Defense Acquisition University
Defense Acquisition Magazine
Financial Management’s Key Role in Cybersecurity
Written by: Stephen Speciale & Kimberly Kendall
September 01, 2018
Cybersecurity and its associated threats are increasing at the speed of light. The Department of Defense (DoD) is no exception. Since the DoD is responsible for our nation’s defense, cybersecurity will remain a top priority.
How do we effectively deter and defeat cyber threats? We must understand the cybersecurity requirements and risks to our systems and utilize the expertise from all acquisition functional areas. Successful cybersecurity risk management necessitates involvement and contributions from all functional areas, not just those within information technology (IT) and engineering.
An article—“Including Cybersecurity in the Contract Mix,” by Kimberly Kendall and William Long—in the March–April 2018 issue of Defense AT&L magazine, outlined the importance of contracting personnel and processes for sound cybersecurity management. This article focuses on the importance of the financial management (FM) community and its associated functions throughout the acquisition process in ensuring that cybersecurity is accounted for. For the purposes of this article, the FM community includes those in cost estimating, budget formulation, budget execution and earned value management (EVM).
Importance of the FM Community
Everything needed to support DoD acquisition programs requires funding—including personnel, materials, systems and facilities. All requirements have a cost. This includes cybersecurity and its associated cost drivers. DoD’s process to determine and allocate funding for requirements is the Planning, Programming, Budgeting and Execution (PPBE) process. DoD Program Manager’s (PM) Guidebook for Integrating the Cybersecurity Risk Management Framework into the System Acquisition Lifecycle [September 2015]—herein referred to as “DoD PM’s Guidebook”—states that “cybersecurity resources will require funding through various types of appropriations, since cybersecurity is considered throughout the full life cycle of the program.” Acquisition teams must fully utilize the FM community to ensure that programs effectively identify and utilize funding based on cybersecurity requirements and associated cost drivers. Figure 1 outlines the major FM functions throughout the acquisition process where cybersecurity must be considered.
Cost estimates link cybersecurity requirements to costs. Estimates are vital not only at program initiation but also for each fiscal year (FY) and for major program milestones throughout the program’s life. Cost estimators utilize the program’s Cost Analysis Requirements Description (CARD), or equivalent document, to recognize requirements and develop costs using appropriate estimation models and methods. Such estimates are integrated into a program’s Acquisition Program Baseline, used to develop program life-cycle cost estimates and as the basis for programs to construct their budget requests for inclusion in the President’s Budget submissions to Congress. Program documents containing cybersecurity requirements and associated risk factors are of particular importance for cost estimators to construct estimates. To address the affordability of cybersecurity, cost estimators should have a broad understanding of the unique cybersecurity cost drivers to ensure that applicable elements are identified and included within a program’s budget. For instance, if a program has cybersecurity requirements with rigorous software development, software testing and supply chain risk management activities, cost estimators must understand the requirements and duration for each requirement to develop realistic estimates. Accurate cost estimates form the basis for all other FM functions.
Budget formulation efforts involve transforming program cost estimates into actual budget requests within budget documents. Why are budget documents so important? Programs cannot exist without funding appropriated by Congress, and budget documents are the way programs request their needed funds. Budget formulation, with assistance from acquisition team members, requires identifying cybersecurity requirements and the associated amounts needed each FY by appropriation. Those budget documents are reviewed by the Office of the Under Secretary of Defense (Comptroller) (OUSD[C]) and Congress. Whereas the OUSD(C) supports the DoD and its programs, Congress maintains responsibility for appropriating funds and providing DoD’s programs with budget authority. The DoD PM’s Guidebook states that programs should include cybersecurity requirements as an identifiable line within a program’s budget. That requirement is critical because budgets must be defendable and written clearly so that the requirements can be understood by stakeholders independent of the program office. If cybersecurity requirements are not properly projected by cost estimators, a program’s budget documents likely will not reflect the appropriate requirements or associated funding.
Budget execution efforts revolve around executing funding, once programs receive budget authority, on contracts or other vehicles as specified in program budget documents. They include the creation and maintenance of spend plans per FY and appropriation to demonstrate how the program will use funding appropriated by Congress. Input from other acquisition team members is required to ensure that the plans are accurate, realistic and incorporate all planned program requirements (including cybersecurity). Spend plans may encompass obligations or expenditures and are tracked against actual execution rates. Actual execution rates and comparisons to spend plans are of significant importance for programs since they are a key measurement for evaluating program performance. They are not only tracked by OUSD(C) but also used by Congress when considering future program budget requests. Execution personnel are key contributors for completing program Select and Native Programming Data Input System (SNaP-IT) reports on IT/cybersecurity budgets. The SNaP-IT reports are another requirement for programs to justify their cybersecurity activities and funding amounts, since programs must report actual spending and future planned spending. Finally, execution personnel can initiate or complete actions (such as submitting unfunded requirements or reprogramming requests) for programs if urgent needs or shortfalls arise, for example, due to emerging cybersecurity threats or vulnerabilities.
EVM is a valuable program management tool for evaluating cost, schedule and technical performance on contracts, including cybersecurity. EVM measures past performance, forecasts future performance and incorporates risk factors to support program decisions. Military Standard (MIL-STD) 881D, Work Breakdown Structures for Defense Materiel Items (April 9, 2018), emphasizes the importance of cybersecurity and the actions that programs should take to better manage cybersecurity requirements. It states that, “Attention must be paid to cybersecurity at all acquisition category levels and all classification levels, including unclassified, throughout the entire life cycle….” MIL-STD-881D provides the structure for programs to identify, measure and report crucial cybersecurity-related costs. It instructs programs to break out specific cybersecurity elements (hardware or software) within the work breakdown structure (WBS) so that those costs can be easily accounted for. If elements are separated within the WBS, as opposed to being commingled with other program requirements, programs will have an enhanced ability to measure actual performance against planned expectations.
