Summary
- Examines the quickly evolving IT and cyberthreat environments.
- Analyzes the challenges associated with current IT acquisition strategies.
- Discusses the potential benefits of a government-wide approach to acquiring cutting-edge IT.
The federal government is woefully ill-equipped to defend itself against the cyberthreats that it faces each day. The current acquisition regulations do not allow for the efficient procurement of information technology, which inhibits the government from building an effective government-wide cyber-defense. To enable an effective cyber-defense, the government must radically change the way in which it acquires cybersecurity-related goods and services. This Note argues that Congress should create a government-wide information technology consortium, modeled off the Other Transaction Agreements (OTA) consortium framework. The Note begins by detailing the range of cyberthreats that the United States faces and discusses the stunningly fast pace at which information technology advances. The Note then analyzes the current information technology acquisition techniques, focusing on the failure of these techniques to provide a truly expedited avenue to procure information technology. The Note concludes by arguing that Congress should adopt the OTA consortium framework and transform it into a government-wide information technology consortium, which would provide all federal agencies with the ability to acquire cutting-edge information technology in an effective time frame.
As smoke billowed from mangled pieces of metal, screams echoed off massive ships, and the faint buzz of Japanese Zeros receded into the sun, the United States was just barely grasping the severity of the horrific attacks that occurred at Pearl Harbor on December 7, 1941. In just one morning, 2,400 Americans were killed, and the United States was pulled into a world war that would claim the lives of over 400,000 more Americans. More recently, the United States has been concerned that a “cyber Pearl Harbor,” a single cyberattack that would cripple the United States, was inevitable. Although the fear of such a major attack has presently subsided, the threats posed by cyberattacks are only growing. No longer are surprise attacks by Japanese Zeros at the forefront of the United States’ national security concerns; the United States is now focused on fighting a war on an invisible battlefield—the war of cyberspace.
Early in 2020, Russian hackers were able to gain months of access to key government networks, such as those used by the Pentagon, the Department of Homeland Security, the State Department, and many others. By using malicious code planted into a software update provided by SolarWinds, a Texas-based cyber company, the Russian hackers compromised some of the most secretive government networks in the United States. The SolarWinds attack is just one example, albeit an exceptional example, among the countless cyberattacks that the United States encounters each day. Instead of facing the threat of a single crippling cyberattack, the United States is facing a “death of a thousand cuts.” The United States must prepare itself for the constant and unending struggle that it will endure defending against countless cyberattacks. Similar to the United States’ perspective after the attack on Pearl Harbor, the future of the war in cyberspace is unknown. What is known is that the United States has a long and arduous fight ahead, a fight that will require every available tool to ensure the creation of an effective government-wide cyber-defense. Now is the time to take one small step towards progress by making one giant leap in federal contracting.
Currently, the federal government’s procurement system is woefully outdated and ill-equipped to keep pace with the rapidly evolving cyberthreats that the United States faces. The current procurement system is dominated by a culture that emphasizes rigid parameters and documentation, which is unable to adjust to the rapid development of information technology (IT). With the current legislation and culture among federal agencies, the United States will soon be outpaced in the realm of cybersecurity, an area that it once dominated. There have been countless attempts to reform the acquisition process, resulting in numerous regulatory changes and statutory mandates aimed at enhancing the United States’ IT and IT procurement system. However, even the most ingenious efforts have not been as effective as hoped. To keep pace with the rapid development of IT, the United States must adopt a robust and unique IT procurement solution to allow federal agencies to combat the rapidly evolving cyberthreats that the United States faces each day. One such solution would involve developing a structure that is similar to the Other Transaction Authority (OTA) consortium framework, a procurement technique that leverages the expedited acquisition processes provided by the OTA to quickly deliver innovative solutions by encouraging collaborative efforts among private sector leaders.
This Note seeks to modernize the federal government’s IT acquisition process, paying specific attention to the pace at which the acquisition process moves. To put the cybersecurity threats that the United States faces into perspective, Section II details some of the more significant threats. In Section III, the Note shifts to analyzing the statutory and regulatory framework surrounding the acquisition of IT, specifically addressing the issues present in the current system. Finally, Section IV of the Note argues that Congress should utilize the existing Other Transaction Authority (OTA) consortium framework as a model to create a government-wide IT consortium. This IT consortium will allow every federal agency to procure, in an expedited time frame, the IT that is needed to enact and maintain an effective government-wide cyber-defense.
