Category Archives: Small Business

DIU(X) Pentagon Outreach Program To Tech Startups Is Here to Stay


DIU(X) Web Site: https://www.diux.mil/portfolio

“BREAKING DEFENSE”

“DIU(X) has spent $100 million on projects from 45 companies. These are not traditional defense contractors but commercial tech companies, mostly small ones, backed by about $1.8 billion in venture capital.

The whole idea is to reach beyond the often stodgy military-industrial complex to the thriving, innovative tech sector, especially to start-ups that lack the time, connections, or specialized manpower to penetrate the defense procurement labyrinth.


How does Trump’s Defense Secretary feel about one of the Obama Pentagon’s more controversial aus, the outreach to tech start-ups known as DIU(X)?

“I don’t embrace it,” Jim Mattis told reporters en route to Silicon Valley yesterday. “I enthusiastically embrace it, and I’m grateful that Secretary Carter (Ash Carter, Obama’s last SecDef) had the foresight to put something in place to anchor the Department of Defense out there.”

“I want to see results. I want to see what they’re doing with their location and the ideas that they’re bringing, they’re harvesting — what are we getting out of it?” Mattis continued when pressed by a skeptical press. “Absolutely, I want to see them in their mission. I’m not coming out here questioning the mission.” (Emphasis ours).

Mattis’s embrace of this Obama-era idea is just the latest sign that there’s a lot more continuity at the Pentagon in some policy areas than President Trump’s Twitter barrages would suggest. Trump blasted the F-35 stealth fighter; Mattis committed to continued production. Trump called NATO “obsolete” and said South Korea should pay for US missile defenses; Mattis reached out to allies. Trump campaigned on pledges of a Reaganesque defense buildup; his actual budget proposal has been modest. Trump promised new Navy ships and Army units; Mattis has prioritized better training and maintenance for the forces we already have. Trump said he’d made US nuclear forces stronger, but they’re actually still shrinking under Obama-era arms control treaties. All modernization to nuclear delivery systems was started under Obama.

In this context, Mattis keeping his predecessor’s Defense Innovation Unit (Experimental) isn’t so surprising. Congressional Republicans have been ambivalent about DIU(X), which has offices in three strongholds of Democrat-leaning techies: Palo Alto, Austin and Boston. (Note the persistent attacks by the far right on Google and other tech companies.) House Armed Services chairman Mac Thornberry has worried aloud that DIU(X) duplicates longstanding high-tech efforts such as DARPA.

One of Work’s last acts, on July 14, was to give DIU(X) new legal authorities. One of the most significant is rapid hiring authorities that let DIU(X) bypass cumbersome federal regulations and bring tech experts onboard in as little as a day. (Similar authorities have been proposed in Congress.) Another expanded the unit’s ability to set up Cooperative Research & Development Agreements (CRADAs) with private companies. Still other authorities gave DIU(X) new abilities to advertise, run prize competitions, and host conferences, all methods of getting geniuses’ attention for its projects.”

http://breakingdefense.com/2017/08/diux-is-here-to-stay-mattis-embraces-obama-tech-outreach/

What has DIU(X) done to deserve more money and power? The unit’s signature achievement so far is new planning software for Air Force flight operations previously run with Microsoft Excel and markers on whiteboards. The new software cost $1.5 million, but by scheduling sorties more efficiently, it will save an estimated $131 million a year in fuel and maintenance for tanker aircraft, DIU(X) says. The DIU(X) project also delivered in 120 days what a multi-year, $745 million Air Force program could not.

Other DIU(X) contracts range from robotic sailboats (“saildrones”) to collect data on the ocean – vital for naval planning – to military simulations derived from commercial games.

All told, after a rough start which prompted Carter to reboot the unit, DIU(X) has spent $100 million on projects from 45 companies. These are not traditional defense contractors but commercial tech companies, mostly small ones, backed by about $1.8 billion in venture capital. The whole idea is to reach beyond the often stodgy military-industrial complex to the thriving, innovative tech sector, especially to start-ups that lack the time, connections, or specialized manpower to penetrate the defense procurement labyrinth. [UPDATE: Mattis also visited Google on Friday, but the tech giant has been leery of military contracts.] This strategy lets the military ride a train whose locomotive is massive private investment the Pentagon doesn’t have to pay for.

Now Mattis is publicly embracing this approach. In the words of a press release the Defense Innovation Unit (Experimental) put out to celebrate the secretary’s visit, it looks like “DIU(X) is here to stay.”


Pentagon To Unveil New Acquisition Structure


“DEFENSE NEWS”

“The Pentagon is scheduled to deliver its new acquisition structure to Congress, a major step toward redesigning how the building researches and procures equipment.

The 2017 National Defense Authorization Act instructed the Pentagon to devolve the undersecretary of acquisition, technology and logistics, or AT&L, into two separate jobs: undersecretary for acquisition and sustainment, or A&S; and a new undersecretary for research and engineering, or R&E, essentially a chief technology officer.

Those changes are expected to be in place by Feb. 1, 2018.

Congress purposefully allowed time for the Department of Defense to come up with its own road map on how the split should occur, which the department is supposed to deliver to Capitol Hill on Aug. 1 [2017].

Sources say there were discussions about delaying that delivery, in order to allow newly installed Deputy Secretary of Defense Patrick Shanahan a chance to weigh in. However, all indications are that the department intends to hit its Tuesday deadline.

It is important to note that this report will not be the final say in the issue. Its purpose is to inform Congress of how the department will split the duties of AT&L and the broad organizational strategy, but does not need to detail the nuts and bolts of currently shared services. That also means that Shanahan and Ellen Lord, the longtime Textron executive-turned-AT&L nominee who may be confirmed this week, will have a chance to continue to give input going forward.

An interim, two-page memo to Congress was delivered March 1, which contained few details about how the building is approaching the question of devolving AT&L into the new offices.

