Federal Opportunity Alert: Cybersecurity Weaknesses at the Department of Transportation

by Chris Wiedemann, Analyst

If you’ve been following our blog lately, you will have noticed a heavy focus on cybersecurity coming out of the government at a very high level, as mentioned by both Steve and Tom in the last few weeks. It’s not surprising that federal executives at the highest levels are dedicating renewed energy to this topic – there have been a number of high-profile and successful cyber attacks against federal systems lately. However, while attempts to solve sweeping issues at the level of legislation and executive policy are admirable, the fact remains that many (possibly all) government departments and agencies have real issues at the ground level that contribute to government-wide vulnerabilities. The good news for us is that many of those issues can be solved with COTS security technology.

To illustrate the point, let’s take a look at the Department of Transportation (DOT), which handles the fifth-largest civilian IT budget at a little over $3 billion. Although the department is best known for the NextGen program at the Federal Aviation Administration (FAA), it also handles a huge infrastructure – all of which needs to be secured. According to an Inspector General (IG) report from November, however, there are real deficiencies across DOT’s security posture, which can largely be described in three categories:

  • DOT networks are not sufficiently covered for the purpose of detecting and reporting incidents to the Department of Homeland Security (DHS);
  • Reported incidents are not remediated properly;
  • Configuration baselines and configuration changes are not appropriately managed.

That last point is particularly serious. In fact, the IG report went on to estimate that only 63% of DOT computers were compliant with departmental security policies. In other words, there is a real configuration management challenge being faced here, and it represents an area of priority for DOT cybersecurity personnel. The department is also severely delayed in its response to identified incidents, and it is still trying to determine how many medium-risk vulnerabilities are present in its security architecture, which makes DOT a great target for vulnerability assessment & remediation. Finally, continuous monitoring tools are a big requirement. Now that the continuing resolution is in place and agencies finally know how much money they have to spend for the rest of the fiscal year, we expect to see movement on quickly addressing some of these issues, both at DOT and in other departments.

New Cloud Spending Visibility Isn’t on the Horizon…It’s Already Here

by Tomas O’Keefe, Senior Analyst

Agencies are pursuing a handful of major initiatives to continue modernizing the IT landscape in the federal government. One of the Administration’s pushes within their Digital Government Strategy is directing agencies to look toward cloud solutions to create savings and enhance service delivery. The Cloud First Policy would require agencies to default to cloud-based solutions when evaluating options for new IT deployments “whenever a secure, reliable, cost-effective cloud option exists.” Following this line, OMB added something new and exciting to this year’s Exhibit 53s: this year agencies have included a breakout of cloud spending as a portion of their reporting. This means that cloud vendors have a better inkling of which investments are already on, or are going to be on, the cloud.

There are two new sources of information about cloud spending included in this year’s Exhibit 53s:

1. The first is in the traditional spreadsheet the administration makes available, where agencies have added three separate columns that detail cloud spending for the prior year (FY2012), current year (FY2013), and the budget year (FY2014). This is a great way for cloud vendors to get an idea of the applications that are going to be on the cloud, or at least the applications the government would like to be on the cloud (barring the ever-constant budgetary challenges).

2. The second is a representation of the agency’s cloud computing portfolio. This exhibit breaks down the level of spending an agency has committed to the different types of cloud – private, public, community, and hybrid – and also shows us the level of spending in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). While we don’t necessarily have directly actionable opportunities as a result of this information, it is definitely something cloud vendors should take a look at before their next meeting with agency leadership.

One final note: the agency with the highest level of cloud spending may not be who you initially think it is. Want to guess? Go ahead, we’ll give you a minute…got it? Okay. It’s not Defense, nor is it Treasury. It’s the Social Security Administration, with, according to the Exhibit 53s, nearly $1B in private cloud spending alone! Check out the table below for the top 10 agencies by cloud spending for FY2014, with all figures in $M:

[Table image: top 10 agencies by FY2014 cloud spending, in $M]

This Cyber Working Group Packs a Punch

by Steve Charles, Co-founder and Executive Vice President

It may sound dull – Executive Order 13636 DOD-GSA Section 8(e) Working Group – but it’s a group with a lot of leverage. It could dramatically change the complexion of federal IT procurement.

The Working Group is drafting a request for information from industry for how to eventually bake cybersecurity standards into federal acquisitions. Using the authority of the February executive order, the administration wants to get increased cyber protection any way it can, whether Congress acts or not.

