Federal Risk Management Focus
Last week I was in a discussion with one of FedTrax’ cybersecurity clients, which produces an automated RMF compliance tool, and we got to talking about a prospect in the Intelligence Community that was drawing the distinction between cyber compliance and cyber risk management. I wrote the words down after the presentation:
Compliance is not Risk Management and Risk Management is not Compliance!
Truer words were never spoken in that setting, so much so that I ended up writing a short whitepaper, or informational post, about the difference between the two when it comes to cybersecurity (that’s another read). Then I got to thinking: when it comes to FedTrax clients looking to win Federal contracts, what is it that the buyer is trying to manage? Well, it’s risk, isn’t it? In fact, government decision makers are extremely risk averse, notwithstanding all the bold statements made about needing innovation. If you’ve read any self-development books in the past 30 years, you know that you cannot steal second base while your foot is stapled to first, but that is exactly what the government buyer wants: high innovation, zero risk! That’s why the artificial intelligence (AI) companies don’t understand why their great tools aren’t being scooped up like an FDA-approved coronavirus vaccine. The Federal government wants AI, but it has to be explainable. As Silicon Valley heads implode with disbelief that this is not how machine learning works, this is simply another way that the Federal program is looking to manage the risk introduced by new technology, no matter how cool it seems.
Top Perceived Federal Contract Risks
Here’s a question for you: what exactly is risk? The answer informs Federal risk management practice.
This brings me to you. If you are a Federal systems integrator, management consultant or high-tech start-up that wants to win the next (or your first) big Federal contract and keep winning more of them, you have got to be the company that is seen as the low-risk option. Being the low-risk option gives you a competitive advantage in the marketplace. Truthfully, what you really want to shoot for is to become the no-risk option.
Webster defines risk as exposure to possible loss or injury, danger or peril. OK, no one wants that to happen, and everyone wants to limit risk, so how do we measure it? After all, we all learned in business school (or was it kindergarten?) that if you can’t measure it, you can’t manage it. I’ll submit to you that the measure of risk can be captured by a simple formula:
Risk = Capability X Probability
Risk is the magnitude of the bad thing, the destructive power, multiplied by the likelihood or probability of it happening (security risk frameworks phrase the same idea as impact times likelihood). This holds in every aspect of life. The US Department of Defense makes this calculation all the time with regard to our adversaries. India and the United Kingdom have nuclear weapons, massive capability for destruction, but we believe that the risk to US national security is low. Why? Because we think that their leaders are sane and there is little likelihood that they will actually use that power in a bad way. Based purely on capability, the United States is the biggest threat on the planet, yet probably not too many Australians go to bed every night worrying about a US nuclear strike. So we worry about rogue nation states and non-state actors getting hold of nuclear weapons, even at small capacity, because history has shown leadership instability, downright kookiness, that jacks up the probability part of the equation and raises the risk.
Technical or Delivery Program Risk
This one is obvious. The program manager fears that the selected contractor cannot deliver the goods: either the technology solution doesn’t live up to the hype, or the contractor simply fails to meet the outcomes expected by the program, whatever those are.
As a contractor, why are you risky for Federal programs? In the terms above, your risk is the magnitude of the screw-up multiplied by the chance it will happen. Ever notice that while the government doles out a lot of small business (SMB) contract awards to fill quotas, the smaller the business, the smaller the potential program casualties it is entrusted with? SMBs do not typically get programs where the cost of failure is life or death, specifically because the Feds have some level of experience with SMBs failing. What specifically are they worried about?
Missed Deadlines
In the Federal government or the private sector, missing deadlines for deliverables is costly. You tie up the customer’s money, time and resources in recovering from unmet expectations. Moreover, deadlines exist for a reason: whatever good was to come from the contractor getting the job done on time is delayed, and that delay is an opportunity cost. Government program managers worry about this.
Scalability Risk
How quickly can the contractor take a little program and successfully support it if it grows? An easy example of this is seen in the vetting of new innovation, where the government funds a prototype or proof of concept (POC) technology to see if it works. If it does, they want to transition it to a program of record (POR) as quickly as possible. That may mean ramping up production, hardening things for actual use in the field (think rugged DoD conditions, for instance), or staffing up to support things. Often the business that proves out a capability is not the right one to successfully grow a program across a Federal enterprise.
