“DoD Reporter’s Notebook” is a biweekly feature focused on news about the Defense Department and defense community, as gathered by Federal News Radio DoD Reporter Jared Serbu.
Submit your ideas, suggestions and news tips to Jared via email.
There are still at least six weeks to go before the public unveiling of the federal budget for 2019, but the Navy is already sending strong signals that it’s planning for the sort of personnel growth it might need in order to eventually field a fleet of 350 ships and to fill the manning shortfalls it has today.
Over the last two weeks, the service has pushed out several policy changes designed to hold onto as many of its existing sailors as possible, reversing programs that culled personnel from its ranks in prior years.
In one of the changes, the Navy told sailors last week that it was relaxing previous rules under which servicemembers could be kicked out by reason of physical fitness. The service ordered commands to put a stop to any actions they’ve taken to separate sailors simply because they’ve failed the Navy’s physical fitness assessment (PFA), a twice-a-year screening process that combines medical checkups with the Navy’s physical readiness test and body fat limits.
Instead, those servicemembers will be allowed to fail the PFA at least twice. Although they will be ineligible for promotions until they pass a PFA, they will continue to serve until they’ve lived up to their previously-agreed-on military service obligations.
Sailors who have already been ordered to leave the Navy because of a PFA failure can now also request that those orders be cancelled, and anyone who’s already failed a PFA before will have that record zeroed-out at the beginning of January.
“Adjustments to physical readiness program policies reflect a continued emphasis to invest in and retain our most important resource, our sailors,” Vice Adm. Robert Burke, the chief of naval personnel, wrote in a message to the fleet. “Retention of every capable Sailor is critical to the operational readiness of the Navy. The goal of the Navy’s physical readiness program is to maintain a minimum prescribed level of fitness necessary for world-wide deployment and to maintain a sailor’s long-term health and wellness.”
A few days earlier, officials also did away with a pair of programs that had allowed early-outs for servicemembers who wanted to leave the Navy of their own volition.
One, the Enlisted Early Transition Program, was instituted while the Navy was in a period of high retention and low demand for growth. It let sailors apply to exit the military as much as two years before the end of their obligated service.
The Navy also explicitly cancelled a program that had allowed officers to apply for early retirement, but said its intention was to do away with all programs that let military members depart prior to their obligations.
“We are in a growing Navy. This requires more people at a time when we are still working our way back to desired sea duty manning levels, and when the competition for talent is especially keen. We will certainly recruit and train many more sailors to help meet these demands, but that will not be enough,” Burke wrote. “It has been decades since the last period of major personnel growth in our Navy. You will see many additional policy changes in the coming weeks and months to set us on the right course.”
Indeed, the Navy’s active duty end strength has been slowly and steadily declining since its last peak in 2002, when 385,000 sailors were on duty. It closed out 2017 with 319,000, below its authorized end strength.
The service requested a modest increase in its 2018 budget: 329,000 sailors, or 4,000 more than it’s currently authorized. But Defense officials said at the time of that budget rollout that they were focused on restoring readiness to all of the military services, and that the military growth President Trump promised on the campaign trail would be reflected in budgets for 2019 and later.
Speaking to reporters last week, Patrick Shanahan, the deputy secretary of Defense, said the 2020 budget rollout will actually be the first year that fully reflects the president’s national security strategy, but glimmers of growth will begin to appear in the 2019 edition.
“We’ll actually start building the 2020 budget in January, but ‘19 is a step up,” he said. “We had to build up ’19 concurrently with doing the NDS, trying to do those in parallel and adjusting in real time.”
On the campaign trail, the president pushed for a much larger Navy, an objective senior Navy officials also laid out a year ago when they called for a fleet of 350 ships in their latest force structure assessment.
Officials have been less clear about the manpower requirements involved in the fleet buildup, but a strategic review the Navy released this month in the aftermath of four at-sea collisions earlier this year noted that the service already faces challenges in meeting its current requirements for personnel with a fleet of 279 ships.
Excessive demands on personnel — both from operational requirements and administrative tasking from higher headquarters — are a significant component of the Navy’s declining readiness, wrote the authors, former chief of naval operations Gary Roughead and Defense Business Board chairman Michael Bayer. They added the service’s past plans to reduce personnel requirements through on-board technological improvements have not tended to come to fruition.
