2019 Annual Conference Thought Leadership Compendium



Table of Contents

Federal Publications Seminars and NeoSystems | Practical Solutions for GovCon Challenges

Holland & Knight | Megatrends in U.S. Government Contracting

Leidos | The AI Imperative

Parsons Corporation | C2Core MDC2 Multi-Domain Command and Control

Sabre Systems, Inc. | Recruiting Challenges for Critical Cybersecurity Positions

Salesforce | Platforms-as-a-Service: How Government Contractors Drive High Growth Within the Defense Market

Wells Fargo | Government Services: A View from Wall Street


April 2019 | GovCon Security Challenges

Practical Solutions for GovCon Security Challenges

Ed Bassett Chief Information Security Officer NeoSystems LLC

This Thought Leadership Piece is Brought to You by NeoSystems LLC 888.676.6367 | www.neosystemscorp.com and Federal Publications Seminars 888.494.3696 | www.fedpubseminars.com

© NeoSystems LLC | April 2019 © Federal Publications Seminars | April 2019


Practical Solutions for GovCon Security Challenges

By Ed Bassett, CISO, NeoSystems

The Federal Government has been raising the cybersecurity bar for its contractors. These expectations have been codified in regulation, but the practical aspects of meeting them are still not well understood. In a recent panel discussion with representatives from the Department of Defense, the government panelists reiterated their expectation that all contractors who fall under DFARS 252.204-7012 will comply with all of the security requirements – the DFARS clause plus NIST SP 800-171 – all of the time. At the time, my reaction was that reality is really quite far from that expectation. Very few GovCon firms have security solutions in place to consistently address all of the required controls. This is because the security controls being mandated are not a natural act for contractors, especially smaller ones who may have no dedicated security staff. And yet, the Government is looking to expand the current DoD-specific requirements to apply more broadly to civil agency contractors via the FAR. And, two years past the DFARS implementation deadline, audit and enforcement actions are on the near-term horizon.

Everyone mostly agrees the NIST SP 800-171 requirements make good security sense, so why are so many contractors struggling to apply the required security controls?

Firstly, the controls require a level of IT control and discipline that is often not needed for other business imperatives. That is to say, most contractors can get along just fine without the level of formality and process maturity needed to meet the security requirements. This means that security requirements are the primary business driver, and likely represent a significant change to the IT culture.

Secondly, the requirements are not particularly well understood, either by Government COTRs or by contractors. Which specific data needs to be protected? Does a particular technical implementation meet the intent of the regulation? The best practices are in flux and many are in a “wait and see” stance.

Third, and certainly not least, the requirements cover a broad range of security functions that are not easily met by readily available technical solutions that are positioned to be cost-effective to small- and mid-sized contractors. While some of the 110 controls specified by NIST 800-171 are relatively easy to meet with standard commercial IT products, there are many that require specialized security products, each of which needs on-going operational processes to be effective.

As contractors sort through the requirements, perhaps with the help of a consultant to perform gap analysis between their current state and the requirements, the general reaction of executives is doubt as to whether it is even possible – at a reasonable cost – to close all the gaps. Let’s break down these three challenges and explore practical ways to obtain a really solid security posture that meets the regulatory mandates and doesn’t cripple IT agility or the budget. Managed IT service providers, cloud hosting, and security-as-a-service all play a part.

Good security won’t overlay onto bad IT.

Looking at the first challenge noted above, many IT shops are simply not operating with the operational maturity needed to support a strong security posture. For example, if free-wheeling admins are making changes to servers and software without proper analysis and documentation, it will be nearly impossible to meet the Configuration Management requirements of NIST SP 800-171. Similarly, if outdated policies are kept in a dusty 3-ring binder in a back closet, it will be nearly impossible to satisfy an auditor looking for direct evidence that the Security Assessment requirements are followed on a consistent basis.

Look to managed IT services to quickly establish needed foundational IT practices. Most IT service providers rely on consistent, repeatable processes such as standardized build templates, formal change management, and ticket-based work tracking to meet their SLA commitments. And their specific services are contractually committed – meaning there are periodic reports showing adherence to the contract. This level of operational discipline plays nicely with the need to consider security and avoid unintended misconfigurations.

IT outsourcing is not just for large, complex IT shops. And it’s not all about off-shoring (which is generally not an option in the GovCon market). Look for service providers that specialize in meeting federal regulations and are a good match for the size and complexity of your IT operation.

Protect it all or be selective?

As noted above, it’s not always clear exactly which data (and therefore which systems) need to meet federal security requirements. One approach is to bring your entire IT infrastructure up to compliance. While this is certainly the most secure option, it’s not always the right choice.

For businesses that use data provided (or created) under government contract for all or a significant part of their business operations, a holistic security solution is likely the best answer. For those where federal data is a smaller part of the mix, segmentation and isolation will help limit security compliance expenditures to the minimum necessary. Virtualization technology, in particular virtual desktop infrastructure (VDI), is a very attractive way to provide a separate secure virtual workspace where sensitive federal data can be handled without the need to apply the strict federally-mandated controls to your entire network.

One word of warning. If you do decide to focus your compliance efforts on a small segment of your IT infrastructure, don’t forget that the whole corporate network still needs to be secure from the everyday threats we face, even if it is not subject to federal compliance requirements. This will usually be a less rigorous set of controls, but don’t neglect the security of your non-federal elements.


Specialist or generalist?

The required security controls – 110 controls over 14 different control families – cover such a large range of functions that listing them all in a job posting can result in a position that there is literally no one qualified to fill. And while product vendors offer solutions for most any security challenge, most of these technologies require highly specialized skillsets to support and operate.

It is vital to have access to the right skills at the right time. When a firewall is broken, you’ll need a technician qualified on your specific make and model. When there’s an active attack on your systems, you’ll need a security analyst to scrub through the logs and formulate the correct response. The list goes on. No generalist can cover all of these bases. A team of specialists is likely cost-prohibitive and many are not needed on a full-time basis.

Fortunately, it’s fairly easy to buy security expertise on a fractional basis: on-demand and as needed. Managed security service providers offer the needed functions in a cloud-based security-as-a-service model. These services combine complex security technology with mature operational processes and deliver them for a monthly service fee.

Using a cloud-based security service will likely mean transferring some highly sensitive security data to your service provider, possibly triggering the DFARS requirement for the provider to apply “FedRAMP equivalent” security controls. The FedRAMP marketplace (accessible at marketplace.fedramp.gov) lists all cloud service providers that have been successfully evaluated under the FedRAMP program.

The Government’s cybersecurity expectations will likely increase even further as we continue to see targeting of GovCon systems by determined and capable state-sponsored adversaries. These adversaries are using very sophisticated techniques, and are targeting the weak. It’s important to establish a strong security posture. And for most in the GovCon market, that means significant changes to both IT and security.

About the Author: Mr. Bassett is a senior Cyber Security and Risk Management subject matter expert with over 32 years of experience in all aspects of security and privacy program architecture, design, management, and operations. His experience spans Government, Health Care, Financial Services and other industries and includes risk management, program planning, application and software security, security assessments and audits, and security operations. He built and led a global security consulting practice specializing in security strategy, assessment and testing, and managed security services. He has been the principal advisor to many Fortune 500 and government clients on information systems security, responsible for securing their critical information assets for e-commerce transactions, sensitive health records, and classified military communication. Ed is a U.S. Army veteran and a graduate of Clarkson University where he earned a degree in computer science.

