GovWin
Competition for Cyber Talent Drives New Army and DHS Efforts

There is rarely a day that goes by when you won’t see a top story on cybersecurity and the scarcity of people with the right IT security skills to address the growing challenges. It is this very demand for skilled cybersecurity staff that is driving some new, creative, and some might say bold efforts by the Army and the Department of Homeland Security (DHS) to raise up, recruit, and retain talent.

The Department of Defense (DoD) may be the one federal entity where building a cyber workforce is the most prominent, as they continue to grow a cadre of uniformed cyberwarriors to staff various cyber commands and other network defense organizations, like the Joint Task Force-DoD Information Networks (JTF-DoDIN). However, building the force is only part of the challenge. Once their tour of service commitment is fulfilled these skilled cyberwarriors often have the attractive option to land high-paying jobs in the private sector, so the sustainability of a cyber-force is a major DoD priority.

Recognizing these realities is a driving force behind the establishment of the Army Reserve's Cyber Private Public Partnership, or Cyber P3, among the DoD, universities and private employers. In recent comments in a story by Nextgov, Cyber P3 program manager Lt. Col. Scott Nelson said that the program is trying to answer key questions of "how do we retain the investment the Army made in that soldier" and also "allow them to get a really good job with our industry partners?"

Maximizing the return on investment in cybersecurity personnel is not the only item on the Cyber P3 agenda. They also want to enhance the pipeline of skilled cyber personnel through building parallel cybersecurity education and training programs among military and universities. In that pursuit, several universities, companies and federal agencies are collaborating on the effort with the goal of establishing 3,500 to 5,000 Army reserve cyberwarriors that can be at the ready when the need arises. Among the 21 private companies that have already stepped up to help transition service members into civilian careers are Citibank, Microsoft, Fox Entertainment and Chevron, according to the Nextgov report.

The Pentagon is not the only federal agency looking to industry to bolster its long-term cybersecurity posture. Department of Homeland Security Secretary Jeh Johnson announced at the RSA Conference in San Francisco that DHS is opening a cybersecurity branch office in Silicon Valley to “strengthen critical relationships… and ensure that the government and the private sector benefit from each other’s research and development.” Collaboration and synergy are not the only things on Johnson’s mind, however. He’s recruiting. He intends to “convince some of the talented workforce in Silicon Valley to come to Washington,” highlighting the new United States Digital Service program that provides mechanisms for tech talent in private industry to complete a “tour of service” within government agencies. But on a more formal level, Johnson is “on the hunt” for a cybersecurity “all-star” to head up DHS' National Cybersecurity and Communications Integration Center (NCCIC), promising a direct reporting and communications line to the department Secretary, i.e., himself.

These efforts, and others, underscore the ongoing urgency and scope expansion of cybersecurity into nearly every area of modern life. As the “Internet of Things” (IoT) continues to march on – bringing digitization, sensor-ization and connectivity to everything from communications to home appliances and motor vehicles – securing this infrastructure from exploitation and destruction becomes even more critical. Further, the farther down the cybersecurity road we go, the more it becomes apparent that there is only so much we may be able to automate with tools – at least for now. This is especially true when it comes to decision-making and rapid response. Skilled people are critical, in high demand, and in short supply.

These efforts by the DoD, DHS, and others will take time to build the pipeline necessary to meet the demand. It will likely take years, not a cheerful prospect when one considers the growing threats we face. Meanwhile, the competition for these skills will remain fierce. 

Industry Leaders Chime In on Likely Federal CIO Priorities

New federal CIO Tony Scott is being welcomed with cautious optimism by federal IT industry leaders.  Most believe he has the right skills and experience for the job. 

A recent Federal Times article speculates about Scott’s likely priorities as CIO:  cybersecurity, IT workforce, and IT project performance. 