To put the severity of the situation into perspective, this Section identifies and explores the various threats that the United States faces in cyberspace. The Section begins by explaining why cyberthreats are so prevalent, utilizing a key example to highlight how actors of varying sophistication can carry out effective cyberattacks. The Section then explains why the United States is such a valuable target in cyberspace and briefly explains how the United States compares to other actors. The Section then concludes by analyzing the most concerning cyberthreats that the United States faces and ties together how all of the factors detailed in this Section combine to create the United States’ greatest national security concern.
The “cyberspace,” a network of interconnected IT, is an essential aspect of almost every facet of our world. There are “hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables” that allow for the proper functioning of the United States’ critical infrastructure and government. Without these interconnected devices, the government would not be able to perform its most basic duties.
These same devices present some of the greatest risks to the United States, however. Whether an adversary is a state actor, a criminal organization, or an anarchist, the U.S. government is constantly encountering cyberattacks. A primary reason for the constant cyberattacks is that the resources and capital needed to carry out a cyberattack are significantly less than those required for physical methods of attack, making cyberspace the perfect medium for asymmetric warfare.
For example, in 2016–2017, Artem Radchenko and Oleksander Ieremenko, both Ukrainian nationals acting of their own accord, utilized sophisticated cyberattacks to gain access to the U.S. Securities and Exchange Commission’s (SEC) Electronic Data Gathering, Analysis, and Retrieval system. Without the aid or funding of a government, Radchenko and Ieremenko were able to compromise a highly confidential government system and steal thousands of files. The success of Radchenko and Ieremenko exemplifies the idea that cyberattacks can be carried out by numerous actors for a fraction of the cost of conventional methods, opening the playing field of international combat to more actors than just states.
Additionally, cyberthreats evolve incredibly rapidly, making it easier for attackers to develop new methods of attack and frustrate the cyber-defense process. Following “Touhill’s Law,” for every year that a computer exists, it will have aged the equivalent of twenty-five human years. This speed of evolution makes creating a cohesive and effective cybersecurity program incredibly difficult, especially when the processes used to acquire IT are not designed for speed and efficiency.
As the proverbial “final nail in the coffin,” the government has lost its substantial lead in the cybersecurity realm. The United States dominates in almost every military realm, but is no longer a dominating power in cyberspace. The decline in U.S. superiority in cyberspace can be at least partially attributed to the procurement system’s inefficient acquisition and implementation of cutting-edge technologies. Combining the relative ease of carrying out cyberattacks, the rapid evolution of IT, and the United States’ dwindling lead in cybersecurity, cyberattacks present an extraordinary threat to the U.S. government.
The most sophisticated and persistent cyberthreat facing the United States comes from the People’s Republic of China. China has dedicated itself to becoming a hegemon in cybersecurity, as it has committed countless resources and research to developing the most advanced and cutting-edge IT. As one example, China’s Ministry of State Security is currently exploiting the United States’ cybersecurity vulnerabilities to carry out prolonged attacks on government agencies, jockeying for ongoing access to the government’s networks. China is using “Advanced Persistent Threats” (APTs) to effectuate these prolonged cyberattacks. APTs are cyberattacks that incorporate highly sophisticated technology to penetrate and remain hidden on a victim’s network for a prolonged period of time. Using APTs, China can penetrate and remain hidden on the United States’ networks while gathering economic, proprietary, and national security information.
APTs have been detected in various government organizations, including the Department of Defense (DoD), the State Department, the Commerce Department, and, most notably, the National Aeronautics and Space Administration (NASA). Particularly, China was able to penetrate NASA’s networks numerous times, successfully extracting sensitive rocket designs.
