Push to secure data and systems creates multibillion-dollar market for contractors.
New cybersecurity mandates are certain to drive tech spending for the next several years. What's less certain is the kind of products and services federal agencies will be buying, as well as which agencies will be doing the buying.
In April, the Office of Management and Budget directed agencies to start monitoring continuously and automatically the status of their security controls in the fall. And Congress is pushing to update the oft-maligned 2002 Federal Information Security Management Act to eliminate its burdensome reporting, require real-time monitoring and build security into all technology acquisitions.
"At the end of the day, compliance with cybersecurity goals and initiatives will represent a multibillion-dollar opportunity for the contractor community," says Rishi Sood, a vice president at research firm Gartner Inc.
Estimates on how much the government spends on cybersecurity range from roughly $2 billion to $8 billion a year, depending on how one defines cybersecurity and its range of applications. Some analysts predict costs could grow 5 percent to 8 percent annually during the next several years.
Security concerns are affecting just about every federal information technology initiative from social networking to cloud computing, in which users subscribe to products and services on demand and online from a third party.
The transition to cloud-based servers and storage will take a decade, largely due to security obstacles. "The day when the federal government sends all the Social Security check processing to the cloud is not on the horizon," says Andrew Bartels, a vice president and principal analyst at Forrester Research.
While much of the so-called Web 2.0 technology that supports online social communities is free, agencies often need to add safeguards to comply with security regulations. "If you're participating in a networked environment it may not be exclusive to you," notes Ray Bjorklund, senior vice president and chief knowledge officer for FedSources, a market research firm. "To create a controlled tool and a controlled environment by the government, there's going to be some cost to do it."
The Obama administration and lawmakers are still debating the procedures for purchasing security tools and services. The question is which department or departments will have power over federal cybersecurity, says Stan Soloway, president and chief executive officer of the Professional Services Council, a contractor group. Today, information security responsibilities are split between the White House cyber czar and the Defense and Homeland Security departments. But Congress could rewrite their budget authorities during the next year.
"Right now the cyber requirement is disaggregated- multiple owners and thus multiple buyers. The uncertainty really is around how the cyber requirement and the architecture will look if and when there is a more centralized, coordinated policy, plan and architecture," Soloway says.
Sen. Joe. Lieberman, I-Conn., sponsored a bill to invest heavily in recruiting and retaining federal security professionals to defend against escalating threats.
"The government is going to have to find a way to do something it hasn't traditionally done-maintain high-level cyber skills. The competition for these skills is fierce," Soloway says, hinting the private sector will be supplying agencies with security specialists as well as software for some time.