NASCIO, CIS and NASPO Call for Cyber and Acquisition Integration

LEXINGTON, Ky., Tuesday, April 27, 2021 — The National Association of State Chief Information Officers (NASCIO), the Center for Internet Security (CIS) and the National Association of State Procurement Officials (NASPO) today released Buyer Be Aware: Integrating Cybersecurity into the Acquisition Process. The publication addresses steps state governments should take to ensure cybersecurity is an integral part of the acquisition process.

NASCIO President and New Hampshire Commissioner and CIO Denis Goulet commented, “too often state chief information security officers aren’t consulted about an IT procurement until the end of the process. State CISOs are charged with reducing cybersecurity risk to state governments and cannot be pressured to simply ‘check a box’ when it comes to cybersecurity. The risks are just too great.”

As the publication notes, cybersecurity functions in state government are increasingly being outsourced, however, confidence in third-party vendors is decreasing. Additionally, major cyber incidents in the past year have called into question the security of commonly used software and the COVID-19 pandemic reinforced the importance of supply chain security.

“Managing cybersecurity risk in your organization requires an enterprise and IT level focus on best practices for your systems as well as everything you bring in to integrate with those systems,” said Mike Garcia, Senior Advisor for Cybersecurity for the Center for Internet Security. “The latter means building security into the procurement process by involving the CISO from the beginning and holding vendors to the same standards that you apply to your own organization. Widely accepted and actionable guidance, like the CIS Controls and CIS Benchmarks, are freely available to help all organizations make wise investments during procurements and beyond.”

The publication also calls for a strong partnership between the CIO office, CISO office, procurement office, state agencies and the private sector. Neither the acquisition process nor cybersecurity are trivial components of state government which makes it all the more important that the two are integrated. Anything less than full integration and acceptance of the importance of the two quite simply puts states at a much higher risk.

“Procuring technology is an essential part of the work of our state procurement officer members. It is important for our members to be able to partner with their CIOs, CISOs and agency customers to successfully conduct IT procurements. Those partnerships allow state procurement to understand the software and security elements needed as well as ensure that all specific purchasing requirements are met throughout the process,” said NASPO Chief Executive Officer, Lindle Hatton.

Finally, the publication includes a list of recommendations aimed at assisting state governments in fully integrating cybersecurity into the acquisition process.

NASCIO Contact
Meredith Ward
Director of Policy and Research
National Association of State Chief Information Officers