The Biden administration’s national cyber strategy, which came out last week, puts a lot of responsibility on industry. It has a hefty rule-making and legislative agenda to support that. For an early reaction from federal contractors, the Federal Drive with Tom Temin spoke with David Berteau, President & CEO of the Professional Services Council.
David Berteau: The strategy is focused really on the entire nation, not the government contracting community. But as always, it will have major impacts on government contractors and major implications down the road. So it seems, first of all, that there’s a really key dynamic here, which is beginning to shift the responsibility for cyber security to what the strategy calls the most capable and best positioned actors. And that seems to mean, the I.T. community, the cloud providers, the Internet providers, etc. For you and me as private citizens, this might have meaning, but I’m not sure it’s going to shift any burdens away from contractors. In fact, it may complicate those burdens a little further.
Tom Temin: Well, in some ways, cyber security has been, to make an analogy, as if the airline industry required everyone to have their own parachute before you could get on the plane, because anything could happen. But the safety responsibility is not on the passenger. And I think there was a lot of that in here, which, again, is more of a consumer issue maybe than an industrial issue, but that’s spreading.
David Berteau: I liken it more than the airline, too. We’ve all got houses along the road here, and the threat is on the road, but we keep focusing on getting better and better padlocks for the house. We need to actually make it a more secure highway here, on which those houses sit. But for contractors, there’s actually a couple of key things that come into play here. First, there’s five pillars. And those five pillars fall into the categories of defending critical infrastructure and disrupting threats, promoting data privacy, increasing the federal involvement in cyber research and development, which has some very potential valuable implications and more international partnerships. The biggest one, of course, is critical infrastructure. For that, you really have to go back to the 16 critical infrastructure sectors that have already been defined, and they’re pretty broad, but almost all of them impact government contractors in one way or the other.
Tom Temin: Right. So does this change requirements for contractors? Let’s talk about [Cybersecurity Maturity Model Certification (CMMC)] program at the Defense Department. That’s not called out in that strategy, but that seems to be the kind of thing that they’re prescribing more broadly.
David Berteau: Well, this is the real question. Is there overlap? Is there connectivity with other ongoing parts of the federal government that would impact contractors with this strategy? One place that it does mention that connectivity is in the NIST, the National Institute of Standards and Technology’s Cybersecurity Framework, which is in the middle of being updated. They put out a draft a few months ago. They had a public workshop back in February. [Professional Services Council (PSC)] Stephanie Sanok Kostro was attending that. And so we’re looking for what that framework puts out there. It’s not finalized yet, we’re still operating under the old one. But you mentioned the Cybersecurity Maturity Model Certification Programs, CMMC. DoD already has an acquisition regulation issued. It’s been suspended, put on hold. It’s not taking effect, yet. They’re revising it. They’ve been revising it since 2021. It’s now 2023, we haven’t seen a revised rule yet. So you have questions of both, how these things connect? And there’s no indication of that connection in this strategy. And what the timetable is, Tom? Because for two years, DoD has been working on this revised rule. We haven’t seen it yet, maybe we’ll see it this summer and maybe it’ll be something we can comment on. We certainly look forward to that.
Tom Temin: Yeah, that’s a good point, because the CMMC program has been five, six, seven years or something in gestation now, with a reset from when the Biden administration came in. That’s only one rule and there are several. I didn’t count them, proposed rules that could come from this strategy. This as the White House or the OIRA office, Office of Information and Regulatory Affairs, already has a big backlog of rulemaking. And this is a ten-year strategy, it probably needs all of that to get the legislation and rulemaking done.
David Berteau: Well, it may. And the key of any strategy is its implementation, not its documentation. And one of the big questions we’ll be looking at, is there’s an implementation guide that they say is coming out later this summer. That’s going to be awfully late to affect anything that agencies spend money on in this fiscal year, fiscal year ’23. Because by mid-summer, agencies are sweeping up their own obligated funds to use for other purposes. We’ll have an administration budget for FY ’24, will any of it reflect this strategy? The strategy didn’t come out, the budget’s due out in a couple of days. I doubt the strategy came out in time to affect anything in the budget. Maybe they knew it was coming, so they put it in there. That’s one of the things we’ll be looking for.
