The Cybersecurity Challenge in Acquisition

Abstract

To improve cybersecurity, the acquisition community must understand and manage multiple dimensions of cyber-attacks both as an opportunity and as a risk that can compromise the bottom line of the organizations they work for and with. In particular, the acquisition community must understand and recognize the cyber threats inherent in procuring complex modern systems with significant cyber components. If cybersecurity is not designated as a requirement of a modern system, it is often challenging to add effective security on later, and the severity of the cyber vulnerabilities may only be identified after a breach has already occurred. If appropriate cybersecurity is designed and built-in, these systems will have higher up-front costs but potentially lower life-cycle costs because of the reduced need to fix vulnerabilities in the systems later. Additionally, individuals working in acquisition need to recognize that given the sensitive nature of their work, including intellectual property and financial data, their IT processes, information, and systems will be an attractive target for cyber threats from both criminal sources (e.g., organized crime) and nation state adversaries, and the complexity and integration of the modern supply chain will add vulnerabilities to these linked supplier systems.