From Vulnerability to Leadership: How DoD Can Leverage the FY25 NDAA to Transform Federal IT Procurement

The digital world is the backbone of modern life, enabling everything from economic growth to national security and daily connections. Yet, as it consolidates under a few dominant players, this critical infrastructure becomes increasingly fragile, leaving us vulnerable to cascading failures and escalating geopolitical threats.

No nation feels this tension more acutely than the United States, the world’s most digitally connected nation. China’s authoritarian digital model—characterized by state control and pervasive surveillance—offers a competing version of the internet that has effectively splintered the global web into at least two distinct frameworks.

China’s model promotes values fundamentally at odds with the open, decentralized digital ecosystem championed by democracies, and it remains largely disconnected from the U.S.-led version of the internet. Beijing’s efforts to export its model to other nations further highlight the strategic importance of addressing vulnerabilities in America’s consolidated systems to ensure leadership on the global stage.

An Institute for Critical Infrastructure Technology (ICIT) sponsored Task Force’s recent report outlines practical steps to enhance near-term resilience against the risks created by digital consolidation, focusing on actionable measures rather than exhaustive solutions. Among the many recommendations in the report, this piece focuses on two recommendations: strengthening interoperability to build redundancy and secure systems (Rec. 1.1) and modernizing procurement practices to reduce vendor dependency and enhance security (Rec. 2.2). These steps align with the opportunities presented by the Fiscal Year 2025 National Defense Authorization Act (NDAA) and are part of a broader framework emphasizing Resourcing, Recovery, Rehearsal, and Response—designed to mitigate risks and enhance resilience in critical systems.

Interoperability: Building Resiliency Through Redundancy

Interoperability standards are a cornerstone of resilience. They enable redundancy to mitigate disruptions and obfuscate system designs to reduce exploitable vulnerabilities. These standards also align with broader efforts to enhance public-private collaboration and ensure continuity during crises. Today’s digital landscape—where hyperscalers dominate cloud computing and critical software operates on centralized platforms—leaves the government and private sector exposed to single points of failure. The 2024 CrowdStrike outage, which disrupted millions of devices, exemplifies how concentrated systems can fail catastrophically.

Federal leadership on interoperability can break this cycle. By mandating standards that allow platforms to interact seamlessly, the government can diversify its dependencies and make it harder for adversaries to exploit vulnerabilities. Importantly, these standards must be enforced through contracts to prevent any vendor from using licensing terms to undermine them. While the primary goal is resilience, the secondary benefits—including increased competition, innovation, and market health—are too significant to ignore.

Like the private sector, the U.S. government heavily relies on a small group of IT vendors—most notably Microsoft. This overreliance underscores the need for interoperability to ensure systems can pivot when faced with disruptions or threats, reducing the risks associated with concentrating so much of the government’s digital ecosystem on a single provider. Establishing these standards sets a benchmark for robust, secure infrastructure that extends across public and private sectors.

Modernized Procurement Practices: Empowering Smarter Choices

The FY25 NDAA provides a historic opportunity to modernize federal procurement—a long-overdue step to mitigate risks and enhance security. The legislation grants Department of Defense (DoD) components greater flexibility to procure cyber products, enabling agencies to adopt innovative technologies while addressing vulnerabilities tied to consolidation. Traditionally, procurement decisions have emphasized cost savings and familiarity, often at the expense of security and diversity.

With an emphasis on flexibility, the NDAA empowers the DoD to prioritize security and resilience in cyber procurement, enabling solutions that address specific operational needs while reducing overreliance on entrenched vendors. To capitalize on this flexibility, federal procurement must prioritize vendor diversity, security performance, and adherence to interoperability and recovery standards. The government’s purchasing power—the largest in the nation—can drive market-wide change, incentivizing providers to deliver innovative, secure, and interoperable solutions.

Another important factor is the government’s reliance on private-sector infrastructure. Many critical digital systems that enable government services are controlled by private providers, further underscoring the need for modern procurement practices. The government can strengthen its digital ecosystem while reducing systemic risks by ensuring transparent supply chains and avoiding reliance on adversarial technologies.

Leading by Example: Setting the Standard for Resilience

As I’ve suggested before, the federal government must lead by example, not exception. The next administration has a unique opportunity to demonstrate that resilience and innovation go hand in hand. Implementing robust interoperability standards and modernized procurement policies is about safeguarding government systems and setting a transformative example for the private sector and global partners.

To achieve this, policymakers must:

  1. Legislate Interoperability Standards: Direct the National Institute of Standards and Technology (NIST) to develop technically feasible standards and empower the Cybersecurity and Infrastructure Security Agency (CISA) to enforce them. Contracts must ensure vendors cannot weaken these standards through restrictive licensing.
  2. Revamp Procurement Policies: The Office of Management and Budget (OMB) must prioritize resilience in federal contracts, reducing dependency on dominant providers and encouraging diversity in solutions.
  3. Strengthen Public-Private Collaboration: Partnering with industry is essential to ensure the feasibility and adoption of interoperability and recovery standards across sectors.

A Global Imperative

Digital consolidation isn’t just a domestic issue—it’s a global challenge. As geopolitical tensions with China intensify, the U.S. must fortify its digital resilience to counter risks from state-sponsored cyberattacks and economic competition. China’s centralized, state-controlled digital model starkly contrasts the open, democratic systems the U.S. aims to protect. By addressing vulnerabilities at home, we secure our systems and reaffirm our leadership in championing a free, secure, and democratic digital future.

The FY25 NDAA provides a clear starting point. By leveraging its provisions to prioritize interoperability and modern procurement, the next administration can transform vulnerability into leadership and ensure that America’s digital infrastructure is a global model of resilience and democratic values. The future of our digital infrastructure—and the security, prosperity, and trust it enables—depends on it.

Cory Simpson

Cory Simpson is the CEO of Gray Space Strategies, a Washington, D.C.-based consulting and advisory firm, and the Institute for Critical Infrastructure (ICIT), a non-profit organization dedicated to the security and resilience of critical infrastructure that provides for people’s foundational needs. He also serves as a Senior Advisor to the Cyberspace Solarium Commission 2.0. The opinions expressed in this article are his own and do not reflect the views of any employer or affiliated organization.