The Defense Department has been talking about the Cybersecurity Maturity Model Certification (CMMC) standards for more than three years.

And while the final version 2.0 standards aren’t going to be ready until next summer, the impact of just talking about improving cybersecurity among contractors is real.

Stacy Bostjanick, the chief of implementation and policy and deputy CIO for cybersecurity for the Defense Department, said contractors are definitely more accepting of the need to protect their data. But, she quickly admitted, they may not have fully embraced CMMC.

“The 7012 [Defense acquisition regulations] clause started that in earnest in 2013. We got a ton of pushback and finally got it into a rule in 2017. And then after that, we had a few incidents like SolarWinds, the Colonial pipeline, and now people are like, ‘Oh, yeah, maybe people are coming after me. Oh, maybe it is an issue,’” Bostjanick said at the recent AFCEA NOVA Small Business IT Day.

Dr. Kelly Fletcher, the principal deputy chief information officer for the Defense Department, said the current approach, based on self-attestation, creates a potentially unleveled playing field for contractors who choose to take the right steps to secure their data and those that just say they do.

“We know we have totally divergent compliance. If you’re complying now with what is in your contract, you’re competing against folks that aren’t, and I think CMMC is trying to get after that,” Fletcher said. “I don’t think CMMC is perfect. I think any solution we come up with isn’t going to be perfect. But it is our first attempt to get after that.”

25% of DIB met cyber requirements

While the problem may not be new, the data collected by the Defense Contract Management Agency (DCMA) shows just how troubling it is.

John Ellis, the technical directorate’s software division director at DCMA, said out of 300 assessments the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) did over the last few years, only 25% of the companies were compliant with the 110 requirements in the National Institute of Standards and Technology’s Special Publication 800-171.

“If roughly 25% of companies were fully compliant when we assess them, now, if you extrapolate that across the DIB, that’s why we’re informing some of the decisions. So if what CMMC is going to do for us in the future that we can’t do today is what we do today is largely a post-assessment activity. There are holes in those mechanisms, things are not fully implemented,” Ellis said at the Coalition for Government Procurement spring conference in Falls Church, Virginia. “CMMC is going to let us address some of that stuff that does lead to stronger prevention of ransomware attacks because it’s going to require companies to become far more fully compliant. If 75% of your companies can’t meet the requirements and they’re required to meet all of those before they can be awarded a contract, what does that mean, in terms of who can compete for contracts? It doesn’t bode well.”

Ellis said the DIB’s shortcoming based on their assessments and the need to bring more companies up to par faster is why DCMA is launching the early adopter program for CMMC. This is for defense companies to work with certified third-party assessment organizations (C3PAOs) before the CMMC 2.0 is finalized. Ellis said DCMA auditors would look over the C3PAO’s shoulder and offer feedback and insights, but not an official DIBCAC review.

“We started the planning for the early adopter program a couple of months ago, but we haven’t started the assessments yet. I expect us to start them later this summer,” Ellis said. “The assessments are on site, but also include a lot of coordination ahead of time with the company, the C3PAO and our folks. It’s a 45-60 day process that happens at the company’s site.”

Ellis said the C3PAO and the DCMA auditors will conduct a medium or high confidence assessment, which is more like a document review, where they, with the company, to through the system security plan to ensure that they’ve documented their requirements in a way that that articulates that they understand the requirements.

Benefits for DoD, vendors alike

The early adopter program is part of several ongoing initiatives DoD is pursuing to get a head start on CMMC. Bostjanick said earlier this year that DoD will do a series of tabletop exercises to test out the cyber standards.

Bostjanick said the early adopter program benefits the C3PAOs, DCMA and the DIB because all will get experience with CMMC standards.

“You will be given a DIBCAC high assessment in supplier performance risk system (SPRS), and our intent, which means our hope because lawyers told me we can’t promise anything because rulemaking is that, when CMMC becomes a thing, either as an interim thing next May or a final thing the following May, that companies certifications will still be good for an additional three years,” she said. “One of the things that you’re going to see in CMMC 2.0 is each company has a requirement to do an annual affirmation. Which states ‘Yep, I’m still good. I’m still in compliance. Nothing has changed. Nothing has caused me to go out of compliance. I affirm I still meet the requirements.’”

Ellis said there are about 20,000 companies in SPRS today and if, based on the DCMA review of about 300 companies, approximately 75% are not in compliance with the 110 controls detailed in NIST 800-171 today, there is a lot of work that still needs to be done.

“The data is in SPRS says the opposite. We see an awful lot of scores that are very, very, very high, and we’re a little concerned about that for a couple of reasons,” Ellis said. “One, we’re concerned about companies not really doing the things that they said they were going to do. And two, it gives a false sense of security both to the companies and to the government in the procuring activities that are relying upon that information.”

DoD is facing similar questions about its own systems’ compliance. A recent Government Accountability Office highlighted in late May the Pentagon’s struggles in meeting the same NIST 800-171 standards for internal systems.

Ellis said DCMA started reviewing about 300 contractors’ compliance to the NIST standards in 2019 and the hope is that those companies that were among the first, would be part of the early adopter program.

He said the NIST reviews alone have improved vendor cybersecurity.

“We had one company that was in the negative 200 range and now they are in the mid-two digit range, meaning they have improved remarkable over the last few years,” he said. “It’s really important that folks understand, this is not meant as a threat. We’re looking at it to derive knowledge and insight. We’re going to anonymize the results, unless we were to stumble into something that’s fraudulent and then that’s a whole another can of worms, by the way. But what we will do is share that information of what we learned with the companies that we’ve assessed so that people can see the goodness of the information that’s actually in the system. It should inform both government folks and quite honestly, it should inform the DIB. You don’t ever want to be in a position where you think you’re much better than you are, and then either the DIBCAC shows up or a C3PAO assessment is conducted, and you find that you’ve missed the mark, significantly. That’s not good for you as a company. And it’s certainly not good for us to rely upon somebody that doesn’t have that understanding.”

To prepare for the influx of work coming from CMMC, the DIBCAC is staffing up. DCMA plans to grow its staff in the DIBCAC to about 150 employees from 50 a few years ago.

But that preparation focused mainly around kinetic warfare where Marines or soldiers would have to face an enemy that was, relatively speaking, close and understood.

Todd Harrison, a senior associate in the Aerospace Security Project and Defense Budget Analysis for the Center for Strategic and International Security (CSIS) wrote in a 2021 report that “For some types of non-kinetic attack, third parties may not be able to see that an attack has occurred, or the party being attacked may not know right away who is attacking. For these reasons, non-kinetic attacks may be perceived as less escalatory in some situations, although this remains a point of debate. It can be difficult to determine if some non-kinetic forms of attack are effective, particularly if the effects are not publicly visible. And some methods of attack — such as exploiting zero-day vulnerabilities in a cyberattack — may have a limited period of effectiveness before an adversary develops defenses against them.”

The non-kinetic attacks are not limited to just weapons systems, but logistics to move supplies and troops, communications to make data sharing more difficult and GPS jamming and spoofing.

Today, the Marines are preparing for an environment that is disconnected, denied, intermittent and/or with limited bandwidth (DDIL) where the enemy could be hundreds of miles away, behind screens and impacting both kinetic and non-kinetic capabilities.

The Marine Corps awarded General Dynamics IT (GDIT) a task order under the Defense Enterprise Office Solutions (DEOS) contract to test out how they can receive Microsoft Office capabilities both on-premise and in the cloud in a classified environment approved at the secret level.

The Defense Information Systems Agency and the General Services Administration awarded GDIT the 10-year DEOS contract that has a $7.6 billion ceiling in August 2019. DISA began migrating users to DEOS in January 2021 after protests and corrective action delayed the implementation.

Navy leading DDIL working group

Jim Matney, vice president and general manager of the DISA and Enterprise Services Sector for GDIT’s defense division, said in an email to Federal News Network that GDIT already is supporting an unclassified environment for these services that is rated at impact level 5 (IL5). He said through this proof of concept that mainly will be done in a lab environment, the Marines will be able to see how the enterprise collaboration tools can work in DDIL environments.

The six-month project is worth under $1 million.

The Marine Corps Tactical Systems Support Activity (MCTSSA) has put together a DoD DDIL lab environment where GDIT will evaluate these proposed architectures and developed capabilities.

GDIT says it also will partner with Microsoft to test capabilities, investigate scenarios and provide applicable recommendations for mission partners deployed in a DDIL environment.

“[T]hese collaboration services must also operate on-premises. As cloud service providers are providing more software-as-a-service (SaaS) offerings to support collaboration, such as Office 365, users must have access to the cloud to leverage these capabilities,” Matney said. “The challenge then becomes ensuring the on-premises solution used to support DDIL in an outside the continental U.S. (OCONUS) environment can interface with the enterprise capability that is being used in CONUS.”

Matney said the on-premises collaborative capabilities, such as Microsoft Exchange, Skype for Business and SharePoint, must remain and integrate with the cloud-based services.

GDIT says the proof of concept will include testing several different scenarios to access capabilities including word processing and spreadsheets, email and calendar and file sharing and instant messaging.

All of this is helping the DoD figure out how to deploy DEOS in DDIL environments, where reliable and timely connectivity to warfighters at the tactical edge is critical.

Refine requirements, develop use cases

This task order proof of concept with the Marines is part of the DoD chief information officer’s effort to find technology capabilities that provide seamless operations in denied, degraded, intermittent and limited bandwidth environments.

In 2021, the DoD CIO designated the Department of Navy CIO as the executive agent to lead a cross-service joint working group focused on DDIL.

“These low bandwidth and high latency conditions are prevalent at the tactical edge and experience regular disconnects from the broader network, including cloud services, often for substantial periods of time,” the DON CIO’s office wrote in late 2021. “Network server software and hardware exist at the tactical edge to provide critical IT services and data in these DDIL environments, along with a variety of spectrum communications and unclassified and classified network transports leveraging satellite links and low-Earth Orbit (LEO), Wi-Fi, cellular/4G LTE, millimeter wave/5G and others.”

The working group is leaning on industry for help in refining DoD requirements and use cases to develop standardized architectures and capabilities in these austere environments.

“These tools operate as a hybrid capability, which will allow users access to the full feature set when cloud connectivity is available, but remain productive locally within the DDIL environment,” the DON CIO wrote.

Matney said GDIT is currently supporting multiple agencies across the DoD, civilian, and intelligence sectors with on-premises collaborative capabilities that may be considered and tested as potential DDIL approaches.

The challenge that the Marines are trying to solve isn’t just a Marines or DoD challenge. It’s one nearly every agency from the departments of Treasury to Homeland Security to Justice face. And with so much dependency on email communication and collaboration tools, having access no matter the network environment is critical.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Army is expecting fiscal 2023 to be a big year for its digital transformation efforts.

The question, as with most agency programs, is whether Congress will deliver on the Army’s budget request.

“Fiscal 2023, for us, is that year of inflection when it comes to our digital transformation journey,” said Raj Iyer, the Army’s chief information officer, during a press briefing on June 9. “We need to make sure that the investments that we have are appropriately aligned to the Army’s priorities and to the Defense Department priorities, quite honestly through the release of the National Defense Strategy.”

The Army will have to support those priorities, as Iyer and Lt. Gen. John Morrison, the Army’s G6, laid them out in the October digital transformation strategy, through mostly a flat budget request and buttressed by savings from IT modernization efforts.

Iyer said the Army’s IT and cybersecurity budget request is $16.6 billion in 2023, which is the largest of all DoD services. The request makes up slightly less than 10% of the Army’s total budget request of $180 billion.

This was the first time the Army detailed its 2023 IT and cyber budget request since President Joe Biden sent his spending wish list to Congress in March.

Inside that $16.6 billion request is $2 billion for cybersecurity, including offensive and defensive operations, network operations and research and development.

