Vendors Quibble With US Procurement Cybersecurity Plan
Protecting supply lines is essential to military success. But the U.S. government has now launched an initiative designed to protect the supply chain of both civilian and military agencies from potential cyberattacks.
The effort will be especially important in the e-commerce procurement process. In fact, the information and communications technology segment of the federal IT market potentially covered by the program involves 322 products and services with a total 2013 fiscal year value of US$62.8 billion. The initiative is being managed jointly by the General Services Administration and the U.S. Department of Defense.
"Currently, government and contractors use varied and nonstandard practices which make it difficult to consistently manage and measure acquisition cyber-risks across different organizations. Meanwhile, due to the growing sophistication and complexity of ICT and the global supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks," said Emile Monette, senior advisor for cybersecurity at GSA's Office of Mission Assurance, at an industry briefing.
By executive order, President Obama directed federal agencies to address the protection of critical infrastructure in the U.S. from cybersecurity breaches and attacks. The February 2013 order specifically called on GSA and DoD to address cybersecurity protection related to the federal acquisition process. GSA and DoD issued a report on the process in January 2014 that included several reform recommendations:
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions
- Include cybersecurity in acquisition training
- Develop common cybersecurity definitions for federal acquisitions
- Increase government accountability for cyber-risk management
After issuing the report, the agencies invited industry to comment on a proposed implementation plan by April 28.
A key premise of the implementation plan is that "not all assets delivered through the acquisition system present the same level of cyber-risk or warrant the same level of cybersecurity," the agencies noted. As a result, they planned to develop a "repeatable, scalable process for addressing cyber-risk in federal acquisitions based on the risk inherent to the product or service being purchased."
However, IT vendors in the federal market are challenging that approach.
Information technology industry sources largely have supported the effort, but they have questioned the approach that GSA and DoD have taken to implement improved cybersecurity measures in the procurement process.
"We agree with the goal of the program, but we think the proposed implementation plan is not properly focused," Trey Hodgkins, senior vice president for the public sector at the Information Technology Industry Council, told the E-Commerce Times.
"Risk assessment made during a procurement should not focus too heavily on the product or service itself, and should consider surrounding factors, such as what the product or service is intended to be used for, among many other factors. A fully informed risk assessment should be well-rounded, or it will result in decisions that are not fully informed," Grant Seiffert, president of the Telecommunications Industry Association, told the E-Commerce Times.
"The suggested approach doesn't take into account the risk environment associated with the use of the product or service, or the risk associated with the mission of the agency. You need [to conduct] a broader risk analysis and then build out the protective overlays related to procurement," Hodgkins said.
"The product code approach greatly expands complexity and creates ambiguities, making it impractical to be useful as a guide. There are just too many categories to align for most agencies to use productively," David Bodenheimer, a partner and federal contracting law specialist at Crowell & Moring, told the E-Commerce Times.
As an alternative to the product category approach, Hodgkins suggested that the statement of work in any government request for proposals is a "critical element" in the acquisition process.
"The SOW provides the agencies the opportunity to describe the risk environment so they can build out the protection overlays and address any type of customized cybersecurity factor associated with the procurement. Then it's fair game for the vendors to respond appropriately," he said.
The Trusted Suppliers Option
Another way to achieve improved cybersecurity, Hodgkins noted, would be through the use of a tiered "trusted supplier" chain. At the top would be the original equipment manufacturer that has an incentive to ensure the security of a product, followed by an authorized distributor or reseller, and then other supply sources. The government would define the criteria for a trusted supplier.
These alternatives were discussed in the GSA/DoD report issued in January, but the agencies' first crack at an implementation plan focused on the product category approach to security.
Federal agencies have been directed by the Office of Management and Budget to improve IT acquisition to make an often highly expensive and multiyear process simpler, more efficient and speedier. Adding more cybercontrols could add more time, and possibly more expense, to the procurement process.
"The emphasis of the effort at hand is not necessarily on improving the speed of procurement, although that is a valid concern for our members. The executive order is focused on using security standards in acquisition planning and contract administration to increase resiliency," said TIA's Seiffert.
Maintaining Efficient Acquisition
In fact, TIA's comments to GSA/DoD included recommendations that would "improve the efficiency of the acquisition process," he said.
These include ensuring that cybersecurity concerns are fully appreciated and understood throughout the acquisition process through adequate workforce training across the federal government; ensuring that there is a common understanding of key cybersecurity terms; and using risk management strategies that "should rely on voluntary, open and consensus-based standards, where possible," according to Seiffert.
"There is no reason greater security has to lead to a more protracted process," Crowell & Moring's Bodenheimer said.
"If GSA and DoD could provide some centralized guidance, similar to the FedRAMP model, it could help avoid a drawn-out process and allow the agencies to operate with a smaller cadre of people involved in the acquisitions," he suggested.
FedRAMP is a government-wide security protocol related to the acquisition of cloud technologies.
Any program should include significantly improved cybersecurity training for agency personnel involved in the acquisition process, both TIA and ITIC emphasized.
Whatever steps GSA and DoD take from here for improving cybersecurity in government procurement, the efforts to date have recognized the need for communication with the private sector.
"Both GSA and DoD have done a very good job of collaborating with the vendor community and seeking feedback," Pam Walker, senior director for homeland security at ITIC, told the E-Commerce Times. "Their staffs have talked to industry representatives on a regular basis."