As the world’s security experts, including many U.S. government officials, gather in San Francisco this week to attend the RSA Conference, it’s an appropriate time to discuss the ways our federal government is working to strengthen its cybersecurity posture as it relates to acquisition planning and contract administration. The federal government depends on technology to provide services to citizens and to protect our nation, but of course, alongside the benefits we gain from technology, government, businesses, and individuals all face cyber risks as well. Improving and strengthening our nation's cyber posture is rightly a top priority for our government, and changing how the federal government integrates security into its own acquisition processes will help improve the cyber resiliency of federal networks.
To advance that priority, Executive Order 13636 directed the General Services Administration (GSA) and the Department of Defense (DOD) to make recommendations on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. In fulfillment of this charge, GSA and DOD fairly engaged in a transparent and collaborative process, drawing substantially from stakeholder input, and on January 29th released their final report, Improving Cybersecurity and Resilience through Acquisition. The report provides six recommendations for the federal government to consider on how to "strengthen the cyber resilience of the federal government by improving management of people, processes, and technology affected by the federal acquisition system."
The recommendations are as follows:
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
- Include cybersecurity in acquisition training;
- Develop common cybersecurity definitions for federal acquisitions;
- Institute a federal acquisition cyber risk management strategy;
- Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources; and
- Increase government accountability for cyber risk management.
While the final report doesn’t detail how these recommendations will impact government vendors and the products and services they offer, it does share some insight into what approach the federal government is pursuing to incorporate security standards into acquisition planning and contracts. The next step is for GSA and DOD to seek public input on the six recommendations that will be used to determine the best ways to craft and implement any new requirements. Industry is encouraged to participate in this process. The first request for information (RFI) should be published very soon.
ITAPS and ITI commend the plan to engage industry early in the process by issuing RFIs, and urge that during the next phase of this effort GSA, DOD, and all relevant agencies also employ a range of additional means to gain input, such as public workshops, meetings, and the like. We support these recommendations as a potentially very effective way to improve the security of federal IT systems.
However, while we work together on next steps, we urge the government to put on hold concurrent, but less effective, proposals outside of the GSA/DOD initiative that aim to increase security in federal systems. These siloed initiatives have multiplied and include, among other proposals, new requirements on unclassified technical information held on or transiting corporate information systems. They also include new authority to exclude suppliers without notice in the defense industrial base, in the intelligence community, and at the Department of Energy. These separate initiatives are creating a patchwork environment for doing business with the federal government. Inconsistent proposals might be well intentioned, but they will decrease, not increase, security.
ITAPS and ITI agree that improving cybersecurity in federal acquisitions is extremely important, and we praise the thought leadership and vision embodied in the GSA/DOD report. It is imperative that industry and government continue to cooperate in producing these new requirements for government purchasing, so that together we reach policies that truly get us the results we all seek: improved security in federal IT systems.