Cybersecurity heads the list of expected priorities for the new federal CIO.  Backed by administration support, cybersecurity is allotted $14B in the president’s FY 2016 budget request.  Protecting federal data and networks is a high priority for the administration.   Scott will play a vital role in coordinating cyber efforts, capitalizing on technology and communicating policies to department and agency CIOs.  Forums where CIOs can share best practices and challenges, such as the CIO council, will be very valuable in these endeavors.

Scott is also expected to address IT workforce issues.  To bring government to the cutting edge of technology, the IT workforce must undergo continual training and also bring in private sector expertise.  According to OPM, nearly 50% of the federal IT workforce is over 50 years old.  While age doesn’t limit expertise or creativity, it does call for continual training to be on the cutting edge.  Industry hopes that that training extends beyond the traditional IT workforce and stretches to contract, acquisition and program personnel.

Federal industry executives also believe Scott will focus on IT project performance.  They suggest that the focus should be on using data to improve projects rather than looking at reporting requirements as just required mandates.  

Industry experts also see the new CIO as playing a role in the implementation of new digital service teams across agencies.  The federal budget request calls for creating teams at 25 agencies.     

Scott is the first federal CIO who comes to government with experience as a CIO. He brings a private sector perspective to the business of government, along with commercial best practices. “He’s going to be looked at as somebody to be a coordinator and also a leader in terms of identifying what are the top priorities and really leading the federal CIO community,” according to Jason Kimrey, area director of Intel Federal. Federal and industry IT leaders are hopeful that Scott will make a positive and lasting impact on federal IT.

 

DHS Would Get a $400 Million Boost for the Rest of FY 2015 Under House Bill

While most federal departments received their final fiscal year (FY) 2015 appropriations in mid-December, the Department of Homeland Security (DHS) was put in a funding holding pattern by the last Congress. Now, the new 114th Congress is in session and the U.S. House of Representatives has moved forward on a funding bill for the department.

In December, Congress passed an FY 2015 omnibus that funded all federal departments through the rest of the fiscal year, ending on September 30, except for DHS, which was funded with a continuing resolution (CR) until February 27, 2015. 

Now, with the DHS CR set to expire in a few weeks, the House has approved a FY 2015 Homeland Security Appropriations bill which would fund DHS through September, provided the Senate can move forward on a comparable version and the two chambers can reconcile a final bill to send to the president by the deadline.

The House bill, H.R. 240, provides a total of $39.7 billion in discretionary funding, which is an increase of $400 million (+1%) over the FY 2014 enacted level of $39.3 billion, which itself was a billion dollars more than the White House requested in the FY 2015 budget. If enacted, the $37.7 billion would constitute more than a 3.5% increase over what the president requested for this fiscal year.

The bill and the accompanying Explanatory Statement provide details on agency funding and some specific IT investment areas.

