Recommendations attempt to raise acquisition, cyber consciousness

Thursday - 1/30/2014, 4:20am EST

Jason Miller on the Federal Drive.


A new set of recommendations aims to change the entrenched federal acquisition culture. The Defense Department and the General Services Administration made six recommendations on Jan. 23 for addressing cybersecurity at the very beginning of any procurement, rather than after the contract is awarded.

The goal of the recommendations is to make the federal procurement community more cyber conscious.

"We identified gaps in the acquisition system, and one of the gaps is we don't often understand what the risk is in terms of cyber in the solution or deliverable we are purchasing, and because we don't understand the risks, we make decisions that are not informed and end up with a deliverable that doesn't meet our needs," said Emile Monette, GSA's senior adviser for cyber in the Office of Mission Assurance, in an interview with Federal News Radio Wednesday. "The other gap is the risk tolerance of the end user is not always understood by the buyer. We really wanted to bring those two things to the forefront."

GSA and DoD led the effort to come up with the recommendations, as required by Section 8(e) of President Barack Obama's cybersecurity Executive Order (EO 13636), signed last February.

The working group, which included the National Institute of Standards and Technology and the Office of Federal Procurement Policy, determined areas ripe for change based on gaps in federal procurement or based on industry best practices.

"There are a couple things here that are something that industry has been directly calling for, for years, like the requirement to purchase from original equipment manufacturers, their authorized resellers or other trusted sources. That's a low-hanging risk criteria that industry adopted many, many years ago in their supply chains to maintain the integrity of products they deliver, whether it's commercial or the government. So we are happy to see things like that in there," said Trey Hodgkins, the senior vice president of the public sector for the IT Alliance for the Public Sector (ITAPS). "The other thing we suggested to the government multiple times is that some of the acquisition practices and processes used today, and I'll point to lowest-price, technically acceptable (LPTA) as a good example, in certain circumstances contribute or add to the risk that this effort is attempting to address. Seeking out and only using the lowest price as a filter or threshold for acquiring goods and services doesn't get you the level of assurance this exercise and other exercises are seeking in government acquisitions."

GSA and DoD held more than 40 meetings with industry associations and others, including TechAmerica, the Professional Services Council, the Coalition for Government Procurement, privacy companies and many others. Hodgkins said industry's input is clear from both the draft recommendations issued last summer and these final ones.

The recommendations include:

  • Creating cyber training for acquisition workers.
  • Developing a baseline for cyber requirements as standard clauses in all contracts.
  • Developing standard definitions for cyber terms.
  • Developing and instituting a cyber risk management framework.
  • Requiring a clause in all agency contracts that limits purchases to original equipment manufacturers, their authorized resellers or other trusted sources.
  • Increasing government accountability for cyber risk management.

Monette said of the six, the cyber risk management framework is among the most important of the recommendations because almost every other suggestion is dependent on that framework.

"It's really about addressing security as the strategic issue that it is. The idea is at the end of this, we would be building security in instead of bolting it on and fixing field systems and things like that," he said. "One of the outcomes that is sort of an interim step to implementing this recommendation is to define a repeatable process for addressing cyber risk in acquisitions. We are bringing together, blending what are traditional sourcing or procurement practices with information security practices."

Monette said, for example, the working group could use NIST Special Publication 800-53, Revision 4, to identify which security controls apply to a particular type of acquisition. The committee could then pair that control selection with OFPP guidance or a Federal Acquisition Regulation (FAR) clause on pricing data that would address, for instance, when it is inappropriate to use LPTA, or how to weigh source selection criteria or performance indicators.

"We would couple those together and identify them as a baseline or as a minimum or threshold requirement for different types of acquisitions," he said.

Recognizing, accepting risk

Monette said the working group will look through the entire procurement spend and decide which types of acquisitions present the biggest cyber risks.

He said the committee may want to group like types of acquisitions together, similar to what GSA, DoD and the Homeland Security Department are doing with cloud computing under the Federal Risk and Authorization Management Program (FedRAMP).