Effectively Integrating IT Security into the Acquisition Process
Part 2 of 5
WELCOME TO Effectively Integrating Information
Technology (IT) Security into the Acquisition Process
A COURSE FOR THE DEPARTMENT OF COMMERCE
CONTRACTING, AND CONTRACTING OFFICER
This course is comprised of three modules.
In the 1st module provides an introduction to information
technology security. This module will cover 3 sections.
Section 1 will get us started with a discussion of the purpose,
course objectives and answering the question,
What is IT Security?
Section 2 – will outline the legal framework for federal
The last section of this module is Section 3. In this section
we will look at the major players and the key roles they place
in the acquisition process.
Module 2 will cover section 4 of this course. Section 4
outlines the steps needed to effectively integrate IT Security
into each phase of the acquisition process.
Finally module 3 will cover IT Security Controls in Systems
and Key Security Specifications and Clauses
Welcome to Section 1. In this section we will answer the
question, What is IT Security?
But first, we will go over the purpose of the course and course
The Purpose of this course is to familiarize you with the IT
security requirements that must be considered during the
The objectives are that upon successful completion of this
course you will be able to:
Recognize the legal and practical reasons for considering
IT security during the acquisition process
Identify specific security considerations in each phase of the
acquisition life cycle
Integrate IT security language into procurement documents
Ensure that contractors comply with DOC, Bureau and other
appropriate industry security practices
What is IT Security?
IT security is about protecting information assets by
effectively managing risks. How much protection depends
on the risk and magnitude of harm that could result if the
data were lost, misused, disclosed, or modified.
The Department of commerce maintains an IT Security
Program Policy that is reviewed annually by the IT Security
Program Manager. The IT Security Program includes a set
of policies and guidance for ensuring the protection of IT
resources from harm. Harm is typically defined as a loss of
integrity, availability, or confidentiality of the Department’s
The Department of Commerce IT Security Program can be
found at the web address noted here.
Welcome to section 2. In this section we will review the
applicable laws, policies and regulations that establish the
framework for protecting federal information systems.
First we will discuss several laws. The Competition in
Contracting Act of 1984 – CICA is a public law enacted by
Congress for the purpose of increasing the number of Federal
Government procurements conducted under the principles of
full and fair competition, as opposed to contracts that are issued
under noncompetitive arrangements such as “sole source”
or “set aside” awards.
The Federal Information Security Management Act of 2002 –
FISMA requires Federal Agencies to implement a
comprehensive IT security program and monitor the security
of all information systems. From an enforcement perspective,
the law requires every agency to provide a risk assessment
determination and report of the security needs of its systems.
The Government Paperwork Elimination Act – GPEA
requires Federal agencies to allow individuals the option to
submit information. The Act specifically states that electronic
records and their related electronic signatures are not to be
denied legal effect merely because they are in electronic form.
The Clinger-Cohen Act of 1996 Also known as the IT
Management Reform Act (ITMRA), requires agencies
to appoint Chief Information Officers and to use business
process reengineering and performance measures to ensure
effective IT procurement and implementation.
The Paperwork Reduction Act of 1995 requires federal
agencies to be accountable for reducing the burden of
federal paperwork requirements.
The Privacy Act of 1974 establishes provisions to balance
the government’s need to maintain information about
individuals with the rights of individuals to be protected
against unwarranted invasions of their privacy stemming
from Federal agencies’ collection of personal information
Regulations and Policies also help to establish the
framework for protecting federal information systems.
The first regulation we will discuss is the Federal Acquisition
Regulation, the FAR (Note: pronounced like the word far)
is a federal regulation that is establishes uniform acquisition
policies and procedures for use by executive agencies.
The second regulation is the Commerce Acquisition Regulation,
the CAR (Note: pronounced like the word car). The CAR is a
federal regulation that is established by the Department of
Commerce to implement and supplement the FAR within the
Department of Commerce. The CAR should be read in
conjunction with the FAR.
OMB Circular A-130, Appendix III is also used in conjunction
with the FAR.
It establishes a minimum set of controls that agencies must
include in IT security programs; assigns agency
responsibilities for the security of IT; and links agency IT
security programs to agency management controls. It also
requires that a single individual be assigned operational
responsibility for IT security.
Welcome to Section 3, the final section in this module. In
this section the major players and their key roles in this process
will be identified.
A major player in the acquisition of information technology is
the Chief Information Officer. The CIO is the Department or
Bureau level senior official whose key role is to ensure that
the organization’s programs make full and appropriate use of
Another major player in the process is the Contracting Officer.
The CO is a federal procurement official that possesses a
formal written certificate of appointment from the Head of the
Contracting Activity that authorizes the CO to contractually
obligate the Federal Government as set forth in the
FAR Subpart 1.6.
The Contracting Officer’s Technical Representative is another
major player whose key role is to serve as the CO’s technical
representative on a designated contract subject to the
limitations set forth in their appointment letter. The COTR
plays a key role in ensuring that security requirements are
identified during the post-award phases of the
The Division or Bureau IT Security Program Manager
sometimes called the IT Security Officer is responsible for
maintaining an organization’s IT security program. This
individual plays a leading role in introducing an appropriate,
structured methodology to help identify, evaluate, and
minimize IT security risks to the organization.
The role of the Information Technology Review Board,
the ITRB, is to review and evaluate the Department’s
information technology capital investments to ensure that
proposed investments contribute to the Department's strategic
vision and mission requirements, that they employ sound IT
investment methodologies, comply with Departmental systems
architectures, and provide the highest return on the investment
or acceptable project risk.
The term Procurement Initiator is synonymous with the term
Requisitioner. A Procurement Initiator is a Federal
Government employee that represents programmatic interests
during the pre-award phase of the acquisition process and
is responsible for initiating a requisition for a particular
procurement need for products and/or services.
The Procurement Initiator is involved in strategic planning
initiatives of the procurement, plays an essential role in
security and is intimately aware of functional system
requirements. The Procurement Initiator is generally appointed
the COTR after contract award.
The Privacy Officer’s role is to ensure that the services or
system being procured complies with existing privacy laws
regarding protection, maintenance, dissemination and
disclosure of information.
The Program Manager is the person who manages a group of
related activities in support of a specific scientific, business,
technical, statutory or regulatory goal. The key role of the
program manager is to manage the design, development and
operations of a Departmental system. The program manager is
usually the system owner and may be the procurement initiator.
The Technical Evaluation Team is the team assembled by the
Procurement Initiator, responsible for reviewing, analyzing,
rating offers in response to a government solicitation.
You have completed the first three sections of this course.
Before moving on to Module 2, we will review the main
points discussed in this module.
In this module you learned about the legal reasons for the
Department of Commerce’s IT security program.
Several laws, regulations place emphasis on the security of
federal information technology.
You also learned that IT Security it about protecting
information assets by managing the risks associated from the
information being from being lost, misused, or improperly
disclosed or modified.
You also learned who the major players are when procuring
information technology. Each player has a key role in
addressing security when procuring information technology.
Congratulations! You have competed module 1.
You may continue on to Module 2.
Print Course Materials
Email for your notes:
Type your notes here.
Click Send only after
the module has concluded.
Copyright © 1999—2004. All Rights Reserved.