In today’s digital world, it’s not hard to find cybersecurity companies and solution providers; literally hundreds exist. Identifying the right one for your agency, however, is much more difficult. The time and effort it takes to sift through and analyze these various cybersecurity tools and their capabilities cannot be overstated. To further complicate matters, even a product that checks all the required boxes may still not be the right choice. For many reasons, agencies often implement inadequate solutions and then suffer the resulting gaps and inefficiencies.
Agencies should work to make a good choice the first time around. While some federal agencies have internal IT and cybersecurity resources capable of doing this in-depth analysis, they should still leverage industry experts who combine security and technology acumen with government system integration knowledge.
I personally follow seven strategies when vetting cybersecurity solutions for our government clients. These core best practices have helped me ensure the cybersecurity tools we integrate into the customer domain not only work as intended, but also comply with the ever-changing landscape of federal regulations and mandates.
The seven practices
- Make sure the vendor and solution are on the approved product list. The General Services Administration maintains an approved product list, and only listed products can be purchased through the Continuous Diagnostics and Mitigation (CDM) program. Some companies neglect to engage with GSA, making their products essentially off-limits to federal agencies even when they meet all of an agency’s requirements. Agencies can direct vendors to have their products added; while not difficult, this adds several weeks to the process.
- Ensure solutions fit the deployment criteria. For example, many federal agencies currently prefer Software as a Service (SaaS) as a cybersecurity deployment model. When vetting potential solutions, however, you have to look at the details behind the claims. A vendor might label a product SaaS when it lacks proper tenant isolation, meaning your data shares a store with other agencies’ data and little stands between it and unauthorized access. You cannot take a vendor’s product description at face value; apply due diligence to confirm it actually meets your deployment and multi-tenancy criteria. Evaluate the vendor’s support options with the same skeptical scrutiny.
- Confirm your budget is sufficient for the stated security requirements. Solution pricing tracks the agency’s deployment requirements directly. While it is easy to require a standalone tenancy, to avoid the risk of sharing a data store with a federal counterpart, does the budget support that requirement? Not only does a single tenancy cost more, but most SaaS providers also charge large setup fees for it. In the initial selection phase, agencies often don’t account for these fine-print charges. Any agency looking to strengthen its cybersecurity posture should first firmly understand its data management and storage requirements and policies. That leads to a more accurate assessment of the needed deployment level and helps determine a sufficient budget.
- Determine data boundaries and the necessary level of FedRAMP authorization. Once an agency establishes its deployment model and associated budget parameters, it must decide whether it is comfortable sending data to a cloud. If the plan includes a cloud solution, that solution will need a FedRAMP authorization at the impact level (Low, Moderate or High) appropriate to the data, and its controls must map to the agency’s own security control baseline. Don’t forget this latter element: FedRAMP authorization alone does not mean the solution meets all of the agency’s requirements.
- Ensure the vendor does not raise any supply chain risk management flags. Agencies need to know as much about the vendor itself as they know about its cyber solution. Ask fundamental questions: Is the vendor foreign-owned? If so, did non-U.S. citizens create the solution in question? How much background checking has the company done on its employees? When reporting an incident, will agency staff be discussing a highly classified system with a non-U.S. citizen? Ask, too, how the vendor secures its own development pipeline, from source control through build and release.
- Determine how difficult the implementation will be. Sometimes an agency procures a cybersecurity solution and learns during implementation that integration with the rest of the agency’s IT ecosystem is far more difficult than expected. Agencies have spent millions of dollars on solutions that never deployed, purely because the implementation effort was too great. It’s critical to understand from the start what level of effort (or difficulty) the agency is willing to accept. It is never easy to implement an enterprise-level cybersecurity tool, but an agency should understand its limits before picking a system.
- Ascertain the solution’s alignment with executive order and OMB mandates. President Joe Biden’s “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), issued in May 2021, established cybersecurity improvement as a priority and directed the Office of Management and Budget to release specific mandates. Most likely, none of those developments took cybersecurity providers by surprise. While many of these vendors are primarily commercially oriented, the ones that solicit federal government work pay attention to that domain and keep their solutions aligned with current and future objectives. So, when vetting cyber vendors and their solutions, analyze their product roadmaps to determine whether they will remain focused on federal priorities and activities.
Vetting vendors is a complex undertaking, but it is not optional for federal agencies that want to spend their budgeted funds wisely and find solutions that truly meet all of their needs. The seven steps above will help you make a prudent choice.