federal cybersecurity government partnering strategies: avascent white paper
DESCRIPTION
Avascent White Paper on the rapidly evolving Cyber marketplace - from my colleagues Michael McKloskey and Timothy WickhamTRANSCRIPT
THE AVASCENT GROUP 1225 EYE STREET, NW #400 WASHINGTON, DC 20005 (202) 452-6990
Cybersecurity is a problem of interdependencies. Because these interdependencies are also
the strength of the networks and systems on which government and society alike have be-
come so dependant, it is only through better coordination that cyber capabilities, both de-
fensive and offensive, will be improved.
The government market for cyber solutions, however, features a critical paradox: For all the
value of close coordination among players, the market is characterized by widely disparate
approaches to cyber issues and solution development. These differences are driven by a
multitude of factors, but they combine to make the task of achieving coordinated solutions
very difficult. Recent controversies over leadership roles in Federal cybersecurity, and the
recent publication of the Obama administration’s Cyberspace Policy Review, highlight these
problems.
Companies competing in the Federal cyberspace market must cope with this paradox. They
must grapple with customers of varying interests and needs, and who may face significant
hurdles in engaging with developments in sister agencies. Companies looking to expand
their role in providing responsive and effective cyber technology, services and support must
emphasize partnership with their customers.
The dynamism and diversity that characterize Federal cyberspace requires industry to build
highly collaborative customer relationships. To be successful in this market, companies
need the ability to work with their customers in the face of rapidly evolving challenges to
diagnose requirements and prescribe solutions that can draw on best of breed across agency
lines.
The Federal Cybersecurity Market Partnership for Continuous Innovation as the Path to Prosperity in the Cyber Market
JUNE 2009
B2G Advisory Services MARKET & STRATEGY SUPPORT
ABOUT THE AUTHORS: TIMOTHY WICKHAM PARTNER Tim is a partner of The
Avascent Group where he
directs the firm’s C4ISR
practice. Prior to joining
Avascent, Tim served as a
tactical communications
officer in the U.S. Army Sig-
nal Corps and as an analyst
in the Intelligence Commu-
nity.
MICHAEL MCKLOSKEY ASSOCIATE At Avascent, Mike advises
clients on security matters
confronting the federal gov-
ernment. Previously, Mike
worked as a supervisor and
analyst at the National Secu-
rity Agency where he spe-
cialized in information and
cyber security as well as
CBRN-terrorism issues.
For further information
please contact :
THE AVASCENT GROUP 2
THE FEDERAL CYBER ENVIRONMENT
Public attention to Federal cybersecurity and cyber warfare
challenges burst to public attention with the 2007 acknowl-
edgment of the Comprehensive National Cybersecurity Ini-
tiative (CNCI). This initiative
boosted Federal spending on cy-
ber solutions by more than a
third, to perhaps as much as $13
billion in 2009. Highly public
debates over issues of leadership
and control in cyberspace – be-
tween the Air Force and the rest
of DoD, between the National Security Agency and the De-
partment of Homeland Security – have served to cast closer
attention on the challenges Federal executives are grappling
with in the cyber realm.
For contractors, this is as compelling and complex an envi-
ronment in the Federal technology market. The complexity
that both industry and government alike must navigate is
driven by two primary factors:
Fluid Threat and Technology Environment: Information
technology evolves at a very rapid pace, particularly by the
standards of Federal procurement. At the same time, the
pace of change in the nature of cyber threats moves like no
other technology problem the government has addressed.
The “barriers to entry” to mount cyber attacks are virtually
nil: A lone, highly trained individual with a few thousand
dollars of “start-up capital” can cause immense damage. In
the hands of larger organizations or hostile states, cyberspace
offers a set of asymmetric weapons against which the U.S.
government is only just beginning to prepare.
The combination of a constantly changing threat and con-
tinually evolving technology landscape creates an environ-
ment in which the traditional and highly laborious Federal
processes for defining requirements and fielding solutions
are barriers to success. The pace of the “measure / counter-
measure” cycle in cyber defense and offense requires Federal
customers to innovate their tactics, technique and proce-
dures (TTP) with rapidity that is not normally associated
with the U.S. government.
Traditional requirements generation and acquisition proc-
esses make it difficult for the Federal customers to keep pace
with the dizzying pace required for effective cyber solutions.
The challenge for industry is equally daunting. Given finite
resources to invest, many firms have found that picking win-
ning technologies is more akin to a game of roulette than a
sound investment strategy.
Uneven Policy and Customer Needs: The Federal govern-
ment struggles to define leadership responsibility in the cy-
ber realm. The task of defining
standards for technology and se-
curity practices remains a matter
of fierce contention among key
stakeholders. Some of the changes
being implemented by the Obama
Administration may eventually
reap significant dividends in both areas, but it will inevitably
take time.
A consequence of this is that individual agencies will retain a
significant measure of independence in addressing their cy-
ber requirements as best they can. The first task that cyber
competitors face is to understand the unique requirements
and conditions affecting different customer groups. These
conditions may be driven by an array of factors, including:
Mission: An agency’s core missions will drive its informa-
tion architecture, the nature of its cyber vulnerability, and
the types of solutions required. Is the customer charged
with safeguarding “customer” data? Are they in the busi-
ness of operating and protecting critical infrastructure?
