DOD officials say IT acquisition rules still woefully outdated

Acquisition reform has typically been iterative, via the annual defense policy bill. That approach has still left acquisition officials wanting for a means of speeding up the process.


Vice Adm. Ted Branch is the Navy's deputy chief of naval operations for information warfare.

Lawmakers and Pentagon bureaucrats have talked of acquisition reform as a gradual, iterative process, but those changes seem to be taking effect far too slowly for some Defense Department officials, particularly when it comes to IT.

"The way we buy things in the DOD is a problem from the standpoint of we buy IT much like we buy a ship or an airplane," said Vice Adm. Ted Branch, deputy chief of naval operations for information warfare.

Officials should be smart about how they work with existing requirements, "but I also think there's some [need to] change…those requirements, particularly in the IT/cybersecurity world so we can get things on contract quicker," Branch said June 15 at a conference hosted by AFCEA's D.C. chapter.

"It is absolutely broken," Dave Mihelcic, the Defense Information Systems Agency's CTO, said of the acquisition system. He described a drawn-out process wherein five to six years might pass from the time a company pitches a new cyber product until it is deployed by DOD.

Mihelcic's and Branch's lament has been made countless times by officials across the military services. Congress, meanwhile, has used the annual defense policy bill to iteratively address the monumental challenge.

The fiscal 2016 National Defense Authorization Act, which became law in November 2015, requires the Defense secretary to find acquisition methods that circumvent the traditional system. It also allows DOD to use rapid acquisition authority for tools urgently needed to respond to a cyberattack.

Mihelcic offered the Defense Innovation Unit Experimental -- the Pentagon's outreach office in Silicon Valley -- as a salve for the department's acquisition woes.

The Army has used DIUX to generate interest in new requirements for micro clouds, with the goal of awarding a contract within 90 days of an initial industry day. That turnaround would be unusual, but it is not unheard of: Army officials point out that a similar cyber challenge initiated last year led to the award of more than $4 million in micro-cloud contracts.

Bug bounty program could expand

The Pentagon recently hosted a first-ever bug bounty program that allowed vetted hackers to probe public DOD websites for vulnerabilities, and officials are now looking to expand the program.

Richard Hale, DOD's deputy CIO for cybersecurity, will attend a June 15 meeting with the Defense Digital Service, which hosted the bug bounty, to discuss options for expanding the program to other DOD websites, he told FCW after the AFCEA D.C. event.

Officials are considering adding to the bounty program some websites "that may not be completely publicly open but that are visible to the internet," Hale said.

Mihelcic also said an update is coming in August to the big data platform on which DOD runs a set of widgets and analytics known as the Cyber Situational Awareness Analytic Cloud. The update to CSAAC's big data platform will allow users to essentially separate datasets from the cloud and run custom analytics on top of them, he said. 