Congress, meanwhile, is trying to balance out how to give senior leaders a chance to weigh in and making sure the DoD meets the Feb. 1 deadline. And while the report will be happily received in Congress, there is skepticism about what the DoD will actually deliver and how closely it will hew to Congress’ vision of how the new structure should look.

Bill Greenwalt, a longtime defense acquisition expert who spent two years as a staffer on the Senate Armed Services Committee where he had a central role crafting McCain’s acquisition changes, emphasized that the Pentagon’s thoughts are recommendations and that Congress will have final say.

“I think it will be a back and forth between the Congress and administration in terms of how to make this work,” he told Defense News. “The key thing for Congress is R&E should be driving innovation. A&S should be providing the oversight structure. The boxes shouldn’t be transferred around, it should be a cultural shift.”

SCO, DIUx likely folded under R&E

While the majority of the changes to the AT&L structure will entail a reshuffling of offices already under central control, there are two notable offices that may be brought in house, whether they desire it or not.

The Strategic Capabilities Office, or SCO, and the Defense Innovation Unit Experimental, or DIUx, were two pet projects of former Secretary of Defense Ash Carter. The SCO is focused on finding innovative solutions to near-term challenges, while DIUx is charged with creating ties between the DoD and the commercial technology sector.

Notably, both offices have existed as quasi-independent entities. DIUx actually started as a report inside the AT&L structure before being relaunched a year ago following a lack of progress in its mission; it then became a direct report to Carter. The SCO, meanwhile, was created by Carter during his time as deputy secretary of defense and was formally introduced to the world by Carter during the fiscal 2017 budget rollout.

With Carter gone and Congress seeking to improve innovation inside the building, there is pressure from the Hill to see those groups folded into the new R&E portfolio. In a May 18 interview, Mary Miller, acting assistant secretary of defense for research and engineering, said SCO and DIUx “would naturally fit in the USDR&E, that’s the intent.”

“If we set this undersecretary up as we believe we will, as we’re hoping this turns out to be and it will be a select-in to this whole new culture we’re establishing, we don’t need to have special groups that were set up just to be different, because that will be the undersecretary mission,” Miller said during the interview.

Greenwalt said that if the Pentagon crafts the R&E spot “right,” groups like DIUx, SCO, the various rapid capabilities offices and perhaps the Defense Advanced Research Projects Agency should all fall under its control.

When it was pointed out to him that regardless what the Pentagon says, Congress could step in and demand those groups fall under R&E’s control, Greenwalt smiled. “Right. That’s the back and forth,” he said. “We’ll have to see how it works.”

Greenwalt isn’t the only one who thinks those outside groups should come inside. Frank Kendall, whose tenure of four-plus years as AT&L ended with the Obama administration, believes that for the R&E spot to work, it must include all the research groups scattered around the department.

“It would have basic research, 6.1, 6.2 and 6.3, it would have DARPA, it would have SCO and DIUx, it would have the existing office that does experimentation,” Kendall said in April, adding that he had provided that recommendation to Deputy Secretary of Defense Bob Work.

Andrew Hunter, an analyst with the Center for Strategic and International Studies, noted that the Senate clearly has been leaning toward putting SCO, DIUx and DARPA into the R&E portfolio. But that may be an imperfect fit, he warned.

“DARPA, by mandate, deals with that leap-ahead tech, 6.1, 6.2, 6.3 work, research that is early stage. Once it gets to prototypes, that’s no longer DARPA territory. SCO is on the other end,” Hunter said. “Both have a fit in the R&E position. But it seems the department is heading towards having R&E have more of an early stage focus, so they might come to a different answer.”

Leadership questions

While the future of the R&E office is uncertain, the A&S job appears to be more stable — in part because its leadership seems intact.

Lord, the former Textron executive, has already gone through a confirmation hearing for the AT&L job, during which she reaffirmed she would be sliding over to A&S once the AT&L office goes away in February.

The Senate’s version of this year’s defense authorization bill would require Lord to be reconfirmed for the A&S job, but given how little headwind she faced in her confirmation hearing, the assumption is she would easily be reconfirmed for the new title.

Which brings up the question of who her counterpart would be. It is understandable that no names have been put forth for the job, as the White House and Pentagon have been focused on filling existing roles, plus the R&E job does not exist. But waiting too long to put forth a nominee could have “risk,” Hunter said.

“You might not be able to get the quality person you want because of how it is cast. The earlier you name a person, the more they have a chance to shape the structure of the office,” he added. “However you slice the piece, what used to be one really powerful job is now two jobs, each of which is slightly less powerful — so how appealing are they for someone who wants to put their stamp on the future?”

http://www.defensenews.com/pentagon/2017/07/31/pentagon-to-unveil-new-acquisition-structure-on-aug-1/


Pricing Small Business Federal Government Service Contracts


Integrate Long-term Company Strategy With Short Term Proposal Pricing Objectives

INTRODUCTION

Small businesses entering or growing into federal contracting often struggle with developing a pricing approach. They must design a pricing structure that will both pass an audit and win competitively. A winning strategy for federal services contracting must take in the horizon as well as the instant bid on the table.

If you are a small enterprise selling off-the-shelf commercial items under FAR Part 12 or marketing commercial products on a GSA schedule, you may be initially challenged by the government contracting venue. With persistence you will establish selling relationships through agencies and prime contractors, and your pricing challenge is minimal. A service contractor faces a far greater challenge in understanding the nature of government contract pricing and winning at it.

Strategic thinking must therefore be applied to structuring a government service contracting cost center in your company. It must involve long term planning and designing a business system as well as establishing rates and factors to bid new work.

LONG TERM COMPANY STRATEGY

Build a Business System With Pricing in Mind:

We have previously discussed the basics of small business government contracting business system design: Job Cost Accounting Basics

The structure of your pricing approach, from the cost element level through burdens, must use the same template as your job cost accounting and billing. This parallel mapping provides the consistency required to pass audits and to get your billings approved on a service contract.

