Last month Frank McNally of Public Spend Forum hosted Neil Chaudhuri, President of Vidya, and I for a webinar on Cyber Acquisitions. I got some great questions afterward about federal procurement generally and buying cybersecurity products and services specifically. Here’s a summary.
Is there such a thing as buying cyber anymore?
The cybersecurity category has matured to the point that there’s really no such thing as “buying cyber” anymore. We now have specialist providers, each serving specific niches, all with unique approaches and pricing models.
But solicitation structures inevitably favor certain types of providers over others. For example, the Government buys a lot of security compliance services. With rare exceptions (e.g. FedRAMP, complex mission-critical networks, etc.) security compliance is commoditized and the work rarely demands a high-level of expertise.
So first, don’t pay a lot for it. More importantly, don’t structure solicitations that make vendors charge more for these services. I cringe every time I read an RFP that requires crazy levels of expertise, rare certifications or advanced degrees for simple compliance exercises. It’s just not necessary, and it chases away vendors who may be able to provide adequate support to these basic tasks extremely cheaply.
Alternatively, some services such as managed security, incident response & forensics, cyber hunt and other unique disciplines are challenging, expensive and require continuous training. Solicitations for these services should be evaluated differently in order to select the most appropriate provider.
What do you think of Governmentwide Acquisition Contracts (GWACs)?
GWACs – such as Alliant, VETs, OASIS, etc. – are great sources of vetted providers capable of supporting big programs. However, the evaluation criteria to secure a place on these contracts heavily favor commodity IT service providers. You simply can’t win a prime spot on these vehicles as a pure play cybersecurity company.
They’re also biased against companies with sizable commercial practices. As many of the best cybersecurity companies focus primarily on the commercial market, this is a problem.
Before taking your cybersecurity requirement to a GWAC, understand what you’re buying. If you’re buying something that a federally-focused commodity IT provider can supply, great. But if you need specialized expertise the GWACs just won’t cut it.
I’d like to use Simplified Acquisitions but I just don’t know if it’s worth it.
Even for large organizations, $250k can buy a lot of cybersecurity support. So I’m surprised that more agencies don’t take advantage of these procedures to quickly procure certain services.
Let’s say an agency needs compliance assessments covering a small, simple system portfolio. We see these types of requests often on eBuy. Agencies could easily use a tool like GovShop to identify local trade area businesses for a quick competition under Simplified Acquisition Procedures. Depending on the system type, a small, low-cost provider may be able to support a sizeable system portfolio under the threshold.
Simplified acquisitions are also a great way to reach specialty providers who aren’t equipped to execute complex federal bid and proposal processes. A great example is support for cyber intelligence services. Many of these solutions can be purchased even at scale for under the $250k threshold. However, a lot of the best cyber intelligence solutions providers just aren’t set up to bid on Government contracts. They end up working through system integrators to reach the Government market, at a significant markup.
As simplified acquisitions operate much like private sector acquisitions, take advantage of this competition type to quickly reach specialized providers.
Are there any contract types you do recommend?
If I were a government contracting professional in charge of a major cyber program I would want Blanket Purchase Agreements in place to manage my contractor workforce.
Federal procurement shops are overworked. And BPAs have a reputation for being difficult to manage, both on the procurement and on the execution side. So we seem to have turned away from agency-specific Blanket Purchase Agreements (BPAs).
This is unfortunate. Without question, our best performing cyber contracts are agency-specific BPAs. Once a BPA is in place we can respond to short turnaround task orders, often in as little as one business day. We can then jump start execution and respond to urgent needs.
BPAs also have the flexibility necessary to fight back against modern cyber challenges. A well-written BPA can cover a diverse range of skills, labor categories, and pricing models. And Task Orders can be written to ramp up and down quickly, saving the Government money.
An example: most agencies don’t need high end, expensive malware analysis support on site, billing 40 hours per week, week after week. With the right BPA in place, short duration task orders can make that expertise available as needed in response to specific incidents. You can then send those high-priced experts home once the work is done.
Most importantly, stay involved.
The Government is far too dependent on contractors. We need to change that. But it won’t happen fast.
In the meantime, effective contract management is one of the most vital critical success factors impacting federal program success. This is especially true in the cyber arena, as fighting back against modern cyber threats requires a fleet-footed approach to acquisitions and execution.
No one is better suited to provide that leadership than federal procurement professionals. Our best performing cyber contracts all share at least one thing in common: the continuous presence of a strong Contracting Officer. By staying engaged throughout program execution, procurement professionals can help provide that flexibility while ensuring program accountability and effectiveness.
About the Author: Spence has somehow survived ten years at start-ups and small businesses without suffering a (major) nervous breakdown. As Lunarline’s Director of Federal Sales, Spence actually loves working on proposals. If there were any doubt, this is proof that he is in fact certifiably insane. While his title says “Sales” Lunarline doesn’t let him off that easy. They make him do real work, too. Luckily he’s a recognized subject matter expert in security policy and loves helping clients navigate their way around tricky security compliance standards. He’s also been known to lead a software development initiative or two, though that pretty much always ends poorly for everyone involved. He can be reached at firstname.lastname@example.org.