Iyer said the bulk of their IT and cyber investment will go to network support and modernization.

“This is about $9.8 billion. This is clearly supporting all the way from the tactical edge, including the support of current operations, all the way to investments we’re making the cloud,” Iyer said. “Gen. Morrison has spoken about the unified network at a number of events…but 2023 really is also our opportunity to scale our cloud efforts that we have made some tremendous progress in 2021 and 2022. We’re seeing about a $290 million investment in cloud in 2023 to continue to further our cloud migration journey. There’s some tremendous activity across the Army right now in terms of operationalizing the cloud that we’ve established in what we call c-Army.”

Spending less on legacy technology

The Army also is asking for about $220 million for artificial intelligence and data related initiatives.

Iyer said he expects his operations and maintenance (O&M) budget to support current and legacy IT to be slightly lower in 2023 compared to this year as well.

Over the last few years, the Army has been on a path to reduce reliance on old technology and consolidate tools.

Iyer said by moving to Office 365 and through other consolidation efforts, his office has found money to reinvest in modernization.

“One is the convergence of our networks as part of our unified network strategy. We’re looking at converging 42 networks across the Army into that single, unified network. What that will do really is start to consolidate all of the tools into a common service catalog, get us to a common set of processes and to standardization across the network. That will inherently result in in cost savings into 2023,” Iyer said. “Beyond that, there’s some other things that we have done in terms of reducing our bills for 2023 based on our current spending. One of them really is the recent decision to complete or finish out our enterprise IT-as-a-service pilots. We had three contracts in place at three pilot locations that we had selected. Most recently, based on the results and the lessons learned, we have come to a conclusion that we have good data in order to be able to deploy some common services that are cloud enabled across all Army locations worldwide.”

He said O365 is one example of those services. He said his office deploy a standard virtual desktop infrastructure as well in the coming years.

Morrison added that some of the decisions to find savings means getting rid of technology altogether like video teleconferencing hardware and software since the Army can use the capabilities through O365.

“As enterprise capabilities come online, we just need to be ruthless in our governance of it to make sure that we did keep the best of legacy capabilities and we don’t hang on to something just to hang on to it,” Morrison said. “I think we are putting the mechanisms in place to really start getting after that. We’re continuing to shut data centers. We are continuing to leverage the great capabilities that come with c-Army. We’re not doing it at the speed and tempo that we probably can. And quite frankly, Dr. Iyer and I had a discussion just earlier [on June 9] about reinvigorating those efforts because even though we’re past what the goals that had been set for the Army from an efficiency perspective, but I would submit to you more importantly from an operational effectiveness perspective, we need to move a little bit faster and harmonize with this hybrid cloud operational environments. That will only drive us faster toward data centricity. It will only drive us toward a unified network that can support multi-domain operations.”

5 ERPs, 150 support systems

One of Iyer’s biggest and boldest priorities for 2023 that, over the long term, should result in significant cost savings is modernizing the Army’s business systems.

The Army plans to spend $1.4 billion on maintaining five enterprise resource planning (ERP) systems for financial management, human resources and the like as well as 150 support systems.

Iyer said many of these ERP and related systems are more than 20 years old and ready to be updated and moved the cloud.

The Army has been focused on reducing and modernizing its business systems for the last decade. In 2017, the service reported it cut the number of business systems to 400 from 800. In 2020, it upgraded the General Fund Enterprise Business System to be more of a shared service for other Defense agencies and had plans to take the system to the cloud.

“Our marquee effort in 2023 is going to be our implementation or initial prototyping for our new enterprise business systems convergence,” he said. “We’re trying to converge them into a single architecture or into a single system if we can. If we have one integrated capability, then, more importantly, the data that we can pass across that spectrum of operations for analytics. It is a massive, multi-year modernization effort. We fully expect that it will be as high as 10 years for us to get to that modernization effort. But the approach that we’re taking isn’t a big bang approach that we’ve typically used in the past. This is going to meet be more of an evolutionary modernization approach.”

Along with the budget request, Iyer said the Army will take another key step this summer when the Program Executive Office-Enterprise Information Systems (PEO-EIS) will release a call for white papers under an other transaction agreement (OTA) approach to better understand what industry has to offer.

“Since we are going to use an OTA process for this acquisition, there is going to be a lot of interaction with the industry to figure out what’s out there that the Army can adopt rapidly, as well as, ensure we have a future proof architecture,” Iyer said. “We expect to award multiple prototypes in early 2023. These would run anywhere from 12-to-18 months. Then at the end of that effort, just like any OTA, we will get to a production contract by down selecting one of those prototypes to be our production solution.”

Iyer said while the OTA will not be prescriptive, the Army wants to see how industry responds with ideas that include using a modular architecture, supports data exchange through application programming interfaces (APIs) and micro services and is cloud native.

“We’ll be looking at how flexible the solution will be in terms of its ability to implement Army unique processes wherever we have them, without the need to customize commercial off the shelf products,” he said. “This is going to be evolutionary modernization as we are doing this in an agile approach. We will let the functional priorities define what those increments will be, and then we will look at the risk profile to look at how quickly we can get those turned on. That will determine the level of funding and the timeline for implementation. From an implementation perspective, one of the things that we’re going to we’re going to be pushing an industry for is to truly do this using dev/sec/ops and in an agile manner, which means that we are looking for functionality to be available or released to users on rapid sprints, not taking years to do this. This is all about getting functionality in the hands of the user rapidly through agile development.”

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Ask the CIO on Apple Podcasts or PodcastOne.

The impact of the Defense Innovation Unit shouldn’t be measured in the number of agreements awarded or the amount of dollars obligated. Both, by the way, are breaking new records each year.

Rather, the impact of DIU should be measured in number of problems it helps solve for the Defense Department.

Mike Madsen, the deputy director of Defense Innovation Unit, said one of the best examples came during the early days of the COVID-19 pandemic. DIU was overseeing the development of a new application called the rapid the assessment of the threat environment (RATE).

“It was a prototype used to predict when men and women in uniform are going to come down with an infectious disease like flu. This was pre-pandemic,” Madsen said on Ask the CIO. “Those kinds of things that would impact readiness and can spread potentially through your organization. Well, we were almost complete with that prototype when the COVID pandemic started. Instead of going back through a requirements process, we just pivoted, and applied it to COVID environment and ran the prototype of RATE in the COVID environment.”

Madsen said about 10,000 service members participated and the app collected data from devices like wearable watches and other on-person devices.

The application detects biometric measurements of various the service members and feeds the information into a database where it applies artificial intelligence to predict when folks would get sick.

“We were able to perfect it to the point where we were able to identify folks who are going to get sick with COVID 48 hours before testing or symptoms indicated that they actually had COVID,” Madsen said. “From a unit perspective, if I’m a commander, now I have awareness of someone who is potentially going to bring that into the larger unit and we can pull them out, isolate them before they’re even infectious. From our DIU operations perspective, [the pandemic] was relatively seamless, but there were opportunities to help leverage commercial technology to solve Defense Department problems.”

Record year in 2021

Solving those problems for warfighters is DIU’s ultimate goal, and that by which is the organization constantly is proving its value.

Madsen said this is why DIU is always looking for the companies that are on the leading edge and doing innovative work that could help some solve some of DoD’s biggest challenges.

Since 2016, when DoD launched the innovation office, it has awarded 279 contracts and brought in 240 non-traditional vendors, based on the definition in the law.

In 2021, DIU published 26 solicitations for commercial solutions for which it received 1,100 proposals. The solicitations on average received 43 proposals each.

DIU says 86% of companies that have received awards are considered nontraditional vendors with 73% being small businesses and 33% being first-time DoD vendors.

Madsen said 2022 also is looking strong. As of March, DIU has awarded $1.5 billion in total contract value. Between 2016 and 2021, DIU obligated $893 million.

“What that tells me is that we have proven our value to our DoD partners as a way to rapidly bring in that commercial technology to bear on DoD problems and provided our return on investment to them,” he said. “It also tells me that not only have we proven value to our DoD partners, but we’re proving value to our commercial partners as well as a way to simplify that process of working with the department. So we’re pretty excited about that.”

Madsen said DIU is seeking to continue to improve its process and prove its value. He said currently it takes about 100 days to award a prototype, but DIU would like to get that timeline down to as little as 60 days.

“We increase the transparency with a commercial partner. We increase competition for our DoD partners, lower the time the vendor has to obligate to the solicitation,” he said. “We’re able to get more solicitations in, which is great because we can cast a pretty wide net. We’re able to use our commercial engagement team to go out into the ecosystem and really understand where is that that large magnitude of commercial investment taking place in the technology ecosystem, who are the companies that are really on the leading edge and doing really some of the fantastic innovation and development in that areas that we think are going to help some solve some of DoD problems.”

Expanding DIU’s reach

DIU is expanding its reach with offices in Silicon Valley, in Mountain View, California, in Austin, Texas, Boston, Washington, D.C. and the newest regional office in Chicago.

The reason for the six regional offices is two-fold. First, DIU wants to search out companies that are outside the typical technology corridors. Second is to promote more competition.

“We also accelerate cooperation. In this era of the broader strategic competition, demands collective cooperation so we are shifting to a regional focus to align government innovation entities within those geographic regions to make sure we’re getting the best technology from across the country, not just the technology hubs,” Madsen said. “We want to find the best technology that the U.S. has to offer. We also want to demystify the complex procurement process. If we can get all the government innovation folks together and rowing in the same direction, and engaging with our commercial partners, in one voice that it’s going to help us demystify that.”

Over the last few years, DIU has moved several projects that are showing promising results in the prototype phase.

Madsen highlighted the development of a 5G tactical network for the California Air National Guard.

“We’re able to rapidly set up a secure 5G mesh network for humanitarian assistance, disaster relief and first responders. If you think about forest fires, now we’re able to set up a very rapidly a 5G network for cellular coverage for those folks that is discreet and secure for them to continue executing their activities,” he said. “We’re using AI for predictive maintenance. The commercial sector saw this a long time ago, not just the airline industry, but other industries that use very, very expensive machines with a lot of moving parts and failure of any of those parts would result in a catastrophic outcome. What we’ve been able to do is apply predictive maintenance using AI to multiple platforms across the Air Force. We’ve seen an increase in machine capable rates and a decrease in unscheduled maintenance time. We are looking to continue scaling that one across all the platforms.”

A third example is around drones and making sure they are both built securely from a cyber perspective and by American-owned companies.

“We’ve had several prototypes with the Army that resulted in CyberSecure drones,” he said. “We were able to field those in less than 48 hours in response to the humanitarian refugee situation in Germany when the US pulled out of Afghanistan.”

Sharon Woods, the director of the Host and Compute Center at DISA, said her team successfully transitioned 120 accounts off of milCloud 2.0 ahead of the June 8 deadline. Of the 120 accounts, 95 were on milCloud 2.0 and the rest were in a commercial cloud already and didn’t need to be transferred.

“Of the 95, 60 of those went to Stratus, DISA’s private cloud offering, 18 of them went to commercial cloud, and then there were 17 whose accounts they just let expire. They were typically research and development or sandbox environments that had already served their purpose. In total, it’s over 1,700 terabytes of data and 820 virtual machines,” Woods said in an exclusive interview with Federal News Network. “milCloud 2.0 is sunsetting and milCloud 1.0 is sunset as well. That, as a capability, no longer exists. For Stratus, we did consume some of that very basic underlying infrastructure of milCloud 1.0, but then immediately layered on a lot of new capabilities so that it became a new capability unto itself.”

DISA’s decision in December to end its milCloud relationship with GDIT was surprising and unexpected. DISA awarded a contract to CSRA in June 2017 to develop and run the commercial cloud offering. GDIT bought CSRA in April 2018 for $9.7 billion. The milCloud 2.0 contract included a three-year base with five one-year options, and it was worth as much as $498 million. This June would have been the third option period for the program.

