U.S. General Services Administration Presentation to: ITIC Improving Cybersecurity through Acquisition Emile Monette Senior Advisor for Cybersecurity GSA.
Slide 1 – Title
U.S. General Services Administration
Presentation to: ITIC
Improving Cybersecurity through Acquisition
Emile Monette, Senior Advisor for Cybersecurity, GSA Office of Mission Assurance
January 29, 2014

Slide 2 – Background: We Have a Problem
- When the government purchases products or services with inadequate built-in cybersecurity, the risks created persist throughout the lifespan of the item purchased. This lasting effect is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
- Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
- Meanwhile, due to the growing sophistication and complexity of ICT and of global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.

Slide 3 – Executive Order
- On February 12, 2013, the President issued an Executive Order (EO) directing Federal agencies to provide stronger protections for cyber-based systems that are critical to our national and economic security. Section 8(e) of the EO required GSA and DoD to: "... make recommendations to the President, ... on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration."
- GSA and DoD recommended six acquisition reforms:
  I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
  II. Address Cybersecurity in Relevant Training
  III. Develop Common Cybersecurity Definitions for Federal Acquisitions
  IV. Institute a Federal Acquisition Cyber Risk Management Strategy
  V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other "Trusted" Sources, Whenever Available, in Appropriate Acquisitions
  VI. Increase Government Accountability for Cyber Risk Management

Slide 4 – White House Response to 8(e) Recommendations
"DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
– We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on "cybersecurity hygiene" baseline requirements for all IT contracts.
– DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
– DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities."

Slide 5 – 8(e) Recommendations & Potential Impact
Recommendation: I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions – Basic cybersecurity hygiene is broadly accepted across the government and the private sector as a way to reduce a significant percentage of cyber risks. For acquisitions that present cyber risks, the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver. The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified.
Potential Impact:
- FAR 4.17 – Basic Safeguarding of Contractor Information (not in the FAR yet) could be updated to add definitions and solicitation provisions/contract clauses.
- FAR Part 7 – Acquisition Planning could be updated to more explicitly require the government to consider cybersecurity requirements in the technical requirements of contracts.
- FAR Part 12 – Acquisition of Commercial Items could be updated to require solicitation provisions/contract clauses to apply to commercial items.
- FAR Part 52 – Development of solicitation provision(s) and contract clause(s) for cybersecurity.
- FAR 4.4 – Safeguarding Classified Information Within Industry should also be reviewed for updates related to cybersecurity.
- FAR Part Management of Risk – could be updated to address certain types of cyber risk associated with IT contracts.

Slide 6 – 8(e) Recommendations & Potential Impact (cont'd)
Recommendation: II. Address Cybersecurity in Relevant Training – As with any change to practice or policy, there is a concurrent need to train the relevant workforces to adapt to the changes. Incorporate acquisition cybersecurity into required training curricula for appropriate workforces. Require organizations that do business with the government to receive training about the acquisition cybersecurity requirements of the organization's government contracts.
Potential Impact:
- FAR Part 52 – clauses might be developed to require specific training for certain types of contracts where cyber risks are high.
- Note: OFPP, GSA (FAI), DHS (HSAI), and DoD (DAU) are meeting Jan 16th to start implementing this recommendation. Ms. Joanie Newhart, Associate Administrator for Acquisition Workforce Programs in the Office of Federal Procurement Policy, has agreed to convene/charter this informal group with the purpose that the initial training be developed and provided to Acquisition Workforce personnel government-wide. The meeting will gather stakeholder representatives from the relevant acquisition training communities to begin development of (1) course curriculum, (2) training policy, and (3) project plans.

Slide 7 – 8(e) Recommendations & Potential Impact (cont'd)
Recommendation: III. Develop Common Cybersecurity Definitions for Federal Acquisitions – Unclear and inconsistently defined terms lead, at best, to suboptimal outcomes for both efficiency and cybersecurity. Increasing the clarity of key cybersecurity terms in federal acquisitions will increase efficiency and effectiveness for both the government and the private sector. Key terms should be defined in the Federal Acquisition Regulation.
Potential Impact:
- One option is to consider efforts already underway dealing with higher-level quality standards and detection and avoidance of counterfeit electronic parts (FAR Case Higher-Level Contract Quality Requirements). This case revises the FAR to add new higher-level quality standards developed by industry for counterfeit goods. Using this case as an example, FAR Part 46 – Quality Assurance could also be revised to include industry standards for cybersecurity in commercial items.
- FAR Part 39 – Acquisition of Information Technology could be updated to consider applicable definitions.
- FAR Part 2 – Definitions of Words and Terms is probably the most obvious place to promulgate new acquisition definitions.