“The annual cost per sailor has increased by more than 25 percent since 1998, making manpower reductions a tempting way to reduce costs in the long-term,” they wrote.” However…history shows the potential for technology-enabled manpower savings were routinely overestimated. Three of the last four ship classes required increases to crew size after fleet delivery. Overly optimistic workload assessments create a cycle of unbalanced manpower allocations, unachievable individual ship workloads, and eventual increases in ships’ crew size. Sailors being overworked, or perceiving themselves to be overworked, also effects retention, leading to a fleet with less average experience and requiring increased recruiting expense.”
A fair amount of attention has been paid in recent years to the problem of aging stateside Defense facilities that are descending into substandard condition because of shortfalls in maintenance and military construction dollars.
But a handful of recent reports from the DoD inspector general are beginning to make clear that this is also a problem even with brand new buildings at overseas bases, where military construction dollars have flowed more freely through DoD’s overseas contingency operations budget.
The IG’s latest report, describing a detailed health and safety inspection at Al Udeid Air Base in Qatar, found examples of warehouses and other buildings that the Air Force accepted from building contractors even though they didn’t meet DoD’s own standards for building safety, such as having fire sprinklers installed. Some of the failures to comply with construction requirements were in mission-critical facilities, including the base’s Combined Air and Space Operations Center and Wing Operations Center.
In all, the audit found 253 deficiencies that inspectors said could put DoD personnel’s life or safety at risk, including some that resulted from a failure to perform adequate maintenance, not just inadequate construction. They included five that the office deemed so serious that it issued the base commander a “notice of concern” before the report was finished, insisting that the problems be fixed immediately.
Among those, inspectors noted a pair of 11,000 volt electrical transformers with no barriers around them that could have easily been hit by a vehicle and were accessible to unauthorized personnel, live, unshielded electrical wires that posed shock risks to patrons using a steam table at a base dining hall, electric panels that were designed for indoor use installed outdoors, and electrocution hazards at the base’s swimming pool.
“Although the DoD OIG understands the inherent danger in military operations, we do not view the identified safety issues as acceptable risks in the operational environment at Al Udeid,” Randolph Stone, the deputy inspector general for policy and oversight wrote in a letter to base officials, noting that the problems posed a “significant risk of fire, electrocution, loss of life and/or property.”
The Air Force says has fixed or is in the process of fixing the most critical problems inspectors identified, and that it’s taken steps to address and identify the root causes of all 253 deficiencies.
But other reports show that the facility shortfalls aren’t isolated to Al Udeid, and that similar construction and maintenance deficiencies have been a problem at other overseas bases that function as relatively permanent military installations, not temporary forward operating bases.
A June report found some of the facilities at Camp Lemonnier, Djibouti, were accepted from building contractors even though they didn’t comply with mandatory health, safety and electrical standards. That inspection resulted in another notice of concern to the Navy, pointing out five immediate problems, including shoddily-installed electrical wiring throughout the base that posed severe electrocution hazards and improperly-constructed high explosive magazines that presented “a significant and immediate risk of explosion during adverse weather.”
A September 2016 inspection at Camp Buehring, Kuwait found 538 electrical and fire safety problems, mostly resulting from what auditors said was a failure by the Army to maintain its facilities and oversee its contractors. In that case, the IG found the installation had no government-employed master electricians or fire protection engineers to check and inspect its contractors’ work, and that contractors weren’t required to perform electrical maintenance to any specific standard.
And another 2016 report described 286 fire and electrical deficiencies at King Abdullah II Special Operations Training Center in Jordan, including 77 that were critical enough to require immediate fixes. At that installation, auditors found troops’ sleeping quarters were built with highly-flammable materials. Some were protected by fire alarms, but the alarm systems tended to be disconnected, or were never installed in a way that would alert emergency responders or security officials.
Sometime during the next week, the Army expects to convene a selection board to pick its first-ever cadre of newly-minted service members to move directly from the civilian cyber workforce to its officer corps. The fast track to a military commission means a theoretical full stack engineer working in Silicon Valley as of this moment could be a uniformed military officer within Army Cyber Command by next Memorial Day.
But the Army — acting under an explicit authorization from Congress, which has expressed a keen interest in boosting military accessions of cyber experts — is dipping its toe into the program very, very slowly. It will only accept five new officers per year via the new direct commissioning route, despite the fact that it has deep and longstanding experience in doing precisely the same thing for other specialized professions: doctors, lawyers and chaplains, on a routine basis.
There are reasons to proceed cautiously, Army officials argued, because questions abound about how this particular pilot program will end up working out. For one thing, the Army is targeting a slice of a slice of the American population: more than 70 percent don’t meet the physical or educational standards for military service under any circumstance.
