With the next national cyber strategy on the horizon, sources say one of its six pillars will focus on federal procurement. This is not the first time a national cyber strategy has focused on the topic: the 2018 and 2023 strategies incorporated near-identical language about how the government should buy software. Despite an executive order, a supplemental OMB memorandum, two national strategies, and an implementation plan, secure-by-demand rules have been stuck at the Federal Acquisition Regulatory Council for more than three years.
As IST Senior VP for Policy Nick Leiserson explores in Lawfare, the lethargy of the FAR Council “calls into question the idea that government, as the biggest purchaser of information technology in the country, can act as a key lever to make software used across the country more secure,” unless significant reforms are made. Stopping procurement regulation vaporware is key for the U.S. government to see meaningful gains from security-by-demand.
