The Government Accountability Office has called on the Department of Homeland Security to provide greater clarity on when a cybersecurity risk assessment is required for technology acquisitions.
In a report published Thursday, the watchdog said that while the majority of technology procurement programs it reviewed were meeting cost and schedule goals, seven programs did not provide a required memo setting out potential cybersecurity risks.
Amid increasing cybersecurity threats to government agencies, DHS in 2020 issued an acquisition instruction requiring procurement officials to provide guidance and information to ensure cybersecurity threat analysis and risk management are integrated into the acquisition life cycle.
In the report, GAO said: “To facilitate collaboration and coordination throughout the systems engineering and acquisition life cycle, the 2020 instruction states that the DHS Chief Information Security Officer is to use input from the DHS Information Safeguarding and Risk Management Council and component cybersecurity acquisition risk management integrated product teams to develop and sign out a Cybersecurity Risk Recommendation Memorandum (CRRM).”
The watchdog added: “Program officials from these seven programs indicated that the CRRMs were not applicable to them for various reasons … [t]he instruction does not clarify when the CRRM requirement might be waived, is not applicable, or when other documentation may be used in its place.”
Supply chain risk within federal agencies’ IT procurement processes has received extra scrutiny since the SolarWinds attack in 2020 during which software supply chains were used to breach cybersecurity defenses and steal information across the government and the private sector.
In July, DHS’ Science and Technology Directorate’s Silicon Valley program issued a five-year other transaction solicitation call for foundational open-source software libraries and other tools increasing the availability of trustworthy software bills of materials (SBOMs), machine-readable inventories of components and how they relate.