The U.S. Navy requires an agile and adaptable acquisition process that can field new information technology capabilities and services in relatively short and responsive time frames. A RAND study sought to identify ways to accelerate or bypass the traditional acquisition process in response to the unique demands of information technology and cyber programs.
Rapid Acquisition and Fielding for Information Assurance and Cyber Security in the Navy
Published Dec 21, 2012
- How can the information technology acquisition process best support the mission of the U.S. Navy's Program Executive Office for Command, Control, Communications, Computers, and Intelligence with regard to computer network defense programs of record?
- What existing authorities, processes, and organizations can be used to support the Navy's Program Manager, Warfare (PMW) 130, Information Assurance and Cyber Security Program Office, in the rapid acquisition of critical information technology?
- What new authorities, processes, or organizations are needed to support PMW 130's rapid acquisition objectives?
- How can PMW 130, and the Navy more generally, build or leverage a dynamic operational test and evaluation environment?
- How can budgeting and resourcing challenges to agility in all parts of the acquisition process be mitigated?
Identifying an agile and adaptable acquisition process that can field new information technology capabilities and services in relatively short and responsive time frames is a pressing issue for the U.S. Navy. Damaging malware can mutate within hours or days, requiring a defense that is sufficiently responsive to mitigate each variant. The Navy's Program Manager, Warfare (PMW) 130, an office in the Navy's Program Executive Office for Command, Control, Communications, Computers, and Intelligence, is focused on rapidly and proactively fielding innovative capabilities to stay ahead of cyber threats. It requires an acquisition and fielding cycle that can deliver hardware security products within 12–18 months, software security products within six to 12 months, and incremental development for both hardware and software every three months. These time frames are far shorter than the Navy's traditional acquisition cycle time, which can be 36 months from concept approval to initial operational capability or eight to ten years for full operational capability. With a focus on these goals, a RAND study sought to identify ways to accelerate or bypass the traditional acquisition process in response to the unique demands of PMW 130 information technology and cyber programs, with lessons derived from and recommendations applicable to programs across the U.S. Department of Defense.
Acquisition Processes for Information Technology and Cyber Capabilities in the U.S. Navy Need to Be Faster and More Adaptable
- The Navy's traditional acquisition process takes far too long for information technology and cyber programs that must develop and field capabilities within very short time frames.
- Navy programs in these areas require processes capable of handling two distinct processing speeds: one for all information systems and one for emergent needs.
- The testing phase, as well as certification and accreditation, can cause significant delays for time-sensitive programs in the traditional acquisition process.
- Successful rapid acquisition programs in the Army, Air Force, Marine Corps, and joint organizations offer lessons for the Navy as it develops its own streamlined processes for computer network defense and similar program areas.
Information Technology and Cyber Programs Require Stable Funding and Unique Governance and Authority Arrangements to Ensure Efficiency and Sustainability
- New authorities at the program executive office and program manager levels are needed to better address the assessment, validation, sourcing, resourcing, and fielding of operationally driven urgent requests.
- The current budgeting process takes too long. However, there are many potential funding sources outside the traditional process for incremental acquisition like that required for cyber programs. Certain initiatives might warrant dedicated budget lines.
- On a related note, several contracting solutions are available to Navy programs that could be amenable to short cycle times, allowing programs to leverage the agility of the private sector.
- The Navy should establish business rules that harmoniously allow two processing speeds for certification and accreditation packages for its Computer Network Defense program. It should also work directly with the required authorities to streamline acquisition, give more oversight to the program manager, allocate testing facilities to the organization that manages the program, and create a dedicated certification authority staff position.
- The Navy's Program Manager, Warfare (PMW) 130, Information Assurance and Cyber Security Program Office, should be involved in changes to the Navy Modernization Process and make use of best practices to get through the process more quickly.
- Navy programs that require rapid acquisition, particularly those involved with cyber issues, should ensure that they have a stable source of funding and that they have explored all available funding options. Similarly, they should investigate rapid contracting options, including incentives for contractors.
- Throughout the Navy, programs would benefit from a culture that fosters agile governance and is responsive to the rapid-response needs of information technology programs. Thus, the Navy should implement continuous fielding strategies for these capabilities, focus on integrating authorities and processes, and ensure that processes are efficient and that funding is available to fulfill incremental upgrade needs that must be handled outside the traditional acquisition process.