The United States possesses extraordinary military firepower and the finest service members in the world. Yet history and current events remind us that American success in war has always depended on the strength of our industrial base. Similarly, the reliability and creativity of our industry hinge on information systems and supply chain security.
History and current events additionally remind us that our foreign adversaries and competitors will do their best to use their strengths against our weaknesses, in ways and to ends different from our expectations, approaches, and wishes. Our foes are not fools. They understand our armed forces are dominant on the battlefield. They also understand that compromising and damaging the industrial base that builds and sustains our military capabilities is a straightforward way to injure our military effectiveness and steer public opinion.
Along these lines, in recent remarks on the defense ecosystem, I shared several observations that are relevant to all federal government contractors and the agencies they support.
The overall health of the government contracting industrial base
Our government contracting industrial base is stressed. There are serious demands on the system. Multiple global conflicts and contingencies – Iran, Ukraine, China, Venezuela, Cuba – demand accelerated and expanded production of weapons and platforms. Equally, the shock to industry has been real in seeing the government’s initiatives to defund agencies, centralize contracting in GSA, challenge prime contractor executive compensation, and audit and decertify small businesses, all while demanding that industry be more innovative in creating new capabilities. Contractors are, more than ever, subject to debilitating uncertainty over the likelihood of episodic federal shutdowns and debt-ceiling interruptions to revenue. At the same time, there are very real tensions between traditional members of the government contracting industrial base, those subject to public quarterly earnings calls or family ownership stakes, on one hand, and new non-traditional and commercial entrants backed by private equity and venture capital funds, on the other.
The compounding effect of these wartime demands, customer dynamics, and internal divisions strains the government contractor industry, rendering it vulnerable.
The most pressing foreign threat
Foreign adversaries pursue two core objectives – theft of designs and data, and injury to production and processes. Industry primes and major OEMs remain key targets for these attacks. However, the greatest risk for the government contracting industrial base lies in the more permeable segments of the supply chain: subcomponent manufacturers, small software vendors, data firms, and new non-traditional entrants. These companies are essential engines of innovation and vital to creating and delivering capabilities to the government customer. But these businesses’ expertise is in building products, not in defeating determined foreign adversaries. Likewise, their internal investment imperatives and incentives rarely favor cybersecurity compliance. As a result, these companies often lack the mature cybersecurity compliance infrastructure that the present and future threat warrants.
Coupled with the threat of cyber-attacks is the overall challenge that even large integrators and OEMs have in achieving adequate visibility into their own supply chains. You cannot secure what you cannot see. This challenge is exacerbated for companies that are newer or deeper in the supplier tiers, where the ability to track the origins and movement of critical components with high confidence degrades.
These challenges put data integrity for the systems that power government-wide missions at risk. If companies in the government’s industrial base are unable to protect critical design, build, and test data, and adversaries can obtain the ability to manipulate code or algorithms, there can be grave consequences.
This applies just as much to a piece of screening equipment at U.S. airports, databases that perform continuous vetting to determine security clearances, or software that protects our energy grids, as it does to warfighting capabilities.
On talent
The government contracting industrial base needs more cleared, technically proficient, mission-oriented professionals skilled in cybersecurity, operational technology (OT), and supply chain risk. Much of the current talent inside government contracting firms is allocated to servicing the Intelligence Community, the Department of War, the Department of Homeland Security, and offices in various Federal agencies. This talent is not heavily allocated to defending the government contracting industry itself, particularly within the lower tiers of legacy manufacturing, small personnel services firms, or technology start-ups. Again, the expertise and experience of these vulnerable businesses lie elsewhere than in cybersecurity.
The imperatives and incentives for these companies are to focus their attention and investments on making their products a success – securing those products against theft, compromise, or injury by a foreign nation is not their leading priority in a sea of priorities.
In response, a tiered model that combines in-house expertise, trusted partners, and external shared services (e.g., SOC/MDR, SBOM automation) is essential for these firms and the federal customers and primes who depend upon them. To an extent, this is how some leading firms already face the problem. Nonetheless, this is also the strategy needed for the bulk of startups, non-traditionals, and small legacy firms who are focused on doing their job with limited resources.
What the Executive Branch can do right now
The fastest gains are likely to come from a focus on practical execution rather than new rules. That means simplifying compliance and scaling support across the ecosystem, specifically to:
- Enforce CMMC Level 2 with support and shared services for small and mid-tier suppliers.
- Converge CMMC, Zero Trust, and SBOM into one coherent framework.
- Expand threat intelligence sharing with simple, adoptable playbooks for the entire supply chain.
- Establish a Federal Shared Services Cybersecurity Support Program for Tier 2/3 and Non-traditional Suppliers (offering managed SOC/MDR, automated SBOM generation and monitoring, and virtual C3PAO assessment preparation support that small and mid-tier suppliers can access at low cost). Fund through annual reprogramming.
- Underscore for contractors that cybersecurity investments are an allowable expense under the Federal Acquisition Regulation (FAR) Part 31 and highlight that cybersecurity expenses should not be factored against firms submitting bids when cost is a key evaluation criterion for proposals.
- Direct the Defense Contract Management Agency (DCMA) and Defense Contract Audit Agency (DCAA) to issue immediate guidance confirming reasonable cybersecurity and supply chain risk management investments (including CMMC preparation, Zero Trust implementation, and basic supplier visibility tools) qualify as allowable costs under FAR Part 31.
- Update FAR Part 13 to allow for fast payment procedures to compensate contractors for cybersecurity expenses before products are delivered.
- Establish a pilot program for expanding fast-payment procedures or progress payments for verified cybersecurity expenditures.
- Request added funding and visibility for university scholarships under the CyberCorps, Cyber Service Academy, and NSA Stokes Educational Scholarship program to further expand the number of cyber students entering federal service – as many of these men and women will later move on to work for government contractors.
A final thought
A Coast Guard captain once told me, “the greatest risk is the one you don’t pay attention to.” The government contracting industrial base is not just a supplier. It is on the front line. For America to deter and prevail, industry must defend itself as vigorously as our armed forces defend the nation.
The security of our platforms, weapons, and data ultimately depends on the security of our information systems and supply chains. Protecting that security is not optional. It is foundational to maintaining the Arsenal of Democracy and ensuring our federal government continues to function with the support of the government contracting industry.
What are your thoughts on strengthening federal contractor cybersecurity and supply chain resilience? How can primes, non-traditionals, new entrants, and federal agencies better collaborate to close these gaps?