Fixing Defense Innovation: Rewriting Acquisition and Security Regulations


It has become fashionable to lament the Department of Defense’s innovation challenges. It is true that complex weapons systems like advanced fighters take decades to develop, but the government’s bureaucracy has stifled innovation and made even routine purchases for office furniture difficult and cumbersome. The Pentagon has struggled to buy and adapt commercial cloud technology and integrate artificial intelligence, and many commentators fear that America’s best and brightest have little inclination to work in national security.

During the Cold War, the Department of Defense fed the private sector with innovative technologies like the Internet, the global positioning system, and even LED lights, and it quickly developed and fielded new weapon systems. In the 1950s, the Air Force fielded six new models of fighter aircraft in less than a decade. Today, the United States’ most modern fighter, the F-35, simultaneously exists in squadrons around the world, on the assembly line, and in the Smithsonian. Where has the Pentagon’s innovation prowess gone? 

Congress, the White House, and the Pentagon have each contributed to these innovation challenges in recent decades. At the height of the Cold War, Congress and the White House permitted processes that allowed the rapid purchase and fielding of industry-developed weapon systems and emphasized user-testing over the lengthy formulation of requirements documents. However, over the last 40 years, Congress and the executive branch have introduced various measures to bring the defense acquisition and contracting process under heel, standardize contracting procedures, bolster testing and evaluation, increase industrial and cyber security, and rigorously systematize the requirements process.



In a little over two decades, the U.S. government created the Federal Acquisition Regulation (1983), Competition in Contracting Act (1984), National Industrial Security Program (1993), Federal Information Security Management Act (2002), and Joint Capability Integration and Development System (2003). While each of these policies addressed contemporary problems, and some reflected incremental changes, the collective weight of these regulations, processes, and laws have created many of the hurdles that constrain defense innovation today. 

If Congress and the executive branch want to reduce these hurdles, then they should rewrite acquisition regulations and laws to emphasize speed and flexibility over cost control, increase opportunities for nontraditional contractors to gain clearances to work with the Department of Defense, modernize antiquated cybersecurity practices, and make the Pentagon’s requirements process more iterative and agile by continually integrating user feedback.

The Compliance Labyrinth 

In 1980, the U.S. government had over 64,000 pages of procurement regulations in effect. Despite efforts at reform, the complexity of these processes still serve as a barrier to entry for small businesses and inhibit the government’s rapid procurement of goods and services. It can take a contracting officer 3 months and a 47-page solicitation to buy 12 sofas. Imagine the paperwork for an aircraft carrier.

The Department of Defense also has burdensome security protocols, some of which are mandated by law, and others are self-imposed. In 2002, Congress passed the Federal Information Security Management Act, which required the adoption of agency-wide information security programs. The Federal Information Security Management Act has its merits. It tasked federal agencies with developing system-wide security plans and created government-wide security standards. However, its implementation has led to lengthy, outdated security practices. For example, government agencies must submit hundreds of pages of security documentation before they install new software on government networks. Lt. Gen. John Morrison, the Army’s chief information officer, summed it up when he said officials spend 80 percent of their time just getting the paperwork right. 

Collectively, the accumulation of acquisition and security laws and regulations over the past four decades has caused procurement officials and their industry partners to devote increasing amounts of time and resources to compliance rather than acquiring, developing, and buying the best weapons. It has also stifled innovation because small businesses and nontraditional contractors do not have the resources or desire to meet compliance obligations and choose not to compete for contracts. In 1984, Congress passed the Competition in Contracting Act to ensure robust competition for federal contracts, but the competitive practices established by it and related legislation have had the opposite effect. A large number of the reforms implemented over the last 40 years to streamline contracting, make it fairer, and prevent cost overruns now reduce competition and have become anchors on America’s defense innovation base.

Cuttings Anchors on Defense Innovation

Many of Congress’ attempts to expedite acquisition so far have consisted of “work arounds” that allow the Department of Defense to enter into some contracts without following existing regulations. While these contracting authorities have some benefits, broader changes are needed to make accelerated contracting the rule, not the exception.

Congress, the Department of Defense, and industry should cooperatively work together to completely overhaul acquisition regulations and laws in a way that emphasizes speed and flexibility as much as fairness, transparency, and cost control. In the 2016 National Defense Authorization, Congress created the “Section 809 Panel” to provide suggestions to streamline acquisition regulations and laws. This 16-member panel of acquisition experts made over 90 recommendations to improve defense acquisition, but Congress has only implemented roughly a quarter of the suggestions. Many of the most impactful policy changes remain undone.

