Effectively Integrating IT Security into the Acquisition Process
Part 3 of 5
Welcome to Section 4.
In this section we will discuss how to effectively integrate the
procurement and IT system life cycles.
The IT system life cycle has 5 phases.
The 1st phase is Initiation, followed by Development. The
next phase is Implementation, followed by Operation and
The procurement life cycle also has 5 phases.
The 1st phase is Mission & Business Planning, followed by
Acquisition Planning. The next phase is Acquisition,
followed by Contract Performance and finally Disposal.
To effectively integrate IT security into the procurement
process, security must be considered throughout the entire
procurement life cycle.
How do the Procurement and IT System Development
life cycles relate?
The following figure 1-1 depicts how the 6 phases of each
life cycle correlate.
Remember: ALL 5 phases in the procurement life cycle
must address IT security requirements.
Exactly what Security Considerations need to be addressed
during each phase of the Procurement Life Cycle?
We will first discuss Mission and Business Planning, which
is phase 1 of the procurement life cycle.
During this phase several procurement activities are
performed by the acquisition team. The first step is the
development of a needs determination.
The Needs Determination defines the problem to be resolved
through the procurement process. The needs determination
is very high-level in terms of describing the system’s
functionality. Although no system specifics are defined here,
the idea for a new or substantially upgraded system and the
feasibility of the idea and alternatives are explored
during this phase.
Components of the needs determination are the basic system
idea, preliminary requirements definition, and approval.
During the Mission and Business Planning phase, several
security considerations must be addressed.
The Needs Determination for IT systems and applications
forms the beginnings of a Preliminary System Security Plan
compliant with NIST Special Publication 800-18. This plan:
establishes the need;
links the need to performance objectives;
addresses alternatives; and
During this early phase, the Procurement Initiator is
responsible for obtaining a unique system identifier number
from the bureau’s Office of the Chief Information Officer.
This number is used to track the system in the IT system
inventory and in budget documentation.
The procurement initiator must conduct a preliminary
sensitivity assessment to determine the sensitivity level
as either High, Moderate or Low. The procurement
initiator must make this determination by using the
criteria in Federal Information Processing Standard 199.
During Acquisition Planning, which is phase 2 of the
procurement life cycle, several procurement activities are
performed.
Acquisition Planning results in a Requirements Analysis that
specifically addresses security considerations.
A requirements analysis is an in-depth study of the need and
the initial beginnings of the Statement of Work (SOW). The
requirements analysis further develops the work performed
during mission and business planning by incorporating market
research, any results from the analysis of alternatives, and
a risk assessment that addresses confidentiality,
integrity, and availability, as well as the criticality of the
system to the Department’s mission.
During this phase of the procurement life cycle, the
Contracting Officer and the Procurement Initiator are
jointly responsible for:
conducting market research, including the consideration
of socioeconomic programs; and
conducting acquisition planning in accordance
with FAR Part 7.
Funding the requirement also takes place during this phase.
The Procurement Initiator, anticipated Contracting Officer Representative,
Contracting Officer and Program Manager comprise the
project team that is responsible for considering IT security
when funding the requirement. Securing funding includes
completing a Capital Asset Plan and Business Case as
required by OMB Circular A-11, Section 300. The project
team may also be required to present the Capital Asset and
Business Case to the ITRB when requested. ITRB expectations,
capital asset plan and business case format, and review criteria
can be found on the Office of the Secretary, Office of the
Chief Information Officer website.
What security considerations must be addressed during the
Acquisition Planning Phase?
First, an analysis of the system’s integrity, availability,
and confidentiality is conducted
in order to update the preliminary Sensitivity Assessment
developed in the Mission and Business Planning Phase.
Determining and obtaining assurance is the next step.
Assurance is the degree to which the purchaser of a system
knows that the security features and procedures being acquired
will operate correctly and will be effective in the purchaser’s
environment. There are several techniques for obtaining
assurance. Some of these include: evaluations by independent
organizations; evaluations by another vendor;
evaluations by another government agency; or
self-certification following a formal procedure.
A Risk Assessment is prepared during this phase.
A risk assessment is a methodical identification and
measurement of threats, vulnerabilities and risks to a system.
Procurement Initiators must perform risk assessments of all
DOC IT general support systems as well as major applications.
The next security consideration is developing a System
Security Plan. A system security plan provides an overview
of the sensitivity levels and types of data processed or stored
in a system and the related security requirements to protect the
data. It also describes the controls in place and planned for
meeting those requirements. The system security plan provides
all of the information necessary to secure an IT system
throughout the system’s life cycle.
The third phase of the procurement life cycle is Acquisition.