“And within the 29 percent that’s available to us, we’re looking at a very discrete population that brings technical expertise to the table,” said Maj. Gen. Patricia Frost, the principal cyber adviser to the Army’s chief of staff. “We want to look for the right individuals who are ready and willing to defend our nation in cyberspace — people who may not have been looking to be an infantryman or an artilleryman. This is a way to serve your nation and defend the nation in the cyberspace domain.”
One primary goal for the new program is to get a jump on the amount of time it normally takes to develop new officers into ones that have the technical aptitude to lead and command the Army’s share of the 133 teams that make up the Defense Department’s Cyber Mission Force.
To that end, the Army is mostly looking for applicants who already have years of prior experience in fields like computer engineering, software development, auditing code for security vulnerabilities and architecting and deploying networks.
And while it’s widely accepted that a sense of mission is a bigger motivator than pay for most of the DoD’s current cyber professionals, it remains to be seen how many of applicants of that caliber the Army will be able to attract, considering its decision to commission the first crop of direct-commissioned officers as second lieutenants.
That’s the same initial rank given to fresh graduates from West Point, ROTC, or the Army’s Officer Candidate School. The annual basic pay is just over $36,000 (although, with housing allowances included, total cash compensation could go as high as $64,000 in Washington, D.C., a high cost of living area).
“This is a pilot program, and after year one, we’ll take a look at the lessons learned and whether we were able to attract the talent at that rank considering the kind of experience we try to go after,” said Lt. Gen. Paul Nakasone, the commander of Army Cyber Command. “It’s not a final determination yet.”
But Nakasone emphasized that direct-commissioned cyber officers would only remain as second lieutenants for the first few weeks of their new military careers, during which they’d technically be serving within the Army Reserve. After completing the Army’s four-week Direct Commissioning Course, they would get a slight pay bump to the rank of first lieutenant. They will then go through a 12-week Basic Officer Leader Course for cyber officers, meaning the entire process from initial accession to reporting to their first official duty station could be as short as four months.
The cadre the new officers will be joining is, altogether, a relatively new, selective and small club. Even via its more traditional accession routes — the U.S. Military Academy, ROTC and Officer Candidate School — the Army only plans to add a total of 87 cyber officers in 2018.
But those officers will have had substantial experience and preparation in acclimating themselves to military culture. The five who are coming directly from the outside world will have suddenly become officers with just a few weeks of acclimation.
“One of the things we’re going to do in Army Cyber is partner them up with a mentor,” Nakasone said. “It’ll be someone who has experience and the wherewithal and who’s been in our force for a little while, just so they can ask, ‘Hey, what’s my first experience going to be like, what should I expect, what’s it mean to be an officer, what are my responsibilities? We find that to be an effective way of developing talent.”
In 2017, the majority of cyber officers (55) joined the Army via ROTC programs, another 20 were West Point graduates, and 12 gained their commission through Officer Candidate School, a pathway the Army primarily uses for incoming cyber officers with prior experience as enlisted soldiers.
But officials said the new direct commissioning route differs from each of those in that successful applicants are guaranteed to be cyber operations officers, a pledge the Army does not make to OCS candidates. Also, under the pilot program, the Army will accept applicants up to 41-years old. Applicants to OCS are generally cut off at age 32.
Last week, Ellen Lord, the Defense Department’s new undersecretary for acquisition, technology and logistics, appeared before the Senate to give her first progress report on the department’s implementation of congressional acquisition reform. In passing, she made a new reform request of her own: a potentially-fundamental change to the way DoD handles sole-source procurements.
Since 1962, when Congress passed the Truth in Negotiations Act (TINA), the government has generally been required to demand that contractors provide it with their cost and pricing data when that company is the only bidder that can fulfill the military’s requirements. The rationale is that without a competition between vendors, the government needs some insight into its contractor’s actual costs to make sure it’s not getting gouged.
But Lord said Thursday that DoD wants “flexibility” to cut down the amount of data it requires companies to cough up, a step she said was necessary as part of her goal to reduce the department’s lead time for procurements by 50 percent. Contractors tend to view those data requirements as burdensome, particularly since they’re subject to government audits, and especially when DoD is buying items that are sold on the commercial marketplace..