Cybersecurity Compromise
We started this article with this concern, and it is quickly becoming one of the larger issues facing primes and subcontractors. Every time a large cyber breach occurs in government or industry it is front-page news, costs the victimized party hundreds of thousands to billions of dollars to make things right, and can endanger people and property, both physical and intellectual. Federal data and systems are considered gold, so contractors are rightly being held to increasingly high standards. The DoD is rolling out the Cybersecurity Maturity Model Certification (CMMC) standards at the end of fiscal year 2020, and contractors that don’t measure up will no longer be allowed entry to the Federal dance.
Demonstrating Low Contractor Risk
How can your company become the no-risk option that we talked about earlier, or at a minimum be seen that way in the eyes of the decision makers? You’ve got some persuading to do, and here is a hint: what you say about yourself is almost completely irrelevant. The fact is, Federal PMs will view your credibility through the prism of only two things: third-party credentials and demonstrated actions.
Past Performance
(Technology in a POR, prime CPARS ratings, and subcontractor write-ups ready to go.)
If you have any experience in Federal contracting at all, you know that past performance is a piece of every solicitation. This is the first and most prevalent way that government program managers check you out to manage risk. If you have held a number of prime contracts, you will have CPARS (Contractor Performance Assessment Reporting System) ratings, and those will say a lot. That’s not all. If you have provided software, hardware, other technology or services on a Federal program and it is now operational as a POR, that speaks volumes. Big win, assuming they love what you’ve done. But subcontractors are not left out in the cold even without CPARS. Have solid past performance narratives ready to go, modifiable for relevance to whatever opportunity you are pursuing, with reference to both the prime contractor you worked for AND the government program.
Standards
There is a reason that certifications or levels of competence are a part of most acquisitions, and it isn’t to be onerous to SMBs. They provide some level of assurance that your company has met minimum standards for the certification, usually dealing with your process for getting things done. In Federal contracting, these standards can have multiple levels or aspects. For instance, the Capability Maturity Model Integration (CMMI) certification has five levels ranging from basic to advanced, and many Federal solicitations either require or award evaluation points for Level 3 or higher. A similar check on organizational quality is ISO 27001 certification, which covers information security management; other ISO standards cover manufacturing and quality processes, and a lot more. For cybersecurity, I already mentioned the soon-to-be CMMC certification, whose maturity-level structure is modeled on CMMI.
If you are providing software or cloud services to the government, there are standards there too. Cloud services that are FedRAMP authorized will impress much more than those without it. If you’re looking to sell an application into the DoD, products that are pre-STIG’d (configured to the Security Technical Implementation Guides) to accelerate mandatory RMF (Risk Management Framework) compliance have a much brighter shine than products that the government knows will take months of configuration and control work (and cost) before they can even be turned on. Having a product tested for a Federal environment makes you much easier to do business with.
Visible 3rd Party References
Think of what you brandish on your company website. Do you have testimonials from other government or even commercial clients in print, showing that clients have put a name to their endorsement? How about case studies? There is a reason that you cannot find an online marketplace that does not have reviews available (that supposedly cannot be rigged): reviews help buyers make the decision to pull the trigger and buy. Similarly, it is a good idea for Federal contractors to have a cultivated, pre-approved list of callable references, people who have agreed to speak on your behalf to other agencies. This availability makes your company much less risky in the eyes of a Federal buyer. It goes without saying that any third-party awards your company has won (top-rated supplier, the Malcolm Baldrige National Quality Award, etc.) should be prominent. The more you can show it is others, not you, tooting the company horn, the quicker you can be vetted as the low-risk vendor.
Program Knowledge
This is not an external reference, but it does help credibility. When you demonstrate in your conversations, RFI and RFP responses and other communications that you not only know your product and value-add, but exactly how it integrates with and benefits a government prospect’s specific program, you show that you have at a minimum done your homework. This translates to the perception that if you are hired, the learning curve will be shorter and your insight may give them something beyond the general capabilities you are presenting. Ergo, companies that win government work tend to have their capabilities briefs tailored to agencies and sub-programs. By becoming a meaningful specific, you lower the barrier to entry.