How to Scale AI: The Key to Crossing from Pathfinder to Success

Nov. 13, 2024 | By Adam Stone

Military leaders see applications for artificial intelligence in everything from autonomous aircraft to logistics and cybersecurity. But scaling up from pilot programs to operational is proving to be a major hurdle.

Scaling AI “is very much about building a scaffold or a framework,” said Jay Meil, chief data scientist at SAIC. Narrowing down to “what problem are we actually going to solve” is the first step, he said. “Once we identify that problem, we need to come up with a defined quantitative outcome, and we also need to identify applicable data.”

Good foundational work will help break the problem down into components, and then approach those smaller challenges with the idea that they can be combined later on.

“You can build a small pilot to solve one of those small problems,” Meil said, and then combined pilots can be constructed with future scalability in mind. “You want to build the framework in such a way that it’s extensible and scalable.”

The architecture should be able to easily accommodate more computing capacity; more storage capacity; increased functionality; and expanded data sets. “You want to have very robust processing pipelines and compute pipelines in order to be able to scale it organically over time,” Meil said. Anticipating the potential for additional data or alternative uses of that data can be crucial to creating a path for growth.

Meil is working on a pilot effort for an Intelligence Community customer with exactly that in mind. “We’re building those frameworks and pipelines out so that when they’re ready, they can slowly add more scope, more data, and more scale to the program,” he said.

The mindset is to focus three steps ahead—to envision possible full-scale applications as they mature. And that means starting out with a question: Is AI really the right solution for a given problem?

Meil said he looks for several key markers in addressing the issue. Will AI make the operator’s work easier? Will AI accelerate the speed of decision? Can AI be leveraged in a repeatable way? Does using AI create a force multiplier? And is the relevant data needed to build an AI model available?

If the answers are yes, Meil said, then AI can indeed be “the answer.”

For organizations new to AI, a partner like SAIC can provide invaluable experience and insight to the challenge. “Our focus is to bring these orchestration tools, these workflows and these scaffolds or frameworks, to make this process easier—in a repeatable manner,” he said.

Sometimes the hardest part is a lack of historical data. “Especially when we’re dealing with mission data, we are going to have sparse data sets,” Meil said. “We’re not going to have a lot of information on particular EW signatures or cyber information or information about adversaries,” he said.

But that doesn’t mean AI can’t help. Synthetically generated data can fill the gaps, and AI can help with that. “With generative AI, you might see a new ship that the model has never seen before, and it can generate an answer based on everything that it has learned in the past about previous ships or previous samples,” he said.

Weaving data together to combine, for example, intelligence data and command and control data, is the next step. With data available in a single place, “machines can make decisions and help the warfighter, recommending courses of action,” Meil said.

Some applications may require data to be isolated, such as in combined operations overseas, when some data sources may be shared by one partner but can’t be shared with others. Understanding that requirement ahead of time is key, Meil said. “All of the data can be physically co-located…and logically separated,” he said. “If you and I are searching for the same things, but we have different access levels, we’re both able to access the information that we need.”

With appropriate tagging, that approach can also apply to applications and users with different levels of access. By building that in from the start, the AI application will be readily scalable, and the focus can be on the mission, where existing doctrine and decision-making guidance is already well established.

Building on established doctrine helps ensure AI is providing viable courses of action, and that the humans in the loop—the ultimate decision makers—are always in charge. “There’s no need to rewrite [the rules] around Artificial intelligence,” Meil said. “We train the models on the doctrine that is already in place, that people are comfortable with, to make decisions in similar ways. And we always keep that human on the loop.”

Could Military Orders Via Tweet Return In Trump’s Second Term?

Nov. 13, 2024 | By David Roza

When Donald Trump begins his second term as president in January, national security law experts predict he may return to his old habit of issuing orders to the military via social media, a practice which could cause confusion in the ranks as the relevant chains of command seek clarity to carry out the commander in chief’s intent.

During his first term, Trump used Twitter, now known as X, to signal policy decisions, often from the hip: a 2018 warning to fire “nice and new and ‘smart’” missiles at Syria surprised his aides and disrupted plans with U.S. allies. In 2017, he tweeted his decision to ban transgender troops from the military and in 2020 he tweeted that all U.S. troops would be out of Afghanistan by the end of the year.

In 2019, Trump also used Twitter to intervene in the case of Chief Petty Officer Eddie Gallagher—a Navy SEAL who had been convicted of posing for a photograph with the corpse of an Islamic State prisoner—telling the Navy to let Gallagher keep his Trident pin, the symbol of being a SEAL.

