Cybersecurity in Procurement

The requirement to address cyber security risk in procurements lies in clause 8.3 of the Commonwealth Procurement Guidelines (CPRs). The CPRs require cybersecurity to be considered and managed in accordance with the Protective Security Policy Framework (PSPF).

The PSPF stipulates requirements when procuring ICT goods and services including but not limited to:

- Information Security Manual requirements

- Resilient Digital Infrastructure Program

- Data Centre Facilities Suppliers Panel

- Vendor Disclosure Program

- Secure Cloud Strategy

- Secure by Design

- Australian Government Hosting Certification Framework

A considerable part of cybersecurity in procurement centres around Cyber Supply Chain Risk Management (C-SCRM). Agencies should consider the security risks that may arise in the design, development, storage, installation, maintenance, operation and decommissioning of a software solution. For example, in 2010 SuperMicro’s motherboards allegedly contained an extra chip the size of a grain of rice. This extra chip may have been used by state-sponsored organisations for espionage or other nefarious actions, and allegedly went unchecked for a number of years until action was taken by US government agencies.

As such, when purchasing technology solutions, understanding the vast threat environment is paramount to identifying the associated procurement-related risks and implementing mitigations.

AI also has its own cyber security risks which need to be considered from a procurement perspective. One such risk is data poisoning by an adversary, which may cause availability or integrity degradation. An example of this occurred in 2019 when white hat hackers tricked a Tesla’s Autopilot into veering the vehicle towards oncoming traffic, highlighting the risk.

Supply chain cyber security management also considers people. Consider, for example, the engagement of a remote software engineering specialist who may live in a country that is known to spy on its constituents' network traffic; this raises jurisdictional, privacy, governance and security risks that should be assessed.

Secure by design is a framework that holds cybersecurity at the forefront of software development and includes but is not limited to:

- Utilising memory safe languages

- Considering updates and patches

- Supply chain monitoring

Foreign ownership and other security risks should also be considered as part of the procurement process.

Procuring software itself has inherent risk. Refer to our Software in Procurement page for more information.

ProConIQ Consulting can help you with your cybersecurity in procurement needs. Reach out to us at ProConIQ@outlook.com.au.

Disclaimer:

ProConIQ Consulting does not guarantee or accept any information published on this website and accepts no legal liability for the currency, reliability, accuracy or soundness of this website or any linked website.

Links to other websites are provided to users of the ProConIQ Consulting website for convenience and do not in any way constitute endorsement of that website's material, product or service, nor is ProConIQ Consulting responsible for other websites' accuracy, availability or integrity. Users use these websites at their own risk.

The opinions and information contained within www.proconiqconsulting.com are provided “as is” without any warranties or guarantees.

Users of www.proconiqconsulting.com website should exercise their own judgement with respect to the material contained therein. Before any decision or action is undertaken by users viewing this material, users should seek their own professional advice.

ProConIQ Consulting accepts no liability for any damage to any user’s computer, software or data arising out of use of this website.