Source: americancityandcounty.com, Dr. Alan R. Shark, First Published Aug June 21, 2022
For well over a decade, IT managers have listed cybersecurity as their number one concern. Both the CompTIA Public Technology Institute (PTI) and the National Association of State Information Officers (NASCIO) have been tracking top trends in IT management, policy, governance and operational issues as they relate to state and local government. Only recently has “procurement” entered the top 10 issues domain—and it’s about time. Over the past several years, I have had the pleasure to speak before several procurement officer events, as well as a purchasing cooperative. What I learned from these experiences was that purchasing managers have a genuine desire to learn more about the IT enterprise. Likewise, IT managers described their relationship with procurement as somewhat mixed, often blaming outdated procedures, not individuals. Both sides have voiced the need for greater understanding and cooperation. As we all know, IT is quite specialized, and aside from laptops and related equipment, the rest is far from being labeled as a “commodity item.”
The pandemic (the beast) might have been the important and critical catalyst for change. Never in the history of public management has city and county IT support had to pivot to a remote workforce while continuing to serve citizens in such a short period of time. Rules were side-stepped to make the great shift to remote work possible. Hundreds of thousands of laptops, monitors, cameras and headsets had to be acquired in record time. Less obvious was the massive procurement of VPN networks, collaboration software and cybersecurity monitoring devices. The pandemic forced everyone to operate and move in ways and at speeds not thought possible. The pandemic forced local governments to accelerate plans for the digitalization of government. Much of what had been deemed temporary has now largely been maintained and is most likely here to stay.
As more government employees were forced to work remotely, cyber criminals sought (often successfully) to exploit the new remote workforce landscape. Not only did ransomware attacks increase, but we also learned of a new type of attack referred to as a “supply-chain” attack, where a cybercriminal would hack a vendor’s customer database so that when updates were pushed out, so too was malware.
The 2022 CompTIA Public Technology Institute (PTI) State of City and County IT National Survey had procurement enter its top 10 space for the first time, mentioning the need to “streamline procurement processes.” When compared to the other priorities on the annual survey, there is plenty of need for purchasing decisions that go beyond cybersecurity, such as IT modernization, system integration, increased digital services for citizens, and finally, migrating systems/applications to the cloud. While NASCIO’s Annual CIO Top 10 Priorities doesn’t point out procurement directly, procurement is mentioned in their fourth priority under Cloud Services—“cloud strategy; selection of service and deployment models; scalable and elastic services; governance; service management; security; privacy; procurement.”
Over the years, cloud services have grown in functionality as well as in the definition itself. Today, an expanding number of state and local governments are moving more and more of their operations to cloud as well as managed service providers. For IT and procurement managers alike, it is often difficult to assess the services offered by such vendors. The federal procurement market can lean on FedRAMP for cloud-security-related assurances through vendor certifications. Until recently, state and local governments were left out of the process when hundreds of thousands of smaller regional and local service providers did not qualify under FedRAMP regulations. Somewhat new to the scene is StateRAMP, a nonprofit organization whose mission is to provide certifications for such local players. As StateRAMP evolves, state and local governments will have a much-needed tool to better assess their purchasing decisions when it comes to cloud and managed services with a focus on cybersecurity.
Adding to the immediacy of the problem, the Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a global and nation-wide advisory aimed at protecting managed service providers and customers—often state and local governments. Among the five recommendations is to “Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.”
Recent events have caused a massive change in how we use, procure and operate information technology. The supplemental decisions that must be made regarding the purchase of IT equipment and systems, both hardware and software, will need to be viewed through various lenses such as legal, cyber, financing, risk assessment, compatibility, support and training, to name just a few. The pandemic, along with an increase in cybersecurity requirements, has created a new path forward where procurement has evolved into a team sport, resulting in stronger information technology for all, state and local governments in particular, and making the process more secure and effective. And that’s the beauty of this beastly pandemic.