If your small defense business has desirable technology that the government considers classified, you’ll need a secure workspace before you can secure government work. It’s a Catch-22 that Congress wants to alleviate.
The 2024 National Defense Authorization Act includes language from both the House and Senate meant to open up existing classified work-spaces to small businesses.
Building or gaining access to a government-approved secure workspace is a costly burden that adds to the already thorny problems defense startups face in getting security clearances for their employees and in getting their companies as a whole “covered” or cleared to work on classified projects.
Such hurdles curb or prevent innovative, potentially war-winning technologies and ideas from being embraced and applied by the Pentagon says Andrew “Scar” Van Timmeren, vice president of government solutions for Blue Force Technologies, a small North Carolina-based business which recently secured a contract to build prototype unmanned adversary training aircraft for the Air Force.
A former USAF F-22 pilot, Van Timmeren has seen the problem surface repeatedly among the cohort of defense startups traveling in the same circles as Blue Force, shutting them out of potentially meaningful contracts and contributions to national security.
“It’s remarkably easy for continued contracts to go to incumbents within the cleared [classified] space because of the time and effort it takes to increase the number of new businesses that have access to cleared [workspace].”
Van Timmeren cites an example wherein defense program managers are evaluating candidates to perform radar cross section survivability analysis of an aircraft. There’s already a cleared company with its own approved secure workspace. Another new firm may want to enter into that mix. But for DoD, “the easy button is to just go to the incumbent which may not be a small business.”
Setting up a secure workspace isn’t easy. Classified defense programs (and operations) require “sensitive compartmented information facility” (SCIF) or special access program facility (SAPF) workspaces for program participation. But building a SCIF is cost prohibitive for most small companies.
A 2020 “Report on Common Sensitive Compartmented Information Facility” from the Office of the Director of National Intelligence (ODNI) noted that SCIF certification is tied to specific contracts because “work done under each contract is different, so security professionals need to review the safeguards required for each specific situation.”
That costs the government and the small business money and time. It can take two years or more for a new small business to gain a Facility Security Clearance (FCL) – a determination made by the government that a contractor is eligible for access to classified information.
That time can also be consumed in the process of building a company SCIF and getting it approved or finding an approved space to use, a process that the ODNI report observes is often case by case. “The security measures appropriate for the information supporting one agency’s contract may be insufficient for another, or there may be different classified information technology system requirements.”
Van Timmern notes that there are existing SCIF/SAPF spaces at nearly all U.S. military bases (including USCG installations) that have at minimum a room or building with secret-cleared space. Higher classification-level workspaces can be harder to find but they exist in geographically-spread numbers as well.
Previous experience with such facilities led Blue Force’s VP to start thinking about the possibility of making greater use of them by granting defense startups access. Van Timmeren was also influenced by learning about DARPA’s BRIDGES program which aims to provide companies that demonstrate they can provide innovation and value to the DoD with the means to obtain a facility clearance and interact directly with DoD customers at classified levels.
The idea of opening existing secure facilities to sharing among a larger pool of private sector businesses, particularly small businesses, is not new. The Fiscal 2018 NDAA directed the Pentagon to develop processes for building multi-use SCIFs “to facilitate access for small business concerns and nontraditional defense contractors to affordable secure spaces.”
However, progress on this directive has been slow to non-existent. In 2022, the Intelligence and National Security Alliance – a professional organization for the intel community – argued for agencies to fund and certify shared SCIFs to give the cleared workforce more flexibility in where it could work.
Cost would seem to be what’s held up such an effort. Funding for government-built facilities is hard to come by and more of it is necessary when attempting to meet the security requirements of multiple agencies and contracts at one facility. ODNI also noted that the idea of neutral or common SCIFs “conflicts with multiple statutes and regulations”.
Arguably, ODNI has poured too much cold water on the shared SCIF/SAPF idea for the intel establishment or the broader defense community. “If we want to expand the defense industrial base, our SCIF/SAPF ecosystem should be seen as a shared space for those who need to use it,” Van Timmeren asserts.
Earlier this year he floated the idea past contacts in congress and, with pre-existing DARPA and industry influence, got some buy-in. The House version of the NDAA includes a “Report on Secure Spaces for Small Business” section which directs the Secretary of Defense to report to the House Armed Services Committee on feasible options for granting access to existing government-owned SCIF space to small companies that have already received an FCL.
An amendment to the Senate version of the NDAA (Section 849) requires the Secretary of Defense to waive some capability requirements for covered small businesses to bid on classified contracts and to waive requirements for startups to meet certain facility security standards after the award of a DoD contract.
If they’re adopted and if they go beyond mere “reports”, these measures could relieve some of the burden of building or finding SCIF/SAPF spaces where small firms can dig into work on classified projects. Ironically, the current lack of opportunity for small business access has given rise to… a small business.
Arlington, Virginia-based Nooks is seeking to offer flexible access to classified facilities and associated networks for use by industry and government partners, a so-called Classified-Spaces-as-a-Service arrangement whereby startups can subscribe for secure facility and computer terminal privileges at a number of nationwide locations.
Nooks will likely have to provide approved multi-use SCIFs to make its business case. Otherwise, startups whose project security details don’t align with the qualities of a particular Nooks-operated SCIF would have to look elsewhere in its network or outside the company.
But the notion of maximizing the return on underutilized SCIF/SAPF spaces and getting new firms into them remains a logical and attractive proposition. Had such an option been available when Blue Force Technologies first entered into classified work shortly following its founding, it may have been able to accelerate faster Van Timmeren says.
“We could probably have had earlier access to opportunities. Small businesses in general might have earlier contract opportunities if given access to such facilities.”
Along with the impact earlier contract opportunities could have on the Valley of Death problem faced by defense startups, finding shared secure workspaces for them could greatly enhance the pool of innovation and direct to warfighter throughput that can help the U.S. deter conflict.
“Many of the greatest challenges that we face in deterring or winning in a conflict are solved and protected under classified programs,” Van Timmeren observes. “Those who already have deep access to those programs have an incumbency of opportunity. It’s a clear barrier to small business. Disrupting that incumbency of opportunity is something that should be worked on.”
Read the full article here