CMMC: Get ahead by doing the bare minimum

By Ryan Nelson, Market Intelligence Manager

If you’ve been involved in federal sales for any length of time, you know that government cybersecurity professionals have been asking – pleading, in some cases – for vendors to “bake” risk management into their proposals. And while the industry does seem to be inching in that direction, it’s still a topic of great concern among agency IT leaders.

That’s why, if you really want to set yourself apart in federal sales, you need to do the bare minimum, and build your proposals with an eye toward compliance with Cybersecurity Maturity Model Certification 2.0. By doing the bare minimum, you’ll actually stand out from your less motivated competition, and stand a better chance of having your proposal come out on top.

At a recent AFCEA TechNet Cyber show in Baltimore, a panel of cyber experts was once again bemoaning industry’s seeming lack of compliance with cybersecurity directives.

CMMC 2.0 is the latest iteration of the cybersecurity certification, which is aimed at protecting federal infrastructure from complex cyberattacks. It’s intended to cut red tape for small- and medium-sized businesses and help DoD and industry work together to address evolving cyber threats.

TechNet panelists (everyone from the senior tech advisor for the Operations and Infrastructure Center at DISA to the Army CIO’s cybersecurity director) were adamant about one thing: CMMC risk mitigation needs to be written into every single proposal.


Big sales opportunities in lesser-known agencies: Decoding the Omnibus Bill

By Ryan Nelson, Market Intelligence Manager

The Omnibus Bill 2022, signed by the president about a month ago, clocks in at nearly 2800 pages. It’s an annual free-for-all for vendors, with sales teams scouring its pages to match appropriations to their product and service offerings.

While vendors typically target big-name agencies, there’s a strong argument for digging a bit deeper below the surface, to the smaller sub-agencies. Big opportunities are often buried in small-agency funding, and it’s worth a closer read of the bill to find out just where those opportunities exist.

After all, you may be unlocking an opportunity that isn’t obvious at first read, and that therefore may not be as competitive as the larger agency requirements. Put enough of these smaller opportunities together, however, and suddenly you find yourself with enough prospects to keep a team busy for some time.

That said, here are four interesting opportunities you might want to consider as you develop your prospect list from the newly signed budget bill:

1) Animal and Plant Health Inspection Service. Some $38,486,000 is to remain available until expended for Animal Health Technical Services. Similarly, $4,251,000 is to remain available for information technology infrastructure. That means even agencies focused on the health of wildlife, domesticated animals and farmable plants are still a lucrative target for big data, data analytics and network infrastructure components.

2) Farm Service Agency. Necessary expenses for this comparatively low-profile agency actually top $1.1 billion, and information technology represents a significant part of that funding. With programs ranging from aerial photography to financial management information, there are quite a number of opportunities in this agency alone. Most notable is the Modernize and Innovate the Delivery of Agricultural Systems (MIDAS) program. MIDAS is a web-based modernization initiative to simplify, integrate, and automate the delivery of Farm Programs across the United States.


Seven ways to improve your sales to state CIOs

By Ryan Nelson, Market Intelligence Manager

State and local legislatures are having a good year. Flush with cash from federal funding, most states enacted budgets with increased spending and revenue for FY2022. According to a recent conference of market analysts and government leaders, states project general fund spending of $1.02 trillion, a 9.3% increase over 2021. The education outlook is a bit more cautious, showing a trend of delayed spending of federal funding in K-12 districts. Nonetheless, an additional $3.5 billion in e-rate funds is projected for 2022 and 2023.

Taking all of this into account, what do vendors planning to sell into the state and local market need to know? The sales approach to state and local decision-makers is different from the federal market’s, and vendors should be prepared to adjust their approach to ensure a better chance of success.

During the recent conference, Jim Weaver, Secretary for Information Technology/State CIO for North Carolina, was interviewed about how vendors can better position themselves and present information to decision-makers. Here are some of his top tips:

1. Understand the state’s strategic plan. Every state has a strategic plan. Before you engage, know how your products and services will help them achieve their particular goals. Do not ask what an agency’s “pain points” are, or “what keeps you up at night?” You’ll find yourself being redirected back to the strategic plan.

