Budget and staff pressures are reshaping the federal cybersecurity market

jcjgphotography/Shutterstock.com

A shortage of skilled cyber experts is driving some contract decisions.

Budget uncertainties along with cybersecurity staff shortages are forcing agencies to make difficult trade-offs between securing data and maintaining full and open competition in their cybersecurity contracts with vendors, interviews with industry analysts and contract documents show.

Analysts estimate the nation is understaffed by between 10,000 and 30,000 cybersecurity experts. When the Homeland Security Department or the Pentagon outsource cybersecurity services to contractors, they often pay a premium because they are competing with banks and other computer-reliant industries for the same small pool of talent, procurement specialists say.

“We hear from agencies that those workforce issues start working against budgets,” said Alan Chvotkin, counsel for the Professional Services Council, a contractor trade group. “Professionals in the major leagues or National Basketball Association cost more than folks in the minor leagues. It’s both a budget issue and a workforce policy issue.”

Under pressure, some agencies are extending existing contracts or delaying new awards to avoid disrupting critical services.

On May 15, DHS’ Immigration and Customs Enforcement agency released a legal justification for awarding a cybersecurity contract without an open competition to its existing vendor Knowledge Consulting Group, based in Reston, Va. The firm’s original contract expired April 30.

In defending the decision to forgo an open competition for the work, the justification noted agency officials did not receive clear budget guidance until April, when the Office of the Chief Information Officer determined it would have to reduce the level of effort for information security support services “to align with ICE funding limitations.” “These budget constraints resulted in a significant change in the acquisition planning process thereby delaying and affecting the execution of the internal ICE balanced workforce assessment and other essential acquisition documents,” the justification said.

The new contract with KCG could remain in effect for as long as six months, by which time agency officials expect to complete an open competition for security services, the document stated.

“While there are other companies that have personnel with information assurance skills they would not be able to operate with the same type of efficiency and effectiveness on May 1 because they would need to acquire a significant amount of institutional knowledge from the incumbent” and familiarize themselves with ICE’s business partners and policies,” the document said. “Only one source is capable of providing the services required at the level of quality required because the services are highly specialized.”

Those services include security program management, risk management, and the introduction of new computer security policies and equipment across ICE -- the second-largest federal investigative agency.

KCG is a highly regarded contractor, according to market analysts. The firm earlier this month earned a slot as an auditor for the Federal Risk and Authorization Management Program, the governmentwide cloud security plan known as FedRAMP. KCG has been providing services to ICE since 2008.

Meanwhile, precarious funding and scant talent is preventing other federal agencies from hiring any contractors at that level of competence, according to industry groups.

“Instead of asking for a cyber pro, they are asking for a semi pro -- a journeyman rather than an expert,” Chvotkin said. “They’re reducing the skill levels for job categories and that brings reduced pay for those job categories even if the expectation is the work is going to be the same.”

But other industry analysts are skeptical that the cyber skills gap necessitates limiting free and open competition.

“I think there is somewhat of a shortage, but I don’t think it’s as critical as the author of that memo made it out to be,” said Ray Bjorklund, chief knowledge officer for market research firm Deltek. While the supply of individuals is thin, companies equivalent to KCG are not in short supply, he said.

Other cybersecurity firms may lack institutional knowledge, but agencies usually have the option of temporarily paying a previous contractor to train the new supplier, according to Bjorklund.

ICE “may not have had enough fiscal authority to take some type of concurrent approach,” he said.

The double whammy of scant talent and inadequate time, however, could restrict contract competition, Bjorklund added.

“When there isn’t enough time, and there aren’t quite enough cyber pros to go around, they might need to sole-source to protect homeland security,” he said. “Any agency [that] has any critical mission has to have cybersecurity in place. Time is an issue when you have a limited resource.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.