This is part one of a two-part series on how the Army is looking to acquire and field capabilities faster.
In cyberspace, seconds matter. That’s why the Army is looking to a new construct to acquire defensive cyber capability to pace advanced threats on the network.
By leveraging a contract vehicle known as the IT box, the Army is hoping to cut down timelines from over 500 days to 30.
“If it takes 574 days to get a requirement approved in cyberspace, you’re done before you start,” Maj. Gen. John Morrison, commander of the Army’s Cyber Center of Excellence, said during a keynote presentation May 16 at the AFCEA Defensive Cyber Operations Symposium in Baltimore, Maryland.
“It is a fool’s errand. It will not work in a dynamic battlespace like the cyber domain.”
To illustrate the benefits of IT box, Morrison recounted how the Army desired a defensive cyber capability, got the initial requirements document approved in December and had the first two discrete capabilities approved through the process in February. The initial prototypes already showed up in the Army’s cyber protection brigade and by June are going to make a decision on whether or not to field that kit to the full cyber protection brigade.
“That is moving with some speed inside cyberspace,” Morrison said. “That is the only way that we’re going to be able to do capabilities development in such a dynamic environment where, quite frankly, our adversaries don’t need to follow the [Joint Capabilities Integration and Development System] process.”
Providing more granularity, Russell Fenton — who works in the Army’s Training and Doctrine Command’s capability manager office for cyber — described how the service is looking to improve further to a 30-day prototyping process during a separate presentation at the conference.
When a cyber protection team has a need, they’re going to fill out a form asking for a broad capability to fill that need, not a solution. Once the request is received, it will be sent within 10 days to industry for a contract through other transactional agreements. Then, within 20 days of the request, a “shark tank” will take place to allow industry to pitch ideas, and the Army will select solutions that it believes will best meet that requirement. Additional prototyping will take place, followed by an operational assessment in the 30-day time frame.
This IT box construct has been around for roughly 10 years, but Morrison said the Army never operationalized it despite the benefits.
According to Fenton’s presentation, the IT box streamlines the requirements process by delegating requirements down to lower levels; provides greater flexibility to incorporate evolving technologies and achieve faster responses; and enables potential streamlining of acquisition processes to be at the discretion of the milestone decision authority.
It can be for procurement or modification of commercial or government off-the-shelf technology, if additional production of previously developed technologies are appropriate and for development and acquisition of customized software.
However, it is limited more to software, not hardware solutions.
Morrison said the new direction the Army is moving is iterative, adopting a devops model seen in Silicon Valley.
“The key is it never, ever stops. It is incremental improvements that we continue to spin into these capabilities and just as important, when we don’t need a capability we spin it out,” he said. “Ever changing, ever evolving.”
He also noted this will be applied to offensive capability and defensive capability inside tactical formations.
However, Fenton noted that capability under the IT box must have a projected life-cycle cost that exceeds $15 million, which will most likely apply to defensive capability that can be continuously applied. This could limit certain offensive capability, as often offensive capability in cyberspace is time sensitive, exploiting vulnerabilities that in days or even hours might not exist anymore, making the tool useless. As such, these tools are typically single use and are unlikely to meet a total life-cycle cost over $15 million.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.