Government leaders see partnership and culture as keys to reducing cyber risks

In the seventh of our series of Washington Technology Industry Days, a number of agency executives took on cybersecurity priorities, opportunities and procurement at their agencies, and emphasized the need to think differently about cyber.

We hosted representatives from agencies such as DHS, the Commerce Department, and Army PEO EIS. Each government executive emphasized a desire to partner effectively with contractors and highlighted opportunities for contractors to watch in the near future.

Cybersecurity at DHS: Programs, Policies and the Pipeline

Darryl Peek, cybersecurity strategist, Federal Network Resilience Division, Office of Cybersecurity and Communications, National Protection and Programs Directorate, DHS

Peek began his presentation by highlighting his organization’s structure.

He later noted that Homeland Security’s budget request for fiscal 2016 is $41.2 billion, and the National Protection and Programs Directorate’s request is $1.66 billion.

One budget highlight, Peek said, is the $479.8 million going to the National Security Deployment for Einstein3 accelerated program. The program enables DHS to detect malicious traffic targeting federal networks.

“There was actually an award to CenturyLink that was looking at doing a service extension providing some of the capabilities no matter the commercial service provider that you’re leveraging,” Peek said.

Another budget highlight is an additional $102.6 million for the Continuous Diagnostics and Management program.

Contractors should be ready for a number of DHS recompetes soon, as well.

“We have a number of awards going through recompetes, so looking at FY16 throughout FY20, you’re going to be seeing some activity,” Peek said.

Some of these recompetes include the Near-Term Systems Accreditations and Ongoing Authorization (recompete in 2016) and the NEO TO3: Situational Awareness Threat Reporting (recompete in 2017).

Creating a Cybersecurity Culture: Priorities, Processes and Procurement

Rod Turk, director, Office of Cyber Security and chief information security officer, Office of the Chief Information Officer, Commerce Department

Turk began his presentation by underlining the fact that there is much room for improvement when it comes to cybersecurity. Most attacks, he said, come from known vulnerabilities that are two to four years old.

“We’re not putting in the patches, we’re not fixing our systems, and I’m not just talking about the government, I’m talking about everywhere,” Turk said. “We’re not doing the basic cybersecurity hygiene that we need to be doing.”

In order to address these problems, the Commerce Department is setting up secure enclaves that will, in the event of a breach, reduce the risk and limit the exposure.

Commerce is also looking for more credential management capabilities.

Most of all, Turk’s message was that the government and contractors need to establish a cybersecurity culture. Having a culture is about having a plan.

“If you don’t have a plan in your security organization to get where you need to go, you’re not going to get there. You need to put milestones in, you need to projectize it, and you need to decide that at this date, you’re going to have this done.”

Having a cybersecurity culture is the key to moving forward while achieving cybersecurity hygiene.

“I can have all of the tools in my bucket, I can have all of the cybersecurity PhDs in the world, but if I do not have a cybersecurity culture in the organization that listens to that, and is willing to fund it, willing to put up the cybersecurity culture to make these things work, it’ll all be for naught,” he said.

Going Beyond the Basics

LTC Ossie Peacock, Jr., product manager, Army Contract Writing System, Army PEO EIS

Peacock named a list of challenges that his organization faces related to cybersecurity, which are echoed throughout the government. These challenges include:

  • Fundamental disconnect when it comes to cyber security (User challenged)
  • Poor prioritization within organizations
  • Inadequate assessment of the cyber landscape
  • Delay in realizing attacks have occurred
  • Public knowledge of incident and perceived impact to organization
  • Lack of cybersecurity professionals

Peacock also mentioned some trends that influence these challenges:

  • Tendency to address cyber shortcomings with additional tools
  • Most tools being deployed are for monitoring and not events
  • Data analytics becoming increasingly important
  • Network resilience is becoming more important
  • Security operations, analytics and reporting
  • Need for automation moving forward

Like the others, Peacock emphasized that the government and contractors must change the way they think about cybersecurity.

“We can’t continue this business as usual attitude. We have to change the culture, we have to figure out ways to get inside the decision network. We have to aggregate data faster,” he said.

The key to this, Peacock said, is teaming.

“It is critically important that we team. I consider teaming as the path forward, it’s not the contractor delivering capabilities. This world is too dynamic.”

Federal Cybersecurity Trends and Drivers for FY16

Lloyd McCoy, Jr., DOD Manager, Market Intelligence, immixGroup

McCoy outlined a number of drivers and trends within civilian agencies and defense agencies.

For one, all civilian agencies are focusing on identity, credential and access management, he said, especially in the wake of the Office of Personnel Management breach.

Additionally, many cyber drivers cross cut with cloud security. “Industry needs to pay attention to how their customers enforce FISMA requirements and other mandates to work in a cloud environment,” McCoy said.

Opportunities abound at the Veterans Affairs Department, as well.

“Those of you who have security tools geared towards protecting network medical devices, especially those devices that can be implanted in a veteran, such as a pacemaker, this is a great opportunity to have a conversation with the VA today,” McCoy said.

Regardless of who you are doing business with, companies should make information protection, secured storage, and availability part of their strategy, he added.

Creating a More Nimble Approach to Cyber

Bill Weinberg, head of the Contracting Activity, U.S. Immigration and Customs Enforcement

Weinberg emphasized ICE’s efforts to award a significant number of contracts to get what it needs. The agency in 2015 made 7,483 actions, with $2.5 billion in obligated dollars, making up 87.2 percent of its IT dollars eligible for competition.

He also emphasized the agency’s desire to contract out to small businesses; it met all of its small business goals with the one exception of HUBZone companies.

“We compete as much as we can. We try to give people a fair shot.”

ICE’s top services in 2015 were detention services ($1.4 billion), medical services, IT services, and professional program management and support (all less than $200 million).

Weinberg noted the much lower figure for IT services. “IT services is an area that we’re hopefully looking to improve on because that’s where you have a lot of the cyber efforts and the efforts to improve our infrastructure,” he said.

He also gave a piece of advice for companies looking to do business with ICE: show what you do best.

“People come in and say that they’re really good at everything, and they don’t talk about the one thing they’re really good at. And the way you demonstrate is not with a resume, the way you demonstrate that is an issue that I have solved in an agency.”

In 2016, Weinberg said, ICE is focused on continuing its emphasis on using strategically sourced solutions, maximizing competition, increasing small business opportunities—especially HUBZone companies—and managing contract risk to the government.