The company said the state's decision to work with multiple companies to provide IT services starting in 2019 is costly and unnecessarily risky.
Alex Koma is a freelance reporter based in Arlington, Va.
Previously, Koma was a staff reporter for StateScoop covering state and l...
As Virginia begins winding down its exclusive IT services contract with Northrop Grumman, the company has announced that it won’t bid on a new deal with the state and blasted the decision to end the arrangement as both costly and risky.
The Virginia Information Technologies Agency, also known as VITA, informed Northrop Grumman of the state’s decision to start disentangling from some services with the company earlier this month, as part of its plan to move to a multisourced system when the contract ends in 2019. Northrop Grumman responded to that news with a sharply worded letter to lawmakers and state IT leaders last week, which was obtained by StateScoop.
The company has served as Virginia’s sole service provider since 2006, and Christopher Jones, corporate vice president and president of the company’s technical services division, expressed concerns that ending that long-standing partnership would endanger the “best-in-class enterprise IT infrastructure” the company helped the state assemble.
“Northrop Grumman does not believe that VITA’s proposed disaggregated sourcing model is in the best interests of the Commonwealth,” Jones wrote. “Northrop Grumman recommends a reassessment of this approach and encourages a transition to a single integrated service provider, even if that provider is a different partner.”
Specifically, Jones believes VITA’s plan to contract with several companies for its services (aided by the work of a third-party service integrator) will “weaken” the state’s cybersecurity.
“Under the proposed plan, system control will be undermined as each service supplier chooses its own technology to use, when to perform updates and which security strategy to employ,” Jones wrote. “This creates an architecture where security becomes only as strong as the service with the weakest posture, at best.”
Jones also said that the state’s “integrated architecture” developed by Northrop Grumman “is not designed to be disaggregated to multiple providers,” and could prove to be very risky for the agency.
Additionally, Jones worries that the decision will have adverse economic impacts on the state. He charged that ending the arrangement would threaten “over 600 Virginia jobs,” and he feels VITA has “significantly underestimated” the cost of starting to disentangle its services from the company.
“Our immediate perspective is that such a change will likely cost the commonwealth between $135 million and $200 million to cover overlap of services, agency labor to support VITA’s transition and the commonwealth’s payment of resolution and exit fees in accordance with the [contract],” Jones wrote.
Gov. Terry McAuliffe asked the Legislature to allocate roughly $4.5 million for that process in both the 2017 and 2018 fiscal years, though lawmakers ultimately agreed to double that amount.
In a statement, Chief Information Officer Nelson Moe defended the move to a multisourced approach as “the result of more than a year of research and study, and extensive input from business and IT leaders from across executive branch agencies” and believes it will help the state save millions.
“VITA has determined that multisourcing services to a variety of providers for shorter periods of time, as opposed to the current 13-year, single-service provider contract, is the best approach for the commonwealth,” Moe wrote. “This permits the commonwealth to contract with multiple providers for specific individual services at market rates with competitive conditions.”
Indeed, the state is following the recommendations of a report prepared by the IT consulting firm Integris Applied and released last November. The group’s analysts concluded that “changes to the commonwealth’s infrastructure services delivery platform are necessary to improve services, pricing and flexibility” after hearing a variety of complaints from agency heads about the current arrangement.
The firm believes that Northrop Grumman’s “pricing is above market rates” and its single-source approach means the state “cannot take advantage of emerging models, such as cloud.”
Accordingly, Moe said the state will move ahead with the firm’s transition plans, and Jones wrote that the company will “cooperate appropriately” with those efforts, though it won’t “participate as the prime contractor in any ongoing or upcoming procurements to replace the current service.”
VITA is slated to spend the next two years issuing bids and doling out contracts to replace Northrop Grumman’s services ahead of the end of the agreement in 2019.
Contact the reporter at firstname.lastname@example.org, and follow him on Twitter @AlexKomaSNG.