“Each employee and contractor in every aspect of an organization touches IT and thus has an important role in the overall cybersecurity posture of the state,” the guide notes. “The ubiquity of IT throughout the organization implies that only a true whole-of-organization approach can lead to successful cybersecurity outcomes. It is a team task to develop and integrate, patch and maintain and manage end-of-contract and end-of-life transitions.”
The guide notes that users need to properly use and protect resources, and “administrators must manage, security teams must define and monitor systems and procurement officials must incorporate security into the acquisition process and resulting contract.”
Best Practices for Secure IT Procurements
In early 2021, the guide notes, NASCIO sought feedback from state CISOs on how involved they are in the acquisition process. The responses “overwhelmingly indicated a lack of involvement.”
Many CISOs say they are often “left out of the process until the end and then pressured to ‘check a box’ and sign off on any cybersecurity contract requirements already established,” the guide states.
One CISO commented, “we are consulted at the end, after the agency has already chosen the product, negotiated everything to be negotiated and now we are ‘holding up’ the process by attempting to ensure that security is included.”
For successful and secure technology acquisitions, especially large-scale ones, all of the key stakeholders need to be included from the start of the process to understand their roles in cybersecurity, the guide notes. That includes representatives from the agency requesting the procurement, the state CIO and CISO’s offices, technical subject matter experts, risk management officers (including privacy officers), legal counsel, and the procurement office.
Procurement teams need to conduct thorough market research, the guide notes, and the CISO and CIO “should be actively engaged to provide their industry expertise.” Carefully structured requests for information issued early in the procurement process can also “provide information that can be incorporated into the project plan and the solicitation itself,” the guide states.
All of this information should be incorporated into a complete risk assessment and mitigation framework covering all relevant types of risk: IT security, privacy, financial, legal, procurement, technology and others, NASCIO states.
“In addition to the state’s minimum-security requirements, the solicitation lists other requirements as dictated by the risk assessment and mitigation framework. In addition to asking vendors to address these risks, they should identify what they perceive as the significant risks posed by the contract,” the guide notes. “Vendors should be required to provide a plan to reduce or manage the identified risks. This should be factored into the evaluation criteria included in the solicitation.”
State agencies must verify that prospective contractors meet the requirements set out in solicitations. That validation process, the guide says, should be overseen by the state CISO in conjunction with the procurement team. “States should establish a rigorous third-party (vendor) assessment and accountability system via terms and conditions, the project management process and implementation,” the guide notes.
The guide also notes that states should take steps to guard against supply chain security risks, something that has become more important in the wake of the SolarWinds cyberattack. Those steps include:
- A cybersecurity risk management program to address broad cybersecurity risks, regardless of whether they are supply chain risks.
- A targeted supply chain risk mitigation program for identifying and mitigating the most consequential supply chain risks.
- A supplier risk management program to reduce the risk from emerging threats and more elusive attackers.
In the end, the guide argues that education, coordination and validation that vendors are meeting security requirements are crucial to enhancing the security of IT procurements. Cybersecurity “must be viewed as an integral part of the acquisition process” by the CIO, chief procurement office, agency staff and the private sector, the guide states.
“Neither the acquisition process nor cybersecurity are trivial components of state government which makes it all the more important that the two are integrated,” the guide notes. “Anything less than full integration and acceptance of the importance of the two quite simply puts states at a much higher risk.”