2. States are changing the way they consume info. A crisis is an opportunity to influence change, Weaver said, and that has been true with the pandemic. What’s important now are case studies and the applicability of the study to the particular agency being courted. Messaging has to be eye-catching and visionary, but still based on what’s being done at the strategic planning level. Also, Weaver emphasized being engaged in the procurement process; vendors who aren’t already engaged in the process will most likely not get a lot of traction.


How TMF helps agencies fund IT Modernization

By Tara Franzonello, Program Development Manager

Improved cybersecurity is a priority for government agencies, which is why IT modernization products and services are becoming so important. Unfortunately, agencies may not have sufficient funds for mission-critical IT.

That’s where the Technology Modernization Fund (TMF) comes in.

TMF bridges the gap in IT modernization between what agencies want and what Congress expects. In the last several months alone, the TMF has approved seven new projects totaling over $300M in new funding.

To help address immediate security and capability gaps, suppliers need a better understanding of the TMF. Your agency customers will be better positioned for TMF money if you can explain how your products and services map to TMF priorities, and how they solve pressing IT issues.

Shaping the TMF proposal

TMF is an “innovative funding vehicle” authorized by the Modernizing Government Technology Act of 2017. It provides agencies with resources to secure systems and data, and to deliver services to citizens.

The Technology Modernization Board of TMF evaluates project proposals, provides funding recommendations, and monitors progress and performance of approved projects. Project proposals are submitted through a two-phased approval process – an Initial Project Proposal (IPP) and a Full Project Proposal (FPP). 


StateRAMP is here to stay. Are you ready?

By Ceren Öney, SLED Market Intelligence Manager

Formal adoption of StateRAMP into IT procurement policies is rapidly increasing. Last year, we encouraged vendors to put StateRAMP on their radar screens. Since then, nearly 200 government members representing 33 states have joined.

For service providers selling into state, local, and education institutions, now is the time to ensure that your cloud security is compliant with StateRAMP requirements.

While StateRAMP itself may still be a few years from being a household word, that doesn’t mean that state and local governments have been sitting idly by. The move toward better monitoring and certification of state, local and education network security has been going on for years, with two states at the forefront.

Arizona and Texas introduce state-specific frameworks

In September 2021, Arizona CIO J.R. Sloan announced the state will “test-drive” StateRAMP over the next year. Sloan, StateRAMP President and founding board member, had previously introduced AZRamp, Arizona’s Risk and Authorization Management Program. Arizona’s move to test StateRAMP doesn’t come as a surprise and further solidifies Sloan’s confidence in the program.

Meanwhile, effective January 1, 2022, Texas requires state agencies to enter into or renew contracts only for cloud offerings compliant with the Texas Department of Information Resources’ (DIR) own security framework, TX-RAMP.

Rising ransomware attacks targeting state and local governments, schools and colleges have increased the pressure to strengthen cybersecurity postures and protect against incursions by bad actors. Coupled with the shift to digital services driven by COVID-19’s disruptions, and with federal funding available under the Infrastructure Investment and Jobs Act and the American Rescue Plan Act, more emphasis than ever is being placed on cybersecurity.

Other states adopt the StateRAMP framework

For most states, like North Carolina and Georgia, creating a state-specific framework is too laborious and inefficient. Adopting the established StateRAMP framework makes the initial risk assessment, continuous monitoring and ongoing management simpler and more seamless.


The Fed’s EDR focus will unlock opportunities in cyber defense

By Amanda Mull, Contract Specialist

The cybersecurity of the federal government is constantly under attack. A recent FISMA report from the Office of Management and Budget noted that in FY2020, agencies reported 30,819 cybersecurity incidents to the U.S. Computer Emergency Readiness Team. The variety of attack vectors continues to evolve, creating a dynamic threat landscape.

The government is addressing this challenge by mandating Endpoint Detection and Response (EDR) tools. Companies that can offer these tools and capabilities will be well-positioned to build their federal customer portfolio.

EDR is an integrated security solution that detects threats by combining real-time, continuous monitoring and collection of endpoint data with rules-based automated responses and analysis capabilities. The collected data helps establish the security state of each system. Evaluation and machine analysis of that data provides coordinated detection of threats and of the conditions that trigger programmed responses, including follow-up via human notifications and further actions to mitigate any potential or actual threat.

