Accelerating Cyber Acquisitions: Introducing a Time-Driven Approach to Manage Risk with Less Delay

The highly dynamic nature of the cyber domain demands that cyber operators are capable of rapidly evolving and adapting with exquisite timing. These forces, in turn, pressure acquisition specialists to accoutre cyber warfighters to keep pace with both cyber domain advancement and adversary progression. However, in the Department of Defense (DoD), a vigorous tug of war exists between time and risk pressures. Risk reduction is a crucial element of managing any complex enterprise and this is particularly true for the DoD and its acquisition program [1]. This risk aversion comes at significant cost, as obsolescence by risk minimization is a real phenomenon in DoD acquisition programs and significantly limits the adaptability of its operational cyber forces. Our previous research generated three recommendations for reforming policy to deliver performance at the “speed of relevance” [3]. In this paper we focus on one of the recommendations: “Manage rather than avoid risk—especially time-based risks”. While this advice can apply to many areas of human endeavor, it has elevated urgency in cyberspace. Incomplete risk metrics lead to overly conservative acquisition efforts that imperil timely procurement of advanced cyber capabilities and repel innovators. Effective cyber defense operations require acquisition risk models to be extended beyond fiscal and technical risk metrics of performance, to include risks associated with the cost of failing to meet immediate mission requirements. This paper proposes a time-shifting approach to simultaneously (a) accelerate capability delivery while maintaining traditional rigor, and (b) achieve optimal balance between fiscal, performance, and time risks.