The Defense Information Systems Agency says it’s committed to making its acquisition processes a lot more agile, even if that might mean accepting more risk as the agency spends the next year with a focus on accelerating the way it delivers technology.
The Pentagon’s lead agency for IT says it’s long since realized it no longer has the market power it once did to shape the technology landscape, and with the commercial marketplace now in the driver’s seat, the military can’t afford to let bureaucratic hurdles keep it behind the technology curve, nor can it expect every system it uses to meet its gold-plated standards for testing and security straight out the gate.
Lt. Gen. Ronnie Hawkins, DISA’s director, says more agile acquisition is one of the agency’s main focus areas for the coming year.
“What I’ve asked the staff to do is to focus on being able to pivot and deliver capability in short periods of time. Rather than it taking us years to do it, we’re going to be doing it in sprints,” he told vendors at the agency’s annual industry conference.
Those sprints will have to come in a federal acquisition landscape that’s often criticized as being poorly-suited for IT. But like it or not, the regulations are what they are, said Jennifer Carter, DISA’s acquisition executive.
“There’s a budget process that has its own pace, there’s a contracts process that has its pace, there’s a requirements process, but one of the things we need to learn how to do is to work within the existing processes we have within government that aren’t going to change rapidly and still deliver,” she said. “That requires us to have a set of programs that have baselines with the capability to be agile built into them.”
Carter says that means giving program managers more flexibility in what capabilities they deliver though each cycle of an acquisition, in case commercial capabilities don’t deliver exactly as they were envisioned on the first go-round; developing a centralized, repeatable strategy for multiple-award contracts; and crafting contracts that are flexible enough that work can be done as needs arise.
The agency says vendors should expect to see more competition via task orders on existing contract vehicles rather than in full-and-open competitions. But DISA also expects its award periods to last for shorter durations.
Carter said the agency’s recent one-year base period award to manage mobile devices and its app store is an example.
“Most of our approaches going forward are probably going to be of that nature. We’re trying to keep out ahead and have opportunities to introduce the next generation of tools. If we waited for a product to be mature and completely proven before we started the process to offer it to our users, we’d always be buying our devices off of eBay because they’re no longer sold. We can’t afford to be in that mode,” she said. “We have to move more into a risk environment where we’re willing to accept products that are more cutting-edge and work with industry to get them to work in our environment. We have to get out of this mode that says, ‘everybody else has been using it for five years, now we can bring it into DoD.'”
The agency says it’s already begun steps to introduce flexibility into its contracts with industry. For example, it’s using a capacity services model for capabilities in its worldwide computing centers, letting administrators quickly scale computing services up when it needs them and stop paying for them when it doesn’t. Mark Orndorff, DISA’s program executive officer for mission assurance, cited a recent blanket purchase agreement for cybersecurity services as another example.
“We found, through a competition, the three best small businesses in the cyber defense space. The up-front work is already done, and now we can go to the best in the business and turn around a task order in two weeks,” he said. “It’s just amazing. It would have taken six to nine or even 12 months before to do that same kind of tasking.”
DISA officials say their accelerated acquisition goals involve accepting more risk, including that a given new capability won’t meet DoD’s needs as quickly as hoped, but also some cybersecurity risk. As Orndorff puts it, DISA will have the flexibility to accept “informed” risk in ways it wouldn’t have considered in the past.
“But only for missions that are more open to a higher level of risk acceptance,” he said. “Under mobility today, we’re accepting more risk than we would have under previous constructs where we were looking to meet every security requirement on day one. We’re not meeting all of them perfectly, but we’ve got some informed risk decisions that say, ‘let’s go ahead and move it out in a limited way while we continue to improve it.’ We’ll continue to do that, and then open up the potential use cases that the technology can be applied to.”
On mobility in particular, DoD has decided to move ahead with a mobile device architecture that will let Defense employees use iPhones and Android devices, even though it still hasn’t determined exactly how users will verify their identities via two-factor authentication. Orndorff said implementing PKI authentication on the new crop of mobile devices is still a very high priority — but not high enough to keep those devices off of DoD networks.
“We’re going to solve it as fast as we can solve it,” he said. “In the documents DISA provides to the department, we’re documenting the risk factors. And then the local authorizing officials make local decisions as to whether that risk is acceptable in their operational environment.”
DISA officials say they’ve already had several successes in implementing agile IT acquisition practices. The challenge over the next year will be to institutionalize those lessons in a way that’s applicable across the diverse array of products and services the agency buys on DoD’s behalf.
But Kathleen Miller, DISA’s director of procurement, says it can be done.
“The acquisition process is a very long process with very many stakeholders that all have a role at different points. You can go back and look at various think tank reports that talk about how to improve acquisition, and we know how to improve acquisition. We just have to work together better,” she said. “It’s the people challenge that’s going to continue to be a challenge. But we’re all driven to support the mission.”