New DOD guidance on cybersecurity and the product lifecycle
Under Secretary of Defense Frank Kendall has just released implementation guidance for Better Buying Power 3.0 — Achieving Dominant Capabilities through Technical Excellence and Innovation. The directive is the latest iteration of an initiative first launched almost five years ago, “to increase the productivity, efficiency, and effectiveness of the Department of Defense’s many acquisition, technology, and logistics efforts.”
The most recent guidance, with its focus on technical excellence, comes at a time when, “The technological superiority of the United States is now being challenged by potential adversaries in ways not seen since the Cold War” (the observation is Kendall’s, and appears in the cover memo accompanying the detailed guidance).
Of special note is the portion of the guidance, beginning at page 5, which speaks to cybersecurity, and which rests on the following critical and well-articulated understanding: “All our efforts to improve technological superiority will be in vain if we do not provide effective cybersecurity throughout the product lifecycle.”
While emphasizing that systems and networks “must be resilient from cyber adversaries,” the document acknowledges that “much more needs to be done” in order to achieve that goal. Accordingly, BBP 3.0 seeks to “help to focus and accelerate DoD’s efforts to address planning, designing, developing, testing, manufacturing, and sustaining activities with cybersecurity constantly in mind.”
The document identifies several critical steps that are to be taken by DOD in support of these objectives, including new efforts to protect “unclassified controlled technical information”; identifying the “acquisition and technology programs most critical to enabling U.S. technological superiority in order to focus our cybersecurity and protection resources”; and efforts to “educate our workforce on the value and best practices for system security.”
This conceptual framework is both prudent and forward-thinking. It also aligns well with many of the ideas raised in the report we released six months ago, together with Northrop Grumman: Raising the Bar on Cybersecurity and Acquisition.
See here for a broader analysis of the DoD guidance as a whole.