How To Use the NDAA Pages

Back to NDAA Contents

TITLE VIII--ACQUISITION POLICY, ACQUISITION MANAGEMENT, AND RELATED MATTERS

Subtitle A--Acquisition Policy and Management

P. L. 114-

House Conference Report. 114-270

(1) IN GENERAL.—The Commander of the United States Cyber Command shall be responsible for, and shall have the authority to conduct, the following acquisition activities:

(A) Development and acquisition of cyber operations-peculiar equipment and capabilities.

(B) Acquisition and sustainment of cyber capability-peculiar equipment, capabilities, and services.

(2) ACQUISITION FUNCTIONS.—Subject to the authority, direction, and control of the Secretary of Defense, the Commander shall have authority to exercise the functions of the head of an agency under chapter 137 of title 10, United States Code.

(b) Command acquisition executive.—

(1) IN GENERAL.—The staff of the Commander shall include a command acquisition executive, who shall be responsible for the overall supervision of acquisition matters for the United States Cyber Command. The command acquisition executive shall have the authority—

(A) to negotiate memoranda of agreement with the military departments and Department of Defense components to carry out the acquisition of equipment, capabilities, and services described in subsection (a)(1) on behalf of the Command;

(B) to supervise the acquisition of equipment, capabilities, and services described in subsection (a)(1);

(C) to represent the Command in discussions with the military departments regarding acquisition programs for which the Command is a customer; and

(D) to work with the military departments to ensure that the Command is appropriately represented in any joint working group or integrated product team regarding acquisition programs for which the Command is a customer.

(2) DELIVERY OF ACQUISITION SOLUTIONS.—The command acquisition executive of the United States Cyber Command shall be—

(A) responsible to the Commander for rapidly delivering acquisition solutions to meet validated cyber operations-peculiar requirements;

(B) subordinate to the defense acquisition executive in matters of acquisition;

(C) subject to the same oversight as the service acquisition executives; and

(D) included on the distribution list for acquisition directives and instructions of the Department of Defense.

(c) Acquisition personnel.—

(1) IN GENERAL.—The Secretary of Defense shall provide the United States Cyber Command with the personnel or funding equivalent to ten full-time equivalent personnel to support the Commander in fulfilling the acquisition responsibilities provided for under this section with experience in—

(A) program acquisition;

(B) the Joint Capabilities Integration and Development System Process;

(C) program management;

(D) system engineering; and

(E) costing.

(2) EXISTING PERSONNEL.—The personnel provided under this subsection shall be provided from among the existing personnel of the Department of Defense.

(d) Budget.—In addition to the activities of a combatant command for which funding may be requested under section 166 of title 10, United States Code, the budget proposal of the United States Cyber Command shall include requests for funding for—

(1) development and acquisition of cyber operations-peculiar equipment; and

(2) acquisition and sustainment of other capabilities or services that are peculiar to cyber operations activities.

(e) Cyber Operations Procurement Fund.—In exercising the authority granted in subsection (a), the Commander may not obligate or expend more than $75,000,000 out of the funds made available in each fiscal year from 2016 through 2021 to support acquisition activities provided for under this section.

(f) Rule of construction regarding intelligence and special activities.—Nothing in this section shall be construed to constitute authority to conduct any activity which, if carried out as an intelligence activity by the Department of Defense, would require a notice to the Select Committee on Intelligence of the Senate and the Permanent Select Committee on Intelligence of the House of Representatives under title V of the National Security Act of 1947 (50 U.S.C. 3091 et seq.).

(g) Implementation plan required.—The authority granted in subsection (a) shall become effective 30 days after the date on which the Secretary of Defense provides to the congressional defense committees a plan for implementation of those authorities under subsection (a). The plan shall include the following:

(1) A Department of Defense definition of—

(A) cyber operations-peculiar equipment and capabilities; and

(B) cyber capability-peculiar equipment, capabilities, and services.

(2) Summaries of the components to be negotiated in the memorandum of agreements with the military departments and other Department of Defense components to carry out the development, acquisition, and sustainment of equipment, capabilities, and services described in subparagraphs (A) and (B) of subsection (a)(1).

(3) Memorandum of agreement negotiation and approval timelines.

(4) Plan for oversight of the command acquisition executive established in subsection (b).

(5) Assessment of the acquisition workforce needs of the United States Cyber Command to support the authority in subsection (a) until 2021.

(6) Other matters as appropriate.

(h) Annual end-of-year assessment.—Each year, the Cyber Investment Management Board shall review and assess the acquisition activities of the United States Cyber Command, including contracting and acquisition documentation, for the previous fiscal year, and provide any recommendations or feedback to the acquisition executive of Cyber Command.

(i) Sunset.—

(1) IN GENERAL.—The authority under this section shall terminate on September 30, 2021.

(2) LIMITATION ON DURATION OF ACQUISITIONS.—The authority under this section does not include major defense acquisition programs, major automated information system programs, or acquisitions of foundational infrastructure or software architectures the duration of which is expected to last more than five years.

The House bill contained no similar provision.

The House recedes with an amendment that would clarify that the Commander of CYBERCOM may obligate and expend up to $75.0 million of the funds made available for each fiscal year from 2016 through 2021. The amendment would add a requirement for an implementation plan, the review of programs being acquired under this authority by the Cyber Investment Management Board, and an annual end of year assessment. The amendment would also make a number of technical and conforming edits.

