
Why the Pentagon remains both the best and worst customer for tech innovators


The Pentagon does not lack for offices and programs that are designed to foster innovative technology and engage with cutting-edge ideas, whether internally or in the private sector. And yet, the struggle to penetrate the Department of Defense with big ideas remains real.

Consider a report issued last year by the Center for Security and Emerging Technology, which found that despite the myriad of offices defense officials stood up over the years around innovation, efforts have largely been disconnected from DoD’s procurement operations, limiting scope and impact. In particular, the report concluded that the military’s engagement with smaller companies and nontraditional tech vendors rarely amounted to more than “innovation tourism.”

Said authors Melissa Flagg and Jack Corrigan: “We find the military’s current approach to engaging with small tech companies, or nontraditional vendors, is more akin to innovation tourism — with the DoD sampling the local fare of the United States’ various tech hubs — than a bona fide strategy for bringing emerging technologies into the department.”

So what might move the needle of innovation, most notably in the area of cybersecurity? SC Media examined the good and bad of selling to the world's biggest buyer.

Pentagon innovation inroads, and obstacles

Of course, it's difficult to speak about innovation in DoD without referencing the work of the Defense Advanced Research Projects Agency. DARPA brings a 50-year history of developing novel technological solutions to government problems. But newer agencies like the Defense Innovation Unit were explicitly set up to tap into Silicon Valley’s ecosystem of tech startups.

Image from DARPA's Cyber Grand Challenge (CGC) Final Event—the world’s first all-machine cyber hacking tournament in 2016. (DARPA)

Katherine Gronberg, head of government services at NightDragon, a venture capital firm that invests in late-stage cybersecurity companies, said there is “a lot of nuance” to how the military approaches its innovation problem. Between entities like DARPA, DIU, In-Q-Tel and others, it’s clear that Pentagon leaders are on some level attuned to their innovation problem.

At the same time, she said it’s not clear that these programs have been able to make a broader impact on existing obstacles across the military when it comes to adopting cutting-edge tech.

“There has not been a comprehensive look at how we do rapid acquisition, speeding the way to adopt innovation,” Gronberg said in an interview.

Congress has also been left to wonder at times why military leaders keep requesting new programs designed to bridge the innovation gap in procurement while previously funded efforts have been underutilized. In a report on the 2023 defense authorization process, the Senate Appropriations Committee questioned why a new, $100 million fund was needed to enhance the department’s access to commercial technologies in light of existing programs and continued reports from the private sector about difficulties engaging with the DoD bureaucracy. It also encouraged the undersecretary of defense for research and engineering to coordinate more closely with offices like DIU to ensure those efforts are synchronized across the department.

“The Committee notes that the Department has existing outreach efforts designed to improve connectivity with the private sector and academia; however, the Committee continues to receive feedback from non-traditional and small businesses that barriers to entry remain high, and that the process for transitioning promising innovative commercial technologies to a program of record within the Department remains arduous and cumbersome,” the committee wrote this year.

A regulatory alternative

If repeating the same stale acquisition strategy over and over again while expecting new results is the definition of insanity, newer entities stood up within DoD have looked for ways to bypass the crazy.

The DIU, which began as an experimental project in 2015 before being established as a permanent office, is meant to be one of the military’s most direct answers to this problem. Based in Silicon Valley, DIU is specifically set up to bypass many of the bureaucratic and acquisition roadblocks that have plagued other parts of the department.

From the very beginning, DIU’s acquisition process is set up to be distinct from standard government or military buying protocols. Their solicitations are crafted more like problem statements that need solving, rather than the prescribed set of requirements and solutions that wind up in most federal bids. They typically stay open for two weeks, and companies that express interest are asked to submit a proposal that is no longer than five pages or 20 PowerPoint slides.

Cherissa Tamayori, director of acquisition and senior contracting official at DIU, said it is in part a conscious effort to avoid alienating smaller or nontraditional companies who may be unfamiliar, intimidated or put off by the massive paperwork requirements that often come with federal contracting.

“We’re really targeting the commercial market and the innovative ideas that come from that market space, so instead of telling you what we want and how we want you to do it, we basically propose a question and provide a lot of [space] for industry to come back to us with their best ideas,” said Tamayori in an interview. “Because of that, we really see a large response to a lot of our [procurements], where our process is highly competitive and that’s the intent. We really want to reach as many companies as we can because that basically opens up the opportunity for us to see that many more solutions.”

After consulting with partner agencies, DIU then invites a select number of companies to come give an in-person or virtual “Shark Tank” pitch, with companies asked to provide a model or live demonstration of their technologies. In the final phase, a team of representatives from the government and the final selected companies will collaborate together on a statement of work for the project.

This approach does bring an admirable number of new companies into the fold. According to figures provided by the agency, between June 2016 and September 2021, 33% of their contract awardees have been first-time DoD vendors; 86% are considered nontraditional and 73% are small businesses.

“You’d be surprised how many of the companies that we’ve never heard about who respond to solicitations actually get the award on the back end,” said Patrick Gould, deputy director of the DIU’s cyber portfolio.

