Defense Agency Spending for Cybersecurity Using Other Transaction Agreements, FY 2021-2023

Published: May 29, 2024


Department of Defense agencies' spending on OTA contracts for cybersecurity has been growing strongly.

The Department of Defense (DoD) agencies and the military service branches continue to use Other Transaction Agreement (OTA) contracts to acquire and develop various information technology (IT) capabilities, including those to meet cybersecurity objectives. Over the last few weeks, I have looked at the Air Force’s use of OTAs for cybersecurity-related efforts as well as the Navy’s OTA use for cybersecurity. This week, I will continue the series by looking at the Defense Agencies.

Defense Agency Cybersecurity-Related OTA Spending, FY 2021-2023

The federal spending data for the most recent three completed fiscal years (FY) – FY 2021 through FY 2023 – reveals a wide degree of OTA usage among the four major DoD components. Compared to the military departments (MILDEPs), the Defense-wide agencies taken together fall behind the Army and the Air Force in their use of OTAs for cyber-related efforts, spending an aggregate $338M from FY 2021 through FY 2023.

Delving into Defense Agency OTA use for each fiscal year over the 3-year period shows some consistent yearly growth. After $45M in growth from FY 2021 to FY 2022, the Defense Agencies' aggregate spending on OTAs for cybersecurity efforts again grew by nearly $46M (+41%) from FY 2022 to FY 2023, to come in at $158M. That represents 134% growth in just two years.

Cybersecurity-Related OTA Spending by Defense Organization, FY 2021-2023

The FY 2021-2023 spending data shows that cyber-related work using OTAs among the Defense Agencies is highly concentrated within two organizations whose missions include developing new, innovative capabilities and technologies to support various defense-wide capacities and functions. However, several more DoD agencies and other organizations use OTAs for at least some of their cyber capability development, underscoring the attraction and accessibility of using OTA contracts.

More than ninety-one percent of recent Defense Agency spending on OTAs for cyber comes from two organizations – the Defense Information Systems Agency (DISA, 73%) and the Defense Advanced Research Projects Agency (DARPA, 18%). This generally fits with historical cyber OTA spending trends at these agencies.

The remaining 8.5% of OTA contracts for cyber-related efforts from FY 2021-2023 were spread among a variety of other DoD organizations: US Special Operations Command (SOCOM, 2.2%); Office of The Secretary of Defense (OSD, 2.0%); Undersecretary For Research & Engineering (USD(R&E), 1.8%); Washington Headquarters Service (WHS, 1.0%); National Security Agency (NSA, 0.7%); Defense Finance and Accounting Service (DFAS, 0.4%); Defense Intelligence Agency (DIA, 0.4%); Missile Defense Agency (MDA, 0.2%).

Defense Agency Cybersecurity-Related Efforts Using OTAs, FY 2021-2023

Below is a list of the Defense Agency efforts using OTAs that had cyber-elements for the past three fiscal years and reported spending for FY 2023, indicating the most recent activity. The amounts below are aggregate OTA spending from FY 2021 through FY 2023, with FY 2023-specific spending also noted.

