Rand: Navy must hasten cyber defense acquisitions
The Navy needs a new Defense Department-approved acquisition process for cybersecurity, not just a revised version of existing procedures, says the Rand Corp. in a report commissioned by the DoD.
In the report (.pdf), Rand suggests the Navy address emerging and imminent cybersecurity threats by splitting IT acquisitions into three categories: those that must be complete in less than 30 days, such as virus definition updates and simple patches; acquisitions that must complete in less than six months, including things like operating system service packs; and those that can or will take longer, such as integrated system replacements.
The report says current testing, certification and accreditation phases cause significant delays for systems that need more immediate protection, for example against new threats such as worms. It suggests a tiered approach can remove some delays by using vendor and software requirements specifically made for time-sensitive needs.
Another aspect that must be sped up, says the report, is funding. It recommends that the Navy use fleet commanders' large, flexible operations and maintenance budgets to pay for software upgrades or patches for emerging needs.
There are steps the Navy can take to make the entire process smoother, says the report. These include working with contractors to develop incentives for rapid contracting operations, giving more oversight to program managers, allocating real-world testing facilities such as docked ships, and considering options like vendor scorecards that can maintain information on a vendor's ability to deliver rapid cyber capabilities.
- Download the Rand report, "Rapid Acquisition and Fielding for Information Assurance and Cyber Security in the Navy" (.pdf)