Lord offered few details about the extent to which the department wants Congress to modify TINA, but suggested the changes should be modeled on a pilot program lawmakers authorized as part of the 2017 Defense authorization bill. That language was meant to speed up the department’s facilitation of foreign military sales with 10 test cases eliminating the need to gather certified cost and pricing data for arms sales to other countries, and instead, rely on the actual costs DoD had already paid for the same items to determine whether the prices were reasonable.
“Key to our success would be to have the same flexibility for our U.S. procurements,” she said. “If we were granted the statutory authority on sole-source procurements, it would allow us to use our judgment to reduce the cost and pricing data we would require when we have cost transparency with the companies with which we do business.”
In the meantime, Lord said she has used authority DoD already has to launch six other pilot programs, all with the goal of reducing acquisition timelines. In one such program, the department is reinterpreting its legal authorities to try to reduce procurement times for foreign sales of retrofit kits for C-130 aircraft to 180 days; in another, she said the department is “pre-positioning” its own production contracts so that they can be reused to “fill in the blank” when those items are sold to other countries.
As a general matter, Lord said her objective is to reduce acquisition timelines to an average of 12 months for major Defense programs, down from the current 2 ½ years. As one way to do that, she said her guidance to the acquisition workforce is to use the flexibilities DoD already has in order to find the least complicated path possible through he government’s maze of acquisition regulations.
“We are working on streamlined acquisition processes, where you basically have a flow chart and you use the simplest methodology possible to get things on contract so that we’re not held up in this do loop of, you want to do something but you can’t get it on contract,” she said. “That means you need to understand what you’re buying and how to tailor the process, and that’s what we have our contracting people doing right now, using real-life examples of how we’ve done this.”
Many of those examples come from DoD’s various non-traditional acquisition organizations, including the Defense Innovation Unit-Experimental, the Strategic Capabilities Office, and the Army’s Rapid Capabilities Office.
“We’re trying to learn from [the offices] who have taken the authorities that Congress has provided and applied them appropriately to speed things up, be more cost effective, thereby allowing smaller companies that couldn’t afford to go through this multi-year process to participate,” Lord said. “What we’re trying to do is scale all of those activities, but we’ve got to educate our acquisition workforce to be able to do that, and that is a huge issue. So I’m taking a fundamental relook at how the Defense Acquisition University operates, and we’re looking at more one or two day sessions where we teach people skillsets that they use the next day. But we’ve got to give people the tools, and then we have to train them. I am very optimistic that we can do that.”
The Defense Department has a new official overseeing its sprawling information technology enterprise as of late last week.
Essye Miller became the Pentagon’s acting chief information officer on Friday, the department announced via Twitter. She’ll continue to serve concurrently as DoD’s deputy CIO for cybersecurity, a position she’s held since last year. Miller previously held several IT leadership positions with in the Army and Air Force.
The DoD CIO role opened up in October, when John Zangardi left the department to become CIO at the Homeland Security Department. Zangardi had been the acting Defense CIO for several months, but DoD has not had a permanent CIO since Terry Halvorsen retired from government in May.
Miller’s appointment comes just after DoD announced a change of leadership at another of its major IT organizations, the Defense Information Systems Agency.
Navy Rear Adm. Nancy Norton, currently DISA’s vice director, has been nominated for promotion to vice admiral and to become DISA’s next director. Like the past two DISA directors, she will wear a second hat as the commander of Joint Task Force-DoD Information Networks.
Norton joined DISA only this past August; prior to that, she was the Navy’s director of warfare integration for information warfare. On a date still to be announced, she’ll take over for Lt. Gen. Alan Lynn, who has been DISA’s director since July 2015.
The Defense Department is taking what one might call a deliberative approach to the construction of the Cyber Excepted Service, the new, more flexible personnel system Congress authorized for civilian employees who work in cyber defense and some other IT fields.
The Pentagon says it is implementing CES in three separate stages, and the final, full-implementation phase won’t come into play until the end of 2018, nearly three years after Congress passed a measure to let DoD bypass ordinary federal hiring and pay procedures to make it a more competitive employer of cyber specialists.
Phase one started just a few weeks ago, after DoD successfully modified the software in its HR systems to accommodate its first new hires into the excepted service. The first employees were inducted shortly thereafter, and include a relatively small group of workers at U.S. Cyber Command, the Joint Force Headquarters-DoD Information Networks and in the office of the DoD chief information officer.
