The document outlines a plan to improve cybersecurity and resilience through acquisition reform. It discusses:
1) The need for acquisition reform to address cybersecurity risks that persist throughout an acquired item's lifespan. Currently, varied practices make consistently managing risks difficult.
2) An executive order directing agencies to provide stronger protections for critical systems. A joint working group was formed to prepare recommendations.
3) The working group's final report, which recommends six acquisition reforms, including instituting baseline cybersecurity requirements and developing common definitions. The White House supported moving quickly to an implementation plan with milestones.
Background: We Have a Problem
When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency. Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
Executive Order 13636
On February 12, 2013, the President issued an Executive
Order for “Improving Critical Infrastructure Cybersecurity,”
directing Federal agencies to provide stronger protections
for cyber-based systems that are critical to national and
economic security.
Section 8(e) of the EO required GSA and DoD, in consultation with DHS and the FAR Council:
“Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”
Joint Working Group
The “Joint Working Group on Improving Cybersecurity and Resilience through Acquisition” was formed to prepare the Section 8(e) Report.
Core group composed of topic-knowledgeable individuals with broad expertise in information security and acquisition disciplines, selected from:
DoD: USD-AT&L (DPAP, SE), DoD-CIO, ASD-C3&Cyber, DISA, DIA
GSA: OMA, FAS (ITS/SSD), OCIO, OGP (ME, MV), OGC, OCSIT, PBS
DHS: NPPD (CS&C), USM (OCPO, OSA)
Commerce: NIST
EOP: OMB (OSTP, OFPP), NSC
120-day collaborative effort with high level of stakeholder input
– Over 60 individual engagements
Industry Associations, Critical Infrastructure Partnership Advisory Council Sector
Coordinating Councils, individual large and small companies, media interviews
– Federal Register Notice – 28 comments received (www.regulations.gov)
Section 8(e) Report
Ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System.
The Final Report, "Improving Cybersecurity and Resilience through
Acquisition," was publicly released January 23, 2014:
(http://gsa.gov/portal/content/176547)
Recommends six acquisition reforms:
I. Institute Baseline Cybersecurity Requirements as a Condition of Contract
Award for Appropriate Acquisitions
II. Address Cybersecurity in Relevant Training
III. Develop Common Cybersecurity Definitions for Federal Acquisitions
IV. Institute a Federal Acquisition Cyber Risk Management Strategy
V. Include a Requirement to Purchase from Original Equipment Manufacturers,
Their Authorized Resellers, or Other “Trusted” Sources, Whenever
Available, in Appropriate Acquisitions
VI. Increase Government Accountability for Cyber Risk Management
White House Feedback on Report
Jan 7, 2014 email from Lisa Monaco* to Christine Fox**:
“DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the
report and provided realistic recommendations that will improve the security and resilience of the
nation when implemented. Moving forward, we highlight that:
– We view the core recommendation to be the focus on incorporating cyber risk management
into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline
requirements for all IT contracts.
– DoD and GSA must now move quickly to provide an implementation plan that includes
milestones and specific actions to ensure integration with the various related activities like supply
chain threat assessments and anti-counterfeiting.
– DoD and GSA should ensure the highest level of senior leadership endorsement,
accountability, and sustained commitment to implementing the recommendations through
near and long term action. This should be communicated clearly to the Federal workforce,
government contractors, and the oversight and legislative communities.
– We will need a structured approach, with continued dedication to stakeholder engagement, to
develop a repeatable process to address cyber risks in the development, acquisition, sustainment,
and disposal lifecycles for all Federal procurements.
– It is imperative to reconcile and harmonize the implementation of the report with existing risk
management processes under FISMA and OMB guidance.”
* Lisa Monaco is Assistant to the President for Homeland Security and Counterterrorism
** Christine Fox is Acting Deputy Secretary of Defense
Notice and Request for Comments
Federal Register Notice closed April 28; 13 submissions
www.regulations.gov
Acquisition / Cyber Risk Management (Rec IV)
Major themes of comments:
Use public-private partnerships to develop Plan (e.g., Workshops)
Don’t use PSCs as basis for categorizing risk posture, focus
instead on use-case/function/mission
Use government-wide approach, not agency-specific
Require best-value source selection
Use Cybersecurity Framework
Focus on Agency practices and processes as 1st changes
Explicitly link with FISMA, FedRAMP, CDM, DISA Cloud, …
Joint Plan of Action and Milestones
Next Steps
Secure explicit senior leadership endorsement, accountability, and
sustained commitment to implementing the recommendations
Define and document roles/responsibilities for implementation
Translate recommendations into actions and outcomes
Assign offices of primary responsibility and establish milestones
Working Group will continue stakeholder-centric process
Sub-working groups – project team with lead agency
Federal Register Requests for Comment
Conferences, symposia, meetings, media
Iterative implementation, linked to existing INFOSEC rules / practices
Focus on mission/function supported to determine risk
SCRM in the acquisition process (three steps):
1. RFI / Sources Sought (incl. supply chain questions), producing a list of potential offerors and associated supply chains.
2. Baseline SCRM “business research” assessment, based on public domain information:
• Publicly available information
• Commercial data
• Government data
The baseline assessment informs the RFP SCRM requirements.
3. RFP / Solicitation (incl. supply chain risk management requirements).
SCRM Gaps / Needs (numbered to match the steps above):
1. What questions need to be asked about supply chain during Market Research?
2. What elements of Public Domain data should be included in baseline SCRM assessments?
3. What SCRM measures should be included in Solicitations (e.g., SCRM Plans, Evaluation Factors, Key Performance Indicators)?