DoD Reporter’s Notebook

“DoD Reporter’s Notebook” is a biweekly feature focused on news about the Defense Department and defense contractors, as gathered by Federal News Network DoD Reporter Jared Serbu.


TRICARE extends waiver for specialty care amid tumultuous transition to new contractors

Defense health officials say they’ve extended a waiver process for millions of TRICARE beneficiaries in the Western U.S. through the end of this month, letting them get specialty care without an explicit authorization from the health plan.

The extension follows a tumultuous transition period for TRICARE and its beneficiaries that began on Jan. 1, the day the health system simultaneously underwent a consolidation of its regions, a switchover to two new multibillion-dollar contracts to manage the program and a restructuring of the health benefit itself that was mandated in the 2018 National Defense Authorization Act (NDAA).

The new East and West regions both saw problems with long call center wait times, backlogged enrollments and referrals and delayed payments to providers. But the issues have proven to be longer-lasting in the Western region, where Health Net Federal Services assumed responsibility for administering the TRICARE system in January.

“As we started, both contractors were not meeting standards on performance,” Ken Canestrini, the acting director of the TRICARE health plan, said during an online Q&A hosted by the Military Officers Association of America.

But he said Humana, the East region contractor, has since begun meeting most of the contract’s requirements, including one which requires beneficiaries’ calls to be answered within 30 seconds. Health Net has not, particularly on the busier Mondays and Tuesdays of each week, when call volumes surge beyond its current capacity of about 19,000 per day.

“The demand was more than they could output. So basically every day we started seeing a backlog creep up, creep up, and what’s happening is we aren’t moving those referrals through the system like we should for our beneficiaries so they can go get care.”

In an email to beneficiaries, Health Net said TRICARE Prime patients could get outpatient care from outside specialty providers without a prior authorization as long as their primary care provider issues the referral before March 31, and as long as the specialty care is scheduled to take place before June 30. Instead of going through Health Net’s approval process to request an authorization, they’ll be able to use a blanket approval letter posted on the company’s website.

Ordinarily, TRICARE wants specialty care referrals to go through the prior authorization process, not just to control costs, but to make sure DoD isn’t letting its own clinicians and military treatment facilities go underutilized.

“We have the system so that we can maximize an MTF. It’s all about reviewing that referral and seeing if we could put them back into the MTF,” Canestrini said. “The problem [with the waiver] is it does not allow me to get those referrals back into the MTF as an opportunity for readiness. But the primary goal is to ensure that the patient’s going to get care in a timely manner, so we’re meeting that obligation. We also want to make sure the quality control is good on the referrals – that they’re going to the right provider, the right specialty, the right zip code, etc., and that Health Net can indeed sustain the demand.”

Health Net is not new to the TRICARE business. Prior to winning the contract for the West region as part of DoD’s TRICARE T-2017 contracts, it had managed the former North region, prior to that area’s absorption into the new East region.

Call volume

To deal with the large call volumes, the company is adding employees and cross-training some of its existing workers in some of the unique aspects of the TRICARE system.

But Canestrini acknowledged the volume of calls that began to flow into the TRICARE contractors’ call centers after Jan. 1 was larger than either DoD or its contractors planned for.

Calls were also longer and more complicated: eight minutes in duration, on average, compared to three minutes prior to the transition. That’s due, in some part, to the fact that DoD was making significant changes to the structure and co-pays involved in its health plans at the same time, and beneficiaries had a lot of questions about how the new system worked.

“Vice Adm. [Raquel] Bono (the Defense Health Agency’s director) made the decision to combine the transition to T-2017, three regions to two, and all the NDAA activities, which had a lot of requirements for the healthcare community, into one plan and move this all through together. The goal was to avoid doing this two times — going through one transition and then turning around and telling people, ‘Oh, by the way, here’s some more changes.’”

Some of the problems were also inextricably linked to the complexity and inflexibility of DoD’s own IT systems.

