Budget and staff pressures are reshaping the federal cybersecurity market

Budget uncertainties along with cybersecurity staff shortages are forcing agencies to make difficult trade-offs between securing data and maintaining full and open competition in their cybersecurity contracts with vendors, interviews with industry analysts and contract documents show.

Analysts estimate the nation is understaffed by between 10,000 and 30,000 cybersecurity experts. When the Homeland Security Department or the Pentagon outsource cybersecurity services to contractors, they often pay a premium because they are competing with banks and other computer-reliant industries for the same small pool of talent, procurement specialists say.

“We hear from agencies that those workforce issues start working against budgets,” said Alan Chvotkin, counsel for the Professional Services Council, a contractor trade group. “Professionals in the major leagues or National Basketball Association cost more than folks in the minor leagues. It’s both a budget issue and a workforce policy issue.”

Under pressure, some agencies are extending existing contracts or delaying new awards to avoid disrupting critical services.

On May 15, DHS’ Immigration and Customs Enforcement agency released a legal justification for awarding a cybersecurity contract without an open competition to its existing vendor Knowledge Consulting Group, based in Reston, Va. The firm’s original contract expired April 30.

In defending the decision to forgo an open competition for the work, the justification noted agency officials did not receive clear budget guidance until April, when the Office of the Chief Information Officer determined it would have to reduce the level of effort for information security support services “to align with ICE funding limitations.” “These budget constraints resulted in a significant change in the acquisition planning process thereby delaying and affecting the execution of the internal ICE balanced workforce assessment and other essential acquisition documents,” the justification said.

The new contract with KCG could remain in effect for as long as six months, by which time agency officials expect to complete an open competition for security services, the document stated.

“While there are other companies that have personnel with information assurance skills they would not be able to operate with the same type of efficiency and effectiveness on May 1 because they would need to acquire a significant amount of institutional knowledge from the incumbent” and familiarize themselves with ICE’s business partners and policies,” the document said. “Only one source is capable of providing the services required at the level of quality required because the services are highly specialized.”

Those services include security program management, risk management, and the introduction of new computer security policies and equipment across ICE -- the second-largest federal investigative agency.

KCG is a highly regarded contractor, according to market analysts. The firm earlier this month earned a slot as an auditor for the Federal Risk and Authorization Management Program, the governmentwide cloud security plan known as FedRAMP. KCG has been providing services to ICE since 2008.

Meanwhile, precarious funding and scant talent is preventing other federal agencies from hiring any contractors at that level of competence, according to industry groups.

“Instead of asking for a cyber pro, they are asking for a semi pro -- a journeyman rather than an expert,” Chvotkin said. “They’re reducing the skill levels for job categories and that brings reduced pay for those job categories even if the expectation is the work is going to be the same.”

But other industry analysts are skeptical that the cyber skills gap necessitates limiting free and open competition.

“I think there is somewhat of a shortage, but I don’t think it’s as critical as the author of that memo made it out to be,” said Ray Bjorklund, chief knowledge officer for market research firm Deltek. While the supply of individuals is thin, companies equivalent to KCG are not in short supply, he said.

Other cybersecurity firms may lack institutional knowledge, but agencies usually have the option of temporarily paying a previous contractor to train the new supplier, according to Bjorklund.

ICE “may not have had enough fiscal authority to take some type of concurrent approach,” he said.

The double whammy of scant talent and inadequate time, however, could restrict contract competition, Bjorklund added.

“When there isn’t enough time, and there aren’t quite enough cyber pros to go around, they might need to sole-source to protect homeland security,” he said. “Any agency [that] has any critical mission has to have cybersecurity in place. Time is an issue when you have a limited resource.”