  • Office of the Chief Information Officer (OCIO) – $288.1 million, of which $189.1 million is multi-year money available through FY 2016. The $288.1 million is $31 million over the FY 2014 enacted level. An additional $1 million is provided for the DHS Data Framework initiative and an additional $500 thousand is provided for cyber remediation tools.
  • Cybersecurity – The bill includes a total of $753.2 million for cybersecurity operations in the National Programs and Protection Directorate (NPPD). An additional $164.5 million is provided for NPPD Communications and $271 million for infrastructure protection programs, for an aggregate total of $1.19 billion. Cybersecurity workforce funding of $25.9 million is provided for Global Cybersecurity Management, of which at least $15.8 million is for cybersecurity education.
  • Science and Technology – $1.1 billion, $116.3 million below the FY 2014 enacted level, but $32.1 million above the president’s request. This includes $973.9 million for Research, Development, Acquisition, and Operations.
  • Customs and Border Protection (CBP) – $10.7 billion, an increase of $118.7 million above the FY 2014 enacted level. Of this, a total of $808.2 million is provided for Automation Modernization efforts for TECS, Automated Commercial Environment (ACE), International Trade Data System (ITDS) and others. The bill slates $382.5 million for Border Security Fencing, Infrastructure, and Technology (BSFIT).
  • Immigration and Customs Enforcement (ICE) – $5.96 billion, an increase of $689.4 million over the FY 2014 enacted level. IT funding includes $3.5 million to support enhancements to the PATRIOT system for visa vetting.
  • Transportation Security Administration (TSA) – $4.8 billion, a decrease of $94.3 million below the FY 2014 enacted level. Technology provisions include $334 million for Explosives Detection Systems (EDS) Procurement and Installation, of which $83.9 million is discretionary funds. The bill also includes $449 million for Transportation Security Support IT and $295 million for Screening Technology Maintenance.
  • Coast Guard – $10 billion, $159 million below the FY 2014 level but $439.5 million above the president’s request, including $2.5 million to restore cuts to USCG information technology programs.
  • Citizenship and Immigration Services (CIS) – $124.4 million in discretionary appropriations is provided for the E-Verify program.
  • Federal Emergency Management Agency (FEMA) – $934.4 million for Salaries and Expenses, down $12.6 million from the FY 2014 enacted level. The bill allows for $7 billion for disaster relief and $2.5 billion in first responder grants, including $1.5 billion for state and local grants; $680 million for Assistance to Firefighter Grants, and $350 million for Emergency Management Performance Grants.
  • Secret Service – $1.7 billion, an increase of $80.5 million above the fiscal year 2014 enacted level. This includes $21.5 million to begin preparation and training for presidential candidate nominee protection for the 2016 presidential election, including for protective vehicles and communications technology. It also includes $45.6 million for investments in Information Integration and Technology Transformation programs.

As anticipated, the House bill restricts the use of funds for controversial White House immigration measures. The House Appropriations Committee Report that accompanies the bill includes an amendment stipulating that no funds, resources, or fees provided to DHS may be used to implement the immigration policy changes that the president initiated last fall.

The ball is now in the hands of the Senate Appropriations Committee (SAC), which has just solidified and announced committee chairs after the leadership change resulting from last November’s election. The Homeland Security subcommittee will need to quickly move their bill forward from the last committee action last summer if they hope to make the February 17 deadline, so the clock is ticking.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about 
GovWin FIA. Follow me on Twitter @GovWinSlye.

 

Federal Cybersecurity Market Forecast – Sustained Growth Continues

The federal cybersecurity market continues to grow and we have just completed analysis that shows how much. Increasing threats, the rapid pace of technological change, and an increasing reliance on mobility, cloud computing, big data, and information sharing make information security critical for federal agencies. To address these challenges, agencies continue to invest in industry tools, technologies and personnel services and this will drive growth in the market segment over the next several years.

Taking a comprehensive perspective on the federal cybersecurity market, we see four major driving areas that continue to create demand for government-wide and agency budget investments:

  • Threat Drivers - Rapid rise in complex, diverse, persistent and morphing threats to networks, devices, data and other infrastructure.
  • Policy Drivers - Executive branch policies address wide areas of cyber across government and beyond. Stagnant legislation reflects diversity of opinion. Compliance policy bolsters spending on existing frameworks. RFP language is both driving and requiring security.
  • People Drivers - Challenge to find enough qualified cybersecurity professionals. Initiatives to cultivate internal government talent and “inherently governmental” roles will limit contractor addressability, but agencies that supplement by contracting will drive spending.
  • Technology Drivers - Threats and vulnerabilities drive direct technical remedies while new, disruptive technologies require security for full adoption.

Given these drivers, Deltek forecasts the demand for vendor-furnished information security products and services by the U.S. federal government will increase from $7.8 billion in FY 2014 to $10.0 billion in 2019 at a compound annual growth rate (CAGR) of 5.2%. (See chart below.)

