The U.S. military is employing a mixture of procurement contracts and innovative
practices to speed up the acquisition of defensive and offensive cyber technology as the volume and intensity of cyber attacks and threats against government agencies — both civilian and Defense — continues to rise.
Cyberspace is a warfighting domain that is critical to ensuring the military’s capability to operate going forward. The concept of operations for defensive cyber is complex because capabilities are dispersed across the battlespace and must continually adapt to evolving threats. The capabilities must protect data, networks and net-centric operations as well as be interoperable with other IT and software-dependent systems, according to Lt. Col. Scott Helmore, director of the Army Defensive Cyber Operations office (DCO).
Traditional requirements, funding, development, production and fielding of capabilities usually span years. However, technology is advancing so rapidly, and cyber threats are becoming so much more sophisticated, that cyber weapons and tools can become obsolete within months after deployment. As a result, Army DCO is looking to reduce the acquisition process to 30 days.
“In general, technology is changing every 90 days. So, if your contract process takes 60 to 90 days to do, by the time you order the contract, it has already been subsumed by another technology,” Helmore said.
Launched in 2017 under the Program Executive Office of Enterprise Information Systems, DCO oversees programs for insider threat monitoring, cyber tools, cyber analytics, forensics and malware analysis, two platform-based programs and a cyber mission planning program. To that end, DCO is a capability provider for the Army’s cyber protection brigades, teams and other cyber mission forces operating in a complex multi-domain battlespace. To manage and speed up acquisition of defensive cyber capabilities, the office is employing a mixture of Federal Acquisition Regulation (FAR)-based procurement contracts and Other Transaction Authority (OTA) agreements.
Described by some as the next cool thing in defense acquisitions, OTAs can be used for basic, applied, advanced research and prototype projects when it has been determined that it is in the government’s best interest to enter into an agreement that is not a contract, grant or cooperative agreement.
Additionally, DCO is using the Consortium for Command, Control and Communications in Cyberspace (C5), established in September 2011 by Army Contracting Command – New Jersey, to foster a collaborative prototyping model to provide innovative solutions quickly to the soldiers. DCO also has forged partnerships with various organizations including the Army Rapid Capabilities Office, which enables the Army to experiment, evolve and deliver technologies in real-time to address both urgent and emerging threats, while supporting acquisition reform efforts.
The C5 OTA provides government offices with the necessary problem-solving environment, leveraging nontraditional defense contractors, small businesses and more traditional defense partners. “Under the OTA process, we found we needed a way to collaborate,” Helmore said. “The fastest way to help the industry understand what the government needs is to have a lot of communication with them. That led us down the pathway to a consortium approach.”
Being in a consortium, DCO staff can converse freely with industry experts. If one industry member has a superior piece of software and another has superior hardware, the DCO can recommend they come together.
The Navy’s Space and Naval Warfare Systems Command is also looking at OTAs to deliver technology to its cyber teams in a timely manner. SPAWAR plans to spend about $100 million though a forthcoming OTA structure called the Information Warfare Research Project (IWRP), according to a draft copy of the program announcement distributed to industry. Awards for specific projects could
begin as soon as fall 2018. The proposed OTA would pay firms for prototype work across 14 different “technology areas,” including warfare, cloud computing, data analytics, assured command and control, and embedded systems in the “internet of things.” The Air Force also is seeking to make it easier to use OTAs throughout the service via its Rapid Capabilities Office.
Using a mix of OTAs and FAR-based contracts makes sense under certain situations, Helmore said. DCO deploys the two approaches when innovation and stability are needed. A FAR-based contract is for stability because DCO knows the contractor will be there for a while and there will be a long-term relationship. That means the contractor will be familiar with the environment, users, training and all the technology regardless of the manufacturer. It is best to have a systems integrator rather than a production contractor, Helmore added.
There are situations, though, in which an organization can get stuck with the capabilities a defense contractor has to offer, and they might exclude good, innovative ideas from another defense contractor or a smaller business. The new OTAs will make sure that doesn’t happen, Helmore said.
Rutrell Yasin is a freelance writer.
New risk management framework expected to improve DoD cybersecurity