What Portion of Federal Civilian Information Security Spending Is Contractor Addressable?

Published: October 15, 2014


With the inconsistencies in reported federal spending, it can be difficult to determine how much agencies are investing in different technology areas, like information security. That lack of visibility can make it even more challenging for contractors to determine the size of the addressable market. The reported data for top and mid-tier civilian agencies suggests around 80% of IT security funds could be in play for contractors.

Drawing on agency rankings from FIA’s previous information security market reports, we see that the top five civilian agencies along with mid-tier agencies account for the lion’s share of spending on IT security outside the Defense Department. According to the FY13 FISMA report, these agencies comprised 87% of civilian cyber spending. While the FISMA figures give a sense of historic direct security spending, they do not reflect current addressable funding.

One approach to determining the current addressability of information security spending leverages the IT budget details that agencies report to the Office of Management and Budget (OMB). First, the information security-related categories within the Federal Enterprise Architecture (FEA) Business Reference Model (BRM) services are identified. These categories allow investment details to be filtered by determining primary and secondary service requirements. The results that meet the FEA BRM service criteria are reviewed for relevance to information security. This process yielded 208 IT investments reported for FY 2015. Then, the contractor addressable portion of spending for each of these investments is calculated. Finally, the figures for each of the investments are used to approximate averages for the spending per investment and for the contractor addressable portions.

Key Findings

  • Contractor addressable information security at the top 10 civilian agencies amounts to nearly $3 billion.
  • On average, contractors vie for 81% of civilian IT investments that address information security.
  • Addressability varies across the civilian agencies and does not necessarily correspond to the highest levels of spending.
    • While the Energy Department appears to have the highest contractor addressability, it has the lowest average for funding per investment.
    • Not surprisingly, the Department of Homeland Security also has a high level of addressability and the funding per investment is significantly higher, indicating a high reliance on contracted goods and services.

There are some drawbacks worth acknowledging with this approach. Obviously, the calculations rely on the accuracy of agency reporting and on consistent coding of investments to FEA BRM service areas. This analysis also only takes public data into account, which omits any classified funding or details. Numerous investments include an unspecified portion of spending dedicated to security. In such cases, the whole amount has been included. Additionally, the funding level associated with each of the investments reflects the requested, not approved or actual, sum. Despite some of the limitations around the conclusions, they offer a decent starting point for sizing contracted spending on information security within the federal civilian government.