Crystal Ball 2020: What to Expect in Federal Cybersecurity
Published: January 09, 2020
What are some cybersecurity trends to watch for in 2020?
For a decade or more, Deltek has closely watched the evolution of the federal information security market and forecasted areas of growth and market trends. As 2020 begins, we see several trends that will drive both direct and indirect federal cyber spending and impact non-technical areas of federal contracting, such as acquisition policy and practice. As a result, 2020 is poised to be a pivotal year for federal cybersecurity.
Artificial Intelligence/Machine Learning for Cybersecurity
Efforts to evolve the federal cybersecurity posture from a largely defensive and reactive stance to one of greater situational awareness and proactivity have fueled a huge growth in software tools to address almost every aspect of cybersecurity – from network monitoring and incident response to mitigation and remediation. One consistent theme has been that the data streams produced by the new security tools have overwhelmed the human cyber-operators who need to make snap decisions on how to interpret, understand and respond to each potential incident.
Prediction: Agencies will look beyond simply increased automation of cybersecurity functions to seek greater use of decision support tools based on Artificial Intelligence/Machine Learning (AI/ML) principles to help with automating some of the routine network and data defense decisions that augment operator capacity. Many if not most of these efforts will take place in small pilot projects within agency R&D programs. The DOD’s Joint Artificial Intelligence Center (JAIC) will lead efforts to bring AI to bear. Broader progress will be incremental and sporadic as AI/ML is still in its very early stages.
Use of Other Transaction Authority (OTA) for Cyber Innovation
A great deal of attention has been paid to the growth of DOD’s use of Other Transaction Authority (OTA) agreements for a wider array of urgent capability needs, primarily because these awards carry the authority to bypass most of the traditional contract competition process. While the vast majority of dollars flowing through OTA procurements are for defense platforms and weapons systems, contracting for information security via OTAs has been increasing over the last several years as demand for cyber innovation has increased.
Prediction: Use of OTAs will continue to grow as a means to develop prototype cyber capabilities under a strong sense of urgency. Defense Agencies and the Army may continue to outpace the Air Force and Navy in OTA use, but that may fluctuate given the growing popularity of OTAs. Congress will continue to monitor how these awards are made and how follow-on awards for post-prototype production programs are made and managed.
Contractor Supply Chain Security Requirements
The Departments of Defense (DOD), Homeland Security (DHS), Energy (DOE) and others have been voicing concern and instituting policies around the security of contractor-supplied products and components and the vulnerabilities to federal data – some of it highly sensitive – as it is processed or stored on internal contractor networks. Resulting federal actions have included acquisition regulation changes (e.g. DFARS) and outright bans on certain products or services (e.g. Huawei and Kaspersky). However, the DOD is working to address cyber risks across all of its contracted areas, not just technology.
The DOD’s Cybersecurity Maturity Model Certification (CMMC) program that was announced in mid-2019 is anticipated to be inaugurated this month. The program will require all contractors – primes and subcontractors – to obtain third-party certification that their internal cybersecurity reaches a certain level on a five-tier scale just to be considered for a DOD contract. Different contracts will have different certification level requirements based on risk, but all contractors will be required to reach the minimum first level. The DOD has released drafts of its approach and has been working with industry to produce an effective program. The current timeline is to begin phasing certification requirements into contract requirements in mid-2020.
Prediction: CMMC will change the entire defense contracting environment in 2020 and beyond. That seems easy enough to see. The real challenge is in assessing to what extent, and that depends on the degree to which: 1) DOD continues on its stated timeline, and 2) current and potential prime and sub-contracting companies already have mature and documented cybersecurity practices in place now. Clearly, DOD’s move to institute CMMC is an indicator that some work on contractors’ part was necessary, so it is likely that CMMC is on the New Year’s Resolution list of many firms, especially sub-contractors and firms that do not traditionally consider themselves IT firms. Another consideration is how quickly civilian agencies will seek to adopt or adapt the DOD’s CMMC requirement and work to begin adding it to their contract requirements.
It is noteworthy that two of the above three trends are acquisition-related and not technology capabilities, products or services that federal agencies will be looking to buy in 2020. This speaks to some of the challenges that agencies face in on-boarding new capabilities to improve their security posture as well as the increasingly comprehensive mindset among federal cyber-leaders who are looking at the entire information chain when it comes to cybersecurity risk management.