This Thought Leadership Piece is Brought to You by NeoSystems LLC and Federal Publications Seminars. NeoSystems LLC, based in Tysons Corner, Virginia, delivers integrated strategic back office services and solutions to enable, run, and secure commercial entities, government contractors, and nonprofit organizations. Utilizing best of breed technology and leveraging in-depth expertise in Accounting & Finance, Human Capital Management, Recruitment Process Outsourcing, FedRAMP Ready FISMA Moderate Hosting (SOC1/SOC2/NIST/DFARS/ITAR), Security, and Information Technology, our team enables companies to improve vital operations, reduce their overhead costs and become compliant with complex requirements. For seven years in a row, NeoSystems has been named one of America’s fastest growing private companies by Inc. Magazine. Federal Publications Seminars (FPS), based in St. Paul, Minnesota, has been the leading provider of government contracts training and education for more than 60 years. FPS offers hundreds of classroom and online courses designed to provide clients with solid, comprehensive opportunities to learn about and understand foundational topics and stay current on critical issues throughout the government contracting market. FPS instructors are nationally recognized leaders in the government contracting industry. For more information, please visit fedpubseminars.com.


MEGATRENDS IN U.S. GOVERNMENT CONTRACTING Eric Crusius | 703.720.8042 | eric.crusius@hklaw.com David Black | 703.720.8680 | david.black@hklaw.com

www.hklaw.com

Copyright © 2019 Holland & Knight LLP All Rights Reserved



Megatrends in U.S. Government Contracting

The following are “megatrends” in federal contracting that cut across industries and are likely to alter the way the Government purchases goods and services. These megatrends signal a coming change in the paradigm for doing business with the federal government and seem poised to drive opportunities and risks over the next several years.

Megatrend #1: The Commercialization of the Government’s Buying Process

• The Government, particularly the Department of Defense (DoD), sees the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) as hindrances to the efficient acquisition of vital supplies and services for the warfighter. Because of that, the Government has been seeking dramatic shifts in how it purchases goods and services:


• The Section 846 E-Commerce Portal: GSA, in association with OMB, is in the process of developing new platforms for the rapid sale of commercial-off-the-shelf (COTS) products to the federal government. While details are still being finalized, these platforms will be run by private industry and will allow for the sale of COTS products under the Simplified Acquisition Threshold without the need for sellers to comply with many terms and conditions that are found in other contract vehicles.

• The Section 809 Panel: under the 2016 National Defense Authorization Act (NDAA), DoD established a panel aimed at recommending ways for DoD to streamline the acquisition of goods and services. In five separate reports (including a roadmap), the Panel found that DoD was not serving the warfighter well and that the Chinese and other geopolitical rivals, unburdened by the FAR or DFARS, were out-innovating us. Because of that, the Panel made a number of dramatic recommendations including: (i) giving DoD the power to purchase a lot of goods and services without issuing solicitations; (ii) washing away a lot of the DFARS and FAR requirements that are onerous; and (iii) moving to a total lifecycle portfolio management model.

• Increased use of Other Transactions (OTs): while the authority to enter into OTs has been present across numerous agencies for some time, the flexibility on the thresholds and use of other transactions has been legislatively expanded recently and DoD is taking advantage. OTs are not seen as government contracts and the parties are responsible for negotiating all terms and conditions.

Megatrend #2: Increasing focus on Cybersecurity and Supply Chain Compliance

While the Government is seeking to commercialize its buying process, it is increasingly concerned with contractors’ supply chains and their ability to thwart cyber threats. Late last year, Congress passed the SECURE Act that will, among other things, set up a Federal Acquisition Security Council. This came on the heels of NDAA provisions that restricted certain Chinese and Russian companies from doing business with the Government or being in contractor supply chains. In addition, we expect DoD to focus on enforcing existing cybersecurity obligations, including DFARS 252.204-7012.

Megatrend #3: A More Open Contracting Process

The Government is focusing on greater engagement with industry. In addition, under previous NDAAs, postaward debriefings for DoD will be more fulsome and allow for post-debriefing questions.


The AI Imperative

Artificial intelligence will strengthen our national defense capabilities, but it must be implemented with care.

The United States has found itself in a “Sputnik moment for modernizing our military,” according to some national security officials [1]. Like the period following the Soviet Union’s satellite demonstration in 1957, we are again in a technological arms race with formidable rivals. Many top defense officials believe China is poised to lead the future of warfare through its open and aggressive pursuit of artificial intelligence (AI), which many consider a linchpin of high-tech conflict in the years ahead. China has devised plans and dedicated enormous resources to meet its stated goal [2] of surpassing the U.S. in AI by 2030. Although Russia lags behind, it has also expressed its intentions to be a player in this race.

1. The Chinese threat that an aircraft carrier can’t stop (https://www.washingtonpost.com/opinions/the-chinese-threat-that-an-aircraft-carrier-cant-stop/2018/08/07/0d3426d4-9a58-11e8-b60b-1c897f17e185_story.html?utm_term=.7dc16be5d165)

2. China's application of AI should be a Sputnik moment for the U.S. But will it be? (https://www.washingtonpost.com/opinions/chinas-application-of-ai-should-be-a-sputnik-moment-for-the-us-but-will-it-be/2018/11/06/69132de4-e204-11e8-b759-3d88a5ce9e19_story.html?utm_term=.9ece38cafcb3)


How should the U.S. respond?

Like aerospace engineering after Sputnik, AI has become one of the top emerging technologies that the federal government is eager to understand and use. However, AI adoption in the national security sector has come under scrutiny by some in the tech industry. A debate is unfolding about whether or not AI should be deployed as an instrument of warfare.

A rift between the tech industry and the Pentagon is a significant problem. To maintain its leadership position, the U.S. military must source the best and most advanced technologies available. Some will be developed by the Defense department, but many will come from the private sector and require integration into the department’s complex IT systems. AI tools are customized for specific tasks all the time, but the commercial industry that creates them often lacks the expertise to integrate AI into national security systems, which often require greater care and more rigorous testing than commercial systems. Leidos, one of the largest IT systems integrators for the federal government, will play an important role in these efforts.

AI is an important field in modernizing the U.S. military, and keeping it from those who protect us would come with serious consequences. New technology always comes with risk, but it’s our responsibility to act wisely. America’s geopolitical adversaries aren’t holding back, with coordinated efforts among government, academia and private industry. To effectively respond to this “Sputnik moment,” the U.S. must do the same.

To illustrate the point, we’ve selected three cases that demonstrate practical AI adoption in national security. In combat teaming, AI helps soldiers make better and faster decisions. In geospatial intelligence, AI accelerates the analysis of overhead imagery. And, in counterterrorism, AI extracts actionable intelligence from seized media. AI adoption in the armed forces is more than just hype. We believe these specific applications add substance to the broader conversation about AI in national security.

What is AI?

Artificial intelligence (AI) is the simulation of human intelligence by computers. AI can refer to machines that exhibit human traits such as logical thinking, intuitive leaps and emotional intelligence. AI can also refer to autonomous systems that perceive their environment and take actions that maximize their chance of success. This is done by mimicking the human brain’s ability to reason over various types of data. AI is now a major source of military strategy because of its power to gain valuable insights from data.