The significant changes the NDAA called for in TRICARE benefits aren’t simple to accomplish in the Defense Enrollment Eligibility Reporting System (DEERS), the back-end system the department uses to manage and track who is eligible for various types of benefits.

In most cases, even a relatively simple policy change can force TRICARE to stop all new enrollments for a few days while DEERS is updated and restructured with new database fields. In this case, the changes were so significant that all enrollments were frozen for three full weeks leading up to the Jan. 1 transition, leaving the new contractors with a massive backlog of new paper-based enrollments that had to be entered into the system.

“Most of those are caught up now, but it took about 60 days of work to bring those in. It was another wrinkle that was out there,” Canestrini said.


Pentagon quashes DIUx’s billion dollar cloud agreement

The Pentagon on Monday abruptly walked back a nearly $1 billion cloud computing agreement its Silicon Valley outpost had signed only a month earlier, saying officials had determined the terms of the arrangement were excessively broad.

The $950 million other transaction agreement (OTA) with Herndon, Virginia-based REAN Cloud, and brokered by the Defense Innovation Unit-Experimental (DIUx), was supposed to have made the company’s services available to the entire Defense Department. But the deal will now be capped at $65 million, and its only authorized user will be U.S. Transportation Command.

“After reviewing the production agreement, the department has determined that the agreement should be more narrowly tailored to the original scope of the prototype agreement, which was limited to USTRANSCOM applications,” Col. Rob Manning, a Pentagon spokesman, said. “We applaud DIUx’s efforts to advance the department’s initiative to accelerate adoption of cloud technologies.”

REAN’s relationship with DoD began last year, when it began helping TRANSCOM migrate its legacy systems as part of a mandate by its commander, Gen. Darren McDew, to move all of its logistics applications to the cloud.

Much of the preliminary work was conducted under a more traditional OTA in which the scope is limited to prototypes. But using authority Congress recently granted DoD to carry those prototypes forward into production OTAs without any further competition, DIUx decided to make the same REAN services available to all the military services and Defense agencies, a step the Pentagon decided was too far beyond the original intent of the prototype.

The deal DIUx announced in February was only the third production OTA the organization had signed since its official launch in 2016, and came just two weeks before the quiet departure of Raj Shah, who had served as its managing partner for the past two years.

The REAN OTA is separate from another large cloud computing contract currently being worked on by DoD’s Cloud Executive Steering Group. The department has revealed few details about its plans for what it has termed the “JEDI” (Joint Enterprise Defense Infrastructure) initiative, but plans to do so Wednesday at an industry day in Arlington, Virginia.

Also on Monday, the Defense Information Systems Agency announced that its MilCloud 2.0 service had attained a key security approval, another major step toward DoD’s adoption of commercial cloud computing.

The provisional authorization for what DoD classifies as “impact level 5” data means accreditors have determined the service offering to be secure enough to handle the most sensitive types of non-secret information.

Officials have previously said they expect MilCloud 2.0, which is operated entirely by a private vendor (CSRA) but housed within DISA’s computing centers, to achieve a PA for secret (level 6) data by the end of the year.

Read more of the DoD Reporter’s Notebook.


Military seeks seasoned industry professionals as next cyber warriors, but they’ll have to start at the bottom

Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The likely next commander of U.S. Cyber Command told Congress last week that a pilot program lawmakers established to recruit more seasoned cyber experts into the military’s uniformed workforce is making some headway. But, he strongly suggested it’s been hampered by its inability to commission new officers at ranks that are commensurate with their experience.

Lt. Gen. Paul Nakasone, currently the commander of Army Cyber Command, was referring to the direct commissioning pilot program lawmakers authorized as part of the 2017 Defense authorization bill, letting all of the military services onboard new officers in cyber specialty areas after about 18 weeks of military training.

The Army began implementing its program in December, but said the first inductees would be commissioned as lieutenants, irrespective of the skills and experience they’d already amassed in the private sector.

