Federal Acquisition Practices Are A Key Contributor to Cyber & Supply Chain Risk

A continuing focus on cost rather than authenticity of products and services is an outdated and increasingly risky approach to federal procurement


Presented by: Robert B. Dix, Jr.

At a time when the challenges of cybersecurity and supply chain assurance continue to be
topics of great attention nationally and globally, it remains difficult to understand why the US
government has not taken the appropriate step of requiring federal departments and agencies to
purchase information and communications technology (ICT) products and services from
authorized sources, at least for high impact and mission critical systems.


Instead, the ongoing culture of meeting acquisition cost and schedule parameters by purchasing
ICT products and services based on a lowest price, technically acceptable (LPTA) approach is a
contributor to the growing cybersecurity risk. The pressure to save acquisition dollars may
result in government contracting officials deciding to purchase from untrusted resellers. By
purchasing ICT products and services from online brokers and other untrusted sources, the risk
of acquiring counterfeit, tainted, or even malicious equipment is significantly increased.

Most Original Equipment Manufacturers (OEMs) have made significant investments to create
and implement extensive product assurance and supply chain risk management programs
which are comprehensive, from product concept to delivery and disposal. Such programs
include measures that afford component traceability and history of the product path, including
assembly and delivery. Given the global nature of most supply chains, such programs are
necessary to affirm product integrity and authenticity.

Additionally, many OEMs have business relationships with partners and resellers that offer
their products and services to interested acquirers, including government. In order to be
included in the approved channel of partners and resellers, OEMs conduct a vetting process to
affirm the legitimacy of the entity, often including background checks, site visits, financial
evaluations, and other criteria to validate the credibility of the business. Contractual elements of
the engagement allow for entities to be dismissed from the authorized channel if they fail to
sustain the requirements established by the OEM. While there is no absolute solution that
eliminates all risk, such a review process can certainly reduce the risk and provide greater
assurance of the authenticity of the products and services provided.


However, far too often, the government pursues acquisition practices that are driven solely by
cost. To be clear, the men and women who are procurement professionals are pursuing their
craft based on the long-standing culture of saving money and meeting delivery schedules. In
fact, their own performance evaluation may rely on their success in this area. This culture does
not consider product authenticity, security, or assurance, and therefore may drive well-meaning
staff to shop online, in the gray market, or with other untrusted sources seeking to save dollars
on whatever product or service they are looking to acquire on behalf of the end user. Given the

8 Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
