Published on March 19, 2014
U.S. General Services Administration Presentation to: Software and Supply Chain Assurance Forum Improving Cybersecurity through Acquisition Emile Monette Senior Advisor for Cybersecurity GSA Office of Mission Assurance email@example.com March 18, 2014
2 Background: We Have a Problem When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency. Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations. Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks
Executive Order 13636 Section 8(e) of the EO required GSA and DoD to: “… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration” Report signed January 23, 2014 (http://gsa.gov/portal/content/176547) Recommends six acquisition reforms: I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions II. Address Cybersecurity in Relevant Training III. Develop Common Cybersecurity Definitions for Federal Acquisitions IV. Institute a Federal Acquisition Cyber Risk Management Strategy V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions VI. Increase Government Accountability for Cyber Risk Management 3
NSCS Response to Recommendations “DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that: We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline requirements for all IT contracts. DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting. DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities.” 4
Now What? Implementation Plan – Translate recommendations into actions and outcomes Iterative process; sequential and concurrent implementation Address recommendations in order of implementation Open, collaborative, stakeholder-centric process Request for public comment 45 days (Responses due 28 Apr) In-person meetings Press / Media coverage 5
Emile’s Implementation Buzzword Imperfect [im-pur-fikt] – of, pertaining to, or characterized by defects or weaknesses: Le mieux est l'ennemi du bien. 6
The first recommendation to be implemented… IV. Institute a Federal Acquisition Cyber Risk Management Strategy – From a government-wide cybersecurity perspective, identify a hierarchy of cyber risk criticality for acquisitions. To maximize consistency in application of procurement rules, develop and use “overlays” for similar types of acquisition, starting with the types of acquisitions that present the greatest cyber risk. – The government needs an interagency acquisition cyber risk management strategy that requires agencies to ensure their performance meets strategic cyber risk goals for acquisition and is part of the government’s enterprise risk management strategy. The strategy should be based on a government-wide perspective of acquisition, and be primarily aligned with the methodologies and procedures developed to address cyber risk in the Cybersecurity Framework. It should identify a hierarchy of cyber risk criticality for acquisitions and include a risk- based prioritization of acquisitions. The risk analysis should be developed in alignment with the Federal Enterprise Architecture and NIST Risk Management Framework (RMF). 7
About the Acquisition Cyber Risk Management Strategy • Why this one first? Provides necessary foundation for remaining recommendations • What is it? Draws from the sourcing practices of spend analysis, strategic categorization of buying activities, and category management, combined with application of information security controls and safeguards and procurement risk management practices like pricing methodology, source selection, and contract performance management. • How? Three-step process that produces: Category Definitions, Risk Prioritization, and Overlays 8
Category Definitions 1. Grouping similar types of acquisitions together based on characteristics of the product or service being acquired, supplier or market segments, and prevalent customer/buyer behavior. – Categories must be right-sized – broad enough to be understandable and provide economies of scale, but specific enough to enable development of Overlays that provide meaningful, adequate and appropriate safeguards for the types of risks presented by the products or services in the Category – Determine which Categories present potential cyber risk • “Do purchases made in this Category present cyber risk to any possible end user?” 9
Risk Assessment and Prioritization 3. Produce a hierarchy of Categories based on comparative cyber risk. – “Which of the Categories presents the greatest cyber risk as compared to the other Categories? – The Category that is determined to have the highest risk through a comparative assessment would be the first one for which an Overlay is developed. • Unless….there is a compelling opportunity to develop Overlays for a different Category first… – Risk hierarchy provides reasoning – where a Category is determined to have higher risk relative to other types of acquisitions, the level of resources expended to address those risks will also be justifiably higher. 10
Overlays 4. Develop Overlays – a tool for acquisition officials to use throughout the acquisition lifecycle, and include: – An articulation of the level of risk presented by the Category derived from the risk assessment; – A specific set of minimum controls that must be included in the technical specifications, acquisition plan, and during contract administration and performance for any acquisition in the Category; – The universe of additional controls that are relevant to the Category but are not required in the minimum (i.e., a “menu”), and – Examples of sets of the identified additional controls that apply to particular use cases (e.g., FIPS 199 High or Moderate system acquisition), as applicable. 11
Federal Register Notice & Request for Comment • Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, 79 Fed. Reg. 14042 (Mar. 12, 2014); responses due 28 Apr • Directs readers to http://gsa.gov/portal/content/176547 – Memo for Commenters – context and caveats – Draft Implementation Plan • Background, assumptions, constraints, etc., process map for implementation of recommendations • Will include an Appendix for each recommendation – Appendix I • Presents a notional “model” for category definitions, including taxonomy based on PSCs 12
A compelling opportunity…….. • Alliant II – The Alliant program office seeks to develop and implement a robust set of cybersecurity protections for the forthcoming Alliant II GWAC – Contract Overlays 1. Develop a “cross-walk” that maps the PSCs identified as within scope of Alliant 2 (https://interact.gsa.gov/document/interact-question-2- %E2%80%93-product-service-codes-pscs) to the Category definitions in the draft GSA-DoD Implementation Plan for the recommendations included in the joint report Improving Cybersecurity and Resilience through Acquisition (http://www.gsa.gov/portal/content/176547). 2. Identify Cybersecurity Framework controls applicable to the Alliant contract. 3. Identify acquisition safeguards/controls applicable to the Alliant contract 13
resilience ofthe Federal government by improving management ofthe people, ... Resilience through Acquisition. The report is one component ofthe government ...
EO 13636: Improving Critical Infrastructure Cybersecurity ... "Improving Cybersecurity and Resilience through Acquisition," can be downloaded at the ...
6 ways to improve cybersecurity through acquisition. ... “Improving Cybersecurity and Resilience through Acquisition,” sets out six reforms intended ...
Cyber Security; Robots; Lasers ... Improving Cybersecurity and Resilience. ... “Improving Cybersecurity and Resilience through Acquisition,” announcing ...
How to improve cybersecurity through acquisition. ... of Cyber Security Services at ... Improving Cybersecurity and Resiliency through Acquisition ...
DOD & GSA Issue Final Report on Improving Cybersecurity & Resilience through ... and Resilience Through Acquisition ... , cyber security, ...
Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition. ... have formed the “Joint Working Group on Improving Cybersecurity ...
GSA's Emile Monette's presentation before the DOD/DHS/NIST software and supply chain assurance forum: Improving cyber-security through acquisition