The goal of security recommendations is to improve management of the people, processes, and technology affected by the Federal Acquisition System, says GSA Administrator Dan Tangherlini. (Gannett Government Media Corp)
A report released on Jan. 29 lays out six recommendations for incorporating security standards into the government’s acquisition process, including one that would ensure agencies do business only with companies that meet baseline security standards.
Last February, President Obama tasked the General Services Administration and Defense Department with providing recommendations on the feasibility, security benefits and merits of aligning cybersecurity standards with the acquisition process. The executive order also called on the agencies to provide steps for making existing cyber-related procurement requirements consistent.
The report’s recommendations include:
■ Institute baseline cybersecurity requirements as a condition of contract award for acquisitions that present cyber risks.
■ Include cybersecurity in acquisition trainings, including training for government contractors.
■ Develop common cybersecurity definitions for federal acquisitions.
■ Institute a federal acquisition cyber risk management strategy.
■ Require suppliers or resellers to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources.
■ Increase government accountability for cyber risk management.
The report does not provide explicit guidance on how to implement the recommendations, but a request for public comment on a draft implementation plan will be published in the Federal Register next month, GSA said in a news release.
“The ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System,” GSA Administrator Dan Tangherlini said in a statement. “GSA and the Department of Defense will continue to engage stakeholders to develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all Federal procurements.”