A governmentwide cybersecurity purchasing contract gains converts

Experts say the expanding security threat calls for a program that allows agencies to buy cyber equipment and services within days off a vehicle designed after the massive Networx telecommunications contract.

Photo caption: Defense Deputy Secretary William Lynn wants to speed the buying process, which can strengthen cybersecurity. (Photo: Defense Department)

Security experts inside and outside government are becoming more convinced that the federal government must develop contracting programs that provide agencies with the ability to buy cybersecurity tools and services quickly to fend off ever-evolving and sophisticated threats.

There is no department that better illustrates the problem than the Defense Department. Currently, Defense takes an average of 81 months -- nearly seven years -- to develop an IT program from its initial funding to when it becomes operational, making systems four to five generations old by the time they are turned on, said Deputy Secretary William Lynn during a military symposium on cyberspace in May. At the meeting, he announced the formation of a task force that will look into speeding the IT acquisition process.

But such a long development and purchasing cycle makes it difficult to secure computer systems against cyberattacks that can develop almost instantaneously. "The challenge we have in the cyber world is that adversaries are acting on a faster time frame -- days or hours, not months or years," said Don Proctor, a senior vice president at Cisco and leader of its cybersecurity task force in the Office of the Chief Executive Officer.

The challenge government and industry face is finding a way to shrink the procurement window without sacrificing quality or imposing on fair competition.

Hackers often begin attacking federal IT systems well before agencies have time to buy the latest security control that can protect them. To help agencies buy the latest and greatest protection, the Senate included funding in its version of the fiscal 2011 Defense authorization bill that would explore innovative and flexible procurement models that Defense could follow to quickly acquire capabilities that would ward off serious threats that suddenly evolve.

The challenge extends to civilian agencies as well, said Pat Howard, chief information security officer at the Nuclear Regulatory Commission. "The government could play an important role in giving particular security products a Good Housekeeping Seal of Approval, saving individual agencies the time and effort of performing their own evaluation" of which security tools are the best suited for them, he said.

Howard endorsed the idea of a governmentwide contract through which agencies could buy IT security services the government has certified as compliant with federal standards. It would resemble Networx, the government's massive telecommunications program, which offers agencies a list of prequalified contractors providing the latest communications technologies and services at deeply discounted prices.

"Normally to get speed in contracting you have to limit to some degree full and open competition and perhaps award low-cost solutions," said Kevin Carroll, president of the IT consulting firm Kevin Carroll Group and a former program executive officer for enterprise information systems in the Army.

Carroll also supports separate contracts for qualified cyber products and services, and estimated that indefinite delivery-indefinite quantity contracts awarded to numerous contractors would provide the kind of quick and competitive task orders that could be issued within 10 days, with awards made within no more than another 20 days.

But before contracting vehicles can be developed, cybersecurity requirements must be clearly defined, said Stan Soloway, president of the Professional Services Council. "There's a lot of money being spent on cybersecurity, but there are still a lot of questions about what the government will actually be looking for," he said. "Maybe one cyber office doesn't have to award all contracts and give all grants, but there does need to be a clear and consistent policy" for how cybersecurity products and services will be purchased.

The policy likely will be defined by a cybersecurity office in the White House, run by a Senate-confirmed presidential appointee. Numerous bills on the Hill would establish such an office.

"That office, which should already exist, is what's missing," said Alan Paller, director of research for the SANS Institute. He advocates reforming the procurement system so that it would not only speed cybersecurity purchasing, but also require industry to build security controls into software while it is being written.

"Right now, who's going to look at what the people writing the contracts are doing?" Paller said, adding the National Institute of Standards and Technology and the Homeland Security Department do not have the power to oversee the process, and the Office of Management and Budget "are just too busy."

"No one has had that kind of oversight over how [agencies] buy," he said.
