A recent Cyber Safety Review Board (CSRB) report on the shortcomings of Microsoft’s security standards is a great opportunity to start a serious discussion between government and industry on the price the government is willing to pay for a solution vs. the cost of providing what it actually wants.  The Microsoft story is just the latest example of where the government expects a lot more than it’s willing to pay for.  The CSRB report said, among other things, that “…security culture was inadequate…” at Microsoft.  Inadequate in that it didn’t meet the government’s expectations.  Ask just about any commercial item contractor, though, and you’ll hear the same story.  It is essentially this: “we’re happy to create the systems that the government needs if only they will pay for us to create and support it.”  FedRAMP is another great example.  Many DOD agencies insist that they need FedRAMP high, or better, even if the specific solution doesn’t seem to call for it.  Contractors with FedRAMP moderate are happy to build out systems that meet higher standards if their DOD customers will pay for it.  Most won’t, limiting competition to those few contractors that have no choice but to make the investment.  Not only does the reduced competition increase acquisition costs, but it also locks the government into paying for and maintaining systems with a higher level of security than may be needed.  Although there are many areas where similar scenarios regularly play out, the one getting the most attention today is cyber.  We’ve written extensively on the government’s cavalcade of cyber rules.  Cyber is a valid goal, but industry needs to do a better job in making it clear that what the government says it wants will come at a cost, a cost higher than comparable commercial systems that don’t require the same security levels.  It’s time for some open and honest discussions on this front. “What we have here is a failure to communicate” is no way to run government acquisition.