Reflecting on the Past to Prepare for the Future of Cybersecurity and Compliance

By Tim Burke, Cloud Product Director, Deltek

Sometimes, when we least expect it, we find ourselves in a situation that reminds us of our own experiences, and we can’t help but reminisce. These moments in time help define how things once were and how they have since changed. As we look forward to the evolution of the government contracting industry’s cybersecurity and compliance regulations, I can’t help but reflect on my own experience in the industry and being a part of that change.

“How long did it take you to learn all the codes and regulations?” I asked the county building inspector while attempting to build rapport and avoid failing inspection of our basement remodeling project. The inspector replied, “I’ve been a master electrician in the field for 20 years and am required to keep current on over 100 national and local regulations that change every three years.” I had read all the local county building codes and heard from many contractors about the gray areas and warnings about moody and inconsistent inspectors and couldn’t help but think, “Were we going to pass or were we going to be delayed?”

During our conversation, I suddenly found myself thinking back to an oddly similar inflection point in my career where Cloud Service Providers (CSP) were required to prove they met industry cybersecurity and compliance requirements on an ongoing basis.

As we look forward to the upcoming launch of the Costpoint GovCon Cloud (GCC) Moderate, it is more important than ever to consider why it is critical to your business operations to stay ahead of these regulations.

Evolution of Cybersecurity Compliance

The Federal Government supply chain is no stranger to cybersecurity challenges; however, the increased level of scrutiny will drive changes in how and where they invest their staff’s time and budgets. In this year’s Deltek Clarity Government Contracting Industry Study, 48% of respondents stated that compliance requirements posed significant risk to their business and more than 64% noted that information technology (IT) and data security continue to be a top challenge. The consequences of failing to comply with compliance requirements can be costly from a financial, growth and reputational perspective, which is why it is important to invest in a solution that can support a firm’s ever-changing cybersecurity and compliance needs.

Prior to joining Deltek, I was part of a CSP that offered secure cloud and single tenant hosted services. During this time, federal agencies and systems integrators required CSPs to meet Federal Information Security Management Act (FISMA) or Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) requirements, including auditing of performance.

Looking back 10 years, as part of that first group of CSPs who achieved a Federal Risk and Authorization Management Program (FedRAMP) authorization, this was the first major shift where the government began to mandate its contractors look to the cloud for efficiency and cost savings. In addition, it became a requirement to select a provider that is trusted and has been vetted by the government to help keep data secure. Not only was this mandate a major change, but for the first time government contractors now had to prove they were meeting these controls and requirements on a regular basis. This “build-in versus bolt-on” security culture was taking hold and the requirement of showing your efforts on a more frequent basis was brand new to many.

The pairing of the Cloud First Mandate and FedRAMP controls provided a real opportunity for government agencies to trust commercial entities to host civilian and even DoD workloads, but only those truly committed to designing, operating and reporting their results on a monthly basis achieved authorization. Government contractors that did not maintain their security and compliance posture had their authorizations suspended, proving the risks and penalties were severe and real.

Looking to the Future

Security compliance requirements have continued to evolve and become more focused and prescriptive, with organizations adopting accepted standards, even in cases where they are not under direct regulatory control. Healthcare followed the example set by the payment card industry and formed their own industry-specific common security framework. The Health Information Trust Alliance (HITRUST) framework was built off of National Institute of Standards and Technology (NIST) and Health Insurance Portability and Accountability Act (HIPAA) foundational controls. Similarly, law enforcement agencies, at all levels, align with the Federal Bureau of Investigation’s NIST-based Criminal Justice Information Security (CJIS) policy, and State Local & Higher Education (SLED) organizations have been adopting FedRAMP controls for years. 

With increasing risk of financial penalties and potential reputation damage as the result of a security incident, the need for security standards continues to evolve. And, with public breach reporting requirements, there is nowhere to hide or downplay the scope and depth of these cybersecurity attacks.

Fast forward to today, government contractors will need to meet Cyber Security Maturity Model Certification (CMMC) framework requirements to pursue any business with the DoD. The following issues remain relevant and are reasons why the DoD developed the CMMC:

1. Cybercrime is big business and U.S. Defense Industrial Base (DIB) organizations manage some of the most valuable information to criminal elements. Cyber criminals are highly rewarded for their activities, and while they can face prosecution (e.g., Department of Justice indictments), they can be difficult to detect, catch and prosecute. This high reward for low risk equation explains the continued growth of cyberattacks.
2. The cybersecurity landscape is continually changing, with threat actors evolving their tactics, techniques and procedures (TTPs). As issues arise, technology vendors and service providers are making changes to counter these moves. The need for guiding compliance standards and frameworks continues to evolve as well. NIST 800-53 R5 was recently released and will likely drive behavioral changes across multiple compliance frameworks in the coming years.
3. CSPs must continually evolve their services, including cyber risk management strategies and security operations capabilities, by driving purposeful innovations that support the industry’s ever-changing cybersecurity and compliance mandates.

As a committed business partner, Deltek continues to evolve our strategies to help customers safeguard their protected data by designing and operating services that align with multiple compliance frameworks. Deltek’s existing Costpoint Cloud solutions currently align with NIST 800-171 standards.  This quarter, we will be releasing the Costpoint GCC Moderate offering, which will provide FedRAMP Moderate equivalent controls, and we expect to align with CMMC Level 3 controls. This new service will provide yet another solution option for customers who need to protect International Traffic in Arms Regulations (ITAR) data in their enterprise resource planning (ERP) systems.

Through Deltek’s Costpoint Cloud solutions, businesses of all sizes can confidently and securely access data within a secure cloud environment that is continuously adjusted to meet the most up-to-date governmental and agency standards.

Learn more about Deltek’s investment in cybersecurity and compliance by watching the webinar Are You Ready For CMMC? Deltek & Baker Tilly Can Help You Get There.

Are you ready to join Deltek on your compliance journey? Click here to get in touch!