Strengthening Cybersecurity Through Acquisition Reform
One element of last year’s cybersecurity executive order was a report by the DoD and GSA on how to improve the government’s cybersecurity posture through acquisition reform. Recently released to the public, the report, titled “Improving Cybersecurity and Resilience through Acquisition,” lays out six policy recommendations: (i) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions, (ii) address cybersecurity in relevant training, (iii) develop common cybersecurity definitions for Federal acquisitions, (iv) institute a Federal acquisition cyber risk management strategy, (v) include requirements to purchase from OEMs, authorized resellers, or trusted sources, and (vi) increase government accountability for cyber risk management.
If implemented, these recommendations will directly impact contractors pursuing programs that have any cyber-threat element. Today, certain contracts indirectly address security requirements by calling for compliance with broad standards; however, the report recommends that specific security requirements be incorporated into contracts’ technical descriptions, making security one of the active deliverables owed by the performer. These “baseline” requirements can include malware protection, multi-factor authentication, software patch updates, and methods to ensure confidentiality of data, among others. As a result, companies interested in pursuing such work would have to develop internal cybersecurity capabilities or team with proven specialists, providing increased opportunity for security solutions providers.
The recommendations may pose certain risks for contractors as well. The requirement to purchase technology only from OEMs, authorized resellers, or trusted vendors, for example, has been proposed in the past as an addition to the cost accounting standards rules, and would shift financial liability for counterfeit components to the contractor. Though the consequences for failing to properly secure systems are not yet defined, such failures may become contract violations in this framework, adding further exposure for contractors.
The implementation of these recommendations may also portend opportunities for government consulting and technical assistance companies. Many of the recommendations include development of definitions, standards, and best practices. Consultants with security expertise may stand to benefit from potential acquisition support work aimed at ensuring compliance with evolving cybersecurity definitions and requirements.
Though the report does not lay out specific implementation plans and is open for public comment, the DoD signaled that it is likely to move forward with implementation in the near term, suggesting that procurement changes may be coming in the not-too-distant future.