TIA Provides Views on Improving Cybersecurity and Resilience through Acquisition
As the Administration continues to implement Executive Order 13636 (Improving Critical Infrastructure Cybersecurity), released in February 2013, which directed the National Institute of Standards and Technology to create the voluntary Framework for Improving Critical Infrastructure Cybersecurity for use by critical infrastructure owners and operators, to some it may seem that the Executive Order’s impact on Federal acquisitions has been somewhat overshadowed by the effect of the Framework on private owners of critical infrastructure. This is probably because the latter group owns and operates the vast majority of the United States’ critical infrastructure, but that fact should not discount the importance of the activities that Executive Order 13636 initiated for Federal purchasing.
Changes to Federal procurement requirements in the area of cybersecurity are of immense importance to the information and communications technology (ICT) sector because the Federal government purchases billions of dollars’ worth of ICT. ICT manufacturers and vendors use a distributed approach to technology development and an increasingly trusted global Internet and infrastructure to innovate, resulting in ever-adapting and dynamic security in ICT products and services, backed by billions of dollars of private ICT research and development each year. In short, the US government has important purchasing power and directly benefits from the private sector’s virtuous cycle of investment that provides product assurance. The procurement policies it sets will also likely affect private procurements to a degree, as well as the policies of foreign governments, which keenly watch the US government to inform their own procurement policies.
Section 8(e) of Executive Order 13636 requires the Secretary of Defense and the Administrator of General Services to make recommendations to the President on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” and that this report “shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.” TIA, representing the ICT manufacturer, vendor, and supplier community, has engaged GSA-DoD as they have worked to implement Section 8(e), filing views to inform their recommendations to the White House in May 2013 which are available here. Very recently, GSA-DoD released their final recommendations, seeking guidance on how to best implement them. On April 28, TIA submitted its views on how the Federal government should go about implementing those recommendations, which are available here. Among other priorities our recent filing with GSA-DoD discusses are:
- Don’t impede innovation: Efforts to implement the Report’s recommendations should preserve flexibility and the ability to innovate by being outcome-based and technology-neutral.
- Rely on existing approaches and standards: Efforts to implement the Report’s recommendations should recognize the necessity of international approaches and standards.
- Education is crucial: The role of Federal workforce training in improving cybersecurity through acquisition should not be understated.
- Risk-based decisions: Take proactive steps to ensure that risk – as well as cost – factors into decisions to purchase from outside of trusted channels.
- Fully leveraging public-private partnerships: Efforts to improve cybersecurity risk analysis and mitigation processes, including in Federal procurement policies, should leverage public-private partnerships as an effective tool for collaboration on addressing current and emerging threats. The public-private partnership model should be a key element of a cross-sector, standards-based approach.
TIA believes that by taking an approach consistent with our views as the recommendations on improving cybersecurity and resilience through acquisition are implemented, the Federal government can continue to improve the resiliency of the ICT it purchases, from standard uses to those that are highly sensitive and mission-critical. We look forward to future engagement with GSA, DoD, and other Federal agencies as policies are formulated and implemented pursuant to the EO and the Report.