A Primer on IT Procurement#
Even for commodities, procuring IT is more than just buying a product or service—it’s a process. The procurement process can be very complex and can vary widely from state to state and locality to locality. This guide does not address the specifics and particularities of any given jurisdiction; the goal of this appendix is to provide a basic description of procurement in general so that non-procurement staff and officials have a better understanding of the underlying process for executing a procurement.
The Procurement Team#
It might be a stretch to say that it takes a village to execute a procurement, but there are a number of critical players involved:
Election officials. From an internal perspective, election officials are the customer. Election officials should look to develop positive, collaborative relationships with other organizational functions, but should always remember that the top priority is their ability to achieve the outcomes they need. Election officials must maintain full understanding of what is occurring throughout the procurement process. As an election official, if something does not make sense, ask for clarification until you are satisfied. This is the role and right of the customer.
Procurement teams. The role of procurement teams is to support election officials on the process and procedures of the procurement. They know how to properly execute contracts for goods and services within their jurisdiction. They are usually the final authority on whether a contract goes into force, but their overall role is to improve the manner in which programs and operational teams, such as election offices, execute their mission.
IT teams, including IT security teams. Whether state or local, IT teams often help set guidelines for procurements and may also be involved in the evolution and execution of some procurements. IT teams may set requirements but may also play an advisory role. IT teams focus more broadly than security. Don’t assume their perspective is to achieve the same level of security you want or that their input will result in better security outcomes. They are there to provide you support on the best practices for IT procurements, but as the customer you must use that information to assess the risks before making the final decision.
Election officials are the customer, and procurement and IT teams are there to help the election officials achieve their goals. While these different entities may be in the same organization, they may not always see the problem the same way. Together, by focusing on their respective roles, these teams can complete efficient and effective procurements.
Understanding Common Procurement Types#
There are many ways to execute a procurement. Different procurement types are appropriate for different circumstances. This section will address three common approaches:
Pre-negotiated contract: This is an agreement established by a government buyer with a schedule contractor to fill repetitive needs for supplies or services (from GSA). Pre-negotiated contracts include blanket purchase agreements (BPAs), indefinite delivery, indefinite quantity (IDIQ) contracts, and schedule contracts, such as contracts awarded by the U.S. General Services Administration and available for use by state and local government organizations.
Lowest price technically acceptable: The award is made for a specific organizational requirement on the basis of the lowest evaluated price of proposals meeting or exceeding the acceptability standards for non-cost factors (from acquisition.gov).
Best value: These refer to tradeoffs between cost factors and non-cost factors, and allow the government to award a contract for a specific organizational requirement other than the lowest priced. The perceived benefits of the higher priced proposal have to merit the additional cost, and the rationale should be well documented (from acquisition.gov).
Pre-Negotiated Contracts#
Pre-negotiated contracts are typically the fastest way to make procurements, as terms and prices are already negotiated. State and local governments can usually buy off of their own state’s schedules or the federal government’s schedules, saving a great deal of time and effort. Because these agreements are typically negotiated for large quantities, prices are usually favorable.
Pre-negotiated contracts can be great if they meet exactly what you need (see the Additional Resources section for federal resources for pre-negotiated contracts and a similar option provided by CIS through its CyberMarket).
While efforts have been made to keep these contracts aligned with IT security needs, it’s important to vet them for appropriateness in the election context—and ask an IT security expert if you need help. Note also that in some states, there are existing pre-negotiated contracts that may either drive toward a particular solution or in some cases require it. Most procurements of commodity IT, such as basic computer and server purchases, should be under a pre-negotiated contract.
Lowest Price and Best Value#
When no item on a schedule meets the needs of the procurement, you need to conduct an independent procurement. There are two main types: lowest price and best value.
When you can clearly describe all of the requirements for a procurement, and multiple sellers can meet those requirements in similar and easily demonstrable ways, lowest-price procurements make the most sense.
For specialized procurements, best-value procurements are usually best. This will typically include hardware, software, or services that are specialized for elections. Similarly, risk mitigation in cybersecurity can be difficult to assess and describe before seeing a solution, so best-value procurements often lead to better security outcomes. Most procurements of election-specific IT should be conducted as best-value procurements.
Procurement offices sometimes shy away from best-value procurements because of the difficulty many IT experts have in assessing the value of different solution features in financial terms. This can open the door for unfair decisions—whether actual or perceived—so procurement officers often require additional justification before allowing a procurement to go forward as best value. These justifications give confidence that the best-value determinations are made on an objective basis.
In making a justification for a best-value procurement, consider how you can describe incremental value associated with reaping additional benefits or eliminating risks. For instance:
Is there other hardware or software that you’ll no longer need to purchase because the more expensive option has a particular additional feature?