Trump’s tweets count as official statements of the president, the Department of Justice said in 2017, but Defense officials did not always jump to carry them out. For example, in the Gallagher case, then-Navy Secretary Richard Spencer told Trump he needed the Trident intervention in writing for it to count as an official order.

Even so, tweets from the commander in chief meet all the criteria for a military order, they’re just not the best way of issuing orders, argued Butch Bracknell, a retired Marine judge advocate and national security expert.

“If the President of the United States issues an order by tweet, and it’s a lawful order, and it’s heard and understood by the person to whom it’s directed, that’s the end of it,” Bracknell told Air & Space Forces Magazine. “It is legal but it is a terrible practice. In my view it puts a burden on the person receiving the order to clarify.”

Bracknell made a similar argument during Trump’s first term in a 2020 opinion piece for Task & Purpose. Under the Uniform Code of Military Justice, an order from the President counts as an order if it regards a subject within his or her jurisdiction, is lawful, is authentic, and gives comprehensible direction, Bracknell pointed out. Typically, orders are carefully written and distributed to avoid confusion.

“We want a rifle squad leader or a destroyer squadron commander to be clear about what he’s been tasked with doing, and that’s why we have a process,” he said. “There’s a science and an art to orders-writing, and we do it in order to reduce ambiguity so that people know what latitude they have to act.”

Doing so typically requires coordination and negotiation with the relevant parties, explained Scott Anderson, a fellow in governance studies at the Brookings Institution and a former legal advisor at the State Department.

“Usually commands go through a process of clarification, discussion, expansion by different people in the chain of command to clarify what the role is for the people implementing it several layers down,” he said. “So if the president authorizes the military to intervene in Iraq, for example, there’s a big coordinated effort to implement that.”

Careful coordination is particularly important in delicate national security situations, said Tony Johnson, president and CEO of the Truman National Security Project, who once served as an intelligence advisor to the deputy secretary of defense.

“We want to ensure there’s no misinterpretation, no bad signaling to allies and adversaries,” he said.

President Donald Trump speaks with Soldiers of the 1st Theater Sustainment Command Operational Command Post via video conference at Camp Arifjan, Kuwait, Dec. 24, 2019. (U.S. Army photo by Master Sgt. Jonathan Wiley)

Effects

But as thorough as the process may be, it is not legally required to transmit a lawful order.

“There’s no defined medium by which a commander in chief is required to give orders,” Anderson said. “There’s no requirement that they be in writing or of a particular type.”

What happens if the typical process is not followed? Social media posts usually lack the specificity for service members to execute without clarification, experts said, which means most troops will ask their chain of command for clarity before acting. The lack of specificity also means posts likely will not hold up in court if troops do not immediately act on them, Anderson said. But they can still cause confusion and make it more difficult for the president to achieve his goals.

“Does that mean there is not some risk of somebody down the chain of command doing something unexpected because they thought that’s what the president wanted? No, and that risk is exactly why this is a bad idea and the president shouldn’t do it,” he said. “The greater impact is simply stress, disarray, and confusion within the ranks, which ultimately makes it harder and less efficient for the people trying to do what the president wants to do.”

There would be even more confusion for orders that could be considered unlawful, such as striking cultural sites or using lethal force within the U.S.

Service members are not required to obey unlawful orders, but the bar for proving an order is unlawful can be very high, Anderson said. For example, a 2022 analysis by the Brennan Center for Justice, a law and policy research group, found that the Insurrection Act, which allows the president to deploy the military domestically in certain situations, “is dangerously overbroad and ripe for abuse.”

Last month, the chairman of the Senate Armed Services Committee, Sen. Jack Reed (D-R.I.) told reporters the Insurrection Act “could be improved significantly” and that the Posse Comitatus Act, which largely precludes federal military forces from acting as civilian law enforcement, is also in need of reform.

In 2020, Trump threatened via tweet to strike dozens of Iranian cultural sites, an act the Pentagon considered unlawful and refused to follow up on. Trump eventually dropped the matter, but if he were to insist on a similar case in the future, it would put the Defense Department in a difficult state.

“If the president persisted through the chain of command,” Anderson said, “then [service members] would hit the hard pressure: ‘are we confident this is unlawful enough that we don’t have to abide by it? And are we willing to risk our personal liberty on that, because we would be potentially charged in a court-martial.’ That’s a harder question.”

