Government Acquisition of Cyber Technologies

Lessons Derived from Analysis of the Cybersecurity and Infrastructure Security Agency's Cyber Acquisition Processes

Chad Heitzenrater, James Dimarogonas, Kyle Bunch, Frank Camm, Ryan Consaul, Sarah W. Denton, Quentin E. Hodgson, Erin N. Leidy, Laurinda L. Rohn, James Ryseff, et al.

Research Published Feb 13, 2024

Effective and efficient cyber acquisition has proven to be a challenge for government organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS). For cybersecurity, CISA has two roles: national coordinator for critical infrastructure security and resilience and the country's cyber defense agency. In these roles, CISA acquires equipment and services to support numerous capabilities and must be able to plan, develop, execute, and deploy these capabilities expeditiously.

Like most organizations, CISA approaches acquisition by seeking to understand an organization's needs and managing risks. However, the current DHS acquisition approach has not provided CISA the ability to acquire technology rapidly enough while balancing risk tolerance. This is partly because of the complexity of the acquisition process itself and partly because of a lack of a shared understanding of how to tailor the process for different types of acquisitions.

Analysts examined how different elements of the acquisition process support speed and flexibility in acquisition while maintaining an appropriate level of rigor based on acquisition complexity. They explored approaches used in other departments and agencies to create a more flexible acquisition process and identified opportunities to gain efficiencies and reduce timelines in the execution of acquisition programs of record. They also identified contributions and research insights on improving and streamlining cyber acquisition and considered portfolio-based approaches to managing programs of record. This report captures the researchers' recommendations to make them available to a wider audience.

Key Findings

  • A successful approach to cyber acquisition must be rooted in solid acquisition practice.
  • Flexibility is important to meet varied cyber acquisition needs.
  • Requirements are foundational but are challenging to formulate.
  • The cyber acquisition approach must be considered in relation to the goals.
  • Background and expertise of staff play a key role in cyber acquisition.

Recommendations

  • Ensure that existing acquisition policy is fully implemented.
  • Establish tailored pathways for cyber acquisition, using lessons from the U.S. Department of Defense's Adaptive Acquisition Framework.
  • Develop and implement portfolio-based management practices.
  • Maximize the use of varied contract vehicles for well-defined program elements.
  • Correct any existing issues with requirements development.
  • To increase flexibility, change how requirements are developed.
  • Strive to improve program communication throughout a system's life cycle.
  • Institute an acquisition measurement initiative that addresses every step in the acquisition process, from initiation to sustainment and across development, engineering, and operations.
  • Focus on the integration of technical and program management.
  • Develop strategies to recruit, grow, and retain technical acquisition management expertise.

Document Details

Citation

RAND Style Manual

Heitzenrater, Chad, James Dimarogonas, Kyle Bunch, Frank Camm, Ryan Consaul, Sarah W. Denton, Quentin E. Hodgson, Erin N. Leidy, Laurinda L. Rohn, James Ryseff, Yuliya Shokh, and Padmaja Vedula, Government Acquisition of Cyber Technologies: Lessons Derived from Analysis of the Cybersecurity and Infrastructure Security Agency's Cyber Acquisition Processes, Homeland Security Operational Analysis Center operated by the RAND Corporation, RR-A1671-2, 2024. As of April 9, 2025: https://www.rand.org/pubs/research_reports/RRA1671-2.html

Chicago Manual of Style

Heitzenrater, Chad, James Dimarogonas, Kyle Bunch, Frank Camm, Ryan Consaul, Sarah W. Denton, Quentin E. Hodgson, Erin N. Leidy, Laurinda L. Rohn, James Ryseff, Yuliya Shokh, and Padmaja Vedula. Government Acquisition of Cyber Technologies: Lessons Derived from Analysis of the Cybersecurity and Infrastructure Security Agency's Cyber Acquisition Processes. Homeland Security Operational Analysis Center operated by the RAND Corporation, 2024. https://www.rand.org/pubs/research_reports/RRA1671-2.html.

This research was sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) chief acquisition executive and conducted in the Management, Technology, and Capabilities Program of the Homeland Security Research Division.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.