Key Findings

There are several conclusions that we came to when reflecting on what we are observing across the federal information security environment and how the drivers above are impacting the market both now and going forward. Here are some of our key findings:

  • The continued rise in cyber incidents underscores what is at stake.
    • Threats span all areas of cyber – from within and from without.
    • Threat concerns impact all levels of the federal IT environment.
    • Persistent and diverse threats are driving risk-based approaches.
  • Policies and priorities are slow to evolve into effective security approaches.
    • The drive for security permeates multiple layers of federal policy, but there is a disconnect between compliance policies like FISMA and actual security, as revealed by the volume and type of security incidents.
    • Security considerations impact the broader tech and acquisition landscape.
  • Security efforts and posture are currently dependent on the availability and proficiency of skilled personnel.
    • Staffing levels and skill sets vary across government, driving sustained demand for industry support.
  • Technologies are seen as both security “gap-filler” and “gap-creator.”
    • One year into the CDM tools BPA, only marginal improvements have been seen.
  • Strong processes are needed to link technologies, approaches and personnel skill sets to maximize security posture.

Efforts among agencies to increase effectiveness, efficiency and economy like the joint DHS-GSA Continuous Diagnostics and Monitoring (CDM) program BPA are having some impact on how agencies are approaching cybersecurity and setting their spending priorities within their security budgets. Although the process of arriving at accurate and complete IT asset inventories that need to be secured and monitored is taking time, somewhat elongating the journey, we remain bullish that the priority of securing and protecting federal data and infrastructure will continue to drive significant market opportunity over the next five years.

Get more of our perspective in our latest report: Federal Information Security Market, FY 2014-2019.


DHS Cybersecurity Spending Trends Align with Personnel Challenges

Attracting and retaining skilled cybersecurity people is key for federal agencies in meeting their cybersecurity challenges and this is especially true at the Department of Homeland Security. Yet, DHS continues to make the news with its difficulty in retaining top staff and in hiring highly-qualified people, especially for cybersecurity.   A look at their cybersecurity spending data reveals what has been happening.

I previously looked at the media reports of morale and personnel retention issues at DHS that impact their cybersecurity mission and some legislation that Congress has moved forward that may make it easier for DHS to hire cybersecurity staff in the future. This week I want to look at some of the IT security budget data that underscores the situation at the department – especially how much of DHS’s IT security spending goes toward security personnel versus security software and hardware solutions.

Hard data on what agencies spend on cybersecurity is not usually easy to find and it can vary in its completeness and granularity. However, over the last several years OMB has released varying amounts of IT security budget data as part of their annual Federal Information Security Management Act (FISMA) report submitted to Congress to update them on the progress and challenges agencies are facing. On a few occasions OMB has provided a breakdown of spending by personnel, security tools, training and other areas.

To be sure, the amount that a federal department spends on security personnel compared to their overall IT security spending varies agency by agency and the relative mix of government personnel to contracted personnel also varies. Observing an agency’s total IT security personnel spending vis-à-vis their overall security budget can give a sense of the security landscape at the department. The stability or movement often may be tied to specific priorities at the department. Even if it is not, the mix can give us a sense and hint at what opportunities may exist.

DHS IT Security Spending

Based on the last several Federal Information Security Management Act (FISMA) reports released by OMB, DHS’s reported IT Security spend was stable from FY 2010 to FY 2011 and then saw significant yearly increases in FY 2012 and FY 2013. However, over the same period, the amount of money DHS spent on security personnel actually dropped. (See chart below.)  The result is that the relative percentage of total spending that was used for security personnel decreased at an accelerating rate over the period as the two categories moved in opposite directions – total spending increased while personnel spending decreased.


But the story gets even more stark. For FY 2012 DHS reported to OMB that they employed just under 400 IT security government personnel, compared to contracting more than 600 IT security personnel from industry. While this proportion of government-to-contractor personnel itself is not completely unheard of (Treasury, Energy, and NASA have even larger spreads), the fact remains that DHS holds the predominant role in government-wide IT security, consistently receives the largest IT security budget among the civilian agencies, and is one of the most dependent on a contracted workforce to achieve its cyber mission.

