When it comes to pushing the Defense acquisition system to move as quickly as the military’s appetite for technology, other transaction authorities (OTAs) are in high fashion at the moment, both in the Pentagon and on Capitol Hill.
But OTAs, in and of themselves, are not the magic bullet for speedier acquisitions. That, at least, is the Army’s take when it comes to acquiring new tools to defend its networks.
The Army now has a framework in place that it believes will let it acquire new cyber defensive tools within cycle times of no more than 30 days. And although OTAs are a vital component of that rapid acquisition strategy, the service had to start by spending a full year reworking the other essential components of the bureaucratic machinery that goes into military capability development, including its requirements and budgeting processes.
Insight by Lookout: Learn the steps CIOs from the VA, NSF and the Drug Enforcement Administration in the Justice Department took to achieve the balance of security and accessibility as employees worked outside the office in this exclusive ebook.
The effort began when the Army decided it needed to centralize the responsibility for acquiring those cyber capabilities within a new product office for Defensive Cyberspace Operations (DCO), part of its Program Executive Office for Enterprise Information Systems (PEO-EIS). The office plans to acquire between six and 24 prototype systems each year via a new OTA consortium it’s currently in the process of setting up, called Cyberspace Real-time Acquisition Prototyping Innovation Development (C-RAPID).
OTAs are generally a much faster way to sign agreements with vendors, since they bypass most of the usual rules involved in the government’s traditional procurement system. But the Army reasoned that the quicker OTA process wouldn’t do much good if it still took months or years for its senior leaders to complete the separate, paperwork-intensive, front-end process of settling on specific requirements for its defensive systems.
So, at the end of 2016, officials decided to move all of those cyber requirements into a much more flexible framework known as the Information Technology Box.
“It delegates approval for requirements down to lowest level,” Lt. Col. Scott Helmore, the product manager for DCO said in an interview for Federal News Radio’s On DoD. “Traditionally, all requirements [for programs of record] would be approved by the Joint Staff via the JCIDS process.”
Instead, under IT Box, requirements approval authority for the 11 official IT portfolios DCO now manages were first delegated to the Army, then to two-star officials within Army Cyber Command and Training and Doctrine Command.
“So you’re still having senior leader involvement, but what you’re really getting at is, ‘What’s the level that really understands the requirements the most, and understands its implications across offensive, defensive, and training?’” Helmore said. “What we found is that the two-star level is right about at that sweet spot, where you’re not trying to educate them. They know what’s going on, and they can make a decision fairly rapidly. So what we are seeing now, as we’re going faster and faster, is that we’re spinning out new requirements every two months. As far as I know, we have never seen anything faster.”
However, the Army didn’t have a budgeting process that could allocate funding to new priorities every two months. So that, too, needed to change.
Army leaders and Congress agreed to move all of the programs DCO manages into a single line of appropriations in the Army’s budget, and give it flexibility to move money around within that budget during the course of a fiscal year.
“So now, there are not separate funding lines for deployable capabilities, tools, analytics, things along those lines,” Helmore said. “What that allows us to do is when the requirement comes in very quickly, we can take a look at our own internal budget without having to go back to (Army headquarters). At the program management level, we have the ability to quickly look at the trade space and say, ‘Well, there’s an urgent requirement for analytics,’ which is an example that we just had recently. It let us take money from mission planning and apply it very quickly to analytics. And that can be done instantaneously.”
As for the mechanics of how it would sign its agreements with industry, DCO decided that other transaction agreements would be a key part of its process, but not the only one.
Helmore’s team determined that the ways in which the DoD had been using OTAs up until that point still weren’t fast enough to meet its objectives, and that OTAs needed to be blended with traditional contracts.
To speed up the OTA process, DCO decided it needed all of its decision makers to be co-located, at least in an administrative sense, if not in a physical one.
“In the traditional approach, what happens is we send out a request for information to industry, they come back with their responses a few weeks later, we digest that over a couple of weeks, then we go back out again with a performance of work statement that takes several more weeks. Then the proposals take several more weeks of review, which goes to a contracting office, which they then review, and you can see the iteration,” Helmore said.
