In the federal government, cyber is a daunting challenge.
The government and its suppliers face “the intersection of evolving and expanding threats in the cybersecurity world, along with evolving and emerging compliance requirements that they need to keep up with,” said Bill Malone.
As president of Coalfire Federal, Malone is helping the government and its industry partners meet those challenges. The company provides a range of services, including cyber program management and operations; cyber automation, engineering, and orchestration; and security compliance and advisory.
Malone is especially focused on the compliance piece, for example, by helping to ensure commercial-cloud offerings align with FedRAMP standards. Coalfire is also helping contractors to meet the emerging demands of the Cybersecurity Maturity Model Certification, the Defense Department’s supply chain security requirement.
Coalfire is well positioned to meet those needs. “We are a FedRAMP third-party assessment organization, and we work with those commercial vendors to certify their offerings, to allow them to bring those into the federal government,” Malone said.
CMMC meanwhile “helps to address the threat to the supply chain: that’s everybody who comes in to support DOD,” he said. “Some people don’t understand the emerging program, and we have an advisory capability that helps them there. We are also a certified third-party assessor for CMMC, with the credentials and experience to do that work.”
Coalfire Federal’s strategic positioning as a FedRAMP third-party assessment organization and a certified CMMC third-party assessor underscores its capability to bridge the compliance gaps.
“Our approach to compliance is defined by a practitioner’s perspective,” Malone said. “We don’t just navigate regulatory landscapes: we immerse ourselves in the details, providing hands-on insights that set us apart in the field.”
This kind of outside expertise is critical, he added, at a time when contractors, government agencies and the private sector in general all compete for a limited pool of cyber talent. When it comes to compliance, an outside partner can bring needed experts to the table, and can often do so in the most economical way.
“Some of these requirements call for annual reviews,” Malone said. With a third-party provider, “you can bring that talent in, they can do their job and then go away. That might be more cost-effective than hiring an employee to do that.”
For federal agencies in particular, an outside provider can help to ensure cyber efforts are keeping pace with the evolving threat.
“It’s important to the federal government to bring in an outside vendor who has a broad array of exposure to the market: different departments and agencies, federal government and commercial clients,” he said. “We can bring commercial best practices into the federal government that they may not have seen, and that’s important in cyber because the technology changes, the threat changes. You want someone who’s seen the latest and greatest.”
As he looks to drive growth, Malone sees the explosive adoption of cloud in government driving demand for FedRAMP-related services. And the emerging CMMC model will create new business opportunity, too, as firms seek to ensure compliance.
Right now, CMMC applies only to firms doing business with DOD, “but it also may provide a model for the rest of the federal government: civilian departments and agencies,” he said. That, in turn, will help Coalfire continue to build momentum.
How to make the most of that opportunity?
Malone said Coalfire’s laser focus on cyber is a competitive differentiator. Unlike other firms who may have cyber as one of several capabilities, “Coalfire Federal only does cybersecurity, we don’t do anything else,” he said. “We are more surgical, more specific, and more focused. We bring a practitioner’s perspective to the table. That’s what you need to be relevant these days.”
To bring that to life, Malone has to wrangle with the same challenge his clients face: How to build and sustain a highly skilled workforce. There is a “war for talent,” he said, and Coalfire is proving it can be among the winners.
“We’re giving these employees exciting work, and it’s work across different areas,” he said. “They’re not always in the same place, so they’re seeing more in terms of training and exposure to threats.” By keeping the work interesting and engaging, “we have proven our ability to recruit and retain a really good team of cyber professionals.”
Because Coalfire doesn’t have the brand cachet of Amazon or Google, Malone focuses on corporate culture to ensure the company is attractive to potential hires.
“We provide everything from pay and benefits, to opportunities for professional development and a sense of camaraderie towards protecting the mission of our clients,” he said.
He’s also leveraging the geographic reach made possible by remote work.
“I have people in San Antonio, people in New York,” he said. “That allows us to do our recruiting in a much broader way.”
A former naval officer, Malone said he takes personal pride in the work of supporting the federal government.
“As a naval officer, I got up every day and put on my uniform and I knew I was part of a team making a difference. That was very fulfilling to me,” he said. “Being a government contractor scratches that same itch. Protecting the mission is important.”
Government agencies and those who support them “have to have cybersecurity in order to enable their mission, and that’s what we do,” he said. “I took off my uniform, I put on my civilian suit, and I still feel like I’m making a difference.”