Will the solution result in reduced operating costs due to fewer errors, provide for increased capabilities resulting in a greater portion of the job being done in an automated fashion, or result in the likely elimination of the need for other systems or staffing?
Can you reduce risk (and consequently avoid cost overruns) because of the more expensive approach? If so, what is reducing this risk worth?
What types of non-monetary value can you consider? Does a better security approach reduce reputational risk? Political risk? Can you estimate a range of financial value for reducing that risk?
The good and bad response descriptions in the best practices found in this guide can help with some of those justifications. Understanding these differing approaches to procurements—and being prepared to defend your rationale—can make or break a procurement. Above all, be prepared to be your own advocate for your needs.
Planning#
The first step in a procurement is planning. It requires a clear understanding of the scope and objectives of the procurement, the requirements and desired outcomes from the procurement, and the risks associated with the procurement.
Define business objectives#
Reviewing or defining the business objectives of the organization will help put the potential procurement in the context of the environment and will assist in many early, but critical, decisions. For the purposes of this guide, organizations should focus on their overall risk posture and the impact of potential unavailability or error in the individual functions and components of the election infrastructure. In addition, for IT procurements, clear objectives will help in the analysis of whether hardware needs to be purchased or leased, whether to use cloud or on-premises solutions, whether you need long-term sustained support or a surge of resources. The clearer these objectives at the outset, the higher the likelihood of a successful procurement.
Business objectives should be tied to organization outcomes that include expected benefits, acceptance criteria, success metrics, and financial impacts.
Draft requirements#
The better the requirements for the procurement, the more likely you’ll get what you want out of it. But the critical aspect is tying requirements of a product or service to the business needs of the organization. Requirements will identify deliverables and clearly indicate the requirements that must be met precisely and those for which a vendor may have flexibility to propose alternatives.
Election organizations might find that they need help defining requirements. They may look to requirements that have been defined by external organizations, such as the specifications developed by the EAC and NIST or contract requirements documents developed by other election organizations, some of which are listed on the EAC website. Some organizations may have a preference to reuse requirements from prior contracts.
The best practices provided in this guide can be helpful in identifying requirements that specifically address correctness of election IT functions and ensuring security of operations. It is recommended that the requirements include identification of minimum security requirements, where failure to provide results in disqualification, as well as desired security requirements, which can assist in ranking offerings from different proposers.
While requirements will evolve as you prepare for the procurement and gather additional information, it is still critical to develop them as completely as possible in this early stage.
Establish a procurement plan#
Like anything, starting with a good plan will improve the chances of getting the outcomes you want. Using the objectives and requirements already established, you can develop a plan that includes timelines and identifies costs and risks.
At this stage, you’ll often decide what type of procurement vehicle to use (e.g., sole source contracts, buying off a schedule, full and open competition). This decision will involve coordinating with procurement officials, business owners, and IT staff to ensure the plan is viable.
Market Research#
Market research, including outreach to industry, can be an excellent way of identifying the functional and security capabilities that are available from other sources. The results of market research should serve as inputs to refining requirements. While a few voting machine vendors make up the vast majority of the market, the options for other systems used in election administration, especially those that run on commodity IT hardware and software, are as broad as the IT market as a whole. Thorough market research can ensure the procured items meet the desired outcomes.
Emphasis on security during market research is very important. Given the relatively recent increase in expectations regarding security, as well as the evolving threat to election systems, market research is an excellent opportunity to find out what industry leaders are doing with regard to security.
Moreover, market research helps identify some of the important differences between vendors that can impact outcomes down the road. Beyond the current-day capabilities, perhaps less exciting but as important are the service agreements, warranties, and lifecycle support differences that can have a long-lasting impact.
Quality market research can also help identify contract vehicle and discounting options, and can include working with other localities, the state, and even the federal government to obtain discounting and negotiated prices. Even if your locality can’t take advantage of some of these opportunities, knowing about them can help you understand vendors’ pricing structures and give you an advantage in negotiations.
One common way to perform market research is through a Request for Information (RFI) that is publicly posted or sent to potential vendors or contractors based on pre-defined criteria. Another popular method is to have an “industry day” that invites vendors to present to potential buyers. But conducting market research doesn’t have to be entirely formal. Anything that increases your ability to make good procurement decisions—talking with colleagues about their experiences with vendors, searching for new vendors on the internet, making calls to vendors, reviewing past procurements and those from other jurisdictions—can all help you reach your goal.
Once you’ve completed your market research, you can update your procurement plan and requirements. With careful thought, planning, and research about what you need and what is available, you’re ready to move on to the solicitation itself.