However, China is not the only state developing and utilizing its cyber capabilities: Russia, Israel, North Korea, and Iran are all doing the same. In October 2020 alone, Iran targeted voter information through state election websites; North Korea carried out attacks against various private and government entities in South Korea, Japan, and the United States; the U.S. Census Bureau was targeted in several attacks; and Russia stole information from the U.S. government and aviation networks, including networks containing information regarding U.S. election systems. As these examples demonstrate, attacks by state actors are not uncommon, and the United States is challenged each day to prevent a wide array of nefarious actors from gaining access to the government’s networks. The United States must take action now so that agencies are equipped and prepared to combat the countless cyberthreats encountered each day.
The IT procurement system, which is not currently designed to efficiently acquire desperately needed IT, must be substantially reformed so the United States can equip itself to effectively combat cyberthreats. The current federal procurement system, governed by the Federal Acquisition Regulation (FAR), is built to ensure key objectives, such as competition, integrity, and transparency. These objectives are worthy goals; however, the current regulations fail to provide agencies with a procurement vehicle that can keep pace with rapidly evolving technologies. This Section analyzes key attempts to expedite the procurement process, such as the Rapid Acquisition Authority, Government-wide Acquisition Contracts, and the Other Transaction Authority, identifying how these regulations have failed to provide a truly expedited acquisition technique able to keep pace with the United States’ cybersecurity needs.
To start, the federal government’s current approach to procuring IT is outdated, cumbersome, and woefully unable to keep pace with rapidly evolving technology. Instead of freeing agencies from burdensome regulations, the current IT procurement system is dominated by oversight, strict requirements, and extensive documentation. These burdensome regulations hinder the speed at which agencies can procure IT and thereby jeopardize agencies’ ability to mount an adequate cyber-defense.
Currently, the U.S. government procures IT through regulations similar to those used to acquire major weapons systems, meaning that IT procurements can take up to seven to ten years, a time frame that is far too long in the realm of cybersecurity. Further, goods in this field are “consistently delivered late, over budget, and obsolete.” If the United States desires to build an effective cyber-defense and remain a dominant force in cybersecurity, the “fundamentally broken” IT procurement system must be substantially reformed by replacing traditional acquisition techniques with techniques equipped to handle the rapid pace of IT evolution.
Numerous attempts have been made to streamline the federal IT acquisition process, but for the purposes of this Note, the most notable are the Rapid Acquisition Authority, Government-Wide Acquisition Contracts (GWACs), and the Other Transaction Authority (OTA). Each of these measures, to a varying degree, is useful; however, these measures have failed to establish a cohesive and foundational acquisition strategy that allows agencies to procure IT in an effective time frame. The following subsections analyze each of these three acquisition vehicles, detailing the impacts that each has made on the acquisition process, while explaining how these measures ultimately fail to create a truly expedited IT procurement vehicle.
Originating from Section 806 of the Fiscal Year (FY) 2003 National Defense Authorization Act (NDAA), the Rapid Acquisition Authority (RAA) was created to expedite the acquisition process to aid soldiers during the 2003 invasion of Iraq. The RAA allows the Secretary of Defense to waive policies and regulations that are deemed as unnecessarily impeding the rapid acquisition of equipment that is “urgently needed to eliminate a combat capability deficiency that has resulted in combat fatalities.” The most recent change to the RAA came in the FY 2016 NDAA, which extended the Secretary of Defense’s waiver authority to procure goods or services needed to eliminate a deficiency caused by a cyberattack. This authority is not unlimited, however. Per the FY 2016 NDAA, acquisitions under the RAA are capped at $200 million. Likewise, the authority granted to the Secretary of Defense under the RAA will end two years after they make the determination that supplies or services are urgently needed.
The RAA is a valid attempt to streamline the acquisition process. The ability of the DoD to waive various policies and regulations that are deemed to hinder the acquisition process is a step in the right direction. However, limiting this authority to the head of the DoD limits the RAA’s scope. To see meaningful and effective change, the authority granted to the Secretary of Defense should be given to other senior leaders. Understandably, accountability and abuse would be major concerns if such authority is provided to a wide array of individuals, but all federal agencies need access to procurement methods that are unconstrained by traditional acquisition regulations for an effective government-wide cyber-defense to take hold.
