Government Acquisition of Cyber Technologies

Research Question

  1. How can federal entities acquire cyber technology rapidly while balancing risk tolerance?

Effective and efficient cyber acquisition has proven to be a challenge for government organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS). For cybersecurity, CISA has two roles: national coordinator for critical infrastructure security and resilience and the country’s cyber defense agency. In these roles, CISA acquires equipment and services to support numerous capabilities and must be able to plan, develop, execute, and deploy these capabilities expeditiously.

Like most organizations, CISA approaches acquisition by seeking to understand an organization’s needs and managing risks. However, the current DHS acquisition approach has not provided CISA the ability to acquire technology rapidly enough while balancing risk tolerance. This is partly because of the complexity of the acquisition process itself and partly because of a lack of a shared understanding of how to tailor the process for different types of acquisitions.

Analysts examined how different elements of the acquisition process support speed and flexibility in acquisition while maintaining an appropriate level of rigor based on acquisition complexity. They explored approaches used in other departments and agencies to create a more flexible acquisition process and identified opportunities to gain efficacies and reduce timelines in the execution of acquisition programs of record. They also identified contributions and research insights on improving and streamlining cyber acquisition and considered portfolio-based approaches to managing programs of record. This report captures the researchers’ recommendations to make them available to a wider audience.

Key Findings

  • A successful approach to cyber acquisition must be rooted in solid acquisition practice.
  • Flexibility is important to meet varied cyber acquisition needs.
  • Requirements are foundational but are challenging to formulate.
  • The cyber acquisition approach must be considered in relation to the goals.
  • Background and expertise of staff play a key role in cyber acquisition.


  • Ensure that existing acquisition policy is fully implemented.
  • Establish tailored pathways for cyber acquisition, using lessons from the U.S. Department of Defense’s Adaptive Acquisition Framework.
  • Develop and implement portfolio-based management practices.
  • Maximize the use of varied contract vehicles for well-defined program elements.
  • Correct any existing issues with requirements development.
  • To increase flexibility, change how requirements are developed.
  • Strive to improve program communication throughout a system’s life cycle.
  • Institute an acquisition measurement initiative that addresses every step in the acquisition process, from initiation to sustainment and across development, engineering, and operations.
  • Focus on the integration of technical and program management.
  • Develop strategies to recruit, grow, and retain technical acquisition management expertise.

This research was sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) chief acquisition executive and conducted in the Management, Technology, and Capabilities Program of the Homeland Security Research Division.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors.

Download Free Electronic Document

Format File Size Notes
PDF file 0.6 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.

© 版权声明
点赞12 分享