“What we have seen in the Army is we need greater constructive credit,” Nakasone said at his confirmation hearing Thursday. “So, if you are a high-end big data or forensics malware analyst, being able to get more credit for that service to bring you in at a higher rank will allow us to probably bring in higher level of talent. This is an early program. We’ve only started it within the past 90 days, but that’s the early results that we’ve seen.”

The Navy, however, has had a similar program in place for much longer, based on an earlier authorization from Congress.

The Navy first announced it would begin direct commissioning of civilians into its Cyber Warfare Engineer career field in 2010, but it’s recruited just 25 new officers via that route since then, according to a spokesman for the Navy’s Fleet Cyber Command. That’s compared to the 30 new officers who are expected to become CWEs after graduating from the U.S. Naval Academy in 2019 alone.

Like the Army, the Navy’s program initially commissions officers as O-1s (ensigns), regardless of their outside experience. As of 2018, basic pay at that rank is just over $37,000 per year, not including housing and other cash allowances.

Vice Adm. Robert Burke, the chief of naval personnel, indicated at a Senate hearing in January that those pay rates are nowhere close to competitive with what people of the caliber the military is seeking are currently earning in industry.

“These [CWEs] are the folks that write the software, do the coding for the offensive operations, and they’re very much in high demand within other government organizations as well as in the civilian community,” he said. “You gave us some relaxed authority to give three years of constructive credit, but that’s still kind of O-1 to O-3 pay, which still leaves them in the mid-$40,000 initial salary range, give or take. And what we’re finding is those folks are in high demand elsewhere, and they’re being hired in the hundreds of thousands of dollar-a-year salary range.”

The Navy has long expressed interest in recruiting new officers from the private sector in something that more closely resembled a lateral entry program which would not require highly-skilled cyber professionals to start their military careers at the bottom. It had previously asked Congress to let it directly commission the new officers at ranks all the way up to captain (O-6).

“I think it would mean a lot to us operationally to be able to recognize people’s expertise, because right now, when we’re doing operations, the rank someone’s wearing on their collar might not have much of a correlation with how much expertise or ability they’re delivering in our cyber operations,” Vice Adm. Jan Tighe, the deputy chief of naval operations for information warfare, said in 2016. “We need to resolve that, either with incentives or promotions or rewards, or bringing them in at the right level to begin with. I think there’s a lot of opportunity there for us.”



Marines are latest to create specialized career field for cyber

The Marine Corps became the latest of the military services to stand up a dedicated series of occupational specialties for cyber late last week, calling it a key step toward improving its readiness and retention of cyber talent.

The move comes almost exactly a year after Gen. Robert Neller, the commandant of the Marine Corps, directed his service to create the new occupational field during an offsite meeting of senior leaders.

And it reflects the growing recognition among senior military officials that they must give service members the option to stay engaged in cyber operations for an entire military career if they have any hope of hanging onto their best talent for more than a couple of years. The new specialties begin at the Marines’ lowest ranks, and go up through lieutenant colonel on the officer side and master gunnery sergeant on the enlisted side.

“‘Trigger fingers turn to Twitter fingers’? Not exactly, but this is the next step in professionalizing our cyber force, which will be critical to our success, now and in the future,” Neller wrote in a Twitter message Thursday.

Marine officials have previously said they planned to begin assigning troops to the new occupational field sometime in fiscal 2018, but the announcement formally establishes what the service has designated the Cyberspace Occupational Field and lays out the specific specialties available for service members to begin transferring into.

The new “1700” field creates seven cyber-specific military occupational specialties (MOS), including two for commissioned officers up to the rank of lieutenant colonel, two for warrant officers and three for enlisted personnel. Officials said they would release more information later this year about how Marines could apply for lateral movements into the new MOS positions, but a message released last week laid out high-level job descriptions and the corps’ overall intent.

“The (Cyberspace Occupational Field) provides the Marine Corps with a professionalized, highly skilled workforce that can effectively employ cyberspace capabilities and create effects across the Marine Air-Ground Task Force and support joint requirements,” wrote Lt. Gen. D. J. O’Donohue, the deputy commandant for information. “The OccFld supports the maturation of the Marine Corps’ cyberspace workforce through the establishment of specific career paths, standardized training continuum, and mechanisms to retain trained and qualified Marines within the cyberspace community.”