Solicitation and Award#
Your jurisdiction may have specific requirements for which types of procurements it allows under a given set of circumstances, but generally you’ll see that low-dollar value, short-lived, or commodity procurements don’t require much scrutiny or paperwork, while large, long-lived, and specialized procurements have a longer lead time and require more review.
Issuing a solicitation#
Simple procurements can be as straightforward as using a credit card or purchasing from a central buying office in your jurisdiction. The process is usually quite simple and isn’t addressed in this guide. That said, improperly sourcing items as simple as a USB stick can have devastating security impacts. So even when it seems like a five-minute task, when it involves IT procurement, take all matters seriously.
For larger procurements, products and services are usually either purchased from an existing bulk contract or schedule or are solicited via a competitive procurement process. In the case of a procurement that requires highly specialized items or one in which there is only one vendor or a small number of vendors, remember that the security requirements don’t change, and so the process for ensuring security shouldn’t change even with limited options.
A Request for Quote (RFQ) or Request for Proposal (RFP) or similar tool triggers the formal proposal process. Once the RFQ has been released or published, the work of preparing the quote or bid is now on the vendor, but the government must still take an active part in the procurement. Widely circulating a procurement and being responsive to questions from bidders are critical aspects of ensuring strong bids.
Communication during solicitation#
Maintaining fairness is important in the solicitation process, but so is maintaining communication. As with many processes, an all-too-common downfall of the solicitation process is a breakdown of communication between the government and vendors. In the interest of not divulging information that could unfairly advantage one vendor, government personnel sometimes shy away from answering questions or discussing the procurement with individual vendors. This can hinder a procurement and lead to proposers that misunderstand requirements or fail to properly reflect what is really important to the government.
Much of this can be avoided with good planning and research, but the government should also maintain communication throughout the process. A good—and inexpensive—way to answer questions while maintaining fairness is to require that all questions, with their answers, be posted publicly with the solicitation. Even with a proposers’ conference, everyone will have access to clarifying information, which improves proposals and ultimately results in an improved outcome for the government.
Your state or locality may have specific rules or systems for questions and answers, so always work with the procurement authority to stay above board.
Evaluating proposals and selecting vendors#
Evaluation of quotes or proposals should be a formal process to ensure the work that went into planning, market research, and clarifying the procurement goes to good use. Some IT procurements will select the proposal that has the lowest bid while meeting stated minimum requirements (lowest cost), while others will allow for a broader evaluation of all that is offered in the proposal (best value). Given the nature of security and the difficulty of capturing all security requirements as minimum requirements, it is typically preferable to evaluate security using a best value evaluation method.
Whichever method is applied, evaluators should first eliminate any proposal that doesn’t meet the minimum requirements. In a best value procurement, evaluators need to identify objective methods for identifying and assessing the value of additional attributes of a proposal when comparing it to a lower cost offering. When there are large differences in the proposals, it can be difficult to put a cost impact on the value of additional attributes, for example better security that may reduce the risk of successful attacks—which have very costly consequences. Critically important for a best value analysis is documentation and objective reasoning. Like everything, your jurisdiction’s procurement rules matter, but, in general, documenting a defensible, objective basis for decisions will get the job done. Also, it is typically helpful to have one or more individuals not specifically involved with the procurement evaluation do an independent review of best value analyses to ensure that the logic behind the objective assessment is appropriately captured.
In best value procurements, negotiations are often part of the evaluation and selection process as well. Approaches to negotiations vary, but the government must go in with a clear expectation of what it wants and what it cannot accept. While no procurement is perfect, the clearer the expectations ahead of time, the higher the likelihood of a positive outcome.
Managing Procurements#
Aside from the simplest of procurements, there is always more to it than delivery of a product and an exchange of money. For IT contracts in elections, this means that election officials and their teams need continual involvement in procurements, both from technical and non-technical personnel. This is true of all IT: hardware, software, and services, on-premises and in the cloud. To this end, individuals in election offices need a level of training that will enable them to understand what they can and cannot do in managing a procurement.
For hardware and software support contracts, IT and non-IT election staff should understand the service level agreements that were specified in the contract—who responds in an outage, what are expected uptimes, how quickly must a vendor respond to a system failure or other disruption. For services contracts, election staff should also understand contracted response times in case of emergencies, contingency plans, and how to enforce compliance in a critical situation. For many unexpected situations, someone whose day-to-day work is not in procurement likely won’t have the experience or expertise to always have the right answer, so those individuals must maintain relationships with procurement officials.
There are a number of security focus areas that are important in managing contractors. In most cases, a contract will require a contract-specific security plan that outlines the processes and activities to ensure that security is maintained through activities such as security updates to software, vulnerability assessments, incident response, and personnel training. Keeping the procurement folks up-to-date on key activities, important upcoming events, and ongoing risks can speed their reaction time when something goes awry.