Woods said the self-imposed six-month deadline created an urgency that required people and resources from across DISA to help meet.

“I think some of the things that helped make this work was when I say it was an all hands on deck within DISA, it wasn’t just the team that historically had worked on milCloud 2.0, we surged a lot of our personnel in order to help customers do this,” she said. “We know that this was difficult for customers to receive, this was not desired news. So DISA really made a commitment to serve as many people as possible to try and alleviate as much burden on the customers themselves. We’ve had relationships with all of these customers for years. We know their capabilities and we know their applications. With us having more resources at the table, I think that was really key in making the transition, and our customers were all so collaborative. That is also something that I think was a key driver in the success.”

There were some applications that Woods and her team weren’t sure could transition in six months. While she wouldn’t offer any specifics, she said some customers with an “enormous amount of data in their applications” took more effort, especially those that were on outdated or legacy versions of software.

“I will admit that we were a little nervous about the timing because of how much data was in certain applications,” Woods said.

Of the 18 workloads that went to a commercial cloud, it was a final step the services or Defense agencies had been preparing for over the last few years to get the applications “cloud ready.”

“I see that as a positive move, if commercial cloud is the right environment for a mission partner, then that’s where they should be to meet their requirements,” she said. “At the Hosting and Compute Center, one of our key philosophies is being an honest broker. So sometimes that means consuming an offering that we’re providing, like Stratus as a private cloud environment, but other times it may mean going to a commercial cloud provider. We have the expertise to help guide customers in the different ways they could meet their requirements and which ones might be the best for them.”

DISA refunding money still a question

One big question that emerged after DISA’s decision to sunset milCloud 2.0 was what would happen to the funding already transferred by DoD customers to pay for the services.

Woods said for the 60 workloads that went to Stratus and the 17 that sunset altogether, there were no refund questions or challenges. But for the 18 that left DISA altogether, she said her office is working through the specifics around the period of performance and funding type for each particular task order.

“They may end up returning money, but I don’t have the exact numbers. We’re still just finalizing the exact numbers, but we’ve been working on that with them since the very beginning,” she said. “We have done everything we possibly can to make sure that customers have control over their funding. And I mentioned this before, this was a surprise and unexpected announcement to the customers. So DISA searched every resource that we had to be creative and figure out how to make this work for customers.”

The National Security Innovation and Industrial Base (NSIB) is the bedrock upon which American military strength is built, drawing its strength from the economic power of the U.S. economy. In recent years, however, a strange and disturbing trend has emerged. The NSIB is becoming detached from the greater U.S. economic base as private industry increasingly opts not to work with the federal government in general, and the Defense Department in particular.

According to the Government Accountability Office, from fiscal 2011 to fiscal 2020, the number of small businesses receiving DoD contract awards decreased by 43% even as obligations to small businesses increased by approximately 15%. GAO stated that the phenomenon extends to all businesses, finding that the number of larger businesses receiving contract awards fell by 7.3% per year on average from 2011–2020.

According to Blomberg, “The federal industrial base is shrinking even as contractors are asked to respond efficiently to increasingly complex requirements and crises … A decade-long, 23% increase in contract spending since fiscal 2012 means larger and fewer contracts are going to larger and fewer companies.”

The decline in industry participation in the government marketplace stands in sharp contrast to the overall U.S. economy. U.S. GDP grew by 34% from 2011 to 2020 and the total number of businesses increased 7% from 2010 to 2019.

This drifting of private industry is occurring precisely at a time that the federal government increasingly relies on commercial technologies. In 2022, DoD’s list of 14 critical technology areas vital to national security identified only three that are defense-specific: hypersonics, directed energy, and integrated sensing and cyber. The other 11 technologies are either the result of “existing vibrant commercial sector activity” or emerging technologies being developed in the private sector or in collaboration with the DoD. The 2018 National Security Strategy noted, “technologies that are part of most weapon systems often originate in diverse businesses as well as universities and colleges.”

As ominous as the foregoing recitation of the state of affairs is, the situation is perhaps even more dire. At the same time the federal government is losing access to leading commercial solutions, those companies committed to remaining in the NSIB are hamstrung by statutes and government policies that inhibit innovation, efficiency, and speed. Members of the NSIB, such as traditional defense contractors, are at a severe disadvantage when competing with industry for high-skill talent critical to innovation, dedicating internal resources to R&D, and staying ahead of the technology and innovation curve.

In some cases, the U.S. is behind the technology curve and needs innovation and R&D in the NSIB to catch up to potential adversaries, such as in hypersonics, as Gen. David Thompson, Vice Chief of Space Operations, admitted at the Halifax International Security Forum in October 2021 when he stated “We’re not as advanced as the Chinese or the Russians in terms of hypersonic programs.”

Despite this reliance on commercial capabilities and the need for NSIB innovation, defense acquisition and business processes continue to become more complex, more heavily regulated, and out of synch with the private sector. The consequences are that DoD and other national security agencies are not harnessing the most advanced technologies and capabilities that commercial markets and the NSIB can offer, while at the same time, many of our competitors and potential adversaries are.

DoD, to its credit, recognizes the need to expand the base, writing in the recent report, “State of Competition within the Defense Industrial Base,” that to “counteract the trend of overall shrinking of the DIB, DoD should endeavor to attract new entrants to the defense marketplace by reducing barriers to entry. This will be accomplished through small business outreach, support, and use of acquisition authorities like other transaction (OT) authority and commercial solutions opening (CSO) that provides DoD the flexibility to adopt and incorporate commercial best practices to reduce barriers and attract new vendors.”

Unfortunately, “outreach” is not the problem, and other proposed DoD solutions do not address the root causes of what is happening. As the largest buyer on the continent (and perhaps the world), companies of all stripes are well aware of the buying power of DoD. They also, however, are aware of the challenges in working with the department. Increasing the use of different contracting vehicles like other transactions, while a positive step, is not a solution. In addition, as DoD slowly puts more regulation and bureaucracy on OTs, middle tier authorities, and other flexibilities, the value proposition of these contracting vehicles decreases.

The most important step to reverse these trends and strengthen, expand, and revitalize the NSIB is for DoD (and Congress) to understand that it has the largest impact on the NSIB and marketplace behavior. As Secretary of Defense Lloyd Austin said at the Reagan Forum, “for far too long, it’s been far too hard for innovators and entrepreneurs to work with the department.” Until the federal government looks inward and matches policies to the realization that it cannot dictate to industry the terms of contracts, DoD will often get what it pays for: Less innovation, less access to leading commercial companies, fewer commercial capabilities incorporated into national security capabilities, and a loss of ground in the race for technology overmatch.

Companies eschew working with DoD for several reasons, but based on our research and experience, some of the primary, recurring factors are:

• Intellectual property (IP) rights,
• Cash flow and risk return alignment,
• Bureaucracy that slows down both acquisition timelines and transitions to scaling up contracts,
• Policies that inhibit good-business decision-making, and
• Failure to structure meaningful follow-on procurement opportunities.

Some of these factors also inhibit traditional defense contractors from being more innovative and delivering capabilities quicker, more efficiently, and at better price points. Additional factors inhibiting current members of the NSIB from being more innovative, include being unable to compete with the private sector for highly skilled workers, and adhering to poorly thought-out and developed requirements.

We believe that DoD’s report, “State of Competition within the Defense Industrial Base,” got it backwards. The question is not, to what extent are companies competing to do business with DoD? The question is to what extent is DoD, and Congress, taking steps to compete with the commercial market to induce industry to do business with it?

We use the term National Security Innovation and Industrial Base because we believe that innovation and industrial strength both matter, and the term defense industrial base does not capture the full gamut of national security, to include intelligence services and other agencies that support national security.

Moshe Schwartz is the president of Etherton and Associates

Keep an eye on the Defense Department this summer to see just how well designers of version 2.0 of the Cybersecurity Maturity Model Certification (CMMC) did.

The first real test of the revamped effort comes in the form of tabletop exercises in mid-to-late June or early July.

“We’re going to be doing some tabletop exercises where we actually fabricate a program and walk the dog, making sure we look at a proposal, that we’re looking for the right information and we’re going to have members from the Defense Industrial Base (DIB) sector participate with us,” said Stacy Bostjanick, the chief of implementation and policy in the DoD’s Office of the DoD Chief Information Officer, at the AFCEA NOVA Small Business IT Day event on May 5. “We want to hear from your perspective, whether that’s a bridge too far or that’s too hard for us. We need to read wicker it a different way to make sure that what we put together is an executable program that people can participate in and understand from the get go what your requirements are and how you have to manage and handle things.”

DoD revamped its approach to securing controlled unclassified information (CUI) in November and is going through the federal rulemaking process. These tabletop exercises, Bostjanick said, are an important step toward DoD’s goal of launching CMMC in 2023.

One big area of interest for DoD is the use of CUI. Bostjanick said contractors who hold certain kinds of CMMC Level 2 CUI will just need to do a self-assessment while others who hold more sensitive Level 2 data will need to get a third-party assessment.

“What we are working through with those tabletop exercises that we’re working on today is going to ferret out where we feel that we can bifurcate Level 2, where we have prioritized and non-prioritized CUI. If you are a company that has federal contract information (FCI), you got to do the 15 [security controls], you got to do that annual self assessment and affirm that you’re compliant to those. Then, you would have to do the self assessment once every three years,” she said. “What we’ve said when we started looking at the universe of companies because there’s about 80,000 companies that are anticipated to be CUI holders, and undoubtedly you will not be bidding on just one contract, I think the thought process is eventually everybody will end up wanting to participate on a procurement that needs a third-party certification. But if you’re lucky enough to be only in receipt of non-prioritized CUI, you’ll be able to do that.”

As for FCI, the National Archives and Records Administration’s Information Security Oversight Office wrote in a 2020 blog that “the definition of FCI which mentions information that is ‘provided by or generated for the government under a contract to develop or deliver a product or service to the government.’ In other words, FCI is more about what the government gives to you as part of the contract or what you create for them under the contract, while CUI protected under the General Procurement and Acquisition category is mostly proprietary information and sensitive information that is provided to the government and protected throughout the contracting/award process.”

Securing data is the ultimate goal

By shifting to CMMC 2.0, DoD hopes the process to secure CUI and other more sensitive data will be less onerous and more streamlined than version 1.0. In this second iteration, DoD combined five levels into three and focused on the type of data that vendors must protect and reduced the requirement for third-party assessments.

Dr. Kelly Fletcher, the principal deputy DoD CIO, said at the AFCEA NoVA event that the Pentagon understands what they are asking contractors to take on isn’t easy and will require time and patience. DoD estimates it could take two years from when the final rule is out in mid-2023 for CMMC to hit full operational capability.

Fletcher said as the program rolls out over the next year DoD, the ultimate goal is for contractors to do more to protect their network, systems and data, most immediately ensuring they meet the cybersecurity practices laid out by the National Institute of Standards and Technology in Special Publication 800-171.

“We’re writing a proposed rule change to Sections 32 and 48 of the Code of Federal Regulations (CFR). That is happening behind the scenes, there are people working super, super hard on this, but you are not going to see it. We, the DoD CIO, we’re going to submit these draft rules to the Office of Management and Budget (OMB), and then they’re going to enter into the rulemaking process,” Fletcher said. “We think that the rule will be published for public comment in March 2023. The reason that’s really important is this is public comment. You have the opportunity to comment, and we want your comments. We want you to say ‘this is too onerous. This is expensive. This isn’t onerous enough.’ We want those comments, and the way that you can do that is through the OMB website, and that’ll be in March about.”

After the proposed rule is out, and it’s likely to be an interim rule with a request for comments, DoD will start adding CMMC requirements to contracts.