Please read the above article and its related references. Then design your processes recognizing the guidance there and applying it to your company organization, and the way you produce your supplies and services:

Sculpt the DCAA Auditor

As you begin submitting government contracting proposals you will encounter your local DCAA audit office. They learn about your company by auditing your cost proposal rates, job cost processes and systems, billings and contract closeouts.

Keep in mind that in these encounters you are shaping the opinions of government personnel, opinions that will influence your future and be passed on in reports to contracting officers. Your unique company business system structure must be carefully explained to them in terms of what they know best: their DCAA Audit Manual and the FAR Cost Accounting Standards.

DCAA Audits and Job Cost Accounting Systems

Protect Rate Information

Your fully loaded rates will appear on your GSA schedule in the public domain, in subcontracts from prime contractors and in data acquired under the Freedom of Information Act (FOIA) by competitors.

It is generally recognized by all industries participating in federal government contracting that internal overhead and G&A rates and the data that support them are proprietary data. The reason for the proprietary nature of rate data between companies is that in government work firms are teaming with each other exclusively on one project and competing against each other on additional contracts or projects at the same time.

Companies do not disclose the details of their rates to other companies, and they do not expect to see another company’s proprietary rate information. So companies view each other’s rate information on a fully loaded basis, meaning the total of the base cost, any proprietary indirect cost and an agreed-upon profit percent.

If a prime contractor requests that subcontractor proprietary rate information be supplied with a proposal, the detail should be double wrapped and the package stamped “Government Eyes Only”. The prime will then hand the package off to DCAA without opening it and receive only the fully loaded result of the burdened rate pricing.

For further information on intellectual property protection and protective markings on government contract proposals please see the following article:

Protecting Intellectual Property

Recognize Overhead and G&A Rates Are Critical

Assuming your competition pays a generally similar labor rate to their employees as you do and that fringe costs about the same for everyone, then overhead and G&A are what wins and loses contracts.

Please read the following articles carefully with regard to long range planning and setting your overhead and G&A rates:

FAR and CAS Compliant Systems

Provisional Indirect Rates

Keep in mind that if you are performing work inside a government facility, the government will expect to be charged a lower overhead rate than if you were paying the space and occupancy costs and the light bill. This is normally achieved by establishing a separate cost center for “on-site” (internal to government quarters) work, with lower overhead expenses applied to project direct labor dollars in that cost center.

Price Set Aside Contracts the Same as Full and Open Competitions

If you are a small business lucky enough to receive a sole source set-aside contract under an 8(a) or HUBZone award, or if you are participating in limited competition under a small business set-aside designation, use the same sharp pencil you use on the full and open market. Your goal is to compete for the long haul, and inflating estimates on particular jobs because competition is limited has an inflationary effect on your business as a whole.

Your company’s past performance is being constantly evaluated by the government and the prime contractor community. Consistency wins and retains new business. You will eventually grow to the point where set-asides and sole sourcing are no longer available; prepare early.

Know the True Value of Your Proposal

Develop risk thresholds (ceiling and floor) for your bids. The ceiling is the price for which you can bid a job, perform to meet specifications and win. A floor is the lowest possible price for which you can accept a contract and survive.

Do not bid, or be negotiated, outside these thresholds. “Buying in” does not work, and sacrificing the future of your company by “low balling” cost proposals and hoping to get well on scope changes later is dangerous.

In government contracting the only scenario worse than losing a contract is winning it, performing poorly (cost, schedule or technical) and getting a black eye on your company’s past performance record that takes a long time to go away.

Understand a Proposal is the Opening Chapter and a Baseline for Your Contract

Your proposal represents an initial offer to a government agency or a prime contractor. Please read the following articles on how this baseline is initially set and controlled through the negotiation process and ultimately through careful contract management.

Project Baseline Management

Contract Negotiation

SHORT TERM PROPOSAL OBJECTIVES

Make Bid/No Bid Decisions Wisely

Conduct your bid/no bid decisions effectively. Please see the bid/no bid analysis process at the beginning of the following article:

Contract Negotiation

Be Conservative in Rough Order of Magnitude Pricing

A common government planning technique in the early phases of marketing is to ask questions, review and approve a concept paper from a company, and then informally request, “for planning purposes”, a rough order of magnitude (ROM) cost estimate.

If you provide a ROM, be very careful. It tends to get cast in concrete in the customer’s mind, even though it is not the final, formal proposal. Make it conservative in cost content and schedule duration, then plan to beat it with your formal proposal.

If you are asked for a ROM, make sure you caveat it with a statement in your cover letter that it is for planning purposes only and is not a commitment on the part of your company. State that you will be happy to make a full formal proposal and commitment upon receipt of a formal RFP from an authorized contracting officer. Keep in mind that contracting officers are the only people who can commit the government:

Customer Relations

The government usually goes forward with the concept paper and the ROM for approval of the funding necessary for the job. The “Agency Higher Ups” either give the project personnel the approval to do a set aside or they require a competitive procurement.

You may want to read the following article on Statements of Work:

Contract Statement of Work and Technical Specifications

Know the Difference Between Firm, Fixed Price, Time and Materials and Cost Plus Contracting

During the solicitation and proposal process the contract type is specified.

Firm, Fixed Price (FFP) is the riskiest type of contracting and should be undertaken only when you have a definitive grasp of a precise statement of work with known variables and end products. To undertake a firm, fixed price contract you should have achieved a similar work scope in the past or be delivering follow-on products and services that are mature in nature.

FFP is particularly risky in software development contracts or high technology programs pressing the state of the art. You will receive no more in the form of funding than your bid price on a firm, fixed price contract.

Time and Materials (T&M) contracting places the risk on the government and is suited to long term service contracts of a development nature. T&M may be contracted with fixed labor rates, making the hours and pass through materials and other direct costs the only variables.

