HomeGlobal Defence UpdatesWhat new federal cybersecurity policy means for government contractors

What new federal cybersecurity policy means for government contractors


In March, the U.S. government released a new Cybersecurity Strategy authored by the Office of the National Cyber Director.

Split into five Pillars and 27 Strategic Objectives, the strategy lays out a bold vision for defending critical infrastructure, dismantling threat actors, shaping market forces to drive security, investing in a resilient future and forging international partnerships. If fully implemented, this strategy will present businesses in the contracting space with the challenge of increased scrutiny and higher security standards, but also the opportunity to compete for orders and grants aimed at bolstering the nation’s critical digital infrastructure.

The strategy includes several areas of interest for the government contracting community, with the potential for increased funding for various projects as well as the possibility of additional regulation and enforcement.

One section, for example, discusses using federal grant programs to incentivize the creation of critical digital infrastructure. Another expands on the ways that the government could “leverage federal procurement to improve accountability,” but also calls for increased enforcement of security requirements for vendors that sell to the Federal Government. Finally, one provision outlines plans to “reinvigorate federal research and development for cybersecurity” through a variety of federally funded research and development centers.

‘Zero Day’ vulnerabilities

The most controversial section calls for holding software companies liable for producing insecure code. While the exploitation of “Zero Day” vulnerabilities has reached an all-time high in recent years, resulting in sweeping impacts across industry and government, the idea of holding the companies liable for the production of insecure code is a major departure from previous norms. Some have questioned whether the strategy contains enough details to be adequately implemented, while others noted that this objective could reshape how the entire government procures software.

In an effort to emphasize this shift in thinking, the Cybersecurity & Infrastructure Security Agency along with several international partners published Secure-by-Design and -Default Principles in April. This guidance was intended to drive a cultural change in how the technology community views vulnerable software and shift the burden of security onto technology manufacturers.

As part of the rollout for this new way of thinking, the Director of CISA, Jen Easterly, noted in a speech at Carnegie Mellon University that the concept of Secure-by-Design and -Default was intended to shift the burden away from consumers and small businesses and onto the major technology companies. This means that if fully implemented, major tech companies like Microsoft and Google would bear a greater degree of responsibility than the average government contractor, particularly companies classified as small businesses.

Shifting the burden of responsibility is controversial because up to this point major software development companies have assumed that if they continue to identify and patch vulnerabilities, they will be immune to most negative consequences. In fact, Microsoft has institutionalized the idea of routinely releasing updates and fixes to their software to the point that “Patch Tuesday” has been an industry staple since 2003.

However, as threat actors continue to exploit more zero-day vulnerabilities than ever before, the need for secure software has never been greater. 2021 saw the largest number of zero-days exploited in history, with state-sponsored actors leading the way. So far in 2023, criminal ransomware groups have leveraged critical vulnerabilities leading to hundreds of millions of dollars in ransom payments.

In July 2023, the ONCD published a National Cybersecurity Strategy Implementation Plan providing timelines, responsible agencies, and specific guidance for many of the objectives laid out in the strategy. The plan, for example, put the Office of Management and Budget in charge of implementing Federal Acquisition Regulation changes required under Executive Order 14028 by the first quarter of FY24, and called for the Office of Science and Technology Policy to work with a variety of grant-making agencies to prioritize investments in “memory safe programming languages.”

‘Secure by Design’

Neither of these provisions came with fresh funding for implementation. Strikingly, the “Secure-by-Design” provision had one of the weakest implementation plans in the entire document, calling for ONCD to host a legal symposium by the second quarter of FY24 to “explore different approaches to a software liability framework.”

Ultimately, how federal dollars are allocated over the next few Fiscal Years will determine the true impact of the new strategy and implementation plan. While it appears that offices like ONCD and CISA are pushing for dramatic shifts in the cybersecurity landscape, their lack of regulatory and budget authority may hamper the implementation of those plans.

If fully implemented, the strategy would have a net positive effect on the government contracting space by increasing federal investment in secure technology development and reducing vulnerabilities in major software that all government contractors use. It is too soon to tell whether this bold vision for the future can truly become a reality.

Noah Rivers is a research associate at the Greg and Camille Baroni Center for Government Contracting at the George Mason University School of Business.

Have an opinion?

This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET and Federal Times Senior Managing Editor Cary O’Reilly.

Source by [author_name]
#federal #cybersecurity #policy #means #government #contractors



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Aatmanirbhar Bharat


ASMI submachine gun from Hyderabad’s Lokesh Machines Ltd. poised for Army service

In a new development, Lokesh Machines Ltd., a city-based manufacturer known for CNC machines, has achieved a significant milestone with its debut small arms...

A study reveals how India can achieve $5 billion defence export goal

A recent study suggests that streamlining foreign direct investment (FDI), enhancing Research & Development (R&D), and boosting manufacturing capabilities could help India reach its...

AMCA 5th Generation Stealth Fighter Updates

AMCA to be integrated with sophisticated indigenous Distributed Aperture System (DAS) that making it a formidable air asset for the Indian Air Force

Source : IgMp Bureau India’s Advanced Medium Combat Aircraft (AMCA) is on the brink of a revolutionary transformation with the integration of a sophisticated Distributed...

AMCA to incorporate the best features of both 5th and 6th Generation fighters: ADA sources

Source : IgMp Bureau India's strides toward indigenous air dominance receive a substantial boost with the green signal for the Advanced Medium Combat Aircraft (AMCA)...

Most Popular

Recent Comments

Archive Months


Spain to send Patriot missiles to Ukraine, El Pais reports

Spain will send a small number of Patriot missiles to Ukraine, El Pais newspaper reported on Friday, in response to pressure from EU and...

India to offer indigenous weapons to Japan at the upcoming Bilateral Army Exercise

Source : Indian Defence Updates (IDU)Indian Prime Minister Shri Narendra Modi (Left) shaking hands with Japanese Prime Minister His excellency Fumio Kishida (Right) in Tokyo,...

Indian Army wants an ATGM launching WhAP : TATA Kestrel once again the favourite

Source : IgMp BureauIndian Army wants a variant like this with NAMICA turret over WhAP, here TATA KestrelIn an interesting development, the Indian Army...

Eyeing China and Pakistan, MoD clears 6 Netra Mk1A AEW&CS, 3 SIGINT-COMJAMM, and 6 flight refueling aircraft to enhance the capability of the Indian...

Source : Indian Defence Analysis 16th February 2024 was an important day for Indian Defense acquisition as MoD approved some of the important and crucial...
error: Content is protected !!