Fletcher said the CIO’s office is strongly encouraging contracting offices to release requests for information and other pre-solicitation notices if the upcoming request for proposal will include CMMC requirements.

“The way that you will know that CMMC is required is when you look at an RFI and RFP or solicitation it’s going to tell you very clearly, CMMC certification is required at this level. So it’ll never be a surprise, and it’s not going to be backwards compatible,” she said.

Project Spectrum focuses on small businesses

Fletcher added that companies, especially small firms, should begin as soon as possible to prepare for CMMC no matter the level.

DoD is providing help to small companies through Project Spectrum.

Kareem Sykes, the program manager of Project Spectrum, said the initiative aims to help small firms, through their Mentor-Protégé relationships improve cybersecurity and meet CMMC standards.

He said the current pilot effort has about 13 companies but they want to expand it over the next year.

“As we get companies in, we educate them about what the [CMMC] requirements are and how it relates to them as a company. We get an idea of what they’re doing in the space and an understanding what their goals are. Are they looking for Level 1, Level 2 or Level 3? Once they have an understanding of what those encompass, we talk about cyber curriculum development. A big piece of what we do is cyber coursework,” Sykes said at the AFCEA NoVA event. “I heard a lot of talk about plan of action and milestones (POA&Ms), which obviously, under the 2.0 model will be more time bound and where companies have a little more leeway and flexibility. So to that end, as it relates to courses, we have a POA&M course, we’re hot and heavy and developing and it should be very out very, very soon.”

Sykes said participating companies need both a mentor-protégé agreement and a sponsoring DoD agency.

He said the first step for companies who want to participate is to apply for the program and complete a cyber readiness check, specifically with a focus on NIST 800-171 and CMMC requirements.

Once they are accepted into the program, then comes the training based on the results of the readiness check.

“We’re going to schedule a tech review call, want to make sure that they, in no uncertain terms, know they have access to our live cyber advisors, and then within two business days of that call, that’s when we get into the actual customized compliance plan or the training plan,” he said. “They have actionable data and information from which to move forward in their journey.”

Incentives for contractors

Additionally, Congress approved, but have not funded, DoD to provide grants or loans to companies to meet the CMMC requirements. Bostjanick said there are constant conversations about how best to help small firms improve their cyber postures.

In the meantime, companies can help offset the costs of CMMC in other ways.

“CMMC is an allowable cost. It’s a cost of doing business,” she said. “You can include that in your overhead and general and accounting rates to be able to recoup the cost that you’ve spent implementing CMMC.”

DoD also is hiring more assessors through the Defense Contract Management Agency (DCMA). Bostjanick said DCMA received funding to hire 140 new assessors for the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team, and has started to bring them on board.

“[DCMA wants to] make sure that they have the capacity to handle the CMMC Level 3 certifications. They are also the ones that are doing the CMMC Level 2 certifications for the certified third-party assessment organizations (C-3PAOs),” she said. “We are quite confident that the DIBCAC does have the bandwidth and the capability to handle anything that we are going to need in the future.”

Fletcher said despite the challenges with CMMC 1.0 and the move to 2.0, companies are understanding today more than ever why they must do a better job securing data.

“By the summer, if you know that you’re CMMC compliant, if you feel confident in your networks and you’ve done, perhaps, some of this early actions, you’re going to be super well postured for when you’re going to start seeing RFIs and RFPs that call for CMMC requirements” she said. “If it were me, I would want to be some one of the early adopters, and I think it’s going get rid of a lot of competition, although I could be wrong. I think not in the long term. But certainly initially.”

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The defense industrial base faces a lot of long-term challenges, many of which have been well documented in studies generated both inside and outside the government. But here and now concerns like inflation and the war in Ukraine have introduced a lot of new ones, ones that need to be dealt with this fiscal year. David Berteau is president of the Professional Services Council. He testified before the Senate Armed Services Committee last week on the health of the industrial base, and he joined Jared Serbu on the Federal Drive with Tom Temin to share some of those insights.

Interview transcript:

Jared Serbu: And, David, there’s a lot to talk about this week. But let’s start with some industrial base health issues since you were just on Capitol Hill last week to testify about exactly that. It was a really wide-ranging hearing, it’s worth watching, I would tell our listeners if they’ve got the time to do it. But I was struck at how much of it was focused on the here and now and the myriad issues that contractors are dealing with in this fiscal year, as opposed to just long-term health issues. What’s kind of on your radar in terms of the near term?

David Berteau: Well, thanks, Jared, and you’re right. Typically the Armed Services Committee, when they’re having their hearings at this time of year is thinking about the FY ’23 National Defense Authorization Act and the FY ’23 spending for the Pentagon. That’s six months away, five months away, really, and maybe eight months away, or 10 months away, depending how many [continuing resolutions] we have. But the reality is that in a whole host of areas, the issue is today, not next year. Two obvious examples in a quarter sort of benchmark, the whole thing is number one, lots of drawdown of US stocks of both munitions and materiel for Ukraine, not only for Ukraine, but also to send to other countries who have sent their stuff to Ukraine, typically Russian-based materiel, and we’re replacing it with U.S.-based materiel. There’s no plan for replenishing that, and really no funds for that replenishment in the FY ’22 supplemental or in the appropriations. Then at the other end of the spectrum, there’s the contractors across the board, who are seeing dramatic increases in their cost, both for material and supplies, supply chain issues and that sort of thing. But even more importantly, in wages, where we’ve seen wage growth, 8% year over year, and for a company that’s operating on a 5% margin on a contract, it’s pretty hard to absorb 8% growth in wages and still stay in business.

Jared Serbu: The munition stocks issue is kind of an interesting one, because it does point to industrial base health and the long term and the short term a little bit, I think because, and you certainly know more about this than me. But I’ve heard of a couple instances in which these particular munitions just have not been produced in so long the production lines don’t exist at the moment. So you would have to kind of restart that do some retooling. So it’s not as easy as just plugging money into the system.

David Berteau: That’s absolutely the case and even where there is an existing production line. In many cases, that production line is now for foreign military sales, which is a lesser capability, and it has some constraints on it in terms of what you can include in the system. But more importantly, it’s not the kind of system you need going forward. So one of the comments I made in before the Senate Armed Service Committee last week is that, to the best of my knowledge, there is yet to be a contract for replenishing any of these supplies. There have been contracts issued for delivering stuff directly to Ukraine, but that doesn’t rebuild the U.S. stock. Keep in mind, these stocks are sometimes not assigned to a particular theater. But in many cases, we’re drawing down European stocks set up for NATO for scenarios that haven’t disappeared yet. So timeliness, I think in one example, it’s the javelins, the anti-tank missiles. Public reports have indicated we’ve already gone down and given away 1/3 of our stock in barely two months of combat. It doesn’t take long to see that you’re gonna get to zero before the war is over. You could get to zero before the war’s over.

Jared Serbu: Well, let’s talk a bit specifically about the effects of wage inflation and how that’s affecting contractors again in the current year. Because at some point, those costs are going to get theoretically passed on to the government through some sort of request for equitable adjustment. Do we have any idea what that process looks like or what the magnitude of the of the dollar hit might be?

David Berteau: Well, let’s first talk about the magnitude and how you size the magnitude, right? So there’s really two aspects to this. Number one is for the employees you currently have and the employees you’re hiring, wages are going up. They’re going up to the employees you hire because they have plenty of options. There are 11 million jobs opening in America today and 6 million people looking for work. That says the odds favor the person looking for work, not the not the person trying to hire. But secondly, there’s the cost of retaining the people you have. We had 4% of the workforce, over 4% of the workforce each month is leaving their job and going to the Great Resignation, right? And so you add that up, 4% per month, that’s 50% over the course of a year are people leaving. And so you’ve got to retain people you have. Oftentimes companies just say it’s cheaper for me to pay the guy I have more now than it is for me to pay somebody else more and have a vacancy. Then the second piece is, all those vacant jobs that are out there are actually work not being done that’s already contracted for. And you have to ask yourself what work’s not getting done? Well, there’s no central location for that. So that problem has two aspects to it: How do you resolve this? Well, it depends. If you’ve got a fixed price contract, there’s very little opportunity for you to say, well, now I have more costs, and I need to pass those costs on to the government. As you and I were discussing earlier, many contracts used to have a clause called the economic price adjustment clause, the EPA clause, which gave the contracting officers program the flexibility to consider changes in costs. But inflation has been so stable for so long, so low and stable for so long, that many contracts now, no one has idea how many but a lot, no longer have that clause in them, which makes the case even harder to make up front. And then the third piece is, even if you file a request for an adjustment based on increased costs, if the government doesn’t have the money, they can’t pay that anyway. And all that request really is an opening round of negotiations over how much you’re gonna get and when you’re gonna get it. There’s a tight time limit at the front end for filing the request shortly after you’ve incurred the costs, but a no real time limit on that back end for how quickly the government gets it to you. These are putting companies at real risk, both in the contract arena, and in the bidding and future on future contracts. So it’s a whole host of problems. And you can’t wait ’til next year to address this.

Jared Serbu: But it is likely to still be a problem next year, which it strikes me means it’s important for the government to get its arms around how big the magnitude of this problem might be, so that they can start programming it for FY ’23. If we’re still in CR mode for the first five months of fiscal year ’23, the problem is exponentially worse isn’t it?

David Berteau: It is very much worse and as you know, for 12 of the last 13 years and likely to be 13 in the last 14 years, we start the year with a continuing resolution and it lasts at least two or three months. Now, there’s an additional problem here, which is if you do it one contract at a time, these adjustments for the wage inflation and the inflation growth in general, you do it one contract at a time, it’s almost an insurmountable challenge. But what we would like to have, what PSC has been arguing for is agencies should issue general guidance to their programs and contracting officers that would say something along the lines of it’s important to let companies recover their costs to do the work you’re contracted to do. And you need to do put the flexibility in place to both speed up the process. In the case of one agency, the General Services Administration, they remove the cap on the number of times you can make a request for an equitable adjustment, thereby freeing up a little bit of one of the constraints here, but it doesn’t make more money available. And it doesn’t say if you’ve got the money, this is what you should do with it. We think that kind of general guidance needs to go out. Contracting officers need to realize that they have both an affirmative responsibility on the individual contract, but also a responsibility to maintain the long term viability of the business base that’s supporting the government across the board.

Jared Serbu: What would agencies actually need to do mechanically to enable that flexibility? Does it require a mass contract mod or a class deviation or just simple guidance?

David Berteau: I would think it’s simple guidance. We saw, for example, back at the beginning of the pandemic, guidance from OMB, under the auspices of the Office of Federal Procurement Policy that just instructed contracting officers across the federal government to maximize teleworking for contractors, even if there was no clause in the contract that permitted such teleworking. We didn’t need to mod the contracts. All that guidance did was freed up the contracting officers to make a judicious and correct decision on their benefits that clearly benefits the government. You could do the same thing with recovering costs from inflation.

Jared Serbu: One last thing, we’ve been mostly focused on wage inflation here, because I think that probably is one of the biggest drivers for your members. But what are you hearing about other inputs whose prices are being driven up and how much of an effect that’s currently having in the current year?

David Berteau: This started actually, obviously, before the invasion of Ukraine, because under COVID, we had both supply problems from generating material, raw materials and components, but also from delivering them, right, the backlog in the transportation system. Nothing that’s happened in the global economy in the last few years has sped that up. Everybody keeps thinking, well, maybe the end is in sight here, but it hasn’t been. We hear reports across the board from our member companies of delays in in raw materials, delays in components, substitutions for components that may or may not meet the requirements of the contract. Whenever you can get them they’re going to cost more, both for providing them and for delivering them.

Jared Serbu: David Berteau, president of the Professional Services Council, thanks as always for sharing your insights, David.

David Berteau: Appreciate it very much, you’re welcome.

