
NDAA would fully approve cyber funding for DOD

July 19, 2017 Laura Criste

This analysis was first available to Bloomberg Government subscribers. 

The House Armed Services Committee’s National Defense Authorization Act for fiscal 2018 recommends additional cybersecurity funding and assessments for the Defense Department, which would help address cybersecurity concerns and offer opportunities to federal information technology vendors.

The bill would fully fund the defense budget request for cyber operations and provide resources for cyber warfare. The funding would go toward the HASC’s recommendations outlined in 13 issues of the report’s Cyber-Related Matters section.

If the bill is passed, the following issues could affect defense IT contractors in fiscal 2018, due either to requirement changes or to potential opportunities resulting from fully funded, and potentially increased, cybersecurity operations.

Evaluating Industry

The report focuses on assessments that would improve the ability to hold contractors responsible for cybersecurity.

Under the current framework, the Cyber Security and Incident Reporting section of the Defense Federal Acquisition Regulation Supplement (DFARS), defense contractors are required to provide adequate security on contractor-operated information systems that include defense information. If a cyber incident occurs, a contractor must report it to DOD and review the damage.

The cybersecurity clause has caused concern about the ability of small businesses and non-traditional contractors to comply. To mitigate compliance risk, DOD and the Homeland Security Department introduced tools to help.

The committee suggests that the defense secretary assess contractor compliance and ask industry to identify any issues or concerns. A briefing on the assessment would be due in December 2018, and depending on industry’s response, the requirement could change for contractors or additional tools could be introduced to further assist contractors.

It also recommends using private sector tools to rate and monitor defense contractors’ cybersecurity prior to awarding a contract and continually after a contract is awarded. This change could cause contractors who were previously hacked or those who are attacked in the future to be at a disadvantage during contract evaluations. It could also offer opportunities to firms that provide cybersecurity rating services.

Innovation Wanted

The HASC bill could create additional opportunities for cloud services providers, data analysts, and innovators.

It encourages the Pentagon to further adopt cloud computing technologies, especially in military exercises, weapons systems, and wargames. This includes the IT and acquisition communities working together to make sure future contracts include a cloud component. As a result, contractors should expect increased opportunities that connect IT to cloud or hybrid cloud requirements.

The additional capabilities that come with cloud migration, like data being easier to access and associate, could bring new opportunities in data analytics, machine learning, and cybersecurity.

The HASC also wants DOD to embrace innovation when reviewing responses to solicitations, both in the response itself and in the type of solution the company can offer. The committee would like the Pentagon to be open to new types of responses to requests for proposals, such as the submission of code. In order to understand the response, this would also require the IT and acquisition community to collaborate.

As part of solicitations, the committee requests that DOD include “opportunities for industry to offer new and innovative concepts above and beyond those formally articulated.” This suggestion indicates that lowest price technically acceptable wouldn’t be the default in IT contracts that have room for innovation. If the bill is passed, best value could become the default in more solicitations.

Hardening Cyber Vulnerabilities

DOD will likely need help from contractors in conducting cyber vulnerability assessments and finding appropriate cyber technologies to harden systems.

The committee recommends an increase of $20 million to reach $50.1 million in fiscal 2018 to evaluate and harden cyber vulnerabilities in weapon systems.

The HASC also suggests that DOD “explore and invest in cyber technology that provides multi-tiered defensive capabilities, including those that leverage software defined ‘Moving Target Defense’ technology and techniques.”

Workforce of the Future

The report emphasizes cyber training and increasing the size of the cyber workforce. Though there is no clear opportunity for contractors, there could be future partnerships that develop between industry, non-profits, and academia. This could lead to contracts, though they’re likely to be small, or low-margin. For example, HASC recommends $8 million to fund cyber defense education of military and National Guard reservists.

A larger federal cyber workforce could ultimately impact the need for contractors who provide cybersecurity-related products and services to the government. Yet, with the current demand for cybersecurity, it’s unlikely that this is a threat except in the long term.