“It may seem like this has been a slow process, but it’s a significant change for us and we’ve been really hammering away at it,” Maj. Gen. Ed Wilson, the deputy principal cyber advisor to the secretary of defense, said in a recent roundtable with reporters. “We want to start small, and start with what we thought was our highest need, which is U.S. Cyber Command. The way we’ve set it up, it gives us a headquarters function here in the Pentagon, a headquarters function out in the field and a tactical component as well.”
In phase two, due to start sometime next year, the department plans to begin extending the CES to current and prospective employees in the military services and in the Defense Information Systems Agency.
During that broader rollout, one of the biggest hurdles the military departments are likely to face is one of education, since none of DoD’s current employees can be forced to move into the new excepted service without their consent, said Gary Wang, the Army’s deputy CIO.
That assessment, he said, is based on DoD’s previous experience with other alternative personnel systems such as the Defense Intelligence Civilian Personnel System, the program the Pentagon has used as one of its models for the CES.
“We need to demystify the process, because a lot of people are very hesitant about moving into an excepted service,” he said. “A lot of the groundwork is going to be about reducing peoples’ anxiety. I say that as someone who’s moved three-or-four times in and out of the intel community. The other area we have to work on is to prevent stovepiping between the two systems, because you have folks that want to be able to move back and forth to kind of provide a different perspective. We want to be sure those impediments aren’t there. We want people to move back and forth between the two systems.”
Officials declined to hazard an estimate as to how many current employees would move into the excepted service or what proportion of the current cyber workforce the CES would represent once it’s fully implemented.
That’s partially because DoD is still in the process of determining precisely which employees should be counted as part of its cyber workforce and coding their positions to accord with the National Institute of Standards and Technology’s Cyber Workforce Framework, an obligation Congress placed on all agencies as part of the Federal Cybersecurity Workforce Assessment Act in 2015.
“I think as we go through this, we’ll find it’s much broader than the IT community,” said Essye Miller, DoD’s deputy chief information officer for cybersecurity. “We need to make sure we’ve got the full gamut covered, including pieces like the legal and contracting community.”
Congress gave the department wide latitude to set its own rules in establishing the new personnel system, and DoD finally published those rules in August, telling Defense components that they should adhere to them as-written and refrain as much as possible from layering on their own mission-or-service-specific caveats.
As to recruiting, the rules bypass the government’s traditional requirement that all available jobs be posted to the government’s USAJobs.gov website, and makes clear that DoD components can advertise postings via “any legal means.” They also set a three-year probationary period and other measures that make it easier for the military to fire civilian employees who don’t perform as expected.
As to pay, the system is largely modeled on the existing General Schedule, but with provisions that officials say are designed to make the CES more “market-based” so that DoD can come closer to competing with private-sector salaries.
The CES, for example, introduces the idea of Local Market Supplements, additional pay incentives that will be set each year by the CIO and DoD personnel officials to reflect both the cost of living in a geographic area and DoD’s demand for specialists in high-demand career fields “that require separate interventions” in support of “the cyber mission.”
Employees who work in the excepted service do not fall under Title 5 of U.S. Code — the body of law that governs almost all other federal civilian employees — but under Title 10, which gives the Defense Department much more control to set its own personnel rules.
Nonetheless, the department has insisted the CES will follow merit system principles and will retain other common features of the civilian personnel system, such as veterans preference.
In a recently published fact sheet, the department also said employees who opt into the new system will maintain the career status they’d achieved under Title 5, and that it would continue to honor existing collective bargaining agreements, personnel protections and appeal rights.
The Defense Information Systems Agency is the latest federal agency to decide to follow in the Homeland Security Department’s footsteps by organizing a one-day event to hear directly from industry about its concerns in doing business with the government.
DISA’s spin on what DHS and other agencies have called “reverse industry days” will happen during the first week of December, and will be termed “Inside Industry.”
Doug Packard, DISA’s senior procurement executive, said the agency is still working through the final details, but wants the event to be tailored to the particular types of products and services that fall within the agency’s $5.8 billion contracting budget, and not simply a repeat of the forums DHS has already hosted.
“I’m not sure yet who the right players are, but I think what we need is for a consortium that represents ‘X’ — the commercial satellite or IT services or circuits sector — sit on a panel, and tell us, for example, ‘Your CLIN structure is stupid because of this particular reason,’ and be very candid,” he said Monday at the agency’s annual forecast to industry in Washington.
Packard said DISA is leaning toward speakers that are representatives of industry groups rather than of particular companies, because it’s “awkward” for individual firms to be openly critical of the agency because of fears that they’ll be punished on future contracts.