President Donald J. Trump talks with Col. Thomas Sherman, 88th Air Base Wing commander, Lt. Gen. Robert McMurry, Jr., Air Force Life Cycle Management Center commander, and Gen. Arnold W. Bunch Jr., Air Force Materiel Command commander, before getting into his vehicle after landing at Wright-Patterson Air Force Base, Ohio, Aug. 7, 2019. (U.S. Air Force photo by Wesley Farnsworth)

What to Do

It remains to be seen whether Trump will be as active on social media in his second term as president as he was in his first term. One complicating factor is Trump’s change of platforms. The president was banned from Twitter after the attack on the U.S. Capitol in January 2021, and while billionaire Elon Musk reinstated Trump’s account after buying Twitter in 2022, Trump said at the time that he preferred his new platform, Truth Social. Trump began tweeting again in August 2023, though by that point Musk had renamed the platform X.

In the days since his reelection, Trump has issued policy statements from X, which now allows paying subscribers to post up to 25,000 characters – far greater than the old limit of 280. Bracknell expects to see more orders-by-tweet or, more accurately, by X post, in the near future, because Trump has fewer constraints than he did in his first term.

“He doesn’t have to worry about electoral politics because he’s in his second term,” Bracknell said. “Second term presidents always have a lot more latitude because the political consequences are attenuated.”

But the risk of those posts sparking a conflict may be lower now because the U.S. has a smaller military footprint worldwide today than it did during Trump’s first term, Anderson said.

“Instead of targeting Iran or that kind of thing, it may be more about standards for [Diversity, Equity, and Inclusion] or other policies within DoD,” he said.

If service members do find themselves wondering whether they should act on a social media order from the president, the experts all offered similar advice: ask your chain of command.

“You have superior officers who are supposed to help you understand how to best do your job,” Anderson said. “If there’s any confusion, ambiguity, or anything seems unusual, check with your commanding officers to get clarification.”

Katherine Kuzminski, Deputy Director of Studies at the Center for a New American Security, offered that service members swear an oath to protect and defend the constitution, no matter who’s in office.

“That is part of the stability of what our professional all-volunteer force provides to the nation,” she said. “They don’t belong to a partisan community.”

USAF Will Withdraw A-10s from Final Overseas Base in Korea in 2025

Nov. 13, 2024 | By Greg Hadley

The U.S. Air Force will start withdrawing its A-10 aircraft from Osan Air Base, South Korea, the Thunderbolt II’s last overseas location, starting in January.

In a Nov. 12 release, the 7th Air Force said all 24 A-10s will depart Osan by the end of fiscal 2025—Sept. 30, 2024.

Meanwhile, the USAF F-16s on the peninsula will continue to receive avionics upgrades as part of the Post Block Integration Team (PoBIT) program.

The moves continue the Air Force’s push to tweak its force structure in Korea and the broader Pacific. In July, the 7th Air Force shifted F-16s from Kunsan Air Base to Osan to create a “super squadron” for a yearlong test on how to maximize combat effectiveness.

That month, the Pentagon also said the Air Force would bring in F-35 fighters to Misawa Air Base, Japan, and F-15EX fighters to Kadena Air Base, Japan. It will be the first time either fighter type will be based overseas in the Pacific.

“By introducing advanced fourth and fifth-generation aircraft like our upgraded F-16s along with F-35s and F-15EXs in the Pacific region, we are significantly enhancing our overall air combat capabilities in the Korean theater,” 7th Air Force commander Lt. Gen. David R. Iverson said in a statement.

Iverson did not say if the USAF would bring in new fighters to Korea to match the A-10s being phased out.

The U.S. has been flying A-10s in Korea since 1982, and the current iteration of the 25th Fighter Squadron stood up in 1993. In recent years, however, the Air Force has moved to retire its fleet of Warthogs, saying the legendary close air support aircraft is not suited for a potential high-end fight against adversaries like China or Russia.

Leaders have suggested every A-10 could be divested before the end of the decade, and the service has started identifying new missions for units and bases that host the A-10—the Maryland Air National Guard’s 175th Wing will transition to cyberspace operations, Moody Air Force Base in Georgia will get F-35s, and the Idaho Air National Guard’s 124th Fighter Wing will move to F-16s. One of the service’s main A-10 hubs, Davis Monthan Air Force Base, Ariz., is gaining the 492nd Special Operations Wing.

The retirements at Osan will end the A-10’s permanent presence in the Indo-Pacific region, and it marks the second Pacific USAF base to move on from older fighter/attack aircraft—Kadena is also phasing out its older C and D models of the F-15.

