Driving efficiency while improving federal agencies’ cybersecurity postures


COMMENTARY | A lopsided labor-to-technology spending ratio is just one challenge agencies have to take on.

In this fiscal year 2025, the U.S. government is projected to spend $27.5 billion on cybersecurity across all federal agencies. Of that total budget, the Deltek Federal Cybersecurity Market Report estimates the federal government will spend just $3.7 billion on cybersecurity products — including encryption tools — and $1.8 billion on identity access and management solutions, with the remaining 80%, or $22 billion, spent on a combination of internal government staff and outside contract labor and support. In other words, the federal government is spending, on average, $4 on labor for every $1 invested in cybersecurity technology.

This lopsided labor-to-technology spending ratio is far from typical. A recent survey of over 750 chief information security officers by the National CIO Review found the cross-sector average of spending on labor and support was only 63% compared to 37% for cybersecurity products — including IAM. In short, a federal agency that spends a similar amount on cybersecurity products as a comparable private sector company will, on average, spend more than 2.3 times more on labor. Put differently, a federal government agency will spend 85% more on its overall cybersecurity than a comparable private sector company.

At a time when the Trump Administration has adopted a renewed focus on government efficiency, we need to take an honest look at the root of our current cybersecurity challenges and how the government became inefficient in allocating cybersecurity resources — and the concrete steps we can take to fix it.

Confronting a culture of compliance-driven security

The original Federal Information Security Management Act was enacted in 2002 — and updated in 2014 — and created a compliance regimen requiring federal agencies to develop security programs based on NIST security controls and to be audited annually. As part of FISMA, agencies assess new systems and IT infrastructure to ensure compliance with these security controls and grant authorities to operate (ATOs). FISMA was good legislation when enacted. But, as happens too often in government, good ideas can eventually produce inefficient outcomes if they are not revisited and updated regularly.

In this case, FISMA, and particularly the ATO process, has created a bureaucracy in which compliance has become a significant focus of agency cybersecurity efforts. This has led to the emergence of professional service firms that are invested in preserving the status quo because they generate substantial revenues from helping agencies meet and maintain ATO and other compliance requirements.

How we fix this: Driving measurable cyber outcomes while rationalizing costs

The U.S. Government can take four actions right now that will significantly enhance agencies’ cybersecurity resilience posture while lowering their expenditures on cybersecurity:

OMB and CISA should replace measuring compliance with the ATO process with a small set of outcome performance measures that assess an agency’s enterprise cybersecurity resilience. As one example, two key indicators of cyber resilience are Mean Time to Detect a system breach and Mean Time to Respond to a breach. Given adversaries’ abilities to both find and rapidly exploit vulnerabilities, an agency’s ability to detect and respond rapidly to breaches is the best indicator of its cyber resilience. Disappointingly, MTTD and MTTR are not uniformly measured today across federal agencies.
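The commentary notes that MTTD and MTTR are not measured uniformly. The metric is only comparable across agencies if everyone starts and stops the clock at the same points, so the example below fixes one explicit definition and computes both measures from incident records. This is an added illustration, not code from the original commentary or from any agency; the record layout, the clock boundaries (MTTD runs from estimated initial compromise to detection, MTTR from detection to containment, counted over closed incidents only) and the sample incidents are all constructed assumptions.

```python
"""Compute Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)
from incident records using one explicit, documented definition.

Assumed clock boundaries (not taken from the commentary):
  - MTTD: estimated initial compromise -> first detection
  - MTTR: first detection -> containment, closed incidents only
Medians are reported alongside means because a single long-dwell
incident can dominate the mean, which is exactly the kind of outlier
a resilience measure should surface rather than hide.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    incident_id: str
    compromised_at: datetime           # best estimate of initial adversary access
    detected_at: datetime              # first alert or ticket confirmed malicious
    contained_at: Optional[datetime]   # None while the incident is still open


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed sample records, not real agency data.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", _ts("2025-03-01T02:00:00"), _ts("2025-03-01T14:00:00"), _ts("2025-03-02T02:00:00")),
    Incident("INC-002", _ts("2025-03-05T09:00:00"), _ts("2025-03-05T10:00:00"), _ts("2025-03-05T16:00:00")),
    # Long dwell time and still open: counts toward MTTD, excluded from MTTR.
    Incident("INC-003", _ts("2025-02-20T00:00:00"), _ts("2025-03-10T00:00:00"), None),
    Incident("INC-004", _ts("2025-03-12T08:00:00"), _ts("2025-03-12T08:30:00"), _ts("2025-03-12T12:30:00")),
]


def hours_between(start: datetime, end: datetime) -> float:
    """Elapsed hours between two timestamps as a float."""
    return (end - start).total_seconds() / 3600.0


def resilience_metrics(incidents: List[Incident]) -> Dict[str, Optional[float]]:
    """Return MTTD/MTTR (means and medians, in hours) plus incident counts.

    Raises ValueError on records whose timestamps are out of order, since a
    negative detection or response time means the record, not the SOC, is wrong.
    """
    if not incidents:
        raise ValueError("no incidents to measure")

    ttd_hours: List[float] = []
    ttr_hours: List[float] = []
    open_count = 0

    for inc in incidents:
        if inc.detected_at < inc.compromised_at:
            raise ValueError(f"{inc.incident_id}: detected before compromise")
        ttd_hours.append(hours_between(inc.compromised_at, inc.detected_at))

        if inc.contained_at is None:
            open_count += 1          # still open: no response time yet
            continue
        if inc.contained_at < inc.detected_at:
            raise ValueError(f"{inc.incident_id}: contained before detection")
        ttr_hours.append(hours_between(inc.detected_at, inc.contained_at))

    return {
        "incident_count": len(incidents),
        "open_incidents": open_count,
        "mttd_hours": mean(ttd_hours),
        "median_ttd_hours": median(ttd_hours),
        # MTTR is undefined until at least one incident has been contained.
        "mttr_hours": mean(ttr_hours) if ttr_hours else None,
        "median_ttr_hours": median(ttr_hours) if ttr_hours else None,
    }


if __name__ == "__main__":
    for name, value in resilience_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name:>18}: {value}")
```

On the constructed sample the mean time to detect is about 111 hours while the median is 6.5 hours; the gap is driven entirely by the one long-dwell incident, which is why reporting both, together with the count of still-open incidents, gives a truer picture than a single average.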

Drive agencies to reduce the number of cybersecurity point solutions by implementing modern platforms. Another unfortunate byproduct of the ATO process is that it has instilled an individual system-level orientation to cybersecurity. This complexity is compounded by many agencies’ implementation of point solutions to address a particular system’s cybersecurity posture rather than enterprise-wide solutions that can serve many systems within an agency — I have supported agencies that have products from dozens of different vendors running in their security operations centers. The cybersecurity product industry has been rapidly evolving, and just as we have seen in IT, product evolution is driving toward platforms in which much of the required cybersecurity functionality is provided as an integrated solution that can serve an agency across all of its systems. Such an approach can eliminate point solutions, simplify operations, improve enterprise visibility and response, and ultimately lower cybersecurity costs.

Agencies should deploy AI-based solutions in their Security Operations Centers. Over time, the proliferation of cybersecurity tools in agency SOCs has proven costly and labor-intensive and has led to disjointed enterprise visibility. Over the past few years, leading cybersecurity product companies have developed orchestration, automation and response capabilities that can significantly shorten an agency’s MTTD and MTTR for a breach, improving its cybersecurity resilience. These AI-based tools leverage machine learning, integrate threat intelligence and analytics, and enhance automation and orchestration to significantly reduce the number of human analysts needed in a SOC.

Reform the process for cybersecurity-based procurements, treating it as a national security imperative. Federal agencies urgently need to replace many of the antiquated security tools and systems that lower their cybersecurity resilience, and the procurement process should not impede them. Simply put, federal government procurement cycles do not move at the speed of technological innovation, giving adversaries the upper hand. Agencies need the capability to license and deploy the latest cybersecurity capabilities rapidly, bypassing the traditional procurement processes. Having served as an agency CIO, I saw firsthand how the procurement process can be streamlined and accelerated during emergencies. We need to bring that mindset to improving the cybersecurity posture of federal agencies.

Recent cyber-attacks have made clear that the federal government’s cybersecurity is a national security imperative. This does not mean we should eliminate cybersecurity compliance initiatives entirely, but compliance should not come at the expense of an agency’s ability to invest in modern cybersecurity capabilities. New technology adoption, architected as part of a coherent security platform, can both drive measurable improvements in cyber resilience and meet the administration’s cost optimization priorities.

Richard A. Spires is a consultant and author who served as the chief information officer of the Internal Revenue Service and then the U.S. Department of Homeland Security. He is actively involved in the American Council for Technology Industry Advisory Council, a nonprofit organization working to improve government through the use of technology. He recently served as the Chair of IAC.