Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration

Section 4: Effective Integration Overview: The IT system life cycle has 5 phases: 1. Initiation 4. Operation/Maintenance 2. Development/Acquisition 5. Disposal 3. Implementation The procurement life cycle has 5 phases: 1. Mission & Business Planning 4. Contract Performance 2. Acquisition Planning 5. Disposal and Closeout 3. Acquisition To effectively integrate IT security into the procurement process, security must be considered throughout the entire procurement life cycle.

Section 4 cont’d: Effective Integration Overview: How do the Procurement and IT System life cycles relate? Procurement Life Cycle Phases Mission and Business Planning Acquisition PlanningAcquisitionContract PerformanceDisposal and Contract Closeout InitiationDevelopment/AcquisitionImplementationOperation/ Maintenance Disposal IT System Lifecycle Phases ALL 5 phases in the procurement life cycle must address IT security requirements.

Section 4 cont’d: Effective Integration What Security Considerations need to be addressed during the Procurement Life Cycle? Procurement Life Cycle Phase 1 Mission and Business Planning PROCUREMENT CYCLE ACTIIVTIES Mission/Business Planning results in a needs determination which defines the problem to be resolved through the procurement process. Components of the needs determination are: - basic system idea - preliminary requirements definition - approval

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 1 Mission and Business Planning SECURITY CONSIDERATIONS The Needs Determination for IT systems and applications should result in a Preliminary System Security Plan compliant with NIST Special Publication that establishes the need, links the need to performance objectives, and addresses alternatives. The Procurement Initiator must obtain a unique system identifier number from the bureau’s Office of the Chief Information Office (OCIO). The procurement initiator should conduct a preliminary sensitivity assessment in accordance with Federal Information Processing Standard (FIPS)199. The procurement initiator must utilize criteria in Federal Information Processing Standard 199 to determine sensitivity as High, Moderate, or Low

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 2 Acquisition Planning PROCUREMENT CYCLE ACTIIVTIES Acquisition Planning results in a Requirements Analysis which is an in-depth study of the need and the initial beginnings of the Statement of Work (SOW). Other activities in this phase include: Considering market research, socioeconomic programs Acquisition planning in accordance with FAR Part 7 Funding the requirement: The project team is responsible for funding the requirement by completing a Capital Asset Plan as required by OMB Circular A-11, Section 300. The Capital Asset Plan and a Business Case may also be required to be presented to the ITRB when requested.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 2 Acquisition Planning SECURITY CONSIDERATIONS Security Considerations include:  Integrity, Availability, and Confidentiality Analysis  Sensitivity Assessment Update  Level of Assurance Analysis  Risk Assessment Preparation  For IT systems or major applications, development of the Security Plan.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 3 Acquisition PROCUREMENT CYCLE ACTIIVTIES This phase includes the development and issuance of the solicitation and the receipt and evaluation of offers or quotations. All considerations surrounding the acquisition of the product or service must be addressed in this phase. This includes the Statement of Work; how it will be acquired (Source Selection Plan); how it will be evaluated, tested, and accepted (offer or quotation evaluation plan); and how the contract will be administered.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 3 Acquisition SECURITY CONSIDERATIONS Develop security requirements for inclusion in the Statement of Work. Assignment of Contract Security Risk Establish Personnel Security requirements Establish Security Offer or Quotation Evaluation & Acceptance Criteria & Conduct Evaluation of offers or quotations Security Review of Solicitation Obtain Security Classification Guidance from Program Manager Ensure Contractor IT Security Awareness Training

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 4Contract Performance PROCUREMENT CYCLE ACTIIVTIES This phase involves contractor monitoring. The COR may require IT security expertise to assist in reviewing contract performance measurement documentation, inspecting IT security deliverables, or evaluating contract modifications.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 4Contract Performance SECURITY CONSIDERATIONS IT Security must be considered when: Inspecting and accepting deliverables Monitoring performance measures Reviewing of contractor compliance with IT contract IT security requirements Updating the Risk Assessment Annual reviews of all systems and contracted IT facilities are required by DOC policy and FISMA in accordance with the NIST Special Publication self- assessment guidance. The COR should participate in these reviews as well as monitor the contractor's daily operation of the system.

Section 4 cont’d: Effective Integration Procurement Life Cycle Phase 5Disposal and Contract Closeout PROCUREMENT CYCLE ACTIIVTIES The phase includes determining the following:  Appropriateness of disposal  Exchange and sale of property  Transfer and/or donation of property Contract Closeout activities are also performed.

Module 2 Review Summary Procurement & IT System Life Cycles ALL 5 phases in the procurement life cycle must address IT security requirements.