Cybersecurity — A big deal for contracting [Commentary]



Almost anyone in government, if not indeed the country at large, is aware of the security risks of the information systems we are now completely dependent upon. And make no mistake — we are completely dependent upon them.

Technology has evolved to vastly augment our human capabilities. It has affected how we complete our daily work, conduct financial transactions, travel from one place to another and socialize with one another. Unfortunately, while the sophistication of the technology on our desks, in our homes and cars, and carried about with us continues to rise, this sophistication is matched, if not exceeded, by the abilities of those who would do us harm.

It used to be that the protective physical barriers of our homes or workplaces — as well as the invisible barrier of “privacy” in our private lives — kept such people at bay. However, technology has also allowed such people to transcend and reach through such barriers, intruding into every aspect of our identities and personal or privileged information. Many of us have been “hacked” or tricked in one way or another into losing this data. “Cybersecurity” is a national security threat, and so far the government response is still a work in progress.

In contracting, this issue is not technically new. Protecting the integrity of the supply chain has always been part of ensuring the quality of goods and services delivered to the customer. Perhaps the private sector had a head start in this area, given the global nature of many commercial consumer products. However, the risk has spread and increased over time. It has now moved into the federal market as a result of a global economy that is more interdependent than ever, and which cannot be reversed without severe impacts to standards of living across the world.

Thus, for many government requirements, commodity items in contractor supply chains, including those used for national defense, are not typically produced exclusively within the United States and are subject to less and less government influence. Sensitive information, and access to the systems that contain it, are also being pushed further and further down the supply chain.

In the post-World War II era, there was a time when the government may have included a contract clause and — given the government’s large impact in the overall U.S. GDP at the time — fully expected compliance. Today, however, the government’s supply chain stretches around the Earth and, in many cases, isn’t at all clear. Just as consumers now worry about whether their TVs are “watching them,” government and industry do not have the historical confidence that requirements are properly passed on and understood down a longer and farther-reaching supply chain.

Every contracting officer understands the concept of “privity” — i.e., the customer (government) only has a contractual relationship with the prime contractor, not the sub. However, in such an increasingly interdependent world, does this still seem like the proper position to take?

Government requirements are flowed down through the supply chain, but as the length and complexity of supply chains increase, visibility decreases and the risk of noncompliance increases.

We have reached a flashpoint with cybersecurity. Whether it is government human resource data, air traffic control systems, law enforcement information, citizen tax and corporate filings, media news feeds or even our election process, what defines “national security” has in a very short time taken dramatic new forms and requires many different and still-to-be-determined responses.

Along with the vital technical and programmatic aspects of responding to new and serious threats, contracting (as well as subcontracting) supply managers or buyers must determine whether the contractors, vendors and suppliers they do business with can be identified. They must also require those parties to provide assurance that they will adequately protect any sensitive information they may have access to, in accordance with corporate or U.S. federal policy, law and regulation, and that their employees are similarly trustworthy, regardless of whether those contractors are located outside the country.

Solutions are many and still being developed. However, the competencies of the contracting, subcontracting, buyer or procurement manager must quickly be expanded to include those of the supply chain manager. The skill sets that were heretofore independent have converged. Protection of the cyber supply chain is about protecting the ultimate consumer. In the case of most government contracts, that is all Americans. It is imperative that best practices be shared across disciplines and that everyone be involved — and fast!

Michael P. Fischetti is the executive director of the National Contract Management Association.