Cost Plus (CP) contracting is the least risky of all contract types and you are assured of receiving every dollar of cost incurred under this type of contract.

The lower the risk to the contractor, the lower the negotiated profit rate you can expect, since the government considers risk the principal factor in profit negotiation.

For further explanation of contract types in more detail, please see the following article:

Government Contract Types

Develop a Price Profile of the Competition

Use a copy of your own forward pricing long range plan (LRP) to model your strongest competitors. Profile your best intelligence regarding their size, location, contract base and estimated overhead and G&A expenses. Then, from your knowledge of the market, interpolate their labor and fringe costs, as well as other direct costs, as you prepare your proposal. Incorporate any unique approaches you estimate your competition may offer that affect cost.

Modeling Your Competition

Adjust your competitor cost model to perform “what if” analysis during your risk assessment and proposal review process. For an example of an LRP cost model, please see the Box Net Cube in the margin of this site: Small Business Federal Government Contracting. It is Appendix B to the book, “Small Business Federal Government Contracting”, and is available as a free download in Adobe format from the BOX in the margin of the site.

Understand “Best Value” Source Selection

When the government declares a “Best Value” proposal award process, the agency will perform a weighted trade study of cost versus technical and management factors in reviewing proposals. It will announce the relative weight of each factor within the solicitation so contractors can focus on the most important elements.

What best value means, quite simply, is that if you are the low price bidder you may not win. If a competitor proposes a superior technical and management approach, a higher weighted rating in those factors may offset an otherwise non-competitive bid price, resulting in an award. This is a fact you must keep in mind when preparing your own proposal. In short, you must perform your own trade study on your own bid.

Past performance has also become a significant weight factor in proposal evaluations in recent years. To address this challenge, please see the following article:

Past Performance Challenge

A balanced proposal, with specific, heavy emphasis on government-designated weight factors and an economical, yet realistic cost/price usually wins. Offsetting weaknesses in any designated government weighted area by proposing excellence in other weighted areas is vital.

Beware of Unallowable Costs

Over the years the federal government has determined that certain costs cannot be allowed in prices, cost reimbursements or settlements under contracts with the US Government. The government is unwilling to pay for these costs as direct charges to federal government contracts or through indirect expense pools applied to federal government contracts.

A company is not prohibited from incurring unallowable costs, but they cannot be recovered either directly or indirectly under federal government contracts. To manage unallowable costs, separate accounts must be established for these types of expenses, and they must not be priced directly into federal government contracts during the proposal process.

Such costs cannot be made a part of the expense pools which are applied to federal government contracts through an overhead, material handling or G&A cost allocation at accounting period close or during forward pricing rate planning. For more detail on unallowable costs please see the following article:

Unallowable Costs

Integrate Pricing With Technical and Management Approaches

Establish price targets as soon as possible for major tasks and evolve a program plan; if you are bidding a T&M or IDIQ type program, develop a sample work order for a typical, representative effort.

As the technical and management proposals move toward completion, use established checkpoints to evaluate the efficiency of your cost estimate, escalation factors, labor, material and other direct costs. Then apply your indirect rates and subject your total proposal to a credibility check: is the cost estimate believable given your solution and its time frame?

Run your competition price model and bring in some outside experts to review the end product proposal “Cold” before it is submitted.

Manage Best and Final Offers (BAFO) Carefully

Most government solicitations require a format and terms and conditions with submission that permit contract award without further discussion. However, many involve a down-select process, briefings by those selected in the “Competitive Range”, a call for best and final offer (BAFO) or negotiation to achieve a final price.

The best and final offer period is a sensitive time. Most contracting agencies that call for a BAFO will cite weaknesses or concerns in the selected contractor proposals. They wish to hear about solutions to those weaknesses during BAFO briefings and require a re-submitted offer to correct them. The price may be adjusted as well and that is a key consideration. Pay particular attention to the way the BAFO instructions and concerns, specific to your down-selection, are worded. Look for hints that indicate critical opinion about your pricing, and then adjust your costs.

Consider the cost, schedule, technical and past performance implications of the BAFO request letter from the government and revise your proposal by the required submission date. Close the loop on all matters with your suppliers, subcontractors and prime contractors, and then conduct your briefing to the customer when it is scheduled. Present a united front to win. Your price should be your best; you will not be offered another chance to bid competitively on that program.

On some procurements you may be asked to undertake additional discussions to determine final contract pricing. Please see the negotiation template at the following article for guidance on that process:

Government Contract Negotiation

SUMMARY

This discussion has conveyed how pricing should be a natural outgrowth of the organization structure, market strategy, competitive analysis, business system design and long range planning.

We have further explained how your long- and short-term pricing factors should be integrated with the management and technical elements of any given proposal. Take the long and the short view of your business by integrating long-term company strategy with short-term proposal objectives.

Flush Times for Hackers in Booming Cyber Security Job Market

A recruiter advertises a QR code to attract hackers to apply for jobs at the Black Hat security conference in Las Vegas, Nevada, U.S. July 27, 2017. Joseph Menn

“REUTERS”

“One of the outside firms that handle such programs, HackerOne, said it has paid out $18.8 million since 2014 to fix 50,140 bugs, with about half of that work done in the past year.

Mark Litchfield made it into the firm’s “Hacker Hall of Fame” last year by being the first to pull in more than $500,000 in bounties through the platform, well more than he earned at his last full-time security job, at consulting firm NCC Group.”


“In the old days, “The only payout was publicity, free press,” Litchfield said. “That was the payoff then. The payoff now is literally to be paid in dollars.”

There are other emerging ways to make money too. Justine Bone’s medical hacking firm, MedSec, took the unprecedented step last year of openly teaming with an investor who was selling shares short, betting that they would lose value.

It was acrimonious, but St Jude Medical ultimately fixed its pacemaker monitors, which could have been hacked, and Bone predicted others will try the same path.

