CyberWarfare / ExoWarfare

7 ways the USMC Systems Command’s Cyber Advisory Team wants US DoD to improve IT acquisition

The Marine Corps Systems Command’s Cyber Advisory Team completed its first emergency cyber acquisition as part of a new process designed to more quickly respond to the cyber warfighting needs of the force.The move is in line with broader Department of Defense measures to improve technology acquisition. (U.S. Marine Corps illustration by Jennifer Sevier)


A new study from a Department of Defense task force highlights the need for the military to act more like commercial industry when it comes to buying software.

Specifically, DoD officials should abandon buying practices that date back as far as the 1970s and institute an iterative, agile approach to acquiring software, a new Defense Science Board report said.

Doing so means changing the culture at the Pentagon, where systemic problems in culture and internal processes – including an emphasis on detailed requirements and large-scale, completed systems – discourage contractors from employing more software-friendly buying practices in the military, according to the report.

It’s not a new issue.

“Problems associated with software development continue to plague major DoD acquisition programs. This results in long delays in fielding, significant cost overruns, and, in some cases, program cancellation,” the report’s authors wrote. “The problems appear to be caused by the same software development issues that have occurred in programs over the last two decades.”

The report detailed seven recommendations for improving software acquisition at DoD, including:

Carefully examining the “software factories” of contractors: “The Under Secretary of Defense for Research and Engineering should immediately task the Defense Digital Service, the U.S. Air Force Life Cycle Management Center, the Software Engineering Institute Federally Funded Research and Development Center, the U.S. Naval Air Systems Command, and the Army Materiel Command with establishing evaluation criteria for potential contractors’ software factory capabilities.” Software factories are sets of software tools that programmers use to write code and collaborate.

· Adopt continuous iterative development best practices: “Service acquisition executives, with the program executive officers, the program managers, and the Joint Staff/J-8 should, over the next year, identify minimum viable product approaches and delegate acquisition authority to the PM” to deliver a series of viable products, establish d the equivalent of a product manager for each program in its formal acquisition strategy, and arrange for the warfighter to adopt the initial operational capability for evaluation and feedback; and engage Congress to change statutes to support rapid iterative approaches.

· Institute risk reduction and metrics for all new programs, starting immediately: Officials, including major decision authorities, should allow multiple vendors to begin work, with a down-select happening after at least one vendor has proven they can do the work. Multiple vendors should be retained through development to reduce risk.

· Evaluate for transition current and legacy programs: PMs and PEOs should plan transition to a software factory and continuous iterative development. Defense prime contractors should transition execution to a hybrid model, and incorporate iterative continuous development within the constraints of their current contracts. For legacy programs where development is complete, PMs and PEOs should make the business case for whether to transition the program. Over the next year PMs should brief best practices and lessons learned.

· Develop workforce competency: Military acquisition commands “should acquire or access a small cadre of software systems architects with a deep understanding of iterative development. Services acquisition commands should use this cadre early in the acquisition process to formulate acquisition strategy, develop source selection criteria, and evaluate progress.”

· Incorporate software emphasis in contracting: Requests for proposals should specify the basic elements of the software framework supporting the software factory, including code and document repositories, test infrastructure, software tools, check-in notes, code provenance, and reference and working documents informing development, test, and deployment. These should then be reflected in the source selection criteria for the RFP. Availability, cost, compatibility, and licensing restrictions of such framework elements to the government and its contractors should also be part of the selection criteria for contract award.

· Verify and validate machine learning: The Defense Advanced Research Projects Agency (DARPA), the SEI FFRDC and the DoD laboratories “should establish research and experimentation programs around the practical use of machine learning in defense systems with efficient testing, independent verification and validation, and cybersecurity resiliency and hardening as the primary focus points. They should establish a machine learning and autonomy data repository and exchange along the lines of the U.S. Computer Emergency Readiness Team to collect and share necessary data from and for the deployment of machine learning and autonomy.”