Getting It Right: Federal Efforts to Develop a Cyber Risk Acquisition Strategy Must Focus First on Agency Risks
The Information Technology Alliance for Public Sector (ITAPS) and the Information Technology Industry Council (ITI) support the federal government’s efforts to strengthen its cybersecurity posture as it relates to how it purchases technology goods and services and how it administers contracts. We appreciate that the government is engaging stakeholders in determining the right steps to do this, and Monday we submitted comments in response to the General Services Administration (GSA) and Department of Defense (DoD) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition request for information regarding a draft implementation plan to institute a federal acquisition cyber risk management strategy, one of six recommendations contained in the GSA-DoD January 2014 report, Improving Cybersecurity and Resilience through Acquisition.
The draft plan proposes a product- and service-centric approach rooted in Product Service Codes (PSCs), which means the government would attempt to address cyber risk in federal acquisitions based on perceived risks inherent to the product or service being purchased. This approach, however, is not adequate for improving cybersecurity in acquisition because it overlooks some of the most important identifiers of cyber risk, including the criticality of the mission or program for which the products or services are acquired and their intended use in support of that mission or program. This approach also fails to assess risks inherent in processes and practices that the government may use for acquisition, such as selecting the lowest-priced item if technical specifications are met. In short, the proposed approach does not support effective risk mitigation practices and, in fact, may actually increase the government’s cyber risks.
Also problematic: the PSC approach seeks to assign risks based on product groupings, incorrectly assuming risk is generated only in the product or service to be acquired. In fact, there are many reasons a product- and service-centric approach cannot mitigate the government’s cybersecurity risks: 1) within any product category the government could use, the number of varied products and configurations is immense; 2) the product categories fail to capture the complexity and diversity of solutions and products in the market, which are constantly changing with technological innovation; 3) how products are configured, operated, and maintained, which almost certainly would differ for each use case and customer, is not addressed; 4) given the rapid pace of technological innovation, product categories in use today may not capture products that have yet to be invented; and 5) as recent media reports have shown, the greatest cybersecurity threats can hide in the unlikeliest of places.
Finally, a product- and service-centric approach would also send the wrong signal to other governments: that the U.S. government believes cybersecurity is, first and foremost, based on products and services. We have spent the past decade working to counter other governments’ claims or beliefs that they can improve their own cybersecurity using product- or service-focused approaches. Given the international interest in U.S. approaches, GSA-DoD must develop policies that are workable globally.
In short, not only does the proposed approach fail to support effective risk mitigation practices, it may actually increase the government’s cyber risks. So, in lieu of the proposed product- and service-centric approach, ITAPS and ITI strongly recommend that the plan create a risk-based, mission-focused process and that agencies conduct risk assessments at the front end of any procurement. Only by first understanding the risks, the intended use of the goods and services sought, and where they will be deployed can the government improve the cybersecurity of its acquisitions.
We also recommend that GSA-DoD consider using this opportunity to develop guidance for federal agencies on applying the National Institute of Standards and Technology (NIST) Framework, to help them use business drivers to guide cybersecurity activities and consider cybersecurity risks as part of an organization’s risk management process. The NIST Cybersecurity Framework, released in February 2014, helps organizations take risk-based approaches to cybersecurity and should be much more integral to recommended government-wide changes in behavior.
Improving and strengthening our nation’s cyber posture is rightly a top priority for our government, and changing how the federal government integrates security into its own acquisitions process will help improve the cyber resiliency of the United States. ITAPS and ITI commend GSA and DoD for the open and collaborative manner in which they crafted this draft plan. We hope that our feedback is given due consideration and stand ready to work with our government colleagues to develop a more feasible approach.
Danielle Kriz, ITI’s Director of Global Cybersecurity Policy, contributed to this blog.