This year I asked all of our Program Executive Officers (PEOs) to provide short assessments and recommendations to me directly.
The result, as it was for the Program Manager Assessments I’ve received for the last 2 years, has been a treasure trove of observations and recommendations covering a wide range of topics. I thought it would be useful and insightful for the entire workforce to see some of these professional, and very frank, comments. I’ve removed most inputs that were about specific programs and edited lightly to make some of the inputs less Service specific. Arranged alphabetically by topic, and presented without comment, here is a sampling of the topics on our senior line managers’ minds as they confront the many challenges we face.
Acquisition Education: Cybersecurity requirements continue to grow impacting virtually everything we do in acquisition from daily workplace activities, to Enterprise Resource Planning (ERP) system development, to weapon system development. Additionally, the Department of Defense (DoD) is required to certify audit readiness in Fiscal Year (FY) 2017. Audit readiness affects every career field in acquisition, not just financial management professionals. Ensure that the Defense Acquisition University curriculum is updated to reflect audit readiness and cybersecurity considerations and requirements for all of the career fields.
Also, an executive-level Acquisition seminar for our senior General/Flag Officers, especially those assigned in the Pentagon, would advance acquisition reform. We consistently find ourselves answering questions to our Service Chiefs and members of Congress that are far outside of acquisition responsibilities. This is a team sport, and DoD would be better served if all of our most senior leaders had a basic understanding of the Defense Acquisition process and their respective roles in it.
Business Cases and AoAs (Analysis of Alternatives): Why would we do both? There is too much complexity and lack of clarity between the Deputy Chief Management Officer and the role of the Office of Acquisition, Technology, and Logistics.
Clinger-Cohen Act (CCA) Compliance: CCA mandates the completion and approval of numerous other programmatic documents as supporting documentation before a program’s CCA can be certified. The Army Chief Information Officer (CIO)/G6 estimates the staffing and approval for a program CCA compliance determination to take up to 120 days to complete. Two supporting documents required for submission for a CCA compliance determination are (1) Test and Evaluation Master Plan (TEMP) and (2) Acquisition Program Baseline (APB). Because of the potential lead time required to support a CCA determination (120 days), we recommend that draft versions of the TEMP and APB be authorized for submission for CCA compliance purposes. We also recommend that significant programmatic changes identified during documentation staffing that would alter the CCA compliance determination be presented during an abbreviated and accelerated update to allow programs to simultaneously staff critical documents without delaying program schedules.
Configuration Steering Boards (CSBs) and Testing: CSBs have been especially helpful in adjusting requirements (both to provide a forum for the deliberate addition of some requirements as well as removing some requirements where they don’t make sense). This process should be extended to include using the CSB process to adjust test plans and requirements as well rather than allowing independent members of the test community virtually unlimited authority to commit programs to cost and schedule of tests that the operational leaders of the Service do not believe are warranted. Similarly, it would provide a forum for those same uniformed leaders to insist on testing that might otherwise be overlooked.
COTS and NDI Acquisition: Financial Management Regulation must be clarified to provide consistent guidance on the use of procurement funds in lieu of research, development, test and evaluation (RDT&E) funds to test Commercial Off the Shelf (COTS) and Non-Developmental Items (NDI). This has tremendous impacts across my portfolio, which is heavily reliant on COTS/NDI and could mitigate additional funding stability risks if properly clarified where both the budget analysts and the lawyers agree on the flexibility to use either procurement or RDT&E to test COTS/NDI.
Cyber Security Testing: Cyber testing and the ability to achieve a “Survivable” rating in an official operational test environment continues to be nearly impossible for a Program of Record (POR) to achieve. Test criteria are not well defined and, even if requirements are met, the standards and scope is “independently” determined by the OTA or DOT&E for success. The threat portrayal often exceeds the capabilities of a Blue Force Team (i.e., nation-state threat going against a brigade-level formation), focuses more on “insider” threat of unreasonable proportions, and minimizes the importance of “defense in depth” approach. Recommend better definition for standard cyber rules of engagement at operational test, the allowance for external cyber protection teams, and that test reports focus on the program under test (not the overall “network”).
Fiscal Law Constraints: It is likely pie in the sky, but to operate with a single color of money would greatly improve our efficiency and effectiveness. We spend far too much time trying to discern the gray areas that exist between the appropriations. Functioning with Operation and Maintenance dollars during periods of continuing resolutions and severe cash distribution challenges, makes continuity of support a challenge and results in all sorts of bizarre contract actions. If we operated primarily in an Other Procurement world with narrow definition on true RDT&E (introduction of truly new functional envelopes), we would be much more efficient and effective stewards.