Over the last several years various members of the DHS leadership have made well-publicized comments about the challenges of attracting and retaining cybersecurity personnel. Hence the legislative push in Congress to help them. Yet the spending data suggests that there is growing opportunity at DHS in areas that are not personnel-centric, like cybersecurity solutions that put tools in the hands of the skilled people they have now in order to make them more productive and effective. Evidence for this is that DHS’s spending on IT security tools increased from about $30 million in FY 2010 to nearly $300 million in FY 2012.

DHS will probably continue to struggle to build their cyber-workforce for some time – with or without help from Congress. Until then, they’ll continue to need skilled people from industry to fulfill the mission, but to reach long-term sustainability and ultimate success they will need to look to ever-advancing security tools to leverage their people to the maximum effect.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

Will Congress Help DHS Stem its Cyber-Workforce Hemorrhaging?

Recent news media reports reveal endemic leadership and staff turnover and low morale at the Department of Homeland Security (DHS) and these challenges continue to impact both its intelligence and cybersecurity missions and the department’s ability to attract and retain skilled experts. Now, it appears that some legislation in Congress might help address some of the issues. 

According to a recent Washington Post report, over the past four years, federal employees have left DHS at a rate that is nearly twice as fast as the overall federal government, and the trend is accelerating. Morale is dismal, by most reports, and the department’s ability to attract replacements and new talent has been slow and ineffective. Contributing factors include cultural clashes and in-fighting among the sub-agencies, bureaucratic lethargy, unclear missions, a high degree of regulatory oversight, and low pay compared to similar jobs in the private sector. The departures have hit the leadership area especially hard. The department’s top-level vacancy rate had reached 40 percent, although the Senate has confirmed 10 top DHS officials in the last six months or so.

The high-level leadership departures have hit DHS’s intelligence functions hard, as well as cybersecurity. The Post reports that between June 2011 and March 2012, four senior DHS cybersecurity officials left, right as DHS was arguing its case to Congress to be given more authority in protecting critical private-sector infrastructure and networks, a failed effort. High churn rates have also impacted operational areas like the National Cybersecurity and Communications Integration Center (NCCIC), which just recently lost its director and another key leader. The high turnover rate is credited with stalling the progress of major programs like EINSTEIN. Compensation is a major issue as cybersecurity experts can make 2-3 times as much, or more, in the private sector than they can at DHS.

While numerous legislative bills aimed at beefing up the federal cybersecurity workforce have come and gone over the last few years, one effort to support DHS has gained legs recently. The Senate recently passed the Border Patrol Agent Pay Reform Act of 2014, which includes the DHS Cybersecurity Workforce Recruitment and Retention Act that is aimed at helping the department recruit and retain cybersecurity experts.

A recent article summarizes the provisions to include:

  • Giving DHS greater hiring authorities, similar to those at DoD, to expedite the on-boarding of cybersecurity staff, as well as greater leeway in compensation,
  • Requiring DHS to report annually on the progress of the hiring effort, and
  • Requiring DHS to develop cyber occupation classification codes for staff performing cybersecurity activities to aid in identifying and fulfilling its cybersecurity needs.

What gives some hope to the current Senate bill is that it is similar to the Homeland Security Cybersecurity Boots-on-the-Ground Act that passed the House this summer.  I discussed this House bill when it first passed out of committee back in October, 2013. Now, nearly a year later, we will see if this or the Senate bill has enough legs to be passed as-is by the other chamber or can survive a conference committee mark-up and re-vote in both chambers to make it to the president. Given that we are in a Congressional election year with little left in the legislative calendar before the run-up to November, such fate may fall to the lame duck session and that is an uncertain fate for sure.

Even if legislation were enacted immediately, it will take significant time for DHS to make up lost ground and build up its workforce. Until then, they look to industry to help fill the gaps and protect the department and the rest of the .gov domain from an increasingly hostile cybersecurity landscape.