AI and Combat Teaming

The OODA Loop is a decision-making model that stands for observe, orient, decide and act. Though first articulated as a strategy to dominate air-to-air combat in the twentieth century, the OODA Loop was later adopted in other combat operations and even extended into the business world. It became famous for precisely outlining how to win in adversarial environments. AI is poised to improve military decision-making by accelerating progression through the OODA Loop. Decision-making in the U.S. military is often dictated by documented processes. By embedding AI into these processes, decision-makers will be able to act much faster. AI can help observe by processing mission-related data. AI can help orient by adding meaning to these observations and making sense of the data. Human control must be retained, however, to decide and act in combat settings. U.S. military doctrine assures human accountability behind any decision to pull a trigger. Safeguards should remain in order to prevent decision-makers from relegating life-or-death decisions to machines or abdicating responsibility for those decisions.


AI and Geospatial Intelligence

AI is transforming overhead vigilance, a tradecraft known as geospatial intelligence (GEOINT). The world is flooded with raw data collected by satellites, drones and other aircraft deployed around the globe. AI holds enormous power to turn these chaotic data sets into coherence. AI can not only analyze specific images faster, but also identify patterns across a wide range of assets. Applying AI to GEOINT will help decision-makers better understand what is happening on the ground and predict what will happen next, including during relief operations the U.S. military and its allies perform all over the world. As part of an R&D program, Leidos data scientists developed AI-powered computer vision algorithms to identify man-made structures in overhead imagery across Rio de Janeiro, which covers roughly 500 square miles. The team estimated it would take an individual analyst roughly 44 weeks to identify and categorize these structures across the entire city. But the automated solution was so advanced it learned to identify them on its own, reducing analysis time to a matter of hours.


AI and Counterterrorism

Osama bin Laden, the architect of the September 11 attacks and numerous other atrocities, was killed on the night of May 2, 2011 in one of the most important counterterrorism strikes in American history. In an interview [3] following the raid, one of the operatives recalled a member of his team escaping bin Laden’s compound with a computer terminal in one hand and a bag full of electronic devices in the other. Much of the data recovered from bin Laden’s personal devices has been declassified and published under the title, “Bin Laden’s Bookshelf.” But before this data was scrubbed and released, it was delivered to the clearinghouse for data seized on the battlefield. Bin Laden’s data might have the highest profile, but it represents just a tiny fraction of the intelligence seized from terrorist organizations since 9/11. Devices captured in counterterrorism operations frequently provide new insights into terrorist plots, inner workings, whereabouts and motivations. However, extracting actionable intelligence from raw data is an onerous process. AI tools now help analysts automate parts of this process through image recognition and natural language processing, allowing them to keep pace with the onslaught of data they face every day.

AI adoption in the national security sector has only just begun. The volume of military-related data is immense, and finding meaningful intelligence quickly is paramount. The Defense department recently announced its $2 billion AI Next [4] campaign to create “more trusting, collaborative partnerships between humans and machines” and established the Joint Artificial Intelligence Center to “promote collaboration on AI-related research and development among military service branches, the private sector and academia.” In the future, AI can and should do much more to modernize how the defense and intelligence communities interact with data to keep us safe.

3. 60 Minutes Presents: Killing bin Laden (https://www.youtube.com/watch?v=Uzl0GPU0vLE)

4. Defense Department pledges billions toward artificial intelligence research (https://www.washingtonpost.com/technology/2018/09/07/defense-department-pledges-billionstoward-artificial-intelligence-research/?utm_term=.23172e14b327)


C2Core MDC2 Multi-Domain Command and Control


Defining MDC2 and MDO

In its purest form, Command and Control (C2) is defined as a commander’s ability to disseminate commands with the resources and authorities to effectively execute missions, objectives, and tasks. In planning, programming, and acquisition, C2 is often an afterthought to systems development and procurement, courses of action (COA) planning, or assessment analysis. Through the Multi-Domain Command and Control (MDC2) initiatives being championed by all the services, C2 is finally receiving the much-needed emphasis it really requires.

However, the upgrading and sustainment of future C2 capabilities is as much about mindset as technology advancement. General Hawk Carlisle once said, “we need to start building the roads before we decide what type of truck we put on them.” This is a fitting analogy to the importance of standardizing and distributing C2 requirements as a first step in any planning or acquisition process. C2 is not necessarily difficult, but due to the combination of advanced technology proliferation, globalization, its situational dependency, and the desire for casualty mitigation over the last decade, C2 has become increasingly complex. Effective C2 must reach across the spectrum of conflict from Gray Zone engagements to nuclear deterrence, and everything in-between.

In March 2017, General David Goldfein, Air Force Chief of Staff, released “Enhancing Multi-Domain Command and Control…Tying It All Together”. This document stated, “While we dominate the air, space, and cyber domains today, our adversaries have invested heavily in technologies to deny us the superiority we have come to rely upon. To counter this, we must integrate our advantages across these domains in new and dramatically effective ways.” [i] The idea of operating multiple domains simultaneously in an integrated fashion with cross-domain expertise has led to a new, more complex C2 concept, Multi-Domain Command and Control (MDC2).

These contributing factors, linked with the exponential expansion of internet access and social networks [ii], result in rapid dissemination of information, and disinformation, at a global level. This relatively inexpensive influencing capability can be termed Information Warfare (IW), and has seen the rise of weak-state, and non-state, actors manipulating world opinion. The viral nature of social media and sophistication of those operating in the environment creates a dynamic in which the smallest tactical action can have strategic implications, and hence a level of risk aversion toward use of kinetic actions and increase in non-kinetic (NK) options. However, NK operations bring additional levels of risk due to immaturity in the ability to assess effectiveness or potential collateral damage from NK actions. Balancing this low end, in cost and manpower, capability with the growth and proliferation of Weapons of Mass Destruction (WMD), to include Hypersonic weapons, High-Powered Microwaves (HPM), and low observables emphasizes the urgency to develop/enhance a resilient, flexible, scalable C2 system-of-systems for planning, generating, executing, and assessing effects against the full-spectrum of adversaries and adversary capabilities.

The emergence of Multi-Domain Operations (MDO) is a direct result of linking the above operational considerations with the broadly used concept of Anti-Access / Area Denial (A2/AD) where adversary threats seek to force opposing capabilities to operate from beyond their effective range, whether in air, space, cyberspace, on land, or at sea. Specifically, deterring or decisively winning conventional conflicts in the future depends on the ability to attack the anti-access threats where they live, rather than merely protecting friendly forces against their effects. This requires the ability to attack the area-denial side of the problem in a multi-domain construct.
Potential tasks include striking adversary airfields and aircraft prior to launching with cruise missiles, striking or threatening to strike adversary ground-based Anti-Satellite (ASAT) capabilities, targeting adversary cyberspace capabilities, and exploiting communications capabilities. This situation demonstrates another level of complexity in the realm of MDC2 where C2 across all domains must be executable at the tactical edge, potentially thousands of miles into contested battlespace.

Responding to MDO Challenges

The evolving MDO environment is more complex, more contested, and more lethal than any our military has encountered. It creates an increasing need for integration of and operations across the current six established domains: Air, Space, Cyber, Land, Maritime, and Sub-Surface. However, it also demands a deep understanding of, if not designation as a domain for, Information Operations (IO), Electromagnetic Spectrum (EMS) activities, and utilization of Machine Intelligence (MI). MI is a combination of imitation (i.e. artificial intelligence), self-learning, extrospection, and introspection. [iii] Without MI, operators will not be able to look across each of the domains for a solution in real-time, nor will they be capable of assessing probability of success for courses of actions which involve all of the domains while considering all of the next order effects resulting from specific actions. Revolutionary technologies and integration of evolutionary technologies (system-of-systems) to maintain our fragile capabilities advantage in this complex environment is a requirement for success in the MDO environment.


