Kaspersky, Microsoft In Mix To Help Guide Cybersecurity Federal Procurement Changes
Kaspersky Lab's new federal subsidiary is among Microsoft and other vendors, industry groups and service providers offering guidance on proposed federal guidelines governing the acquisition of cybersecurity software and services for critical infrastructure protection.
The organizations responded to the General Services Administration (GSA) and the Department of Defense, which sought guidance on how to implement recommendations on federal procurement changes in a report issued by a Joint Working Group to the Obama Administration in January. The group was established to identify ways to make the acquisition process agile enough to address dangerous threats following President Obama's Executive Order to bolster critical infrastructure protection.
The report outlines ways to increase government accountability into risk management practices at organizations that maintain critical infrastructure facilities. It recommends that manufacturers of security products meet a minimum set of security standards to protect sensitive data and reduce software vulnerabilities as a condition of being awarded a contract.
Kaspersky Government Security Solutions Inc., the newly formed federal subsidiary of Russian antivirus giant Kaspersky Lab, and Milpitas, Calif.-based network security vendor FireEye were the two security vendors that offered specific guidance on the proposed changes. Business and technology industry associations are also weighing in on the proposed changes, including The Information Technology Industry Council, an organization that represents a number of industry heavyweights including Dell, Hewlett-Packard, and Symantec.
Hilary MacMillan, vice president and cybersecurity intelligence executive at Kaspersky Lab Government Security Solutions, offered a number of specific changes to add a risk assessment process to high-risk acquisitions and incorporate the impact of vulnerabilities or threats that products or services are addressing. For example, best-of-breed products could be validated under a federal program to identify weaknesses at the source code level, MacMillan said.
Procurement practices need to be able to adapt to a constantly changing threat landscape and threats that are increasingly defeating dated security defenses, said Orlie Yaniv, FireEye's director of government affairs and policy, in his comments on the changes. Federal agencies continue to use signature-based tools that don't address increasingly sophisticated tactics and techniques of attacks that target them, Yaniv said.
"We believe that agencies should have greater agility and flexibility in their procurement decisions, which will allow them to procure and deploy the advanced and innovative cybersecurity technologies that are necessary to address the evolving threat landscape," Yaniv said. "Given the risks presented by advanced cyber threat actors, low-cost technically acceptable procurements should be discouraged or prohibited in acquisitions deemed of higher risk."
The comments were made in March and April following the release of the Framework to Improve Critical Infrastructure Cybersecurity, a document issued in February by the National Institute of Standards and Technology to establish voluntary guidelines to protect critical infrastructure facilities from cyberattacks. The Department of Homeland Security has identified 16 industry sectors that own and maintain critical infrastructure facilities, including some that are operated by small and midsize businesses.
Microsoft also weighed in, expressing concern that changes could negatively impact the acquisition process already governed by the Federal Risk and Authorization Management Program (FedRAMP), a certification program that validates the security of cloud services for use in U.S. government agencies. Microsoft, Amazon and other cloud providers achieved FedRAMP certification last year. The draft implementation plan would create new and significant compliance burdens without reducing risk, said Cristin Flynn Goodwin, a senior attorney for legal and corporate affairs at Microsoft.
Solution providers also warned of a potential price increase on products and of impediments for U.S.-based suppliers in foreign markets. Dobson, N.C.-based InfusionPoints LLC and Washington, D.C.-based Lineage Technologies, LLC each said guidelines should incorporate risk assessment practices into the process.
Solution providers told CRN that it often takes years before any significant changes are made to the procurement process. Systems integrators and resellers seeking federal contracts must navigate a completely different process when working with the federal government, said Oscar Flores, president of Riverview, Fla.-based systems integrator Adsevero. Flores, who has worked on some federal projects with previous firms, said some manufacturers guide solution providers through the process.
"It depends on who you are working with, but the federal process is already very complicated and especially daunting for people who have never been there before," Flores said.
Other solution providers are embracing the federal push to boost cybersecurity in the private sector. Tyson Kopczynski, a security solution principal at Slalom Consulting in San Francisco, said his practice is using the NIST Cybersecurity Framework to help private sector businesses address security improvements in the right areas.
"We are really seeing a lot of interest in this area because it is getting a lot of broad attention," Kopczynski told CRN. "There are ways that you can use the framework to make risk-based decisions and invest in the areas that have the most impact."