Cybersecurity for Acquisition Professionals

Organizations and individuals are often targets of cybercrime because they have access to multiple sources of data such as internal company, government, customer, vendor, and employee data.

Cyber attacks commonly target the following:

  • Databases (internal and external)
  • File servers (in-house, remotely managed)
  • Mobile devices (e.g., phones, tablets, watches)
  • Internet of Things devices (e.g., home or business security systems, thermostats, personal assistants such as Alexa)
  • Social media (e.g., Facebook, LinkedIn, Snapchat)
  • Email (e.g., Google, Yahoo)

As a contracting professional, whether for the government or for a contractor, it is important to keep the following cybersecurity questions in mind at all times with respect to the acquisition information and data that your organization handles:

  • What sensitive data do we have?
  • Who has access?
  • Where is it stored?
  • How do people access it?
  • How is it delivered, transferred, or transported?

Cybersecurity Hygiene

When acquiring a product or service, it is critical that you consider every point at which cybersecurity risk could arise, so that the proper controls are in place to avoid or reduce that risk across the product’s or service’s lifecycle. Cyber hygiene, also known as cybersecurity hygiene, is the set of practices and steps that organizations and individuals perform regularly to handle critical data securely and to maintain the security of users, devices, network systems, and information. Insufficient cybersecurity has lasting effects, which is why the acquisition process plays such a crucial role in cyber hygiene.

For example, the federal government increasingly relies on supplies and services from commercial information and communications technology (ICT) to meet its mission needs. However, reliance on ICT vendors has also exposed the government to cybercriminals. The majority of federal technical information is contained in ICT-acquired systems, meaning the data is vulnerable to cyber-attacks. The acquisition and security of ICT is only one of many scenarios that illustrate the importance of cybersecurity management. Other important cybersecurity management considerations relevant to the acquisition professional include:

  • Potential exchange of data during the acquisition process. What if, during the acquisition process, there was a need to exchange controlled unclassified information (CUI)? For example, the government may have a need to distribute CUI to approved contractors so they can prepare proposals.
  • Design or production of hardware or software that stores or processes data. The federal government may be procuring a product or service that handles data (e.g., health information software). The contracting personnel will need to know whether the software is cybersecure.
  • Servicing hardware or software that processes data. The federal government may use a vendor to perform maintenance on hardware or software, which requires careful consideration of the contractor’s qualifications to safely handle CUI.
  • Generation or processing of data during contract performance. A vendor may have access to information that is important for national security that needs to be protected.

The Role of Contracting Professionals in Cybersecurity Management

As a contracting professional, you are the cybersecurity gatekeeper of the federal acquisition process: as a member of the contracting team, you are responsible for certifying that cybersecurity requirements have been met and that your contracts are kept secure. Whether you are a contractor handling sensitive government data or a contracting professional on the government side selecting the applicable cybersecurity clauses for a solicitation, you are responsible for safeguarding your contracts. In your role, you will likely need to know whether your organization is in compliance with the latest cybersecurity requirements and with the requirements of each contract.

It is also important to remember that, as a contracting professional, you are a potential target of cybercrime because you have access to the data that cybercriminals are looking for: government and contractor information and systems.

Cybersecurity during Acquisition Planning and Management

So, as a contracting professional and member of an acquisition team, what should you do?

Cybersecurity should be a primary consideration of the acquisition team throughout acquisition planning—from the moment a need is identified to the point at which a solicitation or Request for Information (RFI) is released to the industry.

In contracting, practicing good cyber hygiene starts with the requiring activity, beginning when the requirement is defined and a solution is analyzed. The acquisition team must decide which controls should be included in the requirement and ensure that any critical decisions relating to the acquisition are informed by a cyber risk management plan.

The contracting officer should ensure that the requiring activity states in the solicitation whether and how it will consider the contractor’s implementation of NIST SP 800-171 and its Basic and Derived Security Requirements (or the contractor’s level of CMMC certification) only, and not NIST SP 800-53 security controls; that is, the solicitation should not reference a NIST SP 800-53 control (e.g., AC-4) in order to identify a NIST SP 800-171 security requirement (e.g., 3.1.3).

Contracting professionals, whether working for the government or for contractors, need to think critically about cyber risk throughout the contracting lifecycle and focus on how to safeguard contract information and data, especially in today’s data-driven environment. How vigilant are you and your organization in preparing for and managing cybersecurity threats?

To keep your organization safe, check out Cybersecurity for Contracting Professionals to learn from our experts.