Within the seven new specialties, some are expected to serve as generalists; others will focus on either offensive or defensive operations in cyberspace.

The two new specialties for commissioned officers (Cyberspace Officer and Cyberspace Warfare Development Officer) fall into the former category, as does one of the new MOS positions for senior enlisted personnel (Cyberspace Operations Chiefs). They’re expected to supervise and direct “all aspects” of cyberspace operations and “possess an overall knowledge of the capabilities, effects, systems, platforms and resources required to conduct” them.

The remaining specialties include two each for offensive and defensive operations. Within those, there is one each for warrant officers and another for enlisted personnel from private to gunnery sergeant.

The offensive billets are to focus on developing and using tools, tactics, techniques and procedures for attacking enemy targets via cyberspace and “conduct detailed planning and analysis of targets of interest in support of Joint and Marine Corps’ requirements.”

The Marines’ Defensive Cyberspace Weapons Officers and Cyberspace Defensive Operators, meanwhile, are charged with defending networks, detecting and mitigating attacks and cyber vulnerabilities. But they’re expected to work closely with their counterparts on the offensive side and others, O’Donohue wrote.

“CDOs recognize and leverage the application of offensive cyberspace operations in order to implement an effective defensive strategy. CDOs coordinate with network and system administrators to ensure the implementation of security controls in support of (DoD Information Network) operations.”



Pentagon issues FAQ on upcoming cloud procurement, but answers are few


Few Defense IT acquisitions in recent memory have generated as much industry and public attention as the cloud computing project that’s come to be known as JEDI (Joint Enterprise Defense Infrastructure). Late last week, in one of only a handful of instances of public disclosure about the initiative to date, DoD acknowledged some of the questions that surround it, but didn’t do a lot to answer them.

For instance, what sorts of organizations has the Cloud Executive Steering Group that’s spearheading the project been meeting with? “Numerous” ones, according to the eight-item “Frequently Asked Questions” list DoD issued last week.

What has the CESG determined as part of its mandate from Deputy Defense Secretary Patrick Shanahan to examine the military’s existing cloud efforts and make recommendations? It’s too early to say.

How large will the JEDI contract be, and how many years will it cover? Again, TBD.

Perhaps most significantly, the department declined to add any detail around one of industry’s biggest concerns about the project: whether the new cloud contract will create a vehicle for multiple companies to handle DoD’s cloud needs, or whether it will wind up as a winner-take-all arrangement awarded to Amazon, Microsoft or another large vendor.

“The CESG is still assessing relevant data in an effort to determine final acquisition strategies,” Defense officials wrote, adding that they would lay out more details on those strategies at a previously-announced industry day on March 7.

The department acknowledged the authenticity of a November 2017 information sheet, first publicly reported by NextGov, which said that the JEDI contract would be a single-award contract. But, without elaborating, officials quibbled with anyone who would interpret that document to conclude the award would be made without a meaningful competition: it will be full and open, they insisted.

“The referenced JEDI document does not mention sole source award; it mentions a single award. This is one of many draft documents used to spark discussion and debate in an effort to determine the acquisition strategy that will best meet the Department’s requirements. Most importantly the CESG is still in the analysis and fact finding phase of this process to determine how many contracts will best meet DoD’s needs.”

However, the FAQ did provide a few glimmers of insight into the CESG’s thinking.

For instance, whatever form the JEDI contract takes is meant to be “additive” to the cloud migration activities DoD and its components already have underway. While the department plans to make it available to any military service or agency who wants to use it, it will not supplant or preempt anything those components are already doing.

Those statements are likely to provide some degree of relief to IT officials within the military services. Multiple government and industry sources told Federal News Radio that while the CESG has been asking a lot of questions about the cloud projects DoD already has underway, it has told them very little about its own intentions or how the JEDI project might affect their existing cloud efforts.

