Miami-Dade County commissioners may soon extend to all future purchases of cybersecurity software and hardware the “buy American” policy they adopted last year for steel products. This change would also come with increased scrutiny of employees of cybersecurity vendors.
On Tuesday, the Miami-Dade Commission is due to vote on a final vote on a draft order by Jose “Pepe” Diaz this would create a new “Cybersecurity Information Technology Protection and Procurement Program”.
As part of the program, all future cybersecurity solicitations are expected to include language requiring products to be made in the United States.
As was the case with the county”Buy the U.S. Iron and Steel Supply Plan“, exceptions would be made if a product needed does not have a U.S. manufacturer, if the domestic products available are of unsatisfactory quality, or on the written recommendation of the Mayor of Miami-Dade Daniella Levine Cava and subsequent approval by the Commission.
Earlier this month, commissioners in committee approved another workaround to enable the purchase of products that are not classified as prohibited under the National Defense Authorization Act John S. McCain (NDAA).
Since the order would only apply to contracts subject to Commission approval, the rule would not apply to transactions under $1 million. However, Miami-Dade’s chief financial officer Ed Marquez said the administration “is willing to extend (the requirement) to all of our purchases of these types of products.”
An amendment reflecting that commitment was still pending on Friday.
The order would also establish a new rule requiring all vendor employees with cybersecurity access to undergo an “enhanced security review” before being granted access to county systems.
It provides few details on what such a review would entail, defining it only as “security checks or reviews that the county mayor or county mayor’s designate deems necessary to protect the security of networks, devices , County Information Technology Programs and Data”.
Diaz’s order follows several cyberattacks on local governments, including public school systems in Miami Dade and Broward counties.
Miami-Dade’s cybersecurity infrastructure currently consists of a ‘mix’ of domestic and foreign products, according to Miami-Dade’s chief security officer Lars Schmekel.
The county’s firewall technology, for example, comes from the United States and Israel. Israel also manufactures many of the county police department’s forensic tools.
Schmekel admitted that it would be difficult for Miami-Dade to source its cybersecurity products exclusively from U.S. manufacturers, noting that about 80% of chipsets are made overseas, particularly in the Pacific Rim.
None, however, are on the NDAA list, he said.
“We checked some of them,” he added.
Ask by Danielle Cohen Higgins if Diaz’s prescription – who Sally Heyman, Rebecca Sosa and Javier Souto have co-sponsored — would increase costs, Schmekel said the county would continue to hold competitive solicitations to “get the best prices.”
“It’s very difficult to project what the ultimate tax impact may be on this legislation, but it’s not just buy American legislation,” he said. “We don’t buy from the National Defense Authorization Act’s prohibited list of companies, so we have the ability to buy from companies outside the United States, and there are many, many reputable cybersecurity companies outside the United States”