Any company selling electronic products, software, or IT services to the federal government should read it. And get involved with your association. The initial RFI was drafted by a team of people not only from GSA and Defense, but also Homeland Security, NIST, and the Office of Federal Procurement Policy. A final draft is due any day now, and you’ll have until May 15 to comment.

The heart of the RFI consists of 37 questions grouped around three themes:

  • Is it feasible to incorporate cybersecurity standards into federal buys in the first place?
  • What are commercial procurement practices when it comes to cyber?
  • Would cyber-soaked acquisitions conflict with existing laws, regulations, or even common practices, and if so, what should we do about it?

No single company, much less any individual, can likely answer all 37 questions. It’s important to read them all, though, to get a thorough sense of where the administration might be going with this. For one thing, the working group points out a provision in the companion to the executive order (EO), namely Presidential Policy Directive 21. For governmentwide contracts for critical infrastructure systems, PPD-21 calls for GSA, DOD, and DHS to “ensure that such contracts include audit rights for the security and resilience of critical infrastructures.”

And, to ensure governmentwide “consistency”, the working group is joining with another interagency task force led by DHS to implement the EO and PPD-21. To paraphrase the Chevrolet ads, this runs deep. And wide.

Consistency requires common language, and the federal parties involved want a “broad meaning” for the word cybersecurity “that includes…supply chain risk management, information assurance, and software assurance.”

It’s vital to future sales that your company helps shape whatever rules eventually emerge and that they don’t put all of the burden and liability for cybersecurity on industry – or freeze standards in contracting language when we are trying to address a threat that is evolving at light speed. To return to my first point – download the draft RFI, get your sales and business development teams together, and start penning some answers.

Will Cybersecurity Bill Move Forward?

by Tomas O’Keefe, Senior Analyst

On Thursday, April 18, the House of Representatives passed H.R. 624, the Cyber Intelligence Sharing and Protection Act, more widely known as CISPA, by a vote of 288 to 127. The House had attempted passage of the controversial bill last year, but privacy concerns derailed the act and it never came to a vote in the Senate. Ostensibly, the bill is designed to enable government and businesses to share information on cyber threats and enhance the protection of U.S. business interests. Privacy advocates have protested the bill, noting insufficient protections within it to safeguard Americans from warrantless searches and other potential conflicts with the 4th Amendment. While the House has passed the bill, support in the Senate is lukewarm at best, and the bill is unlikely to leave committee due to the already conflicted Senate legislative agenda. Additionally, the White House has voiced serious objections to the bill, to the point where President Obama has threatened to veto its passage, so CISPA seems, at this point, to be nearly dead on arrival.

Obviously, cybersecurity and the protection of U.S. intellectual property have to be major objectives of legislation going forward, particularly with the dramatic increase in the number and technological sophistication of cyber and advanced persistent threats. However, groups like the ACLU and the Electronic Frontier Foundation (EFF) have persuaded the President and Democrats and Republicans alike that the privacy concerns associated with the current iteration of the bill are valid and need to be addressed before legislation can move forward. Several amendments offered in the House that would have addressed these privacy concerns, for example one that would have required businesses to strip customers’ personally identifiable information before transmitting data to the government, were not allowed to be voted on. Until these concerns are adequately addressed, I wouldn’t expect to see CISPA moving forward anytime soon.

FY14 Budget Highlights Cybersecurity Opportunities within DoD

by Lloyd McCoy Jr., Senior Analyst

As you’ve heard from Mohamad’s blog post, the FY14 budget calls for the Department of Defense (DoD) to spend approximately $5 billion for cyberspace operations, up 20% from FY12. In an era of declining budgets and workforce cuts, there is bipartisan support for more cybersecurity spending, which is good news for the technology industry.

Since the budget request’s release on April 10, we now know more about the government’s cybersecurity plans for the next fiscal year. The FY14 budget reorganizes some existing Pentagon cyber assets into teams specializing in critical infrastructure protection, cyber defense, and cyber offensive operations. These units, scheduled to become operational this year, will operate under U.S. Cyber Command (USCYBERCOM). The move reflects growing concern about our cyber vulnerabilities and seeks to correct a previously disjointed approach to cybersecurity. Furthermore, increased staffing and support for USCYBERCOM is a major step forward on its path to becoming a Unified Command, which would give it greater authority and responsibility. These efforts coincide with Administration efforts to increase the overall size of the cyber workforce. USCYBERCOM has traditionally had the mission of directing cyberspace operations and offering guidance, but it is granted no funding authority; with increases in cyber budgets and more focus being placed on cybersecurity, funding may start to flow through USCYBERCOM within the next year or so.