That sort of thing doesn’t happen, he insisted.
“But if you think it does, create a panel, name unknown, and tell us what you don’t like,” he said. “You can wire brush us, it’s all good, but I want to tailor it to what we buy. When it comes to exactly how we buy telecommunications circuits, no one knows or cares about that at a typical reverse industry day, but we know and we care.”
The DISA engagement represents a growing trend within the federal government of agencies hosting forums where the speakers are members of industry and the audience is government leaders and agency personnel. The purpose tends to be several-fold: to gather industry concerns about what makes the government an unnecessarily troublesome customer, to learn about current industry practices, including how businesses conduct their own procurements, and to reverse what many government and industry officials see as an unhealthy trend of arms-length communication between agency and vendors.
At least four federal agencies have held reverse industry days in 2017. DHS recently conducted its third after having pioneered the idea in 2016.
More than two years after the Pentagon first stood up the Defense Innovation Unit-Experimental (DIUx), the outfit crossed a major threshold at the end of October, using its expertise in non-traditional acquisition authorities not just for prototypes and experimentation, but to ink a potentially huge contract for widespread deployment.
The deal, with Emeryville, California-based endpoint security company Tanium and systems integrator World Wide Technology, is worth up to $750 million, and represents the first time DIUx has used DoD’s “other transaction” authority (OTA) to do an end-run around the traditional acquisition system for a production contract.
Tanium is not exactly the poster child for the type of “non-traditional” firm DoD created DIUx in order to target. Although it’s dwarfed by the Symantecs and McAfees of the world, it hasn’t been averse to government work. It had respectable federal revenue prior to its work with DIUx, and had already put itself through some of the pain involved in DoD’s traditional IT acquisition process, like earning Security Technical Implementation Guide (STIG) approvals for its products.
Nonetheless, as the first company out of the DIUx gate, the company is a massive fan of the process, and not just because it’s faster than the traditional acquisition system.
Ralph Kahn, the president of Tanium Federal, said acquisition approaches like this also represent the best hope for mostly-commercial companies to make a meaningful breakthrough into an IT market that’s heavily dominated by the relative handful of companies that hold most of the department’s contracts.
“The incumbents have a lot of very useful information about what’s going on inside [the government]. They have relationships, and in many cases, agencies are very reluctant to try new things unless their large integrators are willing to get behind them,” Kahn said in an interview. “We’ve run into a lot of pushback from incumbents, who aren’t comfortable with new technologies coming in, and the current process gives these companies an effective veto. That’s because the military is very dependent on those contractors to operate their systems for them.”
That wasn’t an issue under the DIUx process, because the Army — the contract’s ultimate customer — worked directly with the Tanium’s engineers to figure out whether its products would work on its networks, starting with a prototype contract DIUx brokered in early 2016.
Kahn argues the process was still competitive, because the Army and DIUx only selected his company after describing what the service wanted out of a computer security monitoring product and inviting various companies to submit white papers. But he said it represented a massive difference from the traditional IT acquisition scheme, in which program offices and vendors spend months or years exchanging formal written documents throughout the course of multiple requests for information and requests for proposals.
“They actually came up with real-world use cases in a really short period of time and said, ‘These are the problems that we have that we want to see if you can help us with.’ We did that, and we did it really quickly,” he said. Tanium’s software was deployed on hundreds of thousands of Army computers during the pilot phase.
“When DIUx changes the speed of things and lets you do that production pilot, you cut through a lot of risk of things for DoD, because they can see right away whether it works in their environment,” Kahn said. “And then on the back end, you can still compete among other vendors who do similar things, you can still compete among resellers to make sure you’re getting a good price, there are a lot of other ways to inject competition in the process. But what you’re doing is guaranteeing that what you’re buying is going to work as advertised and do what you need.”
The $750 million figure for the production OTA contract is a ceiling, not a guarantee, but the Army has already placed its first $35 million task order to start deploying Tanium’s software across a broader swath of its IT enterprise. The five-year agreement is open to ordering by other federal agencies.
The system is designed to let Army network defenders simultaneously monitor potentially millions of computing devices to search for indications of a cyber intrusion. The company says its approach is markedly different from traditional antivirus software. Instead of watching for files that are known to contain malware, it lets cybersecurity personnel conduct deep scans of the computing activity across an entire network in a matter of seconds to see if a newly-identified hacking technique is being employed. The system also can keep detailed historical records of each computer’s processes and network activity that let defenders pinpoint the origin of an attack before it spreads to more devices.
