The Defense Department and the General Services Administration on Jan. 23 delivered a joint report to the president recommending a series of wide-ranging changes to the federal acquisition cycle to help improve cybersecurity and critical infrastructure resilience.
The report, signed by Secretary of Defense Chuck Hagel and GSA Administrator Dan Tangherlini, is in response to requirements outlined in Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” signed by President Barack Obama last February. The order directed the Pentagon and GSA to come up with a plan to incorporate cybersecurity standards into acquisition planning and contract administration, and to harmonize procurement requirements across the federal government.
“One of the major impediments to changing how cybersecurity is addressed in federal acquisitions is the differing priorities of cyber-risk management and the federal acquisition system,” the report states. “The acquisition workforce is required to fulfill numerous, sometimes conflicting, policy goals through their work, and cybersecurity is but one of several competing priorities in any given acquisition.”
The report outlines six recommendations that focus on the need for baseline cybersecurity for federal contractors, comprehensive workforce training, consistent cybersecurity terminology for contracts, incorporation of cyber-risk management into federal enterprise risk management, development of more specific and standardized security controls for particular types of acquisitions, limiting purchases to certain sources for higher-risk acquisitions, and increasing government accountability for cybersecurity throughout the acquisition lifecycle.
Tim Larkins, a consultant with immixGroup Inc.’s Market Intelligence practice in McLean, Va., said he doesn’t think the proposed changes will have a major impact on industry.
“It’s something vendors are going to have to be mindful of when they interact with government customers, but I doubt they will feel much of a change in day-to-day operations,” Larkins said.
The report’s recommendation calling for common cybersecurity definitions in federal acquisition could have a minor impact on industry, Larkins said. “Depending on how much they diverge from industry standard definitions of cyber-capabilities, cyber-vendors may have to change some of their marketing and messaging strategies,” he said.
The biggest potential impacts, however, could come from the report’s call for implementation of a federal acquisition cyber-risk management strategy and holding government decision makers accountable for cyber-risk decisions in acquisition programs, Larkins said.
“We’ve all heard that one of the major issues with federal security management is a lack of clear leadership structure, particularly on the nondefense side,” Larkins said. “This risk framework and increased accountability could go some way to establishing better security management roles and repeatable acquisition practices.” It could also “change the way contractors (system integrators) approach [and] interact with government on large programs.”
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions.
  - The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified.
- Address cybersecurity in relevant training.
  - Incorporate acquisition cybersecurity into required training curricula for appropriate workforces. Require organizations that do business with the government to receive training about the acquisition cybersecurity requirements of the organization's government contracts.
- Develop common cybersecurity definitions for federal acquisitions.
  - Key terms should be defined in the Federal Acquisition Regulation.
- Institute a federal acquisition cyber-risk management strategy.
  - From a governmentwide cybersecurity perspective, identify a hierarchy of cyber-risk criticality for acquisitions. Develop and use “overlays” for similar types of acquisition, starting with the types of acquisitions that present the greatest risk.
- Include a requirement to purchase from Original Equipment Manufacturers, their authorized resellers, or other “trusted” sources, whenever available, in appropriate acquisitions.
  - The cyber-risk threshold for application of this limitation of sources should be consistent across the federal government.
- Increase government accountability for cyber-risk management.
  - Identify and modify government acquisition practices that contribute to cyber-risk. Ensure key decision makers are accountable for managing risks of cybersecurity shortfalls in a fielded solution.