CGA COMMENTARY: Why going small is not always the best cyber strategy

By: Chris Cummiskey, CGA Senior Advisor

**Note: This piece originally appeared in Fifth Domain Cyber, an affiliate of C4ISRNET, Federal Times and DefenseNews.**

In recent years, there has been a strong push in federal departments and agencies to emphasize the need for awarding contracts to small business. This strategy has been further re-enforced by the Small Business Administration that issues regular scorecards to show which agencies meet predetermined percentage targets for small business contract awards.

During my tenure as the acting undersecretary for management and chief acquisition officer at the Department of Homeland Security, I worked closely with our procurement teams to generate a string of “A” grades from SBA in meeting our targets.

Today, of the $13 billion or so DHS awards each year, about one-third goes to small business, while about a third goes to medium sized and large businesses each. This has led to DHS being recognized as one of the leading departments in working with small business.

There are many places in government where a small business procurement strategy is efficient and effective, yet cybersecurity is not necessarily one of those areas. My experience is that government procurement and program officials are dedicated professionals who seek to craft the best acquisition approach based on the requirements. There are, however, a growing number of instances in cyber contracting where a shift to small business could have a detrimental impact. The pressure to meet small business goals, and the feeling among many that small businesses are more flexible and less expensive,  has led to decisions, particularly with cyber contracts, to craft a strategy that is high-risk and counterproductive.

There are several considerations that need examination when crafting a successful cyber procurement approach. These include past performance, program complexity, scale, staffing and pricing.

Past Performance

Demonstrating successful past performance is a key indicator of future success in government contracting. This track record is an important consideration in evaluating which companies can effectively execute often complex federal cyber requirements.

Given the sensitivity and complexity of the cyber mission, it is essential that contracting officers carefully weigh past performance in their evaluation criteria. In this scoring process, well established companies with extensive government experience will certainly have an advantage, but the resulting lower risk to the mission is clearly an important consideration given the cybersecurity climate today.

Program Complexity

Providing cyber defenses in federal agencies has become a challenging and complex undertaking. DHS has been tasked by Congress and the White House with protecting federal networks, while serving as the lead agency for sharing information with the private sector. These vital cyber missions are executed through programs such as Einstein and Continuous Diagnostics and Mitigation (CDM) and centers like the NCCIC and US-CERT.

There is only a subset of companies that have the necessary cyber technical capabilities, large-scale integration experience and processes to effectively run these types of programs.

Breaking cyber contracts up into smaller pieces for the promise of lower cost and more agility can sound promising, yet these promises often go unfulfilled. In reality, what most often occurs is the government themselves will need to integrate across the pieces, potentially compromising the cyber mission, and stressing an already under-staffed government professional team. When coupled with other emerging technological advancements and qualifications, this will continue to be an area where small business will struggle to compete.

Scalability

Another area where small business will have difficulty in meeting requirements of the cyber mission is with scalability. Many successful cyber programs that start as pilots or trial runs eventually end up having to be brought to scale.

As an example, Einstein 3 Accelerated (E3A) started with a relatively modest number of seats covered, yet after the OPM debacle the political will materialized to bring the cyber protection to all 2 million seats in the federal government. Once the decision was made to expand E3A, there was little time to debate whether or not the vendors would be able to accommodate the request. Immediate action to rapidly scale the capability was an imperative.

Staffing

It is not hard to see that there is shortage of skilled cyber employees. Professionals in cyber-related fields have many options today. They can work for the alphabet soup of government agencies that work the cyber mission or they can choose an often more lucrative track in the private sector.

Large government cyber programs need talented and capable personnel in the seats. Often, that means hiring private sector companies to assist with staffing and capabilities. This can be a very good option if the company has solid internal controls for maintaining high quality, cleared cyber staff who receive ongoing training. Small business often has trouble competing to attract and retain high caliber cyber talent.

Pricing

One of the regular arguments one hears about awarding to small business is they are just cheaper than some of the larger outfits. In some cases that may be true, but again, in most cyber procurements that may be an illusion.

A better metric for government cyber than Lowest Price Technically Acceptable (LPTA) should be Best Value. It is not unusual for smaller companies to low ball their pricing on a RFP with the hopes of winning the award. Once secured, they sometimes struggle to meet the contract deliverables, terms and conditions. This is a dangerous trap door for government procurement officials. They are often pressed to reduce contract cost, while not sacrificing functionality.

In too many cases, the government finds out too late that program performance has suffered due to an award to a small business that just can’t get the job done.

Conclusion

These observations are not meant to slam the small business community. There are plenty of areas in federal contracting where small business is the best choice. Unfortunately, large scale government cyber is not one of those places.

Past performance, program complexity, scalability, staffing and pricing all factor into sound federal procurement decision-making. At the start of a new administration, I hope the incoming teams of appointees will take a hard look at how federal cybersecurity is planned, procured and executed to ensure the best results.

Chris Cummiskey is a former acting undersecretary/deputy undersecretary for management and chief acquisition officer at the U.S. Department of Homeland Security.