Further, scholars and practitioners have argued the $200 million cap on the RAA should be increased. In the realm of government acquisitions, $200 million is a small sum, and the need to have significant funds available is highly important in the IT realm. Therefore, to make the RAA more impactful, increasing the $200 million cap would allow more cyber acquisitions to occur at a much quicker pace.
The last major concern with the RAA is the emphasis that it places on defensive measures. The language of Section 803 of the FY 2016 NDAA specifically limits the RAA’s use to be in response to or recovery from a cyberattack. Instead of allowing the RAA to be utilized well before a cyberattack occurs, the language limits its applicability to either after an attack has occurred or in response to an imminent threat of an attack. Limiting the RAA to such instances will not foster an effective cyber-defense. Instead, the RAA needs to be utilized in a more proactive and preventative manner to enable agencies to procure and implement the needed IT before an attack occurs.
Government-Wide Acquisition Contracts (GWACs) are multiple-award, indefinite delivery, indefinite quantity (IDIQ) contracts that allow agencies to purchase IT from contractors through other agencies’ existing contracts. GWACs represent a unique acquisition technique, but they can be confusing and inefficient. To establish a GWAC, an agency must be designated by the Office of Management and Budget (OMB) as an agency capable of establishing a GWAC. Once an agency has been delegated the authority to establish a GWAC, OMB must approve the creation of the GWAC.
An established GWAC will include numerous pre-approved contractors who are eligible to compete for task-orders placed under the GWAC. Since contractors are pre-approved, the acquisition process under GWACs is, in theory, more efficient than other acquisition processes. Also, orders placed under a GWAC are not subject to the full competition requirements of traditional procurements; the procuring agency need only provide contractors with a fair opportunity to be considered for award. So, in essence, GWACs provide agencies with a consolidated, streamlined means to procure IT goods and services.
Nonetheless, GWACs have several features that limit their efficiency. For example, some GWACs require the agency that established the GWAC, referred to as the servicing agency, to carry out acquisitions on behalf of agencies desiring to procure goods or services through the GWAC, referred to as requesting agencies. The requesting and servicing agency relationship can be complex, resulting in confusion between the two agencies as to their respective responsibilities, thus hindering the efficiency of GWACs. Clarifying the responsibilities of the requesting and servicing agencies would help to make GWACs more efficient. An evolution of the current GWAC system could entail the delegation of the servicing agency’s responsibilities to a professional entity solely dedicated to carrying out acquisitions for requesting agencies. The use of a third party to carry out acquisitions on behalf of government agencies is explored in more detail later in this Note. Overall, GWACs are a compelling acquisition technique, but the convoluted ordering process prevents them from being more efficient.
One of the early attempts to streamline the acquisition process was the creation of the Other Transaction Authority (OTA), or Other Transactions (OTs), which are vehicles utilized to procure research and prototypes from academic and commercial entities. The OTA model of contracting originates from the late 1950s, when the United States was seeking to keep pace with the Soviet Union’s rapid technological advancements in space. After realizing the success of the OTA, Congress granted the DoD an OTA in the FY 1990 and 1991 NDAAs.
Though it was originally more constrained, the DoD is currently authorized to use OTs for research and production projects, along with prototyping projects that involve “platforms, systems, components, or materials” intended to enhance the mission effectiveness of the military. Even though an individual OT cannot exceed $500 million, there are no limits on the number of OTs that can be utilized or their cumulative value. If an individual OT is projected to exceed the $500 million threshold, the Under Secretary of Defense for Research and Engineering or the Under Secretary of Defense for Acquisition and Sustainment must approve the contract, and the congressional defense committees must be notified within thirty days.
Unlike other attempts to streamline the acquisition process, OTs are not constrained by the FAR or the Defense Federal Acquisition Regulation Supplement (DFARS). The lack of constraint by traditional acquisition regulations extends to competition requirements, which are essentially non-existent. OTs are intended to utilize competition when awarding a contract, but there are no governing competitive requirements established by law, nor do requirements established by the Competition in Contracting Act (CICA) apply. The lack of competition requirements associated with OTs helps to make the OT acquisition process less burdensome and essentially eliminates agencies’ concerns with bid-protests.