GAO: Federal Agencies are Falling Short in Overseeing IT Contractors

Federal agencies need to improve at overseeing the IT contractors that operate their computer systems and process their information, according to a study by the Government Accountability Office (GAO). Agencies are legally required to ensure that contractors adequately protect these assets, but GAO shows that there are inconsistencies among agencies’ handling of this responsibility.

GAO set out to assess how well certain agencies oversee the security and privacy controls for systems that are operated by contractors and how well the agencies with government-wide security and privacy guidance and oversight responsibilities were doing in helping them. In their audit, GAO reviewed the implementation of security and privacy controls for selected contractor-operated systems across six federal agencies, based on their reported number of contractor-operated systems. These were the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM). 

GAO found that the agencies generally had established security and privacy requirements for contractors to follow and prepared for assessments to determine the effectiveness of contractor implementation of controls. However, all but DHS were inconsistent in overseeing the execution and review of those assessments. One frequent area of inconsistency was in executing test plans that would identify potential security and privacy risks. In one example, GAO found that the DOT officials did not have evidence that 44 of 133 contractor employees operating one particular system had undergone a current background investigation.

A contributing reason for shortfalls that GAO identified in agency oversight of contractors was that agencies had not effectively documented procedures to direct officials in performing such oversight activities. None of the agencies had procedures in place to direct officials in how to conduct such oversight and that led to inconsistencies.

Another area mentioned by GAO is inconsistently-applied or unclear guidance. OMB FISMA reporting instructions to agencies state that systems operated by contractors are to be reported as part of the agency’s system inventory. But GAO found that agencies are interpreting and applying the guidance differently because the guidance for categorizing and reporting contractor-operated systems does not clearly define what constitutes a contractor-operated system. The difference in application causes many systems that are contractor-operated to not be classified as such.  This has resulted in incomplete information on the number of contractor-operated systems within the government.

Potential Cost Implications

Given the areas of shortfall within agencies it is possible that renewed efforts could have cost and administrative implications in several areas:

  • Personnel Security – Scrutiny of contractor background investigations is at an all-time high and inconsistencies discovered by GAO may result in direct costs and/or delays to companies and agencies while sufficient background investigations are completed. Similar implications may result if required agency-specific training in security or contingency planning has not been consistently administered.
  • Compliance Efforts – Given GAO’s spotlight on inconsistencies in how systems are evaluated, assessments of systems and personnel for compliance with agency requirements will likely increase, adding short-term burden until processes are in place and efforts are routine.
  • FISMA Assessment – Increased clarity or education from OMB on applying their FISMA reporting standards for contractor-operated systems could increase scrutiny on some systems – both government-owned, contractor-operated and contractor-owned, contractor-operated.  Many of these systems may have been previously overlooked or mis-categorized, which could spur deeper scrutiny and increased costs.

Potential Contractor Opportunities

As agencies strive to improve they may look to industry experts for assistance in the following areas:

  • Procedure Development – Agencies will need to document the procedures for their officials to follow in order to perform effective oversight of contractors. While these efforts may be considered inherently governmental in nature, some agencies may seek the help of contracted experts to aid in solidifying such procedures. Expect agencies to maintain directive control over this process.
  • Independent Assessments – GAO found that five of the six agencies they studied used independent assessors for system reviews, as required by NIST, and this included contracting for these assessment services. There may be continued opportunities for contractors to find work in this area. Expect agency officials to verify that the selected assessor is independent.
  • Test Plan Development and Execution – While most agencies that GAO audited had developed test plans, almost none of them had effectively executed test plans. Here is another area where independent contracted services may be in demand.

Considering GAO’s recommendations focus on both procedures and policies – that agencies develop procedures for contractor oversight and that OMB clarify reporting instructions to agencies – it will take some time for agencies to fully address the concerns raised in the report.


NSA Adds Five Schools to Centers of Academic Excellence Roster

The National Security Agency (NSA) Central Security Service (CSS) Center of Academic Excellence (CAE) programs support the President's National Initiative for Cybersecurity Education (NICE) in growing the base of skilled workers capable of supporting a cyber-secure nation. In mid-July 2014, NSA recognized five schools as additions to the Cyber Operations Program.