Slide 8 – 8(e) Recommendations & Potential Impact (cont'd)
Recommendation: IV. Institute a Federal Acquisition Cyber Risk Management Strategy – From a government-wide cybersecurity perspective, identify a hierarchy of cyber risk criticality for acquisitions. To maximize consistency in application of procurement rules, develop and use "overlays" for similar types of acquisition, starting with the types of acquisitions that present the greatest cyber risk. An overlay is a fully specified set of security requirements and supplemental guidance that provides the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.
Potential Impact:
- The FAR could be updated to provide standardized source selection criteria, weighting for those criteria, and contract performance measures for procurements that present high levels of cyber risk.
- Note: OMA/FAS/OGP are engaged in market research and needs assessment with DHS, DoD OCIO, DIA, DISA and NIST to develop a supply chain risk management function to complement the processes used for National Security Systems.

Slide 9 – 8(e) Recommendations & Potential Impact (cont'd)
Recommendation: V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, in Appropriate Acquisitions – In certain circumstances, the risk of receiving inauthentic or otherwise nonconforming items is best mitigated by obtaining required items only from OEMs, their authorized resellers, or other trusted sources. The cyber risk threshold for application of this limitation of sources should be consistent across the Federal government.
Potential Impact:
- The FAR could be updated to require consideration of cyber risk when determining the type of acquisition method used (best value vs. LPTA, lowest price technically acceptable).
- The FAR could be updated to require purchases from a reseller, distributor, wholesaler or broker that is a trusted supplier with the original equipment manufacturer (OEM), or to obtain assurances that the supplier can guarantee the security and integrity of the item being purchased. Potential conflicts with competition rules would have to be addressed.
Recommendation: VI. Increase Government Accountability for Cyber Risk Management – Identify and modify government acquisition practices that contribute to cyber risk. Integrate security standards into acquisition planning and contract administration. Incorporate cyber risk into enterprise risk management and ensure key decision makers are accountable for managing risks of cybersecurity shortfalls in a fielded solution.
Potential Impact:
- The FAR could be updated to ensure contract administration matters relevant to cybersecurity are considered (e.g., past performance, the Federal Awardee Performance and Integrity Information System (FAPIIS), debarment/suspension, etc.).

Slide 10 – Presidential Policy Directive 21
- Designates GSA as Co-Sector Specific Agency (SSA), with DHS, for the Government Facilities Sector.
- Requires GSA, in consultation with DoD and DHS, to "[p]rovide or support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for security of critical infrastructure."
- First next step: define which contracts are "for critical infrastructure systems," and what the "audit rights for security" specifically encompass.
  – Critical infrastructure systems could be any that support government essential functions, agency mission essential functions, or any functions on the DHS list of Critical Infrastructure at Greatest Risk of Cyber Attack.
  – The GSAM provides a good starting point for defining the limits of the audit rights.

Slide 11 – Open Questions
- Establish a govt-wide program/function at GSA?
  – Is there an appetite in the community for starting to address acquisition cyber risk in "non-covered" acquisitions?
  – Is it possible to define in a specific way which types of buys present cyber risks (e.g., by NAICS, PSCs, FSCs, NSNs)?
  – How do we prioritize? Is a FIPS 199 high or moderate rating a good starting point?
  – What about non-covered, non-IT acquisitions (i.e., those that would not get a FIPS rating)? No doubt many present at least the possibility of cyber risk; how should those risks be assessed? Ranked by mission criticality? If so, how is that defined?
- Business case needs:
  – An articulation of the need for "commercial" (OSINT-based) SCRM from customers, and
  – A general scope of what types of acquisitions the need applies to (e.g., a list of PSCs, NAICS, FIPS ratings, ???).