After almost a year of holding special acquisition authority granted by Congress, Cyber Command has finally flexed those powers, awarding a contract in late September.
In a press release issued late Thursday, Oct. 12, Cyber Command said it has “begun executing its new ‘limited acquisition authority’ to speed up the acquisitions process for cyber-specific tools,” awarding “its first contract under this new authority Sept. 29 for information technology-related research and technical information services to enhance future acquisition decisions.”
Gartner, Inc., a research and advisory firm, was given nearly $580,000 for work to be performed from Sept. 29, 2017 to Sept. 28, 2018, according to the award notice and associated documents.
The contract will “provide IT research and executive advisory services, which includes web access to Gartner’s research including but not limited to executive IT management decisions, change management, IT architecture, security and risk management, and IT infrastructure and operations,” according to the award.
“Studies have shown that having access to other organizations who are experienced in the IT industry allows for better analysis and advice in making decision on direction and implementation,” associated documents assert.
Adm. Michael Rogers, commander of Cyber Command, testified before Congress in May that the types of contracts he is looking to award involved defensive capabilities.
“There are some specific technical and oversight and control things I have to make sure are in place before we start spending the money … that will be finished in the next month or so,” Rogers told the House Armed Services Committee in late May, noting at the time the command had not exercised the limited acquisition authority granted by Congress.
Rogers told the panel in May that the command has been working with private industry, especially in Silicon Valley, and will soon begin purchasing, likely by the summer.
Cyber Command is looking to standardize all its kits for cyber protection teams, as each of the services – which are trained at the same joint standard regardless of offensive or defensive roles – is equipped with different kits.
Like many parallels drawn between the two, Rogers said Cyber Command thought Special Operations Command offered a good model for acquisition, even hiring two former SOCOM officials to help shepherd the command through this initial process.
“Our office spent 2017 putting the right people, processes and policies in place,” said Tony Davis, who until recently served as the acting command acquisition executive. CYBERCOM said Davis has now returned to SOCOM after having led efforts to stand up this authority.
Congressional aides have noted that this acquisition model was taken from SOCOM, describing it as a crawl, walk, then run approach. SOCOM enjoys rapid acquisition authority, which CYBERCOM could eventually reach, but it must first prove itself.
Michael Hayden, former director of the NSA and the CIA, told Fifth Domain in an interview that in order to develop a CYBERCOM of the future, one that is a fully unified combatant command and separate from the NSA, there must be a Major Force Program 12 (MFP-12), just as SOCOM is MFP-11.
According to a DoD webpage, “In the context of the Future Years Defense Program (FYDP), a MFP is an aggregation of program elements that reflects a force or support mission of DoD and contains the resources necessary to achieve an objective or plan. It reflects fiscal time-phasing of mission objectives to be accomplished and the means proposed for their accomplishment.”
This acquisition authority was an important step considering the rapid and evolving nature of the cyber domain. Complicating matters, funding often comes collectively from the individual services, whose cyber components feed into the 133 cyber mission force teams at CYBERCOM.
“Typically, combatant commands and their subordinate units have to rely on the services – the Army, Air Force or Navy – or defense agencies to write and execute contracts and to acquire resources to accomplish their mission,” Cyber Command’s release said.
In some cases in the past, the services might put up a bit of a fight given that these authorities have typically come from their individual dollars and limited pots that they don’t want to give up.
Davis said this new authority provides CYBERCOM with greater agility and flexibility, facilitating “speed, flexibility and a technical knowledge base when providing capabilities for our cyberspace forces in a rapidly changing, worldwide domain.”
“This is important because of the dynamic nature of this contested domain,” Mike Zwiebel, Davis’ replacement, said. “The threat environment changes rapidly in cyber, and our ability to respond must be equally agile.”
“One of the things I talk about is do we need to change the lifecycle approach to the development and fielding of capability in the department from a cyber perspective given the rate of change in this environment,” Rogers said during a presentation at the Air Force Association’s annual conference in September. “Right now, the acquisition world isn’t really set up to do that. It’s not a complaint, it’s an observation. It hasn’t had to really work in that world to the same extent.”
He continued: “You’ve already seen where Congress in the last 18 months on a kind of test basis has granted Cyber Command initial acquisition authority and initial set of funding as a matter of fact to kind of flesh and test this concept out. As a commander, I’m really interested for us as to how we flesh this out over time.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.