The ability to secure federal data, networks, and assets depends on whether agency cyber leaders can get the technology they need. They must continually respond to well-resourced adversaries who keep changing their methods of attack. Because of the acquisition process, requests to upgrade existing cyber defenses or to acquire the tools that can keep pace with this constantly evolving threat environment can take months, if not years. During that time – from request to approval and deployment – critical systems and data remain vulnerable to a breach.
But is the acquisition process, or at least how agencies approach it, responsible for ongoing cyber vulnerabilities among federal agencies?
While this is a commonly heard argument around Washington, D.C., Kimberly Baker, Senior Vice President and GM Public Sector for RedSeal, believes that the acquisition process isn’t the obstacle to quickly bringing in new cybersecurity technology. “We don’t need any process or procedure changes,” she said. “Everything agencies need to operate quickly exists in the current acquisition policy and Federal Acquisition Regulation (FAR).”
While current regulations and processes can support speedy acquisitions, what does cause concern among agency IT leaders and procurement teams is uncertainty in funding. The recent history of budgets that are not approved at the beginning of the cycle forces agencies to rely on continuing resolutions (CRs) to keep the federal government running. The result is that “an agency needs to complete an annual acquisition cycle in a single quarter,” shared Baker.
To help offset these pressures, Baker noted that agencies are looking for alternatives to traditional technology purchasing — paying large sums upfront for new hardware and software. “There’s been a shift from perpetual software licensing, for example, to shorter terms and as-a-service procurements. These are classified as operating expenses rather than as capital investments.”
She explained that this shifts the risk to suppliers and encourages everyone to make sure value is truly being delivered. The hard part, though, is anticipating out-year costs. “When you go to a subscription or as-a-service model, you may need more capacity than you expected. Your real capacity need is 5X, but you only planned for 2X,” she noted. “So, there is a different set of things you need to plan for and build into your contract when you’re putting an as-a-service or subscription program in place.”
And there’s still one more option for investing in state-of-the-art cyber tools that will help stem the tide of attacks, Baker pointed out – the Technology Modernization Fund (TMF). “The TMF is a great resource for funding pilot programs that can be iterated and repeated multiple times across multiple agencies in short order.” However, Baker went on to note that it’s rare that you get to build something new from the ground up without addressing legacy technology, particularly when it comes to ensuring the safety and integrity of data and infrastructure. “TMF lets us focus on not just having a cool, whiz-bang plan for a new capability and technology, but also on how we can eliminate and shut down legacy systems in an orderly way.”
The challenge is that there is never enough money to fully modernize at an enterprise level. But, as Baker explained, “if the program office is smart about what they choose to invest in, they’ll identify projects with a strong ROI based on a solid business case, scoped to be completed within the agency’s fiscal year.”
Baker said that as agencies move through the phases of the Department of Homeland Security’s CDM program and need to upgrade infrastructure and integrate additional vulnerability management and incident response tools, for instance, agency cybersecurity leadership will want to work closely with their acquisition and contracting counterparts. “This combination of well-educated, forward-thinking acquisition and contracting leadership who are engaged with the major IT spending organizations – CIO or program level – will be able to execute quickly and deliver results no matter what obstacles – real or perceived – might be in the way,” she concluded.