On 19FEB2013, the President directed SECDEF and GSA to report, within 120 days, on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration” (more here). 369 days later, the report was signed and sent back to the President. Oh well, that’s DC time for you!
Improving Cybersecurity and Resilience through Acquisition (see here) is a quick read. The emphasis is on how DoD and GSA can strengthen cyber resilience through improved management of people, processes and technology.
We characterized this effort as a critically important activity that will help enhance the resilience of DoD and other US Government systems and be good for the US IT community as well. The report is the result of extensive coordination, study and analysis and will make for a better overall system.
It goes without saying that this will not in itself be sufficient, but it sure will help. In many ways this is an attempt to enhance cybersecurity with no real application of additional resources and without holding anyone to timelines or objectives.
The report brings forward the following six recommendations:
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions. Having across-the-board baseline requirements for acquisitions that present cyber risks is the first step in buying safe stuff. Giving the AQ staffs technical requirements that they can understand and implement will be a huge improvement over what they are currently working with. It’s not easy.
- Address cybersecurity in relevant training. Training is surely needed for the AQ staffs, and the industries that support DoD. Of course, we can’t make them all cybersecurity experts. It’s pretty tough to make the “Cybersecurity Experts” EXPERTS! But this is a noble effort.
- Develop common cybersecurity definitions for Federal Acquisition. Back to point 1., it’s not going to be easy. Just defining the terms across DoD will be a good start.
- Institute a Federal acquisition cyber risk management strategy. This will require a huge effort to identify a hierarchy of cyber risk criticality for acquisition. The suggestion of an “overlay” to be used across like-acquisitions hints of some re-use and streamlining, which will be very important to also attaining timely acquisition.
- Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other “trusted” sources, whenever available, in appropriate acquisitions. This is way overdue. I think all of us are losing some sleep over those low-cost equipment purchases that DoD made in the past five years.
- Increase Government accountability for cyber risk management. Holding “key decision makers accountable” for managing cybersecurity shortfalls in a solution they purchase and field will be a new way of doing business. Maybe we can finally get past the days when a useless, insecure system can be designed, purchased, and fielded with zero consequences to anyone’s career.
These are all great ideas, and we are excited to see them implemented in DoD. It’s mostly about incorporating standards into the acquisition planning and contracts process. We are most certainly in a new world of slowing down the acquisitions and making sure they comply with [insert your emphasis here: costs, cybersecurity, interoperability, etc]. Gone are the days of pushing “rapid technology insertions”!
These folks work really hard and will need all the help they can get to be able to add cybersecurity to their bag of tricks! Changing the behavior of government program managers and acquisition decision makers will not be easy, especially as more immediate challenges will continue to capture their attention (such as sequestration and budget cuts and in-general-doing-more-with-less stuff).