(Regular print indicates ITAPS recommendations supported in response to the questions; flagged items are expanded recommendations that more explicitly address questions not directly addressed by ITAPS. Participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.)
With the continued and growing dependence of the government on commercially provided IT services, what changes are needed to government acquisition policies and practices to ensure that contractors provide adequate security and privacy protections to government data and information?
Organizational procurement programs should have clearly defined and communicated priorities, accompanied by clear direction to procurement agents on the procedures for acquiring technology consistent with those priorities. The result should be a consistent, predictable, and agile acquisition approach that leads to more secure technology deployments. For example, the Director of the Office of Management and Budget (OMB), in consultation with the Administrator of the Office of Federal Procurement Policy (OFPP), should, as key national priorities: (1) provide clear direction to security and acquisition officials across government that cybersecurity solutions should be acquired and implemented rapidly; (2) advise security and acquisition officials on the existing authorities available for the rapid acquisition and implementation of cybersecurity solutions; and (3) expeditiously identify impediments to the rapid acquisition and implementation of cybersecurity solutions that need to be addressed by Congress, and report those impediments to the relevant committees of jurisdiction for redress.
Tie organizational cybersecurity performance to funding in order to achieve greater employee and organizational accountability and traceability. For example, OMB should withhold non-cybersecurity discretionary budget from underperforming agencies, and should identify and emphasize the potential criminal and civil penalties for compliance failures (e.g., by developing recommendations for revisions to the Anti-Deficiency Act).
Leverage agile and transparent acquisition approaches, as appropriate, that give security officials the flexibility to procure the technologies they need expeditiously. For example, once an appropriate technology that satisfies a defined, urgent cybersecurity requirement has been identified, the government should consider using accelerated and national security contracting authorities to acquire it.
Evaluate opportunities to achieve enhanced security using new and accepted technologies that can rapidly retire legacy systems and consolidate resources. For example, accelerate the appropriate use of shared services and cloud computing, promote the right-sizing and efficient alignment of common agency systems, rapidly retire insecure legacy systems, and adopt consistent approaches to security.
All emerging and existing procurement, acquisition, and development programs should be aligned and consistent with organizational risk management and governance approaches, ensuring technology deployments are secure, protected, and within a broadly understood framework. For example, any new government-provided acquisition and consulting activities offered across agencies should not proceed without the development and implementation of a security framework and plan to mitigate cyber risk consistent with the framework established pursuant to these recommendations.
(non-ITAPS) Ensure that cybersecurity requirements are clearly identified and funded in all acquisitions, that contract personnel are qualified and trained for their cybersecurity roles, that the supply chain and hardware, software, and applications are adequately secured, and that incentives and disincentives are applied as appropriate.