Miami-Dade County commissioners may soon extend a “buy American” policy they adopted last year for iron and steel products to all future cybersecurity software and hardware purchases. That change also would come with heightened screening of cybersecurity vendor employees.
On Tuesday, the Miami-Dade Commission is scheduled to cast a final vote on a proposed ordinance by Jose “Pepe” Diaz that would create a new “Cybersecurity Information Technology Procurement and Protection Program.”
Under the program, all future cybersecurity solicitations would have to include language requiring that the products were produced in the United States.
As was the case with the county’s “Buy American Iron and Steel Procurement Plan,” exceptions would be made if a needed product has no U.S. manufacturer, if the available domestic products are of unsatisfactory quality or upon written recommendation by Miami-Dade Mayor Daniella Levine Cava and subsequent Commission approval.
Earlier this month, commissioners in committee approved another workaround to allow for the purchase of products that aren’t listed as prohibited under the John S. McCain National Defense Authorization Act (NDAA).
Because the ordinance would only apply to contracts subject to Commission approval, the rule wouldn’t apply to deals of less than $1 million. However, Miami-Dade CFO Ed Marquez said the administration “is amenable to extending (the requirement) to all our purchases of these types of products.”
An amendment reflecting that commitment was still pending Friday.
The ordinance also would set a new rule requiring all employees of vendors with cybersecurity access to undergo a “heightened security review” prior to being granted access to county systems.
It provides little detail of what such a review would entail, defining it only as “security screenings or reviews the County Mayor or County Mayor’s designee determines necessary to protect the security of the County’s information technology networks, devices, programs, and data.”
Diaz’s ordinance follows several cyberattacks on local governments, including on the public school systems of Miami-Dade and Broward counties.
Miami-Dade’s cybersecurity infrastructure is currently composed of “a mix” of domestic and foreign-made products, according to Miami-Dade Chief Security Officer Lars Schmekel.
The county’s firewall technology, for instance, is from the U.S. and Israel. Israel also makes many of the county police department’s forensics tools.
Schmekel admitted it would be tough for Miami-Dade to exclusively source its cybersecurity products from U.S. makers, noting that approximately 80% of chipsets are made abroad, particularly in the Pacific Rim.
None, however, is on the NDAA list, he said.
“We have checked for some of those,” he added.
Asked by Danielle Cohen Higgins whether Diaz’s ordinance — which Sally Heyman, Rebeca Sosa and Javier Souto have cosponsored — would jack up costs, Schmekel said the county will continue to hold competitive solicitations to “get the best prices.”
“It’s very difficult to project what the ultimate fiscal impact may be on this legislation, but it is not just a buy-American legislation,” he said. “We are not purchasing from the National Defense Authorization Act list of banned companies, so we do have the ability to purchase from companies outside the United States, and there are very many well-regarded cybersecurity companies outside the U.S.”