Cybersecurity for Acquisition Professionals
Organizations and individuals are often targets of cybercrime because they have access to multiple sources of data such as internal company, government, customer, vendor, and employee data.
Cyber attacks commonly target the following:
- Databases (internal and external)
- File servers (in-house, remotely managed)
- Mobile devices (e.g., phones, tablets, watches)
- Internet of Things (e.g., home or business security systems, thermostats, personal assistants, like Alexa)
- Social media (e.g., Facebook, LinkedIn, Snapchat)
- Email (e.g., Google, Yahoo)
As a contracting professional, whether for the government or for a contractor, it is important to continually consider the following cybersecurity questions when considering the acquisition information and data that your organization handles:
- What sensitive data do we have?
- Who has access?
- Where is it stored?
- How do people access it?
- How is it delivered, transferred, or transported?
Cybersecurity Hygiene
When acquiring a product or service, it is critical that you consider all opportunities for potential cybersecurity risk to ensure that the proper controls are in place to avoid or reduce the cyber risk during the product’s or service’s lifecycle. Cyber hygiene, also known as cybersecurity hygiene, is a set of practices and steps that organizations and individuals regularly perform to ensure the secure handling of critical data and maintain the security of users, devices, network systems, and information. Insufficient cybersecurity has lasting effects—making it clear why the acquisition process plays such a crucial role in cyber hygiene!
For example, the federal government increasingly relies on supplies and services from commercial information and communications technology (ICT) to meet its mission needs. However, reliance on ICT vendors has also exposed the government to cybercriminals. The majority of federal technical information is contained in ICT-acquired systems, meaning the data is vulnerable to cyber-attacks. The acquisition and security of ICT is only one of many scenarios that illustrate the importance of cybersecurity management. Other important cybersecurity management considerations relevant to the acquisition professional include:
- Potential exchange of data during the acquisition process. What if, during the acquisition process, there was a need to exchange controlled unclassified information (CUI)? For example, the government may have a need to distribute CUI to approved contractors so they can prepare proposals.
- Design or production of hardware or software that stores or processes data. The federal government may be procuring a product or service that handles data (e.g., health information software). The contracting personnel will need to know whether the software is cybersecure.
- Servicing hardware or software that processes data. The federal government may use a vendor to perform maintenance on hardware or software, which requires careful consideration of the contractor’s qualifications to safely handle CUI.
- Generation or processing of data during contract performance. A vendor may have access to information that is important for national security that needs to be protected.
The Role of Contracting Professionals in Cybersecurity Management
As a contracting professional, you are the cybersecurity gatekeeper of the federal acquisition process and you, as a member of the contracting team, are responsible for certifying that cybersecurity requirements have been met and that your contracts are kept secure. Whether you are a contractor handling sensitive government data, or a contracting professional on the government side selecting applicable cybersecurity clauses for a solicitation, you are responsible for safeguarding your contracts. In your role, you will likely need to be aware of whether your organization is in compliance with the latest cybersecurity requirements and/or requirements of a contract.
It is also important to remember that as a contracting professional you are a potential target of cybercrime because you have access to data that cybercriminals are looking for: government and contractors’ information and systems
Cybersecurity during Acquisition Planning and Management
So, as a contracting professional and member of an acquisition team, what should you do?
Cybersecurity should be a primary consideration of the acquisition team throughout acquisition planning—from the moment a need is identified to the point at which a solicitation or Request for Information (RFI) is released to the industry.
In contracting, practicing good cyber hygiene starts with the requiring activity, beginning when the requirement is defined and a solution is analyzed. The acquisition team must decide which controls should be included in the requirement and ensure that any critical decisions relating to the acquisition are informed by a cyber risk management plan.
The contracting officer should ensure that the requiring activity states in the solicitation whether and how it will consider the contractor’s implementation of NIST SP 800-171 and its Basic and Derived Security Requirements only (or level of CMMC certification), and not on NIST SP 800-53 security controls, i.e., they should not reference a NIST SP 800-53 control (e.g., AC-4) in order to identify a NIST SP 800-171 security requirement (e.g., 3.1.3).
Contracting professionals, both working for the government and contractors, need to think critically about cyber risk throughout the contracting lifecycle and focus on how to safeguard contract information and data, especially in today’s data-driven environment. How vigilant are you and your organization in your preparation and management of cybersecurity threats?
To keep your organization safe, check out Cybersecurity for Contracting Professionals to learn from our experts.