Five Recommendations to Unlock the Benefits of Streamlining Federal Cybersecurity Schemes

The U.S. government marks October as Cybersecurity Awareness Month to celebrate the year-round work of countless dedicated civil servants to strengthen the security of the United States. Many of ITI’s members proudly partner with the federal government to provide innovative information and communication technologies and services that help agencies deliver their mission. The secure and effective delivery of constituent services requires the federal government to manage and streamline parallel cybersecurity efforts while also prioritizing collaboration between agencies and industry partners.

Because of the interconnectedness of information systems, the government needs to take a holistic look at managing federal information risk to reduce the likelihood of misconfigurations and unintended security silos. While some efforts, like the recently published OMB Memorandum M-22-18, apply to all federal agencies, other ongoing efforts place requirements directly on the IT contractor base, like the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program (CMMC), the Cloud Computing Security Requirements Guide (SRG), and the National Institute of Standards and Technology’s revision of its Special Publication 800-171 cybersecurity guidance. In order to optimize security while minimizing the risk of unintended negative consequences, these efforts need to be seamlessly integrated. A disorganized patchwork of federal security mandates will create duplicative or conflicting requirements. This has the potential to paralyze government operations and might even imperil U.S. national security. A coordinated whole-of-government approach to cybersecurity, on the other hand, will 1) free up precious resources that can be reprioritized to address the highest risks to the information system; 2) improve inter-agency information sharing, which can help boost the acquisition of innovative products and services; and 3) lower the barriers to entry for small and medium enterprises competing for government contracts.

Here are five recommendations on how the federal government can unlock the hidden benefits of streamlining federal cybersecurity schemes:

  1. Ensure reciprocity between various federal cybersecurity schemes. This is critical, as this alignment provides U.S. government agencies with access to a diverse supplier base that can quickly come into compliance with any cybersecurity-related requirements. Contractors who have undergone the work required to gain certification or authorization under one scheme should not have to duplicate this work when seeking additional certifications. For example, the U.S. government should perform a comprehensive crosswalk of the overlapping controls between NIST SP 800-171, FedRAMP, and the DoD Cloud Computing Security Requirements Guide (SRG). A comprehensive mapping of controls would help contractors who believe they can meet the requirements of one framework understand what else is needed to gain certification under the other.
  2. Minimize overly burdensome requirements that impede missions and do nothing to improve cybersecurity. Cybersecurity is not a “check-the-box” exercise – it needs to address real risks. Government officials should take a risk-based approach to requiring the implementation of a cybersecurity certification scheme in contracts and choose an appropriate scope. Requirements that aren’t risk-based or are excessively applied may cause innovative companies to exit the federal marketplace altogether. For example, DoD contractors who receive a CMMC certification from an independent assessment organization while the SP 800-171 revision is ongoing should not have to start from scratch when NIST publishes a newer version of this guidance. Instead, defining the delta of additional controls would help contractors demonstrate compliance with additional or changing schemes more easily, which would improve government access to innovative commercial services.
  3. Recognize that cybersecurity is a continuous process. As technology evolves, new actors and techniques continuously enter the threat landscape. This will create new gaps that need to be quickly filled. Thus, federal cybersecurity schemes should allow and provide guidance for the use and timely execution of Plans of Action and Milestones (POA&Ms), which allow contractors to identify current gaps and explain to government partners how they intend to meet the goals of the cybersecurity scheme.
  4. Integrate the federal acquisition workforce into federal cybersecurity processes. The federal acquisition workforce is a key player in protecting federal networks and systems, and this group should be fully integrated into federal cybersecurity processes. The federal government should provide clear guidance to all contracting personnel advising them to elevate cybersecurity in all IT procurements and to move away from using cost as the sole award determinant, as current acquisition guidance already requires. The recently opened Federal Acquisition Regulation (FAR) Case 2022-010, which establishes a new part 40 devoted to cyber supply chain risk management, is a step in the right direction. Equally imperative is the need for guidance on when prime contractors need to “flow down” information security requirements to their own suppliers, and how to do so safely.
  5. Embrace industry as an equal partner in the broader mission to improve federal cybersecurity. Information needs to be shared not only between agencies but also between agencies and contractors. The U.S. government should hold regular public meetings on cybersecurity matters and establish regular communication channels, drawing on public-private partnerships similar to the Cybersecurity and Infrastructure Security Agency’s ICT Supply Chain Risk Management Task Force. In the regulatory space, the public-private information exchange can be supported through the use of advance notices of proposed rulemaking and pre-decisional public workshops.

The time is now for the federal government to adopt a holistic approach to managing federal cybersecurity and strengthen the security of the United States. ITI looks forward to continuing to work with government partners on this important effort.