The award of an OT, however, is limited by certain requirements, such as the type of contractor who can be awarded the OT. For example, relevant guidance encourages OTs to be awarded to “non-traditional defense contractors.” If a traditional defense contractor is awarded an OT, either a non-traditional defense contractor must participate in the project to a significant extent, the awardee must provide financial or in-kind cost sharing, or the Service Acquisition Executive must make a written determination justifying the use of the OTA. The constraints placed on the award of OTs limit the OTA’s applicability, but they promote innovation and the inclusion of companies that would not normally be able to compete with traditional defense contractors.
Further, some have expressed concern that the DoD has not utilized the OTA to its fullest extent. Currently, many contracting officers in the DoD are being plagued by “FAR creep,” the slow and unofficial implementation of FAR-like regulations into acquisition authorities unconstrained by the FAR. Even though contracting officers understand the benefits of OTs, contracting officers have been trained to emphasize the use of the FAR and the DFARS regulatory powers. Additionally, contracting officers are evaluated by senior officials who were trained and worked under a FAR and DFARS dominated procurement system, which could discourage current contracting officers from utilizing modern, more efficient acquisition techniques. Overcoming the acquisition culture of relying on the FAR and the DFARS, even when more efficient acquisition techniques are available, is a significant barrier to the expedited acquisition of IT.
A truly unique and thought-provoking aspect of the OTA is the development of the OTA consortium framework. An OTA consortium is a group of companies that agree to deal with the government under a common rule set to perform work in a given subject area. The purpose of an OTA consortium is to develop and deliver innovative solutions in an efficient manner “not possible without collective action and collaboration.” The consortium framework intends to leverage innovation and efficiency by gathering private sector leaders in a given subject area to provide solutions for government needs in a manner that is generally unconstrained by acquisition laws and regulations.
The basic structure of a consortium consists of a broad pool of vendors, who the government solicits for proposed solutions in a particular subject area, such as IT goods and services. The government will communicate its needs to the consortium contractors, who then submit proposals or white papers to the procuring government body by whom an award is made. The final piece of the consortium structure is a management company that organizes the flow of information between the government and the consortium contractors.
A primary benefit of the OTA consortium framework is that it provides a flexible and expedited avenue for acquisitions. For example, on average, the Army’s consortium makes an award in less than two months from the first communication between the government and a consortium member. In addition to being a flexible and efficient acquisition technique, the lack of regulation and ease of becoming a consortium member entices new companies to become members and compete for contracts. By enticing new companies to compete, the consortium framework provides a valuable opportunity to establish relations with companies that would not normally consider a standard government contract.
For example, an Army consortium requires prospective consortium contractors to complete a one-page online form and pay an annual $500 fee, which is the typical process for joining many consortia. The decreased barriers to entry along with the other benefits of the consortium framework have led to a remarkable increase in the number of consortia, growing from one in 2000 to over thirty today. Additionally, OTA consortia have come to account for nearly sixty percent of the DoD’s OTA spending, which equated to nearly $4.68 billion in FY 2019.
An early example of the benefits and success of the consortium framework can be seen through the United States’ re-establishment of itself as a major presence in the semiconductor industry in an incredibly quick time frame. In the 1980s, the United States’ share of semiconductors fell below fifty percent, which became a significant concern for the government. In response, a group of semiconductor manufacturers lobbied Congress for funding and ultimately formed the Semiconductor Manufacturing Technology consortium (Semtech). Within five years of Semtech’s formation, the United States regained a solid footing in the semiconductor market, “securing both the economy and the nation’s defense posture.” By leveraging the efficiency and innovation of the OTA consortium framework, the United States may be able to secure the nation’s defense posture in cyberspace.
Overall, the establishment of the consortium framework is an incredibly useful and ingenious development to come from the OTA. The framework leverages the innovation that comes from communication and collaboration between public and private sector entities and expedites the acquisition process by exploiting the deregulation provided by the OTA. Due to its formation under the OTA, the consortium framework does not promote traditional acquisition policies, such as transparency, and is limited to the scope afforded to OTs. However, even with their several drawbacks, OTA consortia are highly effective and provide a highly promising framework that should be expanded upon.
