States Take New Look at Cyber Procurement Strategies

As states plan how to get the most out of federal cybersecurity grants, they’ll need to approach procurement with a long-term strategy in mind and a focus on mastering basic cyber hygiene, said speakers at an ITI event.

Panelists speak at ITI event

Smarter procurement processes appear to be becoming a deeper part of state cybersecurity strategies, as states wrestle with the challenges of hiring enough talent to meet needs internally and consider how to best use anticipated federal cybersecurity grants.

Alongside testing new short-term hiring strategies to boost workforces, states are looking to fill unmet IT needs by tapping more third-party services.

Speaking during an Information Technology Industry Council (ITI) event yesterday, Texas CIO Amanda Crawford said that relying solely on internal technology workforces is not a feasible long-term solution for states. IT staffing shortages aren’t unique to the public sector, but are particularly hard for state government where, Florida CIO Jamie Grant said, “the hours are long and the pay sucks.”

Still, outsourcing those needs must be done carefully, Crawford said.

“That's where we pull in the procurement piece as well — we have to make sure that we have transparency, that we have strong competition on the contracts and that we have strong terms and conditions that are focusing on cybersecurity — for that outsourced model to be able to work,” Crawford said.

Procurement is also coming into sharper focus as states like Texas confront the cybersecurity risks of legacy systems and seek to modernize.

But procurement efforts can easily get tripped up by going too fast or too slow.

If funding for procurements is disbursed too slowly — a potential concern with forthcoming federal grants for state and local cybersecurity — the proposed technology could be outdated or no longer relevant to the current political or technological landscape by the time purchases are approved, Texas state Rep. Giovanni Capriglione, R-District 98, said during the event. Similar issues can occur if there are delays in implementing the adopted technologies.

“Whether it's federal grants — or other grants that are made available to the state — [we need] things that don't slow us down in order to be able to implement them, whether you're talking about the procurement process, or if you're talking about deployment,” Capriglione said. “Technology is moving fast. And so [if you’re] having a conversation with, let's say, a federal agency, that takes six months or nine months, you almost have to restart it at the end of it, because things have changed so much.”

At the same time, if agencies just charge ahead with purchasing, they can easily fall into the trap of buying tools without fully evaluating how well the offerings suit the agencies’ and state’s current needs or long-term security strategies.

Technology procurements need to fit with the states’ overall business strategies and tie into larger cybersecurity plans, such as NIST’s cybersecurity framework, said Ben Caruso, practice leader for state and local government at networking products and services provider Juniper Networks, during the event.

States will also want to be sure that the investments they make now continue to serve them into the future, said Karen Worstell, senior cybersecurity strategist at software firm VMware.

That requires considering how they plan to maintain the technology over time.

“One of the things that happens so often in complex procurement strategies is it all goes in great after some effort, and then it degrades over time. And in security, that's a real concern,” Worstell said.

States also need to ensure they’ll be able to update their infrastructure as the cybersecurity space evolves, “without having to rip things out and try to start over again,” she said.

Agencies can be tempted to reach for high-tech tools too soon. They’ll instead get more mileage out of their budgets if they focus first on ensuring they have all the basic cyber hygiene practices in place, said Allan Wong, head of state and local government and director of U.S. strategy and business development for cyber risk management firm Tenable.

That includes taking measures like adopting multifactor authentication and ensuring they have visibility into their networks, which will help agencies reduce the most critical vulnerabilities, Wong said.

Visibility concerns appear high on Florida’s radar, where Grant said the state is still working to understand what data agencies are holding and where, so that it can better defend these assets.

And for some states, getting oversight of procurement is still in the early stages. Grant said his office, the Florida Digital Service, is trying to correct a situation in which state agencies can purchase expensive technologies without first having to prove that the tools clear certain performance quality checks.

Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.