Tom Temin: We’re speaking with David Berteau, president and CEO of the Professional Services Council. And I wanted to ask you about the ’24 budget. It’s a month late, but that is the new on time, just as the new fiscal year is three months or six months after the official fiscal year. And except for more, what are contractors looking for?
David Berteau: Well, as you know, the release is usually now what they call the skinny budget. That doesn’t mean it’s skinny in terms of dollars, it just means it’s skinny in terms of content. We may get 100 pages or so. We won’t get all the detailed justification material, but we’ll be looking for a few key signals there. You mentioned more, well, is a question of more, but there’s really a question of more for what? So will it be a higher number? Will that number actually incorporate the funds necessary to compensate for inflation? We had this problem a couple of years ago. Each year the administration, and this is not unique to this administration, they try to downplay what they think inflation is going to be, because it makes your numbers look better. But inflation is going to be what it’s going to be. And certainly it looks pretty sticky right now, still at 6% or so per year. Will that be incorporated in there? Will their new priorities be folded into this sort of thing? And this includes some of the priorities, not only from that cyber security strategy, but overall modernization and updates. Does it have the focus on China that we need to have? Does it incorporate the guidance necessary for agencies to know what their priorities are across the board? Plus, of course, it’s just the opening round of a long series of months and months of negotiations that tie back to the debt limit extension and whether there are going to be spending cuts, etc. So we’ll be looking for all of that.
Tom Temin: And tied to that could be shifts, continued shifts in small business strategy and requirements for contracting. Because many officially small businesses, that qualify for set asides, don’t quite align with the [Diversity, Equity, and Inclusion (DEI)] imperatives that seem to be covering everything these days. So are you expecting more shift there in the coming year?
David Berteau: We are awaiting, over 100 executive orders have been signed out by this administration. President Biden’s on a pace of eclipsing all previous records for executive orders. Many of them have a requirement to flow into contracts. A lot of those flowing into contracts, you mentioned the delays from the Office of Information and Regulatory Affairs. A lot of those have been held back, even though we’re in the third year of the administration now. We are expecting some kind of a clause requiring more reporting or more updates on diversity, inclusion, equity and accessibility, as they now call it. But we haven’t seen that, yet. So it could well come into play. I think that the implementation of those through the [Federal Acquisition Regulation (FAR)], is one of the real questions. PSC, of course, constantly comments on these, it points out the disconnect between what your supposed goals are and what your results are going to be. Not just impact on small businesses, but even on companies that don’t want to do business with the government at all anymore. Declining numbers across the board.
Tom Temin: Yeah, so lots of uncertainty then you might say, going deeper into fiscal ’23. And really for fiscal ’24.
David Berteau: It’s probably the number one challenge we have is that uncertainty. Not only, what are we going to get in terms of funding and resources for FY ’24? What are the priorities going to be? Will there be spending cuts tied to the debt limit extension? When will we know what that is? All those uncertainties permeate our business. And one of the toughest things for any company is how to deal with uncertainty, especially with the federal government.
Tom Temin: And on top of that, of course, uncertainty tends to increase during election years and by golly, ’24 is already going to be one of those.
David Berteau: It appears that we move the start date of election cycle earlier and earlier. I mean, Tom, we just finished an election a few months ago, and we’re already high into the 2024 election cycle. What’s that going to mean? Of course, it almost certainly is going to mean that we’ll start the fiscal year with a continuing resolution. One of the concerns is, can we actually reach a full year appropriation at any point in this cycle? Or will we have continuing resolutions off and on? We call them multiple sequential short-term CRs. But ultimately, it could end up being a full year continuing resolution or even longer. That’s a level of uncertainty we haven’t faced much in the past. Election year complicates it, obviously.