Why going small is not always the best cyber strategy [Commentary] Photo Credit: Cpl. Jo Jones/Marine Corps In recent years, there has been a strong push in federal departments and agencies to emphasize the need for awarding contracts to small business. This strategy has been further re-enforced by the Small Business Administration that issues regular scorecards to show which agencies meet predetermined percentage targets for small business contract awards. During my tenure as the acting undersecretary for management and chief acquisition officer at the Department of Homeland Security, I worked closely with our procurement teams to generate a string of “A” grades from SBA in meeting our targets. Today, of the $13 billion or so DHS awards each year, about one-third goes to small business, while about a third goes to medium sized and large businesses each. This has led to DHS being recognized as one of the leading departments in working with small business. There are many places in government where a small business procurement strategy is efficient and effective, yet cybersecurity is not necessarily one of those areas. My experience is that government procurement and program officials are dedicated professionals who seek to craft the best acquisition approach based on the requirements. There are, however, a growing number of instances in cyber contracting where a shift to small business could have a detrimental impact. The pressure to meet small business goals, and the feeling among many that small businesses are more flexible and less expensive, has led to decisions, particularly with cyber contracts, to craft a strategy that is high-risk and counterproductive. There are several considerations that need examination when crafting a successful cyber procurement approach. These include past performance, program complexity, scale, staffing and pricing. Past Performance Demonstrating successful past performance is a key indicator of future success in government contracting. This track record is an important consideration in evaluating which companies can effectively execute often complex federal cyber requirements. Given the sensitivity and complexity of the cyber mission, it is essential that contracting officers carefully weigh past performance in their evaluation criteria. In this scoring process, well established companies with extensive government experience will certainly have an advantage, but the resulting lower risk to the mission is clearly an important consideration given the cybersecurity climate today. Program Complexity Providing cyber defenses in federal agencies has become a challenging and complex undertaking. DHS has been tasked by Congress and the White House with protecting federal networks, while serving as the lead agency for sharing information with the private sector. These vital cyber missions are executed through programs such as Einstein and Continuous Diagnostics and Mitigation (CDM) and centers like the NCCIC and US-CERT. There is only a subset of companies that have the necessary cyber technical capabilities, large-scale integration experience and processes to effectively run these types of programs. Breaking cyber contracts up into smaller pieces for the promise of lower cost and more agility can sound promising, yet these promises often go unfulfilled. In reality, what most often occurs is the government themselves will need to integrate across the pieces, potentially compromising the cyber mission, and stressing an already under-staffed government professional team. When coupled with other emerging technological advancements and qualifications, this will continue to be an area where small business will struggle to compete. Scalability Another area where small business will have difficulty in meeting requirements of the cyber mission is with scalability. Many successful cyber programs that start as pilots or trial runs eventually end up having to be brought to scale. As an example, Einstein 3 Accelerated (E3A) started with a relatively modest number of seats covered, yet after the OPM debacle the political will materialized to bring the cyber protection to all 2 million seats in the federal government. Once the decision was made to expand E3A, there was little time to debate whether or not the vendors would be able to accommodate the request. Immediate action to rapidly scale the capability was an imperative. Staffing It is not hard to see that there is shortage of skilled cyber employees. Professionals in cyber-related fields have many options today. They can work for the alphabet soup of government agencies that work the cyber mission or they can choose an often more lucrative track in the private sector. Large government cyber programs need talented and capable personnel in the seats. Often, that means hiring private sector companies to assist with staffing and capabilities. This can be a very good option if the company has solid internal controls for maintaining high quality, cleared cyber staff who receive ongoing training. Small business often has trouble competing to attract and retain high caliber cyber talent. Pricing One of the regular arguments one hears about awarding to small business is they are just cheaper than some of the larger outfits. In some cases that may be true, but again, in most cyber procurements that may be an illusion. A better metric for government cyber than Lowest Price Technically Acceptable (LPTA) should be Best Value. It is not unusual for smaller companies to low ball their pricing on a RFP with the hopes of winning the award. Once secured, they sometimes struggle to meet the contract deliverables, terms and conditions. This is a dangerous trap door for government procurement officials. They are often pressed to reduce contract cost, while not sacrificing functionality. In too many cases, the government finds out too late that program performance has suffered due to an award to a small business that just can’t get the job done. Conclusion These observations are not meant to slam the small business community. There are plenty of areas in federal contracting where small business is the best choice. Unfortunately, large scale government cyber is not one of those places. Past performance, program complexity, scalability, staffing and pricing all factor into sound federal procurement decision-making. At the start of a new administration, I hope the incoming teams of appointees will take a hard look at how federal cybersecurity is planned, procured and executed to ensure the best results. Chris Cummiskey is a former acting undersecretary/deputy undersecretary for management and chief acquisition officer at the U.S. Department of Homeland Security.