Under the Joint Capability Integration and Development System, it can take from one to five years to develop requirements for weapon systems. That’s unacceptable at today’s rate of technological change. To address this, the military services should adopt an iterative procurement process that prioritizes flexibility, user feedback, and experimentation in alignment with commercial best practices. 

For example,  a recent Pentagon Inspector General report claims that the Army “risks wasting” nearly $22 billion on developing an augmented reality goggle that makes some soldiers ill with their use. In a more agile system, the goggles would have been sent directly to the soldiers as they were tested, and then the soldiers’ feedback would be used to make changes far earlier in the process. This approach would reduce wasteful spending, better align equipment acquisition with user needs, and speed up acquisition by reducing frivolous system requirements.

Making it easier to navigate the security bureaucracy, like updating the requirements process, is equally important to ensuring the Department of Defense has the latest technology. At present, software developers must seek approval to upload software to every department network individually. This process is cumbersome and requires duplicative paperwork and onerous restrictions. There is also a straightforward fix: Congress should direct the Department of Defense to standardize its software accreditation procedures and offer automatic reciprocity between the hundreds of department networks in existence. The duplication of paperwork required now doesn’t make networks any more secure. It wastes money and elongates the time it takes to get our military the software it needs. 

Moreover, the Department of Defense should accelerate the adoption of development environments and cultures that integrate security and operations at all stages of software development  and continuous-authority to operate security processes, which require active and automated cybersecurity protocols. Software in commercial products, like the iPhone or the Tesla, is updated and delivered continuously. The Department of Defense should not continue to rely on an industrial age model of software procurement, security reviews, and updates at set intervals if it wants to receive the benefits of software as a service, cloud computing, or machine learning. 

The Department of Defense also needs to help ensure that the defense industry continues to attract new, innovative entrants. At present, many firms struggle to do business with the Pentagon because they cannot gain facility clearances to work on classified contracts. This is a classic chicken and egg problem. Firms can’t win classified contracts without a security clearance, but they can’t apply for a clearance until they’ve received a classified contract award. This restriction creates a strong barrier to entry to competing for many Department of Defense contracts. Even large and well-funded heavyweight defense startups can struggle to gain a facility clearance. If the Pentagon wants to take advantage of the private sector’s increasing investments in research and development, and its engineering talent, it needs to provide firms additional opportunities to apply for facility clearances and compete for contracts.

The Department of Defense’s culture plays an instrumental role in its ability to innovate, but regulations and processes both reflect and perpetuate this culture. The most talented contracting and acquisition officers in the Pentagon can employ the Federal Acquisition Regulation in an agile manner to procure and produce weapons of war, but what about the other 90%?  They live within the confines of existing processes and the resulting career incentives these processes have created. 

Taking Action

If the United States wants to enrich defense innovation, it should do the hard work of rebalancing the laws and regulations that govern the Department of Defense’s willingness to take risks during the development of next-generation weapon systems, software, and technology. I am not advocating for more commissions on reform. There have been numerous reports and studies on acquisition reform over the past five decades but little implementation. The Department of Defense’s acquisition and security processes remain cumbersome and difficult to navigate. 

Congress and the executive branch cannot call on the Department of Defense to take the risks necessary to innovate if they will not take risks themselves. Rather than wait for yet another panel of experts to offer tomes of suggestions, legislators and officials should re-write and revise acquisition laws and regulations now, assess impacts, and iterate until outcomes match expectations. It is difficult to foresee the impact of policy changes on complex systems, and it is for this very reason that legislative and regulatory experimentation must occur. While there is risk in this approach, it pales in comparison to the geopolitical risk of allowing a peer competitor, like China, to maintain an edge in the weapons acquisition and procurement cycle. 

Policymaking is a game of tradeoffs and the balancing of risks. The U.S. government’s compliance-centric mindset to acquisition minimizes the risk of fraud and cost overruns at the expense of agility. To contend with China’s rise and Russia’s aggression, the executive and legislative branches should work with the Department of Defense to rebalance its incentives, regulations, and laws toward innovation.



Jules “Jay” Hurst is an Army strategist. He currently serves as an Army congressional fellow and previously worked on the Algorithmic Warfare Cross-Functional Team (Project Maven). 

The views expressed are those of the author and do not necessarily reflect the official policy or position of the Department of the Army, Department of Defense, or U.S. government.

Image: Department of Defense