Senior Army leaders said Monday they’re pushing toward what’s likely to wind up as the service’s largest organizational shake-up in 40 years: standing up a brand-new command to centralize many of the bureaucratic tasks required to buy new equipment.
The motivation: the Army has too many organizations that own some small piece of the Defense Department’s famously complex acquisition process, officials say, making all of the procedures that happen between the time a need is identified and the point at which the service buys a solution more complicated than necessary, and more to the point, too slow.
In creating a new “modernization command,” officials say they want soldiers to be involved in the acquisition process from beginning to end, the theory being that previous efforts have asked for feedback from end users far too late in the acquisition process, prompting changes that are difficult and expensive to make once a system has progressed too far into its development lifecycle.
“With a few exceptions, what we have is essentially a linear process — going from an idea, writing up a big requirements document and then vetting it through multiple steps — it takes years, and it’s just not going to be effective going into the future,” Gen. Mark Milley, the Army’s chief of staff, told reporters. “So we’re going to re-engineer the corporation.”
Almost everything about what the newly-engineered corporation will look like is firmly in the “to be determined” category, but the Army’s senior leaders are planning a fairly aggressive schedule.
Starting this week, Lt. Gen. Edward Cardon, the director of the Office of Business Transformation, will convene a task force to look at the current Army modernization bureaucracy and return with final recommendations on how to structure the new modernization command. The recommendations are due four months from now, and the new command is supposed to be up and running by next summer.
At the end of the process, the Army wants to have all of the organizations that currently have a hand in developing and fielding new capabilities under “one roof,” said Ryan McCarthy, the acting secretary of the Army.
“We want to enable rapid prototyping, accept failure early, insert the end-user early in the process and keep them engaged throughout,” he said.
The changes are most likely to affect the current acquisition roles performed by Army Materiel Command, Army Forces Command and Army Training Doctrine Command, some of the largest organizations that currently have a large hand in defining the Army’s requirements and managing their sustainment costs long after acquisition decisions have been made.
“We look at this as a restructuring, not creating something new,” McCarthy said. “It’s merging roles and responsibilities together in the way you’d merge companies, or divisions within a company. When the economy changes, a company divests capabilities it doesn’t need, it merges to get economies of scale to fuse people and information so that it moves faster. We haven’t done that in 40 years. We haven’t even looked at it. What we’ve done periodically is put pieces in place: we created the Army Research and Development Command, we created the Army Capabilities Integration Center and other things. We’ve upgraded the pieces, but fusing them together to make the system go faster is our goal in this particular case.”
Whatever Cardon’s task force decides, it will not do much to change the chain of command for the Army’s senior civilian acquisition leadership: program managers and program executive officers will still report to the service’s assistant secretary for acquisition, logistics and technology; that person will still be the Army’s gatekeeper that controls when programs are allowed to move beyond major milestones, a circumstance that’s mandated by law.
Although McCarthy deferred most questions about what the new modernization command will actually do until Cardon’s team completes its work, he said it would need to incorporate new “cross-functional teams” that focus on the Army’s top six modernization priorities: long-range precision weapons, a next-generation combat vehicle, future vertical lift platforms, missile defense, and a better-protected and more mobile tactical network.
The push for a new command builds off of two directives McCarthy signed within a few weeks of being confirmed as undersecretary of the Army, and Milley said some of the initiatives had been underway for several months before that.
One ordered the acquisition community to begin to develop new procedures to shave two years off of the requirements development process, which currently takes between three and five years, and to create pilot versions of the cross-functional teams the Army wants to use in the new command.
A second was focused on improving talent management within the Army’s acquisition community.
“We want our people to have an appropriate set of experiences,” he said. “We want our program managers and officers to have fellowships with industry, masters degrees within certain disciplines. It’s also about the tenures for people in program management. We’re looking at tours of three-to-four years, so more continuity and the right set of experiences so that they have a broader perspective than the ones we’ve had previously.”
Despite what may have been the best of intentions over the last several years, the Navy, like the rest of the Defense Department, has struggled mightily to migrate its systems to the cloud over the last several years. Although most of its public-facing websites have made the move, all but about 20 of its internal applications are still operating in legacy Navy-owned data centers.
But officials say they’re taking several steps over the coming year that are meant to remove cloud transition bottlenecks.
