By Patrick Marshall


Built-in security could start with a common lexicon

It makes sense to buy products and services with some degree of security built-in rather than to add security piecemeal as vulnerabilities are found. That is one of the goals of an interagency working group developing plans for cybersecurity requirements in federal acquisitions.

The Joint Working Group on Improving Cybersecurity and Resilience through Acquisition, a cooperative effort between the Defense and Homeland Security departments and headed by the General Services Administration, has issued a request for information on how best to include cybersecurity requirements in contracts. Such requirements are not entirely absent from Federal Acquisition Regulations, but the working group is tasked with making them more consistent — both across government and with industry requirements — and focusing them on risk management rather than boiler-plate contract language.

Not that language isn’t important. “The importance of common language cannot be overstated,” the RFI says. “It is apparent that a common lexicon is one of the critical gaps in harmonizing federal acquisition requirements related to cybersecurity.”

Attempts at developing a common lexicon are being made. DHS’ National Initiative for Cybersecurity Careers and Studies, for example, has a cybersecurity glossary intended “to enable clearer communication and common understanding of cybersecurity terms, through use of plain English and annotations on the definitions.” The question is whether a common lexicon can be applied consistently to the acquisition process.

The acquisition effort is part of a presidential initiative, launched in the face of congressional gridlock, to improve government and critical infrastructure cybersecurity. A voluntary framework for privately owned critical infrastructure systems is being developed, but additions to the FAR would be mandatory for agencies, although it is not anticipated that the changes would be a one-size-fits-all set of requirements.

The working group was formed under Executive Order 13636 on Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive-21 on Critical Infrastructure Security and Resilience, both issued in February. According to the RFI, one of the goals of the orders is to “provide and support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure.”

The working group’s job is to make recommendations on the feasibility, benefits and merits of incorporating security standards into contracting requirements. The recommendations are expected to lay the foundation for any standards.

The working group wants to identify internal conflicts between different government cybersecurity requirements as well as conflicts with industry and international standards. Some of the issues it is asking for feedback on are incentives that could be offered to government contractors and suppliers in the face of tight budgets; how closely current commercial standards and best practices meet federal requirements; and how to better match commercial practices with federal needs.

Anyone interested in providing input to the project should respond to the RFI by June 12.

Posted by William Jackson on May 28, 2013 at 9:39 AM