Four months after NSA lost what many believe to be its first ever protest of a contract award at the Government Accountability Office, it re-awarded the 10-year cloud contract, known by the distinctive moniker, which could be worth as much as $10 billion to Amazon Web Services.

The spy agency made the re-award in February, but details just surfaced in the last week.

An NSA spokesperson confirmed the agency’s decision.

“This contract is a continuation of NSA’s Hybrid Compute Initiative to modernize and address the robust processing and analytical requirements of the agency,” the spokesperson wrote in an email to Federal News Network. “Consistent with the decision in [the GAO protest] case, the agency has reevaluated the proposals and made a new best value decision.”

Sources also confirmed that Microsoft, which won the initial protest at GAO in October, decided not to protest the re-award to AWS, despite what many believe is a titled playing field.

A source, who requested anonymity in order to speak to the press, said a new protest would’ve just delayed the process, which would be detrimental to NSA and possibly national security.

But the source added, NSA’s decision does raise concerns about another single award contract for cloud services, in this case classified and top secret instances. Experts continue to question NSA’s decision especially after the controversial JEDI acquisition collapsed under immense pressure and scrutiny of its single award plan, and the move by the intelligence community from a single vendor — AWS — under the C2S vehicle to multiple cloud vendors under the C2E vehicle.

Additionally, sources highlight NSA’s decision again continues to, at least, offer the perception of special treatment for AWS. Sources says under the C2S contract, NSA and its intelligence community partners supported the development of AWS’s secret cloud instance while other cloud service providers received no financial or other type of benefit.

15 month acquisition saga

As for Wild and Stormy, NSA issued the solicitation in November 2020 and made the award to AWS in July under a two-phased best-value trade off approach.

AWS and Microsoft advanced to phase 2. NSA rated AWS higher and offered more value than Microsoft despite a base price of $482 million compared to $422 million, according to GAO’s bid protest decision.

Microsoft filed a protest on July 21 claiming NSA misevaluated proposals under the technical factor, under the management factor and around total price. Microsoft claimed that “the agency’s best-value selection decision was improper, and that NSA failed to meaningfully consider Microsoft’s lower price as part of the price/ technical tradeoff.”

GAO sustained Microsoft’s protest and recommended “NSA reevaluate technical proposals, consistent with this decision, and based on that reevaluation, perform a best value tradeoff and make a new source selection decision.”

NSA declined to offer any more details about how it reevaluated the proposals and how it came to the new award decision.

Joe Petrillo, an attorney with Smith Pachter McWhorter, told the Federal Drive with Tom Temin in December that GAO’s recommendation didn’t require NSA to reopen discussions or the Microsoft and AWS to revise bids.

“It’s up to NSA to decide how to implement this. They may have valid reasons for wanting to reopen and reevaluate the proposals,” Petrillo said. “One of the issues, interestingly enough, that wasn’t successful, although GAO did note, NSA should take it into account was there was a question about how the evaluated prices were developed, and how they were evaluated. They consisted of three sample task orders, and then prices for five different benchmarks. Those were all totaled, although it seemed that the benchmark prices, which were very small in comparison to the task order prices, in actual performance, those benchmark prices would constitute much more of the total price. Somehow the evaluation system didn’t take that into account. And NSA might want to fix that, but that would probably require a new round of proposals.”

What NSA exactly did this second time around may only be known by a handful of people involved in the procurement, but given the lessons learned with JEDI, C2S and the broad move to multi-cloud in the public and private sector, the single award is perplexing. It may make perfect sense to NSA now, but it’s hard to imagine locking any organization in to even one top secret cloud offering when others are obviously available is a smart decision over the long term.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Defense Acquisition University and the Defense Innovation Unit have teamed up to offer what you might call an acquisition baptism. It’s what they call an immersive course to get procurement people trained in commercial practices for buying goods and services faster. As DIU officials like to put it, at the speed of relevance. For more about the course to be offered this fall, the Defense Innovation Unit Director of Acquisition Cherissa Tamayori spoke to the Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Ms. Tamayori, good to have you on.

Cherissa Tamayori: Hi, thank you for having me.

Tom Temin: What is an immersive experience for acquisition? It sounds like you put goggles on and walk around in a room or what’s going on here?

Cherissa Tamayori: Yeah, so one of the things that we noticed that the DIU’s mission really is to accelerate the adoption of commercial technology across the Department of Defense, we do that by really having a deep understanding of the commercial sector and through our acquisition process. And what we’ve seen as we’ve been executing our other transaction authorities, and our prototypes is that although the OT’s, the other transaction authority, has been around for a while, a lot of the contracting and acquisition professionals across the DoD really don’t have a thorough understanding of how to use the authority, or how DIU utilizes the authority to really reach these nontraditional vendors. And so what immersive means when it comes to this program is we are, we want our fellows we want our ICAP fellows – our Immersive Commercial Acquisition Program fellows – to really gain hands-on experience. I think there’s a multitude of online classes, I think, out there. But we really think that the experiential learning is really needed to get those throughout the Department of Defense a thorough understanding on how to actually utilize the the authority as well as the process.

Tom Temin: So that means this course will take place in person?

Cherissa Tamayori: So this program will actually be virtual, however, they will be working alongside our agreements officers on actual problem sets that diu is working on, which aligns to all the problems that we’ve worked on across the services. So we are still in a virtual environment, but we’ve been still been able to execute successfully even virtually.

Tom Temin: Okay. And just to make sure we understand he will be talking specifically in this course about other transaction authorities, but not necessarily or not at all FAR regular, FAR-based acquisitions or DFAR?

Cherissa Tamayori: Correct, correct. So DIU solely utilizes the other transaction authority to execute prototypes. And that’s where we really are able to create such an expertise in that areas, because that’s all that we focus on when we execute our prototypes.

Tom Temin: And also just to, again, make sure we understand the parameters. You can’t use OTA, for like emergency rapid acquisition, that’s a whole different area of acquisition.

Cherissa Tamayori: Correct. We utilize the other transaction authority to prototype efforts. There are some instances, like we recently seen with the coronavirus, where you can rapidly prototype solutions to field very quickly. So I guess it depends on what what we’re coming for. But we’re not a quick way to get to an end item.

Tom Temin: If you’re an emergency response agency and you need 10 million water bottles the next day, you still have a FAR way to do that, but not an OTA way.

Cherissa Tamayori: Correct.

Tom Temin: Who can come to this course? Not every agency has OTA, most of them do have that authority. So who can come to the course?

Cherissa Tamayori: For this initial launch, we’re really targeting government, civilian as well as military contracting professionals that are mid- to senior-level contracting officials. We really want to make sure that those coming to experience the program to work with us have a baseline understanding of government procurement. I think that’s really important because you need to know what your baseline rules are in order to know why certain aspects are in place. And then to know that, knowingly deviate from those things and what those consequences are and or some of the benefits of deviating from from those baseline requirements. We are really targeting initially contracting professionals, the GS 13 to 14 range and military officers 04 to 05.

Tom Temin: All within DoD?

Cherissa Tamayori: All within DoD.

Tom Temin: We’re speaking with Cherissa Tamayori, she’s director of acquisition at the Defense Innovation Unit. There is, as you point out a history to OTA, it goes back quite a number of decades, really. And there’s a good deal of case law and regulatory information available about it. But is it fair to say that DIU has gotten really good at it and maybe have paved new ground for how it can be used legally, ethically and also effectively for a mission?

Cherissa Tamayori: Yes, I believe that is the case 100%. Because we solely focus on executing OT’s, we have really been able to hone in on on that specific skill set. We think outside of the box while still being cognizant of the rules and regulations that we have to follow and maintaining an ethical, fair process. And our process is very highly competitive. As we’ve seen I think the latest numbers, I think are, last year we received over 1,000 submissions on our projects. And so it’s very highly competitive. But at the same time we keep an open mind and we partner. A lot of the DIU personnel are former commercial executives. So that provides us with insight that you don’t typically get within your typical acquisition office. So we are able to understand a little bit about the venture capitalist community a little bit about the motivations of some of these private companies that you may not otherwise get exposed to in your traditional acquisition organization. That’s really important, because the more that we understand how the commercial sector works, and their motivations, the better that we can, as contracting professionals craft better agreements, and create agreements that are mutually beneficial both to the government as well as to commercial industry.

Tom Temin: And I think a lot of people are mystified by the next step, once you have acquired a prototype with all this competition, and say, the Army or the Air Force says “Great, we love it, we’d like 10,000 of them,” whatever it is. And that is called the Valley of Death, or there’s different terms for it, but moving to the production level, where OTA is no longer the methodology of choice for the acquisition, is that part of the course too, how to navigate that next step?

Cherissa Tamayori: Yeah, so the acquisition team here at DIU, we do a lot of work working with our partner organizations. So that will definitely be a part of that experience, because they’re going to be working alongside our agreements officers. On all of our prototype efforts, we do reach out to the contracting entity that will be performing the production contract, whether it be a FAR contract or an OT – an other transaction agreement of production, other transaction agreement. And so they can see the work that we do internally, the highly competitive process, how we meet all the statutory requirements, and then how we communicate that and share our documents with the follow-on contracting activity to help smooth that process. And one of the things that we’re hoping to get out of this program is to just share that information. So share the process, shared DIU’s, what DIU does, how DIU does it and just share the information across the Department of Defense, there is a better understanding and a better comfort level, I think, with those who will then execute the production efforts. There are real 11-02s, we are actually, it’s very experienced contracting officers that have had experience across the DoD and just having that comfort level I think will help significantly with some more transitions.

Tom Temin: And just to detail, there is a mechanism for the occasional production OTA-type of award that does exist?

Cherissa Tamayori: Correct. Follow-on contracts for production can either be FAR type or they can be a production OT assuming the production, or assuming the contracting office executing the production OT has OT authority.

Tom Temin: How are you selecting the people that will participate? And how many will participate? And I guess my compound question is, do you expect those people to become kind of train-the-trainer-type folks?

Cherissa Tamayori: Yes, exactly. So we are initially selecting six ICAP fellows for this initial round. We chose six because that is the number of portfolios that we have. So DIU is split up into six portfolio areas, which really aligned to where the commercial sector is leading in innovation. Those portfolio areas are artificial intelligence and machine learning, autonomy, cyber, energy, human systems and space. And we have one agreements officer who works on each portfolio. And because we really want this to be a learning opportunity, and we want to make sure that our ICAP fellows have a mentor, we’re aligning each ICAP selectee to one of the portfolio areas and aligned with our agreements officers. So they’re going to work alongside with that person on actual projects. To your question about a selection, so we’re really looking for highly motivated people who are willing to think critically and think outside of the box. Obviously, contracting professionals to begin with, assuming the program is successful, we’re very excited about it, as well as the partnership that we’re having that we’re doing with the Defense Acquisition University on this, that assuming it’s successful we’re looking to expand to maybe other career fields outside of contracting. But for the initial round, it will be just for contracts.

Tom Temin: You said that it would be a virtual class, but what are the time requirements and time of day requirements and so forth, really? And how long will this whole thing run when the people are selected?

Cherissa Tamayori: Yeah, great question, thank you. So this will be a 12-month program. It’s a full-time, 12 month virtual program so we’re not asking anyone to move locations, but we are asking for them to be 100% dedicated during the work day to this effort. The primary focus of the experience, we’ll be working on projects, but we will also have quarterly training in partnership with the Defense Acquisition University and they recently launched a new credentialing program. So we’re incorporated their other transaction credentialing program as a part of this program. There will also be constant collaboration, like I mentioned, with the DIU’s commercial engagement team, which will really provide much more in-depth understanding of the commercial market. And some of the concerns, some of the constraints that the commercial industry has to deal with that will expose our fellows to some of the concerns and some of just the items that we all need to be aware of as we craft agreements, as we negotiate with these companies.

