Debt ceiling deal impacts IT budgets

What federal IT contractors need to know about the legislation

By Grier Eagan, Senior Market Intelligence Analyst

With the expected passing of the debt ceiling legislation, which locks in federal civilian spending until January 2025, contractors who sell IT to the government face a shifting landscape. While the Federal Civilian FY24 IT budget will cap at $56.4 billion, identical to the budget passed in FY22, opportunities still exist for those nimble enough to adapt.

Although this cap is $6.9 billion below the IT budget originally requested for FY24, IT vendors can take some solace in the fact that the FY25 budget is set to rise by a marginal 1 percent. Measured against the current annual inflation rate of 4.93 percent (Consumer Price Index), however, that increase leaves the federal civilian government with roughly 4 percent less buying power under the FY25 budget than under FY24.

Selling cyber now means understanding FITARA

Feds update FITARA metrics to include agency performance in critical cyber needs.

By Tara Franzonello, Program Development Manager

The U.S. House of Representatives Committee on Oversight and Reform (COR) released its 15th Federal Information Technology Acquisition Reform Act (FITARA) scorecard in December 2022. This latest scorecard introduced a new category for cyber security.

Agencies’ progress in implementing this key IT legislation is highly visible, from agency chief information officers (CIOs) to the Government Accountability Office (GAO) to Congress. Technology vendors have an advantage over their competitors if they can help agency customers show progress in the measured categories. This is now particularly important for FITARA because agencies self-assess their compliance every spring.

Why FITARA matters for federal cyber security sales

DAFITC Recap: DoD cyber experts emphasize ZTA and RMF reform

By Ryan Nelson, Market Intelligence Manager

When it comes to cybersecurity, look for the DoD to emphasize Zero Trust Architecture (ZTA) as the branches push for reform to the Risk Management Framework (RMF), among other hot topics.

At the recent Department of the Air Force Information Technology and Cyberpower (DAFITC) 2022 conference, increased focus on ZTA and RMF topped the list of cybersecurity concerns across the DoD. According to a panel of cybersecurity experts, other top-of-mind topics included the Cybersecurity Maturity Model Certification (CMMC) and the need for a better-articulated cybersecurity policy overall.

The panel included cybersecurity experts across the DoD, including:

  • David McKeown – Deputy Chief Information Officer for Cybersecurity and the Chief Information Security Officer for Department of Defense (DoD)
  • Alvin “Tony” Plater – Director of Cybersecurity for the Department of Navy Office of Chief Information Officer (OCIO)
  • Brigadier General Jan C. Norris (USAR) – Deputy Chief Information Officer, Department of the Army Office of the Chief Information Officer (OCIO)
  • Scott M. St. Pierre – Deputy Director Enterprise Networks and Cybersecurity Department of the Navy (OPNAV N2N6D)

As mentioned at the outset, panelists generally agreed that all branches of service need to move away from perimeter security toward a Zero Trust Architecture (ZTA). The panelists noted that the DoD released its Zero Trust Reference Architecture in July.

New Requirement for Software Deliverables to Comply with NIST 800-218

By Skyler Handl, Corporate Counsel, Public Sector

On September 14, 2022, OMB took a substantial step toward implementing EO 14028, Improving the Nation’s Cybersecurity, by issuing memorandum M-22-18. The memorandum requires agencies to ensure that third-party software used in agency information systems complies with the NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance; in practice, agencies must obtain a self-attestation of conformance from the software producer. It applies to software developed after September 14, 2022, and to existing software modified by major version changes after that date, including commercial off-the-shelf (COTS) products.

How does this impact your business?

EO 14028 uncertainty offers opportunities in event logging, zero trust, Part 2 of 2

By Ryan Nelson, Market Intelligence Manager

Uncertainty at the agency level about what constitutes compliance with EO 14028’s requirements regarding event logging (EL) and zero trust architecture (ZTA) offers vendors with those technological capabilities an opportunity to support agencies as they try to meet the demands of the order.

In the first part of this two-part series, we looked at event logging. This time we’ll turn our attention to ZTA.

As mentioned in our first installment, agencies have requested significant funding for the zero trust architecture and event logging requirements in the Executive Order, typically on the order of $25 million per agency to achieve both goals.

EO 14028 uncertainty offers opportunities in event logging, zero trust (Part 1 of 2)

By Ryan Nelson, Market Intelligence Manager

The Executive Order on Improving the Nation’s Cybersecurity, along with timelines and compliance guidance from the Office of Management and Budget (OMB), is causing some confusion among agencies as to what actually constitutes compliance. Agencies have requested significant funding for zero trust architecture (ZTA) and event logging (EL) requirements in the Executive Order, often around $25 million per agency to achieve both goals.

Vendors that can help agencies comply with the order and meet OMB’s timelines will be of extreme interest to these organizations.

Background

Signed on May 12, 2021, EO 14028 contains specific directives to improve agency visibility into network activity and strengthen cybersecurity. The Office of Management and Budget (OMB) then released clarifying guidance in memos that define what agencies must accomplish. These include:

  • OMB M-21-31: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents
  • OMB M-22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

EO 14028 requires agencies to develop their plan for achieving a zero trust architecture within 60 days of the order’s release, while OMB M-22-09 requires that specific security goals be achieved by the end of FY24.