And 2018 happens to be a year in which there’s already a fair amount of cloud activity throughout the department, separate and apart from the JEDI project (although officials in the military services also acknowledge the deputy secretary’s direct interest in cloud has helped kick those efforts into high gear).

For example, the Navy recently delegated more authority to lower-level CIOs as one way to speed up its commercial cloud adoption. DoD also reached a potential $1 billion agreement earlier this month to support cloud migrations to multiple vendors. And MilCloud 2.0, the commercially-run successor to the Defense Information Systems Agency’s government-run cloud service, is expected to earn a provisional authority to operate (ATO) for the highest levels of unclassified data (“impact level 5”) within the next several days.

That offering, operated by prime contractor CSRA but run inside DISA’s data centers, is expected to be 60 to 70 percent less expensive for Defense customers than the original MilCloud, John Hale, DISA’s cloud portfolio chief, said in an interview.

“For MilCloud 2.0, we let a contract where the contractor is responsible for the hardware, the day-to-day operations and maintenance of the capability,” he said. “By picking a vendor who does it on a day-to-day basis, there’s a lot of cost savings there because they already have the capabilities in place.”

By the end of the year, DISA expects MilCloud 2.0 to be fully up-and-running, and also to have achieved an ATO to handle classified data. By that time, it will likely be one of three options DoD components have to choose from in addition to the JEDI project.

Amazon Web Services is likely to come first: It’s already built a secret-level “region” under a contract with the National Geospatial Intelligence Agency, and earned a joint provisional authorization by both DoD and the intelligence community for classified — impact level 6 — data. The DoD side of the accreditation was initially intended only for U.S. Transportation Command, which has been aggressively migrating all of its logistics systems to the commercial cloud.

“But the approving official who signed that provisional authorization has said that if there’s significant demand from other portions of the DoD for that capability, it can be opened up for other services,” Hale said. “Microsoft has also been doing the same thing with regard to Microsoft Azure for the federal government. So I think by the end of the year, you’re basically going to have three options: on-premises cloud, along with two off-premises cloud providers who can meet all of the requirements for secret-level data.”

Despite the department’s heavy focus on commercial cloud capabilities and the department’s confidence in vendors’ ability to keep critical Defense information safe, recently-articulated DoD policy also makes clear that there are at least a handful of critical security responsibilities the Pentagon is not ready to outsource, even in cases where it is no longer directly hosting its applications or its data.

In a document the DoD CIO’s office distributed to Defense components late last year, the department laid out what it sees as ongoing “inherently governmental” activities for securing data in commercial cloud environments that will need to be performed by government cybersecurity service providers (CSSPs).

Among those responsibilities: DoD’s own cyber experts will still need to be in charge of running “red team” vulnerability assessments against systems that reside in the cloud.

Likewise, the government will need to retain its own expertise to notify mission owners when malware or security breaches are found in their cloud-hosted systems and deliver assistance, maintain classified information sharing relationships between CSSPs, implement urgent IT security orders from U.S. Cyber Command and monitor the “INFOCON” — or DoD’s own confidence level — in the security of any particular system.



Navy sees upcoming NGEN contract as opportunity to ‘rip and replace’ NMCI’s fundamental architecture

In less than a year, when the Navy begins to make what are expected to be massive contract awards for the latest iteration of its Next Generation Enterprise Network, it won’t merely be a restructuring of the business arrangements involved in delivering the Navy-Marine Corps Intranet.

Officials say that’s because NMCI is long overdue for some foundational changes to its architecture, something that hasn’t changed much since the network — now among the world’s largest intranets — was first conceived two decades ago.

That’s a contrast, said Capt. Ben McNeal, the program manager for naval enterprise networks, to how the Navy manages its afloat networks, which are not part of NMCI.

“Every four to six years, if we have the dollars, we do a full rip-and-replace of the network we have on board a ship,” McNeal said at the Department of the Navy chief information officer’s annual west coast gathering in San Diego. “We’ve never done that with NMCI. What we’ve done is a lot of obsolescence replacement intended to keep pace with the cybersecurity threat, but not a wholesale look at the architecture to figure out how it will meet our future needs. That’s ultimately where we want to be.”

