






that we no longer support an acquisition process where we potentially expose significant
exploitable risk in this manner.

If ever there was an issue that was ripe for Executive action, this is it. Changing the
culture requires no-nonsense leadership and direction. Executive action should be offered
immediately that directs federal departments and agencies to only acquire information and
communications technology products and services from authorized providers, at the very least
for high impact and mission critical systems.

There are ongoing efforts being considered by the US Department of Defense; General
Services Administration; Department of Homeland Security; and others to examine this issue.
However, those activities have lagged and thus far have not produced any tangible measures to
address this significant cybersecurity and supply chain risk challenge. Accordingly, in order to
lead by example, the Administration should take immediate steps to direct federal departments
and agencies on this matter. The culture has to change from acquisition practices that are
exclusively about meeting requirements for cost and schedule to practices that include evaluation
criteria addressing authenticity, security, and assurance of products and services purchased.
This will require leadership and a clearer understanding of the risk, including the business risk.

We all understand the impact of reduced budgets and how they affect decision making around
the acquisition process. The old Midas commercial talked about “pay me now or pay me later”.
Similarly, in the case of information technology and communications hardware, software, and
services, it is imperative that we make every effort through the acquisition process to purchase
those products and services from authorized providers. Without specific policy guidance and
direction, and with increasingly austere budgets for departments and agencies, this challenge
could get worse as procurement officials focus even more on saving dollars in the acquisition
process.


Industry and government, working together, will be able to address this matter in a
proactive and productive manner and drive a policy that updates the federal
procurement process to reduce the risk to cybersecurity and supply chain assurance, thereby
improving national and economic security and resilience.

The risk is real. The time is now. Let’s get to it.

About the Author:

Bob Dix is Juniper’s Vice President for Global Government Affairs and Public
Policy. He was Chair of the Partnership for Critical Infrastructure Security
from 2011–2014 and chaired the Information Technology Sector Coordinating
Council from 2008–2009. He has been an active industry leader in efforts to
improve cybersecurity and critical infrastructure protection for more than 10
years. He served as Staff Director for the House Subcommittee on
Technology & Information Policy during the 108th Congress.




Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