Funding Concerns (10 USC Section 2282): I continue to bring this up to anyone who will listen to me. This pseudo-Foreign Military Sales (FMS) funding is an excellent tool in that it allows us to deliver capability and build Combat Command (COCOM) military partnerships, particularly in countries that can’t afford to invest in our weapon systems. That said, the funding is restrictive in that we need to figure out what we’re going to buy, put together an acquisition strategy, and get it on contract in the year appropriated (which drives some bad acquisition behaviors). The biggest challenge is that we can only use Section 2282 funding to sustain the system for 2 years. After that, the receiving country must create/fund an FMS case or the COCOM must provide funding. Bottom line is that there is a high risk that these great capabilities will be left to rot and quickly become useless.
Funding Stability and Flexibility: For the last several years, we have started each fiscal year under Continuing Resolution Authority (CRA) for 3 to 4 months before the budget is enacted and funding begins to flow. The CRA creates instability in the year of execution because we can’t have any new start programs and the amount of funding available under CRA typically is some percentage of our prior year funding. This instability is exacerbated by the fact that our funding execution is measured against the Office of the Secretary of Defense (OSD) obligation and expenditure goals that do not take into consideration the delay in receipt of funding caused by operating under a CRA. As a result of missing OSD execution goals, funding often is rephased in the out-years, which perpetuates the situation as the cycle has consistently repeated itself and is likely to do so in the future. It would be helpful if the OSD Comptroller could adjust the OSD obligation and expenditure goals to “start the 12-month clock” when the Defense budget is actually passed and not on Oct. 1, as they do now.
Hiring Authority: The agility of a PEO to support its portfolio with appropriate personnel is not adequate with the formal billeting and staffing process and needs to move to a management to budget construct that allows the hiring of additional government personnel.
Human Capital: As the military service begins to reduce force structure, similar reductions are taking place across the civilian workforce. Additionally, there is pressure from Congress to reduce the number of support contractors across DoD. My workforce is comprised of military members (4 percent), core DoD civilians (15 percent), matrixed DoD civilians—combining the traditional and product organization structure—(46 percent) and support contractors (35 percent). With all of these components being driven to reduce numbers and no relief from the mission requirements and expectations, my PEO organization will be challenged severely, even after realizing process efficiencies, to effectively perform the mission unless some portion of the workforce can be stabilized.
Innovation: In intelligence, surveillance and reconnaissance and in working with Special Operations Forces, we are working hard at giving people the tools to bring out their innovative side and give them the confidence to be creative. It is probably the most enjoyable part of my job. I have numerous examples of recent initiatives, but will mention just two of them. First, the Rapid Development and Integration Facility (RDIF) continues to grow as a place where government program managers (PMs) and engineers (sometimes in partnership with small business) are rapidly modifying everything from gunships to B-2s to helicopters. They are taking back the technical baseline, learning how to innovate and growing confidence in our government teams. Second, is the Revolutionary Acquisition Techniques Procedures and Collaboration (RATPAC) forum run jointly between the Air Force and Special Operations Command. Twice a year we select about 50 junior acquisition professionals to attend an intense week of engagement with our most innovative acquisition, warfighter and congressional thinkers. They leave RATPAC fired up to be acquisition combat enablers, and it is really special to see.
Obsolescence: We face an ever-growing challenge dealing with obsolete parts when we build on a COTS-based infrastructure. Components over the life cycle of our programs become obsolete when supply chain providers move on to next efforts or divest in the business area. We have seen cases where we are replacing obsolete components on a system prior to fielding the initial capability. Many vendors are updating their products at an increasing rate and do not maintain or support older versions of their equipment. This is true for both software and hardware. Programs need to ensure they adequately budget for these activities and have the correct personnel to address these issues throughout the life cycle of programs. We also need to engage with vendors early to ensure we have long term sustainment strategies that may include extended lifetime buys for key components early in a program to ensure long-term supportability as well, and address the ability to upgrade at the component level to meet any potential obsolescence issues. Help is needed in supporting continuous low-level modification lines to deal with obsolescence issues.
Protests: I recommend that there be a penalty for protesting to discourage weak protests. Example: paying the DoD’s legal costs, or paying some penalty for the program disruption.
Quality and Clarity of High Level Taskers: I would like to address the quality of taskers or assignments received at my level. Often a broad-based tasker is issued and, as it flows down the chain of command, it is interpreted in various ways by a number of different people to the point where nobody really understands what information is required. These taskers should be clear and concise from the beginning and follow established staffing chains to ensure that we are not wasting precious resources (time, money and people) providing data and information that does not properly respond to the issue.