While technologies are the critical enabling component to success in future MDOs, the ability to effectively execute Multi-Domain Command and Control (MDC2) is as much a need for reshaping policies, procedures, and culture as it is a technology issue. The technologies exist for a revolutionary change in how all services execute MDO, but leaders, acquisition professionals, and operators across all the services need to be willing and able to explore and embrace a new highly-dynamic environment filled with ambiguity. There must be a willingness to risk failure in experimentation and training to increase success in conflict. True cross-domain C2 experts are rare, and advanced experimentation and training must be exploited to produce the highly skilled cadre required for this mission set. Additionally, product users and owners must become truly versed in software development and all its facets to better correlate how the new technologies can change often long-standing Doctrine, Policies, and Tactics, Techniques, and Procedures (TTPs).

Due to the proliferation of relatively inexpensive IO, Cyber and EMS capabilities, military dominance is shrinking / has shrunk, and distant Frienemies [iv] a decade ago are now considered near-peers/peers on military, economic, political, and social levels. In September 2015, the Air Force released its Future Operating Concept with the stated objective of, “In 2035 Air Force Forces will leverage operational agility to adapt swiftly to any situation or enemy action. Operational agility is the ability to rapidly generate – and shift among – multiple solutions for a given challenge.” [v] The Army further emphasized the situation in 2017 when it published The Army’s Multi-Domain Battle 2025-2040, which highlights that “Multi-Domain Battle entails collaboration and integration of comprehensive effects and enablers.” [vi] While each service and international partner has a different MDO approach and execution strategy, the overarching concepts align rather closely.

The foundational piece applicable to all Joint and Allied forces is the ability to C2 physical domains and cross-cutting capabilities in a comprehensive, effective, and synergistic manner. Ultimately, creating the level of complexity required to maintain offensive superiority and to minimize adversary actions will require the employment of mutually supporting kinetic and non-kinetic actions. The ability to provide simultaneous cross-domain targeting impacts an adversary’s ability to rapidly Observe, Orient, Decide and Act, (OODA Loop) which in turn enhances freedom of action for friendly forces. Non-kinetic effects, such as Information Operations (IO), EMS management, and Cyber now have equal or greater influence on the landscape of conflicts as kinetic operations, previously considered the touchstone for conflict escalation. Therefore, the ability to collect, fuse, and distribute big data (multi-INT) as operational intelligence, sense the environments (including RF and cyber), and deconflict effects are critical enabling capabilities for the whole of government decision making, operational execution, and economic trade space.

Recommendations for Achieving MDO Dominance

Operators in the distinct domains often effectively coordinate activities to produce multiple varied domain actions in pursuit of an effect(s). However, the collaboration does not exploit truly integrated capabilities from each domain due to lack of cross-domain understanding, correlation of operational and strategic effects from tactical actions, or lack of transparency from multilevel security restrictions. Furthermore, these same factors influence the ability to fuse different types of collection data, or multi-INT, to create actionable intelligence for political and military decision making, operational execution, and economic trade space.



Therefore, new CONOPS need to develop, exercise, and employ an open mindset of how a future C2 system will be acquired, employed, and led to ensure synergistic Find, Fix, Track, Target, Engage, Assess (F2T2EA) operations which utilize all domains. Success will require the most capable and agile technical solutions, such as Cloud Architecture, Machine Intelligence, Blockchain, Quantum, and interoperability through Open Architectures, combined with processes like Scaled Agile Framework enterprise (SAFe). The new agile solutions will allow for changes to policies, directives and TTPs founded in the current capabilities.

As an example, the use of Cloud Architectures minimizes the tyranny of distance since users across the globe can simultaneously share information, visualization tools and assessments. The ability for commanders to maintain regional and global Situational Awareness (SA) and provide increasingly responsive support to other theater commanders, while reducing coordination and potential miscommunications, is a force multiplier. Additionally, COA development and deconfliction at a rate currently unimaginable, with the added advantage of 2nd, 3rd, and even 4th order effects assessment, becomes significantly more attainable. However, the framework architecture must be resilient, scalable, and flexible enough to work on-premise, in a hybrid configuration, or in a cloud, depending on environmental conditions (i.e. Garrison, Tactical Edge, Contested, Denied, etc.). Of course, Machine Intelligence (MI) plays a critical part in MDO operations and in the ability to effectively C2 the barrage of data and actions across a plethora of platforms and options. Additionally, the ability to effectively and autonomously select conventional and non-conventional effects against traditional military targets and supporting infrastructure would revolutionize current C2 paradigms and timelines. MI advancements require technological change, but also changes to Concept of Operations (CONOPS) and ROE, which need their own discussion outside this paper. However, future conflicts will require MI-enabled near real-time decision-making based on adversary actions and on how the other instruments of power are influencing operations. There may be a need for non-attributional effects, or minimization of damage to infrastructure, which would most likely lead to non-kinetic or special operations action. Or, there might be a desire to not directly influence an adversary C2 center at all, but to interrupt its power supply through cyber options where degradation of the center would be a 2nd or 3rd order effect.


However, when interrupting power supplies, it will be critical to minimize spillover to the commercial infrastructure. The consideration of 2nd and 3rd order effects leads to another paradigm shift in MDO operations. An additional C2 challenge exists due to the potentiality of disparate domains being at varied phases of operations. Ideally, the various domains that will be used as effects are desired/required to ultimately de-escalate conflicts. As examples, it might be required to execute a cyber action to prevent a space event, initiate space activities to deter kinetic plans, or conduct kinetic operations to deter nuclear options. Through this paradigm, it is conceivable cyber activities could be operating in a phase III (dominate) construct while kinetic capabilities remain in phase 0 (shaping). In each case, there are significant planning, deployment, and execution attachments to each phase which will dramatically complicate C2 operations. The United States Military is the world’s preeminent force, and some argue it is already executing MDO. Both are factual statements; however, they are also potentially naïve viewpoints regarding the emerging global environment and state of MDO C2. Military and industry teammates are working diligently to maintain and operate a hybrid mix of obsolete C2 tools and evolutionarily advanced products. However, the services need to decide what MDO is, both from a user and an application perspective. For instance, what, if anything, does an MDO leader/operator/analyst want on their screens? What would you require him/her to be able to accomplish, or what tasks or capabilities would you need for them to be able to do which are not easily/readily done today? These are answers which need to be gleaned from a true Secure Developmental Operations (SECDEVOPS) environment.
SECDEVOPS is “the inclusion of security efforts and best practices into the continuous integration and continuous deployment pipeline. It also suggests that security requirements are considered before development to ensure security is included throughout the product lifecycle.” [vii] This ranges from warfighters and software engineers sitting side-by-side in secure software test environments and actual operations to agile, lethal capabilities. The processes must change to minimize large government acquisition processes as well as senior leaders driving solutions based on their views of the problem. The technology needs to be assessable and usable under the Rule of 2s: 2-Star, 2-Bar, 2-Stripe. Therefore, it must be flexible, configurable, and responsive (low latency). Few individuals in any of their missions, tasks or typical workday care about the actual supporting technology or architecture. They care about the applications, analytics and tools available to accomplish the mission. A good example is Google Mail. Other than perhaps a software professional, it is doubtful any Google Mail user cares about the software architecture or hardware required to support operations; they are only concerned that Gmail gives them access to their email via any/all their devices (phone, tablet, computer) and a significant amount of storage. Current data classification levels, IA policies and procedures, and a “culture of no” are what inhibit effective MDO, not lack of technology. Adopting a “security should be good enough” approach (for the mission, application, system) rather than a strict set of policies and compliance reporting, such as the one the Ministry of Justice in the UK implemented for their Amazon Web Services migration, could go a long way to enabling more agile and innovative MDO applications.

