There are certain phrases you should never expect to hear coming out of my mouth.
There are long odds against me saying things like “You know, being a vegan sounds like something I would really enjoy” or “You know what I miss most about Upstate New York?
The really long and bitter winters.” And as the father of three young girls, you definitely shouldn’t anticipate me saying “No, no, all the drama, fighting, and refusal to go to bed is actually a lot fun. I highly recommend it.”
So when I say the following, it is fitting that the Potomac recently froze over: the federal government just came up with a really good idea for businesses to follow when it comes to cybersecurity. I mean really good.
I’m not kidding.
Cue the locusts, frogs, fire, and brimstone.
Last year President Obama released an Executive Order on Cybersecurity. The most attention-grabbing part of the EO has been the section calling for the creation of “voluntary framework” that businesses can use to help prepare them for cyberattacks.
The relative merits, benefits, and problems with the framework are best left for another column. What has been relatively overlooked, however, is that the EO also called for a fundamental change in the way the federal government buys products and services.
Section 8(e) of the EO mandated that the Defense Department, working with the General Services Administration and the Department of Homeland Security (DHS) make recommendations to the President on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.
That group of agencies just released its report, which includes a number of recommendations on acquisition policy that can materially increase the federal government’s cybersecurity. More simply stated, the President has been given a playbook whereby when the federal government buys “stuff” from now on, it should make sure that that “stuff” would not cause or increase cyber vulnerabilities.
I can live with that.
The recommendations from the report are broad ranging, but represent a fairly cohesive acquisition strategy that considers cybersecurity. The recommendations specifically include recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development.
The final report makes six specific recommendations on ways to increase cybersecurity. The report states that the federal government going forward should:
- institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
- address cybersecurity in relevant training;
- develop common cybersecurity definitions for federal acquisitions;
- institute a federal acquisition cyber risk management strategy;
- include a requirement to purchase from original equipment or component manufacturers, their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and
- increase government accountability for cyber risk management.
The report calls for the government to more specificity state the cybersecurity standards to which contractors will be held accountable. This recommendation was made because existing cybersecurity requirements are often stated too broadly, leaving significant ambiguity as to what cybersecurity measures are actually required. The report therefore recommends the inclusion of well-defined baseline cybersecurity requirements in sections of contracts that are clearly intended to be mandatory requirements.
To be sure, the report does leave open many questions, including:
- What cybersecurity terms will be defined, and what will those definitions look like?;
- What topics will be covered in the cyber education program for the procurement work force? If procurement officials are not properly educated on a variety of threats, then they may fail to incorporate standards and requirements that are necessary for information protection;
- How will the risk management strategy be developed? And will it be flexible enough to account for the rapidly evolving threat environment?; and
- How deep will these requirements reach into federal contractors’ business? In other words, will the cybersecurity obligations be limited to just public-contracting programs, or will they effectively become company-wide requirements regardless of the buyer?
So in short, the federal government is moving on a path that will require a review to determine whether every dollar spent will require some sort of cybersecurity requirement. Further, it is going to train its purchasing agents on the ins and outs of cybersecurity, so they will be able to make decisions on what kind of cybersecurity requirements should be included in a given contract.
I like it. I like it a lot.
I like it so much, in fact, that I dare say it is the type of common sense action that the private sector should be leaning on to help decrease its vulnerabilities to cyberattacks.
Does anyone else feel that draft? Maybe we should move to a booth.
Think about it – not a whole lot is being asked for, here. Essentially a rule could soon be imposed saying “look, when we buy stuff, we need to make sure that stuff has security built into it that matches up with the risks we face.” Also, we are now in a position where the people in charge of purchasing have to be educated about cyber threats and cybersecurity measures so that they can incorporate meaningful requirements into contracts.
Frankly, I’m not sure how your average business owner and especially companies that are at severe risk for cyberattacks could avoid undertaking these kinds of purchasing actions. It only makes sense that if you know you are at risk of a cyberattack—and often times those attacks are enabled by components or services that have few to no cybersecurity requirements in them—then you should be careful what you buy and from whom.
We live in a different world. Businesses make many different issues priorities in their purchasing activities, whether they address sustainability, diversity, or efficiency goals. The natural next step is to consider cybersecurity as part of the purchasing process. Doing so is yet another vitally important step in making businesses safer and more secure.
One last thing: put a sweater on. A warm place just froze over.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at firstname.lastname@example.org.