Quick Reaction Capabilities: This year alone, I had 42 Quick Reaction Capabilities (QRCs) that I managed and reviewed as separate programs and resolved that 5 be closed, had 10 pending closure once 100 percent accountability of assets is resolved, 7 transitions to existing Programs of Records (PORs), and 20 that will continue to be managed as stand-alone QRCs. Note that no QRC comes with organic personnel resources and must be managed with allocated POR resources and the heavy use of matrix and contractor support. This is not a sustainable model. The military Service is working the requirements process that supports these transitions.
However, the alignment with the Program Objectives Memorandum (POM) process inherently results in a 2-year gap that we have only been able to solve because of the availability of supplemental appropriations. If supplemental dollars did not exist, we would have been unable to transition and/or retain QRC capabilities to the degree we have successfully done to date.
The delay in obtaining updated requirements documents hinders the ability to compete in the POM process and exacerbates the gap. A second issue with QRC transitions is balancing the adequacy of testing to support POR transition and milestone decisions. In many cases, these capabilities have been operated effectively for thousands of hours in combat—meeting requirements as specified for military utility, which ought to be the goal of an Operational Test event. Testing a QRC now for integration into a POR, should only verify any changes caused by modifying/integrating on platforms or needed changes to address usability/human factors of the system when we transition from contractor to green suit sustainment/operations. In many cases, we are spending extensive resources (time, money, test ranges, personnel expertise) to retest basic sensor performance on capabilities which have been operating in combat for more than 10 years as a QRC. The Service Test and Evaluation Organization, the OSD Offices of Developmental Test and Evaluation and of Operational Test and Evaluation need to adjust to a more continuous evaluation process and away from the big bang, all-inclusive testing. Finally, overall, the DoD Instruction (DoDI) 5000 series guidance does not address the process of the transition of QRCs to PORs. For example, personnel Concept Plans to support program office manning take forever, material release tailoring is all but nonexistent to deal with COTS, and timely requirements documentation and integratiion of funding into the appropriate Program Evaluation Groups/base are challenging tasks. The aforementioned conditions cause PMs to focus on near-term resourcing and not effective/efficient program management. Help is needed from an institutional perspective to take lessons learned and update policies and provide tailoring procedures for improved transitions.
Reprogramming Authority: Another way to provide additional flexibility would be to allow greater reprogramming thresholds (this requires approval from Congress). Higher Below Threshold Reprogramming limits go hand in hand with giving PEOs/PMs greater authority to move cost savings realized from successful Better Buying Power (BBP) initiatives within our funding lines. This would also act as a strong incentive for the Defense Acquisition Workforce to inculcate BBP principles into our programs.
Requirements Process: I suggest that both the operational and acquisition communities focus serious attention at the most senior levels on implementing a simplified requirements process which better facilitates the rapid technology/threat cycles within the cyber domain.
Risk Management Framework (RMF): The construct has added time to the process with, in my opinion, no added benefit to date. This process needs quick efficiency reviews and updating. Help is needed in making the RMF more efficient and shorter.
The new RMF process (which replaced the DoD Information Assurance Certification and Accreditation Process), providing for certification and accreditation of weapon systems, has been too unwieldy for the speed and agility needed in approving cybersystem solutions. Specifically, we have identified the following issues with the RMF process as applied to cyber weapon systems:
- RMF levies heavy requirements for monitoring, software updates and policy controls that are less bound by operational concerns than previous systems.
- RMF causes a large resource burden of time and manpower. With the volume of work entailed in RMF, it is difficult to make consistent progress or to develop reliable schedules to inform our operational user. Additionally, the unplanned burden on program offices to apply RMF is taking resources from fixing user issues and addressing modernization needs.
There was little structure put into phasing the RMF requirement into weapon systems. The full requirement was mandated with less than 2 years to prepare, with limited waiver opportunities provided.
While new systems in development can accommodate RMF during the design process, legacy systems were not designed with RMF security controls in place, so there are significant programmatic and operational impacts to meeting the RMF controls. Thus, applying RMF to currently fielded operational systems puts undue burden on the operational user.
Control of and accountability for system cybersecurity is spread over numerous organizations and is poorly integrated, resulting in diminished accountability and unity of command and control for cybersecurity. These overlapping roles create ambiguity regarding whether the commander or the authorizing official can make the final decisions regarding risk to a mission.
The coordination process for RMF approval packages continues to evolve. Changes in expectation, standards and formats are not communicated well, and this often creates much rework, further delaying approval and impacting program cost and schedule.
The vast majority of our systems currently are accredited under the old structure and the RMF process does not allow previous accreditations to be easily absorbed into the new structure.
