DOD addressing 'obstacle course' of impediments holding back work with cybersecurity startups

John Sherman, Department of Defense Chief Information Officer, participates in a virtual panel, April 15, 2021. (DoD photo by Chad J. McNeeley)

Deputy Secretary of Defense Kathleen Hicks has tasked top Pentagon IT and acquisition officials to find and root out obstacles that are keeping startups and other small companies from scaling and sustaining innovative technologies when working with the Department of Defense, according to CIO John Sherman.

Hicks directed Sherman’s office to partner with the undersecretaries of acquisition and sustainment and research and engineering, Chief Digital and AI Officer Craig Martell, and others to look for “all the kind of ‘stop-sticks’ … that hit you along the way” when small, innovative companies try to move from piloting a technology capability to fielding it at a large scale with the department, Sherman said during a podcast interview with a program called “Progress, Potential, and Possibilities.”

Those “stop-sticks,” as Sherman refers to them, lead to what is well known in the defense space as the “valley of death” — the phenomenon where the Pentagon’s bureaucratic, often slow-moving acquisition system can stifle successful innovative pilots from moving forward into production.

Sherman said he’s working with Ron Moultrie, undersecretary of defense for intelligence and security, to address impediments to the “security and cybersecurity portfolio piece” of DOD’s innovation ecosystem that may hinder companies from doing successful work with the department.

DOD’s Cybersecurity Maturity Model Certification (CMMC) program — the forthcoming rule that requires all contractors that handle the department’s controlled unclassified information to be certified to do so or risk losing their opportunity to bid on contracts — falls under that, Sherman said. Many small companies have expressed concern that CMMC will put such onerous requirements on them that they will be forced to stop working with the DOD.

That security portfolio also includes other things “like accrediting compartment intelligence rooms and facilities and how long it takes to accredit software,” Sherman said, referring to the federal government’s often criticized and arduous process for software companies to earn authorities to operate.

The essence of what the department is trying to do is “listening to the companies that say, ‘Look, you’re making it too hard for us,’ particularly small and medium businesses — and also the large big primes — but those startups, those innovators, to not make this such an obstacle course where they just kind of run out of gas and say: ‘Look, we had a thing that was going to help you on this mission set. But we just ran out of gas here along the way, or ran out of funding.’” Sherman explained.

There’s still a lot of work to be done in this space, he noted.

“I’ll be honest with you, we have not solved this. And I think a lot of your listeners and others would argue we still have a ways to go. But I want them to know we get it. We’re working it,” Sherman said.

“There are roughly — I’ve heard different numbers — but up to 300,000 companies in the U.S. defense industrial base. Think about that, 300,000 — everything from a five-person company to those that employ hundreds of thousands. And we need to be able to draw on that innovation from all of them to provide that qualitative edge that our warfighters are going to need,” he added.