‘The United States Needs More Air Force’: Allvin Makes the Case for More Funding

Nov. 13, 2024 | By Chris Gordon

The Air Force’s top officer made a blunt case Nov. 13 for the service to get more funding so the nation can employ more effective airpower—and offered a preview of a coming force design to go with that funding.

“I think the United States of America needs more Air Force. I think we need more Air Force,” Chief of Staff Gen. David W. Allvin said at the inaugural Airpower Futures Forum hosted by AFA’s Mitchell Institute for Aerospace Studies. “I think we can see why. We can see what we can do with more Air Force, and I think we can provide some capabilities for the nation that we’re unable to now just because of how we are stressed. The force is stressed. And we’re still doing our very damn best.”

Allvin and other top officials outlined the service’s future force design, which the chief said is built around four attributes: lethality, survivability, mass, and connectivity.

The current Air Force is the smallest in history by aircraft inventory, and nuclear modernization is putting budgetary pressure on some of the service’s future programs, such as the crewed fighter of the Next-Generation Air Dominance program, which is in limbo and may be curtailed to keep costs down.

Allvin said the goal of the Air Force’s force design, which will outline capabilities needed for a 2030s timeframe, is to enable the service to continue “thinking about the change in the environment that we are experiencing, and how we need to ensure that our United States Air Force remains the most dominant force on the face of the planet.”

“It’s not going to happen as a birthright,” Allvin added. “We just can’t let it evolve on its own. We have to put work behind this. We have to put thought behind this.”

“It’s my job as Chief of Staff to advise our leadership on what I think that we should do with the Air Force we have, but also to be very clear about the things I think we need if we could have more Air Force,” Allvin said. “I think that’s something that this force design is going to suss out as us out as well, to be able to more clearly articulate: this is the value proposition that airpower has to our nation, and I think we’re fulfilling as much as we can within the resources that the American people give us.”

Allvin’s pitch for more funding comes amid speculation about how President-elect Donald Trump’s administration will approach the defense budget. Trump has said his foreign policy will be based on “peace through strength,” though incoming officials have not provided any details.

The Department of Defense is currently operating under the Fiscal Responsibility Act, which imposes a one percent annual growth cap for the defense budget in fiscal 2025 and could further limit overall government spending through 2029.

“My point is that if the American people gave us more resources for the United States Air Force, we could do more mission. And I am committed to making sure with whatever dollar that we get, this force design ensures that we put the most lethality, the most combat effectiveness, and the best air force we can put forward for the nation,” Allvin said. “That’s my job, while at the same time advising for areas that if we were working with more resources.”

Hegseth Tapped for Defense Secretary as Trump National Security Team Takes Shape

Nov. 12, 2024 | By John A. Tirpak

President-elect Donald Trump has named Pete Hegseth, a Fox News television commentator for the past eight years, as his choice for Secretary of Defense, rounding out a new cabinet-level national security team announced on Nov. 12.

Hegseth, 44, is an Army National Guard veteran who served in Afghanistan, Iraq, and Guantanamo Bay. He is the author of several politically-themed books, including “The War on Warriors” which contends that the U.S. military has been weakened by diversity and inclusion initiatives.

“The book reveals the leftwing betrayal of our Warriors, and our great Veterans,” Trump said in announcing the choice, saying Hegseth would be “a courageous and patriotic champion of our ‘Peace Through Strength’ policy.”

Other members of the Trump national security team, now announced, include Republican Rep. Mike Waltz of Florida as National Security Advisor; Rep. Elise Stefanik (R-N.Y.) as Ambassador to the United Nations; South Dakota Gov. Kristi Noem as Secretary of Homeland Security and John Ratcliffe, a former Representative from Texas, as head of the CIA. Florida Sen. Marco Rubio is expected to be nominated as Trump’s Secretary of State.

Hegseth graduated from Princeton University in 2003. He worked for Bear Stearns as an equity markets analyst but also took a commission in the Army National Guard. He was called up for service at Guantanamo Bay, Cuba in 2004, as a member of the Minnesota National Guard. He later volunteered for service in Iraq, where he was a platoon leader and a civil-military affairs officer. He received a Bronze Star and Combat Infantry Badge during his service in Iraq.

Capt. Peter Hegseth, Assistant Civil Affairs Officer, 3/187th Infantry Regiment, meets with Manmood Kalaf Ahmed, Mayor of Samarra, March 5, 2006. U.S. Army photo

He deployed again in 2012 to Afghanistan, again with the Minnesota Guard, teaching counterinsurgency techniques at a counterinsurgency school in Kabul. He received another Bronze Star during his Afghanistan service.

