COMMENTARY: How cybersecurity is the price of entry in federal IT


Kirk Fisher of DLT Solutions writes risk mitigation isn’t just a laudable goal, it’s the price of entry when competing for procurement dollars.

In May 2024, a report from the Office of the National Cyber Director described the need to address ever-more-sophisticated cybersecurity threats as a truly “whole of nation” undertaking.

“The most capable and best-positioned actors in cyberspace, in both public and private sectors, need to do more to reshape the digital ecosystem and protect the vulnerable,” the report states.

That opinion is certainly understandable, given the damage done to both public and private sector organizations over the past five years at the hands of cybercriminals. Ransomware in particular is on the rise: the FBI’s 2023 Internet Crime Report shows reported ransomware losses nationwide rose 74%, from $34.3 million to $59.6 million.

Emerging ransomware trends, the FBI noted, include “multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate.”

For federal contractors particularly, risk mitigation isn’t just a laudable goal, it’s the price of entry when competing for procurement dollars.

Federal contractors operate under high levels of scrutiny, which necessitates transparency and adherence to strict security protocols to maintain trust. Failure to comply with federal security and regulatory requirements is a sure way to disqualify companies from securing government contracts and funding.

Here are some of the key incidents and regulatory initiatives underlying the drive to better mitigate the cyberthreat posed to data in the U.S.

Improving vulnerability detection

In October 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01, Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive called on federal civilian agencies to better account for the assets connected to their networks and the vulnerabilities affecting them.

This push for greater visibility was prompted by high-profile intrusions against federal civilian networks, CISA noted. The directive went a step further by requiring all federal civilian executive branch agencies to establish baselines for identifying assets and vulnerabilities on their networks, with the resulting data provided to CISA at regular intervals.

“Threat actors continue to target our nation’s critical infrastructure and government networks to exploit weaknesses within unknown, unprotected, or under-protected assets,” CISA Director Jen Easterly said at the time. “Knowing what’s on your network is the first step for any organization to reduce risk.”

Risk trends and the supply chain

The importance of cybersecurity risk mitigation at the agency level underpins many of the government’s technology mandates and regulations. Vendors and their partners must be part of the solution.

In terms of regulatory compliance, federal mandates such as the Cybersecurity Maturity Model Certification (CMMC) require contractors to meet strict security and compliance standards to safeguard sensitive government data (CMMC is expected to be incorporated into DoD contracts starting in early to mid-2025).

Data sovereignty also is vitally important, with government contracts often demanding data to be stored and managed within the United States, requiring secure, U.S.-based support and infrastructure.

Similarly, federal agencies that handle classified and sensitive information are required to implement robust measures to prevent unauthorized access, breaches, and leaks. This emphasis is reinforced by Executive Order 14117, issued Feb. 28, 2024, which directed measures to prevent sensitive personal data and government-related data from falling into the hands of countries of concern.

The emphasis on improving security and limiting access to data by other countries does not end at federal agencies’ doors, of course. It’s an important aspect of the supply chain in federal procurement. Ensuring secure and verified supply chains is essential to prevent vulnerabilities from third-party companies or counterfeit components. Increasingly, federal agencies are calling for security measures to be “baked in” to vendor offerings.

There is specific guidance for IT companies on complying with supply chain requirements. The Federal Acquisition Supply Chain Security Act (FASCSA) of 2018 established the Federal Acquisition Security Council, whose orders can require that certain covered articles be excluded from executive agency procurement actions or removed from executive agency information systems.

Several agencies provide particular guidance for what that means. For example, guidance from the GSA is readily available for GSA-managed contracts.

Supply chain issues and risk mitigation can be a complex field to navigate, to be sure. Federal contractors must address a range of issues including cyberattacks, natural disasters, and geopolitical tensions – all of which necessitate proactive risk mitigation strategies.

Meanwhile, they must also ensure operational continuity during events like the COVID-19 pandemic. These types of far-reaching events highlight the need for resilient supply chains and systems to ensure uninterrupted service delivery with the greatest possible assurance of IT threat mitigation.

Fighting fire with fire

Looking ahead, it’s important to understand that the best defense against cyber threats may very well be to turn the arsenal available to cybercriminals against them.

Advanced technologies clearly pose security risks. Rapid adoption of technologies such as AI, IoT, and cloud computing introduces new vulnerabilities, requiring advanced security measures to mitigate risks. At the same time, those technologies can also be used to protect sensitive data and critical infrastructure from emerging threats.

For instance, AI-driven security solutions can help detect anomalies in real time, while robust cloud-based security measures can help ensure data integrity and availability.

The landscape of risks has evolved, with new threats emerging from cyberattacks, natural disasters, and geopolitical tensions. Organizations must adapt to these complexities to safeguard their operations and assets.

Vendors and their partners need to work more diligently than ever to navigate this evolving landscape if they are to pay the price of entry in federal procurement.

Kirk Fisher is VP, sales for DLT Solutions, a technology solutions aggregator and IT distributor headquartered in Herndon, Virginia, that is part of TD SYNNEX Public Sector. DLT connects government agencies with leading technology providers, offering the tools and expertise needed to address cybersecurity, compliance, and operational challenges in federal IT. For more information, visit https://www.dlt.com/