EDR initiatives and Approved Product listing

On January 10, the Cybersecurity and Infrastructure Security Agency announced an expanded and revised EDR technical capability definition and new requirements for adding EDR items to the Department of Homeland Security’s Continuous Diagnostics and Mitigation Program’s Approved Product List.

The federal EDR initiative includes a CISA dashboard to record data collected from all federal executive agency and department information systems. The dashboard metrics are intended to provide an overall federal cyber threat analysis. OMB and other federal actors plan to use the dashboard metrics to evaluate vulnerabilities and make budgetary decisions to fund cybersecurity improvements.

Agency EDR responsibilities and FISMA updating

Expectations for agency engagement are high. EDR implementation is mandated, and agencies must continue to develop and mature their EDR solutions – along with continued reporting of endpoint data to the coordinated CISA federal dashboard.


Cybersecurity Opportunities within the Infrastructure Investment and Jobs Act

By Gabrielle Perea, Senior Market Intelligence Analyst

With the signing into law of the Infrastructure Investment and Jobs Act, significant funding has been allocated in support of highways, highway safety, and transit programs, including cybersecurity provisions. Cybersecurity providers have a real opportunity to position their offerings as tools that address the cybersecurity provisions and opportunities detailed in the IIJA.

The IIJA provides $1.9 billion for cybersecurity, with a $1 billion grant program to assist state, local, and tribal governments to guard against cyberthreats and modernize systems, especially critical infrastructure. These funds will be disbursed by the Federal Emergency Management Agency over the course of 4 years, beginning in 2022, with disbursement guided by the Cybersecurity and Infrastructure Security Agency.


GSA planning government-wide cloud BPA: What you need to know

By Adam Hyman, Director, Government Programs

Over the past couple of years, immixGroup has tracked discussion about the General Services Administration putting together yet another new acquisition vehicle — this time around for cloud solutions. That initial chatter may now become reality.

In 2019, GSA released an RFI seeking industry input on providing cloud products and services in creative solution bundles, to better help customers with their business/technology needs and to save the government money.

This past October, GSA released another RFI related to cloud, making its intent clearer: GSA intends to establish a government-wide, Multiple Award Blanket Purchase Agreement using the following Special Item Numbers (SINs):


NASCIO Survey shows three transformation areas: Digital services, cyber and people

By Chauncey Kehoe, SLED Contracts Manager

If 2020 was a roller coaster ride for state CIOs, the priority shaping their decisions now is to push forward with digital transformation.

The National Association of State Chief Information Officers publishes an annual survey of state CIOs and their perspectives. The 2021 State CIO Survey reveals insights from 49 state CIOs on the “short-term and long-term impact of the pandemic.”

The overwhelming consensus among state CIOs is that digital services, cybersecurity and people will continue to be the top priorities over the next year. This marks a shift from 2020, when, understandably, the emphasis was on initiating remote working and more online services for citizen programs.

I attended this year’s NASCIO conference, and what I heard from state CIOs was consistent with the survey findings. Let’s take a look at their current and planned focus areas.


CMMC 2.0 streamlines requirements for contractors

By Hollie Kapos, Corporate Counsel

In September 2020, DoD published an interim rule to implement CMMC, which became effective November 30, 2020. The DoD received over 850 public comments in response, citing concerns with cost, trust in the assessment ecosystem, and alignment to other federal requirements.

Accordingly, DoD began an internal assessment of CMMC policy and implementation and, as a result, has just announced CMMC 2.0, which makes several substantial changes to the original model.

Levels streamlined in CMMC 2.0

Levels 2 and 4 have been removed, so there are now only three levels of compliance instead of five, as follows:

  • CMMC Level 1, Foundational – Requires implementation of the 17 controls from NIST SP 800-171 enumerated in FAR 52.204-21 and submission of an annual self-assessment to the DoD through the Supplier Performance Risk System (SPRS).
  • CMMC Level 2, Advanced – Requires implementation of the 110 controls in NIST SP 800-171 and submission of an annual self-assessment or, if required to handle “critical national security information” (currently undefined), a triennial independent assessment performed by a CMMC Third Party Assessment Organization (C3PAO).
  • CMMC Level 3, Expert – Requires implementation of the 110 controls in NIST SP 800-171 and a subset of controls from NIST SP 800-172, plus a triennial government-led assessment. Requirements for Level 3 are still being developed.