Research Questions

  1. How can the information technology acquisition process best support the mission of the U.S. Navy's Program Executive Office for Command, Control, Communications, Computers, and Intelligence with regard to computer network defense programs of record?
  2. What existing authorities, processes, and organizations can be used to support the Navy's Program Manager, Warfare (PMW) 130, Information Assurance and Cyber Security Program Office, in the rapid acquisition of critical information technology?
  3. What new authorities, processes, or organizations are needed to support PMW 130's rapid acquisition objectives?
  4. How can PMW 130, and the Navy more generally, build or leverage a dynamic operational test and evaluation environment?
  5. How can budgeting and resourcing challenges to agility in all parts of the acquisition process be mitigated?

Identifying an agile and adaptable acquisition process that can field new information technology capabilities and services in relatively short and responsive time frames is a pressing issue for the U.S. Navy. Damaging malware can mutate within hours or days, requiring a defense that is sufficiently responsive to mitigate each variant. The Navy's Program Manager, Warfare (PMW) 130, an office in the Navy's Program Executive Office for Command, Control, Communications, Computers, and Intelligence, is focused on rapidly and proactively fielding innovative capabilities to stay ahead of cyber threats. It requires an acquisition and fielding cycle that can deliver hardware security products within 12–18 months, software security products within six to 12 months, and incremental development for both hardware and software every three months. These time frames are far shorter than the Navy's traditional acquisition cycle time, which can be 36 months from concept approval to initial operational capability or eight to ten years for full operational capability. With a focus on these goals, a RAND study sought to identify ways to accelerate or bypass the traditional acquisition process in response to the unique demands of PMW 130 information technology and cyber programs, with lessons derived from and recommendations applicable to programs across the U.S. Department of Defense.

Key Findings

Acquisition Processes for Information Technology and Cyber Capabilities in the U.S. Navy Need to Be Faster and More Adaptable

  • The Navy's traditional acquisition process takes far too long for information technology and cyber programs that must develop and field capabilities within very short time frames.
  • Navy programs in these areas require processes capable of handling two distinct processing speeds: one for all information systems and one for emergent needs.
  • The testing phase, as well as certification and accreditation, can cause significant delays for time-sensitive programs in the traditional acquisition process.
  • Successful rapid acquisition programs in the Army, Air Force, Marine Corps, and joint organizations offer lessons for the Navy as it develops its own streamlined processes for computer network defense and similar program areas.

Information Technology and Cyber Programs Require Stable Funding and Unique Governance and Authority Arrangements to Ensure Efficiency and Sustainability

  • New authorities at the program executive office and program manager levels are needed to better address the assessment, validation, sourcing, resourcing, and fielding of operationally driven urgent requests.
  • The current budgeting process takes too long. However, there are many potential funding sources outside the traditional process for incremental acquisition like that required for cyber programs. Certain initiatives might warrant dedicated budget lines.
  • On a related note, several contracting solutions are available to Navy programs that could be amenable to short cycle times, allowing programs to leverage the agility of the private sector.

Recommendations

  • The Navy should establish business rules that harmoniously allow two processing speeds for certification and accreditation packages for its Computer Network Defense program. It should also work directly with the required authorities to streamline acquisition, give more oversight to the program manager, allocate testing facilities to the organization that manages the program, and create a dedicated certification authority staff position.
  • The Navy's Program Manager, Warfare (PMW) 130, Information Assurance and Cyber Security Program Office, should be involved in changes to the Navy Modernization Process and make use of best practices to get through the process more quickly.
  • Navy programs that require rapid acquisition, particularly those involved with cyber issues, should ensure that they have a stable source of funding and that they have explored all available funding options. Similarly, they should investigate rapid contracting options, including incentives for contractors.
  • Throughout the Navy, programs would benefit from a culture that fosters agile governance and is responsive to the rapid-response needs of information technology programs. Thus, the Navy should implement continuous fielding strategies for these capabilities, focus on integrating authorities and processes, and ensure that processes are efficient and that funding is available to fulfill incremental upgrade needs that must be handled outside the traditional acquisition process.

Table of Contents

  • Chapter One: Introduction
  • Chapter Two: Testing (Certification and Accreditation): Challenges, Best Practices, and Recommendations
  • Chapter Three: The Navy Modernization Process: Challenges, Best Practices, and Recommendations
  • Chapter Four: Budgeting, Funding, and Contracts: Challenges, Best Practices, and Recommendations
  • Chapter Five: Governance, Integration and Training, and Emerging Needs: Challenges, Best Practices, and Recommendations
  • Chapter Six: Summary and Conclusions
  • Appendix A: Survey of Rapid Acquisition Processes
  • Appendix B: Navy Rapid Acquisition Options
  • Appendix C: Case Studies of Successful Rapid and IT Acquisition
  • Appendix D: JCIDS and Incremental Acquisition
  • Appendix E: Review of Cyber and IT Acquisition Literature
  • Appendix F: Air Force Cyber Acquisition
  • Appendix G: Worms

The research described in this report was prepared for the United States Navy. The research was conducted within the RAND National Defense Research Institute, a federally funded research and development center sponsored by the Office of the Secretary of Defense, the Joint Staff, the Unified Combatant Commands, the Navy, the Marine Corps, the defense agencies, and the defense Intelligence Community.

This report is part of the RAND Corporation technical report series. RAND technical reports may include research findings on a specific topic that is limited in scope or intended for a narrow audience; present discussions of the methodology employed in research; provide literature reviews, survey instruments, modeling exercises, guidelines for practitioners and research professionals, and supporting documentation; or deliver preliminary findings. All RAND reports undergo rigorous peer review to ensure that they meet high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.