
GAO HIGH RISK REPORT ONLY SCRATCHES THE SURFACE ON WHY AGENCIES DON’T MEET CYBER STANDARDS

Cybersecurity and IT remain top concerns on the Government Accountability Office’s (GAO) biennial list of high-risk government programs. While this may come as a surprise to some, given the considerable rhetoric surrounding these issues, a closer look shows that government tech systems remain high-risk for a number of reasons. First, Congress fails to put its money where its mouth is. Agencies can’t get money in their own budgets to modernize IT, and strong Senate opposition has prevented the passage of a more generalized $1 billion boost to the IT Modernization Fund. Second, any experienced IT contractor will tell you that there can be a huge gulf between IT system security directives and how agencies actually go about acquiring IT equipment. Perhaps the best example of this is agency use of eBay to acquire the old equipment agencies need in order to run current systems, regardless of supply chain directives. Agencies turn to eBay, with all of its myriad risks, because new parts for existing solutions are no longer available. Again, lack of funding prevents real modernization. Third, some agencies also look requirements right in the eye and blink. It’s simply “too costly” to buy compliant equipment, regardless of whether there are secure supply chain or other security directives. Besides, the contractor has to certify, right? Pushing off requirements on contractors is a time-honored, if incomplete, way to try to ensure cyber compliance. Contractors that have compliant solutions and actually obtain proper certifications can be at a disadvantage in the market. These companies need to let OMB and Congress know what they see “in the trenches”. Only when Congress gets serious about funding and OMB provides appropriate oversight can we expect to see cybersecurity no longer be a “high-risk” area in government.

THREE THINGS TO NEVER ASSUME WHEN DOING GOVERNMENT BUSINESS

There’s a great line from the old movie “Desk Set” where Spencer Tracy quizzes Katharine Hepburn on some early version of an aptitude test. Tracy’s character says to “never assume” circumstances that aren’t actually made clear. So it is with government business. Here are three things contractors should never assume as they approach the federal market:

1. Don’t assume that your federal prospect knows anything about your product or service. This is true even if your solution has an established commercial market footprint. Federal officials are approached every day by contractors trying to sell everything from copier paper to drones. Make sure your target knows what you’re talking about and why looking at your solution is worth their time.

2. Don’t assume that your customer knows about certifications and other qualifiers contractors are supposed to have. If we’ve learned anything lately, it’s that federal customer knowledge of FedRAMP requirements, secure supply chain mandates, and best value directives is highly uneven. It’s not enough to say that your solution meets “Section 508” standards. Spell it out. Provide some background on what that is and why federal agencies have to buy 508-compliant technology. Expect pushback, too. While you may know that federal agencies are supposed to buy FedRAMP-authorized cloud solutions, more than one federal buyer has looked the other way. Don’t take it personally.

3. Don’t assume that your customer knows how to buy from you. Make sure your sales team has the latest information on how to buy from the GSA Schedule, the NASA SEWP contract, or even how to make a micro-purchase. Customers can have their favorite way of buying, and if your solution is outside their comfort zone, it’s vital that you provide the information they need to buy from you correctly through the vehicle that is the best fit.

Federal agency customers have a mission to meet and are often focused on that, not on how to buy the solutions they need to support that mission. Make sure you know how that part of the puzzle fits. Hepburn, by the way, aced the test.

DEEP DEFENSE CUTS MAY NOT BE IN PLAY

“Arbitrary reductions would not be the right way to go,” said Senate Armed Services Committee Chair Jack Reed (D-RI) last week, when asked whether he expected deep cuts in Pentagon spending as an offset to pandemic funding. He prefers to examine proposals made by Pentagon leaders first, to see what weapons programs and other cuts they recommend. Reed, and other Congress watchers, also point out that any steep defense cuts would require Republican support given the 50-50 split in the Senate and the razor-thin Democratic majority in the House. This could all be good news for contractors that sell anything from professional services to products to DOD customers. Many companies have expected substantial cuts to programs as the new Congress looked for ways to balance defense spending with civilian agency priorities. Contractors that have been planning for flat DOD spending may be well-positioned to continue doing business if such forecasts prove accurate. Where defense money ends up is still far from certain, despite Reed’s statements and those made in late 2020 by his House counterpart Adam Smith (D-WA). At least one member wants further cuts to so-called “4th estate” DOD civilian workers. Neither party, however, wants to be seen as weak on defense spending with the growing international presence of China and Russia. Defense spending may not increase as it has, but most companies should continue to find good opportunities throughout the agency.

STREAM OF EXECUTIVE ORDERS MAY CAUSE MARKET CONFUSION

Recently issued Executive Orders on everything from “Made in America”, to secure supply chains, payment of fair wages, and more may have government contractors and their customers wondering what will change, when changes will be implemented, and what they will be. Indeed, if your company hasn’t been paying attention to the string of orders that have the potential to impact procurement, you are behind the curve. See the list here: https://www.federalregister.gov/presidential-documents/executive-orders/joe-biden/2021. This is a particularly important time for contractors to be aware of what’s happened so far, and what has yet to happen. You can’t always take your customer’s word for it, either, as they may be as confused as you are. The bottom line is that no real changes have yet taken effect and likely won’t for several months. The Biden Administration implemented a 60-day moratorium on new regulations that runs through March 20th. Provisions of Executive Orders (EOs) need to be turned into rules before becoming effective. Those rules will fill in details on the “how” factor on such issues as whether the Buy American Act exception for COTS IT remains in place, supply chain requirements, and other policy directives more broadly covered in an order. At least one company we know has been asked by a customer to certify that it meets a new EO standard. No company can do this yet, however, because there is no new regulatory standard to meet. Make sure you know the difference between what has been proposed and what has actually been implemented. Watch this space and watch modifications to your contracts to understand how your company will be impacted. Remember, too, whether a contract modification is sent to implement a policy change or some other matter, NEVER sign and return it without reading and understanding it first.

JUSTICE DEPARTMENT OFFICIALS INDICATE POSSIBLE USE OF FCA ON CYBER, CMMC COMPLIANCE

Some readers believe that we exaggerate the risks of contract non-compliance. We wrote recently about the potential for the Department of Justice to use the False Claims Act to pursue contractor culpability when supplying compromised SolarWinds solutions. We could see your eyes rolling from here. The Department of Justice helpfully backed us up last week, though, by sending a warning to government contractors that it will be turning up the False Claims Act heat on cybersecurity fraud. Acting Assistant Attorney General Brian Boynton told the Federal Bar Association Qui Tam Conference this week that it is not difficult to imagine a situation where False Claims Act liability may arise, given what the government pays for systems or services that are supposed to comply with required cybersecurity standards. The bottom line: if your company provides a cybersecurity system that fails to meet stated federal requirements, or attests to a cyber standard that it does not meet, DOJ could pursue a False Claims Act case against you. Boynton went on to say that cybersecurity was one of six key priorities for the civil division when it comes to the False Claims Act. Contractors are on notice to ensure that they comply with any cyber standards included in an RFP or RFQ and that their company meets cyber-related standards such as CMMC. The cost of an FCA investigation starts at seven figures and can easily reach the mid-eight-figure level, not including potential suspension or debarment. Keep that in mind when your company contemplates whether to spend six figures on a cyber compliance system. Conversely, if your company does meet required standards and your competitors do not, you now have a powerful tool that should give you an advantage. If a government customer still goes ahead and makes an award to a non-compliant company, a whistleblower case you file can add to your bottom line.