This phase covers the development and issuance of the
solicitation and the receipt and evaluation of offers. All
considerations surrounding the acquisition of the product
or service must be addressed in this phase. This includes the
description of what is being acquired; how it will be acquired,
evaluated, tested, and accepted; and how the contract
will be administered.
During the Acquisition phase of the procurement life cycle,
several security considerations must be addressed.
The Security Considerations are as follows:
Establish applicable security requirements or specifications
for inclusion in the Statement of Work. It is incumbent on
the procurement initiator to know what federally mandated
specifications apply to the system being procured. These are
technical issues and are, therefore, the responsibility of the
procurement initiator who may obtain assistance from the
IT Security Program Officer.
Assignment of Contract Security Risk occurs during this
phase. The Procurement Initiator or Program Manager, in
conjunction with the operating IT security officer, will review
the work to be performed under contract and assign the
appropriate risk or sensitivity designation to the entire
contract in accordance with the criteria stated in Chapter
10, paragraph 1003, of the Department of Commerce Security
Manual. Accordingly, each contract employee will undergo
investigative processing based on the contract's risk or
sensitivity level designation.
The next consideration is establishing the Personnel
Security requirements. The Commerce Acquisition Manual
section 1337.70, Security Processing Requirements for
On-Site Service Contracts, provides facility access criteria
and contract language for IT service contracts.
IT security should be addressed in the evaluation criteria
portion of the solicitation to call attention to the importance
of security to the government.
A security review of the solicitation should also take place. The
Procurement Initiator, Program Manager and the IT Security
Officer certify that the offer complies with the security
requirements specified in the solicitation and the requirements
of the DOC IT Security Program.
For classified contracts, the Contracting Officer Representative
(COR) must develop the Department of Defense Contract
Security Classification Specification form DD-254, to
provide guidance to the Contractor concerning access to
classified information on the contract.
Once the contract has been awarded, the COR
must ensure that all personnel working on the contract
complete nondisclosure agreements for both sensitive
and classified information and receive their initial IT
Security training and classified briefings.
The fourth phase of the procurement life cycle is Contract Performance.
Contract monitoring takes place during this phase. The COR
may require IT security expertise to assist in reviewing
contract performance measurement documentation,
inspect IT security deliverables, or evaluate
During the Contract Performance phase of the procurement
life cycle, several security considerations must be addressed.
The COR must provide concurrence or non-concurrence
on contract deliverables. Upon concurrence, the government
accepts and pays for the deliverables as stipulated in the contract.
The COR should monitor the contractor’s performance in
order to ensure that the contract performance measures
are continuously being met.
The COR should regularly review the contractor’s
performance to ensure compliance with IT security
requirements and to ensure that security has not degraded
since formal system Certification.
The Risk Assessment, including the System Security Plan,
should be updated accordingly.
Annual reviews of all systems and contracted IT facilities are
required by DOC policy and FISMA in accordance with
the National Institute of Standards and Technology (NIST)
Special Publication 800-26 self-assessment guidance.
The COR should participate in these reviews as well
as monitor the contractor’s daily operation of the system.
The final phase in the procurement life cycle is disposal and
contract closeout. All issues surrounding disposal and final
payment are addressed during this phase.
When IT systems are transferred, obsolete, or no longer usable,
it is important for the Contracting Officer and the COR
to ensure that government resources and assets are protected
by determining the appropriateness of disposal, sale,
or donation of the property.
Security must be considered during this phase of the
procurement life cycle.
First, the security plan should be updated. Usually there
is no definitive end to a system life cycle. Systems evolve or
transition to the next generation as a result of changing
requirements or improvements in technology. Security plans
should continually evolve with the system. Much of the
environmental, management, and operational
information should still have relevance and be useful
in developing the security plan for the follow-on system.
Organizations should consider archiving information so
that it may be retrieved in the future. Legal requirements
for records retention should also be considered when
disposing of systems.
Sanitizing media requires residual magnetic or electronic
data to be deleted, erased, or written over and that any
system components with nonvolatile memory be erased.
Hardware and software can be sold, given away, or discarded.
The disposition of software should comply with license
or other agreements with the developer.
Finally, the Risk Assessment should be updated as appropriate.
You have completed the 2nd module of this course. Before
moving on to the final module, we will review the main
points discussed in this module.
In this module you learned about the 5 phases of the
procurement and IT Systems Life Cycle and how they relate.
You also learned that ALL 5 phases in the procurement life
cycle must address IT security requirements. Finally, you
learned which specific security considerations need to be
addressed and when and by whom they should be addressed.
Congratulations! You have completed module 2. You may
continue on to the final Module 3.
Copyright © 1999—2004. All Rights Reserved.