An FFRDC operated by the RAND Corporation under contract with DHS
OPERATIONAL ANALYSIS CENTER
CHAD HEITZENRATER, JAMES DIMAROGONAS, KYLE BUNCH, FRANK CAMM, RYAN CONSAUL, SARAH W. DENTON, QUENTIN E. HODGSON, ERIN N. LEIDY, LAURINDA L. ROHN, JAMES RYSEFF, YULIYA SHOKH, PADMAJA VEDULA
Government Acquisition of Cyber Technologies
Lessons Derived from Analysis of the Cybersecurity and Infrastructure Security Agency’s Cyber Acquisition Processes
Effective and efficient cyber acquisition has proven to be a challenge for government organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS). With respect to cybersecurity, CISA has a mandate to act in two roles: as national coordinator for critical infrastructure security and resilience and as the country’s cyber defense agency.¹ In these roles, CISA acquires equipment and services to support numerous capabilities and must be able to plan, develop, execute, and deploy these capabilities expeditiously, driving down costs and schedule timelines while increasing technical performance for mission operators.
Like most organizations, CISA approaches acquisition by seeking to understand the requesting organization’s needs, including resilience, and manage risks. (See the box on the next page for information on CISA’s acquisition approach.) However, the current DHS acquisition approach has not provided CISA the ability to acquire technology rapidly enough while balancing risk tolerance. This is partly because of the complexity of the acquisition process itself and partly because of a lack of a shared understanding of how to tailor the process for different types of acquisitions.
Although DHS has adapted many U.S. Department of Defense (DoD) processes for its own use, more can be
KEY FINDINGS
■ A successful approach to cyber acquisition must be rooted in solid acquisition practice.
■ Flexibility is important to meet varied cyber acquisition needs.
■ Requirements are foundational but are challenging to formulate.
■ The cyber acquisition approach must be considered in relation to the goals.
■ Background and expertise of staff play a key role in cyber acquisition.
Research Report