Improving Cybersecurity and Resilience Through Acquisition (Emile Monette, GSA)

When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.

Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.

Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.

Transcript

  • 1. IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION IMPLEMENTATION PLAN
  • 2. Background: We Have a Problem
    – When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
    – Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
    – Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
  • 3. Based on public comments on EO 13636 Implementation Plan
  • 4. Executive Order 13636
    – On February 12, 2013, the President issued an Executive Order for “Improving Critical Infrastructure Cybersecurity,” directing Federal agencies to provide stronger protections for cyber-based systems that are critical to national and economic security.
    – Section 8(e) of the EO required GSA and DoD, in consultation with DHS and the FAR Council: “Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”
  • 5. Joint Working Group
    – The “Joint Working Group on Improving Cybersecurity and Resilience through Acquisition” was formed to prepare the Section 8(e) Report.
    – Core group comprised of topic-knowledgeable individuals representing broad expertise in information security and acquisition disciplines, selected from:
      • DoD: USD-AT&L (DPAP, SE), DoD-CIO, ASD-C3&Cyber, DISA, DIA
      • GSA: OMA, FAS (ITS/SSD), OCIO, OGP (ME, MV), OGC, OCSIT, PBS
      • DHS: NPPD (CS&C), USM (OCPO, OSA)
      • Commerce: NIST
      • EOP: OMB (OSTP, OFPP), NSC
    – 120-day collaborative effort with a high level of stakeholder input:
      • Over 60 individual engagements: industry associations, Critical Infrastructure Partnership Advisory Council Sector Coordinating Councils, individual large and small companies, media interviews
      • Federal Register Notice: 28 comments received (www.regulations.gov)
  • 6. Section 8(e) Report
    – Ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System.
    – The Final Report, "Improving Cybersecurity and Resilience through Acquisition," was publicly released January 23, 2014 (http://gsa.gov/portal/content/176547).
    – Recommends six acquisition reforms:
      I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
      II. Address Cybersecurity in Relevant Training
      III. Develop Common Cybersecurity Definitions for Federal Acquisitions
      IV. Institute a Federal Acquisition Cyber Risk Management Strategy
      V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
      VI. Increase Government Accountability for Cyber Risk Management
  • 7. White House Feedback on Report
    – Jan 7, 2014 email from Lisa Monaco* to Christine Fox**: “DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
      • We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline requirements for all IT contracts.
      • DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
      • DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities.
      • We will need a structured approach, with continued dedication to stakeholder engagement, to develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all Federal procurements.
      • It is imperative to reconcile and harmonize the implementation of the report with existing risk management processes under FISMA and OMB guidance.”
    * Lisa Monaco is Assistant to the President for Homeland Security and Counterterrorism
    ** Christine Fox is Acting Deputy Secretary of Defense
  • 8. Notice and Request for Comments
    – Federal Register Notice closed April 28; 13 submissions (www.regulations.gov)
    – Acquisition / Cyber Risk Management (Rec IV)
    – Major themes of comments:
      • Use public-private partnerships to develop the Plan (e.g., workshops)
      • Don’t use PSCs as the basis for categorizing risk posture; focus instead on use-case/function/mission
      • Use a government-wide approach, not agency-specific
      • Require best-value source selection
      • Use the Cybersecurity Framework
      • Focus on agency practices and processes as the first changes
      • Explicitly link with FISMA, FedRAMP, CDM, DISA Cloud, etc.
  • 9. Joint Plan of Action and Milestones
    – Next Steps:
      • Secure explicit senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations
      • Define and document roles/responsibilities for implementation
      • Translate recommendations into actions and outcomes
      • Assign offices of primary responsibility and establish milestones
    – Working Group will continue the stakeholder-centric process:
      • Sub-working groups: project team with lead agency
      • Federal Register Requests for Comment
      • Conferences, symposia, meetings, media
    – Iterative implementation, linked to existing INFOSEC rules / practices
    – Focus on the mission/function supported to determine risk
  • 10. [Diagram: SCRM in the acquisition process, three numbered stages]
    1. RFI / Sources Sought (incl. supply chain questions) → List of potential offerors and associated supply chains
    2. Baseline SCRM “business research” assessment, based on public domain information (publicly available info, commercial data, government data) → Baseline assessment informs RFP SCRM requirements
    3. RFP / Solicitation (incl. supply chain risk management requirements)
    – SCRM Gaps / Needs:
      • What questions need to be asked about the supply chain during Market Research?
      • What elements of public domain data should be included in baseline SCRM assessments?
      • What SCRM measures should be included in Solicitations (e.g., SCRM Plans, Evaluation Factors, Key Performance Indicators)?