In April 2012, the Washington Post reported Pentagon plans to fast-track acquisition of cyber weapons. Due to the rapidly changing nature of IT, conventional approaches of military acquisition are now considered too slow and cumbersome. The Pentagon dreamed up “Rapid Cyber Acquisition” in response. The remainder of this post cited some paragraphs that describe cyber acquisition by the US DoD.
Section 933 of Public Law 111-383 (.pdf, 2011) lays out the DoD’s strategy for acquisition and oversight of cyber warfare capabilities:
Subtitle D—Cyber Warfare, Cyber Security, and Related Matters
SEC. 933. STRATEGY FOR ACQUISITION AND OVERSIGHT OF DEPARTMENT OF DEFENSE CYBER WARFARE CAPABILITIES.
- (a) STRATEGY REQUIRED.—The Secretary of Defense, in consultation with the Secretaries of the military departments, shall develop a strategy to provide for the rapid acquisition of tools, applications, and other capabilities for cyber warfare for the United States Cyber Command and the cyber operations components of the military departments.
- (b) BASIC ELEMENTS.—The strategy required by subsection (a) shall include the following:
- (1) An orderly process for determining and approving operational requirements.
- (2) A well-defined, repeatable, transparent, and disciplined process for developing capabilities to meet such requirements, in accordance with the information technology acquisition process developed pursuant to section 804 of the National Defense Authorization Act for Fiscal Year 2010 (Public Law 111–84; 10 U.S.C. 2225 note).
- (3) The allocation of facilities and other resources to thoroughly test such capabilities in development, before deployment, and before use in order to validate performance and take into account collateral damage and other so-called second-order effects.
- (c) ADDITIONAL ELEMENTS.—The strategy required by subsection (a) shall also provide for the following:
- (1) Safeguards to prevent—
- (A) the circumvention of operational requirements and acquisition processes through informal relationships among the United States Cyber Command, the Armed Forces, the National Security Agency, and the Defense Information Systems Agency; and
- (B) the abuse of quick-reaction processes otherwise available for the rapid fielding of capabilities.
- (2) The establishment of reporting and oversight processes for requirements generation and approval for cyber warfare capabilities, the assignment of responsibility for providing capabilities to meet such requirements, and the execution of development and deployment of such capabilities, under the authority of the Chairman of the Joint Requirements Oversight Council, the Under Secretary of Defense for Policy, and other officials in the Office of the Secretary of Defense, as designated in the strategy.
- (3) The establishment and maintenance of test and evaluation facilities and resources for cyber infrastructure to support research and development, operational test and evaluation, operational planning and effects testing, and training by replicating or emulating networks and infrastructure maintained and operated by the military and political organizations of potential United States adversaries, by domestic and foreign telecommunications service providers, and by the Department of Defense.
- (4) An organization or organizations within the Department of Defense to be responsible for the operation and maintenance of cyber infrastructure for research, development, test, and evaluation purposes.
- (5) Appropriate disclosure regarding United States cyber warfare capabilities to the independent test and evaluation community, and the involvement of that community in the development and maintenance of such capabilities, regardless of classification.
- (6) The role of the private sector and appropriate Department of Defense organizations in developing capabilities to operate in cyberspace, and a clear process for determining whether to allocate responsibility for responding to Department of Defense cyber warfare requirements through Federal Government personnel, contracts with private sector entities, or a combination of both.
- (7) The roles of each military department, and of the combat support Defense Agencies, in the development of cyber warfare capabilities in support of offensive, defensive, and intelligence operational requirements.
- (8) Mechanisms to promote information sharing, cooperative agreements, and collaboration with international, interagency, academic, and industrial partners in the development of cyber warfare capabilities.
- (9) The manner in which the Department of Defense will promote interoperability, share innovation, and avoid unproductive duplication in cyber warfare capabilities through specialization among the components of the Department responsible for developing cyber capabilities.
- (d) REPORT ON STRATEGY.—
- (1) REPORT REQUIRED.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall submit to the appropriate committees of Congress a report on the strategy required by subsection (a). The report shall include a comprehensive description of the strategy and plans (including a schedule) for the implementation of the strategy.
- (2) APPROPRIATE COMMITTEES OF CONGRESS DEFINED.—In this subsection, the term ‘‘appropriate committees of Congress’’ means—
- (A) the Committee on Armed Services, the Committee on Appropriations, and the Select Committee on Intelligence of the Senate; and
- (B) the Committee on Armed Services, the Committee on Appropriations, and the Permanent Select Committee on Intelligence of the House of Representatives.
The DoD’s ACC Test & Evaluation Management Guide states that this strategy has been elaborated on, and mentions four cyber capability “need” timelines (2012):
[The] USD(AT&L) worked with the DoD cyber community to develop a common framework for the Services and Defense Agencies to acquire cyberspace operations capabilities.
The framework addresses requirements, acquisition, testing, and governance. To execute this new framework, the traditional defense acquisition framework will be aggressively streamlined to accommodate cyberspace operations’ quick reaction timelines, while at the same time managing risk. There are four cyber capability “need” timelines: A – less than 30 days; B – 30 days to 9 months; C – 9 to 18 months; D – greater than 18 months (likely to follow traditional acquisition processes).
An evaluation of operational risk to mission success is central to testing in all four cyberspace operations acquisition processes and will be the primary driver in determining the degree of testing appropriate for each capability. Whichever of the four processes is followed, an integrated team of testers, certifiers, and users must help develop the requirements, identify the significant operational risks, and work to address those risks through T&E. T&E of cyberspace operations capabilities must support risk management in any of the four acquisition paths by providing decision makers with credible, relevant, and efficient estimates of system and operational performance. T&E processes and products must be tailored to program need, risk, and risk tolerance; be fully integrated into capability development processes; leverage testing as a service; and efficiently synthesize developmental, operational, and specialty T&E perspectives to generate data for independent evaluation.