Do they have an offensive mission, and if so, of what
kind? Intelligence gathering? Achieving effects on the bat-
tlespace?
Sophistication: Federal customers are widely divergent in
their level of sophistication regarding information tech-
nology. Where IT and cyber issues are central to an
agency’s mission, it will be motivated toward greater in-
volvement in the solution definition process. For other
customers, outsourcing the entirety of the solution makes
greater sense. Those agencies at the higher end of the so-
phistication scale will tend to have deeper pockets, and
will demand a much more collaborative working ap-
proach to solution definition and implementation.
Autonomy: Some customers will be inclined to lead the
process of identifying requirements and solutions. Some,
indeed, like NSA and DISA, have this explicit charge. But
many others will take their cue from either adjacent or-
ganizations or follow the lead of more advanced agencies.
Similarly, many customer agencies, particularly in the
Companies looking to expand their role in
providing responsive and effective cyber
technology, services and support must em-
phasize partnership with their customers
THE AVASCENT GROUP 3
Department of Defense, may “own” only a piece of the
responsibility along the chain from requirements defini-
tion to budgeting to source selection to implementation
and operation.
IMPLICATIONS FOR INDUSTRY
The cyber mission is here to stay. Specific solutions will
change and programs will evolve, but investment in cyber
solutions is rising to a place of importance alongside other IT
investments, “kinetic” warfighting capabilities, and other
core mission systems. Further, contractors and government
stakeholders alike should realize the turbulence they are ex-
periencing is not likely to go away and those agencies and
firms that learn to deal with this uncertainty will accomplish
their mission most successfully.
To capitalize on this rising oppor-
tunity, companies shape their ap-
proach to the realities of customer
behavior and constraints, as well
as technology change. Excellence
in cyber capabilities requires a
constantly responsive process of innovating in the face of
evolving technology conditions. Providers must be cognizant
not just of the state of the art, but of the state of play among
adjacent but disconnected customer groups. These condi-
tions imply the need among contractors for flexibility and
capacity for partnership that are unlike many other markets
in which they have come to excel.
To best support Federal customers and their effort to secure
and exploit cyberspace, contractors should consider develop-
ing a wide range of government partnership strategies. For
example:
Help Government Customers Keep Pace with Technology:
Critical to the mission will be the ability to leverage cutting
edge technologies, whether they emanate from the vital com-
mercial sector or Federal investments. Firms’ ability to rap-
idly test, simulate the effect, and understand the benefits of
emerging technologies can be of huge use to their govern-
ment partners. Similar to some of the goals of DARPA’s Na-
tional Cyber Range effort, such a process would offer multi-
ple benefits to both industry and government. It would build
greater intimacy and appreciation among stakeholders. It
would make government stakeholders better informed and
more efficient consumers of necessary technology. And it
would allow for the more rapid application and refresh of
technology into government networks with limited disrup-
tion.
Cooperative Research: While perhaps applicable only to
some customers with the appetite to sponsor non-recurring
engineering (e.g. DoD, the Intelligence Community, DHS,
and DoE), working through Cooperative Research and De-
velopment Agreements (CRADAs) to solve specific problems
will further build partnerships. Developing technology or
processes in cooperation with the customer offers a surer
avenue to formal adoption, particularly with careful parallel
marketing among user communities. The “build it and they
will come” model is anathema among most defense firms.
Working with a government customer on cyber CRADA ef-
forts will provide both parties insight into how each works,
and can be a key building block for partnership necessary for
long-term market success be-
yond the specific goals of the
area of research cooperation.
Leverage IT ID/IQ Contract
Vehicles: An underappreciated
opportunity to develop effective
partnerships is offered by IT-focused indefinite demand/
indefinite quantity contracts. While much cyber technology
will be acquired through targeted procurements, much of the
capability acquired will also come through traditional multi-
ple-award contract vehicles, like the Army’s ITES-2S/H,
DISA’s ENCORE, DHS’ EAGLE, and others. Companies
with existing positions on these vehicles already understand
the value of these arrangements as windows through which
to understand requirements, offer solutions, and maintain
ongoing connectivity with their use and evolution. For firms
not positioned on viable contracts, it is important to under-
stand how the ongoing dialogue between government and
industry that these vehicles permit can be a powerful means
of anticipating and serving demand. As new multiple-award
IT contracts are set to be formed in the coming year (e.g.
DIA’s SITE, Air Forces’ NETCENTS II) companies consider-
ing improving their position in the cybersecurity market
should consider how best to approach and capture a position
on these key partnership enabling vehicles.
To improve competitiveness and find ways to build these
critical partnerships, firms should take stock not only of ex-
isting technical capabilities and gaps, but of their other ad-
vantages and limitations, including customer relationship,
sales channels, etc.
Contractors and government stakeholders
alike should realize the turbulence they are
experiencing is not likely to go away
THE AVASCENT GROUP 4
THE AVASCENT ADVANTAGE
The Avascent Group is the leading management consulting firm specializing in serving senior executives in the defense,
aerospace, homeland security, logistics, technical services and infrastructure sectors. Avascent provides a full range of man-
agement consulting services, from strategic planning to market analysis to organizational and operational improvement.
Our consultants combine our deep market knowledge with proven rigorous market validation and strategic planning meth-
odologies to provide invaluable decision support to our clients.