Cybersecurity and IT remain top concerns
on the Government Accountability Office’s (GAO) biennial list of high-risk
While this may come as a surprise to some, given the considerable
rhetoric surrounding these issues, a closer look shows that government tech
systems remain high-risk for a number of reasons. First, Congress fails to put its money where
its mouth is. Agencies can’t get
money in their own budgets to modernize IT, and strong Senate opposition has
prevented the passage of a more generalized $1 billion boost to the IT
Modernization Fund. Second, any
experienced IT contractor will tell you that there can be a huge gulf between IT
system security directives and how agencies actually go about acquiring IT
equipment. Perhaps the best
example of this is agency use of E-Bay to acquire old equipment that agencies
need in order to run current systems, regardless of supply chain directives.
Agencies turn to E-Bay, with all of its myriad risks, because new parts for
existing solutions are no longer available.
Again, lack of funding prevents real modernization. Third, some agencies also look
requirements right in the eye and blink. It’s simply “too costly” to buy compliant
equipment, regardless of whether there are secure supply chain or other
security directives. Besides, the
contractor has to certify, right?
Pushing off requirements on contractors is a time-honored, if
incomplete, way to try and ensure cyber compliance. Contractors that have compliant
solutions and actually obtain proper certifications can be at a disadvantage in
the market. These companies need
to let OMB and Congress know what they see “in the trenches”. Only when Congress gets serious about funding
and OMB provides appropriate oversight can we expect to see cybersecurity no
longer be a “high-risk” area in government.
There’s a great line from the old movie “Desk Set” where
Spencer Tracy quizzes Katharine Hepburn on some early version of an aptitude
test. Tracy’s character says to
“never assume” circumstances that aren’t actually made clear. So it is with government business. Here are three things contractors should
never assume as they approach the federal market:

1. Don’t assume that your federal prospect knows anything about your product or service. This is true even if your solution has an established commercial market footprint. Federal officials are approached every day by contractors trying to sell everything from copier paper to drones. Make sure your target knows what you’re talking about and why looking at your solution is worth their time.

2. Don’t assume that your customer knows about certifications and other qualifiers contractors are supposed to have. If we’ve learned anything lately, it’s that federal customer knowledge of FedRAMP requirements, secure supply chain mandates, and best value directives is highly uneven. It’s not enough to say that your solution meets “Section 508” standards. Spell it out. Provide some background on what that is and why federal agencies have to buy 508-compliant technology. Expect pushback, too. While you may know that federal agencies are supposed to buy FedRAMP-ed cloud solutions, more than one federal buyer has looked the other way. Don’t take it personally.

3. Don’t assume that your customer knows how to buy from you. Make sure your sales team has the latest information on how to buy from the GSA Schedule, the NASA SEWP contract, or even how to make a micro-purchase. Customers can have their favorite way of buying, and if your solution is outside their comfort zone, it’s vital that you provide the information they need to buy from you correctly through the vehicle that is the best fit. Federal agency customers have a mission to meet and are often focused on that, not on how to buy the solutions they need to support that mission. Make sure you know how that part of the puzzle fits.

Hepburn, by the way, aced
“Arbitrary reductions would
not be the right way to go,”
said Senate Armed Services Committee Chair Jack Reed (D-RI) last week, when
asked whether he expected deep cuts in Pentagon spending as an offset to
pandemic funding. He prefers to examine
proposals made by Pentagon leaders first, to see what weapons programs and
other cuts they recommend. Reed, and
other Congress watchers, also point out that any steep defense cuts would
require Republican support given the 50-50 split in the Senate and the
razor-thin Democratic majority in the House. This could all be good news for contractors
that sell anything from professional services to products to DOD
customers. Many companies have expected
substantial cuts to programs as the new Congress looked for ways to balance
defense spending with civilian agency priorities. Contractors that have been planning for flat DOD spending may be well-positioned to
continue doing business if such forecasts prove accurate. Where defense money ends up is still far from
certain, despite Reed’s statements and those made in late 2020 by his House
counterpart Adam Smith (D-WA). At least
one member wants further cuts to so-called “4th estate” DOD civilian
workers. Neither party, however,
wants to be seen as weak on defense spending with the growing international
presence of China and Russia.
Defense spending may not increase as it has, but most companies should
continue to find good opportunities throughout the agency.
Recently-issued Executive Orders on everything from “Made in America”, to secure
supply chains, payment of fair wages, and more may have government
contractors and their customers wondering what will change, when changes will
be implemented, and what they will be. Indeed, if your company hasn’t
been paying attention to the string of orders that have the potential to impact
procurement, you are behind the curve. See the list here: https://www.federalregister.gov/presidential-documents/executive-orders/joe-biden/2021. This is a particularly important time
for contractors to be aware of what’s happened so far, and what has yet to
happen. You also can’t always
take your customer’s word for it, either, as they may be as confused as you
are. The bottom line is that no
real changes have yet to take effect and likely won’t for several months. The Biden Administration implemented a 60-day
moratorium on new regulations that runs through March 20th. Provisions of Executive Orders (EOs) need to
be turned into rules before becoming effective.
Those rules will fill in details on the “how” factor on such issues as
whether the Buy American Act exception for COTS IT remains in place, supply
chain requirements, and other policy directives more broadly covered in an
order. At least one company we know has
been asked by a customer to certify that it meets a new EO standard. No company can do this yet, however, because
there is no new regulatory standard to meet.
Make sure you know the difference between what has been proposed
and what has actually been implemented.
Watch this space and watch modifications to your contracts to understand
how your company will be impacted.
Remember, too, whether a contract modification is sent to implement a
policy change or some other matter, NEVER sign and return it without reading
and understanding it first.
Some readers believe that we exaggerate the risks of contract
non-compliance. We wrote recently about the
potential for the Department of Justice to use the False Claims Act to pursue
contractor culpability when supplying compromised SolarWinds solutions. We could see your eyes rolling from here. The Department of Justice helpfully
backed us up last week, though, by sending a warning to government contractors
that they will be turning up the False Claims Act heat on cybersecurity fraud.
Acting Assistant Attorney General Brian
Boynton told the Federal Bar Association Qui Tam Conference this week that it
is not difficult to imagine a situation where False Claims Act liability may
arise given what the government pays for systems or services that are supposed
to comply with required cybersecurity standards. The bottom line: If your company provides a cybersecurity system
that fails to meet stated federal requirements, or attests to a cyber standard
that it does not meet, DOJ could pursue a False Claims Act case against you. Boynton went on to say that cybersecurity was
one of six key priorities for the civil division when it comes to the False
Claims Act. Contractors are on notice to
ensure that they comply with any cyber standards included in an RFP or RFQ and
that their company meets cyber-related standards such as CMMC. The cost of an FCA investigation starts
at seven figures and can easily reach the mid-eight-figure range, not including potential
suspension or debarment. Keep
that in mind when your company contemplates whether to spend six figures on a
cyber compliance system.
Conversely, if your company does meet required standards and your
competitors do not, you now have a powerful tool that should give you an
advantage. If a government customer
still goes ahead and makes an award to a non-compliant company, a whistleblower
case you file can add to your bottom line.