Acquiring MDO Solutions

During the Air Force Associate event in September 2018, Dr. Will Roper, Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, had a small group meeting with defense industry leaders and highlighted his desire for corporate teammates to focus on evolutionary, if not revolutionary, capabilities which do not necessarily arrive with “support tails”. This emphasis was primarily focused on software development, and the services have followed this lead with the beginnings of an internal capability to engineer and maintain software code produced by industry partners. This does not mean the military/government should be developing operational software, but they should be able to maintain, manipulate, and adjust software when operational requirements demand. Elon Musk has been a “vocal opponent of intellectual property law maintains they actually harm invention, and he’s acted on that belief: In 2014, Tesla promised not to sue people for using its electric car patents.” The military has a desire for this approach, and correctly so, because it will produce Best in Class capabilities with minimal sustainment requirements. This tangent must be further investigated. Air Force leadership acknowledges that a multi-domain mindset will be a necessary evolutionary change; however, based on technological advances, a revolutionary approach to acquisition and training is required, specifically to meet the significant challenge of keeping pace with technology advancements to support Blue operations and counter Red advances. This means a complete revamping: not just Other Transaction Authorities (OTAs) or Federal Acquisition Regulation (FAR) Section 804, but an acceptance of departing from the established large and small business designations and relationships. This is a team event, and everyone wants the same endgame: a powerful military and a strong nation. There are many business models that can allow this to happen. The better approach is to understand the mission needs so that we (industry) can invest in solutions, which involves developing technologies, maturing offerings and creating partnerships which truly support the Warfighter. Often, government rules, regulations, policies, testing requirements, and lack of transparency drive costs up and cause a loss of requirements’ focus. We (industry) want to partner with our customer to provide the best solution to meet mission needs. Through more open dialogue and industry outreach, we can better focus our investment on cutting-edge future mission requirements. Good people from all sides are working hard to overcome established hurdles. Finally, products and solutions which often provide innovative paths forward are not unique to a particular academic, government, or industry (commercial and defense) organization or subset. In fact, each of these contributes unique insights and expertise necessary to maintain a Warfighting edge in planning, execution, and assessment of combat operations. This nation has brilliant, dedicated individuals working to serve the through creation of innovative products and capabilities. Let us open the aperture, level the playing field and truly compete using Best of Class regardless of company, industry, or relationship to provide the tools to create, train, and support cross-domain Warfighters.

i. https://www.af.mil/Portals/1/documents/csaf/letter3/CSAF_Focus_Area_CoverPage.pdf , March 2017

ii. https://www.statista.com/statistics/278414/number-of-worldwide-social-network-users/ : In 2019, it is estimated that there will be around 2.77 billion social media users around the globe, up from 2.46 billion in 2017

iii. https://www.shield.ai/content/2018/9/13/what-is-machine-intelligence

iv. Frienemy is a colloquial term to identify a relationship between two parties which is tense and competitive, but collaborative when mutually beneficial.

v. The Air Force Future Operating Concept (AFFOC): A View Of The Air Force In 2035, September 2015

vi. Multi-Domain Battle: Evolution of Combined Arms for the 21st Century 2025-2040, December 2017

vii. https://www.cspi.com/devsecops-vs-secdevops-blog/



Count on Parsons

For more than 30 years, Parsons has delivered cybersecurity and physical defense services that have protected our nation’s most sensitive information and critical infrastructure. This experience is enhanced by more than 70 years of experience in the design, construction and management of vital assets around the globe. As a trusted partner to commercial organizations, and federal, state and local governments, Parsons and its team of OT/IT experts stand by to deploy leading professionals, processes and technologies to address the full spectrum of risks to your business.

Contact us

Drew Decker
VP, Mission Software Factory
Direct: +1 719-452-7201
drew.decker@parsons.com

Jay Lennon
Director, Business Development
Direct: +1 719.452.7297
jay.lennon@parsons.com

5875 Trinity Parkway, Centreville, VA 20120
www.parsons.com

Please email us at: drew.decker@parsons.com
© Copyright 2019 Parsons Corporation. All Rights Reserved. EXIM APPROVED 723


Thriving in Times of Change

Recruiting Challenges for Critical Cybersecurity Positions

Robert J. Hanley
Vice President, Cyber Solutions and Engineering

Abstract

Cybersecurity is one of the most pressing issues across all sectors of Government, industry and academia. Meeting the demands of protecting your organization requires skilled and experienced cyber-professionals. Unfortunately, the demand for people with these skill sets far exceeds the supply. As a result, every organization, regardless of the sector, must develop a recruiting strategy that will enable them to compete for the services of this talent sector. This strategy must include close collaboration with:

▪ The customer to understand requirements and expectations.
▪ Academia to influence the educational curriculums that will ensure delivery of a workforce ready to contribute from day one, and
▪ The Government (who may also be the customer) to understand laws, regulations, and policies that may impact the pre-requisites for cyber positions.

A focused plan will make any organization more competitive in recruiting and retaining skilled people in this talent pool. This paper highlights some of the strategic initiatives organizations must take to meet their cybersecurity goals.

The Challenge

There are currently about 315,000 cybersecurity vacancies across the United States and about 715,000 filled positions. Roughly 30% of all cyber positions are unfilled in the United States (Source: https://www.cyberseek.org/heatmap.html). The supply/demand ratio for the cybersecurity workforce is well below the national average for all jobs, making recruitment a challenge and, in some cases, impossible if steps are not taken to overcome this obstacle. The entry level cyber certification requirement is typically a CompTIA Security+ certificate. Fortunately, most cyber-professionals obtain this early on in their careers and sometimes as part of their initial employment (as part of a weeklong boot camp). That is not the case with most other desired/required certifications such as CISSP, CISA, or CISM. These positions have a negative supply/demand ratio - more positions than certified workers. Understanding these metrics nationally, regionally, and locally is the first step to developing solutions.

Focus Areas to Meet the Recruitment Challenge

Every organization needs to develop a plan to recruit these hard-to-get skill sets. Sabre formed a Joint Cyber Development Group with representatives from Government, industry, and academia (currently 18 colleges and universities participate, with more being added each month) in 2017 to attack these recruitment issues for not only cyber talent, but also for secure software coders, since these two disciplines are often connected and both are hard-to-fill skills. We have had 100% success filling cyber positions since addressing the recruiting issues with this group after establishing key focus areas to tackle these issues head-on. The ten main focus areas we found you must consider to meet the recruitment challenges are:

