The U.S. Defense Department is falling behind on a plan that was intended to allow it to buy critical cyber tools quickly. The delay is due to concerns that the strategy’s bureaucracy would only slow the purchasing process, sources familiar with the plan and the internal deliberations said.
The delay, at a minimum a significant postponement for reconsideration of sections of the plan and at worst a complete rethink, casts into doubt how the Pentagon will keep up with the rapid pace of technical innovation in a rapidly changing world.
The Pentagon was directed to come up with a strategy as part of the National Defense Authorization Act for Fiscal Year 2011. It was supposed to be done by the middle of 2011, but was not sent to congressional committees until this April. It has become known as the “933 report,” because it was mandated in section 933 of the authorization act.
The plan calls for the creation of a “senior-level” committee to oversee cyber acquisition, called the Cyber Investment Management Board (CIMB), chaired by the defense undersecretary for acquisition, technology and logistics, the defense undersecretary for policy, and the vice chairman of the Joint Chiefs. In addition, a Cyber Capabilities Team (CCT) would be created to look at broader technology developments to help guide department policy, as well as a number of policy shifts that would need to be implemented to allow the bodies to fully function.
These bodies would oversee the creation of two separate cyber acquisition tracks, one called “rapid” and the other “deliberate,” designating acquisition needed in under a year vs. longer time frames.
The CIMB has been formed and has met, a DoD spokesperson said.
But sources said that the vast majority of the framework has yet to materialize, held up by lingering doubts.
In a statement, a DoD spokesperson said the agency is working on a plan to implement the rapid acquisition initiatives.
“The implementation activities are on-going with no intention to delay,” the statement read. “The department is currently coordinating and finalizing the details of an implementation plan. The implementation plan is intended to be the foundational document where all information and/or guidance from other products in support of the new framework are integrated and synchronized.”
The 933 report broke implementation of all of the major components of the plan into three-month and six-month time frames following the delivery of the report, a source who has seen the document said. That schedule would mean large chunks of the plan should have been implemented by now, with others nearing readiness, although sources said they had seen no evidence that most of the meaningful components of the program are in progress.
DoD has created rapid acquisition programs before, notably to supply troops in Iraq and Afghanistan with critical equipment such as mine-resistant vehicles. But in the past, rapid acquisition has been limited to circumstances in which the equipment was technically straightforward, unlike the cyber domain where items can be experimental in nature, and rapidly evolving.
While the intent behind the plan is good, the additional committees would likely slow down acquisition, a conclusion that has stalled the implementation, said a former senior defense official familiar with the 933 report and internal deliberations.
“I agree with rethinking the strategy,” the former official said. “Adding bureaucracy doesn’t speed up anything. It never does.”
While the 933 report is not the ideal solution, the problem is not only significant but dates back years, the former official said.
“We’ve struggled with this,” the former official said. “This is at least a two- or three-decade-old problem.”
The plan allows for the circumventing of some standard acquisition reports and protocols for the “rapid” track.
Nonetheless, if the strategy were implemented, it would likely fail to yield significant improvements in the acquisition process, another source who has seen the full report said.
“I’m not convinced they’re going to be getting anything different, because it’s just a different name on the same thing,” the source said. “You do the same thing with the same people the same way, you’re going to get the same results. These guys are hoping to get something different out of it. That’s not going to work.”
The full 933 report has been given the security designation “For Official Use Only,” and has not been made publically available by the Defense Department. But the report’s executive summary was provided upon request. Sources who have seen the document provided details of its content.
While other organizational concerns may be playing a role in the delay, the possibility of slowed procurement as a result of bureaucracy has driven DoD to reconsider the entire plan, sources said.
“I don’t know if this will happen,” one of the sources said, “but I’d like to see something happen.”