PRESS RELEASE: Former U.S. Department of Homeland Security Under Secretary Francis X. Taylor Joins Cambridge Global Advisors as Principal

May 4, 2017 (Washington, DC) – Today, Cambridge Global Advisors (CGA) announced that Francis X. Taylor, former Under Secretary for Intelligence and Analysis (I&A) at the U.S. Department of Homeland Security (DHS), will join CGA as a Principal and Senior Advisor, advising on a variety of government, NGO, corporate and non-profit client projects in the national security and global affairs space.

At DHS, from 2014-2017, Taylor oversaw and carried out the mission of the Office of Intelligence and Analysis, equipping the Homeland Security Enterprise with the timely intelligence and information required to keep the homeland safe, secure, and resilient. 

Before his DHS appointment, Taylor served as Vice President and Chief Security Officer for the General Electric Company (GE) and was responsible for GE's security operations and emergency management processes. Taylor also had a distinguished career in public and military service, including serving as Assistant Secretary of State for Diplomatic Security and as the US Ambassador at-Large and Coordinator for Counterterrorism for the Department of State from 2001-2002. During his 31-year military career, Taylor achieved the rank of Brigadier General and oversaw counterintelligence and security operations for the US Air Force.

Of the recent appointment, Jake Braun, CEO of Cambridge Global Advisors said: “A home for many other former leaders at the Department of Homeland security, Cambridge Global is proud welcome Frank Taylor to our team. He brings a depth of knowledge and demonstrated leadership managing security operations in the military, government and corporate arenas.  We are pleased to be able to offer our clients the benefit of Frank Taylor’s high-level experience in the public and private sectors.”

CGA COMMENTARY: Kelly Lays Out Agressive Agenda in GW Address

By: Chris Cummiskey, CGA Senior Advisor

In his first major address since being sworn in as the fifth Secretary of Homeland Security on January 20th, General John Kelly delivered a wide-ranging address today at the George Washington University, Center for Cyber and Homeland Security. His remarks were centered on the state of U.S. homeland security here and abroad and Trump Administration priorities of fighting terrorism, tightening immigration/vetting, cyber protections for Federal networks and management reforms.

As a former Acting Under Secretary/Deputy Secretary at DHS and a Senior Fellow with the GW Center, I was struck by Secretary Kelly’s full-throated support for the DHS workforce and his “commitment to have their backs” with Congress and other critics of the department. Calling on his 45 years of experience in the Marine Corp, Secretary Kelly made it clear that the department would enforce current law; however unpopular, and challenged members of Congress to have the courage to make changes if they don’t like the current state of affairs.

FIGHTING TERRORISM

Consistent with his former role as the combatant commander of the Southern Command for the Department of Defense, there was a great deal of emphasis on changing the playing field on which the U.S. fights terrorism. Just as former Secretary Jeh Johnson sought to pursue a Southwest Border Campaign Strategy, Secretary Kelly is seeking to push the fight against terrorism far beyond U.S. borders. I also was interested to hear about his prediction that we will be facing increasing coordination between terrorist and criminal organizations in coming years. He also talked about the challenges of thousands of fighters in Syria returning to their countries of origin, many with visa waiver programs with the U.S. He also acknowledged the challenges of confronting “lone wolf” threats and homegrown extremist activity.

IMMIGRATION/ENHANCED VETTING

One of the most dramatic numbers cited by Secretary Kelly was the 70% decrease in southern border crossings over the last ninety days. He referenced President Trump’s tough stance, not necessarily increased enforcement, as the reason for the dramatic decline. It was interesting there wasn’t any reference to building a border wall or the significant plus up (10,000 ICE agents, 5,000 CBP agents) that is being requested in the FY2018 President’s budget. I was glad to hear about his collaborative strategies with other governments and other Federal agencies in seeking to build economic strength in those areas the most outmigration (Guatemala, Honduras et cet.). Secretary Kelly also defended new screening measures and the need for enhanced vetting of foreign travelers.

CYBER

One of the areas in the speech that was less specific involved defense of Federal computer networks. Secretary Kelly did say the White House has various task forces and a draft Executive Order on Cyber pending, yet he was more circumspect about DHS’s plans for reorganizing its cyber capabilities or future plans for the major cyber programs, Einstein and Continuous Diagnostics and Mitigation (CDM). These two major acquisitions have come under fire from GAO and the Hill in recent months. I am encouraged that Secretary Kelly has selected some able cyber professionals like his Chief of Staff, Kirstjen Nielsen, and former Microsoft executive, Chris Krebs, to advise him, yet the absence of a coherent acquisition strategy and a hardened internal bureaucracy continue to stifle cyber progress.

UNITY OF EFFORT

I was glad to hear Secretary Kelly say he is committed to building on his predecessor’s Unity of Effort strategy to further strengthen the department’s business functions. Newly confirmed Deputy Secretary Elaine Duke and Acting Under Secretary for Management Chip Fulghum will likely be tasked with gaining further acquisition and budget efficiencies in the coming months. As the Federal Times reported last month, the FY2018 DHS budget proposal seeks to fund increases in border security and enforcement by reducing the budgets of other DHS components like the Coast Guard, TSA and FEMA. This approach will be a tough sell with Congress.

