In an ongoing contract with the federal government of the United States or Department of War (DoW), a business will need to stay compliant with the data governance model identified by NIST SP 800-171. During the contract period, to preserve business continuity and operational activities in its exchanges with the U.S. government, the business should hold a challenge to select its contracting partners, including information technology (IT) providers.
As the work ensues, the challenge winners will take on the task of creating unique proofs of concept; after the award phase, these will be integrated into the business workstreams. The challenge that leads to the award will meet the standards of the Federal Acquisition Regulations System (FAR) so as to identify a reputable vendor that can mitigate technology risk on behalf of the organization. In this use case, an IT firm will begin developing and implementing a secure network that facilitates business communication to the highest standard of security and the lowest risk.
Once the secure network is in place, the technology vendor will support software updates, disaster recovery planning, and enablement so the organization can continue its business processes. In action, this business process plan will let the organization develop a staged delivery that is acceptably secure and well suited to supporting the end users or customers of the U.S. government.
Objectives and threats
When evaluating the risk of this project, which is elevated by interactions with Controlled Unclassified Information (CUI) under U.S. and DoW standards and by the contracting of IT services, the focus is on maintaining the organization's business continuity.
In managing the deliverables due for summarizing outcomes and governance plans, the organization will handle all related risks according to this plan: the risk of handling the data, of securing the exchange of information, and of persisting the data through unexpected disasters.
The continuously changing threat landscape in cybersecurity poses growing threats to digital interactions. As an organization connecting to the U.S. government and DoW through digital means, the business must account in its risk planning for handling data in secure transactions protected by the contracted network.
In addition to the risk of cyberattacks, the internal team working with CUI data in its day-to-day workflow poses an insider threat to the organization when untrained in how to use the secure network. Once the network is established, processes focused on mitigating risk through it become paramount, and the organization's employees will undergo training in using the secured processes in their day-to-day work.
Risk tolerance
As a primary risk to the organization and its ongoing contracts, the interactions with CUI and with IT subcontractors, including software, cloud, and network security, will increase the overall business governance required. Lowering the risk through contracting for staff augmentation, with risk transference built into service-level agreements, will improve the organization's overall ability to handle these added risks. These modern arrangements enable business-focused organizations to maintain secure projects with contracted IT employees who fulfill the standards required by the original contract.
Controlled Unclassified Information (CUI) / Compliance:
In handling secure information on behalf of or in tandem with the federal government of the United States or Department of War (DoW), the objective is to sustain compliance measures and keep the data secure. This poses a medium risk that the organization will need to accept and prepare for as a standard of this type of business interaction.
Training processes for handling CUI and business-wide certification will be required to stay compliant with secure data handling practices, including the secure offline network.
Contracting Information Technology (IT):
Through qualification and challenges, the best contractor will be chosen to properly handle the development of this secure infrastructure. The contractor’s ability to collaborate with the business and secure the network will pose a medium risk to the organization.
After completing the secure network, the IT subcontractors will be retained to maintain the platform and perform backup activities, incentivizing them to perform quality work that endures beyond the contract.
Software, Cloud, and Network Security:
When establishing a secure network, cloud computing, and software as a service, there are in-depth standards for configuration based on government compliance. These connection points increase the risk of the data exchange and pose threats to endpoints of the system that allow for the exchange of information. Security groups, firewalls, advanced network intrusion detection, and capabilities like security automation through security information and event management (SIEM) and security orchestration, automation, and response (SOAR) will harden the overall infrastructure.
An established secure system will provide a continuous network for exchanging data with the United States or Department of War (DoW). This network, software, and cloud computing can lead to further contracts with the government when established correctly.
Milestones and responsibilities
When planning the objectives of this project, the major activities will enable business continuity, technical expansion, disaster recovery, and continuous collaboration with the federal government of the United States or Department of War (DoW) on secure projects. These milestones will showcase the capability of the organization and its contractors to facilitate business in a FedRAMP High environment. The following activities will allow for continuous business success at an above-and-beyond standard.
Establishing a training program for current and future employees handling CUI, to mitigate risk when contracting with the U.S. government and DoW. This process can set a precedent for compliance managers, auditors, and trainers that will provide guidance when handling secure information.
Hiring a technical contractor that can facilitate the deployment of secure networks, cloud computing, and software as a service meeting government compliance standards, through a competitive challenge built to focus on compliance, performance, and ability, and that ethically sources the IT solutions in a FAR capacity.
Incorporating a business and IT governance framework that operates through a secure network with an offline demilitarized zone (DMZ) for interacting with CUI data. These standards can be applied to all the software, cloud, and network infrastructure used by the organization to facilitate the federal government contract. Training and maintenance documentation can enable these companies to collaborate and establish maintainable business processes.
Through the process of facilitating this contract, governance should be provided by key roles in the organization that oversee the business, technical, and operational capacity required to meet the key milestones and more.
Project Manager: Maintains the overall schedule, works across the different teams to enable agile delivery and quarterly planning, and handles epic reviews with the customer.
Risk Manager: Oversees the continuous risk tracking with a focus on the accountability of the team handling the tasks from the organization and the subcontractor team managed through a risk matrix.
Business Analyst: Structures the delivery of the project with the project manager to assess the necessities of the requirements provided by the federal government and enables the teams to focus on sprint sized delivery of the work.
Business Consultants: Individuals focused on finance, operations, management, legal, and human resources activities to work with the federal government’s information.
Technical Consultants: Individuals focused on software, cloud, networking, and security that support compliance alignment with the federal government’s requirements.
Resources and fixed assets
As a project of this stature is established and enhanced to support a wider array of services, a core of necessary assets will be required to support the various workstreams. The fixed costs of this project are estimable, since the setup requirements can be built from the organization's previous projects with the federal government of the United States or Department of War (DoW). The variable costs will increase as the system's complexity scales and as new work is added.
Workstations: Computers capable of handling everything from Excel spreadsheets to data modeling, such as the Dell Pro Max 16 Laptop at $1,708.25; for a team of up to 20 members, this would cost $34,165.
Daily Software: Everyday business needs will require Microsoft 365 licenses for each project member at $22.00 a month, which would be $440 a month for the full team and $5,280 a year.
Azure Cloud VPN: Establishing a secure route between the DoW and the organization would require a compliant Virtual Network, which could be established with Azure Express Route, using 1Gbps at $1,186 a month, then $14,232 a year.
Servers: Storing and backing up data would require at least two servers, and four servers could support large capacity and local redundancy; the Dell PowerEdge R570 Rack Server is available for $7,439 and would provide 491 TB of data each, for a total cost of $29,756. The costs of installation and setup, including power and internet, will be covered by the IT subcontractor.
Training: Establishing a training program internally will take up the time of two consultants at $100 an hour; assuming this task will take at least two months to build out, the initial internal training program is costed at 62 days multiplied by 24 hours, or 1488 hours, times $100, for a total of $148,800.
Workforce: In the project planning, the 20 staff members could be paid at a flat rate of $100 an hour, which over a project length of one year (8765.999 hours) is $876,599 per employee, and with 20 employees would be $17,531,998.
Total: With all the above resources accounted for, the fixed cost of this project is the sum of $34,165, $5,280, $14,232, $29,756, $148,800, and $17,531,998, for a total of $17,764,231 for the first year. The cost of setup and depreciating assets would be lower once provisioned, while the variable costs may increase with cloud spend, increased staffing, and additional resources needed to complete the work.
These costs will establish the basis for this project to operate a secure offline DMZ, connecting the organization's office to the DoW through a compliant private connection, and employing staff equipped with the resources needed to complete the project.
Business process plan for Federal Technology (FedRAMP)