Government Technology & Services Coalition & InfraGard NCR's Program: Cyber Security: Securing the Federal Cyber Domain by Strengthening Public-Private Partnership Presentation: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage: Improving Cybersecurity and Resilience Through Acquisition Presenter: Emile Monette, Senior Advisor for Cybersecurity, GSA, Office of Mission Assurance Description: How do we approach deliberate attacks against Federal contractors who handle and have access to massive amounts of sensitive and confidential data and information? From the increasing Insider threat to state-sponsored attacks, how can the Federal government partner more effectively with the private sector to detect and mitigate these attacks?

1. IMPROVING CYBERSECURITY AND RESILIENCE
THROUGH ACQUISITION
Implementation of the Final Report of the
Department of Defense and
General Services Administration
Emile Monette, GSA Office of Mission Assurance
23 Oct 2014

2. Acquisition Reform is Part of the Answer
 When the government purchases products or services with
inadequate in-built “cybersecurity,” the risks created persist
throughout the lifespan of the item purchased. The lasting effect of
inadequate cybersecurity in acquired items is part of what makes
acquisition reform so important to achieving cybersecurity and
resiliency.
 Currently, government and contractors use varied and nonstandard
practices, which make it difficult to consistently manage and
measure acquisition cyber risks across different organizations.
 Executive Order 13636 and Presidential Policy Directive 21, issued
concurrently in February, 2013, require the agencies to take an
integrated approach to cybersecurity through a variety of channels,
including Federal acquisition.
1

3. Executive Order 13636
 On February 12, 2013, the President issued an Executive
Order for “Improving Critical Infrastructure Cybersecurity,”
directing Federal agencies to provide stronger protections
for cyber-based systems that are critical to national and
economic security.
 Section 8(e) of the EO required GSA and DoD, in
consultation with DHS and the FAR Council:
Within 120 days of the date of this order, the Secretary of Defense and the Administrator
of General Services, in consultation with the Secretary and the Federal Acquisition
Regulatory Council, shall make recommendations to the President, through the Assistant
to the President for Homeland Security and Counterterrorism and the Assistant to the
President for Economic Affairs, on the feasibility, security benefits, and relative merits of
incorporating security standards into acquisition planning and contract administration. The
report shall address what steps can be taken to harmonize and make consistent existing
procurement requirements related to cybersecurity.”
2

4. Joint Working Group
 The “Joint Working Group on Improving Cybersecurity and Resilience
through Acquisition,” was formed to prepare the Section 8(e) Report
 Core group comprised of topic-knowledgeable individuals representing
broad expertise in information security and acquisition disciplines
selected from:
 DoD: USD-AT&L (DPAP, SE, C3CB), DoD-CIO, DISA, DIA
 GSA: OMA, FAS (ITS/SSD), OCIO, OGP (ME, MV), OGC, OCSIT, PBS
 DHS: NPPD (CS&C), USM (OCPO, OSA)
 Commerce: NIST
 EOP: OMB (OSTP, OFPP), NSC
 120-day collaborative effort with high level of stakeholder input
– Over 60 individual engagements
 Industry Associations, Critical Infrastructure Partnership Advisory Council Sector
Coordinating Councils, individual large and small companies, media interviews
– Federal Register Notice – 28 comments received (closed June 2013)
3

5. Section 8(e) Report
 The Final Report, "Improving Cybersecurity and Resilience through
Acquisition," was publicly released January 23, 2014:
(http://gsa.gov/portal/content/176547)
 Recommends six acquisition reforms:
I. Institute Baseline Cybersecurity Requirements as a Condition of Contract
Award for Appropriate Acquisitions
II. Address Cybersecurity in Relevant Training
III. Develop Common Cybersecurity Definitions for Federal Acquisitions
IV. Institute a Federal Acquisition Cyber Risk Management Strategy
V. Include a Requirement to Purchase from Original Equipment Manufacturers,
Their Authorized Resellers, or Other “Trusted” Sources, Whenever
Available, in Appropriate Acquisitions
VI. Increase Government Accountability for Cyber Risk Management
Ultimate goal of the recommendations is to strengthen the federal
government’s cybersecurity by improving management of the people,
processes, and technology affected by the Federal Acquisition System
4

6. Next Steps
 Working Group leads:
1. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for
Appropriate Acquisitions
- Don Davidson, OSD/CIO donald.r.davidson4.civ@mail.mil
2. Address Cybersecurity in Relevant Training
- Andre Wilkins, DHS/HSAI andre.wilkins@hq.dhs.gov
3. Develop Common Cybersecurity Definitions for Federal Acquisitions
- Jon Boyens, NIST jon.boyens@nist.gov
4. Institute a Federal Acquisition Cyber Risk Management Strategy
- Don Johnson, OUSD/AT&L donald.b.johnson1.civ@mail.mil
5. Include a Requirement to Purchase from Original Equipment Manufacturers, Their
Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate
Acquisitions
- Emile Monette, GSA/OMA emile.monette@gsa.gov
6. Increase Government Accountability for Cyber Risk Management
- Joe Jarzombek, DHS/NPPD/CS&C Joe.Jarzombek@hq.dhs.gov
 Working Group will continue stakeholder-centric process
 Federal Register Requests for Comment
 Conferences, symposia, meetings, media
 Iterative implementation, linked to existing rules / practices
 Focus on mission/function prioritization and criticality to assess risk 5