Department of Defense Updates Its Instruction for Acquisitions of Software and Weapons Systems
On January 7, 2015, the U.S. Department of Defense (“DoD” or “the Department”) released an update for DoD Instruction 5000.02, on the “Operation of the Defense Acquisition Service.” The new Instruction is designed to assist acquisition personnel in tailoring the acquisition process to the specific item or system being purchased and to further the Department’s Better Buying Power initiative, launched in 2010. The Instruction focuses largely on the acquisition of DoD-specific software and weapons systems.
In the Memorandum accompanying the announcement, Frank Kendall, Under Secretary of Defense for Acquisition, Technology & Logistics, stated “this DoDI 5000.02 emphasizes tailoring of program structures, content, and decision points to the product being acquired.” To that end, the Instruction includes four models as “examples and starting points” to guide the Program Manager to create the best structure for any given procurement.
The four models are diagrammed along a timeline showing decision points as part of the acquisition process. The four models included vary depending on the item or system being purchased:
Model 1: Hardware Intensive Program. This model assumes a single, continuous acquisition or development process, from RFP through deployment, for either a single item or system or for multiple items or systems that would achieve full operational capacity at the same time. Model 1 is the classic “starting point for most military weapon systems” and has often been used for large defense-specific procurements.
Model 2: Defense Unique Software Intensive Program. This model envisions a single, continuous development process with incremental deployments of several planned software builds, which deploy subsets of the overall capacity and build towards a final integrated version. Model 2 best fits a complex, defense-specific software system that requires multiple software builds and testing phases before reaching full operational capacity.
Model 3: Incrementally Deployed Software Intensive Program. This model spreads the decision points along several continuums, including an initial, limited deployment followed by other interim deployments and incremental improvements or changes before reaching full deployment. Model 3 applies to software programs that are deployed piecemeal, as each new capability is developed in cycles. Such a model could also apply to software upgrades and could apply to Commercial-Off-The-Shelf software that can be acquired or adapted in a modular fashion.
Model 4: Accelerated Acquisition Program. This model anticipates a need for speed over everything else and includes fewer decision points before production and deployment. Model 4 applies “when schedule considerations dominate over cost and technical risk considerations.” This ultra-streamlined model is designed for “technological surprise by a potential adversary” and for procurements that must be filled in less than two years.
The Instruction also provides examples of Hybrid Models for systems that combine several of these categories. For example, complex weapons system hardware will likely include a software component. Whether the hardware or software dominates the system will determine how to combine Models 1 and 2, to create a hybrid decision model either Hybrid Model A (hardware-dominant) and Hybrid Model B (software-dominant).
In Models 1-3 and the Hybrid Models, there are multiple decision points before the release of an RFP, as well as later decisions about production and deployment. While the Instruction states that these models should be customized and tailored based on operational risk and urgency, the DoD wants to maintain several decision points and administrative hurdles before receiving proposals or committing public funds to a procurement (barring an immediate need).
While the Instruction focuses on the process of acquisitions, it also includes specific policies to address cybersecurity considerations, including one new requirement added in this update. The cybersecurity portion of the Instruction contains some of the same language as the previous version of DODI 5000.02—specific requirements to “document a strategy” and allocate resources for cybersecurity, to assess all systems for potential vulnerabilities, and to evaluate the item’s or system’s capability to “protect, detect, react, and restore” continuity of operation.
One change in cybersecurity in this Instruction is the specific requirement that “mission critical” systems, components, or functions require early “penetration testing from an emulated threat in an operationally realistic environment.” The less-determinate language of the earlier Instruction has been changed to clarify which types of systems require this testing.
Moreover, this Instruction adds a requirement for the Program Manager to “conduct periodic cybersecurity risk assessments” during the acquisition process. This new mandate emphasizes cybersecurity as a process that requires constant checking and updating to adjust to new threats. Contractors building software and weapons systems for the Government should be prepared for such periodic testing.
Finally, the covering Memorandum indicates that a new set of instructions on cybersecurity is in the works because the Department must better focus on “designing and managing cyber-security.”
Upcoming Legislative Changes
Under Secretary Kendall also suggests that legislative updates and changes to the acquisition process may be coming soon. He characterizes Better Buying Power as a program aiming for “continuous process improvement.” To that end, he states, the DoD is “working closely” with Congress on simplifying and rationalizing some of the “complex set of statutory requirements that have been levied on our managers over the past few decades.” He calls these acquisition requirements “burdensome and overlapping” and says he is “hopeful” that these requirements can be shortened and streamlined in the near future.
 Graphically, the four models remain similar to the November 26, 2013 version of DODI 5000.02.