Original broadcast 10/1/25
Presented by Carahsoft
At the Billington CyberSecurity Conference in Washington, DC, Bob Costello, Chief Information Officer at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the central role of acquisition and contracting in modernizing government IT. Far from being an afterthought, procurement practices, partnerships, and supply chain transparency are, in his view, the foundation for effective cybersecurity and innovation across the federal landscape.
Costello began by discussing the One Gov initiative led by the General Services Administration (GSA). The effort, he explained, allows agencies to engage directly with cloud service providers, software companies, and other vendors on coordinated projects. For a CIO overseeing technology at CISA, that alignment offers tangible benefits: faster modernization, stronger cybersecurity, and more efficient spending of taxpayer dollars. Costello noted that his office has already had encouraging discussions with major technology firms and is actively embracing opportunities to fold their innovations into CISA’s systems.
A recurring theme in his comments was the importance of direct dialogue with industry partners. Costello described how too many layers between government and suppliers can create opacity, confusion, and delays. By contrast, when CIOs can engage directly with vendors, both sides gain clarity: agencies better understand how technology can meet mission needs, while companies receive unfiltered insight into government requirements. This level of transparency not only speeds delivery but also builds trust, a factor Costello views as essential for long-term success.
The conversation then shifted to supply chain visibility, where Costello offered a candid perspective on one of the thorniest issues facing federal agencies: the software bill of materials, or SBOM. He acknowledged the complexity of the challenge, likening it to the regulatory rigor seen in pharmaceutical manufacturing. Just as consumers trust that medicines have been produced under strict processes and quality controls, agencies must be able to verify the provenance and composition of the software they deploy. With the proliferation of open-source code, legacy libraries, and third-party dependencies, building this level of assurance is no small feat.
CISA has taken a leadership role by issuing new guidance on SBOMs, developed in collaboration with multiple federal agencies and international partners. Costello positioned this work as both a technical and cultural shift: agencies must think differently about what they procure, and vendors must embrace a higher standard of transparency. The goal is to mature the software supply chain so that agencies know not only what they are buying but also whether it will be supported and secure over the long term.
Costello also reflected on his position within CISA, which allows him to see both the operational realities of running IT systems and the broader perspective of shaping national cybersecurity guidance. In recent months, his office has been closely integrated with CISA’s cybersecurity division, giving him and his team the opportunity to serve as a testbed for new initiatives. This unique dual role, he explained, enables CISA to model practices for other agencies, share lessons learned, and act as a proving ground for policies such as binding operational directives.
The impact of this approach is twofold. On one hand, CISA’s internal IT operations benefit from early access to innovative ideas. On the other, the wider CIO community across government gains practical insights into how new policies or technologies might play out in real-world conditions. Costello emphasized that his team does not claim to have solved every problem but is committed to transparency and to setting an example for others navigating similar challenges.
Above all, Costello credited his team for their role in advancing these efforts. He stressed the collaborative nature of government IT, pointing out that progress depends on partnerships not just with industry but also within agencies themselves. By combining strong internal teams with open external dialogue, he argued, agencies can build a healthier ecosystem for innovation.
His message resonated with a broader truth: modernization in government is not just about adopting the latest technology. It is about ensuring that contracts align with mission needs, supply chains are transparent, and partnerships are genuine. In an era where adversaries exploit vulnerabilities at scale, these fundamentals are no less important than the technologies themselves.
Key Takeaways
Acquisition and contracting are inseparable from modernization and cybersecurity.
Direct engagement with suppliers reduces complexity, speeds delivery, and strengthens trust.
SBOMs and supply chain transparency are essential for secure, sustainable IT systems.