The DIU has pushed out a slate of cybersecurity-related projects over the last year, and the cyber portfolio “specifically has gotten lucky” by tapping first-time federal sellers. Gould told SC Media in an interview that U.S. Cyber Command and NSA “have essentially been the main and the lead customer” of projects under his purview. Because of that, many are designed to align with the broader strategic objectives laid out by Gen. Paul Nakasone, who leads both agencies.

But other agencies have been able to tap the approximately 200-person strong organization for new security capabilities as well, including a $633,000 prototype software for asset inventory management developed by IntelliPeak Solutions for the Defense Information Systems Agency, and a $679,000 prototype platform developed by CounterCraft for the Air Force that creates sophisticated deception environments to detect malicious cyber activity and has already been tested in military wargames with national and NATO-level red teams.

“We try to make it as commercially friendly as possible, so we try to mirror what those vendors are seeing specifically in the security realm, like if any other CISO was coming to them and saying, ‘Hey, I want to use your capability,’” said Gould.

DIU is able to do this largely because of a once-obscure federal contracting process known as the other transaction authority. Originally designed to engage with smaller, nontraditional companies on research and development projects, OTAs allow government agencies to establish contracts and other agreements with the private sector and universities that are not subject to the Defense Federal Acquisition Regulations, or DFAR, which serve as the primary rules that dictate how contractors can be leveraged by DoD.

All DIU prototype contracts are awarded under this authority, and Tamayori said this not only allows for more freedom to set terms with the vendor during the procurement phase but also over the life of the contract. Because of this, small startups and non-contractors don’t have to completely overhaul their internal structure or mission in order to do business with DoD the way they would when pursuing traditional contracts.

“What this allows us to do is really be more flexible both throughout our process and while negotiating the final agreement. We are able to negotiate terms and conditions as well as data rates that could be more flexible than would otherwise be allowed if you were just issuing a solicitation” subject to FAR, she said.

A limited solution with limited reach

While offices like DIU have been able to see success with this more nimble and nontraditional approach, it still represents a small pocket of the approximately $130 billion the military spends on research, development, testing and evaluation, the pot of money that encompasses much of the new software and innovation that DoD buys and develops.

Indeed, while the work being done at places like DIU has found ways to break through the morass that is the status quo in defense procurement, these serve as anomalies. In order to fix DoD’s broader innovation problem, outside observers say those same processes must begin to permeate throughout the other branches and at the highest levels of leadership.

Last year Rep. Adam Smith, D-Wash., chair of the House Armed Services Committee, compared the marginalized role DIU currently plays in the larger defense technology ecosystem to the way Special Operations Command was ignored by Pentagon leadership in the years prior to the 9/11 attacks. SOCOM is now a central piece of the military’s global counterterrorism strategy, and Smith said a similar recognition could empower its technology procurement and innovation offices.

“We’ve got to start moving to get to the point where DIU and other organizations are as big as SOCOM, in terms of really driving how the Pentagon does business,” Smith said in comments captured by Defense Daily. 

But the procurement morass continues to get in the way. Time and again, critics both internal and external have questioned the Pentagon’s ability to purchase and implement innovative technologies fast enough to keep pace with industry standards and international competitors.

Last year Nicolas Chaillan, the first chief software officer for the U.S. Air Force, publicly resigned from his position, describing it as “probably the most challenging and infuriating [job] of my entire career.” He called out the DoD for failing to empower its IT and cybersecurity leaders, falling behind China and other world powers on technologies like artificial intelligence and paying lip service when it comes to tapping the private sector for innovation.

Staff Sgt. Wendell Myler, a cyber warfare operations journeyman assigned to the 175th Cyberspace Operations Group of the Maryland Air National Guard monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron. (U.S. Air Force photo by J.M. Eddins Jr.)

More recently Michael Brown, director of the Defense Innovation Unit, announced he will resign in September. In an interview with Breaking Defense, he cited similar concerns that his office and its mission have not received backing from key Pentagon leaders.

“I just don’t feel that we’re making the kind of progress that I’d like to see made. So I’m frustrated that we’re not achieving more, we’re not supported more. There’s not the agreement by leadership that this is a priority,” Brown said. “And so if that is the case, then you can’t accomplish what you believe should be accomplished. It’s really that simple.”

If DoD is going to successfully buy better technology and security tools, it will need to find similar ways to incorporate the approach offered by agencies like DIU. Gronberg said her company invests in later-stage security companies that are more mature than the average startup or small businesses, but even these companies are not set up to sell primarily to the government, and they can’t sustain or grow their business by dedicating the bulk of their resources and operations to contracting.

To use them more effectively, she said the Pentagon must evolve to find quicker entry paths into doing business with DoD that don’t bog down the ability of these businesses to sell to the commercial market. Otherwise many won’t be around for a second contract.

“It kind of comes back to this problem: can companies grow up and cross that valley of death? Can they grow big enough that they can scale, where they can actually deploy in more than just a pilot way at the DoD? The way you do that is to make sure that there is promise and prospecting and market and pipeline on the commercial side,” Gronberg said. “They go hand in hand.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