1. Understand your geographic supply/demand challenges for the positions you are targeting for recruitment. Know what you are up against.
2. Develop outreach initiatives that create partnerships with academic institutions, trusted industry partners, and Government. Be competitive for local talent and work to “grow your own”. Retention is typically higher with local talent.
3. Clearly understand the position requirements you and/or your customer have. Do not try to recruit a PhD when an entry level skill set is all that is required. Also, if you think the skills/experience requirements are too high, you need to address that up-front or you may end up with an unfilled vacancy for a long period of time because the position was over-specified.
4. Make sure the contract/work requirements that address the skill sets are written clearly. This is a common problem across the cyber industry.
Many contract requirements are written by non-cyber professionals and this can also result in unobtainable recruiting goals.
5. Understand the workarounds/substitutions for hard-to-fill skill sets. Degrees can sometimes replace certifications. Hands-on experience can complement educational achievements (example: some positions could be posted with a BS/BA requirement or AA plus 2 years’ experience or High School plus 6 years’ experience).
6. Form partnerships with academic institutions in your hiring region. Most colleges and universities will adjust curriculums to meet industry/Government requirements. They also work with STEM programs, which can help in the “grow your own” process. Some colleges are now adding boot camps in their programs to enable students to obtain some entry level certifications before they graduate.
7. Identify the recruitment challenges you have in your hiring region. Supply/demand is just one part. Many millennials (which is the largest supply area in cyber) have requirements other age group workers do not require or demand. This includes telework, higher starting salaries, more personal time off than the average industry standards typically offer to start, etc. Cyber-professionals are in such high demand that they are drawn to jobs that interest them (like cloud engineering, gaming, etc.). Working cyber for the DoD in a secure vault with no access to their cell phone for long periods is NOT an attractive position for many cyber workers. You must have a strategy to lure these workers to these hard-to-fill positions. You must “sell” these jobs better.
8. Understand your retention challenge. Cyber millennials have easily portable skills. They take their 401(k) with them. Make them understand their value and make them an integral part of your organization. DO NOT PIGEON HOLE THEM! They will leave when they get bored. You must make the job interesting, diverse, and include growth potential. Why spend $50K to recruit a cyber-professional only to have them lured away for $10K more by another company? Pay the $10K and save yourself $40K in trying to recruit another cyber-professional.
9. Understand the security clearance challenge if the candidate requires this level of access. Does the position really require a clearance to start? If yes, get it started right away; current averages are about 45 days to get an Interim Secret Clearance. Do not over-specify the security clearance requirements or you may end up with a position with unobtainable pre-requisites.
10. Hire interns. This is a great way to grow your own at low cost and if you allow students to work during the school year, you can meet experience requirements before they graduate. You can also start the security clearance process and have that done before they become full-time.

The Secret to Success

The supply/demand ratio is not going to magically fix itself. Organizations are, for the most part, competing for existing talent already employed by another group. That is even harder in California, Texas, and the mid-Atlantic region of the United States. These areas have the worst supply/demand ratios for cyber hiring managers. The focus areas noted above provide a roadmap to help attract, hire, and retain cyber-professionals. But there are other considerations that you need to explore. Universities like Virginia Tech, Temple, Drexel, Arcadia, and the College of Southern Maryland have outreach programs to bring students into cyber programs and develop them through partnerships with organizations, either through paid internships or academic tuition assistance that also bring work commitments for the students after graduation. These outreach programs also work with STEM programs and with under-resourced students who have the aptitude and desire to become a cyber-professional, but cannot afford the formal education.
Organizations that work with colleges and universities to reach down into the future work force build trust and loyalty that will pay dividends when they graduate and join your workforce full-time. These candidates tend to stay with the company that helps them achieve their success for longer periods of time, giving the hiring organization a huge return on their investment. Starting salaries for cyber graduates can exceed $100K/year. However, STEM participants that go through outreach programs with corporate sponsors will typically accept much lower starting salaries because of loyalty and appreciation. Good will goes a long way. The Navy has been doing this for years through programs like PATHWAYS. Here, the Navy brings in interns during college for summer programs at about $12-$14/hour. They also pay partial tuition. This comes with a commitment to work a minimum of three years for the Navy after graduation. Their starting salaries are below national averages but these graduates tend to stay working for the Government for extended periods of time because of the relationship they have built with the Navy for years before becoming full-time. You must introduce programs like this to be competitive!

Conclusion

Not finding cyber qualified people to work for you? How many of the focus areas above are you working on right now? If none or few, no surprise you cannot hire enough cyber-professionals. If you have had little or no success recruiting these cyber-professionals, you need to re-focus. You need to put a plan into effect to not only lure qualified candidates away from other organizations, but to also begin a program to grow your own. Look at college football. They are now beginning the recruiting process as early as Pop Warner football or as freshmen in high school. Why? Because the competition is extremely high to recruit the best of the best and the supply for this level of talent cannot meet demand.
Do not be left behind with an unfilled position(s) and no candidates. Get focused!



Platform-as-a-Service: How Government Contractors Drive High Growth Within The Defense Market


From systems integrators to manufacturers, aerospace and defense contractors are facing fierce competition with the largest federal contracting agency, the Department of Defense (DOD). Securing business with defense agencies is growing harder because of complex acquisition processes, pressure for low-price bids, and a growing need within government for systems services that provide easy and continuous support.

As a result, some companies are consolidating to secure more market share. Another key step to deliver value to the DOD is to enable all members of a contracting organization to continuously focus on customer success. To better serve defense agencies, government partners must learn how to use technology to support changing mission demands and customer expectations. Defense agencies face the same challenges. In November 2017, U.S. Deputy Defense Secretary Patrick Shanahan directed the DOD to adopt cloud platform services to align technology with complex mission sets. To help the DOD meet this objective, contractors need to deliver best-in-class services, from business development to supply chain management. To enable growth within the DOD market, contractors are turning to Platform-as-a-Service (PaaS) as a means to offer more value to government clients, gain greater visibility into resources, and increase profitability. PaaS gives contractors a strategic advantage in a tight, consolidating market where achieving real growth hinges on being able to adapt and evolve quickly. By embracing PaaS in their own organizations, contractors are positioning themselves to be the DOD’s trusted partner.

Improving Internal Operations

There is currently a new focus on High Productivity PaaS, or HPA PaaS, which provides the speed, agility, and acceleration needed for users to quickly bring concepts to reality; test and deploy them; and see business value faster. All the elements that go into developing applications are provided in no-code, low-code, and pro-code environments, from logic mapping to security. With HPA PaaS, organizations simplify, improve, and automate processes, as well as leverage data in more integral ways. While the concept of PaaS was first created by Salesforce in 1998, HPA PaaS is the latest evolution. It combines data and intelligence with powerful ways for system users and customers to engage with each other. HPA PaaS empowers everyone, not just IT specialists, to focus on and improve mission outcomes. Organizations very quickly identify and produce applications they or their customers need. How does HPA PaaS improve a contractor’s internal operations? Every government contractor competes essentially on price, and price is largely based on the cost of doing business. Speed and efficiency in operations translate into more effective pricing and more business. For any company, business operations are a series of workflows that people move information in and out of. With HPA PaaS, organizations not only move information faster by accelerating and streamlining time-consuming or duplicative workflows, they realign infrastructure-focused IT departments to teams that focus on rapid application development. At Salesforce, clients roll out solutions within days or weeks, resulting in significant efficiencies, savings, and profit margin. A business leader knows whether or not his or her systems and processes are working. Oftentimes, even if a system is delivering its basic business purpose, leaders almost always look to improve and maximize efficiency. In these cases, organizations should consider PaaS first. It is absolutely the most efficient and most effective way to move systems forward and to digitally transform.

Delivering Value to Government

HPA PaaS also accelerates delivery of external products. For systems integrators in the business of providing IT solutions to government, developing apps with HPA PaaS drives greater value. For contractors on a fixed price contract, the faster the right systems or solutions are delivered, the more profitable a contract becomes. More and more government agencies are requesting contractors deliver capabilities that can be repurposed to minimize maintenance costs. HPA PaaS allows contractors to meet agency requests.



