Amid the aftermath of troubling cybersecurity breaches at various government agencies—including the Office of Personnel Management—the U.S. government and Congress have pushed for a major increase in government focus and spending on cyber protection.
To assess and strengthen federal networks and systems, the White House Office of Management and Budget (OMB) launched the Cybersecurity Strategy Implementation Plan (CSIP) in October 2015.
The CSIP focuses on five key areas:
- Identifying and protecting high-value assets and information
- Detecting and responding to incidents quickly
- Recovering from incidents and implementing lessons learned
- Building a robust cybersecurity workforce
- Efficiently and effectively acquiring and deploying existing and emerging technologies. 1
The influx of government focus and spending on cybersecurity generates immense opportunity for commercial information technology companies to increase their revenue by contracting with the government or working with existing prime contractors to provide cyber services.
Most notably, the Department of Homeland Security’s (DHS) $1 billion award to Raytheon at the end of last year marks one of the largest civilian cybersecurity orders in recent history. The contract, which will reportedly run for five to seven years, includes the development and support of cybersecurity protections for the DHS and its umbrella agencies.
Feeling the pressure
Increasingly prevalent cyber threats are squeezing private businesses and federal entities alike. Last year, the government revealed that hackers stole sensitive information from upwards of 21 million people—including every person given a government background check during the past 15 years—through a massive breach of government computer systems. A separate breach earlier in the year compromised the personal records of 4.2 million federal employees. Both attacks are believed to have originated from China.
The government must defend its information systems against a growing number of both individual and state-sponsored threats. Simultaneously, businesses working with the government must contend with increasingly tight standards around protecting and securing not only their own data and information systems but also those of their government customers in order to comply with newly imposed federal regulations.
As the government increases scrutiny and tightens regulations, its own data infrastructure is growing. The recently passed Cybersecurity Information Sharing Act (CISA), a historic bill designed to foster collaboration and sharing of cyber threat information between private industry, government and law enforcement, has implications for technology companies as well as federal entities. While the bill intends for a two-way flow of information, it has garnered attention for potential privacy risks to personal data if the government collects information on a cyber attack. The federal government faces a heightened need to protect not only its own data against attack, but also companies’ data and, potentially, consumers’ data, which might be collected as a result of this and other cyber-related legislation. The recent data encryption debate between Apple and the FBI illustrates the potential sensitivities that may arise.
Opening doors for cyber‑related contracting
There are a number of pathways that may allow companies to take advantage of the pipeline of emerging opportunities and participate as prime or subcontractors in targeted efforts to upgrade systems and protect various agencies’ information infrastructure. In his fiscal 2017 budget proposal to Congress, President Obama included a $19 billion cybersecurity request—which, if passed, would constitute a 35 percent increase in cyber spending over this year. The initiative calls for $3.1 billion for technology modernization at various federal agencies and $62 million to expand efforts to retain qualified cyber professionals.
As part of the proposed budget for fiscal year 2017, President Obama has allocated $14 billion in cybersecurity funding around a number of priorities, including securing federal networks with the Continuous Diagnostics & Mitigation (CDM) program, promoting research and development to expand agencies’ cybersecurity capabilities, and supporting long-term investment in cybersecurity. 3 Furthermore, the White House has asked Congress to take further legislative action to protect agencies’ cybersecurity with the 2015 Cybersecurity Legislation Proposal.
From a defense perspective, the National Defense Acquisition Act (NDAA) for fiscal year 2016, signed into law last November, could also revolutionize cyber acquisition and expand opportunity for contractors by giving U.S. Cyber Command the authority to acquire cyber tools it deems necessary to its mission. The NDAA also specifies that, in the event of a cyber attack, the Defense Secretary can appoint an official charged with awarding contracts to acquire supplies and services to mitigate an attack’s effects, ideally within 15 days. 4 Additionally, cleared defense contractors and “operationally critical” contractors have been provided with cybersecurity liability protections, provided the contractor is in compliance with the DOD’s cyber requirements.
Commercial companies looking to enter the government contracting space must be prepared to protect highly sensitive information and implement the necessary security controls to satisfy the government’s strict requirements. On Dec. 30, 2015, the Department of Defense (DOD) gave contractors an extension on implementing the new rules for network penetration reporting and contracting for cloud services until Dec. 31, 2017. While DOD has granted additional time for contractors to assess their information systems and address any security gaps, it is critical to identify those gaps now to avoid a breach of contract or false implied certification determination.
In addition, the recently passed 2016 NDAA contains several cybersecurity provisions that have compliance implications. The aforementioned liability protections do not extend to contractors who engage in “willful misconduct,” which includes “disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.” The NDAA also requires defense contractors to report network penetrations within 72 hours.
What do these new rules mean for government contractors? To take advantage of the opportunity to contract with the government to strengthen its systems and bolster its cybersecurity protections, commercial companies must, at a bare minimum, comply with the government’s prescriptive recommendations for cybersecurity, and employ best practices to keep sensitive data out of the wrong hands. To do so, contractors should:
- Implement early detection protocols: A variety of systems and technologies, including artificial intelligence, machine learning and probabilistic mathematics, enable the rapid identification of malware and intrusions that have gained access to IT systems. Contractors can contain these infiltrators by identifying them early on and preventing them from accessing what they want to access.
- Identify your sensitive data: A breach of government data could not only compromise personal identification records, but jeopardize national security. When evaluating cyber risk, contractors need to be able to assess where there are vulnerabilities in the network as well as the security consequences of exposing the data.
- Establish and maintain a strong system of internal controls. Companies should implement policies explicitly outlining access levels for sensitive information and establish procedures for ongoing training, monitoring and documentation. Proactively managing and promoting internal controls helps employees stay up to date on the latest threats, which can help lower a company’s vulnerability.
- Develop a clear and comprehensive threat response plan. Of course, it is best for companies to take a proactive approach to dealing with cyber threats rather than waiting until a crisis emerges. This includes putting together a response team composed of legal, compliance and IT personnel to handle threats as they arise and establish protocols for detecting, isolating and eradicating threats. This response plan should also outline protocol for recovering from the breach—bringing IT systems back online, patching vulnerabilities, etc.—and identifying lessons learned to help improve policies and procedures for the future.
Organizations can be certain that cybersecurity will remain a top priority for both private industry and the federal government. Businesses in the cyber realm are operating in a rapidly shifting landscape characterized by both challenges and opportunities. Preventing and addressing cyber threats is a moving goalpost for both businesses and government agencies. The right mix of proactive risk reduction and testing combined with maintenance of internal controls can go a long way for businesses looking to tap into the full pipeline of cyber-related contracting opportunity.
Bob Craig is a Risk Advisory Services managing director and may be reached at firstname.lastname@example.org.
Shahryar Shaghaghi leads the firm’s Technology Advisory practice and may be reached at email@example.com.
This article originally appeared in BDO USA, LLP’s “Government Contracting” newsletter (Spring 2016). Copyright © 2016 BDO USA, LLP. All rights reserved. www.bdo.com