Page 37 - FCW, March/April 2021

and right now, we simply don’t have that.”
Agencies will struggle to assess individual vendors because of the sheer number of contractors they rely on, said Kevin Gronberg, vice president of policy and government affairs at SecurityScorecard. The company uses open-source data to assess the strength of an organization’s cybersecurity.
“They’re going to see what everybody sees, which is that there are a tremendous number of vendors, and there’s going to be a wide swath of those that are taking cybersecurity seriously...and then there are going to be a select few that are not taking their security as seriously as they can or should,” he added.
Despite such concerns, a senior administration official told reporters in March that the White House plans to implement a policy that would label some consumer devices as having sufficient cybersecurity standards and introduce a grading system for software companies that sell products to the government. The policies are expected to be released through another executive order in the coming weeks. Whether industry will try to challenge the administration’s authority to enact such policies remains an open question.
Closing a persistent gap in the cybersecurity workforce
Another well-documented issue affecting cybersecurity is a chronic workforce shortage. CyberSeek, which tracks supply and demand in the cybersecurity job market with NIST’s backing, released data showing that from October 2019 to September 2020 more than 520,000 cybersecurity-related positions appeared in online job listings. That’s more than half of the 940,000 cybersecurity positions that were already filled nationwide in the same time period.
“Not only do [agencies] not have the technical people, they don’t have the operations and policy people,” said Mike McConnell, former director of the National Security Agency under President George H.W. Bush and director of national intelligence under Presidents George W. Bush and Barack Obama.
To address that issue at the national level, the Biden administration would need to fund scholarships for students to study cybersecurity, among many other efforts, said McConnell, who is now executive director of the Florida Center for Cybersecurity at the University of South Florida.
Furthermore, “the civilian servant system that was created in the middle of the last century” isn’t going to close the workforce gap, said Ron Sanders, former chairman of the Federal Salary Council and now staff director at the Florida Center for Cybersecurity. Public-sector jobs in high-demand fields such as cybersecurity have traditionally paid less than the private sector, creating a situation in which companies can poach talent by offering higher salaries and reimbursing the government for any scholarship funding the student received, Sanders added.
McConnell said part of the problem lies with senior officials who have not fully come to grips with how dependent the country is on digital infrastructure and the threats that a nation-state or extremist group can pose. “As a nation, we have not yet embraced the full understanding of the significance of our vulnerability,” he said.
GSA prepares guidance for using CMMC in civilian contracts
As the Cybersecurity Maturity Model Certification becomes a standard requirement in Defense Department contracts, the General Services Administration is developing training and guidance for DOD contracting officers who use governmentwide acquisition contracts (GWACs). CMMC seeks to ensure adequate security at all levels of a supply chain.
“We know that training is going to be required as we go through this process with our Department of Defense partners,” said Keith Nakasone, GSA’s deputy assistant commissioner for IT acquisition, at an AFFIRM event in February. “So as we move forward, we want to present an ordering guide where we have created templates [and] some guidance in our ordering process [on] how to use the GSA contracts.”
Nakasone said that approach would raise awareness by training GSA’s workforce and then extending the effort to DOD partners. GSA has already incorporated CMMC language into the request for proposals for the Streamlined Technology Application Resource for Services III contracts, and officials are drafting CMMC requirements for the Polaris small-business GWAC, which will replace the Alliant 2 Small Business contract.
Nakasone said CMMC requirements would be incorporated at a GWAC’s order level so that contracting officers have some leeway in addressing an individual system’s needs. “Not every single system is equal, so we have to have the flexibility in the contracts to deliver the acquisition solutions,” he added.
Delivering GWACs with order-specific requirements will help GSA better manage the acquisition process, Nakasone said, adding that the agency also wants to show that the standards, regulations and framework are interconnected and malleable over time.
In addition, he said GSA is in early discussions with civilian agencies that have expressed interest in using CMMC in their contracts and possibly pursuing efforts alongside DOD.
— Lauren C. Williams