Since the entire federal government is under constant cyberattack, both civilian and military agencies need to benefit from the streamlined processes afforded by the OTA consortium framework (also referred to as the “consortium framework”) for an effective government-wide cyber-defense to take hold. The consortium framework has been shown to be an effective and innovative acquisition technique that allows for a wide array of entities to compete for contracts, minimizes administrative costs, alleviates burdens created by the FAR, and significantly expedites the acquisition process. Given the efficiency and other benefits of the consortium framework, it is the most effective mechanism to enact a truly expedited IT acquisition process, so long as it is tailored to suit the entire federal government. Therefore, Congress should adopt the OTA consortium framework and create a similar IT consortium available to the entire federal government.
The basic construct of this government-wide IT consortium (also referred to as the “IT consortium”) would mirror the OTA consortia already established. Essentially, the IT consortium would be an association of numerous parties dedicated to pooling their resources to produce innovative solutions needed to create an effective government-wide cyber-defense. The IT consortium would provide a platform for agencies and contractors to communicate concerning current IT developments and threats, encourage collaboration on methods to implement the latest IT developments, and allow agencies to procure needed IT in a highly expedited manner.
The idea is to leverage both the private and public sectors’ experience and expertise with IT by combining their efforts to identify and address cybersecurity threats. As the consortium members interact with the changing cyber-landscape, they will be able to inform each other of newly identified threats, technologies, and methods of cybersecurity. Utilizing this shared information, the consortium contractors and government agencies can then work together to develop innovative IT solutions that can be quickly produced and acquired through the government-wide IT consortium.
When creating the IT consortium, it is imperative that Congress utilize similar regulations to those governing the OTA consortia. To put it bluntly, the IT consortium should not be constrained by the FAR. Understandably, granting OTA-like authority, being unconstrained by the FAR, to every federal agency is a drastic measure. However, the IT consortium’s sole intention is to truly expedite the IT acquisition process; retaining the same regulations that govern current IT acquisition techniques will be a useless endeavor. To create a truly effective government-wide cyber-defense, the government must “enthusiastically embrace risk-taking and the ‘need for speed’” in the realm of IT procurement. Adopting the OTA consortium framework and tailoring it for government-wide use will enable the entire federal government to procure needed IT in an effective time frame.
Additionally, Congress should eliminate the limitation placed on OTs requiring that acquisitions be utilized only for research, prototyping, and production. Surely, some acquisitions under the IT consortium will require novel research or production projects, but the essence of the IT consortium is to provide every federal agency with the capability to efficiently procure whatever IT is needed to enact an effective cyber-defense. Whether the IT be a commercial off-the-shelf product or the latest cutting-edge invention, federal agencies need to be able to procure it through the IT consortium. By limiting the IT consortium to research, prototypes, and production, the full potential of the IT consortium will not be realized.
To appropriately adapt the OTA regulatory framework into a government-wide IT consortium, legislators, IT experts, acquisition experts, agency officials, and contractors should collaborate on the IT consortium’s regulatory framework. The General Services Administration (GSA) should be tasked with organizing this collaboration. Once the collaborating parties have finalized the proposed regulatory framework, along with any other recommendations, GSA should submit a report to Congress outlining the proposed regulatory framework and any other relevant information pertaining to the creation of the IT consortium. Congress, affording great weight to GSA’s report, should then enact a regulatory framework that creates and governs the government-wide IT consortium.
The IT consortium will consist of three constituent bodies: federal agencies, consortium contractors, and a management company. The first constituent body will be comprised of all federal agencies that will be statutorily authorized to place orders through the IT consortium. This arrangement will allow the entire federal government to reap the benefits of the IT consortium and will better enable the enactment of an effective government-wide cyber-defense. The second constituent body will be comprised of contractors. The consortium contractors will consist of a wide array of private sector entities, ranging from major defense contractors to garage startups, and academic organizations. The barriers to becoming a consortium contractor should be low as the IT consortium is intended to attract contractors of varying sizes and capabilities. However, contractors will need to prove their ability to contribute to the development of IT to ensure that each contractor can provide valuable solutions. Similar to reviewing a contractor’s past performance, prospective contractors will need to demonstrate their ability to contribute meaningful solutions to the IT consortium before being accepted as a consortium contractor. To do this, contractors will be required to submit information that exemplifies their relevant expertise and capabilities, which the management company will evaluate to determine if the contractor is suitable for the consortium.
