Government agencies working toward secure procurement

In an effort to improve public sector data security, the U.S. General Services Administration is seeking input on the cybersecurity measures taken with new IT procurements. Along with the Defense Department, the GSA is now required by presidential mandate to provide recommendations for standardized cybersecurity contract requirements. The Washington Post reported that this stems from an executive order earlier this year to improve the security of critical infrastructure.

Emile Monette, senior adviser for GSA's Office of Acquisition Management, told the Post that companies are spending millions on cybersecurity but the government has to be able to share these costs in a way that makes sense.

"There's already a significant cost to doing business with the federal government, and we don't want to unduly increase that," Monette said. "Any time you increase the requirements on a company just to do business with the government, you create barriers to entry."

GSA is also looking at commercial requirements and whether they may apply to federal purchases. The agency would also like to find a better way to resolve conflicts among various regulations, contracts and policies. Officials want to determine whether businesses will face conflicting or redundant standards.

Alan Chvotkin, executive vice president of the Professional Services Council, told the Post that his organization will submit comments and ask for requirements that focus on outcomes and attributes instead of specific designs. This will allow organizations to approach issues based on the size of the company and the amount of business they are doing with the government, as well as what kind of work they are doing. Every organization will need something, he said, but not all will need the same thing.

Many see an update in this line of thinking as a positive, including Raymond Aghaian, a partner at McKenna Long & Aldridge who specializes in cybersecurity, who told the Washington Post that this will allow contractors to have their voices heard on this matter.

"The train is essentially leaving the station, and so [companies] should get on board," he said. "It would be difficult if … the government was to dictate what the standards [will] be without considering the practical effects … It's important to try to strike the right balance, and it would be difficult to do so if it's just a one-sided conversation."

An 'insidious' threat
In a speech at the Shangri-La Security Dialogue in Singapore recently, Defense Secretary Chuck Hagel said that threats to cybersecurity pose a "quiet, stealthy, insidious" danger to the U.S., as well as other nations, and said there needs to be a better guide to defusing cyberwarfare in its earliest stages, according to Insurance Journal.

"Cyber threats are real, they're terribly dangerous," Hagel said. "They're probably as insidious and real a threat (as there is) to the United States, as well as China, by the way, and every nation. … That's not a unique threat to the United States, (it affects) everybody, so we've got to find ways here … working with the Chinese, working with everybody, (to develop) rules of the road, some international understandings, some responsibility that governments have to take."

Although Hagel hopes there will be some private conversation about the issue between countries, he believes much of it will be solved by the public, as it is a "very real" threat to everyone, no matter their national affiliation. In fact, NATO Secretary-General Anders Fogh Rasmussen said his organization faces regular attacks, particularly on a system used to coordinate military activity and actions among the 28 allied countries.

Security News from SimplySecurity.com by Trend Micro
