Exceed Federal Cyber Rules for an Edge: Rey Martinez de Andino
Doing business with the government is complex and often overwhelming. Past performance, client knowledge, and a streamlined accounting system are among the first things we consider when trying to grow a government contracting business.
I’m here to tell you that you also need to consider cybersecurity. With a 50% increase in weekly cyberattacks during 2021, malicious cyber actors have become a major threat to businesses, especially federal contractors.
The Federal Cybersecurity Push
Contractors are continually looking for differentiators to increase their government business, but they often miss the way cyber preparedness factors into their likelihood of winning new contracts over the long and short term.
Over years of dealing with cyber risk, the government has learned that poor cybersecurity practices among contractors undermine its cyber preparedness and contribute to dangerous breaches. Bad actors going after government data have long recognized that it is easier to attack small government contractors with limited resources than to go straight at the US government. That’s why federal authorities have issued cybersecurity requirements to their partners in the private sector.
The Department of Defense was among the first to take this initiative, and since then, other federal agencies have followed in its footsteps. In 2017, the DOD began requiring its vendors to produce a Systems Security Plan (SSP) and Plan of Actions and Milestones (POAMs). This became a core requirement of the National Institute of Standards and Technology special publication (SP) 800-171 that businesses in the Defense Industrial Base (DIB) are required to follow.
Unfortunately, reliance on self-assessment resulted in low levels of compliance. The DOD has since changed its tone and created various iterations of the Cybersecurity Maturity Model Certification (CMMC).
Trust as the Ultimate Differentiator
What do these standards have to do with revenue and bottom line? We all know that you do business with people you know, like, and trust. But how can clients trust your company to keep their data safe? Would you trust anyone that might leave your data unprotected? Would reassurances based on tested cybersecurity standards increase your trust? Of course they would.
Likewise, getting your government customers to trust that you will safeguard their data can be a massive differentiator for your company, and that increases revenue-building opportunities.
Compliance with CMMC will go a long way to label companies as trustworthy to the DOD. But ultimately, it’s only a small step in the right direction.
What can companies do to use cybersecurity as a trust-building, revenue-increasing practice?
Building a Cybersecurity Culture
It’s one thing to say your company is cybersecurity conscious. In an increasingly digital world, awareness is not enough. Cybersecurity should be one of your core values.
Business owners and C-suite executives need to understand the importance of cybersecurity and the risks associated with failing to protect their data. Company leaders must buy in and actively promote a security-first mentality to their employees throughout the company.
Every employee in every position should be able to understand and explain how cybersecurity initiatives contribute to your short- and long-term goals. By building a unified front, all government-facing employees demonstrate that your company takes cybersecurity seriously. The government likes to do business with companies it trusts. If it trusts that you can protect controlled unclassified information (CUI) and personally identifiable information (PII), it will be more inclined to award you a contract.
Think Security Beyond Compliance
Today, there are many cybersecurity and compliance frameworks across different industries. Going the extra mile and placing cybersecurity at the center of your business will allow your company to go beyond compliance and achieve real cyber preparedness.
Never do the bare minimum to comply. Ensure that the requirements make sense for your unique business. Doing this will show prospective clients that you know what you are doing, not merely checking boxes to pass an audit.
Showcase Your Expertise
Once you have accomplished what we discussed above (making cybersecurity a central value, attaining compliance, and going the extra mile), it’s time to make everyone aware. Discussing your performance and initiatives with decision makers and showing that you take cybersecurity seriously is the last step to using cybersecurity as a marketing tool. Don’t be afraid to tell them about your company’s certifications, frameworks, and accomplishments.
Achieving cyber preparedness is no small feat. Many fail at protecting data, so this is your chance to shine and show that you are succeeding at an essential aspect of modern business.
At the same time, cybersecurity’s impact on revenue doesn’t reduce to a marketing tactic—a good cybersecurity posture will also prevent and limit the damage of ransomware attacks. Providers of cybersecurity insurance will take a careful look at your practices and risk level, influencing the cost your company will have to pay. The value of a trusted reputation and high brand equity is intangible. It will pay dividends for years to come.
At the end of the day, good cybersecurity is not an expense, it’s an investment.
Rey Martinez de Andino is a compliance adviser and cybersecurity expert designing programs to reduce cyber risk for government agencies and contractors. He is the CEO of Tenace, an IT management and financial services consulting firm.