DLA Support for Performance Based Logistics Contracts

The Performance Based Logistics 2010 Conference was held last week in Arlington, VA. It made me think about how much defense logistics has changed over the last ten years.

Performance Based Logistics (PBL) goes beyond the traditional acquisition of contractor goods and services. Under PBL, the contractor guarantees performance and system capability against performance-based agreements declared between the Department of Defense (DOD) and the contractor.

Before PBL, defense contractors simply provided a product or service.  A contractor would develop a weapons system, for instance, and DOD would subsequently assume complete responsibility for its storage and maintenance.

DOD advocated PBL in the 2001 Quadrennial Defense Review and called for the evaluation of a PBL approach for all new acquisition programs and systems.

As a result, a defense contractor awarded a PBL contract for aviation services, for instance, is required to provide not just an aircraft but all the services, support, and maintenance required to keep that aircraft mission-ready for a specified period of time.

In many cases, however, the bulk purchasing capability of the Defense Logistics Agency (DLA) allows it to acquire common repair parts at a lower cost than individual PBL contractors can.

With the advent of PBL support contracts, DOD needed a way to let defense contractors purchase parts from DLA under their PBL contracts. The easiest way to support this was to give PBL contractors access to DOD EMALL. Using DOD EMALL, contractors can purchase repair parts directly from DLA, at lower cost to the government.

Today, Lockheed Martin, Boeing, Honeywell, and dozens of other defense contractors are participating in this DLA program.

As the primary developer of the DOD EMALL, Partnet is pleased to support this innovative strategic sourcing initiative.

How secure do we want to be?

This picture by Dustin Sacks shows the extreme measures one can take to feel secure. It is amusing that only one of the hundred or so locks actually anchors the bike to the bike rack. Government web pages need to be secure, but there are currently many, many different security practices, so many that the choice can be overwhelming. Some are important, while others are merely cosmetic and provide only a false sense of security. Some are not needed at all and may actually open the door to more attacks. Over-zealousness can leave you in the situation of the bike pictured above: lots of locks, very little real protection.

Low Hanging Fruit

Why climb up the tree for an apple if you can reach one from the ground? Removing the low-hanging fruit for attackers has to be the first priority. The OWASP Top 10 Risks list represents the current low-hanging fruit: if these risks are ignored, your site will be among the first to get hacked. For a development team, the CWE/SANS Top 25 Most Dangerous Software Errors list is more valuable and instructive, because it names the concrete coding mistakes behind those risks.

Regular training has helped Partnet uncover and resolve vulnerabilities in parts of DOD EMALL that were thought to be secure, and it has helped DOD EMALL stay ahead. Because of training on the OWASP Top 10, Partnet added protection against CSRF (cross-site request forgery) attacks nearly a year before those protections were required by the Application Security and Development STIG in May.
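The CSRF protection mentioned above is usually implemented with the synchronizer token pattern: every state-changing form carries a per-session secret that a page on another origin cannot read, and the server refuses any POST that does not echo it back. The following is an added example written for this page, not Partnet's or DOD EMALL's code. It assumes an in-memory session store and plain dictionaries standing in for a framework's request and form objects, and the item names and forged request are constructed for the demonstration.

```python
"""Synchronizer-token CSRF protection: a vulnerable handler beside its hardened form.

Assumptions (not from the page): SESSIONS is an in-memory stand-in for a
server-side session store, handlers take the session id from the cookie and
the parsed form body as a dict, and the 'item' values are constructed data.
"""
import hmac
import secrets

SESSIONS = {}  # session_id -> {"csrf_token": str, "orders": list}  (assumed store)


def new_session():
    """Create a session and mint one unguessable CSRF token for its lifetime."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "orders": []}
    return sid


def render_form(session_id):
    """Return the hidden field the server embeds in every state-changing form.
    Only a page served from this origin can read it back out of the DOM."""
    token = SESSIONS[session_id]["csrf_token"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def handle_post_unprotected(cookie_sid, form):
    """Vulnerable: trusts the session cookie alone.
    A form auto-submitted from an attacker's page is sent with the victim's
    cookie, so this handler cannot distinguish it from a legitimate request."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "no session"
    session["orders"].append(form["item"])
    return 200, "ordered"


def handle_post_protected(cookie_sid, form):
    """Hardened: require a form field equal to the per-session secret.
    The attacker cannot learn the token (same-origin policy), so the forged
    POST is rejected before any state changes. The comparison is constant-time
    and done on bytes so unexpected input cannot raise instead of failing closed."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "no session"
    submitted = str(form.get("csrf_token", "")).encode("utf-8")
    expected = session["csrf_token"].encode("utf-8")
    if not hmac.compare_digest(submitted, expected):
        return 403, "csrf token missing or invalid"
    session["orders"].append(form["item"])
    return 200, "ordered"


def demo():
    """Simulate a victim with a live session plus a forged cross-site POST.
    Returns the status codes so the outcome can be checked programmatically."""
    sid = new_session()
    # Legitimate request: the browser submits the form the server rendered,
    # so the hidden token field comes along with the cookie.
    token = render_form(sid).split('value="')[1].rstrip('">')
    legit = {"item": "legit-item", "csrf_token": token}
    # Forged request (constructed): the attacker's page can trigger the POST and
    # the browser attaches the victim's cookie, but the page never saw the token.
    forged = {"item": "forged-item"}
    return {
        "unprotected_forged": handle_post_unprotected(sid, forged)[0],
        "protected_forged": handle_post_protected(sid, forged)[0],
        "protected_legit": handle_post_protected(sid, legit)[0],
        "orders": list(SESSIONS[sid]["orders"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unprotected handler accepting the forged order (200) while the hardened one rejects it (403) and still accepts the genuine submission (200). In a real deployment the token is also checked on every non-idempotent endpoint, never on GET, and is rotated on login; checking the `Origin` or `Referer` header adds a second, independent layer.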

Adding Depth

A government website cannot be content with simply removing the low-hanging fruit. But with so many security activities to choose from, it is hard to know what to focus on next. For adding depth, the OpenSAMM (Software Assurance Maturity Model) project from OWASP provides that guidance. It arranges the best security practices into a maturity model, grouping 12 security practices under four business functions: Governance, Construction, Verification, […]