“Us cyber security nerds have spent most of our careers trying to make the world a better place by engaging with companies, finding bugs which companies may or may not repair,” Bone said.

“If we can take our expertise out to customers, media, regulators, nonprofits and think tanks and out to the financial sector, the investors and analysts, we start to help companies understand in terms of their external environment.”

Chris Wysopal, co-founder of code auditor Veracode, bought in April by CA Technologies, said that he was initially skeptical of the MedSec approach but came around to it, in part because it worked. He appeared at Black Hat with Bone.

“Many have written that the software and hardware market is dysfunctional, a lemon market, because buyers don’t know how insecure the products they purchase are,” Wysopal said in an interview.

“I’d like to see someone fixing this broken market. Profiting off of that fix seems like the best approach for a capitalism-based economy.”

Reporting by Joseph Menn and Jim Finkle; additional reporting by Dustin Volz; Editing by Jonathan Weber and Grant McCool

The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security.

The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting.

“Hosting big parties has enabled us to meet more talent in the community, helping fill key positions and also retain great people,” said Jen Ellis, a vice president with cybersecurity firm Rapid7 Inc, which filled the hip Hakkasan nightclub on Wednesday at one of the week’s most popular parties.

Twenty or even 10 years ago, career options for technology tinkerers were mostly limited to security firms, handfuls of jobs inside mainstream companies, and in government agencies.

But as tech has taken over the world, the opportunities in the security field have exploded.

Whole industries that used to have little to do with technology now need protection, including automobiles, medical devices and the ever-expanding Internet of Things, from thermostats and fish tanks to home security devices.

More insurance companies now cover breaches, with premiums reduced for strong security practices. And lawyers are making sure that cloud providers are held responsible if a customer’s data is stolen from them and otherwise pushing to hold tech companies liable for problems, meaning they need security experts too.

The non-profit Center for Cyber Safety and Education last month predicted a global shortage of 1.8 million skilled security workers in 2022. The group, which credentials security professionals, said that a third of hiring managers plan to boost their security teams by at least 15 percent.

For hackers who prefer to pick things apart rather than stand guard over them, an enormous number of companies now offer “bug bounties,” or formal rewards, for warnings about vulnerabilities that leave them exposed to criminals or spies.

In the old days, “The only payout was publicity, free press,” Litchfield said. “That was the payoff then. The payoff now is literally to be paid in dollars.”

There are other emerging ways to make money too. Justine Bone’s medical hacking firm, MedSec, took the unprecedented step last year of openly teaming with an investor who was selling shares short, betting that they would lose value.

It was acrimonious, but St Jude Medical ultimately fixed its pacemaker monitors, which could have been hacked, and Bone predicted others will try the same path.

“Us cyber security nerds have spent most of our careers trying to make the world a better place by engaging with companies, finding bugs which companies may or may not repair,” Bone said.

“If we can take our expertise out to customers, media, regulators, nonprofits and think tanks and out to the financial sector, the investors and analysts, we start to help companies understand in terms of their external environment.”

Chris Wysopal, co-founder of code auditor Veracode, bought in April by CA Technologies, said that he was initially skeptical of the MedSec approach but came around to it, in part because it worked. He appeared at Black Hat with Bone.

“Many have written that the software and hardware market is dysfunctional, a lemon market, because buyers don’t know how insecure the products they purchase are,” Wysopal said in an interview.

“I’d like to see someone fixing this broken market. Profiting off of that fix seems like the best approach for a capitalism-based economy.”

https://www.reuters.com/article/us-cyber-conference-business-idUSKBN1AD001

Pentagon Product Acquisition Focus Must Be On Requirements Document

“DEFENSE NEWS” By Gen. John Michael Loh (retired)

“The most important, yet most overlooked product in the defense acquisition system is a succinct operational requirements document.

The Defense Department’s acquisition process is so overloaded with Office of the Secretary of Defense as well as Joint Staff bureaucracy, unqualified personnel, multiple reviews and councils, and duplication of the service’s requirements organizations, the requirement gets lost.”


“The operational requirements document, or ORD, is the foundation of the acquisition process from concept development through system development. That series of processes — the Joint Capabilities Integration and Development System, or JCIDS — in place since 2003, adds little value and never focuses on the ORD as the centerpiece. In fact, the requirements document isn’t called the “requirements document” in JCIDS. As the lengthy JCIDS process proceeds at a snail’s pace, what substitutes for a requirements document goes by various names like “initial capability document,” then, the “capability development document,” then the “capability production document,” without having a clear owner for each. An end-to-end ORD just doesn’t exist in JCIDS.

Instead of the top-down, JCIDS-based requirements process, the requirements process should be bottom-up with single ownership by the service’s major operating commands throughout. Putting together and managing an airtight, bulletproof ORD should be the first priority and main focus of activity during concept development leading to milestone one. After milestone one, the ORD should stay in the forefront of every decision and remain unchanged. That is the way the system worked before JCIDS.

We need to learn from the past and get back to basics in the acquisition system starting with the requirements process. From the start of the F-15 and F-16 programs in the early 70s through the F-22 start in the late 80s, concept development began with small, smart teams working together from the operating and developing commands; understanding the need; conducting trade-off analyses to assess risk and cost, in continuous dialogue, producing a requirements document unfettered by top-down micromanagement or wall-to-wall reviews and nitpicking.

The teams were manned by smart operators from the major operating command, who understood the capability needed, and by technical experts from the development command, who understood the state of the art and the risk to go beyond it. They worked in harmony in horizontal dialogue, not having to go through vertical chains of command to communicate with each other, as is the case today. Nor did the Pentagon interfere.

This process worked to produce remarkably well-constructed ORDs in less than a year in most cases. The ORD, approved by the operating and development command, went directly to the service chief and secretary for validation, then to the Joint Requirements Oversight Council, which made sure it included joint service support.

