THE PENTAGON – As the Defense Department continues its push to speed up and simplify acquisition, it’s doing so in part by allowing select subsystems within larger programs to be exempt from more stringent rules on acquisition and cybersecurity.
The trend of looking at subsystems individually rather than at the larger program in which they reside is meant to allow the Office of the Secretary of Defense and the services to apply authorities that normally wouldn’t come into play for major defense acquisition programs (MDAPs), such as rapid prototyping and rapid fielding efforts.
“On middle tier of acquisition, since November 2018 we have expanded from zero to more than 50 programs,” Under Secretary of Defense for Acquisition and Sustainment Ellen Lord told reporters this week, noting that a program has to be reviewed by her office and deemed appropriate to leverage middle-tier acquisition authorities.
“We’re scheduled to publish formal policy in December, and I’m happy that we’re seeing positive results for our warfighters, taking an average of over two years out of each of the programs.”
Even for larger programs that require more oversight and would not be eligible for these rapid acquisition authorities, Lord said that, “because you can take a subcomponent of an MDAP, whether it be a center system or something else, and you can do mid-tier acquisition on that one subsystem, that can buy you a lot of time back in the program and mature it.”
Noting that her office needs to be “careful” in how they allow these authorities to be used, Lord said that ultimately “I think we are getting capability down-range to the warfighter faster because of this.”
Lord’s office is taking a similar approach to cyber standards, which are being overhauled within the Pentagon but risk alienating small businesses that can’t afford to comply with some of them.
Lord said in April that “cybersecurity is probably the largest emerging threat we have” but that “we have these high-level [National Institute of Standards and Technology] standards that we say industry has to comply with. It is not particularly easy to understand how to comply with a hundred and twenty-some separate requirements.”
Instead, this year the Pentagon is establishing its own cyber standards and creating the Cybersecurity Maturity Model Certification program.
“The CMMC establishes security as the foundation to acquisition and combines the various cyber-security standards into a unified standard,” she told reporters Monday.
“The CMMC framework will be made fully available in January 2020, and by June 2020 industry will see CMMC requirements as part of requests for information. By fall of 2020, CMMC requirements will be included in requests for proposals and will be a go/no go decision.”
Lord told reporters that her office had met with industry to talk about these new cyber standards and “how we will apply them, what that will mean to procurement, how we have industry audited and so forth.”
Additionally, she said, “what is particularly utilitarian about how we’re doing this is there are five levels of this standard, and when you have a program, different subsystems can be held at different levels. So in other words, the entire system doesn’t require a rating of a 4. Different parts can have a lower and then higher amount. So if you have a hardware portion that really doesn’t have a cyber-security requirement, there won’t be much levied on that.” That flexibility presumably could allow programs to save cost or to bring in companies that may not be able to support working on a higher cyber risk program but could work on that subsystem with a lower cyber risk.
“That being said, we are extremely concerned that we support small business with this, because we know small business is where most of our innovation comes from. So to that end, we’ve been encouraging small businesses to work with the industry associations to learn about it,” she continued.
“I always think of our industrial policy team as the big help desk for DoD. So I’m hoping that industry will call in where they have challenges. Our small business group is particularly focused on it. So we are trying to help people help themselves and work with us.”