The last constituent body will consist of a management company. Hiring a management company, an independent third party, to manage consortia is a common and effective practice. The management company’s main role will be to facilitate organized and efficient communication between government agencies and consortium contractors. Because the IT consortium will be available to the entire federal government, significant amounts of information will be flowing through the consortium; therefore, a dedicated professional managerial company is needed to ensure organization and efficiency. As stated in the context of GWACs, having an intermediary in the acquisition process can inhibit efficiency. However, because the management company is a professional organization, solely dedicated to managing the organization of the IT consortium, there will not be the same issue as there is with GWACs.
An additional benefit of utilizing a management company is that it will help coordinate an effective government-wide cyber-defense. If several agencies have the same or similar needs, the management company can consolidate necessary acquisitions, reducing administrative burden and cost. Further, if similar needs are being submitted by numerous agencies, the management company can notify other agencies of these common needs and allow those other agencies to participate in the acquisition if needed.
The management company would also be perfectly situated to ensure accountability and compliance within the IT consortium. Since the management company will have access to all the information flowing through the consortium, the management company will be able to monitor the agencies’ compliance with the IT consortium’s regulations. If the management company learns of any abuse, it can inform the GSA or Congress, which can then take the appropriate punitive actions. Also, structuring the management company as a non-profit has proven to help assure the government that the management company is serving as an honest broker. Since the consortium framework does not place an emphasis on many of the traditional acquisition policy objectives, empowering the management company to ensure accountability and regulatory compliance is essential.
Because the OTA consortium framework eliminates many of the traditional acquisition regulations, abuse of the IT consortium is a major concern. To limit acquisitions for which the IT consortium can be used, the author recommends that the IT consortium be limited to acquisitions necessary to facilitate an effective government-wide cyber-defense. By limiting the consortium’s scope, agencies will only be able to use the consortium to acquire goods or services that are directly related to facilitating a government-wide cyber-defense, leaving other IT acquisitions to pre-existing, more traditional acquisition techniques. For example, acquisitions of computer monitors, word-processing software, printers, and other non-defense-related IT will still be fulfilled through traditional acquisition processes, such as GWACs and the Federal Supply Schedules, but the acquisition of cyber-defense related goods or services will be carried out through the IT consortium.
The main purpose of limiting the consortium’s scope is to ensure that agencies do not circumvent existing acquisition regulations for procurements not related to the government-wide cyber-defense. This requirement can be tailored as the consortium develops, but, as a starting point, the requirement will help to avoid abuse of the consortium framework.
As stated throughout this Note, the government needs to have the ability to efficiently procure effective solutions to address its most pressing cybersecurity concerns. To procure effective IT in an efficient time frame, the IT consortium will encourage participation among non-traditional contractors, shorten the time to award, enhance contractors’ understanding of acquisition goals, and provide agencies with ingenious solutions by promoting innovation.
First, by utilizing the combined ingenuity of a diverse array of contractors, the IT consortium can provide exceedingly effective solutions to the government’s most pressing cybersecurity needs. To achieve this result, the IT consortium will include a wide array of contractors by having low barriers to entry. Prospective contractors will only need to pay a small administrative fee and prove that they can provide innovative IT solutions in order to participate. The process by which contractors will prove that they can provide innovative IT solutions must be simple; the purpose is to ensure that qualified contractors are admitted into the consortium, not to limit acceptance to only contractors who have the ability and resources to complete a lengthy and confusing application. However, certain security measures, such as requiring contractor personnel to obtain security clearances, will be necessary as the information being shared within the IT consortium will be sensitive and likely classified. By combining the collective capabilities of a wide array of contractors, the IT consortium will provide solutions that would not have been provided under traditional acquisition techniques.
Second, the IT consortium will drastically reduce the time to award by adopting the OTA consortium’s regulatory framework. By adopting the OTA’s regulations, thus eliminating many of the FAR and the DFARS regulations, burdensome and ineffective acquisition requirements will be removed, allowing for a truly expedited acquisition process. The purpose of the IT consortium is to have consortium contractors provide solutions in far quicker time frames than can be achieved using traditional acquisition techniques. Eliminating many of the traditional acquisition regulations, and utilizing a management company, are key aspects designed to expedite the time to award.
