6 ways to improve cybersecurity through acquisition
- By Defense Systems Staff
- Jan 30, 2014
Training acquisition staff in cybersecurity and coming up with a common cybersecurity vocabulary are two ways to help protect government systems when buying new IT products, according to a report by the Defense Department and General Services Administration.
The report, “Improving Cybersecurity and Resilience through Acquisition,” sets out six reforms intended to reduce the risks agencies face in an increasingly dangerous, and increasingly connected, cyber environment by aligning acquisition with existing risk management practices.
“This report is an important step to improving the cybersecurity of our acquisition processes,” Frank Kendall, undersecretary of defense for Acquisition, Logistics and Technology, said in a joint DOD/GSA announcement.
The six reforms the report recommends are:
• Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions.
• Include cybersecurity in acquisition training.
• Develop common cybersecurity definitions for federal acquisitions.
• Institute a federal acquisition cyber risk management strategy.
• Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources.
• Increase government accountability for cyber risk management.
“The ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes and technology affected by the Federal Acquisition System,” said GSA Administrator Dan Tangherlini.
The acquisition report grew out of Presidential Policy Directive 21 and Executive Order 13636, both released in February 2013, which address the security and resilience of critical infrastructure.
Those directives address broad plans for security, information exchange and integration among federal, state, local and tribal governments. The DOD/GSA plan is just one part of that, seeking to address cybersecurity throughout a product’s lifecycle — from development and acquisition through disposal — while tying the process to risk management practices already set forth by the Federal Information Security Management Act and the Office of Management and Budget.
The Federal Register will publish a request for public comment on the draft implementation plan in February.