Blaming The Private Sector


Some would have us believe that the tail is wagging the dog:

“FISMA has… created a ‘cyber-industrial complex’ that feeds at the trough of federal cybersecurity spending and has become so entrenched and powerful that it rules federal cybersecurity with a profitability rather than a best-practice metric… Many agencies are using ‘lowest price, technically acceptable’ contractors to protect some of our nation’s most important and sensitive data.”

The same article suggests that the government should “discharge its contractor masters”.

It’s true that the government relies on contractors. This isn’t limited to the security space, though. The federal government finds contractors cost-effective for the same reasons the private sector does.

Far from calling the shots, contractors are disposable. Contractors are “pre-fired”, and can’t expect any further work if they fail to deliver what their contract calls for.

So long as contractors are used, the profitability metric will be important. That’s the nature of capitalism. It’s the American way, and it’s a deliberate part of the federal purchasing strategy. Nearly all contracts nowadays favor getting the job done as inexpensively as possible. For many purposes “lowest price, technically acceptable” does work, so long as the contracting officer’s technical representative does a good job of determining what the requirements are, and what’s technically acceptable. Yes, that’s pretty hard. Regardless of the quality of the requirements, it’s ludicrous to think contractors are in charge.

