DHS Official: Cybersecurity Is Industry Responsibility
May 25, 2010
| 2:57 PM
A top Department of Homeland Security official said Tuesday that contractors that fail to live up to security requirements in federal technology contracts should be held accountable, even if the vulnerabilities originated in products or capabilities provided by suppliers, Nextgov.com reported.
In most business situations, "if we have a contractual arrangement and you fail [to meet the requirements], I have legal recourse," said Richard Marshall, director of global cybersecurity management at DHS. "Why wouldn't the same be true when the supply chain [is involved]? I'm buying a product from you, and you represent that it's a product with the following characteristics. If you fail, I have a right to sue you."
Marshall spoke at the SecureAmericas conference in Arlington, Va., an event hosted by the cybersecurity provider International Information Systems Security Certification Consortium.
He noted a number of examples where failures in the supply chain led to serious security implications, including a wave of hard drives infected with viruses that infiltrated the U.S. market from Asia in 2007 and a recent case in which thumb drives were shipped preinstalled with malicious software, eventually leading to the Defense Department imposing a temporary ban on the storage devices. "Buy from an authorized vendor and make sure that vendor has purchased from an authorized vendor," Marshall advised.
Federal technology and acquisition officials must write contracts that set specific expectations for how industry secures computer hardware and software, including assurances the products they purchase from suppliers and the development processes followed best practices. To read more, click here.
Join the Discussion
The National Journal Group has the right (but not the obligation) to monitor the comments and to remove any materials it deems inappropriate.
Comments powered by Disqus