The Department of Defense and the General Services Administration, which together spend more than $500 billion annually on information technology, have released a joint report to the White House recommending steps to upgrade the cybersecurity requirements of acquisitions of information technology and services throughout the federal government. These recommendations will affect not only suppliers to federal agencies, but together with the NIST cybersecurity Framework for critical infrastructure to be released in mid-February, will be felt throughout the broader U.S. marketplace for IT goods and services.
Executive Order 13636, issued in February 2013, is best known for initiating development of the NIST cybersecurity Framework for critical infrastructure, which is due to be released in two weeks. The EO had other, less well-known provisions, including a requirement that DoD and GSA make recommendations to incorporate cybersecurity requirements into standards for federal acquisitions of information technology products and services. This report, completed in November but not released until yesterday, recommends adoption of standards and practices that will significantly affect both federal IT procurement and the broader U.S. market for information technology.
Among the recommendations are the following:
- For acquisitions that present cyber risks, the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver. The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified.
- Require organizations that do business with the federal government to receive training about the acquisition cybersecurity requirements of the organization's government contracts.
- Mitigate the risk of receiving inauthentic or otherwise nonconforming items by obtaining required items only from original equipment manufacturers, their authorized resellers, or other trusted sources.
The report acknowledges that “while it is not the primary goal, implementing these recommendations may contribute to increases in cybersecurity across the broader economy, particularly if changes to Federal acquisition practices are adopted consistently across the government and concurrently with other actions to implement the [NIST] Cybersecurity Framework.”
Initially, the recommendation that technical requirements for cybersecurity in procurements will be implemented through two rulemakings currently underway: “Basic Safeguarding of Contractor Information Systems” published as a proposed rule in August 2012, and “Safeguarding Unclassified Controlled Technical Information” published by DoD as an interim rule in December 2013.
The recommendation to narrow the sources from which the government may buy information technology to OEMs, authorized resellers and “other trusted sources” inherently conflicts with broad competition and may place some smaller contractors at risk because they do not have, or cannot achieve the required status. The report acknowledges that “limiting eligibility to only these types of sources for all acquisitions may not be compatible with acquisition rules, socioeconomic procurement preferences, or principles of open competition,” but leaves resolution of that difficult problem to another day.
The report contends that its recommendations are really more addressed to changing the behavior of government acquisition personnel than changing the behavior of industry, but the consequences of the acquisition rule and policy changes already underway on the larger industry are inevitable.