To a significant extent, that likely means focusing less on hosting data within NMCI itself, and more on making sure the network’s users can access information wherever it’s hosted — particularly in commercial cloud environments — from wherever those users happen to be, and from a wide array of devices. And for most of their communications, those users would take advantage of a unified, IP-based platform that would replace the Navy’s legacy circuit-switched architecture.

“We have a ways to go to get there, but ultimately we want a network that can flex, be able to withstand the cyber security threats in our joint environment and provide bandwidth almost on demand,” McNeal said. “We also need a virtualized fabric to support those applications and services that we continue to host, and obviously you want that to be all automatic, automated and orchestrated as well.”

However, since building its own services for unified capabilities and other modern and “cloud like” enterprise services would require a healthy amount of up-front investment, there’s also a significant likelihood that some of those technologies won’t be provided by NMCI under the NGEN contract at all, but as shared services with other DoD organizations.

The Navy has already publicly floated the idea of using the Defense Information Systems Agency’s forthcoming Defense Enterprise Office Solutions for email and other productivity services, but McNeal said budget considerations over the last several months had led the Navy to more seriously consider a wider array of shared services than it’s used in the past.

“The budget has pressurized us to make us look at [DISA] as an option where we had not been forced to previously,” he said. “When you can’t buy your own, you’re forced to go leverage what’s already in place. In previous times, we may not have looked at those capabilities because we want to be in control of our own destiny, but now we’re in a world where we don’t have a choice … I don’t know that we’ve always held DISA in the eye of being a good partner to us in terms of the capabilities that they provide, so that’s a relationship that we’re going to need to evolve and mature. But whether it’s the unified capabilities piece, the joint piece, the mobility piece, those are all areas where we’re not going to be able to afford to be redundant in terms of the dollars that we spend.”

As part of the NGEN recompetition, the Navy plans to split its current contract into several segments. The largest, for end-user hardware and service management, integration and transport, are expected to be awarded in the first and second quarter of fiscal 2019, respectively. Another, for cloud computing services, is expected by the fourth quarter of 2018.

The Navy also plans to use the upcoming contract to begin building more commonality between its mostly-continental U.S. NMCI network and the overseas shore networks known as ONE-NET, and eventually “converge” those networks into a single, relatively seamless enterprise.

“But we’re not going to make ONE-NET totally like [today’s] NMCI, because there are a number of things that we have on ONE-NET that we need to be able to fold into NMCI,” McNeal said. “So how do we get the best of both worlds? If you talk to the operational commanders out in theater, they want to be able to make the changes they need to support the day to day mission. So convergence ultimately means that we will have the benefit of those operational processes and tools combined with the mature vendor management that we have on the CONUS side to deliver the best future state network that we can.”



IG says ‘outliers’ in Military Health System have fixed their problems

An exhaustive 2014 review into the quality of health care delivered by military treatment facilities found there were no systematic problems across the military services, although there were a few “outliers.” Four years later, the Defense Department has essentially eliminated those specific deficiencies.

The findings, part of a newly-published progress report by the Pentagon’s inspector general, showed that the Military Health System has already completed 22 broad action plans MHS put into place to address the 2014 quality of care review, but still needs to finish four others before the IG considers the matter closed.

But the IG said the military treatment facilities that were specifically called out for substandard care in various practice areas had generally fixed their problems.

For instance, as of 2014, eight separate hospitals had significantly worse rates of post-surgical health problems than a national average of civilian hospitals, as determined by the National Surgical Quality Improvement Program. By this year’s review, seven improved their ratings from “needs improvement” to “as expected,” and an eighth — Mike O’Callaghan Military Medical Center in Nevada — was marked as “exemplary.”