Hegseth worked for a number of conservative groups, including Vets for Freedom and the conservative-backed Concerned Veterans for America, which pushed for privatization of many Department of Veterans Affairs functions. During his first term, Trump considered Hegseth for the leadership of the VA.

On-air with Fox in 2020, in the wake of Iran’s firing of ballistic missiles at U.S. bases in Iraq, Hegseth urged Trump to bomb Iranian economic targets, as well as cultural sites if they were harboring weapons. He said U.S. and international laws against war crimes are “rigged” against American military success. The U.S. should “rewrite the rules” of war to gain an advantage, he said.

“With Pete at the helm, America’s enemies are on notice – Our Military will be Great Again, and America will Never Back Down,” Trump said in the announcement.

Waltz and Rubio have voiced strong support for countering and confronting Chinese aggression in the western Pacific, suggesting that the Biden Administration’s National Defense Strategy calling China America’s “pacing” military threat will not be fundamentally changed. However, Rubio has said that the war in Ukraine cannot be won by Ukraine, and that a negotiated settlement with Russia is necessary.

Air National Guardsman Teixeira Gets 15 Years for ‘Exceptionally Grave’ Leak

Nov. 12, 2024 | By David Roza

The Air National Guardsman who was arrested last year for sharing hundreds of top secret and classified documents to online chatrooms was sentenced to 15 years in federal prison on Nov. 12 after pleading guilty this March to six counts of willful retention and transmission of classified information relating to national defense.

Airman 1st Class Jack Teixeira was a cyber transport systems journeyman at the Massachusetts Air National Guard’s 102nd Intelligence Wing when he was arrested by the FBI on April 13, 2023. Over the past year, he had shared a trove of classified documents on the war in Ukraine, the Indo-Pacific and Middle East military theaters, and other sensitive subjects to a server on the online social platform Discord.

“Teixeira told the FBI he did this to boost his ego, impress his anonymous friends, and set the record straight about Russia’s invasion of Ukraine,” FBI Special Agent Jodi Cohen told reporters at a press conference on Nov. 12.

Joshua Levy, the acting U.S. Attorney for the District of Massachusetts, said that the government determined the information Teixeira leaked could cause “exceptionally grave damage to the United States.” The documents included information about troop movements and supplies in Ukraine and “a plot to kill Americans serving overseas by a foreign adversary,” he said.

“This conduct caused immediate operational damage and long-term enduring damage to our relationships with our allies [and] to our ability to gather information by revealing intelligence-gathering methods,” Levy added. “We won’t know the full extent of Jack Teixeira’s damage for several years.”

After Teixeira was arrested, Air Force Secretary Frank Kendall told lawmakers the department would review its security practices, conduct an Air Force Inspector General probe of the 102nd Intelligence Wing, and hold a stand-down for Airmen and Guardians for review their security practices and conduct training if needed.

“There is a full-court press going on about this,” Kendall told the Senate Appropriations defense subcommittee. “We are all disturbed about it, and we are working very, very hard to get to the bottom of it and take corrective action.”

A 45-day military-wide review found that the “overwhelming majority” of service members with access to classified information are trustworthy, but the Defense Department still needs to improve how it handles classified information by clarifying its regulations.

The 102nd Intelligence Wing was sidelined and not allowed to resume its mission until this May. The Air Force started disciplinary and administrative actions against 15 Airmen after an investigation found that Teixeira’s actions were enabled by a “lack of supervision.” The commander of the 102nd Intelligence Support Squadron and an administrative commander at Otis Air National Guard Base were suspended last year.

In March, Teixeira pleaded guilty to six counts of willful retention and transmission of classified information. Each charge carried a sentence of up to 10 years in prison, according to the U.S. Attorney’s Office for the District of Massachusetts, though the guilty plea likely played a role in reducing the sentence to 15 years total. Levy said the sentence will serve as a significant deterrence to would-be leakers.

“I expect that starting tomorrow, Jack Teixeira’s name will be mentioned when people are trained about the gravity of a top secret clearance and the consequences if you leak information,” he said.

The 22-year-old was regretful at the sentencing hearing.

“I wanted to say that I’m sorry for all of the harm that I’ve caused and wrought, to my friends, family and those overseas. I don’t think I can really sum up how contrite I am,” he said, according to the Washington Post. “I understand all of my responsibility and the consequences fall upon my shoulders.”

Teixeira is scheduled to face a military court-martial next spring.

