A new publication released this week by the National Association of State Chief Information Officers urges state officials to be more mindful of the security of third-party vendors’ IT products when making acquisitions.
The guide, published in conjunction with the National Association of State Procurement Officers and the Center for Internet Security (the nonprofit that runs programs like the Multi-State Information Sharing and Analysis Center), suggests that state agencies far too often choose technology products without consulting security officials, who might have insights about which products are more trustworthy, until the ink is already drying on contracts.
“As technology has grown increasingly complex over the last twenty years, so has the acquisition process,” the document reads. “State CPOs have had to shift from primarily procuring commodities to complex technologies as well as services. This requires a more strategic and integrated approach to managing the entire process.”
In interviews with chief information security officers earlier this year, NASCIO and its partners found that few of them are being consulted on these big purchases, leaving them to feel like they are only a “box to be checked.”
“We are consulted at the end, after the agency has already chosen the product, negotiated everything to be negotiated, and now we are ‘holding up’ the process by attempting to ensure that security is included,” one state CISO is quoted as saying. “I still find myself having to ‘push’ for security involvement early and, in too many cases, being pressured to sign off late in the game.”
If CISOs were engaged on procurement more regularly, they would offer their government colleagues a tough assessment of potential vendors: According to NASCIO’s most recent biannual survey of state CISOs, 81% said they were “only somewhat” or “not very” confident in third parties’ cybersecurity practices.
That bleak outlook follows globally impactful IT breaches, like the compromise of SolarWinds network monitoring software — which U.S. intelligence officials say was a Russian espionage operation — that affected dozens of organizations, including at least three state governments.
“This highly successful attack begs a question for all organizations deploying in complex IT environments: if a large, well-resourced supplier like SolarWinds cannot prevent such an incident, how can I possibly keep these sorts of things from impacting my environment?” the NASCIO guide reads.
While the document states it was unlikely individual states or local governments could’ve done anything to block a foreign intelligence agency’s corruption of a trusted software supply chain like SolarWinds’, “there is hope.” NASCIO says state governments can implement stronger requirements, including network segmentation, zero-trust architecture and regular assessments of vendor practices.
Major government technology acquisitions, it says, should also get involvement from a range of voices, including the agency making the purchase, the CIO, the CISO, the procurement officer, any subject-matter experts and legal counsel, following guidelines laid out by NASPO.
The document cites more recent efforts to heighten the importance of cybersecurity in procurement, including President Joe Biden’s February order that directed federal agencies to review their IT supply chains for potential risks in the wake of the SolarWinds breach.
It also mentions a new organization called StateRAMP, an effort formed late last year to apply the same scrutiny to state and local IT vendors that the Federal Risk and Authorization Management Program, or FedRAMP, applies when grading the security of federal contractors.
“Neither the acquisition process nor cybersecurity are trivial components of state government, which makes it all the more important that the two are integrated,” the report concludes. “Anything less than full integration and acceptance of the importance of the two quite simply puts states at a much higher risk.”