  • Cloud Based Internet Isolation Service (DISA), $108M total, $51M (47%) in FY 2023
  • Thunderdome (DISA and WHS), $61M total, $44M (72%) in FY 2023; $60M at DISA, $43M in FY 2023, and $358K at WHS, all in FY 2023
  • Identity, Credentialing and Access Management (ICAM) Production OTA (DISA), $46M total, $21M (45%) in FY 2023. (DARPA spent $10M on a separate ICAM Prototype OTA in FY 2021.)
  • ABIL - AISS By Industry Leaders, Automatic Implementation of Secure Silicon (AISS) (DARPA), $28M total, $8M (28%) in FY 2023
  • Trebuchet in Response to the Data Protection in Virtual Environments (DPRIVE) BAA (DARPA), $11M total, $2.3M (20%) in FY 2023
  • Mobile Endpoint Protection Production (DISA), $8.6M total, $3.4M (43%) in FY 2023
  • TARDYS3 Production OTA For Sustainment of the Spectrum Scheduling System (S3) and the Interference Prevention, Detection, Resolution (IPDR) Capability (DISA), $7.4M total, $3.3M (44%) in FY 2023
  • Quantum Technologies For Threat Applications (USD(R&E)), $4.9M total, $384K (8%) in FY 2023
  • Prototyping of the Authentication, Verification and Integration Requirements of the GIG Eagle Platform (OSD), $4.8M total, $1.8M (38%) in FY 2023
  • Detect and Counteract Cyber-Social Operations in Supply Chain Ecosystems (DARPA), $3.5M total, $1.7M (48%) in FY 2023
  • Joint Cyber Warfare Experimentation Framework (JCWEF) (SOCOM), $3.4M total, $2.4M (72%) in FY 2023. (DARPA spent $961K on this OTA in FY 2022.)
  • Reverse Engineering of Deceptions (DARPA), $3M total, $1.8M (59%) in FY 2023.
  • Cyber Assured Systems Engineering (CASE) TA2/TA5 (DARPA), $2.8M total, $500K (18%) in FY 2023
  • Guaranteeing AI Robustness Against Deception (GARD) (DARPA), $2.5M total, $1.7M (69%) in FY 2023
  • DARPA I2O Harden (DARPA), $2.4M total, all in FY 2023
  • Quantum Resistant Cryptography Public Key Infrastructure (DISA), $2.3M total, all in FY 2023
  • OSS Ranger (DARPA), $2.3M total, $1.3M (57%) in FY 2023
  • Low SWaP Network Monitoring and Filtering (NSA), $2.2M total, all in FY 2023
  • Multi-Level Security and Data Federation Through Blockchain (OSD), $1.9M total, all in FY 2023
  • Robust Intelligence Pilot Demonstration (DFAS), $1.5M total, all in FY 2023
  • SBIR PH 2, End-To-End, Topic-Level Security for EGS Applications (USD(R&E)), $1.2M total, all in FY 2023
  • Real-Time Multi-Modal Measurements from Subcomponents for Late Stage Attack Detection/Mitigation (DARPA), $1.0M total, all in FY 2023
  • JFAC Prototype for Cloud-Hosted Assurance Tools [for] the Cybersecurity Community and Software Factory Ecosystem (WHS), $810K total, all in FY 2023
  • Secure Cloud Management Production (WHS), $704K total, $280K (40%) in FY 2023
  • Rapid Response Bug Bounty Prototype (WHS), $700K total, all in FY 2023
  • Mayhem [SW] with ForAllSecure (MDA), $515K total, $259K (50%) in FY 2023
  • Enhanced Protection of Information Capabilities (OSD), $162K total, all in FY 2023

Final Thoughts

As noted above, the use of OTA contracts by the Defense Agencies for cybersecurity-related efforts has been growing significantly over the last few years, even though their aggregate spending is less than other DoD components, i.e., the Army and Air Force. Further, looking at the robust growth of OTA use in FY 2023 combined with the wide variety of the various areas, capabilities and applications for which the agencies are using these contracts points to a demand for innovation, the urgency to develop new capabilities and the desire and willingness to use the flexible contracting options that OTAs offer.

The use of OTAs to develop greater operational cyber-capabilities addresses many of the “bread and butter” areas of cybersecurity, including identity/authentication, threat prevention/detection/response and data security. The OTAs for cyber-related work for cloud-based systems and environments cover both securing cloud deployment and leveraging cloud instances to bolster cybersecurity capabilities.

The OTAs listed above indicate the breadth of contract opportunities available for innovative solutions providers with rapid prototyping capacities. The data continues to support a trend of sustained use of cyber OTAs at the Defense Agencies going forward.

If you are interested in a perspective on the Defense Agencies’ use of OTAs for broader IT prototypes beyond cybersecurity, check out this recent article from my colleague, Alex Rossino.