US Strikes Iranian-Backed Groups in Syria After Attacks on American Troops

Nov. 12, 2024 | By Chris Gordon

The U.S. conducted strikes against Iranian-backed groups in Syria on Nov. 12 in response to a fresh spate of attacks on American personnel, the U.S. military announced.

It was the second series of strikes in two days.

U.S. military targeted an unspecified Iranian-backed militia group’s “weapons storage and logistics headquarters facility” in Syria on Nov. 12 in response to an attack on U.S. troops at Patrol Base Shaddadi, U.S. Central Command, which oversees American forces in the Middle East, said in a statement. No U.S. troops were injured, the command said.

The day before, the U.S. military conducted airstrikes on nine targets in two locations in Syria following “several attacks on U.S. personnel in Syria over the last 24 hours,” CENTCOM said in an earlier statement.

CENTCOM’s releases are the first time the U.S. military has acknowledged recent attacks on American forces by Iranian-supported militias.

Providing additional details, Pentagon Press Secretary Air Force Maj. Gen. Patrick S. Ryder told reporters Nov. 12. that U.S. troops were attacked twice in Syria at the Mission Support Site Green Village in northeast Syria on Nov. 10. He said there were no U.S. injuries as a result of the attacks.

“One attack consisted of a UAV. The second was indirect fire comprised of two rockets,” Ryder said. “We are going to protect our forces. We’re going to take the necessary steps to send a message, but importantly, as we’ve said before, we will reserve the right to respond in a time and place of our choosing.”

Some 900 U.S. troops are in Syria as part of the campaign to work with local partners to defeat the remnants of the Islamic State group. U.S. troops in Iraq and Syria have come under dozens of attacks from Iranian-backed militias, which has hindered U.S. troops’ ability to conduct operations against Islamic State militants.

“These strikes will degrade the Iranian-backed groups’ ability to plan and launch future attacks on U.S. and coalition forces who are in the region to conduct defeat-ISIS operations,” Ryder said.

The U.S.-backed coalition that is fighting the Islamic State group plans to wind up its operation by September 2025. At that point, the U.S. is planning to transition to a bilateral security arrangement with Iraq, where the U.S. currently has some 2,500 troops.

That arrangement would allow the U.S. to support its presence in Syria, where the U.S. works with local partner forces.

It remains to be seen what deployments President-elect Donald Trump might support. Trump wanted to pull all U.S. troops from Syria during his previous term in office before reversing course.

“Our message is clear. Attacks against U.S. and coalition partners in the region will not be tolerated,” CENTCOM commander Army Gen. Michael “Erik” Kurilla said in a statement on the strikes. “We will continue to take every step necessary to protect our personnel and coalition partners and respond to reckless attacks.”

Will DOD’s New Cybersecurity Program Stifle Small Businesses or Get Them to Tighten Up?

Nov. 12, 2024 | By Shaun Waterman

When Donna Huneycutt’s company, a woman-owned small business selling professional services to the Air National Guard, got its first really big contract, she made a decision: “We were going to get serious about cybersecurity.”

Following a slew of cyber intrusions by China against defense contractors, the Department of Defense was seeking to shore up cybersecurity standards in the defense industrial base. It was 2018 and an amendment had just come into force to DOD acquisition regulations. Contractors who handled unclassified but still sensitive data known as Controlled Unclassified Information or CUI had to comply with cybersecurity guidelines from the National Institute for Standards and Technology, or NIST.

Although there was no enforcement mechanism in the regulation, Huneycutt said her company WWC Global—which she sold to Command Holdings in 2022—had contracts with Special Operations Command and was doing work that involved access to CUI. So she decided to do the right thing.

“We spent about $1 million, taking into account all the labor hours,” to implement the 110 security controls listed in the NIST document, known as SP 800-171, Huneycutt told Air & Space Forces Magazine.

When they did so, she added, two things happened: “We had to put our prices up, and we found we were being hacked.” Security tools the company installed revealed executives’ phones were being attacked, although the NIST controls helped them identify and block the attacks, she recalled.

Huneycutt has sold her company, but that $1 million investment will finally begin to pay off for the new owners next year, when a long-delayed DOD enforcement mechanism, the Cybersecurity Maturity Model Certification program, or CMMC, starts to show up in DOD contracts. The department rolled out the first version during President Donald Trump’s administration in 2020, but the Biden administration rolled it back the following year for a revamp into two parts. The first part became final last month, and the second part will start to kick in next year.

