The recent establishment of a Cybersecurity Directorate within the National Security Agency is impacting the flow of information and contracting opportunities from the NSA.
That was one key takeaway from the FMA Industry Day keynote address by Tammy Griffith, Cybersecurity Directorate Portfolio Manager, on February 13.
NSA Director General Paul Nakasone ordered the creation of the Cybersecurity Directorate less than a year ago. Tasked with preventing and eradicating cyber threats to U.S. national security systems and critical infrastructure, the directorate stood up in October 2019 and began work on its seven core functions: adversary defeat; nuclear command, control and communications; analysis and mitigation; encryption production and solutions; a Cybersecurity Collaboration Center; critical networks defense; and future and standards.
To achieve that mission across the federal government, the defense industry and an array of essential infrastructure, NSA leaders realized they would need to become both more public and more collaborative.
“One of the biggest things that we are excited about is NSA will be having an unclassified Cybersecurity Collaboration Center,” Griffith said. Similar to U.S. Cyber Command’s Dreamport, the center will bring “industry in to work side by side [with NSA], using commercial and unclassified data to conduct cybersecurity analysis.”
In addition, the directorate will utilize signals intelligence about cyber threats and mitigation strategies to further its mission to harden existing systems and weapons with robust cybersecurity and build that security into the front end of new products and systems.
“We must act in a wartime mentality,” Griffith said. “We need to work across all classification levels…to ensure we build products both privately and publicly that have cybersecurity built into them.”
That collaborative work will include mounting more pilot projects with small clusters of companies and working to expand successful pilots to cover the entire defense industrial base, she said.
Fulfilling that mission also involves providing more information to the public.
“You are going to see Cybersecurity Directorate front and center more often… No longer will we be behind the curtain,” she said.
NSA has already begun to put out more information about cybersecurity issues and threats through releases, social media and mass media. The agency has issued several advisories in recent months, sometimes in conjunction with international partners, that warned of cyber threats from Russia, Iran and other state actors. After discovering a critical vulnerability in Microsoft Windows 10, NSA also alerted Microsoft to the issue, prompting a rapid patch.
Overall, NSA’s reorganization and shifting operations have enhanced contracting opportunities.
During an Industry Day panel discussion of senior acquisitions officials from Fort Meade commands, Diane Dunshee reported that NSA awarded a record 46 competitive procurements in fiscal year 2019 and is on track to match that level in 2020.
“I am really proud to say we met or exceeded our small business goals in ’19, including most of the socio-economic subfactors… We had large jumps in women-owned small business and overall small business numbers,” said Dunshee, NSA’s Deputy Director of Business Management and Acquisition, and Deputy Senior Acquisition Executive. “Over the last three years, we have made 500 awards to new companies [that were] first-time contracts. That’s a really great number. We are committed to bringing in new, small businesses.”
In addition, NSA is awarding more of its contracting budget – nearly 50 percent in fiscal 2020 – on either fixed-price, performance-based or outcome-completion bases, she said.
U.S. Cyber Command, which awarded one contract in 2017, saw its annual number of awards climb above 80 in 2019 and expects to increase awards by 30 percent in 2020, said Quentin McCoy, Acquisition Division Chief.
The command is also seeking to ease its current contracting limits, which cap new contracts at $75 million annually and prevent any contract from extending past five years, in order to “better provide cyber capabilities to the warfighter,” McCoy said.
Contractors, however, will have to prepare for and secure Cybersecurity Maturity Model Certification (CMMC) in order to qualify for federal contracts, said Doug Packard, Director of the Procurement Directorate and Chief of the Defense Information Technology Contracting Organization within the Defense Information Systems Agency.
While subcontractors may only need Level 1 certification, that level of security will be essential to protect national security systems, Packard said.
“If an Iranian attack was going to come in, it would come in at the level of a fourth tier sub that had no controls and a very small part [of a contract], and it would come up that chain to hit the prime and hit the department,” said Packard. “They have figured out that the lowest level is where you attack.”