Navy: Faster acquisition key to cyber defense

Faced with a rapidly evolving cyber threat, the Navy is developing new strategies for acquiring cyber defense capabilities.

The problem is that the Defense Department’s existing acquisition model — DOD 5000 — is ill-equipped to meet the fast-moving needs of cyber defense.

“DOD 5000 doesn’t work for cyber defense,” said Kevin McNally, the Navy's program manager for information assurance and cybersecurity. “It’s built for the acquisition of ships, aircraft and weapons systems. Full operational capability can take seven years. Cyberattack tools progress far more rapidly than that.”

McNally, speaking June 28 at the IDGA Cyber Warfare and Security Summit in Washington, D.C., said the new acquisition approach would allow the Navy to work in six-month increments of spiral development, with multiple efforts working in parallel. A group composed of key naval departments will meet periodically to assess progress, identify new threats and re-evaluate needs, McNally said.

“Every six months, we’re looking at requirements, defenses and tools,” he added. “We ask, ‘Do we need to field new capabilities? What capabilities do we need, and how should we deploy?’”

The Navy is also implementing DOD’s broader acquisition reform efforts but is taking a proactive approach with the new measures.

“There’s a big push to do acquisition reform, and we’re hoping that’s successful,” McNally said. “But I haven’t seen anything come out yet that simplifies acquisition for IT or cyber.”

For now, the Navy is looking forward to some of the advantages of its new approach, such as being better able to keep up with technology, introducing new commercial products more quickly and closing in on evolving threats. The department is also focusing on issues such as identifying network anomalies and behaviors, moving from reactive to predictive measures, and addressing advanced persistent and insider threats, McNally said.

“I don’t think we’ll ever close the gap [with rapidly evolving threats completely], but we can get closer,” he said.

Still, there are challenges, including securing resources and planning ahead for a future that is constantly changing. The broader DOD acquisition process is also cumbersome and can slow cyber development, he said.

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.


Reader comments

Thu, Jun 30, 2011

McNally needs to RTM for the DoD 5000 roadmap first as it pertains to DoD 8500. He would find out that the security mitigation efforts are there every step of the roadmap. It's the PMs that wait until MS B/MS C that they start to worry about security. Then PMs cry wolf when they try to wrap security around it, instead of security being embedded in it. These costs and risks could be mitigated in MS A. JITC, DISA, AT&L don't help either; they are supposed to make programs accountable for IA, instead they close their eyes to the obvious issues and let them slide. The whole IA effort needs a facelift.

Wed, Jun 29, 2011 A_COL

DOD 5000 – Just Good Program Management
Those criticizing DOD 5000 usually have never read it nor developed a system under rigorous Pentagon oversight so don’t know what they’re talking about. The DOD 5000 series simply forces a Major Acquisition Program Manager to employ good management practices that any good PM should be doing anyway. Granted, it is best suited to major weapons systems development but the basic tenets of good program management are equally applicable to Major Automated Information System (MAIS) acquisitions. DOD 5000 guidance does not impose onerous requirements and oversight but simply rolls up “into one tight shot group” all the already mandated requirements imposed in these Federal documents and applies them to a DOD environment:
OMB Cir A-109, Major Systems Acquisition
OMB Cir A-11, Preparation and Submission of Budget Estimates
OMB Cir A-130, Management of Federal Information Resources
OMB Cir A-123, Management’s Responsibility for Internal Control
Clinger-Cohen Act, Information Technology Management Reform Act (ITMRA), as Amended

As someone that has successfully taken 3 MAIS efforts through a Milestone C I can attest that DOD 5000 simply ensured I was performing effective management of my programs. The rules are sufficiently flexible to allow for incremental development rolling out spirals every 6 months but regardless what acquisition strategy a PM uses, he/she should have some idea of the desired end result and that they are satisfying a valid requirement.

Those criticizing Good PM techniques and DOD 5000 are usually folks that have not bothered to employ good management nor explored how to tailor the DOD 5000 process to suit their development effort.

Wed, Jun 29, 2011

The Navy would solve many of their acquisition needs for commercial services and products by their use of the GSA Schedule Contracts. There are over 15,000 contract vehicles ready when the need exists. On reoccurring and known requirements the Navy should negotiate BPAs. Will this solve all of their needs? The answer is NO - BUT this approach will serve the majority of their requirements. Everything stated above is a Ditto for the rest of DoD.
