When it comes to buying cyber security, it’s hard to know where to even start. A constantly changing threat environment and the diversity of government IT networks make it complicated to determine how cyber security fits into the procurement lifecycle. In situations like this, a good first step is to figure out what exactly you are buying. Are you integrating a COTS product into an existing architecture? You’ll need anti-virus and threat protection applications. Developing a new digital service like an online permit application process? That’s a target for identity thieves, so you’ll need cyber protection to secure the transaction.
The possibilities are endless, and procurement professionals will find many questions that need answers when they begin procuring information technology and the cyber security applications necessary to protect against threats. We can’t answer all of the questions for you, but we can help you establish a consistent research approach to gain critical market intelligence for cyber security. And as we discussed in Techniques for Conducting Efficient, Effective Market Research, market intelligence is essential to achieving good outcomes for your customers through procurement.
To help you develop market intelligence for cyber security procurement, we begin our series by sharing several questions you may be asking yourself when you begin to procure cyber security for government customers.
Question Number 1: If my technology is decades old, is it still susceptible to modern threats?
Even with the recent focus on modernization, government IT leaders must still maintain the security of legacy applications and systems in their current environment. There’s no doubt about it: legacy tech is a prime target for cyber hackers and is highly vulnerable to current threats. Hackers love to exploit old software, and this means that investments must be made to secure any assets that are currently in use, no matter when they will be retired.
But if modernization is underway, what is the appropriate balance between securing the old while deploying resources to protect the new? For IT leaders and contracting professionals, this requires critical thinking about how to secure IT assets designated for “sunset” without overly diverting resources that could be used for modernization. Making sure programs don’t “throw good money after bad” is an area where contracting professionals can add value for their customers.
As a buyer, you can help customers think critically about these investments so that resources are still available for the future state, while support is provided to the legacy technology. Help your customers consider whether they are buying the right solutions for those legacy systems and then look to the future; do you have a plan to transition away from that legacy system in the near future? If so, you can plan for how long the legacy tech would require that cyber support and structure contract periods of performance accordingly.
Ultimately, this requires a keen understanding of your agency’s IT portfolio and objectives, and an awareness of critical milestones contained in transition plans. Create a roadmap for your acquisition priorities to track how long a license or support contract might be needed for old assets, and build in options that can quickly be exercised if the transition is delayed and you need a longer security window.
For new development, make sure that security tests and protocols are built in from the start. Ask whether the security testing is automated; if you don’t get a good answer, consider whether dedicated subject matter experts who understand cyber security are actively supporting the product owner and procurement team. These individuals can help identify the relevant vulnerabilities and assist in the design of appropriate controls and requirements that do not drive costs without delivering a positive return on the investment.
Question Number 2: New cyber threats emerge every day. How do I possibly design a solicitation to cope with such an unstable environment?
According to a recent article in FCW by Tony D’Angelo, a vice president for cyber contractor Proofpoint, federal IT has typically focused its cyber investment on endpoint solutions to protect network infrastructure, which “includes relatively unsophisticated email gateway solutions for anti-virus and spam.”
While endpoint solutions are necessary, a more holistic procurement approach can help your organization build solutions that evolve over time, and in conjunction with the threat environment. Specific patches and anti-virus software aside, it is important to think beyond procuring a specific solution for a specific threat. Instead, focus on structuring procurement requirements in an outcome-oriented manner, ideally using performance work statements that give cyber teams flexibility in responding to changing environments.
Performance-based contracting is an acquisition strategy worth considering in these cases. Outcome-oriented measures let the experts you hire develop solutions that achieve those measures, irrespective of the threat or vulnerability they are securing. Performance-based contracts can also be more effective at differentiating proposals since they tend to require more expertise in the proposal writing process and are less susceptible to “gaming” by a talented business development team with experience in writing winning proposals.
However, performance-based contracting does require extra attention from contracting professionals, who now need to learn more about their customer’s goals in order to translate them into outcome-oriented requirements. As a best practice, look to develop working relationships with individuals in the Office of the Chief Information Security Officer and attend meetings whenever possible. This is an important way to learn about your organization’s IT environment and its associated threats and vulnerabilities, providing critical market intelligence for requirements development, market research, evaluation, and contract award.
And while you’re at it, go ahead and read the National Cybersecurity Strategy released on September 20, 2018.
Question Number 3: My customer’s key personnel requirements seem awfully specific. How do I know if the person they’re looking for actually exists?
Here’s a fun fact: cyber security undergraduate degrees started being offered in 2013, yet some government solicitations require personnel with a bachelor’s degree in cyber security and 10 years of working experience. That’s an unrealistic requirement because that person does not exist! Move ahead with that requirement and you’ll create some difficult challenges for yourself later in the acquisition lifecycle.
We don’t suggest disregarding cyber certifications and degree programs in your personnel requirements, but we want to stress that they aren’t always a predictor of future success. Hiring the best talent is an operational and execution challenge, but broad descriptions of what a qualified candidate looks like give industry the flexibility they need to staff your labor categories with the best people possible. It also makes it easier for your evaluation teams to distinguish good proposals from bad.
Ultimately, you want a contractor that has dedicated resources to training staff on all the threat vectors and a contractual structure that can let you quickly incorporate them into your organization. So instead of trying to acquire specific degrees or certifications, look for companies that have strong internal HR and workforce development structures. If a threat does emerge that needs immediate response, you won’t have time to conduct a staffing search, so you’ll be glad your industry partner has a deep bench of talent and the ability to “train them up.”
Question Number 4: What is procurement’s role in the event of an attack?
At some point in your IT procurement career, your organization or customer will be impacted by a cyber attack. If you’ve built a flexible contract that permits your support teams to adapt and evolve in response to the attack, you’ll be in good shape to respond and hopefully minimize the damage. But what’s the playbook for procurement professionals to follow so they can best support their customers?
In a recent guest blog post on Public Spend Forum, Jean-Paul Bergeaux, Federal Chief Technology Officer for GuidePoint Security, wrote about five steps that security professionals should take to protect their assets and mitigate the damage from a successful cyber attack. Within these steps, which are tailored to reflect an organization’s level of maturity, are cues to help procurement professionals position themselves to add value through contracting.
The first opportunity is to assist with the “basic security blocking and tackling” that occurs after any incident. Brush up on your p-card policy as some licenses and hot fixes can be acquired under the newly expanded simplified acquisition threshold. Look for as-a-service opportunities to fortify your response team, and try to get a sense from your technical SMEs as to how long the response may last.
After any attack, there’s an opportunity to do some cleaning up of the IT environment. You may be asked to acquire support for this effort, so help your customer think through the entire process. Can one vendor do the job, or will you need multiple support contractors? Bergeaux suggests in his blog post that many issues arise when IT customers are unable to identify their most important data, so talk with your customer about how you can help them acquire some basic data management services before you move deeper into security patches and testing.
That brings us to the next point: the testing that occurs after the attack. Here’s where Bergeaux suggests that customers consider new tools and platforms that can improve cyber health and are more responsive to current threats and vulnerabilities. You as the procurement professional should have a degree of market intelligence about what the market offers, so check out our Ultimate Guide for Government Cyber Security Market Research to kickstart your learning!
Question Number 5: There are so many different types of solutions and support for cyber security. How can we possibly conduct a fair evaluation?
The first rule of thumb is: don’t try to compare apples to apples. Instead, try to evaluate each contractor based on the factors that are most important to you. According to Spence Witten, the cyber expert who joined us for a recent podcast episode about cyber security procurement, the Department of Defense has a simple but effective method for letting contractors know which facets of a requirement are most important to them: they identify them in the solicitation.
This lets Spence and his proposal teams focus their proposal efforts on what is most important, so they can write the most responsive proposals possible. A responsive proposal is always easier to evaluate than broad proposals that generally address requirements. Furthermore, when vendors know what is most important to a government customer, the proposals they submit are easier to compare to others in the competition.
So instead of trying to solve the “apples to apples” comparison challenge, change the way you write your requirements so you can tease out a company’s actual strengths and weaknesses. Ask your bidders specific questions like how they are integrating security into their functional testing plan, or how they are securing functional requirements.
Being more specific and focused in your solicitation can help weed out weaker vendors, which lets you spend time evaluating only the cream of the crop.
Question Number 6: My team is working on an agile software development project. How do I address cyber security when I’m designing software with multiple support teams?
If you’re building software in your organization, you have an excellent opportunity to build security into the system or application to be delivered. If your teams aren’t already talking about security, they should be. And if they aren’t, this is a chance for you to ring the bell and encourage greater security representation in the product team.
Both Scrum (an agile development methodology) and Play 6 of the Digital Services Playbook call for a Product Owner to represent the domain, prioritize functionality, and develop acceptance criteria represented in tests. Recommend an analogous “co-Product Owner” who can do the same with regard to security, and determine whether this expertise exists on your contract team or needs to be added through another channel.
As a corollary to this, security acceptance tests should be part of the same automation pipeline as functional acceptance tests and static analysis. This is essential for building security into your software from the start and ensuring that moving to a continuous delivery pipeline to deliver more often doesn’t compromise security.
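To make the shared pipeline concrete, here is an added example (not from the original post) of what security acceptance criteria written as tests look like next to a functional one: a hypothetical online permit application service, where one test run checks the functional criterion and the security criteria together, so a security regression blocks delivery exactly as a functional one does. All names, roles, tokens and limits are assumptions for illustration.

```python
# Added example, not part of the original post: a hypothetical permit
# application service whose functional and security acceptance criteria
# are checked by the same test run (one gate in the delivery pipeline).
from dataclasses import dataclass, field

MAX_DESCRIPTION = 500  # hypothetical input limit from the security criteria


def _raises(fn, exc):
    """Return True if calling fn raises exc (helper for acceptance tests)."""
    try:
        fn()
    except exc:
        return True
    return False


@dataclass
class PermitService:
    sessions: dict = field(default_factory=dict)  # token -> applicant id (constructed)
    permits: dict = field(default_factory=dict)   # permit id -> (owner, description)

    def submit(self, token, description):
        owner = self.sessions.get(token)
        if owner is None:
            raise PermissionError("not authenticated")
        if not isinstance(description, str) or len(description) > MAX_DESCRIPTION:
            raise ValueError("invalid description")
        pid = len(self.permits) + 1
        self.permits[pid] = (owner, description)
        return pid

    def view(self, token, pid):
        owner = self.sessions.get(token)
        # Deny unauthenticated, unknown and cross-applicant reads alike.
        if owner is None or pid not in self.permits or self.permits[pid][0] != owner:
            raise PermissionError("denied")
        return self.permits[pid][1]


def run_acceptance_suite():
    """Functional and security criteria in one run; returns {criterion: passed}."""
    svc = PermitService(sessions={"tok-alice": "alice", "tok-bob": "bob"})
    results = {}
    pid = svc.submit("tok-alice", "Fence, rear yard")  # functional criterion
    results["functional: applicant can submit and view own permit"] = svc.view("tok-alice", pid) == "Fence, rear yard"
    # Security criteria, authored by the "co-Product Owner", gate the same run.
    results["security: unauthenticated submit rejected"] = _raises(lambda: svc.submit("no-such-token", "x"), PermissionError)
    results["security: oversized input rejected"] = _raises(lambda: svc.submit("tok-alice", "A" * (MAX_DESCRIPTION + 1)), ValueError)
    results["security: other applicant cannot read permit"] = _raises(lambda: svc.view("tok-bob", pid), PermissionError)
    return results
```

In a real pipeline the same suite would run beside static analysis on every change, and any False result fails the build.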
Are You Ready to Buy?
While the answers to these questions may certainly provoke more questions, the time for discovering what you know and don’t know about your procurement needs is “as soon as possible.” So if you’re about to embark on a journey to buying cyber security, use the questions and considerations in this post to more effectively communicate with your program counterparts and subject matter experts.