The conferees believe the Commander of CYBERCOM should utilize this limited acquisition authority to fulfill cyber operations-peculiar and cyber capability-peculiar requirements the services are unable to meet to ensure the Department of Defense is adequately postured to defend and respond to cyber threats. The conferees maintain that this limited authority should not be construed to replace the acquisition responsibilities of the military services to fulfill their man, train and equip requirements. The conferees believe successful demonstration of these acquisition authorities will require implementation of memoranda of agreement with the military services to define enduring responsibilities and more explicit definition cyber operations-peculiar and cyber capability-peculiar requirements.

Senate Report 114-49 to accompany S. 1376 as it was reported out of the Senate Armed Services Committee.

Acquisition authority of the Commander of United States Cyber Command (sec. 807)

The committee recommends a provision that would authorize limited acquisition authority for the Commander of United States Cyber Command (CYBERCOM). The provision is modeled on the authority provided to the Commander of U.S. Special Operations Command, but is limited to the acquisition of non- major systems.

The provision would authorize the development and acquisition of cyber operations-peculiar equipment and capabilities and the acquisition of cyber capability-peculiar equipment, capabilities, and services. The provision would direct that the staff of the Commander include a command acquisition executive who would be responsible for the overall supervision of CYBERCOM acquisition matters. The command acquisition executive would also be responsible for negotiating memoranda of agreement with the military departments, supervising the acquisition of equipment, capabilities, and services, regardless of whether such acquisitions are carried out by the Command or a military department. The command acquisition executive would also be responsible for representing the Command in discussions with the military departments regarding acquisition programs for which the Command is a customer, and working with the military departments to ensure the Command is appropriately represented in discussions with the military departments and joint working groups or integrated product teams.

To support CYBERCOM in fulfilling its acquisition responsibilities, the provision would direct the Secretary of Defense to provide CYBERCOM with the personnel or funding equivalent to ten full-time equivalent personnel to CYBERCOM with experience in program acquisition, the Joint Capabilities Integration and Development System process, program management, system engineering, and costing. The personnel or funding equivalent provided would come from existing department resources. The provision would require the Department of Defense Office of Inspector General conduct internal audits and inspections of purchasing and contract actions. The provision would also establish a $75.0 million cyber operations procurement fund for each fiscal year from fiscal year 2016 through 2021 out of the funds made available in each fiscal year for defense-wide procurement. The provision would sunset on September 30, 2021.

The committee is concerned there is an urgent need for cyber capabilities that is not being fulfilled by the military services. Major investments to date have been heavily weighted towards network defense and network consolidation. For a variety of reasons, the services have failed to adequately prioritize funding in their budget requests for the development of cyber warfighting capabilities. According to the Commander of CYBERCOM in testimony before the committee on March 17, 2015, the Department of Defense is ``at a tipping point where we not only need to continue to build on the defensive capability, but we have got to broaden our capabilities to provide policy makers and operational commanders with a broader range of options.''

The committee is also concerned that traditional service- led acquisitions and existing acquisition statutes and regulations lack the flexibility, agility, and speed necessary to deliver cyber capabilities responsively enough to stay ahead of the rapidly evolving threat. According to the Commanding General of Marine Forces Cyberspace Command in testimony before the committee on April 14, 2015, ``current acquisition processes do not adequately support the delivery tempo required for emerging cyber solutions. The tempo at which emerging technologies must be acquired to meet cyberspace operational mandates is occurring at a much greater pace, which creates tension within the acquisition process.'' This provision would address these shortfalls by providing the Commander of CYBERCOM the limited ability to rapidly procure capabilities to meet the requirements the military services have been unable to meet thus far and are incapable of meeting in operationally relevant ways in the future.

The committee recognizes that CYBERCOM is a new organization that is still maturing and has little experience or expertise in systems acquisition. However, the committee also recognizes that few acquisition models across the DOD have demonstrated successes in acquiring cyber capabilities. The committee believes that if structured appropriately CYBERCOM has the unique opportunity to demonstrate and validate new acquisition approaches. The burden is on CYBERCOM and the Department as a whole to demonstrate that CYBERCOM can effectively exercise these acquisition authorities over the next five years.

There are a number of additional authorities in this title that would also improve the ability of the department to more rapidly acquire cyber capabilities. These include enhancements to commercial item, other transactions, and rapid acquisition authorities. Elsewhere in title XVI of this Act, the committee also recommends a provision that would direct the Secretary of Defense to designate within 90 days of the date of enactment an entity of the Department of Defense to be responsible for the acquisition of critical cyber capabilities to include: (1) The unified platform; (2) a persistent cyber training environment; and (3) a cyber situational awareness and battle management system. The committee believes that today department entities with existing acquisition experience are best suited for the development of larger foundational programs such as the unified platform. However, in the future the committee envisions the possibility of a shared acquisition approach where the traditional acquisition entities, in partnership with CYBERCOM, fund and develop foundational systems and service specific capabilities. CYBERCOM's acquisition role would be focused primarily on meeting joint cyber operations-peculiar and cyber capability-peculiar requirements the services are unable to meet.