For manufacturers it’s all about delivering high-quality products and services efficiently, often through complex supply chains. PaaS streamlines major functions, such as procurement and partner management. One key element is a platform that delivers no-code, low-code, and pro-code options. What this means is contractors have the ability to hire and leverage teams with varying technical skills to deliver, repurpose, and scale solutions. The platform brings the agility, speed, and efficiency companies need for high growth. Another important element is innovation – something that Salesforce invests in constantly. In addition to providing all the infrastructure, networking, security, and development environments, Salesforce regularly introduces game-changing advances in technology. For example, Salesforce has built artificial intelligence into the platform so that users continuously gain business insights. Innovation is introduced through seamless updates that take place throughout the year – keeping all customers on the same version of Salesforce while preserving any customizations they may have. With today’s cloud technology endlessly evolving, customers are prepared for the future of doing business with government.

Implications for A&D Contractors

The DOD is all about speed, agility, and acceleration. Roughly two decades ago, the DOD had a program, called Velocity Management, that focused on logistics. It emphasized the concept of moving material and personnel into combat faster and faster, like deploying a battalion of the 82nd Airborne Division anywhere in the world in 18 hours or less. So how does the DOD move faster to accomplish objectives? And how does it move with more efficiency? By removing extra mass and weight from the equation. Cloud does that and the DOD recognizes it. The DOD no longer can afford the old way of doing business. There is always going to be a time where the DOD needs data centers, servers and networks, but there is no equivalent to cloud in terms of the ability to move quickly and efficiently to meet mission objectives. Additionally, traditional long-term system environments and slow acquisition speeds hinder the DOD’s ability to reach its goals. The established path of buying software and placing it into a data center comes with many complexities such as managing an entire environment, meeting security requirements, and establishing networks. To further complicate the process, every department has its own acquisition requirements. This process takes time, costs money, and results in losing sight of objectives. With cloud, departments go back to focusing on process, insights, and mission.


In order for government contractors to effectively consult and advise the DOD on cloud strategies, they must keep pace with today’s latest technology offerings. Currently, a large number of government contractors are using cloud or moving to the cloud for different business functions and processes. Salesforce has assisted contractors who want to modernize business process with cloud-based HPA PaaS. Because Salesforce has already built the architecture, implemented security requirements as set by the DOD Cloud Computing Security Requirements Guide, and expanded capabilities over the years, contractors may get ahead of the curve quickly. Contractors have an opportunity here. For contractors embracing cloud, they have the ability to become trailblazers – particularly for the DOD.


These early adopters can learn how to monetize cloud systems and services for government agencies and will set the course for other contractors to follow. There will always be a world with traditional on-premise environments, but more and more requirements are going to be for cloud. Contractors that understand cloud – that have shifted their workforce, processes, and data to the cloud – they are the ones that are really going to set the market and make it take off.

Produced by GEMG | Studio 2G



Equity Research

Government Services: A View from Wall Street

April 15, 2019

Edward Caso, Jr., CFA
Managing Director, Senior Analyst
IT/BPO Services
443-263-6524 | edward.caso@wellsfargo.com



Budget Time Again

The President’s budget proposal for GFY20 again seeks to reduce spending on domestic programs while solidly funding National Security needs. The proposal seeks to leverage the mechanics of the Budget Control Act of 2011 (BCA) by plugging the targeted defense budget using Overseas Contingency Operations (OCO) funding that falls outside the ceilings. Given that the House of Representatives is now controlled by the Democrats, there is even less chance this relative funding mix and approach survives. We note that in recent weeks Senate and House leadership has moved forward with the “normal” budgeting process. Given the increasingly partisan politics, upcoming Presidential election and the lingering dispute around immigration (especially along the southern border), we expect that GFY20 will begin again under a “continuing resolution” (CR). We are of the view that the next two-year BCA cap raising deal will be signed early in 2020 with GFY20 appropriations following about a month later. We look for the defense budget to be in the $730 billion range (about plus 2% yr/yr) and FedCiv budgets to be generally flat.

We highlight three Congressional considerations. First, politicians do not want to run for re-election having to defend why they are not funding our men and women in harm’s way. We believe this is why striking two-year deals has gotten the budget discussion off the table for recent election cycles. Second, most in Congress (on both sides of the aisle) see the need for at least steady defense spending as threats from China and other “peer” states suggest a need for a change in the approach to defense strategy from the asymmetric conflicts of the last fifteen years. Third, offsetting the first two positive factors, the annual federal deficit has been pushed to around $1 trillion (in part because of the recent fiscal stimulus and tax reform). The last time the deficit approached these levels the response was the still contentious BCA. We note that interest expense and baby boomer retirement driven entitlement programs continue to put pressure on the base of tax dollars that are considered “discretionary.” We have not heard much “outcry” about runaway federal spending, so we expect the trillion dollar deficit will not be addressed in the upcoming budget discussions.

Award Activity

Award activity has remained brisk for the publicly traded providers for several years now with book-to-bills consistently over 1.0x on a trailing 12-month basis (removes seasonality). As seen in Exhibit 1, book-to-bill (Tr12) has been over 1.0x for 17 consecutive quarters. This has helped push organic growth into positive territory as the group comes out of the BCA and low-price/technically-acceptable (LP/TA) pricing driven downturn. Even historically softer quarters like December have seen strong award activity of late. Of course, with increased investor focus on the book-to-bill metric, there has been more discussion over the varying approaches to providing this new business metric. Discrepancies exist on inclusion or not of awards still in protest (most do not), treatment of no longer relevant backlog (i.e. presenting awards on a “net” basis), and more recently the focus has been on the treatment of indefinite-delivery/indefinite-quantity (IDIQ) contracts, especially those that are single-awardee (most put in some kind of run rate; SAIC [SAIC] does not, suppressing their book-to-bill metric). This analyst would also like to see better and more consistent disclosure on new versus re-compete awards, although we realize this can be challenging to determine at times as contracts are redefined during the re-compete cycle.

There is some concern that larger contract opportunities will continue to slide to the right given political gridlock and the large number of “acting” agency heads. Since most awards are the continuation of existing work, we would expect a revival of contract “extensions” as decisions on new contract vehicles are delayed. This of course favors the incumbent, to a degree. A one-year extension provides only about one-fifth the booking of a normal five-year award, which will have a depressing effect on book-to-bill ratio, although it will not impact the revenue run rate. Pricing is also a variable and depends on the approach to the legacy award and whether it carries the onerous terms of LP/TA. Another factor with the potential reduction in new awards is that it becomes harder to achieve “takeaway” wins and meet above market growth expectations often presented to investors.


[Exhibit 1. Government Services Book-to-Bill versus Organic Growth (both trailing 12 months basis). Chart series: Gov't Services: TTM Book-to-Bill (left axis); Average Organic Yr/Yr Revenue Growth (right axis).]

Notes: Data is based on Calendar Year (CY) basis. Book-to-bill metric includes BAH, CACI, CSRA, EGL, MANT, and SAIC. Organic growth includes BAH, CACI, ICFI, MANT, LDOS and SAIC. CSRA excluded after CQ4 2017 given acquisition by General Dynamics. EGL excluded after CQ3 2018 given acquisition by SAIC. Q2 2015 excludes LDOS $2.8B UK Ministry of Defense (MoD) contract; also excludes the $4.3B Defense Healthcare Management Systems Modernization (DHMSM) contract which was awarded in CQ3 2015.
Source: FactSet and Wells Fargo Securities, LLC

Revenue Outlook

Revenue growth has been making a steady recovery with all expected to generate positive organic growth in 2019 ranging from about 2% to 7%. Those firms (particularly Booz Allen [BAH] and ManTech [MANT]) with greater focus on cyber-security and intelligence agencies continue to enjoy better growth rates. Those with more commodity-like support services are not enjoying the benefits of the supply-demand imbalance in the more information technology (IT)-focused part of the market. In general, we see a better environment for award decisions (even if just extensions) and average pricing (as LP/TA shrinks as percent of the contract portfolio). Slow ramp-ups on large contracts have tempered the revenue recovery of some. In general, we see plus or minus 5% as a more sustainable growth rate after 2019.