There has been a shift in focus from simply managing risk to now ensuring all facets of system vulnerabilities are addressed. While this will improve cybersecurity, there is simply not enough manpower to adequately perform all of the required processes, specifically within the Approving Official and the Security Compliance Assessor communities.
Approving Officials have not been issuing Plans of Actions and Milestones during this transition process, which has led to an expiration of Authority To Operate during the lengthy process.
In considering improvement opportunities since RMF has been in use and lessons learned have become available, I suggest that the application of RMF to currently fielded cyber weapon systems be re-examined and tailored to reduce heavy RMF resource demands and impact to the operational user. In addition, as stated earlier, it is imperative that the acquisition and life-cycle management tools and processes for both new and fielded cyber weapons systems be streamlined to maximize speed and agility within reasonable levels cybersecurity risk.
Sustainment in DoDI 5000.02: I see a difference between a system in the sustainment phase and a sustainment program. Because DoDI 5000.2 is silent on sustainment programs, we sometimes treat sustainment programs the same as efforts to modernize a program in the sustainment phase, in terms of systems engineering, milestones and documentation.
Modernizing a program in the sustainment phase usually fits pretty clearly into one of the “Defense Acquisition Program Models.” But a sustainment program such as a Service Life Extension Program, Diminishing Manufacturing Sources Program or a Contractor Logistics Sustainment Program doesn’t fit well within those models. Yet there are some nuances, best practices and common tailoring that could apply to these types of programs. I thought the “model” concept was a great addition to the DoDI 5000 series, so I think adding a model for sustainment type programs would be helpful. I have also recommended this at the military Service level to address in our documents. I see a lot of teams struggle in this area.
Tailoring: However, although you and other senior leaders continue to reinforce the importance of tailoring the acquisition process to the specific and unique characteristics of the product being acquired, the rules and policy are frequently interpreted as inflexible and prescriptive. As additional acquisition reform provisions are considered, we should look for ways to better institutionalize the expectation for tailoring, particularly as it applies to the acquisition of non-developmental or minimally modified COTS systems.
Workforce Development Ideas
Acquisition “Whiteboard” Sessions: I found that often when I received milestone packages through the staffing process, the acquisition strategies weren’t tailored to the most effective approach to develop or acquire the system. In order to prevent frustration of the workforce and get the top level concepts right from the beginning, I began hosting “Whiteboard” sessions to ensure everyone had a common understanding of the strategy. I run these much like the military Service runs After Action Reviews by serving as a facilitator—asking shaping level questions of the program stakeholders (from the PM, legal, contracting, etc.) and allowing them to shape the strategy through their answers. The level of innovation and quality of the milestone packages has dramatically improved. I’ve received very positive feedback on the learning value of these sessions and encouraged my subordinates to replicate the process at lower levels.
Acquisition Categories II and III Configuration Steering Boards (CSBs): Much of the equipment we acquire is commercial or commercially based. On several occasions, we received approved requirements documents that specified requirements substantially outside commercially available features. Our engineers conduct industry Requests for Information, coordinate with commercial testing facilities, and employ analytical tools to identify requirements that are driving cost and risk. We then organize a CSB with the appropriate one-star level operational community proponent, along with virtual representation from the Service staff to review the data analysis. In each case, we’ve been able to temper the requirements to only the critical capabilities, thereby reducing programs’ costs and technical risks while allowing them to move forward without risking lost funding or schedule delays.
Junior Employee Shadowing Program: Each PM within the PEO nominates high potential GS-12/13 employees to shadow me for 2 weeks. These employees can attend all meetings that the PEO participates in and get a good sense of how to think critically about the unique facets of each program and how these considerations shape acquisition strategy, contract type, contract incentives, and source selection approaches. To date, I have had 24 shadow participants, and I have already seen evidence of grassroots movement inside their home organizations in taking more innovative approaches to acquisition strategies.
Topical Town Hall Meetings: I have held town hall meetings quarterly, and I always highlight a number of innovative accomplishments in acquisition from several of our individual PMs. As an overarching theme, I’ve suggested that our acquisition professionals should treat every decision they make as if it was their own money. I’ve continued to encourage them to challenge requirements and approaches that don’t make sense based on their personal experiences both in acquisition and in their daily lives.
As with the Program Manager Assessments, I have responded to each of the PEOs individually. In addition, I have asked some of the writers to work on follow-up actions to explore solutions to the problems they raised, or to implement their specific suggestions. My last article and e-mail to the workforce talked about how real acquisition reform has to come from within and it has to take the form of continuous improvement on many fronts. This is one more example of what that looks like in practice.