Why the cybersecurity industry is failing government

You’d think that after years (if not decades) of government IT professionals urging the vendor community to understand agency missions before trying to sell products into the federal market, that technology companies would be doing a better job of making their products mission-ready. And yet, any time you get a couple of federal IT pros together in the same room, the song remains the same.

At an IT summit late last year, government panelists complained of how technology companies still try to force-fit their commercial applications into the federal space. Vendors, these executives said, still don’t understand specific agency requirements, agencies’ mandates to share information securely across platforms or even the basic qualifications required to be compliant with federal technology initiatives such as the Federal Risk and Authorization Management Program known as FedRAMP.

For many on the agency side, enough is getting to be too much. It’s not that these buyers aren’t interested in products tested first in the commercial marketplace – to the contrary, that’s clearly the buying trend in government. But if you are just trying to expand your market share by treating the government as just another customer, save your time. Many of the summit panelists said flat-out that a lack of mission knowledge is a deal-breaker for product purchases.

The government is trying to be clear

Paul Grassi, senior standards and technology advisor for the National Institute of Standards and Technology (NIST) and the Department of Commerce, commented, “I’m of the mindset that if we’re not building, we’re buying unless told otherwise.” To that end, he stressed that vendors should participate in the development of documentation. “We’re doing everything out in the open,” Grassi said. “There should be no surprises going forward in terms of what we’re doing.”

“A consistent understanding of threats, vulnerabilities, capabilities, gaps and risk” is crucial for Martin Gross, director, network security deployment, at the Department of Homeland Security. “These things are not interchangeable. Everyone, from the agencies to the technology providers, has to make sure they talk about these things the same way,” he noted.

“We need to increase public/private partnerships,” Gross said. At the same time, he added, “I hear a lot of people criticize programs in the government saying, ‘you shouldn’t be doing X, you should be using my solution.’”

But why should an agency purchase a tech solution that’s been developed in a vacuum, free from government input? There’s no excuse for industry not to be involved.

NIST’s Grassi explained, “We are telegraphing much earlier in the process that we’re actually doing something, rather than surprising you all with a draft out of nowhere. If for some reason, you can’t participate, I value the input no matter when it comes.”

Creating more open technology for information sharing is also becoming critical. Martin Gross, added, “We need to leverage what’s in the commercial industry,” but “I don’t want to be stuck in technology locked into individual companies. Nobody is going to be able to provide us with a total solution. We need common APIs, common mapping, common datasets – industry needs to get together and help us figure that out.”

“You need to help us get to mission outcomes,” he said. “I’m agnostic on tools. You need to help me figure out how I can bring things together to get to that mission outcome, as opposed to just saying ‘I have this tool that’s going to do everything for me.’ That doesn’t really do me any good.”

And according to Steve Hernandez, CISO for the Department of Health and Human Services (HHS), “If you’re selling services and tools that don’t have a good API that I can hook into to access that data, you’re going to have a real hard time in the federal space.”

“It’s almost a deal breaker,” Hernandez said. “If you don’t have an open data mindset and the ability to share the outcomes that your tech or services are producing, go design that right now.”

Know what FedRAMP means

And while you’re at it, make sure that your offerings meet FedRAMP requirements. Hernandez rolled his eyes at the number of security vendors who want him to put sensitive data on the cloud without fully understanding how technology is vetted for FedRAMP.

“If you have a cloud component that is crucial to delivering your service or delivering your tech,” Hernandez said, FedRAMP compliance is “non-negotiable in most cases. HHS is one of the agencies most adamant about making sure that any cloud service or provider we bring in meets the FedRAMP requirements.”

Douglas Perry, deputy CIO for the National Oceanic and Atmospheric Administration (NOAA), added that vendors need to take a closer look at the specialized needs of the agencies they target for solution sales. “What’s important to NOAA is going to be different than what’s important to HHS or another agency,” he said.

To that end, interoperability is especially important. “NOAA is not going to go invest in R&D for some new cyber solution. We’re going to leverage the best in the industry. We want it to be adaptable and interchangeable with other solutions. We don’t want to have to reengineer something every time we implement it.”

“So, from a cyber operations perspective, address the basics, understand our mission, and come to us with good solutions,” Perry added.

For NIST’s Grassi, industry’s basic disconnect between technology needs and mission requirements is becoming frustrating, and he echoed the common refrain heard earlier that comes from vendors at nearly every meeting.

“You (vendors) come to sell me a tool without looking at what we currently have and where it would fit in and how we could use it. Not just from a tool perspective, but how can we use it in our mission to get the mission outcome of getting better availability, better protection, better privacy, all those type of things,” Grassi said.

“A lot of people come in and tell me, ‘What you’re doing here is all wrong, you should just do what I do instead,’” he said. “That’s what we hear constantly.”