Viewpoint 

Government Contracting Culture Impedes Progress in Cybersecurity 

2010

By Anand Datla 

Damaging attacks on Defense Department and private-sector networks have filled news headlines. They also prompted the Obama administration to appoint a national cybercoordinator and the Pentagon to create a Cyber Command.

But these initiatives still don’t address foundational issues that will certainly impede any progress. The biggest problem by far is that the U.S. government lags far behind industry in ensuring quality of service for its network infrastructure. In other words, the current acquisition culture makes it difficult to harness resources in support of cybersecurity.

This largely is the result of institutional practices, particularly in the way the Defense Department acquires information technology.

The government already is spending billions of dollars on IT products and services but does not hold its vendors accountable for cyberintrusions. The current contracting practices also fail to provide financial incentives to contractors to protect government networks from attacks.

Contracting typically is measured in terms of a service or a weapon system that the government is purchasing. Most contract types used today were designed to lower the risk to the government depending on the requirements, but they are not structured to reward or punish contractors for poor performance. This is a problem when it comes to cybersecurity.

The contract acquisition types that have stood out over time are known as “time and materials” and “labor hours.” Time-and-material contracts are primarily concerned with acquiring services for the government without knowledge of the required duration to finish the work. Similarly, labor hours are an acquisition of services, the only difference being that the government supplies all the necessary materials.

These contract mediums were used in eras when systems were closed networks and grew at a linear pace. An example was the CSC Infonet in the 1970s. Infonet was a large network with hundreds of users. The focus was more on supporting infrastructure development needs instead of ensuring quality of service.

In the decades since, there has been a continued push to make it easier for the government to access commercial technology. To support this effort, legislation such as the Federal Acquisition Streamlining Act of 1994 and the Clinger-Cohen Act provided measures so acquisition services could be obtained faster.

In this context, the Defense Department’s cyber-efforts have been directed towards obtaining “technical solutions” rather than high quality support.

The traditional acquisition economy is not giving the government the best value for taxpayer dollars. The biggest challenge for the government is that it now must protect vast, openly accessible networks. How can the Defense Department cope with these challenges given the lack of technical expertise within the government?

The Pentagon has turned to vendors and contractors for support in the areas of infrastructure design, maintenance and operations. But most contracts don’t require vendors to protect the networks as an integral piece of the service they provide to the client.

In the private sector, the situation is quite different. In the acquisition of cyberspace technologies, the most highly regarded contracts are “service level agreements” and their variants. SLAs are contracts that establish measurable performance indicators for services provided by vendors. For instance, a vendor may establish a service level agreement contract with a company that includes 99.9 percent guaranteed uptime and remediation of all cyberintrusions within 48 hours. It is up to the vendor to ensure that the agreement is not violated or it runs the risk of losing the contract. In some cases, the vendor must pay financial penalties if the service level agreement is violated.

By their nature, service level agreements also add a layer of acquisition oversight, since they put in place a criterion of success or failure in the contract. Following industry’s example, the U.S. government also tried to use SLAs and other similar performance-based measures.

Performance-based contracting was envisioned as a way to bring the benefits of service level agreements and at the same time give more freedom to vendors for developing technology. The process in theory would have the government release a requirement and request vendors to come up with a solution. Once a vendor was selected, the government would then actively monitor how well the vendor was performing. While in theory, the concept made sense, there have been a number of hurdles.

One is the institutionalized culture at the Defense Department that resists using anything other than the standard contract mediums. The reason is that performance-based contracting added new responsibilities for both the government and vendor that appear difficult to implement. For the government, the challenge has been fostering a culture that emphasizes monitoring the quality of work. At the same time, the vendor has found it difficult to meet the demands of the contract, which are alleged to be vaguely written or lack specific details.

Time and resource constraints also have made it difficult for the vendor’s system to be adequately tested as a proof of concept. Without any trial run, the final product has at times been a disappointment.

Little has been done to change existing habits. The outcome has been to largely circumvent performance-based contracting or SLAs by reshaping requirements. By all accounts, none of these actions addresses the fundamental inability to ensure a measurable quality of service or to improve the government’s ability to defend networks from cyberattacks.

Some of the problems were seen early on in NMCI (Navy Marine Corps Intranet) and more recently in Department of Veterans Affairs contracts. NMCI, which was completely run by a contractor, was a tough learning experience. On multiple occasions NMCI failed to meet the requirements set in the SLA. Instead of ending the contract, the Navy chose to continue using the vendor’s services without charging a financial penalty.

The Department of Veterans Affairs has also been challenged by the quality of its computing environment. After awarding a series of contracts for improving information security, it found that the resulting acquisitions had poor oversight.

Secretary of Defense Robert Gates plans to bring on some 30,000 acquisition officials to the Defense Department. At first glance this seems to present an excellent opportunity to increase the use of service level agreements and performance-based contracts. But as has been the case with NMCI and Veterans Affairs, the entrenched culture has not broken free of the habits associated with old contract mediums.

Bottom line: It is increasingly imperative to somehow change the existing culture to include greater accountability, and offer further incentives in creating service level agreements and performance-based contracts.

Unless further attention is given to this problem, the United States runs the risk of falling behind in its technical leadership and in its cybersecurity capabilities.

As the Obama administration elevates the cybersecurity mission to the White House level, it is also important to recall that a similar role existed during the Clinton era. Richard Clarke sought to coordinate across government and provide an enhanced role for cybersecurity. Unfortunately, because of the difficulty in achieving coordination, the effort fizzled out. Let us hope for a better outcome this time around.


Anand Datla is a former Defense Department civilian who worked on strategic planning, policy and operations. He also served as a professional staff member of the House Armed Services Committee. He is currently a consultant based in the Washington, D.C. area.

Reader Comments

Re: Government Contracting Culture Impedes Progress in Cybersecurity

Excellent Article! Uncle Sam needs to get smarter with the contractual language

http://www.sei.cmu.edu/library/abstracts/reports/09sr008.cfm

and perhaps use metrics to help manage & mitigate risk

http://certellus.net/Documents/Code%20Quality%20Metrics%20In%20Mgmnt%20of%20Outsourced%20Devel%20Maint.pdf

The implementation of a QUALITY LEVEL AGREEMENT that is similar to a SLA would help.

http://www.mccabe.com/doc/QualityLevelAgreement.doc

Just a thought

Thomas McCabe Jr. on 02/19/2010 at 11:23