Margin Outlook

Investors continue to be challenged with the concept that government clients dictate the type of contract (i.e. cost-plus versus fixed-price) and the EBITDA margin range for each type of service. With revenue growth now positive, we expect to see some operating leverage benefit; of course, this upside is shared with the client on cost-plus contracts. We also see more demand for higher-margin IT versus mission support (i.e. outsourcing) contracts, which should yield a favorable mix shift. Several companies, CACI (CACI) and Leidos (LDOS) in particular, are focused on leveraging intellectual property or products to enhance the margin opportunity; of course, this increases revenue unevenness, margin volatility, and the need for R&D to support the proprietary offerings. In general, we see a positive upward drift in EBITDA margin, although we expect it to be modest.


Industry Consolidation

2018 was a busy year for larger transactions as General Dynamics (GD) acquired $5 billion in revenue CSRA to nearly double the size of its information technology focused GDIT unit, as “prime” GD takes the opposite tack from other large aerospace & defense primes that have been reducing their services exposure. Later in 2018 SAIC (SAIC) announced their intent to acquire nearly $2 billion in revenue Engility, creating an approximately $6.5 billion top five services provider. Our expectation for 2019 is that industry consolidation will continue (as it does every year) but deal sizes are likely to be smaller (and targeted at private companies) with activity focused on acquiring cybersecurity, analytics and cloud skills, although these are often higher multiple transactions (e.g. 10x plus EBITDA). We note that most of the publicly traded services providers (with the exception of ManTech [MANT]) now have financial leverage in the “normal” range of 2.5-3.0x, if not higher, which may limit their “dry powder.” We assume any larger deals could have an equity component similar to the LDOS/IS&GS and SAIC/Engility transactions, or be more creative in nature, such as the creation of Perspecta from the merging of DXC Technologies’ (DXC) government practice with privately held Vencore. We expect private equity to remain active as both buyers and sellers. See Exhibit 2 for a listing of select government services providers. Note that just below the big IT focused firms are a group of historically infrastructure focused companies that have become more aggressive increasing their federal government focused revenue in recent years.

Exhibit 2. Selected Government Service Providers.

| Name | Ticker (if public) | Revenue ($ in billions) | Period |
|---|---|---|---|
| Leidos | LDOS | $10.8 | CY19E |
| GD IT | GD | 8.3 | CY19E |
| Booz Allen | BAH | 7.0 | CY19E |
| SAIC | SAIC | 6.6 | CY19E |
| CACI | CACI | 5.3 | CY19E |
| Perspecta | PRSP | 4.3 | CY19E |
| NOC TS | NOC | 4.3 | CY19E |
| Jacobs | JEC | 3.9 | FY18A |
| KBRwyle (+ Honeywell +SGT) | KBR | 3.5 | CY18A |
| AECOM | ACM | 3.4 | FY18A |
| Accenture Federal Services | ACN | 2.3 | FY18A |
| DynCorp | Private | 2.1 | CY18A |
| ManTech | MANT | 2.1 | CY19E |
| PAE | Private | 2.0 | NA |
| BAE I&S | BAE | 1.6 | NA |
| ICF International | ICFI | 1.5 | CY19E |
| CGI Federal | GIB.A | 1.5 | FY18A |
| Vectrus | VEC | 1.3 | CY19E |
| Peraton | Private | 1.1 | NA |
| Alion + MacB | Private | 1.1 | Pro Forma CY18E |
| ASGN Inc. (ECS Federal) | ASGN | 0.7 | CY19E |
| Unisys Federal | UIS | 0.6 | CY18A |
| KEYW Holdings | KEYW | 0.5 | CY19E |
| Salient CRGT | Private | 0.5 | Pro Forma CY17A |
| Total | | 77.4 | |

Note: ACM, GD, ICFI, JEC, NOC, KBR, PAE, DynCorp, BAE, Peraton, Vectrus, Unisys and KeyW are not covered.
Note: Figures for Leidos, Booz Allen, SAIC, CACI, Perspecta, ManTech, and ASGN are Wells Fargo Securities, LLC estimates.
Note: All other figures offered on a CY19E basis represent the midpoint of company-provided guidance.
Note: Jacobs guide figures reflect the Aerospace, Technology, Environmental and Nuclear (ATN) segment that comprises ~40% of proforma revenue.
Note: AECOM figures reflect the U.S. Federal revenue generated from the Management Services (MS) segment.
Note: BAE figures represent estimates from various news outlets.
TTM = trailing 12-month
Source: Company data and Wells Fargo Securities, LLC estimates


Valuation

Well, that was a fun ride at the end of calendar 2018, with government services shares now having bounced back since the end of September 2018, similar to the overall market move. But, Booz Allen (BAH) is the only one that is actually above September 30 levels with CACI close. What was interesting is that the group did not perform in its normal “defensive” manner during the market downturn as it declined more than the market. Historically, the group has had more muted market movements given: 1) less economically sensitive clients, 2) sticky client relationships, 3) long-term contracts, 4) limited capex needs, and therefore 5) more predictable and consistent free cash flow. The President’s comment that $700 billion (down about 2% yr/yr) should be enough for the Defense budget in GFY20 was the trigger for concern as analysts/investors focused on the aerospace & defense primes became concerned that defense spending had peaked. The President quickly changed his target to $750 billion (up about 5% yr/yr), but the damage had been done in the minds of investors, especially as the House of Representatives has now shifted to Democratic control. Exhibit 3 presents a long-term view of valuation based on EBITDA multiples.

[Exhibit 3. Long-term View of Valuation Based on EBITDA Multiples]
Source: FactSet and Wells Fargo Securities, LLC

Our View

So where do we stand? We remain constructive on the government services sector as a way for investors to add a defensive component to their portfolios. (See comments above about the sector’s “defensive” nature.) We do acknowledge that valuation is in the upper quartile of the historic valuation range which may limit meaningful upside, but note that revenue (now positive for all we track) and EPS estimates have an upward bias, and the sector continues to consolidate providing both being taken-over or accretive acquisition opportunities. In some cases (in part given favorable cash tax rates), free cash flow yield signals an even more compelling valuation. We also note that most publicly traded providers offer a dividend yield in the 1-2% range with some upward bias in the dividend rate. In addition, several have share repurchase programs, but these tend to be more opportunistic.

Edward Caso is an Equity Research Analyst covering IT & BPO Services with Wells Fargo Securities, a wholly owned subsidiary of Wells Fargo & Company.

Wells Fargo Securities is the trade name for the capital markets and investment banking services of Wells Fargo & Company and its subsidiaries, including but not limited to Wells Fargo Securities, LLC, a U.S. broker dealer registered with the U.S. Securities and Exchange Commission and a member of NYSE, FINRA, NFA and SIPC, Wells Fargo Prime Services, LLC, a member of FINRA, NFA and SIPC, Wells Fargo Bank, N.A. and Wells Fargo Securities International Limited, authorized and regulated by the Financial Conduct Authority.

www.wellsfargoresearch.com Copyright © 2019 Wells Fargo Securities, LLC


4401 Wilson Blvd. Suite 1110 Arlington, VA 22203 www.pscouncil.org

