Improving Cybersecurity and Resilience Through Acquisition (Emile Monette, GSA)


When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.

Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.

Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.



1. IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION: IMPLEMENTATION PLAN
2. Background: We Have a Problem
   • When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
   • Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
   • Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
3. Based on public comments on EO 13636 Implementation Plan
4. Executive Order 13636
   • On February 12, 2013, the President issued an Executive Order for “Improving Critical Infrastructure Cybersecurity,” directing Federal agencies to provide stronger protections for cyber-based systems that are critical to national and economic security.
   • Section 8(e) of the EO required GSA and DoD, in consultation with DHS and the FAR Council: “Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”
5. Joint Working Group
   • The “Joint Working Group on Improving Cybersecurity and Resilience through Acquisition” was formed to prepare the Section 8(e) Report
   • Core group comprised of topic-knowledgeable individuals representing broad expertise in information security and acquisition disciplines, selected from:
     - DoD: USD-AT&L (DPAP, SE), DoD-CIO, ASD-C3&Cyber, DISA, DIA
     - GSA: OMA, FAS (ITS/SSD), OCIO, OGP (ME, MV), OGC, OCSIT, PBS
     - DHS: NPPD (CS&C), USM (OCPO, OSA)
     - Commerce: NIST
     - EOP: OMB (OSTP, OFPP), NSC
   • 120-day collaborative effort with high level of stakeholder input
     - Over 60 individual engagements: Industry Associations, Critical Infrastructure Partnership Advisory Council Sector Coordinating Councils, individual large and small companies, media interviews
     - Federal Register Notice: 28 comments received (www.regulations.gov)
6. Section 8(e) Report
   • Ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System
   • The Final Report, "Improving Cybersecurity and Resilience through Acquisition," was publicly released January 23, 2014 (http://gsa.gov/portal/content/176547)
   • Recommends six acquisition reforms:
     I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
     II. Address Cybersecurity in Relevant Training
     III. Develop Common Cybersecurity Definitions for Federal Acquisitions
     IV. Institute a Federal Acquisition Cyber Risk Management Strategy
     V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
     VI. Increase Government Accountability for Cyber Risk Management
7. White House Feedback on Report
   • Jan 7, 2014 email from Lisa Monaco* to Christine Fox**: “DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
     - We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline requirements for all IT contracts.
     - DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
     - DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities.
     - We will need a structured approach, with continued dedication to stakeholder engagement, to develop a repeatable process to address cyber risks in the development, acquisition, sustainment, and disposal lifecycles for all Federal procurements.
     - It is imperative to reconcile and harmonize the implementation of the report with existing risk management processes under FISMA and OMB guidance.”
   * Lisa Monaco is Assistant to the President for Homeland Security and Counterterrorism
   ** Christine Fox is Acting Deputy Secretary of Defense
8. Notice and Request for Comments
   • Federal Register Notice closed April 28; 13 submissions (www.regulations.gov)
   • Acquisition / Cyber Risk Management (Rec IV)
   • Major themes of comments:
     - Use public-private partnerships to develop Plan (e.g., Workshops)
     - Don’t use PSCs as the basis for categorizing risk posture; focus instead on use-case/function/mission
     - Use a government-wide approach, not agency-specific
     - Require best-value source selection
     - Use the Cybersecurity Framework
     - Focus on Agency practices and processes as the first changes
     - Explicitly link with FISMA, FedRAMP, CDM, DISA Cloud, ...
9. Joint Plan of Action and Milestones
   • Next Steps
     - Secure explicit senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations
     - Define and document roles/responsibilities for implementation
     - Translate recommendations into actions and outcomes
     - Assign offices of primary responsibility and establish milestones
   • Working Group will continue stakeholder-centric process
     - Sub-working groups: project team with lead agency
     - Federal Register Requests for Comment
     - Conferences, symposia, meetings, media
   • Iterative implementation, linked to existing INFOSEC rules / practices
   • Focus on mission/function supported to determine risk
10. [Flow diagram: supply chain risk management (SCRM) in the pre-award acquisition process]
   Step 1: RFI / Sources Sought (incl. supply chain questions) → produces a list of potential offerors and associated supply chains
   Step 2: Baseline SCRM “business research” assessment, based on public domain information (publicly available info, commercial data, government data) → baseline assessment informs RFP SCRM requirements
   Step 3: RFP / Solicitation (incl. supply chain risk management requirements)
   SCRM Gaps / Needs, one per step:
   1. What questions need to be asked about supply chain during Market Research?
   2. What elements of Public Domain data should be included in baseline SCRM assessments?
   3. What SCRM measures should be included in Solicitations (e.g., SCRM Plans, Evaluation Factors, Key Performance Indicators)?