FITARA Scorecard changes: What you need to know

By Tara Franzonello, Program Development Manager

How will changes to the Federal Information Technology Acquisition Reform Act affect government agencies and OEMs?

On Jan. 20, 2022, the Subcommittee on Government Operations discussed FITARA, the Modernizing Government Technology Act, and the Federal Information Security Modernization Act of 2014. The purpose was to consider how to modernize the FITARA Scorecard, since many agency grades have remained stagnant. 

Rep. Gerald E. Connolly, chairman of the Subcommittee, suggested that lack of progress was because of the methodology used to calculate metrics. Connolly believes there should be new ways to hold agencies accountable for IT modernization, including moving to the cloud.

CMMC: Get ahead by doing the bare minimum

By Ryan Nelson, Market Intelligence Manager

If you’ve been involved in federal sales for any time at all, you know that government cybersecurity professionals have been asking – pleading, in some cases – for vendors to “bake” risk management into their proposals. And while the industry does seem to be inching in that direction, it’s still a topic of great concern among agency IT leaders.

That’s why, if you really want to set yourself apart in federal sales, you need to do the bare minimum: build your proposals with an eye toward compliance with Cybersecurity Maturity Model Certification (CMMC) 2.0. Simply by doing that minimum, you’ll stand out from your less motivated competition and stand a better chance of having your proposal come out on top.

At a recent AFCEA TechNet Cyber show in Baltimore, a panel of cyber experts was once again bemoaning industry’s seeming lack of compliance with cybersecurity directives.

CMMC 2.0 is the latest iteration of the cybersecurity certification, which is aimed at protecting sensitive DoD information handled by defense contractors from complex cyberattacks. It’s intended to cut red tape for small- and medium-sized businesses and help DoD and industry work together to address evolving cyber threats.

TechNet panelists (everyone from the senior tech advisor for the Operations and Infrastructure Center at DISA to the Army CIO cybersecurity director) were adamant about one thing: CMMC risk mitigation needs to be written into every single proposal.

How TMF helps agencies fund IT Modernization

By Tara Franzonello, Program Development Manager

Improved cyber security is a priority for government agencies, which is why IT Modernization products and services are becoming so important. Unfortunately, agencies may not have sufficient funds for mission-critical IT.

That’s where the Technology Modernization Fund (TMF) comes in.

TMF bridges the IT Modernization gap between what agencies want and what Congress expects. In the last several months alone, the TMF has approved seven new projects totaling over $300M in new funding.

To help address immediate security and capability gaps, suppliers must have a better understanding of the TMF. Agency customers will be better positioned for TMF money if you can explain how your products and services map to TMF priorities and how they solve pressing IT issues.

Shaping the TMF proposal

TMF is an “innovative funding vehicle” authorized by the Modernizing Government Technology Act of 2017. It provides agencies with resources to secure systems and data, and to deliver services to citizens.

The Technology Modernization Board of TMF evaluates project proposals, provides funding recommendations, and monitors progress and performance of approved projects. Project proposals are submitted through a two-phased approval process – an Initial Project Proposal (IPP) and a Full Project Proposal (FPP). 

StateRAMP is here to stay. Are you ready?

By Ceren Öney, SLED Market Intelligence Manager

Formal adoption of StateRAMP into IT procurement policies is rapidly increasing. Last year, we encouraged vendors to put StateRAMP on their radar screens. Since then, nearly 200 government members representing 33 states have joined.

For service providers selling into state, local, and education institutions, now is the time to ensure that your cloud security is compliant with StateRAMP requirements.

While StateRAMP itself may still be a few years from being a household word, that doesn’t mean that state and local governments have been sitting idly by. The move toward better monitoring and certification of state, local and education network security has been going on for years, with two states at the forefront.

Arizona and Texas introduce state-specific frameworks

In September 2021, Arizona CIO J.R. Sloan announced the state will “test-drive” StateRAMP over the next year. Sloan, StateRAMP President and founding board member, had previously introduced AZRamp, Arizona’s Risk and Authorization Management Program. Arizona’s move to test StateRAMP doesn’t come as a surprise and further solidifies Sloan’s confidence in the program.

Meanwhile, effective January 1, 2022, Texas requires state agencies to enter into or renew contracts only for cloud offerings that comply with the Texas Department of Information Resources’ (DIR) own security framework, TX-RAMP.

Rising ransomware attacks targeting state and local governments, schools and colleges increased the pressure to strengthen cybersecurity postures and protect against incursions by bad actors. Coupled with the shift to digital services due to COVID-19’s disruptions and federal funding available under the Infrastructure Investment and Jobs Act and the American Rescue Plan Act, considerable emphasis is being placed on cyber security now more than ever.

Other states adopt the StateRAMP framework

For most states, like North Carolina and Georgia, creating a state-specific framework is too laborious and inefficient. Adopting the established StateRAMP framework makes the initial risk assessment, continuous monitoring and management more seamless and easier.