By another measure — the ability of patients to consistently see a single medical provider — four DoD facilities were marked as needing improvement in 2014. But primary care provider “continuity rates” had improved markedly at three facilities by 2018, and a fourth (the Air Force’s former Menwith Hill Clinic in the United Kingdom) has since been closed.

The 2014 study also found that more than two dozen of DoD’s facilities were “outliers” on some measures of care quality relating to child delivery and the care of newborn babies and their mothers.

But 25 that had been identified as worse than the national average for postpartum hemorrhaging, according to measures maintained by the National Perinatal Information Center, had “met or exceeded” NPIC’s benchmarks by this year. The IG reported similar results for seven hospitals that had reported higher-than-average rates of birth trauma and 11 previous outliers for shoulder dystocia.



Pentagon testing office urges DoD to pause rollout of Joint Regional Security Stacks


The Pentagon’s ambitious project to consolidate its network defenses into a relative handful of regional operations centers around the world has been in the works since 2013, but last year was the first time the multibillion dollar Joint Regional Security Stacks have been subjected to a formal operational assessment. The results were not exactly glowing.

In its annual report, released last week, DoD’s independent Director of Operational Test and Evaluation said DoD should halt any further deployments of JRSS for the time being, calling its performance in securing DoD networks “poor,” partly because of what DOT&E concluded were severe staffing shortfalls, difficulties integrating various network defense technologies and a failure to get various Defense components to cohere around a common understanding of tactics, techniques and procedures for how to employ JRSS.

The security stacks are “unable to help network defenders protect the network against operationally realistic cyber-attacks,” the report found. “Although the JRSS uses mature, commercial-off-the-shelf technologies, JRSS operator training lags behind JRSS deployment, and is not sufficient to prepare operators to effectively integrate and configure the complex, room-sized suite of JRSS hardware and associated software.”

DOT&E’s evaluation focused on the 1.5 version of JRSS, the iteration that’s primarily used by the Army and Air Force, with overall integration work led by the Defense Information Systems Agency. A forthcoming JRSS 2.0 is intended to converge the Navy’s cybersecurity protections into the same regionalized security structure.

Basing its findings largely on an internal July assessment by DISA’s Joint Interoperability and Test Command, DOT&E said DoD’s use of the security stacks is hampered by a serious lack of personnel who are trained to make use of the systems: Air Force manning levels are at 50 percent of what they should be; DISA, meanwhile, was attempting to manage nine of the stacks during 2017 even though it only had adequate staff for five of them.

The Defense Department believes the JRSS construct is inherently more secure than its network defense architectures of the past. Among the reasons: it consolidates thousands of separately-managed network defense points into one coherent structure that can be monitored at all times by U.S. Cyber Command, and relies almost exclusively on commercial-off-the-shelf technology, reducing overall costs and ensuring that the military services are protected by the best-of-breed in private industry.

But DOT&E said the department has struggled to harmonize all of those commercial technologies — supplied by three dozen different vendors — into something that its personnel can manage.

“The services, DISA, and USCYBERCOM have not codified JRSS joint tactics, techniques, and procedures to ensure unity of defensive effort and enhance defensive operations,” the authors wrote, adding that DoD needs to ensure its personnel are trained to use the commercial capabilities it’s been buying.

The report also makes clear that DOT&E has found more problems than it’s comfortable discussing in a publicly-releasable document, saying the office intends to deliver more details in a classified report on JRSS by the end of January.



Navy plans to spend $100 million on cyber through new other transaction authority

The Navy’s Space and Naval Warfare Systems Command is the latest DoD organization to look to Other Transaction Authority as a work-around to the traditional acquisition system in pursuit of new cyber capabilities.

SPAWAR plans to spend about $100 million through a forthcoming OTA structure it calls the Information Warfare Research Project (IWRP), according to a draft copy of the program announcement distributed to industry last week. Awards for specific projects could begin as soon as fall 2018.

The proposed OTA would pay firms for prototype work across 14 different “technology areas,” among them: cyber warfare, cloud computing, data analytics, assured command and control, and embedded systems in the “Internet of Things.”