Tom Temin: And over this year, it’s all day for the year or is it just an hour a day for the year?

Cherissa Tamayori: It will be all day for the year.

Tom Temin: So it’s a major commitment on somebody’s part really for career development, and the agency has to give them leave from their regular workload.

Cherissa Tamayori: Correct.

Tom Temin: Cherissa Tamayori is director of acquisition at the Defense Innovation Unit. Thanks so much for joining me.

Cherissa Tamayori: Thank you.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Navy’s littoral combat ship program has never lived up to its promises. Although it scaled back, the Navy still plans to field 35 of the ships, but they have serious and persistent problems.  Federal Drive with Tom Temin  spoke with Diana Maurer,  the director of defense capabilities and management issues at the Government Accountability Office, for an update on the program.

Interview transcript:

Tom Temin: Diana, good to have you back.

Diana Maurer: It’s great to be back on the show, Tom.

Tom Temin: So the littoral combat ship program, it seems like we’ve been talking about it forever. What is the status of it now? It’s not going away. But it’s not expanding? It’s kind of a steady state at this point?

Diane Maurer: Right. Yes, this is a program that’s been around for going on 20 years. At this point, the Navy has awarded contracts to purchase a grand total of 35 of these ships. And just as a reminder to the folks listening that the littoral combat ship is a relatively small combat ship that’s designed to operate in relatively shallow waters. So the initial concept they are thinking a lot about, for example, the Persian Gulf, or the Caribbean, other places around the world. It’s designed to perform multiple missions. So some of them are meant to sweep up minds. Others are designed to hunt for enemy submarines, and others are designed to combat other naval ships of opposing forces. The program has had a lot of significant challenges along the way, there was essentially a near reset of the program back in 2016, and our report looked at the Navy status and addressing a number of significant changes to the program that came out of Navy review six years ago.

Tom Temin: Sure. And how many hulls do they actually have, at this point out of the planned 35?

Diana Maurer: They have about two dozen of those, the others are in production. And they’ll be continuing to be taking deliveries over the course of the next several years.

Tom Temin: And in this report, you found that they just have trouble on the sustainability of them, and also just basic performance.

Diana Maurer: Yeah, exactly. So our report was focused on how well is the littoral combat ship performing in the real world. And we found a number of significant challenges. The folks at the Defense Department who test weapons systems before they’re actually deployed had found a number of serious deficiencies pretty much across the board. So they found problems in the weapons that the LCS is designed to use, they found problems with reliability in key systems. The testing community within DOD had concerns about the fundamental ability of the LCS to perform its missions and survive in a combat situation. These were serious and significant problems that were identified during testing, we found that the Navy was picking sort of a whack-a-mole approach to address these problems. We recommended that the Navy take a more comprehensive approach to triage, focus on the areas of greatest concern, and start working through them in a comprehensive, coordinated way.

Tom Temin: And does the Navy in your opinion, know what to triage? What would come up in a triage? Because if there’s reliability, say with propulsion? Well, that’s pretty much a deal killer for everything else. And if the weapons don’t work? Well, in some sense, that’s a deal killer for everything else. So where do they begin? Do you think?

Diana Maurer: Well, I think that there’s a long list of problems that still need to be addressed and to give them some credit where credit is due, they are taking steps to address those problems, propulsion, I think would rise towards the top of the list. And one of the things that we found in our reported in our review was that 10 out of 11, recent operational missions had to be scrubbed early because of problems with engines. That’s a deal breaker. If your engines don’t work properly, then you can’t perform your mission. And big picture what that means is the LCS is still far from delivering the combat capability that was promised what the military wants it to do.

Tom Temin: I guess there’s no oars long enough fora littoral combat ship if the engine should fail. We’re speaking with Diana Mauer. She’s director of defense capabilities and management issues at the Government Accountability Office, and is one of the issues trying to be new technology for everything? In other words, the littoral combat ship, the hull shape is unusual, there’s a couple of different ones. I think there’s even a double-hull in one of the series and different materials than conventional ships. But did they try to innovate everything, and therefore, maybe they could have used a conventional engine even in an unconventional hull and avoided that issue?

Diana Maurer: Well, certainly, if they could go back in a time machine, when this program started around 2004, I think they would do a lot of things differently. And the complexity that was baked into the system from day one is something that’s come to haunt the program for all the all the years since I mean, you’re right, there are multiple versions of the hull. There are multiple versions of these mission packages. There are different mission modules within mission packages. There were ways that they plan to actually maintain the ship that at the time were meant to be cutting edge, but in practice proved to be wildly impractical and expensive to implement. They’re trying to undo all of that, but it’s difficult to do. To some extent, this is a system that was designed to be a very complicated Swiss Army knife. And the problem is you couldn’t necessarily pull out the blades when you needed them, and it proved to be very expensive to maintain and operate. You know, the cost estimates on this ship, the lifetime lifecycle cost estimates of the ship went from $38 billion to over $60 billion from 2011 to 2018. And the final cost is probably likely to be much higher than that now.

Tom Temin: And looking at your list of recommendations this time from January of this year, I’m struck by who it is that you’re recommending to; secretary of the Navy, secretary of the Navy, secretary of the Navy, secretary of the Navy, and on and on, maybe the chief of Naval Operations, but that’s about as low as it goes. So I think, reading between the lines, you’re saying the Navy really should consider the whole program, whether to continue with it. If you have all these recommendations for the secretary level, and the chief of Naval Operations, to do these assessments.

Diana Maurer: Yes, we were very intentional about directing our recommendations at the very top of the Navy. And that’s a function of the concerns that we found not only in the ability of the system to perform operationally, but also in updating the cost estimates, right? Those are way out of whack and need to be updated to ensure good visibility within the Navy as well as with Congress. And also we had we had recommendations around ensuring that all of the findings from the 2016 review were fully implemented. Probably our most impactful recommendation was number six in our report, which was that they maybe think long and hard about deploying this system operationally, until it had figured out a way to close the gaps between what it wants to do with the LCS, and what the LCS can actually do in the real world.

Tom Temin: And at the start of the interview, you mentioned some of the original intentions for this that had to do with the war on terror era, if you will. And now we’re in the era of great powers competition and naval doctrine and military doctrine have all been updated. But it strikes me that the littoral combat ship could, as a concept, survive into the new era of competition, because you know, Taiwan, Odessa, there are lots of areas where we have conflict with mainly with China, but who knows with Russia, other countries, Iran, that are littoral in nature, so it’s not as if the idea is obsolete.

Diana Maurer: No, the idea is definitely not obsolete. And it’s certainly a critical capability that the Navy needs to develop. The Navy, for example, currently has MCM mine countermeasure ships that are extremely old and extremely difficult to maintain, and it needs the capability to find mines and sweep them out of the way. The LCS was designed in part to address that vital mission need. The LCS has not demonstrated the ability to perform that mission. That’s a major problem. It’s also not clear whether the LCS in its current state, and what its current capabilities would be able to fully execute its desired missions and the high-end conflict. And that sort of gets to the heart of the testing problems the duty testing community has identified. And that’s the heart of our of our recommendations that the Navy take serious and significant actions to address those problems. And the Navy to its credit, agreed and is in the process of doing that. But it’s gonna take some years before everything is completely wrapped up.

Tom Temin: Diana Mauer is director of defense capabilities and management issues at the Government Accountability Office. As always, thanks so much.

Diana Maurer: Thank you very much.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

To fight and win the nation’s wars, the Defense Department needs the best possible armaments. The National Armaments Consortium brings together contractors, researchers and academics in the development of new armament technologies for the military to acquire and test. Now the consortium has a new vice president of customer engagement, retired Army Brigadier General Al Abramson. The Federal Drive with Tom Temin spoke with him.

Interview transcript:

Tom Temin: Good to have you on.

Al Abramson: Thanks for having me, Tom.

Tom Temin: And you bring a long background in the Army and in the armaments area particularly, what are some of the big challenges in armaments? Because it seems like kind of a basic thing. You’ve got cannons and rifles and pistols and bombs that are well understood technologies.

Al Abramson: That’s a great question and the background I bring. So I’ve served in the military for just over 30 years, and quite recently, and quite recently is a relative term, but about four years ago, the Army made a decision to really focus in on modernizing the Army as it is today. And so if we go back a little bit, we’ve been fighting counterinsurgent war for 20 years in Iraq and Afghanistan, and so those have kind of trickled away. But now we have other threats that we need to focus on. And the question is, are our troops, are our war fighters, have the proper capabilities to fight that particular war, peace through strength, but fight that particular war, if and when necessary in the defense of our nation, and that’s really what the focus is all about.

Tom Temin: And armaments, the term refers to give us a sense of what types of equipment and what types of technologies that actually covers.

Al Abramson: You hit the nail on the head again at the beginning. So armaments really comprises weapon systems. So handgun is an armament, a rifle is an armament, a tank, the Abrams tank not named after me is an armament, so field artillery pieces are armaments. But also the munitions that go along with it, field artillery, munitions, small caliber, medium caliber, large caliber, those all things that make up the weapon system itself, we call armaments.

Tom Temin: And so that includes the ordinance the actual projectile?

Al Abramson: Absolutely, absolutely.

Tom Temin: And if you get down to the most basic level, the thing that actually causes the chemical reaction you want, either to fire a projectile or to explode, that is actually something that is not a static industry, either, is it?

Al Abramson: It’s not a static industry. And so I called it a very delicate ecosystem of these chemicals that our nation brings together to either provide the explosives that we want, or the propellant that we need. And so those two things propellant and explosives are really the building blocks to creating a more capable, more lethal weapon system. It goes and then it does something that you want it to do.

Tom Temin: And if you were to increase, say, through some good chemical research and some good testing the explosive power of a particular propellant, for example, that could I imagine back upstream to how you handle the system that is using the propellant because you don’t want it to blow up from too much propellant.

Al Abramson: Yeah. So a great analogy, if you have a basketball, put into a basketball. And so today’s basketball, 50% propellant and 50% explosive, well, let’s just say we want to take that basketball and throw it a little bit further. And we have to increase the amount of propellant. And so now we have a little bit less space for explosives. So we’ve got to do something with the explosive component to make it a little bit more lethal, if you will, because what you don’t want to do is if you throw that basketball a certain distance, you don’t want it to be like a paintball, you still want to have the intended effect on target at a greater distance. So that requires some chemical equations that we need to work on.

Tom Temin: And from your experience, how much of this research is conducted by say, in the case of the Army, Army personnel, versus how much is contracted out to the research organizations or to industry.

Al Abramson: So at Picatinny, I called it the Center of Excellence for Lethality. Because Picatinny although I wore my Army uniform, it really focused on the lethality effects across the services. So there’s a great bunch of folks, about 6,500 contractors, civilians and military uniforms that work at Picatinny, but also with the NAC, there are about 950-ish industry partners that also are all focused on getting after building these greater capabilities.

Tom Temin: We’re speaking with retired Army Brig. Gen. Al Abramson. He’s now vice president of customer engagement for the National Armaments Consortium. And tell us about your new job now as the vice president of customer engagement.

Al Abramson: Well, yeah, thanks for that. So, in my previous role as the commanding general of Picatinny, I came across and spoke at the National Armaments Consortium general membership meeting, and my eyes were open to how this consortium brought all of those smart folks together, the large business, small business, academia, nontraditionals coming together to collaborate together in an environment that they may not have been able to come across and speak to each other, all with a singular focus of being able to build better capabilities for our warfighters. And so being part of that effort was a great opportunity for me, and I look forward to continuing to work with them.

Tom Temin: And if you think about some of the national challenges, of which there are big priorities for the federal government, cybersecurity, quantum computing is even one, satellite technology, armaments would seem kind of basic or low tech compared to those. But in reality, I imagine you can tell me, from your point of view, does it look like some of the adversary nations are also doing research, say China, which invented fireworks. We know they’re ahead and quantum, and they’re very big and satellites and cyber. Are they also pursuing armaments and greater power there, also?

