Pentagon Cybersecurity Seems Sequestration Proof

Published: June 12, 2013

CybersecurityDEFENSEIT WorkforceSequestration

The Department of Defense (DoD) is proposing to spend $23 billion over the next five fiscal years (FY) on cybersecurity, according to a news report this week. The disclosure highlights the ongoing priority that cybersecurity will be for the Pentagon, even with the pressures of sequestration and other budgetary issues remaining. The release also underscores how differently cybersecurity spending is accounted for within the government.

Citing budget documents they obtained, Bloomberg News reported that the DoD is seeking over $4.6 billion for cybersecurity for FY 2014, which would be an 18 percent jump in just one year from their FY 2013 cyber budget. In FY 2015 that amount would climb to $4.7 billion and settle back to $4.5 by FY 2018.
Cybersecurity may be one of the few areas of the Defense budget that is widely regarded to be a growth area over the next several years. Even before the specter of sequestration became a reality, the DoD’s revised defense strategy focused on realigning resources in light of drawdowns and the fiscal demands of sustaining certain areas of warfighting capabilities.
DoD vs. FISMA Numbers
The latest DoD top-line cyber numbers raise the question about what goes into those amounts. For comparison, the last few Federal Information Security Management Act (FISMA) reports for FY 2010 through FY 2012 give significantly higher numbers – more than double the current DoD figures – for IT security. In our most recent Information Security Forecast for FY 2012-2017, Deltek projects the estimated contractor-addressable market for defense-wide information security that is closer to the latest DoD figures. (See table below.)
 
The difference between the latest DoD numbers and those reported through FISMA may be the impact of personnel costs on the overall budget – specifically, identifying the number and cost of dedicated information security staff, compared to IT staff that may perform a security activity as part of their other IT functions. DoD has noted this challenge in their FISMA report submissions over the years, saying that the vast majority of their IT personnel perform some significant IT security function, role, or activity, making it nearly impossible to designate any IT staff not being involved in security. 
The latest DoD cyber budget figures may likely account for focused active network defensive and offensive activities that are mostly based within cyber-specific commands within the Pentagon and related services commands, i.e. USCYBERCOM, etc. These figures may not fully account for some traditional information assurance (IA) duties that get covered as part of ongoing network operations and maintenance.
Another aspect in sizing the contractor-addressability of this market is the mix of government and contracted personnel. The FY 2012 Federal Information Security Management Act (FISMA) report noted that among all executive branch agencies covered under FISMA, 67 percent of IT security (full-time equivalent (FTE)) staff is government employees while 33 percent are contractor FTEs. The FY 2011 FISMA report gave a bit more granularity on DoD, noting that the DoD’s IT security personnel force at that point was made up of 64 percent government FTEs and 36 percent contractor FTEs.
Regardless of the precise make-up of the numbers, one thing seems to be clear. Even in a fiscally constrained environment that includes statutory budget sequestration the DoD’s priority on answering the cybersecurity threat will continue and they are willing to put up the money to do it.