The Department of Veterans Affairs (VA) is implementing a “trust but verify” approach to all of its IT acquisitions to ensure its cybersecurity components are fully compliant with President Biden’s cybersecurity executive order (EO), according to VA Chief Acquisition Officer Michael Parrish.
At MeriTalk’s Cyber Central event in Washington, D.C., on May 17, Parrish explained how the EO has helped to improve supply chain security by elevating cybersecurity standards for vendors.
“I think we’ve seen significant improvement. I think what it’s really done in the acquisition community is it’s helped to provide two things,” Parrish said. “One is it’s brought the standards that we do for procurement of widgets and products, it’s gotten to software to be able to get to that same level of standardization.”
“Additionally, and the reality of the world that we’re in today, everything has software in it – it’s forced the traditional widget components to incorporate cybersecurity,” he added.
Parrish noted that during the VA’s Technology Acquisition Center (TAC) annual Advanced Planning Brief to Industry (APBI) on Wednesday, he stressed the importance of implementing speed and common sense to improve the acquisition process.
For example, he said the Federal government often “over-engineers things,” asking how many hours a vendor spent building a product. Just as you wouldn’t ask the BMW manufacturer how long it took to build a car, Parrish said the Federal government shouldn’t either.
Instead, he said the VA is focusing on more important questions, like requiring vendors to disclose their cybersecurity components.
“We’ve expanded the zero trust envelope inside the VA, we’re fully compliant with the EO, and we’ve also included our CISO as part of the FITARA evaluation to evaluate every single procurement that we do in VA – both from the hardware as well as the software side,” Parrish said.
In order to better secure the supply chain, Parrish said the VA is focusing on establishing zero trust within its acquisition process, so that every vendor builds zero trust into its products.
Parrish said the VA is leading the edge on what his agency calls independent verification and validation (IV&V). The VA is validating everything, not just from a contractual standpoint, but also from a technical standpoint, he said, “evaluating and ensuring that there is true compliance from the different areas.”
“We’re going to actually prove it, not just take your word for it,” he warned.
“A lot of enforcement mechanisms are coming into play in VA, for those of you that have contracts with us,” Parrish added. “It’s kind of trust but verify, that we will be doing verification on the spot to make sure that all these things are correct because, at the end of the day, we have to serve veterans, we also have to protect our taxpayers and the greater good of America.”
As far as upcoming contract opportunities, the VA announced in December that it would be transitioning away from its supply chain management system – the Defense Medical Logistics Standard Support (DMLSS) – and is in the market for a new solution contract.
Parrish said the request for proposal (RFP) for the DMLSS replacement is “ready to go” and the agency hopes to send it out within the next few days or weeks.
“One of the things we’re doing with industry – and this is the critical component for you all – is, again, to the concept of government over-engineering things, we can’t do these things in a vacuum, and we need to make sure that we’re working with you all in industry to advise us and help us,” Parrish said. “[With] the speed of technology today, supply chain’s a continuous process.”
