Contractors not as Suppliers - but as Leaders

I have to admit that I don’t always read things like the Executive Orders. As a regular citizen, I have always presumed they are filled with political platitudes rather than actionable direction. However, in discussing the Executive Order on Improving the Nation’s Cybersecurity with Jim Goepel, my colleague and founder of the CMMC Information Institute, we realized it deserved more than just a read. It needed to be a call to action.

So, we dove in. Looking more for direction than inspiration, and wearing my skeptic’s hat, there is one line that motivated us to action. "But cybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. ”The remainder of the document sets various agency goals and deadlines, creating authority for prioritizing cybersecurity across the government, including in acquisitions.

That one line, though, really caught our attention. It was different from the rest. It draws a connection between “protecting our nation” and the “private sector,” whereas the remainder of the document, as expected, talks about protecting federal systems. This line opens the door for the government to lead by example and creates the foundation for an initiative that could leverage the work done by contractors to secure themselves and lead in the private sector.

Customer Retention as a Sales Tool

Why not allow, and even encourage, government contractors to exploit their cyber investments to build trust and competitive advantage outside the beltway? Let them make their products stand out from their commercial-only competitors. Make security and trust selling points, drive demand for security, and make the non-contractor space jealous. Jealous enough to invest in cybersecurity themselves.

Let me expand on the point.

For 20 years, I ran a manufacturing company. To be honest, there isn’t much that would have made me care about cybersecurity back then unless it got in the way of production. But, if the buyers of the national chains who bought our product cared, you’d better believe we’d have snapped into action. I couldn’t control whether they liked my product enough to drop it into 500 stores, but I could control whether or not I met their standards.

Let me be more specific.

When I started, our products didn’t have bar codes on them. Yes, I’m old. Old enough to remember the sore index finger I had from clicking those sticker machines to put a price tag on every single unit before shipment because the national chain buyer didn’t want their people to do it.Old enough to remember the letter that said we’d need bar codes on everything and realizing that we’d have to invest hundreds of thousands of dollars to redo packaging and buy machinery that would box items as there was no other way to tag them with a bar code.

But not too old to learn.

Here’s the deal. We sold to several national chains. One grocery chain, around 100 stores, told me that barcodes were now a requirement. They represented 18% of my business. I didn’t want to walk away. I invested. Then I leveraged my investment by blasting it out to every other customer’s buyer.90% of my investment was for the first one that required the barcodes. It was just a little marketing pizazz, the last 10%, that made me stand out to the others.

When we started highlighting our then cutting-edge barcodes to other nationals, we found out two things:

1. They were thinking about making it a requirement anyway; and,
2. We didn’t get a single new order because of the barcodes.

We did not, however, lose a single order either. They wanted our product, not our label; we knew that. But we made it easy for them to buy. Moreover, we gained new credibility as a regional/national player as a manufacturer that looked out for customers finding innovative ways for us to make comparatively small investments that significantly enhanced the retailer’s labor efficiency.

As times change, businesses are often initially reluctant to make those changes. But the innovative ones, the ones who will weather the storm, are the ones who are able to adapt and even find ways to capitalize on those changes. One of the best ways to accomplish this is to use them as differentiators and as a basis for driving new sales.

It is no different with cybersecurity. Here though, it is the government’s universal acquisition rules that can create the 90% driver that pushes the innovative government contractor companies to make the investments we need as a nation. Like my manufacturing company and bar codes, it is more economically efficient for us, as a nation, to have the contractors make those investments than for us to keep suffering breaches. The lost productivity lost intellectual property, and other impacts are just staggering. So, we need to find a way to encourage the contractors to make the investment. We also need to find a way to allow them to tout that investment.

It isn’t just the government that is feeling the squeeze from data breaches. Consumers are increasingly vocal about the need for some kind of reform. Now is the time for companies to act. Make the necessary investments to turn their cybersecurity programs into a competitive advantage. Other companies will notice but not change. Buyers, who also watch the news, will see the contractors’ commercial divisions touting their cybersecurity, and soon enough, they’ll express a preference, then a requirement. A nation follows the lead of the contractors and becomes more secure.

What is stopping us?

Three things.

1. There is no preference for secure contractors as long as you don’t get actual credit in the acquisition decision for a validated, verified, boxes checked, cyber posture
2. Whether required or optional, we have no trustworthy public way to verify you have gone through all that it takes to meet #1
3. Without #2, there is no marketing. The investment in cyber ends inside the boundaries of the government contract. There is no exploitation of that time and treasure spent on the government used on the commercial side.

Solution?

Don’t wait - Hey, people in charge of government acquisition, the President’s Executive Order has 46 deadlines in it. All have expired except 2 (I counted). Let’s get something in place. Don’t make it perfect. Make it happen. Prefer good cyber over bad or unknown cyber.

Build a Family - GSA creates a bronze/silver/gold cert of certs. Each agency clearly has different needs and a different focus. GSA’s task is to categorize the certs that are acceptable for government purchases, such as GovSecure1, GovSecure2, and GovSecure3.

The selection of the name isn’t essential. For DoD, GovSecureX could align with CMMC Levels 1-3. For Homeland Security or the Department of Education, different certs may qualify. NIST can advise GSA, but it is GSA that sets the minimum threshold for each level. For example, I’d suggest a minimum threshold of the FAR + a 3rd Party Validated Virtual Assessment for GovSecure1, while any cert at GovSecure2 might require the FAR + all 5-point controls and an onsite assessment.

What else?

Nothing. Stand back. Let the market take over and do what competition does best.

Make it desirable to state, no shout, to consumers that your company is GovSecureX qualified. This provides a path for government to take care of government while setting an easily consumable bar for everyone to meet. The effort is led, of course, by contractors who can exploit their GovSecureX status in the private market.

If we follow the recipe above, contractors can leverage their investment in DoD work (90% of their investment) and advertise their advantage in their commercial work (10% of their investment). The contractors will be first, but commercial-only competitors will follow because they won’t want to lose.

All that money that different government agencies spend to train and educate about cybersecurity can be redirected to grants for early adopters of GovSecureX by rewarding companies who insist on GovSecureX from their vendors. Don’t worry about the training programs; the market will do just fine in educating commercial businesses as to what to do to get those grants.

Then, when we have reached a new normal, drop the grants.

I’ll be looking forward to getting a tax refund that year.