The Cyber Operations program includes technologies and techniques pertinent to cyber operations as well as legal and ethical considerations. According to the NSA, “these technologies and techniques are critical to intelligence, military and law enforcement organizations authorized to perform [cyber] specialized operations.” The July 14, 2014 announcement added five schools to the ranks of qualified academic institutions:

  • New York University (New York);
  • Towson University (Maryland);
  • The United States Military Academy (New York);
  • The University of Cincinnati (Ohio); and
  • The University of New Orleans (Louisiana).

The additions bring the total of schools in the Cyber Operations program up to thirteen. NSA’s Centers of Academic Excellence include programs addressing Cyber Operations, Information Assurance Education, and Research. The Information Assurance Research and Information Assurance Education programs, jointly overseen by NSA and the Department of Homeland Security, boast over 100 existing centers of academic excellence.

While the Cyber Operations program is “designed to cultivate more U.S. cyber professionals,” it’s not clear whether these individuals are expected to bolster the nation’s information security from within government ranks. While students may consider the CAE designation in evaluating schools, they might have their sights set on the private sector. Students participating in the Cyber Operations program will have opportunities to pursue summer internships at NSA, which suggests that there is hope to bring in new talent. Considering the workforce challenges agencies have faced in recent years, it’s questionable whether that’s where students will head. When it comes to information security personnel, federal agencies have struggled with recruitment, retention, training, and hiring system complications.

Although the most recent FISMA report did not include data on security personnel, the FY2012 FISMA Report indicated a continued reliance on skilled personnel. Workforce amounted to approximately 90% of FY2012 IT security costs. Within civilian agencies, around 42% of the FTEs with major responsibilities in information security were contracted roles. Defense agencies managed to fill 68% of those information security roles with government employees, but they still relied on contractors for nearly a third of the workforce with information security responsibilities. It’s clear that agencies will need contractor support for the foreseeable future. At the same time, the current fiscal environment casts this cost structure in an unsustainable light. Perhaps the more realistic expectation for these academic programs is simply to serve as incubators for cyber talent. In the long run, both industry and government (often through contracted support) stand to benefit, and continued government-industry collaboration will help improve our overall cybersecurity posture and adapt to future threats.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.

Security Challenges in 2013 Will Continue Demand for IT Security

With the ink barely dry on a budget deal to fund the government for the remaining three fiscal quarters of FY 2014, all signs continue to point to fiscal constraint. But given the number, diversity, and high-profile nature of several cybersecurity events of the past year, one area of federal growth for the foreseeable future, especially in staffing, is cybersecurity.

Nextgov recently published a list of their ten worst security hacks of 2013, which ranged from government networks and media organizations to personal credit card information. The variety and international nature of many of these attacks underscore that the battlefield of today and the future continues to reside in cyberspace. And the Department of Defense’s U.S. Cyber Command and its branch components are working to staff up with uniformed personnel and others to meet the challenge.

The Army has around 500 cyber-staff and is building a new command center at Fort Meade, Md., to house 1,500, leading a worldwide cyber-corps of 21,000 soldiers and civilians. By 2017, the Air Force will add more than 1,000 uniformed cyber-forces to its 6,000 experts now working at Air Force Space Command.

The Navy had 800 cybersecurity staffers in 2013 and will reach nearly 1,000 by 2017, working toward a mix of 80% uniformed sailors and 20% civilian employees and contractors. The Marines currently have 300 uniformed personnel, civilians, and contractors at work and plan to increase that number to just under 1,000 by 2017.

By contrast, the Department of Homeland Security — which is charged with protecting the federal civilian .gov domain — can’t seem to hire quickly enough, as proven by some recent legislation. The latest proposed amendment to the Homeland Security Act of 2002 would require the DHS Secretary to regularly assess the readiness and capacity of the agency’s cyber workforce to meet its cybersecurity mission and develop a comprehensive workforce strategy to enhance readiness, capacity, training, recruitment and retention of the cyber workforce, including a five-year recruitment plan and 10-year projection of workforce needs.