Al Abramson: I would say the answer to that question is yes. And so, although armaments, in terms of the complexity of those different enterprises that you spoke about, each one is challenging in and of itself, and I would put that the armaments, our ability to provide greater capability for the future is just as challenging, but it has different challenges, if you will. So it’s just as challenging.

Tom Temin: What are the big challenges in terms of the next round, say, of armaments? Is it a chemical issue? Is it a physics issue, or what is it?

Al Abramson: I would say all of the above. One, I’ll go back to the ecosystem of the supply chain of bringing ammunition together as a very quick example. And so one of those piece parts that go into a munition, our ability to evolve it, modernize it, to ensure that it provides a greater capability for that particular weapon system is very delicate, meaning if we don’t have it, if we don’t have that supply chain coming in, then it’s just not going to work. On another piece, to your point about being able to create greater explosive capability at longer ranges, we’ve got to be able to work on that chemical equation, that chemical structure so that we can have a smaller amount but have the same explosive component of where we want to go.

I’ll add one more, because you talked about satellites. Our munitions today are no longer what I would call dumb. Meaning we fire them from a munition, or weapon system or fill artillery round, and it was a dumb weapon, meaning it didn’t have to look at satellites and know where it is in time and space. Well, I will tell you today that some of our munitions today, once you fire them, it’s got to acquire the satellite, it’s got to acquire the satellite so it knows where it is in time and space, and can have an accurate targeting capability where we didn’t have that 10 years ago.

Tom Temin: And maybe it’s my imagination, but I thought I recall seeing somewhere, a video or something on the idea that actually an individual bullet can change course and go around a corner, or am I making that up?

Al Abramson: It depends on the size of the bullet, I’ll leave it at that. So small arm, we’re not quite there yet, but larger ones can change their trajectory without going too far into classifications and things.

Tom Temin: OK, all right. That is something that’s real, though the idea of —

Al Abramson: That is real.

Tom Temin: — Guiding something smaller and smaller —

Al Abramson: That is a correct.

Tom Temin: — As opposed to, you know, intercontinental missile, which has a trajectory and so forth. And by the way, does armaments go up to that level to the guided missile level of weapon?

Al Abramson: So the answer to that question is yes, armaments does. So PEO missiles in space deals with rockets and things like that, that are particularly guided. Now, your example that you use, we would call a conventional, can a conventional munition change its trajectory? And the answer to that question is, we’re developing that capability as we speak. But the rocket, as you’ve mentioned, has always been able to do that.

Tom Temin: All right, so as the customer engagement person, point man for their for the consortium, you’ll be visiting, it sounds like, and dealing with the vendor base with the supply base issues, from again, I guess, looking back to the Army standpoint, but now you can see it from the vendor side. Are the supply chain issues that affect so much of industry, also affecting the armaments industry?

Al Abramson: It does. And again, I go back to a very, I called it a very delicate ecosystem, because it would come in from many different pipelines. And I can only imagine due to our real life situation with the COVID virus and supply chain things. It’s becoming more and more increasingly challenging to ensure that our industry partners, both large small mom and pop shops, if you will, are being able to get the things that they need so they can continue to feed that pipeline of many different directions to build that weapon system and that lethal capability that our warfighters need.

Tom Temin: Well, it seems like things are improving. You can get nine millimeter rounds now for less than 50 cents apiece. So I guess that’s a good trend. They were a buck. You know, a year and a half ago. Retired Army Brig. Gen. Al Abramson is vice president of customer engagement for the National Armaments Consortium. Thanks so much for joining me.

Al Abramson: Thanks for having me.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The government looks like it’s doing everything possible to discourage companies from selling to it, especially small businesses who lack the manpower or intestinal fortitude, to slog through a growing number of rules. That’s the view of longtime federal sales and marketing consultant, Larry Allen, who joined Federal Drive with Tom Temin for more.

Interview transcript:

Tom Temin: And when you stack them all up, Larry, some of the old and new rules really do look like kind of a mountain for new businesses to climb over.

Larry Allen: Tom, they really are a new mountain and the mountain keeps getting higher, whether we’re talking about the re-imposition of CMMC requirements or companies selling cloud services to DoD, whether we’re talking about where you get your telecommunications equipment from, for any type of prime contractor, and on the books coming forward are going to be more rules on secure supply chain and new rules on environmental assessment for the products you’re offering that you somehow get a benefit from if you are offering a certain type of green-certified product. So the rules and regulations are not going away. In fact, they’re growing, and each one creates a higher barrier to market entry for any new business. And as you pointed out, that’s really true for small businesses who don’t have the time to understand all these things. They don’t have the money to pay for the tests and certifications. And they may just decide, the federal government isn’t worth the time and aggravation, I’m going to go somewhere else.

Tom Temin: In many ways you see this creating, this is not a brand new phenomenon but maybe it’s accelerating. And that is small businesses are often started by serial Small Business starters who do know the rules, sell a company and find a partner in whose name the new company will be. But the new partner doesn’t really know anything, but the existing partners just takes what they learned from earlier ventures and just carries it over to it. So it’s an insider’s game in some ways.

Larry Allen: I think it really is an insider’s game in a lot of ways. First of all, the insiders know the process. This is kind of the point of my article, with specialized processes and new processes coming in to play if you’re experienced, and you understand what these things mean, you’ve got an edge. But also, what makes you a good insider, Tom, is the relationships. Remember that this is a very risk averse government market. And except for a small handful of a couple of really innovative acquisition areas, we’re talking about a risk averse government market where people like buying from the companies they know, they like the assurance that the companies they’re buying from will be able to meet the new requirements and the existing requirements, because very few if any of the old requirements are going away, Tom. So it favors the people who know other people who know the lay of the land, and you have the infrastructure necessary to do the compliance checks and put the processes in. So that while they’re trying to sell and make money, they’re not putting their company or their investors at risk.

Tom Temin: And there are some new rules coming as a result of the NDAA, the National Defense Authorization Act. And those rules often are not only for Defense Department acquisition, sometimes the NDAA is a way of getting governmentwide requirements into place.

Larry Allen: Right. And, Tom, there are a slew of them. I’m going to keep them general this morning. But they really kind of prove what we’ve been talking about already. And that is there’s a section of the defense bill, section 807 that says we want to really make sure that commercial item providers and commercial procurements are being used and used well. It’s fast acquisition relative to other things. And it’s the rapid adoption of commercial advances in technology. That’s what Congress says they want in that section. And then if you go down to another section, 213 talks about increasing the activities of the Defense Innovation Unit, one of DoD/s premier entry points for people that are offering unique innovative solutions that are not yet in current production, i.e. they’re not commercial. So those two provisions, Tom, say we do want a streamlining government. We do want better technologies. We want new market entries. But then you look at other parts of the bill. And you look at right after section 807 you have two sections, 808 and 809 that say, well, we really want you federal agencies to report back to us on the Buy American Act, DoD. We think that you’re giving too many waivers to the Buy American Act. We also want to remind you, DoD, that you’re responsible for buying in accordance with both of Berry Amendment and the Specialty Metals Statute. And that really just shows that there’s an inherent conflict inside government acquisition. DoD, and this is just an example, Tom, of what happens in many other government agencies. They’ve got the one hand says “We want you,” on the other hand says, “We want you but only if you can do business with us this way.” So it’s a little contradictory.

Tom Temin: We’re speaking with Larry Allen, president of Allen Federal Business Partners. And now I imagine some of the Russian situation could even strengthen this requirement, especially foreign sourcing, not that much is bought from Russia directly that comes into the United States, much less by the government to begin with. But there are certain commodities, certain elements that might be embedded in other products that have Russian origin, like, I don’t know, sunflower oil or something.

Larry Allen: Well, you don’t really know but we’re going to find out, that’s for sure. Supply chain resource management has already been an increasing area of focus in government acquisition, right down to where you get your components from, and what the ease of access to those components is, if you are selling products to the federal government. And while Russia is certainly going to be concerned, we have some on-the-books prohibitions like the prohibition on buying solutions from Kaspersky Labs, which is Russian IT company. The NDAA itself, the defense bill also particularly calls out Chinese-made or Chinese-sourced items in multiple places. And most of them, though not all, are prohibitions on using Chinese-made components, except in those cases where there are no alternatives right now, which is kind of an another irony in another topic. But overall, what Congress is telling the Department of Defense and by extension, many other federal agencies is where you get your components from matters. You make sure your contractors know where their stuff comes from, before they bring it to the loading dock, whether it’s Russia, China, or another perceived bad state actor. We don’t want that stuff coming in to our office buildings sitting on our networks, unless really, there’s no possible alternative. And by the way, we want you to develop alternatives as quickly as possible.

Tom Temin: And if you’re having a State Department reception overseas, be careful of where your vodka comes from.

Larry Allen: You got to be domestically sourced, Tom.

Tom Temin: Alright, Larry Allen is president of Allen Federal Business Partners. As always, thanks so much.

Larry Allen: Tom, thank you and I wish your listeners happy selling.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Defense Department’s mandated report from President Joe Biden’s July executive order on promoting competition would lead you to think the shrinking supply chain is putting the nation at risk.

“Since the 1990s, the defense sector has consolidated substantially, transitioning from 51 to 5 aerospace and defense prime contractors,” the Feb. 15 report stated. “As a result, DoD is increasingly reliant on a small number of contractors for critical defense capabilities. Consolidations that reduce required capability and capacity and the depth of competition would have serious consequences for national security.”

A week before that report dropped, the National Defense Industrial Association (NDIA) rang the alarm bells that played a similar tune.

NDIA’s 2022 Vital Signs report found the health of the DIB at its lowest point since the launch of the review with five of eight categories falling below the passing grade of 70 out of 100.

“Vital Signs 2022 also reflects the story of recent political and regulatory action against adversaries and their influence over the DIB, and the way in which that has shaped and will continue to shape the future of the warfighter,” the NDIA and Govini found in the report. “This past year has witnessed significant deterioration in the signs including ‘supply chain’ as well as ‘production capacity and surge readiness,’ which almost certainly is a result of the impact of the pandemic. Conversely, the only sign that significantly improved was ‘demand,’ reflecting recent growth in the defense budget.”

But these reports really only tell one side of the story.

Conversely, the data on overall spending, the rate of competition and the total revenue all point to an industrial base that is healthy, wealthy and, hopefully, a little wiser.

Bloomberg Government found in its fiscal 2020 report — the most recent data available — that most of the top 10 contractors across government, not just within DoD, saw their revenue increase over the previous year.

Lockheed Martin, for example, repeated as the top contractor in 2020, bringing in $75.8 billion in federal contracts, up from $43.4 billion in 2019. In 2021, NDIA reported Lockheed earned $74.9 billion, while the other top five DIB vendors, Raytheon, General Dynamics, Boeing and Northrop Grumman all saw decreases between 2021 and 2020.

It’s not just about straight revenue either. DoD reports that the overall competition rate among contractors reached 52% in 2021, more than 1% higher than 2020, but lower or equal to the rate each year since 2012.

The increased competition rate along with the revenue increases comes despite growing concerns about mergers and acquisitions negatively impacting the price for specific products like major weapons systems DoD pays as well as availability of products and services.

“Although studies of this trend have not found a strong correlation between consolidation and increased program pricing, additional risks beyond pricing come with consolidation,” DoD stated. “Growing concentration can reduce the availability of key supplies and equipment, diminish vendors’ incentives for innovation and performance in government contracts, and lead to supply chain vulnerabilities.”

The DoD and NDIA report are part of a growing drum beat across the defense sector warning lawmakers about the growing near peer competition coming from Russia, China and other countries and whether the defense industrial base can keep ahead of them.

