; the bulk of the directives Kendall issued Thursday involve specific implementing instructions for initiatives the department already has announced.
Besides the cybersecurity addition, the department also included an initiative to use the Better Buying Power process to find ways to reduce unnecessary paperwork the department’s regulations currently impose on Defense suppliers.
But DoD also thinks that in some cases, it needs to impose new requirements.
Under the banner of making more productive use of its limited research-and-development dollars, the Pentagon says it plans to tighten policies on how it reimburses companies for independent research and development (IRAD).
Kendall said he has concluded that over the last two decades, the department has taken an excessively laissez-faire approach toward what counts as reimbursable IRAD, and that companies have used the process to enhance their competitive position without much evidence that they’re returning value to the government. Going forward, any R&D dollars that companies are reimbursed for will need to be part of a project that has gotten the prior sign-off of a DoD official.
“You just need to find anybody, anywhere in the Defense Department who will do that for you. I don’t think it’s a very high hurdle for people to get over,” Kendall said. “It also enhances the communication between industry and government to have that requirement in place. I have seen some behaviors where people have made what I think are de minimis investments that are designed more to create intellectual property than to actually advance technology. We want that balance restored a little bit. In other cases, people are asserting that they will use future IRAD expenditures in order to lower the evaluated price on a bid. That’s not really what we want people to be doing with IRAD.”