Making decisions that you believe are right in the face of possible risks to tenure, position or reputation is always difficult. Many people face this challenge, some more than others. After weighing the pros and cons and ultimately making the right choice, the decision is not based on whether it is good for the company or for others; it is based on what you believe to be right.
In July 2016, NASA CIO Renee Wynn refused to sign an expiring Authority to Operate (ATO) clause in a contract with Hewlett Packard Enterprise (HPE) due to security issues at HPE. She had juxtaposed the risk of not signing the contract with the potential to put her position at NASA in jeopardy.
If she renewed the HPE contract, the security risks would remain, and HPE would not be forced to make them a priority. If she refused to sign the contract, NASA would have to consider overturning her decision, taking some disciplinary action or accepting the security risks. That was not acceptable to Wynn. She needed to send HPE a message, and she likely considered NIST SP 800-53, more recently NIST SP 800-171r1 and possibly other regulations that require government contractors to meet specific security requirements to obtain an ATO.
Was not signing the vendor contract the right decision? In retrospect, it was. HPE took the steps to address the security issues, and we all applaud Wynn's resolve to protect NASA's assets and Controlled Unclassified Information (CUI).
The CUI Registry defines categories and subcategories of protection required for safeguarding and disseminating information. The head of each U.S. executive branch department and agency, such as the Department of Defense and the National Security Agency, is required to ensure the implementation of the CUI program within their agency or department. This includes ensuring that government contractors comply with the protection measures defined in NIST SP 800-53 and NIST SP 800-171r1. Noncompliance risks the loss of their government contracts.
Signing with a contractor that has gross security issues, as defined in these two NIST Special Publications, would certainly weigh heavily in the CIO's decision.
What CISOs should consider with vendor contracts
In industry, the CIO and, particularly, the CISO can find themselves in the same quandary. The CISO has several choices. He can decide not to sign the vendor contract, sign the vendor contract, or go on record that he disagrees with the contract, state the risks and leave the decision to upper management. However, the last option does little to ease his misgivings, especially because, if a major incident ensues, he might still wind up as a casualty.
The CISO needs to make his case from a pragmatic perspective.
- Weigh the pros and cons of signing the vendor contract. If the vendor demonstrates a remediation initiative is in process, have it document the effort, the compensating controls implemented to mitigate the risk and the expected target date.
- Communicate the risks to upper management so they can support your decision to not sign the vendor contract renewal. Ensure management understands that additional funding may be required.
- Investigate an alternate vendor that can provide the same or better service, supported by an independent certification that its security is not in question. Leverage this intent with the original vendor to pressure them to speed up the remediation.
The financial and operational implications of not renewing a vendor contract due to security issues could be substantial. Not signing could disrupt production, damage credibility, cause critical deadlines to be missed and forfeit significant investments in the contracted services, products or processes. Use existing security policies, laws, regulations and the risks of noncompliance to make your case, focusing on the overall risk to the enterprise.
Decisions like this are not strictly a matter of business risk. Many times, they are a matter of ethics. CISOs who are professionally certified as a Certified Information Security Manager, Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor commit to a code of ethics. For example, the CISSP Code of Ethics states that individuals certified by (ISC)2 agree to "support efforts to promote the understanding and acceptance of prudent information security measures throughout the public, private and academic sectors of our global information society."
Intuitively, we know what is prudent and right in making decisions about vendor contracts.