Security experts often make the case for building cybersecurity into federal systems and solutions up front. Those results have been mixed, at best.
But that’s expected to change as government officials flesh out recommendations for incorporating security standards into the federal acquisition process. That includes setting baseline cybersecurity requirements for contractors bidding on work that could pose cyber risks.
“We are entering a new era where every federal acquisition is going to have a cyber component in it,” said Donald Johnson, with the Defense Department. “It hasn’t before. It’s happening now, and it’s going to happen more so in the future,” said Johnson, who spoke March 20 at the Acquisition Excellence conference in Washington.
Last year, President Obama tasked the General Services Administration and DoD with providing recommendations on the feasibility, security benefits and merits of aligning cybersecurity standards with the acquisition process. The agencies released six recommendations in January.
DoD and GSA have since been directed by the White House to develop an implementation plan for those recommendations, and both agencies are seeking feedback on the best way forward. Public comments on the implementation plan are due April 28, according to a notice in the Federal Register.
What form the implementation plan will take is unclear, but it is likely that changes will be made to the government’s acquisition regulations, said Emile Monette, senior adviser for cybersecurity at GSA’s Office of Mission Assurance. Monette compared the effort to what has been done with the government’s cloud security program, known as FedRAMP. Like FedRAMP, the implementation plan would set baseline standards, using those approved by the National Institute of Standards and Technology, and could focus on requirements for certain purchases like networking gear.
Contracting officers, program managers and others involved in the acquisition lifecycle will be expected to review requirements with cyber in mind, Monette said. If what they are buying connects to a network or involves the transmission of data, they must ensure the proper person has signed off that they understand the security risks involved and certified that those risks will be sufficiently mitigated.
DoD could be a model for how these requirements will be implemented, Johnson said. In November, the department issued a regulation requiring organizations that hold, store or transmit unclassified technical information to meet certain NIST security requirements, he said. If those organizations are hacked, they must report it to DoD within 72 hours.
He said governmentwide cybersecurity standards will be a core piece of the proposal process going forward and could be grounds for not awarding a contract if the award could create supply chain risks. The balance is ensuring the standards aren’t too far-reaching and do not eliminate competition.
Ensuring the security of the supply chain will be a key focus of implementing standards, said Joe Jarzombek, director for software and supply chain assurance at the Homeland Security Department. Jarzombek said the upcoming release of draft NIST standards for supply chain practices will have implications for government and its customers.
The concern from industry is that cyber standards will be overbearing for small businesses, increase companies’ cost of doing business with the government and in some cases make them less competitive, considering the prevalence of lowest price, technically acceptable contracts.
A number of companies already adhere to the kinds of standards the government is considering, said John Pistolessi, supply chain risk management program manager for the Defense Intelligence Agency.
Companies express frustration at offering the government additional security protections only to see agencies go with the lowest bid, one that doesn’t offer those protections, Pistolessi said.