Cybersecurity Best Practices
Involve the FM Community.
Acquisition programs can better manage resourcing for cybersecurity requirements if they involve the FM community early and often. Not only should programs proactively evaluate cybersecurity requirements throughout the entire acquisition life-cycle, they should consistently leverage the FM community because of the critical functions its members complete. If FM personnel have no active role or understanding of the requirements and cost drivers, programs risk not having appropriate cost estimates, budgets or effective evaluation capabilities.
Involve All Functions to Identify Cybersecurity Costs.
Cybersecurity cost drivers span all acquisition functional areas. Since cybersecurity requirements and risk factors are unique to each program, acquisition teams should consider all potential requirements at program initiation and each milestone with respect to FY and appropriation. FM functions can only be accurately executed from direct interactions with the other acquisition functions. Table 1 outlines the major acquisition functions and potential cybersecurity cost drivers. Many of these cost drivers are derived directly from the DoD PM’s Guidebook and MIL-STD-881D. This list is provided for illustrative purposes only, as several activities may be shared between acquisition functions.
Effective communication and coordination are required for a successful team-based approach when resourcing cybersecurity requirements. Figure 2 depicts the relationship between the acquisition process (milestone/event driven) and the PPBE process (calendar driven). Cybersecurity requirements and associated cost drivers, like other system requirements, must be included in the CARD and Program Office Estimate and considered throughout the program lifecycle. They shall also be reflected in the PPBE process through budget documents, funds execution/reporting, and evaluation. The durations of life-cycle phases are unique to each acquisition program and determine the number of PPBE cycles executed.
Validate Financial Reporting.
Accurate financial reporting is critical for program success and supporting and defending current and future budgets. In an environment with elevated accountability for taxpayer resources and increased congressional interest in the cybersecurity threat, programs must accurately report cybersecurity budgets and requirements (such as spend plans and SNaP-IT reports). All acquisition functional areas play a key role in ensuring cybersecurity is accurately represented in financial reporting activities.
Leverage DAU Resources.
DAU continues to assist DoD’s acquisition community with integrating cybersecurity into existing processes across the DoD acquisition life cycle. Resources include online tools, courses, articles and specialized training or workshops. DAU’s specialized training has helped numerous programs better understand concepts critical to designing and maintaining cyber resilient systems. Also, DAU’s Cybersecurity and Acquisition Lifecycle Integration Tool outlines the major cybersecurity activities and interaction with existing processes at each phase of the acquisition life cycle in accordance with DoD Instruction 5000.02, “Operation of the Defense Acquisition System.”
FM Community’s Cybersecurity Challenges
Several cybersecurity-related challenges exist for the FM community within programs. First, cybersecurity requirements are relatively new and cost drivers are unique to each program. As a result, cybersecurity cost estimates can vary widely, and minimal historical data increases reliance on assumptions and the application of risk factors. Varying degrees of program complexity with associated cost drivers only further complicate cost estimating activities. For example, developing cybersecurity cost estimates for a legacy defense business system will be vastly different from doing so for a new missile program. One program may have more critical hardware components or unique software algorithms, require more testing and have a longer program life cycle. Unique cost drivers, risk factors and durations can have potentially large impacts on program cost estimates for individual requirements and life-cycle costs.
Second, emerging or changing cybersecurity threats can drive unexpected requirements changes for programs. Combined with the federal government’s calendar-driven budget process, in which programs submit budget requests and later receive appropriated funding from Congress, this creates real difficulties. It can be difficult to define requirements for the current year, let alone several years in the future, since a budget request may no longer match the need by the time the funds are actually used. Challenges will only become more difficult to manage should emerging cybersecurity threats delay the schedule due to technical risk mitigation. That also could wreak havoc on program spend plans, since they are a key performance-tracking mechanism. For those reasons, it is increasingly vital that programs involve FM personnel, as they initiate or complete the various courses of action needed to adjust program funding as requirements change.
Third, it is difficult to measure cybersecurity performance. Whereas typical contract requirements have independent WBS elements, cybersecurity requirements are not always independent elements and are instead embedded within other WBS elements (such as systems engineering, system test and evaluation, and program management). The lack of direct traceability to cybersecurity requirements makes oversight and evaluation difficult for programs, and specifically for the FM community. MIL-STD-881D provides additional guidance to help programs better measure cybersecurity performance.
The impact and dynamic nature of current and future cybersecurity-related threats on our personnel, systems and facilities cannot be overstated. A proactive and flexible approach to deter and defend against cybersecurity threats must involve all appropriate stakeholders; responsibilities extend to all members of the acquisition workforce, not just IT and engineering. Successful integration of cybersecurity into existing acquisition processes, including FM, is critical to the success of DoD programs. FM community personnel, like those of the contracting community, are critical members of the acquisition team and perform vital functions to ensure program success. DoD will not be able to deliver effective capabilities to the warfighter for defending our homeland and allied nations against threats if we do not adequately fund cybersecurity requirements.
Speciale is a professor of Financial Management at the Defense Acquisition University (DAU) South Region in Huntsville, Alabama. Kendall is a professor of Cybersecurity at DAU-South.
The authors can be contacted at