We Can Turn Security Into a Market Force

This  is  a  response  to  a  question  I  was  asked  by  a  State  CIO  (not  our  state),  regarding  legislation  that  addresses  security in procurement. Now sharing with you.

I  have  been  very  interested  in  strategies  to  turn  security  into  a  “market  force”  through  the  creation  of  competitive differentiators,  and  using  the  purchasing  power  of  the  government.  I  feel  this  is  a  non-regulatory  way  to  address  the problem  –  leverage  the  fact  that  we’re  capitalists.  This  was  a  message  delivered  to,  and  very  well-received  by  the Deputy Secretary of DHS in a recent meeting.

I’m  not  aware  of  legislation  that  has  created  an  actual  requirement  for  demonstrable  security  in  a  product  or  service  with the exception of the Fedramp program for cloud products. See below.

First, the opinion.

Effective  legislation  would,  in  my  opinion,  create  an  expectation  that  it  is  the  responsibility  of  the  state  to  purchase products  and  services  that  are  differentiated  by  their  attention  to  security.  This  would  have  to  be  based  on  standards  but  don’t  create  the  standards.  Make  the  products  attest  that  they  adhere  to  existing  industry  standards  (for  example OWASP  for  web  application  security),  and  ideally  that  they  have  been  validated  by  a  third  party  as  meeting  the standard.  Don’t  make  it  a  mandate  that  they  hire  a  third  party  to  test  the  product,  just  score  them  higher  on  the  RFP response  if  they  have!  Change  is  thus  forced  in  a  non-regulatory  way,  just  by  using  the  power  of  the  purse.  Companies start to advertise the fact that their products are demonstrably secure, and capitalism starts to do its thing.

Now the experience.

I  see  the  procurement  security  issue  (or  supply-chain  security)  done  more  through  innovation  then  legislation,  and  by industry  groups  more  than  government.  Example  is  the  recent  Boeing/DHS  conference  on  that  topic  a  few  weeks  ago in  Mukilteo,  WA  –  sharing  ideas  rather  than  waiting  for  a  standard  to  be  imposed  by  regulators.  Also,  most  of  the  effort seems around newer technology purchases like cloud products (SAAS and IAAS – PAAS I think a notable exception).

The  PCI  standard  mandates  that  web  applications  meet  security  requirements  on  a  quarterly  basis  (testing  performed by  an  approved  vendor),  and  that  you  can  only  engage  a  payment  processor  that  have  been  certified  for  security. That’s  an  industry  control,  and  is  a  reasonably  effective  way  to  achieve  an  outcome  –  the  companies  MAKING  the money are to provide security, not the organizations SPENDING the money.

At  the  City  of  Seattle  we  modified  procurement  and  contract  language  to  create  an  expectation  of  security,  and  used that  as  proposal  scoring  criteria.  The  minimum  qualifications  to  bid  included  third-party  attestation  OR  allowing  the City  to  perform  testing  for  security  against  the  OWASP  standard  (for  SAAS  applications).  Evaluation  of  the  product  or service  included  specific  scoring  on  security  in  policy,  vulnerability  management,  et  al.  and  the  RFP  template  was connected  to  a  spreadsheet  of  security  questions  on  COTS,  SAAS,  Proserv,  etc,  so  that  the  relevant  queries  on security  were  integrated  into  the  posted  RFP  for  the  product  or  service  being  sought.  Contract  language  included  the expectation  for  security  management  of  the  product,  and  submission  of  additional  testing  attestation  if  the  product underwent structural or functional changes.

The  Fedramp  program  for  cloud  providers  was  created  through  legislation  (HR  1163  in  2013).  Fedramp  is  a  standards compliance  certification  program  for  cloud  products,  with  third-party  assessment  required.  Federal  agencies  cannot procure these products from non-certified vendors. I am aware of nothing similar at the state level.

Part  of  the  NIST  framework  talks  about  third  party  security,  but  not  in  great  detail  for  the  lowest  tier  of  “compliance”. The  NIST  framework  was  created  through  executive  order  (EO  13636  in  2013),  so  is  an  example  of  a  non-legislative solution.

In  my  view,  when  we  can  collectively  implement  a  market-based  strategy  to  require  security  in  the  products  we  buy, we   will   turn   a   significant   corner.   Changing   our   thinking   about   how   we   secure   our   information   technology   and implementing  the  change  through  organizational  innovation  has  to  happen  now.  Waiting  for  legislation  –  especially federal legislation – is Quixotic.