A House Armed Services subcommittee has raised concerns regarding the Department of Defense cyber enterprise’s ability to procure cyber tools.
According to draft language in the annual defense policy bill released June 3, the Subcommittee on Intelligence and Emerging Threats and Capabilities believes “the nation’s cyber force could be hindered with tools and accesses being developed and stored by different components of the services and Department of Defense agencies and elements,” the draft states.
“For all the components under its authority, U.S. Cyber Command should maintain a comprehensive and dynamic inventory of subordinate elements’ accesses and tools, and emphasize the importance of sustaining these cyber-specific capabilities.”
The provision taking aim at the department’s cyber acquisition is located in the first draft of the bill, and changes could be expected during committee markup. However, it is included as an “item of special interest,” meaning the House committee is directing the secretary of defense to provide just the House Armed Services Committee a briefing no later than Feb. 1, 2020, on the DoD’s strategy for acquisition, development and sustainment of cyber-specific accesses and tools.
While in the past the individual services procured their own cyber tools on their own separate infrastructure, Cyber Command is changing this paradigm. The command created the Joint Cyber Warfighting Architecture (JCWA), established by Cyber Command within the last year to guide capability development priorities.
The architecture consists of five elements, which include:
- Common firing platforms to be used at the four cyber operating locations of the service cyber components. These platforms will be worked into a comprehensive suite of cyber tools;
- Unified Platform, which will integrate and analyze data from offensive and defensive operations with partners;
- Joint command and control mechanisms for situational awareness and battle management at the strategic, operational and tactical levels;
- Sensors that support defense of the network and drive operational decisions; and
- The Persistent Cyber Training Environment, which will provide individual and collective training as well as a way to rehearse for a mission. The Army is managing PCTE on behalf of Cyber Command and the joint force.
Concerning acquisition more broadly, the subcommittee has raised skepticism regarding Cyber Command’s use of acquisition authority Congress has given it.
Congress gave Cyber Command limited acquisition authority in 2016 following the model of Special Operations Command. It capped acquisition funds at $75 million per year, sunsetting in 2021. The command had previously asked for an increased ceiling of $250 million and a sunset of 2025.
However, this year, the command has only used a fraction of that — roughly $44 million, its commander told the committee in March — leading some to question if the options as currently established are appropriate.
“Certainly, since over the years we have worked to give the services more flexible acquisition authorities, can you provide this committee with an update on why you think you need this unique acquisition authority and what the current state of implementation is?” said Rep. Elise Stefanik, R-N.Y., the committee’s ranking member, during the hearing.
Maj. Gen. Karl Gingrich, director of capability and resource integration, J-8 at Cyber Command, told reporters in May that part of the problem is getting the right workforce in place within the acquisition shop to be able to manage contracts.
Additionally, he said he’s hopeful the command will use its acquisition funds by year’s end.
“We just don’t want to run into a situation where we’re in a June-July timeframe and we’ve already exhausted our $75 million acquisition authority for that year. Now what do we do?” he said. “When I said negotiating, it’s really discussion with Department of Defense, Congress and us to make sure that we have the appropriate level where we don’t over ask but that is balanced based on our maturity and our ability to execute because we see the value of it.”
The briefing the subcommittee is asking DoD for should include details of the processes, procedures, roles and responsibilities and sustainment plans for the DoD’s cyber capabilities. It should also include details on how DoD acquires tools, capabilities and accesses from non-governmental sources and conducts due diligence of these vendors.