More than two years after the Pentagon first stood up the Defense Innovation Unit-Experimental (DIUx), the outfit crossed a major threshold at the end of October, using its expertise in non-traditional acquisition authorities not just for prototypes and experimentation, but to ink a potentially huge contract for widespread deployment.
The deal, with Emeryville, California-based endpoint security company Tanium and systems integrator World Wide Technology, is worth up to $750 million, and represents the first time DIUx has used DoD’s “other transaction” authority (OTA) to do an end-run around the traditional acquisition system for a production contract.
Tanium is not exactly the poster child for the type of “non-traditional” firm DoD created DIUx in order to target. Although it’s dwarfed by the Symantecs and McAfees of the world, it hasn’t been averse to government work. It had respectable federal revenue prior to its work with DIUx, and had already put itself through some of the pain involved in DoD’s traditional IT acquisition process, like earning Security Technical Implementation Guide (STIG) approvals for its products.
Nonetheless, as the first company out of the DIUx gate, the company is a massive fan of the process, and not just because it’s faster than the traditional acquisition system.
Ralph Kahn, the president of Tanium Federal, said acquisition approaches like this also represent the best hope for mostly-commercial companies to make a meaningful breakthrough into an IT market that’s heavily dominated by the relative handful of companies that hold most of the department’s contracts.
“The incumbents have a lot of very useful information about what’s going on inside [the government]. They have relationships, and in many cases, agencies are very reluctant to try new things unless their large integrators are willing to get behind them,” Kahn said in an interview. “We’ve run into a lot of pushback from incumbents, who aren’t comfortable with new technologies coming in, and the current process gives these companies an effective veto. That’s because the military is very dependent on those contractors to operate their systems for them.”
That wasn’t an issue under the DIUx process, because the Army — the contract’s ultimate customer — worked directly with Tanium’s engineers to figure out whether its products would work on its networks, starting with a prototype contract DIUx brokered in early 2016.
Kahn argues the process was still competitive, because the Army and DIUx only selected his company after describing what the service wanted out of a computer security monitoring product and inviting various companies to submit white papers. But he said it represented a massive difference from the traditional IT acquisition scheme, in which program offices and vendors spend months or years exchanging formal written documents throughout the course of multiple requests for information and requests for proposals.
“They actually came up with real-world use cases in a really short period of time and said, ‘These are the problems that we have that we want to see if you can help us with.’ We did that, and we did it really quickly,” he said. Tanium’s software was deployed on hundreds of thousands of Army computers during the pilot phase.
“When DIUx changes the speed of things and lets you do that production pilot, you cut through a lot of risk of things for DoD, because they can see right away whether it works in their environment,” Kahn said. “And then on the back end, you can still compete among other vendors who do similar things, you can still compete among resellers to make sure you’re getting a good price, there are a lot of other ways to inject competition in the process. But what you’re doing is guaranteeing that what you’re buying is going to work as advertised and do what you need.”
The $750 million figure for the production OTA contract is a ceiling, not a guarantee, but the Army has already placed its first $35 million task order to start deploying Tanium’s software across a broader swath of its IT enterprise. The five-year agreement is open to ordering by other federal agencies.
The system is designed to let Army network defenders simultaneously monitor potentially millions of computing devices to search for indications of a cyber intrusion. The company says its approach is markedly different from traditional antivirus software. Instead of watching for files that are known to contain malware, it lets cybersecurity personnel conduct deep scans of the computing activity across an entire network in a matter of seconds to see if a newly-identified hacking technique is being employed. The system also can keep detailed historical records of each computer’s processes and network activity that let defenders pinpoint the origin of an attack before it spreads to more devices.
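To make the idea in the paragraph above concrete, here is a small added illustration, written for this article and not code from Tanium, the Army or DIUx. It assumes a simplified telemetry schema (one record per process start or outbound connection, with host, timestamp, process name, parent process and destination fields) and a handful of constructed sample records. It shows the two things the paragraph describes: evaluating a behavioral indicator, rather than a known-bad file hash, across every host's records at once, and using the retained history to find the earliest host on which the behavior appeared and which other hosts contacted the same destination.

```python
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, object]
Indicator = Callable[[Record], bool]

# Constructed sample telemetry (not real data): what a fleet-wide endpoint agent
# might report for three hosts. Timestamps are ISO 8601; addresses are documentation ranges.
TELEMETRY: List[Record] = [
    {"host": "ws-0412", "ts": "2017-10-30T08:02:11", "kind": "process",
     "name": "winword.exe", "parent": "explorer.exe"},
    {"host": "ws-0412", "ts": "2017-10-30T08:02:14", "kind": "process",
     "name": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws-0412", "ts": "2017-10-30T08:02:15", "kind": "network",
     "name": "powershell.exe", "dst": "203.0.113.7", "port": 443},
    {"host": "ws-0077", "ts": "2017-10-30T08:41:03", "kind": "process",
     "name": "excel.exe", "parent": "explorer.exe"},
    {"host": "ws-0077", "ts": "2017-10-30T08:41:09", "kind": "process",
     "name": "cmd.exe", "parent": "excel.exe"},
    {"host": "ws-0077", "ts": "2017-10-30T08:41:10", "kind": "network",
     "name": "cmd.exe", "dst": "203.0.113.7", "port": 443},
    # Benign administrative use: a shell started by the desktop, not by an Office app.
    {"host": "ws-1190", "ts": "2017-10-30T09:15:40", "kind": "process",
     "name": "powershell.exe", "parent": "explorer.exe"},
    {"host": "ws-1190", "ts": "2017-10-30T09:15:42", "kind": "network",
     "name": "powershell.exe", "dst": "198.51.100.20", "port": 5985},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def office_spawns_shell(r: Record) -> bool:
    """Behavioral indicator: a command shell whose parent is an Office application."""
    return r["kind"] == "process" and r["name"] in SHELLS and r["parent"] in OFFICE_APPS


def contacts_destination(dst: str) -> Indicator:
    """Indicator factory: any process on any host connecting to the given address."""
    return lambda r: r["kind"] == "network" and r["dst"] == dst


def fleet_query(records: List[Record], indicator: Indicator) -> Dict[str, List[Record]]:
    """Evaluate one indicator against every host's records; hits are grouped by host."""
    hits: Dict[str, List[Record]] = {}
    for r in records:
        if indicator(r):
            hits.setdefault(str(r["host"]), []).append(r)
    return hits


def first_seen(records: List[Record], indicator: Indicator) -> Optional[Tuple[str, str]]:
    """Use retained history to find the earliest matching record: (host, timestamp)."""
    matches = [r for r in records if indicator(r)]
    if not matches:
        return None
    earliest = min(matches, key=lambda r: datetime.fromisoformat(str(r["ts"])))
    return str(earliest["host"]), str(earliest["ts"])


def scope_spread(records: List[Record], origin_host: str, start_ts: str) -> List[str]:
    """From the origin host's later network activity, list every other host that
    contacted the same destinations. This is the pivot that scopes an intrusion."""
    start = datetime.fromisoformat(start_ts)
    destinations = {
        str(r["dst"]) for r in records
        if r["host"] == origin_host and r["kind"] == "network"
        and datetime.fromisoformat(str(r["ts"])) >= start
    }
    affected = set()
    for dst in destinations:
        affected.update(fleet_query(records, contacts_destination(dst)))
    affected.discard(origin_host)
    return sorted(affected)


if __name__ == "__main__":
    hits = fleet_query(TELEMETRY, office_spawns_shell)
    print("hosts matching indicator:", sorted(hits))
    origin = first_seen(TELEMETRY, office_spawns_shell)
    print("first seen:", origin)
    if origin:
        print("other hosts sharing destinations:", scope_spread(TELEMETRY, *origin))
```

The indicator is a function over a record rather than a file signature, so a newly described technique can be expressed as a new predicate and run across the whole fleet without shipping a new signature file; `first_seen` and `scope_spread` only work because the agent retained per-host process and network history rather than just the current state.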