
A Guide for Ensuring Security in Election Technology Procurements

Part 3: The Procurement Process

For the purposes of successfully executing procurements, there are several aspects of governance worthy of attention.

Protecting Confidential Security Information

Cybersecurity often implicates a tradeoff between confidentiality in security techniques and maximizing transparency of government activities. Many vendors are hesitant to share security information that, if disclosed, could benefit attackers or industry competitors. Yet government offices have a fundamental obligation to share information with the public. Election offices should consult with their legal and procurement teams to better understand what information can be held closely, and what must be released. During procurements, make this determination clear to potential proposers, along with how to mark information as proprietary and confidential. If you are unable to protect vendor proprietary and confidential information from disclosure, you should expect to receive less detailed information from proposers.

The Players

Typically, election officials and their teams, procurement teams, and IT teams all have a role to play in election procurements. In many jurisdictions, poll workers and the public are also involved, and elected officials often have a critical role in setting priorities and budgets. To the extent possible, this is good for transparency and may also provide opportunities to educate about your approach to security. Election officials are the customer, and procurement and IT teams are there to help the election officials achieve their goals. While these different entities may be in the same organization, they may not always see the problem the same way. Together, by focusing on their respective roles, these teams can complete efficient and effective procurements.

Understanding Common Procurement Types

There are many ways to execute a procurement. Different procurement types are appropriate for different circumstances. This section will address three common approaches:
  1. Pre-negotiated contract: This is an agreement established by a government buyer with a schedule contractor to fill repetitive needs for supplies or services.2 Pre-negotiated contracts include blanket purchase agreements (BPAs), indefinite quantity indefinite delivery (IDIQ) contracts, and schedule contracts (e.g., contracts awarded by the General Services Administration and available for use by state and local government organizations).
  2. Lowest price technically acceptable: The award is made for a specific organizational requirement on the basis of the lowest evaluated price of proposals meeting or exceeding the acceptability standards for non-cost factors.
  3. Best value: This refers to tradeoffs between cost factors and non-cost factors, and allows the government to award a contract for a specific organizational requirement to a proposal other than the lowest priced. The perceived benefits of the higher priced proposal have to merit the additional cost, and the rationale should be well documented.

Pre-negotiated contracts are typically the fastest way to make procurements, as terms and prices are already negotiated. State and local governments can usually buy off of their own state’s schedules or the federal government’s schedules, saving a great deal of time and effort. Because these agreements are typically negotiated for large quantities, prices are usually favorable. Pre-negotiated contracts can be great if they meet exactly what you need (and for this reason, Appendix A, Resources for Procurement and Related Information, lists a federal resource for pre-negotiated contracts and a similar option provided by CIS). But, historically, these contracts have not always been sufficient on their own for achieving appropriate levels of security. It’s important to look at them but be sure to vet them for appropriateness—and ask an IT security expert if you need help. Note also that in some states, there are existing pre-negotiated contracts that may either drive toward a particular solution or in some cases require it. Most procurements of commodity IT, such as basic computer and server purchases, should be under a pre-negotiated contract.

When no item on a schedule meets the needs of the procurement, you need to conduct an independent procurement. There are two main types: lowest price and best value. When you can clearly describe all of the requirements for a procurement, and multiple sellers can meet those requirements in similar and easily demonstrable ways, lowest-price procurements make the most sense. For specialized procurements, best-value procurements are usually best. This will typically include hardware, software, or services that are specialized for elections. Similarly, risk mitigation in cybersecurity can be difficult to assess and describe before seeing a solution, so best-value procurements often lead to better security outcomes. Most procurements of election-specific IT should be conducted as best-value procurements.

Procurement offices sometimes shy away from best-value procurements because of the difficulty many IT experts have in assessing the value of different solution features in financial terms. This can open the door for unfair decisions—whether actual or perceived—so procurement officers often require additional justification before allowing a procurement to go forward as best value. These justifications give confidence that the best-value determinations are made on an objective basis. In making a justification for a best-value procurement, consider how you can describe incremental value associated with reaping additional benefits or eliminating risks. For instance:
  • Is there other hardware or software that you’ll no longer need to purchase because the more expensive option has a particular additional feature?
  • Will the solution result in reduced operating costs due to fewer errors, provide for increased capabilities resulting in a greater portion of the job being done in an automated fashion, or result in the likely elimination of the need for other systems or staffing?
  • Can you reduce risk (and consequently avoid cost overruns) because of the more expensive approach? If so, what is reducing this risk worth?
  • What types of non-monetary value can you consider? Does a better security approach reduce reputational risk? Political risk? Can you estimate a range of financial value for reducing that risk?
The good and bad response descriptions in the best practices found in this guide can help with some of those justifications. Understanding these differing approaches to procurements—and being prepared to defend your rationale—can make or break a procurement. Above all, be prepared to be your own advocate for your needs.



Blog post 13 Feb 2020