Federal Government Acquisition Standards to Involve Cybersecurity
In January of this year the Department of Defense (DoD), in cooperation with the General Services Administration (GSA), announced that they would be implementing a cybersecurity and resilience program for the Federal Acquisition System. As part of this announcement, the program calls for six planned reforms to strengthen the current security posture and ultimately reduce cyber risk to the Federal Acquisition System.
Initially, I was thinking this may be another failing attempt to bring security to our government systems, but after further investigation, I believe this is a positive step forward with the Risk Management Framework (RMF) that has been adopted. While past programs have focused on the security of systems and components, it appears the federal government may be leaning heavily on the DoD’s DIACAP structure and expanding its concerns to people, processes, and the technology in use. In my opinion, this is a pure “management of risk” approach.
6 Cybersecurity Goals for DoD and GSA Acquisition
While we are far from seeing a full-blown implementation of these reforms and/or RMF, the report released by the DoD/GSA focuses on six reforms that align cybersecurity initiatives with the current federal acquisition process:
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions. – Making this a requirement prior to contract award may push “commercial” organizations into adopting a NIST-based RMF, and in doing so improve security for US-based organizations well beyond the federal contracts themselves.
- Include cybersecurity in acquisition training – This is something that should have been done years ago. As a former government IT employee, I can’t tell you the number of times that contracts were awarded based on price, and not based on the merit, capability, and security of the awardee.
- Develop common cybersecurity definitions for federal acquisitions – Everyone speaks the same language. Our federal government has almost made it impossible for sister agencies to conduct business with one another because of the differing guidelines and requirements from one agency to the next. A common set of definitions for risk management and overall security should streamline operations and introduce the reciprocity (one agency accepting another’s security assessment rather than repeating it) that many of us have long wanted.
- Institute a federal acquisition cyber risk management strategy – This relates directly to the RMF game plan, and should strengthen not only the federal contracts it will oversee but also keep our national security a top priority. While I will refrain from pointing out any questionable contract awards from the past, having a systematic way of measuring risk during the acquisition process is something that should protect all stakeholders involved.
- Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources – How is this not already a requirement? Do some of our federal agencies not have a Configuration Control Board (CCB) that reviews and approves software/hardware procurements? Buying only through trusted channels is the basic control against counterfeit or tampered components entering the supply chain; it should improve the reliability of goods and services and save significant budgetary dollars in the process.
- Increase government accountability for cyber risk management – This is the one aspect that has been lacking in many contracts I have been involved with. While the federal government loves to “pass the buck”, many times it ends up paying the price for a security breach. If implemented correctly, this aspect will strengthen government contracts and essentially be the mainstay of the cybersecurity reform.
What Cybersecurity Improvements Are Expected?
The reforms listed above will be implemented using a structured approach that involves stakeholder engagement and a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal life cycles for all federal procurements. The implementation will also harmonize the recommendations with existing risk management processes under the Federal Information Security Management Act (FISMA) and OMB guidance.
As with most cybersecurity initiatives sponsored by the federal government, this adoption will take some time to develop, but I can honestly say that we seem to be heading in the right direction. As we progress there will most likely be some shifts and modifications to the overall plan, but taking a proactive stance to security instead of the reactive approach we are so used to experiencing is far more inviting.