As Congress looks to complete its fiscal 2022 spending bill and begins to work on 2023, the reports highlight both real and perceived threats for lawmakers to consider as they parse out the more than $700 billion DoD budget.

“Many of these challenges were there before COVID. The pandemic served to highlight and accelerate these challenges. But it is definitely a wake-up call for the decision and policymakers in our country,” said retired Air Force Gen. Herbert “Hawk” Carlisle, the president of NDIA, during a press briefing on Feb. 2. “The aggressive Russian military buildup on the Ukrainian border and the pacing threat, the rapid military modernization efforts of the People’s Republic of China remind us that our industries work of providing superior products and services to armed services so that they can compete and win and all domains of warfare can never be taken for granted. We owe it to the women and men that serve and defend this nation to give them the equipment, the capability and the training to do the mission we asked them to do and right now in the environment we’re operating in. It’s a challenge and we got a lot of work to do.”

Chinese investment in AI

Tara Murphy Dougherty, the CEO of Govini, added the Vital Signs 2022 report should serve as a “wake-up call” for DoD, Congress and the White House to better understand just how challenging the current federal procurement environment has become over the last decade.

“The challenging environment does not impact just the companies that the Department of Defense is already working with today. The more difficult the dynamics of working with DoD are, the more the department will continue to struggle to bring new entrants into this market. We know as a national security community that the Department of Defense has to bridge the gap between the traditional members of the defense industrial base who today continue to contribute so much into the emerging national security innovation base. DoD has to attract the companies that are working on a bleeding edge technology in the commercial sector of the United States economy,” Murphy Dougherty said. “If we cannot accomplish that, the techno military challenge and competition that we’re facing with China will continue to undoubtedly get more difficult. If you consider comparative investments between the United States and the Chinese Communist Party in these emerging technologies, and the commitment that China has to leveraging those technologies for warfare, it’s clear what DoD needs to do. That begins by improving the environment in which these companies operate in order to serve DoD and the national security efforts of our country.”

It’s the concerns about the gains China and Russia are making is helping to drive this mixed message about the DIB.

Both reports found the number of new entrants coming into the defense sector has steadily dropped. DoD says the reduction is felt most among weapons suppliers, which fell to 5 from 51 in the 1990s.

Wes Hallman, the senior vice president for strategy and policy for NDIA, said the lack of new entrants into the DIB is surprising and concerning, especially during the pandemic.

“Two different studies one from 2008 to 2018, and one that was 2011 through 2018 noted thousands of companies have left the defense industrial base. We’ve noted that the number of new entrants between 2019 and 2020 went from over 12,000 to just over 6,000. We saw another drop from 6,500 down to 6,300 new entrants over the last fiscal year [2020 to 2021],” Hallman said. “When you look at the supply chain issues and the many, many years of a dwindling supply base create more and more fragile networks. Then the pandemic really highlighted the fragility of that. As policymakers look at this, we need to look at what are the incentives and disincentives to come in into this marketplace and really adjust the marketplace so it’s so it’s easier to enter it easier to thrive in it and then produce some resilience.”

More vendors in R&D defense sector

Carlisle added that the drop in new entrants comes despite the defense sector being somewhat protected against the economic challenges brought on by the pandemic.

The one area that has bucked this shrinking trend is research and development where the use of other transaction authority has increased the number of vendors by 9% over the last decade, DoD reported.

Dr. Mark Lewis, the executive director of NDIA’s Emerging Technologies Institute (NDIA ETI), said DoD must reverse the spending decline on basic research as a way to address many of these growing DIB problems.

“We won’t have those the next set of emerging technologies if we’re not investing in the basic research that will, we’ll get there. I think we can certainly highlight some successes of the Defense Innovation Unit, which has been incredibly successful at kind of opening the door for new companies to come into the DoD,” Lewis said. “Very recently, Under Secretary of Defense, Heidi Shyu announced instead of reducing the number of modernization priorities, she’s actually into adding a few modernization priorities, which I think is wholly appropriate. So there’s still, obviously a very keen focus on these emerging technologies, and I think there’s a sense of alacrity, but again, we’re getting some mixed messages along those lines. So it remains to be seen. And I think we’ll certainly see when the 2022 National Defense Strategy is released if it continues to emphasize the importance of these emerging technologies, and especially with a focus on peer competitors, such as Russia and China.”

It’s clear there is no one solution to reinvigorating the defense industrial base. It’s clear the continuing resolutions, the long acquisition cycles and the complexity of the procurement process all play into the challenges. At the same time, DoD and its contractors haven’t done enough to help themselves as spending keeps increasing and companies keep winning more contracts.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Pentagon planners know the U.S. military needs new technologies, new innovations, if it hopes to stay on top. But many of the innovation initiatives don’t gain scale. Jerry McGinn says that’s because of the 1960s-era planning, programming, budgeting and execution (PPBE) process the Defense Department uses. He is executive director of the Center for Government Contracting at George Mason University, and he joined the Federal Drive with Tom Temin in studio.

Interview transcript:

Tom Temin: Jerry, good to have you back.

Jerry McGinn: Great to be here, Tom.

Tom Temin: Alright. So the PPBE dates back to 1960s. It’s work this long, what’s the matter with it?

Jerry McGinn: Well, as you said, it was state of the art in the 1960s when [Robert] McNamara and the Whiz Kids came into the Pentagon. It’s centralized planning, trying to build out and define requirements for defense programs and requirements going forward. And then planning in a centralized way. However, commercial industry has moved on long ago, and now does innovation through iteration. They set broad parameters, give portfolio budgeting or different approaches that allow much more dynamic development of products and concepts. And meanwhile, the Department of Defense is stuck with the ’60s approaches which requires three years to really plan and then program and then execute on a system which doesn’t really match well, without the needs of the department today.

Tom Temin: Well, just to play devil’s advocate some of the enduring systems that are still being used, still reliable F-15, F-16, F-18, a lot of these platforms were developed in that old PPBE process. Although if you’ve read the detailed history of them, they were all late, they were all over budget, they were all destined to failure and but nevertheless, they somehow got to fruition. But that’s not good enough now.

Jerry McGinn: No, I don’t think it is. Because with those programs, they sort of proved the point is that if you’re trying to set requirements for things that you need in five or six years, defining those unlocking those in five years in advance of the earliest prototypes is kind of silly. So you need a way to be able to do that and then scale it. So we need to sort of go back to the future and think about how the department did budgeting before PPBE and how commercial industry does it now, which is why it’s really timely that Congress passed this commission on the PPBE reform in the 2022 National Defense Authorization Act. And that commission, a lot of commissions just sort of yawn, those things sort of never kind of lead anywhere but the last couple of years, the effort on, the Solarium Commission on cybersecurity, and this Commission on artificial intelligence were both very impactful. So we’ve got some good recent history. And I like to think that PPBE could do the same.

Tom Temin: So this commission is at work now but it hasn’t issued what its findings are yet.

Jerry McGinn: Not quite. I think there are 14 commissioners to be named, and they’ve identified 11 of them. I think there are a few left to be named. However, it’s sort of caught up in the budget process, believe it or not. They can’t start the work until the ’22 budget is passed, which is not, so they have to appoint a new executive director for the staff. And then it’s a three-year kind of process for them. Earliest results will be in ’23. So it’s going to take a bit of time. But the nice thing to see is there’s strong bipartisan commitment and executive and congressional commitment to do something about this.

Tom Temin: Do you see, say, the possibility of dual systems because some things you can plan in advance, manpower for example. Planners know the cost of manpower, they know what the direct and indirect costs of that are going to be actuarily, pretty accurately way into the future. Whereas development of a new platform, for example, can go any of a million ways. So could it be that they need a dual system? And some part of the budget is set aside under a different planning system than the PPBE?

Jerry McGinn: Yeah, that’s a great point, Tom, and I think this is gonna have to be done through iteration and piloting. They’re gonna have to figure out where do we need this kind of push because there are some things where you don’t need this kind of flexibility that is very dynamic. But very much in the development of systems that our warfighters need for today and tomorrow, we need that because you see, there’s been a lot of innovation efforts over the past three administrations that bringing in new technology, and so on. But the challenge is a lot of those, as you mention the outset had been scale. And that’s because the budget was built three years ago, and trying to backfill or adjust to reprograms, it’s really hard to do. So we need to have the ability to do that in a more dynamic way.

Tom Temin: I think the explosive-resistant troop carriers of the Iraq War era are an example where Secretary Bob Gates said, “we need these now, because the conflict is killing soldiers in crazy numbers.” And that was developed and fielded for the Pentagon in a breathtakingly short time. That’s the kind of thing you mean.

Jerry McGinn: Exactly. Our colleague, Jim Hasik just put out a book on that case study on the MRAP development, the marketing to the military. It’s sort of an exception that proves the rule, that it was so hard to do. And it required Gates to really just grab people by the neck and drive it. And we need a way to do that which is not as Herculean of an effort required. And one of the important things about this is this has to be done in a transparent way. This is not something so the Pentagon gets their pot of money and they can go do what they want. It’s got to change how we do reporting, because Congress needs oversight, right? And that’s very appropriate. And we have very clear reporting ways to do it now into the PPBE, how does that impact it? So that’s an important part of this commission, a critical part because otherwise you’re not going to get buy-in on Capitol Hill and the executive branch.

Tom Temin: We’re speaking with Jerry McGinn, executive director of the Center for Government Contracting at George Mason University. And this issue then is not really a procurement issue, although procurement itself is a function that is under a lot of scrutiny in the Pentagon, always is every year in the NDAA. There’s something having to do with buying and procurement. But you’re really talking about a much wider system, of which procurement is only almost the tail end.

Jerry McGinn: I think so but I think my perspective is that you see the inadequacy of the PPBE system most dramatically in the procurement and R&D space, which, as you said, the personnel and operations maintenance are less impacted. So I encourage the commission not to take so much of a financial management approach to the commission, but really focus on where is this not allowing us to have the most capable military we need for today. And I posit that it’s in these areas in the procurement and research and development areas. And that’s where I think change would be the most beneficial for the department.

Tom Temin: Because you’ve got these units, AFWERX, and there’s several other “werx” throughout the Defense establishment. And you’ve got the Defense Innovation Unit. You’ve got all these different gambits to try to speed things up, but they all operate kind of at a low scale year after year. That’s what you’re arguing also?

Jerry McGinn: Yeah, and you saw this out in the Reagan [National] Defense Forum in December, Secretary [Lloyd] Austin gave remarks about the need, the department has to do better. And I would agree, because SBIR, the Small Business Innovation Research, or small efforts that are done by AFWERX and so on, which are great, but they don’t scale. And there was a real tension at the Reagan Defense forum where the Silicon Valley VC companies and others made it very clear, look, time’s running out. We need to be able to find some ways that we get production contracts out of these innovation efforts, and not just little prototypes that don’t go anywhere.

Tom Temin: And just to give credit to McNamara, he was a systems planner and production man. If you love the Ford Falcon than you love, Robert S. McNamara.

Jerry McGinn: I think it’s right. But that was a very different time. And I think the automobile industry has moved on.

Tom Temin: But what I mean is he came in as a radical change agent right at the very top. I mean, he was president of Ford I think three months before Kennedy tapped him to become Defense secretary, he was young and he took the entire thing and shook that building. And I think there are people that are still mad about it. But that kind of agent, I think, is needed probably to affect this type of change, if this commission says “here’s what we got to do.”

Jerry McGinn: That’s a fair point, it does come down to leadership. And I’m hopeful the commission delivers in a way that enables the department and Congress to run with it.

Tom Temin: Jerry McGinn is executive director of the Center for Government Contracting at George Mason University. As always, thanks so much.

Jerry McGinn: Thanks, Tom. It was so great to be with you.