One is to expand the number of cloud options available to Navy commands and system owners. As of now, the service still has just one broadly-available commercial cloud contract: the limited-scope agreement for Amazon Web Services that’s allowed it to migrate all of those public websites.
But the Navy expects to make a much larger “enterprise” contract award by June 2018 with the explicit purpose of accelerating cloud adoption throughout the service, said Dan Delgrosso, the technical director for the Navy’s Program Executive Office for Enterprise Information Systems. A draft request for proposals should be released to industry before the end of this calendar year.
“We have about 1,200 applications and systems scattered all across CONUS and overseas. Our job over the next five years is to fix that,” he said, at AFCEA Northern Virginia’s annual Navy IT Day. “Our goal, our position, is to move 100 percent of them to the commercial cloud. That means Amazon, that means Microsoft, that means Google, IBM and so on and so forth. We recognize the fact that that may not be the case for some of the applications and systems that are out there, but our default position is 100 percent of it will move to the commercial cloud.”
The Navy intends to release a draft request for proposals for the new enterprise cloud contract by the end of this calendar year, and wants the new vehicle to offer a wide variety of options, including infrastructure-as-a-service, platform-as-a-service and software-as-a-service. In addition, its San Diego-based SPAWAR Systems Center-Pacific awarded a cloud contract in September that the service intends to use for DevOps.
Officials have previously said they intend to treat 2018 as a “bridge year” during a five-year plan to move most systems (up to and including top secret ones) to commercially-operated cloud environments by 2021. In 2018, the Navy has enough capacity in its existing arrangement with Amazon (and Red River, its current cloud systems integrator) to move 50 more applications to the cloud before it starts to leverage the larger contract it plans to sign next year.
The Navy is also using the bridge period to tightly define its cybersecurity requirements for future cloud migrations, including by drafting new, standard contract language that will have to be incorporated into each of its cloud agreements with industry. Rear Adm. Danelle Barrett, the Navy’s new chief information officer, is leading that project.
“We shouldn’t have a whole lot of cloud contracts, because it gets real complicated in terms of responding to cybersecurity incidents, and less is more, but the contract language will put the service providers on notice that it is still our data even though it’s in your environment,” DelGrosso said. “At the same time, there will be a very close partnership with these providers in terms of being able to see our logs, being able to hunt, being able to do incident response in partnership as though we were sitting right next to them. In fact, I would not be surprised if there comes a day when we are physically sitting side-by-side with our providers watching our data in the cloud.”
Long before things get to that point though, the Navy needs to develop more of its own internal technical expertise on cloud computing, something DelGrosso said is sorely lacking at the moment and that will also have to be incorporated into future cloud contracts.
“Let’s just talk reality here: we don’t have a very deep bench when it comes to cloud experts inside the Navy. We have engineers at our warfare centers, we have some others scattered around that kind of know cloud, but don’t really know cloud. There’s probably a handful of those in the Navy,” he said. “So we’re going to put training in our cloud contracts, because we need to. The intelligence community does that today, and we’re going to replicate that.”
The intention is to disperse those newly-minted cloud experts broadly across the service so that the Navy has a multitude of entry points to help commands transition their systems to the commercial cloud.
Until this point, the Data Center and Application Optimization office within PEO-EIS has served as the Navy’s sole cloud broker. DCAO has been in charge of providing system owners with technical advice about how to transition their legacy applications to the cloud or other data center environments, and, at one point, planned to open its own “cloud store” to serve Navy customers with multiple service offerings from multiple commercial vendors.
But DCAO’s broader menu of cloud options never came to fruition, and DCAO itself will shut down in 2018 once it’s finished its primary mission of moving applications out of 118 data centers already targeted for closure.
After that, the Navy will move to a fee-for-service model in which it envisions a “franchised” network of cloud brokers working within various commands and functional areas to help system owners procure cloud services and migrate their systems. The Navy’s CIO office will oversee the decentralized model.
“We’re going to learn as we go, we’re going to work with DoD on how they’re doing business try to align with that to the greatest extent possible and then we’ll go from there,” DelGrosso said. “The goal between now and the end of 2018 is to build the landscape, build that highway for the app system and functional area managers to succeed from 2019 and beyond, until all of our data, to the greatest extent possible, is in the cloud. There will be exceptions, but those exceptions will have to show due diligence as to why someone or something or system cannot go to the commercial cloud. We are going to be very, very particular about that.”
|Jan 22, 2018||Close||Change||YTD|
|Closing price updated at approximately 6pm ET each business day. More at tsp.gov.|