Typically, the work in the Pentagon took less than six months to validate the requirement and put it on the street to industry. The key was the work done by the small teams, freed from bureaucratic tyranny and micromanagement by non-experts.

The ORD served as the main product and basis for the system specification, request for proposals and the source selection process. It kept discipline in the acquisition system throughout all pre-full-scale development milestones.

However, building small, smart teams is essential but difficult. Experience and expertise are prerequisites. Experts in development command teams must know technical and cost risks, and have a working knowledge of operational matters. Experts in the operational command teams must know threats and concepts of operations, and a working knowledge of acquisition matters. But, these experts must be trained and educated for their roles.

Today, particularly in the major operating commands, the officers defining requirements are good operators but not expert in the requirements business. To make matters worse, the responsibility for defining requirements has been subordinated in many operational commands under the plans and programming functions.

Many things need fixing in the defense acquisition system. Reform should start with eliminating JCIDS and returning to what worked — making the ORD the foundational document and driving force in acquisition programs created by small, smart teams from the responsible commands in the services. The result will be an acquisition cycle that is years shorter than JCIDS, and systems that meet needed capabilities on cost and schedule.”

https://www.defensenews.com/opinion/2017/07/26/defense-acquisition-focus-on-the-requirement-document-not-the-process-commentary/

About the author: (wikipedia)

“John Michael Loh (born March 14, 1938)[1] is a retired four-star general in the United States Air Force who last served as Commander, Air Combat Command from June 1992 to July 1995. His other four-star assignments include being the 24th Vice Chief of Staff of the Air Force from June 1990 – March 1991, and Commander, Tactical Air Command from March 1991 – June 1992.”

https://en.wikipedia.org/wiki/John_M._Loh

NASA Seeks Certified 8(a) Minority-Owned Contractors for $100M Headquarters IT Contract

“WASHINGTON TECHNOLOGY”

“NASA has kicked off the bidding on a potential five-year, $100 million contract for IT services at the agency’s headquarters in Washington.

Only small businesses with the 8(a) designation are eligible to compete for the Headquarters Information Technology Support Services III contract. The agency posted a request for proposals on July 18 and responses are due Aug. 18.

A selected contractor will provide integrated IT, systems engineering, operations and IT-related management support services to mission directorates and mission support offices at NASA’s headquarters. The solicitation also calls for management of a cloud infrastructure program in a managed computing environment at headquarters.

HITSS III has one base year with four one-year options and is the successor contract to HITSS II won by Digital Management Inc. in 2012. Media Fusion Inc. also is an incumbent contractor through a task order awarded against a GSA Schedule contract, according to Deltek.

HITSS II expires on Sept. 30 and has a potential five-year value of $177 million. Deltek estimates NASA has spent approximately $145 million over that contract’s lifespan.”

https://washingtontechnology.com/articles/2017/07/25/nasa-8a-it-hq-rfp.aspx

Whistleblower Hotlines: A Valuable Tool

“NATIONAL DEFENSE MAGAZINE”

“An effective ethics reporting tool, implemented as part of an ethics and compliance program, can help an organization detect and resolve potential misconduct issues.

It can also help support a culture of integrity and responsibility within the workplace.

Misconduct in the workplace can be devastating. The Association of Certified Fraud Examiners’ “2016 Report to the Nations” estimates that, on average, organizations lose 5 percent of revenue per year due to fraud and other misconduct.

Many organizations have implemented active and deliberate misconduct-detection processes. “Active” means that a person, or an internal control method, has been put in place and is instrumental in looking for fraud and other misconduct. Compare that to “passive” detection, in which the organization learns of unethical activity only after the fact or by accident.

How does an ethics reporting tool, such as a whistleblower hotline, fit in? It could be labeled a “passive” tool because fraud or other misconduct is often reported after it has happened. However, an ethics reporting tool can help to shed light earlier on misconduct that might otherwise continue for any length of time and cause more damage.

Knowing about misconduct sooner enables an organization to put a stop to it earlier. According to the report, the median duration of fraud prior to detection is about 18 months. For smaller organizations, early detection could mean the difference between surviving or going out of business.

A whistleblower hotline doesn’t just help bring fraud to the forefront. Other types of misconduct commonly reported using these systems are harassment, discrimination, workplace health and safety violations, alcohol/drug abuse, violence in the workplace, and conflicts of interest — to name a few.

Once an ethics program has been implemented, it needs to engage every employee, from the top down. It can’t just exist as window dressing.

Senior management needs to be committed to the ethics program and sincere about sharing their commitment with employees. Employees learn acceptable workplace behavior by taking cues from leadership. If management doesn’t believe in the ethics program and model leading with integrity themselves, employees are not likely to use the reporting tool to report any unethical conduct.

Employees may also be skeptical about coming forward to report perceived misconduct. Many people are concerned that even if they do make a report, no corrective action will be taken. But the biggest fear for employees is retaliation by co-workers and management. Ethics program best practices, as well as regulatory standards, call for ethics hotlines to ensure confidentiality for employees who report concerns and offer the option for anonymity.

External third-party ethics hotlines, which often include a case management database, can help. Third-party programs provide the ability for management and the reporter to communicate with each other about the allegation securely, within the system, enabling management to gather more information while protecting the whistleblower’s identity. This ensures a more thorough investigation of the alleged misconduct, getting to the bottom of any serious issues sooner, before they escalate.

Customizable third-party whistleblowing systems allow companies to create a program that is best suited to meet the needs of their organization, regardless of industry. They log and date stamp every report and allow management of each case to closure.

The ability to include a company’s national or global locations as part of the reporting process enables all incidents to be funneled into the one system in an organized manner.

Every industry has its own unique risk concerns and customizable third-party systems help management spot and track issues and trends, no matter the location, the department or the issue.