The Navy plans to provide more details on IWRP during an industry day on Feb. 1 in Charleston, South Carolina. Like other OTA arrangements across the department, it first plans to hire a third-party firm or institution to manage a consortium of both traditional and non-traditional Defense contractors who are capable of conducting prototype work in its various technology areas. Those members would then compete for individual projects by submitting proposals in response to SPAWAR’s technology needs.

The Army is in the process of establishing a similar cyber-focused OTA called C-RAPID that it hopes will be able to accomplish the acquisition process for any particular prototype project within just 30 days.

But the government’s use of OTA structures has expanded dramatically since Congress broadened DoD’s authority to use OTAs as part of the 2016 Defense authorization bill. There are now at least 19 OTA consortia across the federal government, according to a tally maintained by Bloomberg Government.



Defense Innovation Board to tackle DoD’s software acquisition problems, using software

When the Defense Innovation Board first came into existence a year and a half ago, its chairman, Eric Schmidt, and his fellow panelists vowed that they would not be in the business of writing reports. There are enough federal advisory committees that do that sort of thing already, they reasoned.

That abstention hasn’t lasted long, because Congress does not share the Silicon Valley-centric group’s distaste for voluminous, paper-based descriptions of problems and how to solve them. The DIB’s first official tasking from Capitol Hill, directed in this year’s Defense authorization bill, is to spend the next year writing a report on one of the Defense Department’s thorniest problems: software acquisition.

At their quarterly meeting last week, members vowed to take the project seriously, but suggested the end product is not likely to be a PDF document that analyzes and explores DoD’s track record on acquisition.

Again, there are enough of those, said Richard Murray, one of the board members who’s been tasked with leading the study.

“Can’t we just go out and essentially grab all of those data and do machine learning on very large data sets and pull together stuff that’s already out there, whether that’s PowerPoint files, or spreadsheets or printed documents? Machine learning can do that these days,” said Murray, a professor at the California Institute of Technology who specializes in networked and autonomous systems. “Once we ingest that data, we could use modern data analytics techniques to try and get insight about things that are already being done. What are the types of features of a software acquisition program that make it really go wrong, versus those that seem to be working well?”

In theory at least, the board should have no trouble getting its hands on the large data sets it hopes to use for the study. The same section of the NDAA that ordered the board to deliver its report also directed the secretary of Defense to give the DIB “timely access to appropriate information, data, resources, and analysis.”

But Murray emphasized the board wanted to do all it can to eliminate the need for manual data calls — the type of personnel-intensive information requests that tend to inform traditional reports. Rather, it’s more interested in raw data. And the product the DIB winds up producing might end up being helpful to the acquisition personnel who deliver the data, rather than just being a long read.

“Maybe what we end up coming out with, instead of a report, is a deep neural network that will answer questions, like, ‘Here’s the set of requirements for a piece of software. How late is it going to be, and how much over-cost is it going to be?’ I don’t know, but we do want to think about this differently,” he said. “In order to get these techniques to work, we’re going to need lots of data — raw data — in forms we can process that way, and we’re looking for ideas about how we can do that.”

The board’s search for new study techniques stems, in part, from the incredibly expansive mandate Congress gave it.

The NDAA challenged the panel to review all of the DoD regulations that have a bearing on software programs, examine a cross section of ongoing acquisition efforts based on their “application types, functional communities, and scale,” identify best and worst practices throughout the department, and then deliver a set of recommendations to make software procurement and development more streamlined, rapidly adopt new technologies and improve the expertise of the DoD workforce involved in software acquisition.

The study will need to take into account programs that DoD and its contractors build from scratch in order to support mission-critical weapons systems, business software the department buys straight off the shelf, and everything in between, said Dr. Michael McQuade, another board member who is leading the effort.

“It’s our working assumption that how one might offer suggestions on acquiring an ERP system for personnel records is a very different object than people who want to find software that can change an air tasking order at a forward operating base,” said McQuade, the senior vice president for science and technology at United Technologies Corporation. “There’s not going to be one solution that fits all.”


