paying attention to doing the test right from the beginning.”
“There’s this huge disparity,” a third agreed. Project owners “will say, ‘Oh, don’t worry about security. We got another contractor.’ And it’s this little guy. We need to really move where the money is — where you can get your requirements into that big contract.”
Another participant steered the discussion to the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, noting that it is both an acquisition enabler and an example of how important true buy-in will be.
CDM’s Dynamic and Evolving Federal Enterprise Network
Defense series of task orders “is exciting because it gives agencies more flexibility to embrace this [continuous monitoring] philosophy and to implement it in a way that is appropriate for that agency’s enterprise,” the official said. “But if it isn’t viewed as a holistic ongoing security philosophy across the federal enterprise, then what happens when DHS stops funding it and the agencies have to pick up the tab? And then the whole thing stops, and we all go back to manual dashboards.”
“I’m a huge supporter of the program,” the official continued, “but if it’s just another siloed mandate that we have to check the box for CDM, then it’s never going to work.”
Putting the right people in the room
Part of the solution is bringing deep expertise into all stages of planning for a system or program, most participants agreed. But although program owners, contracting officers and other key stakeholders can be educated on the importance of security, that’s not likely to be sufficient.
“Are we going to be able to train a whole cadre of acquisition specialists to address these issues?” one participant asked. “We’re starting to see hints that maybe you can’t.”
Instead, that official said, many initiatives need to have a true expert “in the room next to you to start throwing down the detailed plot of what needs to be done.”
September/October 2018 FCW.COM 23