Officials: Be specific about cybersecurity during acquisition
October 13, 2015
The administration has been pushing agencies to include more cybersecurity language in contracts, specifically by citing control standards like those advanced by the National Institute of Standards and Technology. Some officials don't think those standards are enough on their own and are encouraging agencies to get specific with vendors when writing cybersecurity requirements.
"In software assurance or as a computer scientist you say it's all about the code," Kris Britton, director of NSA's Center for Assured Software, said during a panel discussion hosted by the Consortium for IT Software Quality (CISQ) on Oct. 13. "Ultimately it is. But it all begins — at least in government — back at the acquisition process."
As more products and services are being managed by third parties, much of the cybersecurity responsibility is falling on the vendors, Britton said, particularly for delivering resilient code. For those vendors to be successful, they have to understand exactly what is expected of them, he said.
Britton also noted the difficulty in holding contractors accountable if cybersecurity duties aren't explicitly laid out in the service level agreements (SLAs).
John Keane, software assurance lead for the Department of Defense Healthcare Management System Modernization (DHMSM) program, took it a step further, outlining in the solicitation the specific software assurance tools the agency planned to use to test potential vendors for its massive electronic health records system.