If they are not comfortable talking with their supervisor, a whistleblower wants to know where they can go to report ethical concerns and remain anonymous. An anonymous hotline removes many of the obstacles to reporting inappropriate behavior and gives employees, suppliers and vendors the ability to raise genuine concerns about illegal or unethical behavior.

Ethics hotlines also reduce the risk of individuals going outside the organization with their concerns, potentially damaging an organization’s reputation and causing further financial harm.

Every employee wants to know that his or her voice matters in the organization. That’s why encouraging a speak-up culture is important. Employees want to know they are part of the success of the company. Encouraging them to speak up about wrongdoing and showing them that their concerns do matter and are taken seriously creates more motivated employees who truly want to participate in the company’s future.

Many companies believe they are too small to warrant an ethics reporting system. There’s a belief that there’s too much complexity and work involved. But putting in extra upfront effort to set up a customizable program that is right for the company is well worth it when the result is more open communication, happier employees, reduced risk, and future growth and success.

When an organization implements a confidential and anonymous third-party ethics hotline, it lets employees and stakeholders know that it is serious about adherence to its code of conduct, it takes all reports of misconduct seriously, and it does not tolerate retaliation towards anybody reporting perceived misconduct.

If company leaders truly want to promote a speak-up culture, and give employees a safe place to come forward to report ethics and compliance concerns, then one of the best ways is to provide employees security and comfort of anonymity and confidentiality via a whistleblower hotline.”

http://www.nationaldefensemagazine.org/articles/2017/7/17/whistleblower-hotlines-a-valuable-tool

Army Turns To Industry For Network Overhaul

Army Command Post

“BREAKING DEFENSE”

“Want to sell information technology to the US Army? Then you need to write this down: Paul.A.Ostrowski.mil@mail.mil. That’s the email of the general seeking industry’s input — historically something of a struggle for the service — as the Army reviews and overhauls its networks.

The Army’s long-term goal: a single unified network connecting everything from the home base to the battlefield, easy for the service to upgrade, easy for soldiers to use amidst the stress of combat, and hard for enemies to take down. The Army’s immediate question for industry: Can you build it?

Lt. Gen. Ostrowski, the director of the Army Acquisition Corps, wants you to write him if you want in on a series of roundtables the Army is holding with selected companies, hosted by the federally funded Institute for Defense Analyses (IDA). One roundtable was personally led by the Army Chief of Staff, the hard-charging, wisecracking Gen. Mark Milley, who is taking a hands-on role in the review he launched in May.

“Who’s in charge? The Chief’s in charge…. he and the Secretary of the Army,” Ostrowski said at yesterday’s Association of the US Army conference on networks. Those top leaders have brought together the Army’s Chief Information Officer/G-6 (chief signals officer), the Army resourcing staff (G-8), the Training & Doctrine Command that brainstorms future warfare concepts and writes requirements for new systems, and the acquisition officials who buy them.

“What’s different is the involvement of the leadership,” said Army CIO Gary Wang, who’s leading the review for Gen. Milley. While the Pentagon bureaucracy does plenty of reviews, he told me, “oftentimes it’s delegated down to a much lower level.” This time, though, the severity of the Army’s “financial constraints” have gotten the Chief of Staff and Acting Army Secretary Robert Speer personally involved, Wang said.

There’s another reason Wang didn’t mention: the savage criticism in Congress of the Army’s flagship battlefield network, WIN-T. Gen. Milley himself said the network is too “fragile” and “vulnerable” for future battles against high-tech adversaries like Russia or China, because its transmissions are too easily detected and then jammed or hacked.

Beyond WIN-T

“WIN-T’s our current network,” Ostrowski said when I asked him about the system. “We’re an Army that has to fight tonight, and WIN-T will be very much part of that. Period. That gets that off the table.” Then he moved on to other topics — notably not saying what this review would mean for WIN-T in the future.

But this review goes well beyond WIN-T, Milley and Speer have emphasized. It covers all the Army’s networks, both for combat units and back-office business operations. The crucial issue, Ostrowski said, is “how do we simplify the network? Right now we have a lot of parts and pieces. We’ve gone out and bought a lot of stuff that’s incredible in terms of its capabilities, but we’ve got to simplify: We’ve got to make this soldier-intuitive; we’ve got to make it soldier-maintainable and soldier-operable.”

The Army today has about 20 different software “baselines,” with different units and offices using inconsistent and often incompatible programs, often because their hardware is too old to handle anything better. The resulting patchwork of networks is expensive to operate and difficult to secure against cyber attack. So the service wants to upgrade everyone to a single, consistent, up-to-date baseline within two years.

What’s more, cybersecurity in the narrow sense is not enough. The Army can’t just focus on hackers sending malicious code over the internet: It also has to worry about electronic warriors jamming, triangulating, or eavesdropping on radio transmissions. That’s a uniquely military problem. Yes, civilian mobile phones also rely on radio — that’s what “wireless” means — but only to reach the nearest cell tower, which is often plugged into fiber optic cable; battlefield wireless networks rely on long-distance radio, which is much more vulnerable.

A Daunting Task

So what does the Army want from its future network, and therefore from industry?

First and most fundamentally, Ostrowski told the AUSA conference, the review is driven by rapidly evolving threats, because the network needs to be ready to go to “fight and win our nation’s wars” against those threats. The Army must stand ready “to deploy rapidly, anywhere, anytime, to shape, prevent, and win, against any foe in any domain — domain being cyber, space, air, land, or maritime — and any environment — environment being megacity, desert, jungle, arctic.” So the network must be able to operate, and the soldiers using it must be able to reliably communicate, in all those conditions, under attack by any of those threats, and on the move, without stopping to set up radio antennas or lay fiber optic cables.

To that end, the network must be “simple and intuitive,” Ostrowski said, easy for soldiers to operate without extensive training or constant tweaking. Soldiers must be able to keep it running without relying on legions of industry Field Service Representatives (FSR), as was often the case in Afghanistan and Iraq.

