Analysis: Policies and Opportunities That Will Shape Cybersecurity Spending

Jul 08

From: Homeland Security Today

By: Stephanie Sullivan, immixGroup Inc.

As cyber threats continue to dominate the headlines, it is important for the innovators in the government security market to understand how the legislative and executive branches are tackling cybersecurity and the potential ramifications of these efforts for industry.

FY14 Legislation Impacts on Cyber

These are some of the several legislative directives that could impact the commercial-of-the-shelf (COTS) vendor community in FY14, and aim to encourage the adoption of cybersecurity best practices on a voluntary basis. The underlying motivation of these directives is to spur industry and government collaboration on information sharing and defending networks.

The framework proposes to allow intelligence gathering on cyber-attacks and cyber threats, as well as address network security gaps in critical components of U.S. infrastructure, including banking, utility, and transportation networks.
NIST in collaboration with GSA, DOD, and DHS released a Request for Information (RFI) last February in order to gather feedback from industry and relevant stakeholders regarding the development of the framework, and has been holding a series of workshops to identify priority elements the framework must address.
An initial draft of the framework was publicly released on July 1st with revisions expected to be made following the 3rd Cybersecurity Framework Workshop being held on July 10-12th in San Diego, and will be expanded and refined leading into the fourth workshop anticipated to be held in September. Additional framework milestones include the release of the preliminary version due in October; with a final version expected in February 2014.
Keep an eye on this – participating in stakeholder engagements and familiarizing yourself with the draft guidelines will be critical to all COTS vendors, because you need to understand how your products and solutions can enhance the framework and meet these ‘voluntary’ but critical security needs. After all, the end goal of these working groups will be to eventually bake cybersecurity standards into federal acquisitions to ensure cyber protection.

  • The Presidential Policy Directive – 21 or PPD 21 on Critical Infrastructure and Security Resilience is serving as a replacement and update to 2003 Homeland Security PPD – 7, and was also issued on February 12, 2013 as a complement to the Cybersecurity Executive Order.  PPD – 21 defines what critical infrastructure is and encourages the Federal Government to strengthen the security and resilience of its own critical infrastructure, which is outlined in the directives three strategic goals. It also defines sector-specific agencies (SSAs) for critical infrastructure segments, and mandates information sharing and cooperation between the SSAs, state & local organizations, and international partners.

The new policy establishes “national critical infrastructure centers” in the physical and cyber space designed to promote information sharing and collaboration, as well as ordering the State Department to work with DHS on issues of international interdependencies and multi-national ownership, and growing concerns of the global economy. However, some speculate that not enough has changed from the former Presidential Directive to be truly noteworthy.

  • The Cyber Intelligence Sharing and Protection Act (CISPA) is a bill designed to encourage voluntary information sharing between private companies and the government in order to gain information surrounding incoming cyber threats. In a perfect scenario a private company, like an Amazon or Google, would identify unusual network activity that may suggest a cyber attack and alert the government, or if the government detected a threat to a private business network they would share their findings.

The bill was originally introduced into Congress last year, but privacy concerns proved to be a major roadblock, and the bill didn’t make it to the Senate floor. The bill could meet the same fate this year, even after it was passed by the House of Representatives on April 18, 2013. The NSA PRISM program has halted any movement regarding cybersecurity legislation until at least September, if not further down the road due to increased scrutiny of private information sharing.

One of the provisions of note calls for mandatory reporting requirements by defense contractors when there has been a successful cyber penetration. Additionally, the NDAA also calls for improved monitoring and alert technologies to detect and identify cybersecurity threats from both external sources and insider threats. The NDAA also contains a provision aimed at addressing longstanding concerns over elements of the Pentagon’s supply chain. The NDAA hints that statutory requirements to address this problem may be down the road. DOD is encouraged to cooperate with industry.

FY14 Federal IT Sales Opportunities in Cyber

The federal government plans to spend about $13 billion in FY14. This reflects the fact that cybersecurity continues to be a strategic concern for federal agencies. Just as important, cybersecurity will benefit from bipartisan reluctance to curb spending in this high profile area. Fiscal constraints do exist, however, and agencies will have to be circumspect in how they earmark money. The following are a small selection of programs with significant cybersecurity requirements and large allocations for new starts. It is important to understand which programs have funding and map your solutions to these programs.

FY14 Opportunities: Civilian

Funded cybersecurity opportunities within the civilian arena can be found in almost every Executive Branch agency. Below are the top three civilian programs by Development, Modernization and Enhancement (DME) funding – money used to buy new products.

  1. Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) – The Continuous Diagnostics and Mitigation (CDM) program is the agency’s largest cybersecurity investment dedicated to continuous monitoring, diagnosis, and mitigation activities to strengthen the security posture across federal .gov domain. This investment will assist DHS in overseeing the procurement, operations and maintenance of sensors and dashboards deployed to federal agencies.
    • FY14 DME IT spend for CDM is $121.4 million
  2. Department of Commerce (United States Patent and Trademark Office (USPTO)) – Network and Security Infrastructure investment describes the IT operations and services provided to the USPTO and external customers by the OCIO Enhancements and upgrades of this IT infrastructure will include firewall enhancements, antivirus software, network security, data protection and compliance too.
    • FY14 DME IT spend for NSI is $89.5 million
  3. DHS (NPPD) – The National Cyber Security Division, through its National Cybersecurity Protection System (NCPS), which is operationally known as ‘Einstein’, protects the Federal civilian departments and agencies IT infrastructure from cyber threats. Potential FY14 requirements for this program could include: intrusion prevention, intrusion detection, and advanced cyber analytics.
    • FY14 DME IT spend for NCPS is $72 million

FY14 Opportunities: Defense

Generally speaking, cybersecurity opportunities within the Department of Defense can be found within major network and infrastructure programs. Below are the top three defense programs by Development, Modernization and Enhancement (DME) funding – money used to buy new products.

  1. Warfighter Information Network Tactical System Increment (WIN-T): High speed, high capacity tactical communications network serving as the Army’s cornerstone tactical communications system through 2027. Developed as a secure network for video, data, and imagery linking mobile warfighters in the field with the Global Information Grid. Potential FY14 procurements include firewall enhancements, intrusion protection and detection, continuous monitoring, and encryption.
    • FY14 DME IT spend for WIN-T is $815.4 million
  2. Next Generation Enterprise Network (NGEN): An enterprise network which will replace the largest intranet in the world, the Navy Marine Corps Intranet, providing secure, net-centric data and services to Navy and Marine Corps personnel. NGEN forms the foundation for the Department of Navy’s future Naval Network Environment. HP was recently awarded the contract potentially worth up to $3.5 billion. The entire gamut of information assurance requirements are at play here, specifically due to the high reliance on cloud technology that NGEN will require.
    • FY14 DME IT spend for NGEN is $195.05 million
  3. Consolidated Afloat Networks Enterprise Services (CANES):  Consolidates the Navy’s multiple afloat networks into one network. CANES replaces these existing networks with new infrastructure for applications, systems, and services and will improve interoperability along the way. The RFP is currently out with an award expected this winter.
    • FY14 DME IT spend for CANES is $195.1 million
Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published.

Please Answer: *