Landing a contract with the Pentagon is a major win worth celebrating. The procurement process can take months or years depending on what you’re selling. If you play your cards right, you can keep the government as a customer for years to come. It’s a great way to build a business. There’s just one factor to keep in mind.
The Unique Challenge of Working with the Pentagon
Since it spends billions of dollars on contracts, the Pentagon is subject to substantial rules and regulations on how it spends money. Companies that violate these rules can lose their contract and face public embarrassment in Congress. The written rules are just part of the story; you also need to consider some of the unwritten expectations. For instance, if you cause a Pentagon auditor to have concerns, your contract might not be renewed. Alternatively, if you project an image of failing to manage risk effectively, you’re likely to face awkward questions.
What’s Changed at the Pentagon in 2018?
The Pentagon announced in 2018 that it would seek proposals for a multibillion-dollar cloud computing contract. According to Bloomberg, “The effort, known as the Joint Enterprise Defense Infrastructure cloud, or JEDI, involves transitioning massive amounts of Defense Department data to a commercially operated cloud system.” For the companies that win the contract, it’ll be one of the largest cloud computing deals of the decade.
The Pentagon’s newfound enthusiasm for cloud computing is exciting, and contractors may interpret the announcement to mean that they can use cloud computing to a greater degree than before. That means you can cut down your hardware costs and leverage the flexibility of the cloud. However, none of this means that you can ignore the Pentagon’s requirements.
7 Steps to Tighten Cloud Computing Risk and Increase Client Retention
To retain and expand your relationship with the Pentagon and related defense clients, use these risk management steps.
- Review Your Existing Agreements for Technology Risk, Liability, and Reporting
Depending on the nature of your agreement, you might have technology risk provisions in your current contract. Make sure to review the liability, monitoring, reporting, and key performance measures sections of the contract.
Tip: What if you find nothing in your current agreement about cybersecurity issues? In that case, you have the opportunity to take a leading role by introducing cloud computing security monitoring to your program.
- Examine Your Access Governance Tools
Now that you have a better understanding of your contractual requirements, you need to review your access governance tools. Why? What would happen if a summer student, intern, or new hire accidentally started working on your defense account? He or she would be much more likely to make a critical mistake.
To consistently enforce your access governance rules, consider Compliance Auditor.
- Fix Outstanding Password Management Problems
Mismanaged passwords are a significant problem for defense contractors. If sensitive data falls into the wrong hands, soldiers could suffer in addition to your company. If you have pending password issues to fix, don’t wait for your contacts at the Pentagon to question you further. Improving your password management oversight doesn’t have to be difficult.
- Implement a password management solution that empowers staff: When you choose a password solution, make sure you consider the employee experience. Nobody likes to ask the help desk for a password reset. That’s why Password Station supports employee self-service password resets.
- Improve employee password training: Ask your managers to provide an annual training update on password security. We also recommend avoiding traditional “password management” apps because they’re unlikely to meet military expectations. Discover why traditional password management tools give you a false sense of security.
- Optimize Your SaaS License Usage
This is the golden age of software as a service (SaaS). Every month, there are new software products you can use to improve your organization, accounting, and sales. For an organization concerned about security and cost, there’s a downside to this constant innovation. It can be difficult to control how many employees are using all these services.
By using a Single Sign-On solution, you can detect which services are being used and cut down your usage when needed. An underused SaaS service is less likely to be well maintained from a security perspective. Do yourself a favor: save money by scaling back on your underutilized SaaS licenses and reduce your cyber risk at the same time.
- Clarify Roles and Responsibilities for Cloud Computing Security Oversight
Quick question: who’s responsible for cloud computing security?
If you’re like most companies, the answer will be “multiple people.” That means it’ll be difficult to centrally coordinate who does what. Over time, it’ll become more difficult to enforce consistent security practices for each cloud service. Preventing this slow-motion collapse of cloud security is straightforward: give one person overall responsibility for cloud computing security. Next, equip him or her with a powerful monitoring tool such as Compliance Auditor.
- Use Segregation of Duties to Improve Governance
For some of you, implementing segregation of duties may sound basic. However, don’t let that persuade you to ignore this technique. At a minimum, set up three lines of defense. Ask your front-line users to request permission to access Pentagon confidential data. Managers then act as the second line of defense by reviewing access requests to determine if they’re reasonable. Finally, internal audit or the IT department will review the overall state of the program as the third line of defense.
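The three lines of defense described in this step, as an added Python example that is not part of the original post: the workflow class, the role checks, and the sample user names are assumptions, not a vendor product.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    resource: str
    justification: str
    approver: Optional[str] = None
    status: str = "pending"


class AccessWorkflow:
    """Three lines of defense: users request, managers approve, auditors review."""

    def __init__(self, managers, auditors):
        self.managers = set(managers)
        self.auditors = set(auditors)
        self.requests = {}
        self.audit_log = []  # every action is recorded for the third line

    def submit(self, req):
        # First line: the user must ask; nobody grants themselves access.
        self.requests[req.request_id] = req
        self.audit_log.append(("submitted", req.request_id, req.requester))

    def decide(self, request_id, manager, approve):
        # Second line: only a manager decides, and never on their own request.
        req = self.requests[request_id]
        if manager not in self.managers:
            raise PermissionError(f"{manager} is not an approver")
        if manager == req.requester:
            raise PermissionError("a requester may not approve their own request")
        req.approver = manager
        req.status = "approved" if approve else "denied"
        self.audit_log.append((req.status, request_id, manager))

    def audit(self, auditor):
        # Third line: an auditor re-checks every approval against the rules.
        if auditor not in self.auditors:
            raise PermissionError(f"{auditor} is not an auditor")
        findings = []
        for r in self.requests.values():
            if r.status != "approved":
                continue
            if r.approver is None or r.approver == r.requester:
                findings.append((r.request_id, "approval bypassed segregation of duties"))
            elif r.approver not in self.managers:
                findings.append((r.request_id, "approver is not a current manager"))
            if not r.justification.strip():
                findings.append((r.request_id, "no business justification recorded"))
        self.audit_log.append(("audited", auditor, len(findings)))
        return findings
```

The audit step deliberately re-derives the rules from the stored records rather than trusting the approval code path, so a record imported or edited outside the workflow still gets flagged.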
- Report Early and Often During a Cybersecurity Crisis
Face it: defense contractors are a major target for hackers. That reality means you’ll be targeted repeatedly by determined attackers. If and when one of those attacks succeeds, the way you respond will shape your chances of retaining the Pentagon as a customer. If you’ve never suffered a hacking incident, organize a “tabletop exercise” to simulate your response to one. You’ll be amazed at the security gaps you can discover through such a simulation.