Huneycutt said she hopes CMMC will help level the playing field for security-conscious contractors. “We were at a disadvantage,” she said of the years after her 2018 decision to get serious about the NIST controls. Her overhead was higher because of the costs of the security measures her company was implementing.

“We were competing with companies who were cheaper because they were less secure,” she said. “If you don’t enforce cybersecurity standards, you create a race to the bottom.”

CMMC will require contractors to validate their compliance with the security controls in NIST, albeit at different levels depending on their size and over the course of seven years:

Just over 103,000 companies will be required to self-attest their compliance with a set of 15 basic security controls for CMMC Level 1.

56,000 small businesses will need to get a third-party assessment of their compliance with the 110 NIST controls for CMMC Level 2.

Fewer than 1,500 businesses of all sizes, whose contracts deal with more sensitive data, will have their compliance with a beefed-up set of 134 security controls assessed by government audit teams under CMMC Level 3.

Huneycutt explained that for companies at Levels 2 and 3, there is a huge administrative burden involved in compliance with the NIST standards. “Every one of those 110 controls had to be written into a company policy,” with personnel to carry it out and a manager assigned responsibility, she said. Everybody had to be trained: “In my business, an hour of somebody’s labor has a dollar value to it. So for every hour that I required for cybersecurity training, that was an hour that I could not ask them to perform and get paid on my time and materials contracts,” she said.

Third-party assessment requires a major record-keeping effort, she added.

”You have to enforce internally, and you have to show that you’ve been enforcing and that you’ve managed situations where people deviated from the policy. All of this requires a tremendous amount of documentation, and therefore a tremendous amount of labor hours, overhead. … It just kind of never ends,” she said.

A wide range of industry associations echoed Huneycutt’s complaints, arguing that meeting the requirements CMMC imposes, depending on how they’re implemented, will impose an unreasonable burden on small businesses and will discourage exactly those contractors that the Air Force and other services want to encourage—small innovative companies at the cutting edge of new technologies.

“DOD itself has acknowledged that it has been hemorrhaging small businesses from the defense industrial base,” said Rachel Gray, the director of research and regulatory policy for the National Small Business Association. She cited DOD statistics that it lost 43 percent of its small business contractors between 2016-2022.

“This is only going to serve to further exacerbate that bleeding,” she said. DOD officials have acknowledged that cybersecurity compliance is a barrier to entry for smaller companies, she said. “We support a secure and strong defense industrial base, but there are ways in which CMMC can be implemented … which will ease the burden for smaller companies, who may not be as well resourced as their larger counterparts.”

ML Mackey is CEO of Beacon Interactive Systems, a small business which is digitizing Air Force flight lines and first became a military supplier through an SBIR contract. She told Air and Space Forces Magazine that, in addition to the cost and the administrative burden, companies could suffer a hit in productivity.

“You might have a commercial email provider and commercial security tools and that might seem—and be—perfectly reasonable to you. But now you might have to move to different providers, ones that are certified to DOD standards,” she said. “It’s like moving house, you still have somewhere to live but the disruption can be considerable.”

Any costs of the transition come out of hide, she said. “Once you’re on a contract, the cost of running your new infrastructure, that becomes part of your overhead cost and it’s allowable—the government will pay it. But that initial piece [buying and transitioning to the new infrastructure and other upfront costs of compliance] is not allowable, so it literally comes out of the pocket of the small business owner,” before they’ve seen the first dollar from a contract, she said.

Huneycutt said providing secure hardware and connections for a single desktop computer costs about $4,000 extra per year, and about $1,500 more for a phone, costs that mount as businesses scale.

CMMC requirements flow down from prime contractors to their subcontractors, so small businesses that are suppliers for large systems integrators have to comply as well.

Mackey said she wasn’t arguing for a free pass: “Industry should pay,” she said.

But depending on how the program is implemented and the burden of compliance is distributed, there might be unintended consequences from CMMC, if it discourages innovative commercial companies from trying to sell to DOD, Mackey explained.

“When all of a sudden we drop a new requirement that has a disproportionate weight on the bottom line of the exact companies whose participation we want to increase; the same companies that we’re having a massive decrease of participation by, then we need to change the model, right?” she said.

“No one is saying small businesses should get a free pass. Everything should be paid for. Business is business. We just need to match [the burden] to the cadence and the abilities of the players that we have on the field,” Mackey said.

She said that there were many ways that novel policy approaches could help square the circle for innovative small businesses.