What does this mean for you? Besides there being more personnel devoted to cybersecurity and a more unified cyber strategy, expect increased spending on tools that detect weaknesses on classified and unclassified networks, and solutions which both defend our critical networks and proactively respond to threats in kind.

In addition to these tools, information sharing is another growth area within the DoD cybersecurity budget. The White House calls for increased funding in establishing an all-inclusive cybersecurity information-sharing system. Some components of this plan include:

  • Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections
  • Deploy an intrusion detection system of sensors across the federal enterprise
  • Pursue deployment of intrusion prevention systems across the federal enterprise
  • Connect current cyber operations centers to enhance situational awareness

We do not expect the cybersecurity budget to drop off in the near future, meaning opportunities will abound. Furthermore, due to the embryonic state of DoD’s cyber workforce and infrastructure, DoD officials are looking to industry for ideas and guidance. This is a chance for industry to help shape future buying decisions. The budget request still needs to get past Congress in order to become law. Neither the House nor the Senate, however, has shown an appetite for cutting cybersecurity spending. Therefore, while some details of the President’s request will change, you can be sure there will be more opportunities in cybersecurity programs than in previous years.

FY14 Exhibit 53s Now Available

by Tim Larkins, Consultant

As we all know, the President’s FY14 budget request of $3.77 trillion was released last week, and thankfully, the targeted spending cuts proposed in this budget would essentially replace the blunt, across-the-board cuts that would have been caused by sequestration. A small portion of the budget document addressed IT (pages 349-358), with the IT request coming in at $82 billion, up slightly from FY12 spending levels of $80 billion.

The budget request that specifically addresses spending on IT programs (the Exhibit 53) was released yesterday. While the request is 1% above FY13 levels, there are some significant changes. HUD will receive a 36% cut, USAID will receive a 24% cut, National Archives will receive a 13% cut, GSA will receive a 12% cut, and SSA will receive a 6% cut. The largest increase in IT funds will go to the VA with a 19% increase, DHS and EPA will receive a 7% increase, and DOS will receive a 4% increase. The remaining agencies’ IT programs will be largely unchanged.

The Exhibit 53 is a budget request, and as such can only be considered a guideline for IT spending for the year; but the fact that we are seeing a year-over-year increase in the IT request is outstanding news for the product community. This increase in budget requests, plus the possible elimination of blunt, across-the-board sequestration cuts and the potential of an omnibus budget for FY14, could spell a very prosperous year for technology companies after a year full of gloom and doom in 2013.

President’s FY14 Budget Request Would Add to Deficit but Bolsters Cybersecurity Spending

by Mohamad Elbarasse, Analyst

In a recent webinar, analysts at Bloomberg Government (BGOV) began what will inevitably be the first of many dissections of President Obama’s FY2014 budget request. The request asks for $3.8 trillion in spending for the next fiscal year. The deficit would be $744 billion next year, with deficits continuing for the next decade.

When compared to the enacted spending amounts from FY2012, many agencies will be seeing a cut in base discretionary spending under Obama’s budget, including USDA, HUD, and Labor. It would initially seem as though the Department of Justice would be facing a whopping 40% decrease in base discretionary spending, but the researchers at BGOV aptly point out the discrepancy is largely due to a change in accounting regarding asset forfeiture and the Crime Victims Fund. Agencies such as Commerce, Energy, VA, and NSF will see increases in their spending requests.

Cybersecurity is one of the few areas enjoying bipartisan support and increased funding in FY2014. The budget outlines $4.7 billion for the Pentagon for cyberspace operations, significantly more than the $3.9 billion it intends to spend on cybersecurity by the end of FY2013. This funding request represents the President’s and the Pentagon’s desire to build out the government’s offensive cyber capabilities. The budget request also asks for $300 million more when compared to the FY2012 number for DHS and a 22% bump for the VA, so the two agencies can further enhance their cybersecurity efforts.

While the federal government is curbing spending, it is no longer treating IT, specifically cybersecurity, as expendable. We can expect another debt ceiling debate this summer and hopefully legislation ending the federal government’s financial gridlock before the August recess.