Homeland Security’s challenges in recruiting and retaining cybersecurity personnel are not breaking news. Even with multiple agency efforts to improve recruitment and retention, the Government Accountability Office reported this year that over 20% of cybersecurity positions are vacant at the National Protection and Programs Directorate, the primary DHS cyber-division.

Agencies beyond Homeland Security have also continued to supplement their internal workforces with contracted personnel. Office of Management and Budget reports show that up to 90% of federal IT security spending is on personnel costs, so the focus on beefing up the cyber ranks does raise the issue of cost.

However, given that the lack of an experienced and skilled cybersecurity workforce continues to put agencies at risk -- as well as demand for an improved national cybersecurity posture -- cyber spending will likely continue to buck the budget belt-tightening trend.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.

Congress May Press DHS to Bolster Cybersecurity Workforce Development

When we hear the phrase “boots-on-the-ground” most of us think of uniformed military personnel being deployed in active combat situations. But a current bill in the U.S. House of Representatives uses the phrase in connection with boosting Department of Homeland Security (DHS) efforts to improve its domestic cybersecurity workforce development activities.

In October, the House Committee on Homeland Security marked up and passed the bill by voice vote, authorizing it to be reported to the full House for consideration. It joins several other cybersecurity-related bills that have been introduced and are at various stages of progression. It is as yet unclear which, if any, of these bills will progress to a vote in the House and be taken up in the Senate, given other priorities.

HR 3107 - Homeland Security Cybersecurity Boots-on-the-Ground Act

The bill in its current form would require DHS to develop:

  • Occupation classifications for individuals performing cybersecurity mission activities and ensure that they are used throughout DHS as well as other federal agencies
  • Workforce strategy that enhances the readiness, capacity, training, recruitment, and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs
  • Verification process so that contractor cybersecurity employees at DHS receive initial and recurrent information security and role-based security training

Other provisos

  • Defines "cybersecurity mission" as threat and vulnerability reduction, deterrence, incident response, resiliency, and recovery activities to foster the security and stability of cyberspace.
  • Directs the DHS Chief Human Capital Officer and Chief Information Officer to assess the readiness and capacity of DHS to meet its cybersecurity mission.
  • Requires the Secretary to provide Congress with annual updates regarding such strategies, assessments, and training.
  • Expands recruiting outreach through a tuition-for-work fellowship program and a program to identify military veterans and unemployed computer specialists for potential DHS cybersecurity employment.

Implications

The challenge that DHS has faced with recruiting and retaining cybersecurity personnel is not breaking news. DHS has announced multiple efforts to improve recruitment and retention over the last 5+ years. Even with those efforts, the GAO reported earlier this year that more than 20% of cybersecurity positions at the National Protection and Programs Directorate (NPPD) are vacant (see p. 24). 

To cope with the shortfall, agencies have continued to supplement their internal workforce with contracted personnel, but budget constraints from all sides add to the challenge. According to OMB, up to 90% of federal IT security spending is on personnel costs. The rest is a mix of training, testing, cyber tools and risk management policy implementation.

It seems to me that this is a tough cost model to sustain in an increasingly constrained fiscal environment, but the nature of current cybersecurity operations and existing needs present challenges to automating many functions that require experienced analysts’ eyes (or “boots,” to follow the theme) monitoring the networks. The nature of the work combined with the priority of improved overall cybersecurity continues to show growth prospects, bucking the budget belt-tightening trend.

Read more of our perspective in our latest report: Federal Information Security Market, FY 2013-2018.

---
Originally published for Federal Industry Analysis: Analysts Perspectives Blog. Stay ahead of the competition by discovering more about GovWin FIA. Follow me on Twitter @GovWinSlye.