One suggestion was DOD-provided regional resources—secure workspaces where small businesses can do their work in a CMMC-compliant way without requiring a large upfront investment, for instance on an initial SBIR contract. “They can come in and see what the water’s like, splash around, before they dive into the deep … meaning becoming fully CMMC-compliant,” she said.

She said the U.S. Small Business Administration office of innovation and invention was doing “really interesting work with the [DOD’s] Office of Strategic Capital. They’re looking at existing authorities SBA has for loans and other financial tools and how they can be brought to bear in ways that facilitate participation in the [defense industrial base].”

Mackey said those authorities could also be used to help innovative small businesses meet the upfront costs of CMMC compliance. “The ability to get a line of credit to finance CMMC implementation with an extended payback period, I think, would greatly reduce the barrier to entry.”

Ultimately, defenders of the CMMC say, businesses large and small are going to have to absorb the costs of compliance, because being cyber-secure is just a basic requirement of running a business.

Level 1, the self-attestation to a whittled down set of security controls for 103,000 companies requires “very basic” compliance, Kelley Kiernan, a veteran acquisition professional and now a professor at the Defense Acquisition University, told Air and Space Forces Magazine.

But for the 56,000 companies requiring CMMC Level 2, implementing the NIST security controls needs a professional approach and dedicated cybersecurity personnel, she said. They were “written by cyber engineers for cyber engineers and so you’re going to need a professional on your team [to implement it], and there’s no way around that,” Kiernan said.

“There are charlatans in the marketplace,” she added, warning against easy, off-the shelf, “do-it-yourself” solutions.

“If you needed gallbladder surgery, you wouldn’t do it yourself, you’d find a professional,” Kiernan said, “No one balks at hiring a lawyer or an accountant or a tax professional. Cybersecurity is a critical operating expense.”

“Without robust cybersecurity to protect your intellectual property, you’re not even going to have a business,” she warned, referring to the campaign of cyber-enabled theft of proprietary data and other digital valuables that officials have attributed to China.

“A U.S. small business could implement the NIST standard to protect their IP, even if they did not have a DOD contract,” she said.

“It’s time for small businesses to channel their pioneering insight that got them where they are and embrace their entrepreneurial savvy and change the paradigm to a new truth which says that robust cybersecurity is simply good business in the modern world,” she said, “And the new CMMC program seeks to certify that everybody’s ready to go.”

Editor’s Note: This story was updated Nov. 13 to correct an error in a quote attributed to Kelley Kiernan.

Fresh F-15E Fighters Arrive in Middle East to Replace Departing Jets

Nov. 12, 2024 | By Greg Hadley and Chris Gordon

F-15Es from the 492nd Fighter Squadron at RAF Lakenheath, U.K., have deployed to the Middle East, replacing Strike Eagles from Seymour Johnson Air Force Base, N.C., that recently wrapped up a rotation in the region.

U.S. Central Command noted the arrival of the Lakenheath F-15s on social media, and multiple officials confirmed the deployment to Air & Space Forces Magazine. On Nov. 1, the Pentagon announced it was sending additional forces to the Middle East to compensate for the upcoming departure of the USS Abraham Lincoln carrier strike group. U.S. officials previously told Air & Space Forces Magazine that the extra airpower would include F-15Es, but did not specify from where they would deploy.

The recently departed Seymour Johnson F-15Es first arrived in the Middle East in April, just before Iran launched a massive attack on Israel that included 300-plus one-way drones and missiles. Members of the 335th Fighter Squadron helped defend against that attack.

Then, in October, the “SJ” fighters had their deployment extended as the Pentagon sought to bolster its regional airpower following Israel’s killing of Lebanese Hezbollah’s leader Hassan Nasrallah, which led to Iran retaliating with a salvo of some 180 ballistic missiles.

A month later, those Airmen and fighters finally started returning home. Local spotters and flight trackers noted the F-15Es stopping over at Lakenheath on the way back. Several are still at the base in England.

Meanwhile, the Lakenheath jets are joining other F-15Es from Mountain Home Air Force Base, Idaho, in the Middle East. The 492nd Fighter Squadron arrives a year after its sister unit at Lakenheath, the 494th Fighter Squadron, first deployed to the region. The 494th also played a key role in repelling Iran’s April attack before returning in May after a seven-month deployment.

CENTCOM has significantly upped its airpower in recent months, deploying more F-16s, F-15s, and A-10s—plus KC-46 tankers—in October, then adding B-52 bombers earlier this month before the most recent F-15Es. These moves come as Israel considers how it will respond to Iran’s latest salvo and as U.S. officials stress their desire to avoid the conflict spiraling into a large-scale regional war.