“If you eliminate that by putting everyone into the same environment, you can streamline all of your activities, and that’s what we’re doing under the C-RAPID process. We’re putting the test people, the contracting folks, the user community, and the program manager in the same place. So everybody who’s a decision maker is in the room, and votes to say what they think the best solutions are as we move forward.”
To handle its contracting, DCO partnered with the Army Contracting Center at Rock Island, Illinois, which agreed to train and assign a dedicated cadre of contracting experts on the Army’s rapid cyber acquisition needs. The agreement includes a coding system to tell contracting officers exactly how urgent a particular need is, ranging from the requirement to have a contract signed within 72 hours up through 45 days.
And although DCO plans to use its new dedicated consortium and OTAs to rapidly prototype and insert new technologies into its 11 programs of record, the overarching programs themselves will be managed and integrated via traditional Federal Acquisition Regulation-based contracts.
“Really what we wanted was a mix of innovation and stability,” Helmore said. “When I say stability, what I mean is when you have a traditional FAR contract, you know that contractor is going to be there for a while, they’re focused on a certain mission. They’re familiar with our fielding environments, our users, and all of the materials, no matter the manufacturer. So for each program of record, we decided we will do a single award, which will go full-and-open.”
But DCO decided it did not want one contractor to have the responsibility for proposing or developing each of the specific technologies that would make up those larger programs of record.
“As an example, if you award that kind of contract to one major defense contractor, you may be stuck with whatever that contractor has for innovation, and you’re excluding all of the good ideas from another major defense contractor. Or you may be excluding all of the innovative ideas from small mom-and-pop businesses who really don’t want to be taken over by a larger business,” Helmore said. “That led us down the pathway of saying, ‘To focus on innovation, to focus on speed and relevance, on being ahead of our threats, let’s look at an OTA and its capabilities.’”
Under the OTA structure, the Army will hire a separate, third-party firm to administer the C-RAPID consortium, and then present the companies and other institutions that join that consortium with operational needs statements to fill the specific capability gaps it’s been given by TRADOC and ARCYBER, via the new, speedier requirements process.
Those companies will then have seven days to submit white papers describing how they would solve the particular problem in question. Four days after that, a panel of government and consortium experts will turn in their assessments of those proposals, and help narrow the field to a few candidates who can fill the Army’s needs.
The remaining candidates will then defend their ideas in a “shark tank” setting about 10 days later, and the four-to-five most promising would be invited to demonstrate their offerings at a “crucible” event at Fort Belvoir, Virginia. At that point, if the Army is happy with what it ultimately sees from any of the companies, they could be offered an OTA prototype agreement on-the-spot.
Despite the fast pace of the process, Helmore said the Army is confident that it has built sufficient checks into the system to ensure that vendors can actually deliver on the capabilities their white papers promise, and that their technologies can be successfully integrated in the Army’s programs of record without committing to months or years of additional integration and interface-building work.
“This entire process is designed to assess whether ideas are ready,” he said. “That’s what got us to this consortium model, because you have to understand our problems ahead of time [in order to become a member], otherwise you’ll never have a capability when we need it.”
Ensuring that the technologies can interoperate with the Army’s existing technology baseline will remain a government responsibility, one that DCO plans to achieve through a part of the C-RAPID process that it terms “The Forge.”
“It ensures that government has its own ability to demonstrate the integration of these different platforms, and that it only procures platforms that have already been demonstrated to have integration capabilities,” Helmore said. “To get there, what we’ve got to do is really concentrate on an open, modular design, with the intent being that we can pull out a single module and go out to industry with an innovative approach and replace it with a newer module, whatever that newer technology is.”
Separately, another contractor will have the sole responsibility of what DCO calls “mission planning.”
“For lack of a better term, the one I use is ‘the one ring to rule them all,’” Helmore said. “That contractor has the responsibility for integrating all of the capabilities seamlessly into a command and control platform that the operators operate in. They’ve got to build the interfaces between each of the tools, each of the platforms that we use so that an operator, when they get ready to do our mission, just goes in via that platform and can access the specific technology abilities of each of our other programs of record.”