This plan does not mean, however, that competition will be absent from the consortium framework. Each contractor will have the chance to submit a solution for any contract being solicited through the consortium. If an agency is soliciting for a large, time-intensive contract, traditional defense contractors will have the advantage. But smaller, non-traditional defense contractors will be encouraged to offer innovative solutions for portions of the contract. Therefore, by joining the two contractors as a team, the larger contractor can leverage innovative solutions provided by smaller contractors, while the smaller contractor will benefit from the administrative and managerial capabilities of the larger contractor.
Contracts will not be solely tailored for large, traditional contractors. Within the OTA consortia, smaller, non-traditional contractors have been providing highly innovative and effective solutions, competing with traditional contractors on many occasions. The OTA consortium framework is unique in that it creates competition among contractors but also creates opportunities for contractors to combine their respective expertise and provide a joint solution.
Next, the IT consortium will encourage agencies and contractors to actively communicate, which will allow contractors to have a better understanding of the goals and objectives of acquisitions. The IT consortium will ideally allow agencies and contractors to continually communicate as new developments in IT emerge or as new threats are identified. By forming a more interconnected public-private relationship, contractors will have a better understanding of what agencies are encountering in cyberspace, thereby allowing contractors to provide more effective solutions in a quicker time frame.
Granted, communicating federal agencies’ cyber-defense needs to a consortium of contractors presents significant security concerns. The Cybersecurity Maturity Model Certification (CMMC) will provide a basis for establishing security requirements when sharing information within the consortium. In addition, the author advocates that information security experts and individuals managing the existing OTA consortia collaborate during the IT consortium’s creation to establish a security framework that will ensure that information passing through the IT consortium is protected.
Finally, as was briefly discussed earlier in this Section, the IT consortium will ensure that the most innovative cybersecurity solutions are provided by limiting consortium membership to contractors that demonstrate an ability to produce innovative IT solutions. When a contractor applies to become a member of the consortium, the management company will assess the contractor’s relevant capabilities, determining whether the contractor possesses the capabilities to provide innovative IT solutions. Therefore, with only qualified contractors competing for the consortium’s contracts, only high-quality solutions will be proposed, increasing the probability for a successful procurement and the satisfaction of agencies’ needs.
Federal agencies will be able to acquire innovative IT in an effective time frame with a diverse array of contractors competing for the consortium’s contracts, a reduced time to award, an increased understanding of the goals for each acquisition, and consortium membership limited to contractors who demonstrate an ability to produce innovative solutions. As IT is rapidly evolving, the IT consortium framework provides the flexibility and expertise that the United States needs to remain a dominant force in cybersecurity. When a new cyberthreat or new technology is discovered, instead of having to dredge through the formal acquisition process, agencies would be able to consult the IT consortium and quickly develop an innovative solution, thereby staying at the forefront of cybersecurity.
The U.S. government’s cybersecurity is incredibly vulnerable. The IT that many agencies utilize is outdated and ill-equipped to handle the extraordinary number of cyberthreats that the United States faces daily. As exemplified by recent attacks, the cost that cyberattacks have on the United States is extreme: identities are stolen, innovation is stifled, and classified information is corrupted.
The U.S. government must immediately take meaningful action to begin the difficult process of building a reliable and effective government-wide cyber-defense. One of the first steps in this process is to revolutionize the way that federal agencies procure cybersecurity-related IT. The government must develop and implement a truly expedited, yet innovative, acquisition technique that can handle the needs of a government-wide cyber-defense. The OTA consortium framework—a mechanism that has proven to be an efficient and innovative acquisition technique—provides a viable option to meet these pressing national security concerns. By adapting the OTA consortium framework for government-wide applicability, federal agencies will have the ability to efficiently acquire innovative IT solutions needed to combat the growing number of cybersecurity threats. The risks of maintaining the status quo are too great, and the government must make this small step towards progress by taking one giant leap in federal contracting.