Just like you used to lock the file cabinets and the office door, procurement officials need to take responsibility for safeguarding their own digital systems as well as vetting the products and services being contracted from suppliers for state agencies.

 

“Cybersecurity is not ‘one and done’.” Leah McGrath, Executive Director of StateRAMP

Cyberattacks on state and local governments were up by 50% in 2020. It is no longer a matter of if it happens and is now a matter of when it happens. Cybersecurity can no longer be left up to the IT department. Cybersecurity and Risk Management have been the top priority for NASCIO for the last 8 years.

WHAT’S AT STAKE?

The integrity of our government and our democracy.

Does that sound farfetched? It’s not, according to people who study cybersecurity. Election systems, schools, hospitals and health records, city and county governments have all been hit with ransomware attacks (demanding money in exchange for releasing control of systems) or data breaches/intrusions like the SolarWinds attack. These attacks strike at the heart of our governmental infrastructure, disrupting civic life and eroding trust in our systems.

Cost of Clean Up

According to the Poneman Institute, the average cost of a ransomware attack is $3.86 million.  In their report The Economic Value of Prevention in the Cybersecurity Lifecycle, the Poneman Institute found “when attacks are prevented from entering and causing any damage, organizations can save resources, costs, damages, time and reputation.”  Prepare and prevent, not repair and repent, as my mother used to say.

WHAT SHOULD I DO?

Dugan Petty, NASPO ValuePoint’s Cooperative Contract Coordinator, breaks down the defensive effort into 4 focus areas:

1. Protect State Data
   • Do a risk assessment of every contract to see what Personally Identifiable Information(PII) is accessible to the supplier.
   • Set up terms and conditions to protect data from unauthorized use.
2. Identify Touch Points
   • Find out where each product connects to state systems. Even office supply contracts can have access to state systems.
3. Map Supply Chain Risk
   • Identify downstream suppliers and do a risk assessment on their level of access to state systems.
4. Treat Procurement as a Business
   • Prioritize the integrity of the procurement process. CIOs and CISOs are focused on the big state picture. Procurement officials need to take the lead on protecting the integrity of the procurement process at the digital level.
   • Develop a good relationship with your state CIO or CISO now. Make them a partner in your effort to harden your systems. Get them involved in specification development of software and cloud services.

WHAT TOOLS CAN HELP ME?

StateRAMP

A new tool designed to help state procurement officials verify cloud service providers and provide assurance that their contractors have the processes and capabilities necessary to deliver with the appropriate security controls in place​. Leah McGrath, Executive Director of the new organization, explains that cybersecurity is an ongoing process, not a one and done task. Products and services are continually updated and patched. Security verification needs to work the same way.

SANS Institute

This cooperative research and education organization is the largest source of information for security training and security certification in the world. Many of their resources are free including the internet storm center, weekly news digest, weekly vulnerability digest  and more than 1,200 original information security research papers.

Gartner, Forrester and ISG

 Now on the new NASPO ValuePoint / Minnesota led Information Technology Research & Advisory Services contract portfolio with competitive awards to Forrester Research, Inc., Gartner, Inc., and ISG Public Sector.

MS – ISAC 

Multi State Information and Analysis is a focal point for cyber threat protection, response and recovery for state, local, tribal and territorial governments.  Membership is open to states and they provide a wide array of services including real time monitoring – they are a go-to resource for most state CISOs.  Their website offers a variety of resource information on best practices, tools and threats.

Watch the recorded NASPO CYBERSECURITY + PROCUREMENT webinar.