CONCLUSION

Overall, I thought Secretary Kelly did a good job of laying out a clear agenda for the department in the coming months. The messages were not wildly different than those delivered by former Secretaries Johnson and Napolitano in their first months in office. The main difference for DHS is that for the first time you have an operator running an operational department. These days that is a pretty big deal.

Chris Cummiskey is a senior advisor at CGA, as well as former Acting Under Secretary/Deputy Under Secretary for Management, Chief Acquisition Officer at the U.S. Department of Homeland Security and a Senior Fellow with the George Washington University Center for Cyber and Homeland Security.

PRESS RELEASE: CGA Announces Final License for NeMS Cybersecurity Technology

February 14, 2017 (San Francisco, CA) – Today at the annual RSA Information Security Conference in San Francisco, Cambridge Global Advisors (CGA) was proud to announce that the commercialization license for its Network Mapping System (NeMS) technology has been finalized.

Developed by Lawrence Livermore National Laboratory (LLNL) and licensed by LLNL to a CGA subsidiary, NeMS is a software-based tool that simplifies the network security process by automating several of the 20 Critical Security Controls (CIS Controls), a prioritized set of cyber practices created to stop the most pervasive and dangerous of cyberattacks as put forth by the Center for Internet Security.  Specifically, NeMS will automate three of the top five CSC components and inform users what is connected to their network so that they know what needs to be protected.

“This is an important moment for NeMS, the final license coming on the heels of multiple prominent cyberattacks that have policymakers scrambling for solutions,” said Jake Braun, CEO of CGA. “Several leaders in the last year – including the Attorney General here in California –have pushed measures requiring businesses to implement the CIS Controls as a condition of operation. As a result, enterprise consumers are searching for products – like NeMS – that will help them comply with mandatory baseline security standards.”

The commercial licensing of NeMS was aided by the U.S. Department of Homeland Security Science and Technology’s (S&T) Transition to Practice Program (TTP) which looks to transition federally-funded cybersecurity technologies from the laboratory to enterprise consumers. The program also seeks to create institutional relationships between the cyber research community, investors, end users, and information technology companies by showcasing the technologies throughout the country to develop pilot and commercialization opportunities.

Each year the TTP program selects eight promising cyber technologies to incorporate into its 36-month program. S&T introduces these technologies to end-users around the country with the goal of transitioning them to investors, developers or manufacturers that can advance them and turn them into commercially viable products.

“LLNL has a long history of successfully engaging with our industry partners to commercialize technologies that advance our national and economic security,” said Rich Rankin, the director of LLNL’s Industrial Partnerships Office.  “Commercializing LLNL-developed technologies like NeMS enables the private sector to apply the Lab’s solutions to market needs beyond the U.S. government’s immediate interests – helping solve some of nation’s biggest, most complex challenges while driving economic growth.”

PRESS RELEASE: Cybersecurity Experts Meet to Discuss 2016 Election Hacking

February 9, 2017 (Chicago, IL) – Yesterday, Cambridge Global Advisors (CGA) convened a timely discussion on cybersecurity and the U.S. democratic process. The event, hosted by and at the Chicago Council on Global Affairs, focused on how cybersecurity and hacking impacted the 2016 election outcome.  The full event is available for viewing online at: https://www.thechicagocouncil.org/event/hacked-democracy

Jake Braun, CEO at CGA, moderated the event and was joined by Cindy Cohn, Executive Director, Electronic Frontier Foundation; Siobhan Gorman, Director, Brunswick Group; Robert K. Knake, Whitney Shepardson Senior Fellow, Council on Foreign Relations; and Sherri Ramsay, Senior Advisor to the CEO, CyberPoint International; Cybersecurity Consultant.  Among various topics, this panel of experts addressed some of the key challenges currently facing both the government and private sectors as they fight cybersecurity breaches, privacy issues, and electorate concerns about the integrity of American elections.

The panel raised concrete things the Trump Administration, other governments, political groups and private sector interests can do to protect the nation, highlighting the need to balance national security concerns with civil liberties concerns within a democracy.  One of the issues raised included whether or not technology is a threat to democracy. With democratic nations amassing enormous cyber-surveillance powers, it becomes increasingly difficult for democratic nations and societies to balance both transparency and security in the new digital age.

“There’s no doubt that cyber-meddling by foreign actors is now at the forefront of the discussion around technology, cybersecurity and democracy,” said Jake Braun who has advised both public and private sector interested on cyber assessments and network security matters. “But where it was elections in November, it can be our energy grid or water resources in the future. Bottom line: When an outsider can cause this much damage, it’s not just on our government to foster solutions, it’s on the private sector to get involved too.”

The full event is available for viewing online at: https://www.thechicagocouncil.org/event/hacked-democracy