This is a topic I have been trying to raise awareness on for some time. This article covers many of the component and human resource providers, but one that has slipped under the covers is basic IT/Cyber Security purchases. These are the ones done off GSA, SEWP, NETCENTS, etc. Many of the GWAC contracts were originally started for commodity purchases. It did not matter where you got it; the product was the same and you handled how to use or consume it. However, Cyber Security components are part of a system (or should be). And it depends on each organization's value and reliance on Cyber Security. If it's a "nice to have" then it does not matter where you get it. If your SIM, DLP, UTM, APT, etc. is critical to the organization's mission, you had better trust who you got it from, and have a long-term relationship with them. There are so many changes and challenges in deploying, managing, and updating Cyber solutions that there should be a team involved, one with a track record and history of the project and customer. Vendors today do not protect their resellers for the renewals and add-ons into each organization. They have "deal registration" and no price protection for their partners that provided a solution to a particular customer. They just allow an "even playing field" and low bid to guide the purchase - saying that is the law. It is not, but it's easy to hide under. For Tomato Juice or Cement that may be OK. For that APT solution that needs to plug into 5 different other solutions, needs customization for the particular customer, and had several problems in the past (what exactly were those again?), having 4 different vendors on file for the last 4 years' purchases is a recipe for disaster, in my opinion.
I can name off the top of my head many different examples in the Government space where sensitive-to-classified information was compromised because the vendor sent the wrong thing, did not update the customer on an important change, or simply released a press release or said something they should not have. But they did not provide the initial solution, did not do the proof of concept or troubleshooting with the customer, did not become part of the evaluation and deployment team; they just got a renewal for the maintenance or add-on from being the low bidder. And that is who is on record at the agency as who to call. In many cases, they have to call them. And they have no idea of the problem or even who to call at the vendor.
For me, I would never do business with a supplier that does not care who I procure their product or service from. Whether it is my contractor who changes plumbers for each room, or my Firewall vendor that allows a low-bid contractor to get my renewal or upgrade. Cyber Security for me is serious business. But the Government in many cases allows this to happen - saying "those are the rules" or "we can't change that". Actually they can; there are many options available under the law. It's just that most agencies are not aware of what those options are, and they do business with vendors who do not care.
It did not use to be this way, and projects I worked on for 10 years worked pretty well. We overcame the issues - because of our history. But this is not the case today, and it pains me to see so many problems that in my opinion are not necessary.
Just my thoughts. Anyone want to post examples or a counter-argument? Worth a discussion.