The network must also be easy to upgrade as technology changes, without having to start the whole laborious procurement process over again, and without being locked in to one company’s intellectual property that no other firm can touch. “I will tell you up front, that if you’re going to bring proprietary solutions to the table, don’t come,” Ostrowski said. Instead, the network must be built on open standards, allowing any company to offer upgrades just as any company that meets Apple’s standards can sell apps for the iPhone.

Just as the network has to be open to different companies’ products, Ostrowski continued, “it has to be accessible to our allied partners,” allowing friendly nations’ networks to connect with ours.

Finally, the network must be secure against cyberattack, resilient to the damage of those attacks that do get through, and able to transmit its wireless signals in a way the enemy cannot easily detect. (The technical terms are Low Probability of Detection (LPD) and Low Probability of Intercept (LPI)).

This is a daunting list of desiderata, but engineers from both the Army and “numerous companies” are already “whiteboarding” how they would achieve them, Ostrowski said. “My name and number (are) up there,” he said, pointing to his slides. “I need you to let me know if you want to play.”

Who’s facilitating all this interaction? The Institute for Defense Analyses (IDA), a federally funded research & development corporation that Congress had already chartered to study the Army network, said Maj. Gen. Peter Gallagher, who works for CIO Wang as director of architecture, operations, networks, and space. Gallagher told me he doubted if he’d ever seen a review this intensive, adding the full-court outreach to industry was “something Gen. Milley personally directed.”

“We rely on industry for everything we do,” Gallagher said simply.”

http://breakingdefense.com/2017/07/army-chief-milley-turns-to-industry-for-network-overhaul/

DoD Is Buying Fewer Commercial Items. Oops!

“BREAKING DEFENSE”

“One constant in the acquisition reform debate of the last two decades ……  “buy more commercial items in a commercial fashion, and do it quickly and cheaply.”

But a report by the Government Accountability Office analyzing a decade of the federal acquisition database finds that Pentagon’s purchase of commercial items has declined since 2007.

Now, nobody argued that you could buy F-35s or ships that way, but as competitors such as China and Russia fielded weapons in double-quick time and software and computer hardware became increasingly important to a weapon’s effectiveness, speeding up purchases and lowering their costs grew in importance.

To build bridges with the commercial sector and to ensure the military sped up its adoption of technology advances — especially in software and commercial IT — former Defense Secretary Ash Carter created the Strategic Capabilities Office and the Defense Innovation Unit Experimental, fondly known as the DIUX. They were supposed to help accelerate the purchase of commercial technology, bolstered by a raft of legal and policy changes over the last decade.

“The data now supports what was long suspected — that the purchase of commercial items was declining. The question is why? The answer can likely be found in the overreaction to the perceived contracting abuses of the Iraq War.

“While commercial items and the Iraq War shouldn’t be linked, they became so in the so-called ‘war on profits’ that was initiated early on in the Obama Administration,” Greenwalt argues. “In a typical overreaction applied to a different set of circumstances….the DOD bureaucracy, instead of going after bloated cost-type contracts and moving to a more fixed-price, commercial-like, performance-based contracting approach, decided to do the opposite and rein in commercial item contracts where profit margins are traditionally higher.”

Part of the problem appears to be that Pentagon acquisition officials just don’t know much about buying commercially. To cope with that, the Defense Contract Management Agency (DCMA) created six Commercial Item Centers of Excellence staffed with engineers and price/cost analysts to advise contracting officers in how to determine what can be bought commercially.

“According to DCMA officials,” the GAO report says, “experts at these centers began reviewing cases in June 2016 and since then have examined 437 cases that contained approximately 2300 items. They recommended that the contracting officer make a determination that an item was commercial in 94 percent of the cases reviewed.”

But Greenwalt isn’t really optimistic, even though he pushed hard to make sure the acquisition community had the policy and legal tools to buy more commercially.

“The linkage between higher profits and higher risks and performance that occurs on commercial item contracts was forgotten in order to keep as many traditional cost-type programs (with somewhat reduced fees) going during a budgetary downturn,” he says. “Congress acted in the last two NDAAs to try and roll back this situation, but since none of the rules to implement new commercial item legislation have been enacted yet, it is doubtful we will see much improvement soon in the statistics.”

http://breakingdefense.com/2017/07/dod-is-buying-fewer-yes-fewer-commercial-items-oops/

The Business of National Cybersecurity

“FIFTH DOMAIN CYBER”

“With all the attention this subject is now receiving, one would think the business of national cyber security (commercial, government and defense) would be very robust.

Small and medium-sized businesses are not singing a happy, carefree tune. Delays in contracts, budget cuts and delayed payments seem to be the most common complaints.

It is hard to open a browser, look at a newspaper, or watch or listen to a news show without the topic of cybersecurity coming up. In mid-June, Microsoft received a lot of attention from headlines about the company’s warning of an elevated risk of cyberattacks. Another attention-grabbing headline came from Chris Childers, the CEO of the National Defense Group located in Germantown, Maryland, who shined light on the fact that many satellites in use today are dated and use old technology that was made before cyberthreats were a real issue and prior to when cyber defenses were readily available.

With all of the headlines about cyberattacks, viruses, ransomware attacks (WannaCry) and so on, you would think cybersecurity business is booming. Odds are it is not as robust as many people think. Let’s not forget when the Department of Homeland Security said 20-plus states faced major hacking attempts during the 2016 presidential election.

Today, basic cybersecurity understanding and skills need to reach into every profession and every level of the workforce. Updating the skills of the workforce must be continuous, and this takes time and money.

Another interesting point was brought up during a recent cyber strategy thinking session: Could our adversaries be leveraging inexpensive cyberattacks and threats as economic warfare, knowing full well that we will move to identify, analyze and address the emerging threats — something that would cost us money? After all, what choice do we have?”

http://fifthdomain.com/2017/07/07/the-business-of-national-cybersecurity-commentary/