U.S. General Services Administration Presentation to: Software and Supply Chain Assurance Forum Improving Cybersecurity through Acquisition December 17, 2013
U.S. General Services Administration Presentation to: Software and Supply Chain Assurance Forum Improving Cybersecurity through Acquisition December 17, 2013

2 Background: We Have a Problem
 When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
 Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
 Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.

3 Executive Order
 On February 12, 2013, the President issued Executive Order (EO) directing Federal agencies to provide stronger protections for cyber-based systems that are critical to our national and economic security. Among other things, the EO required GSA and DoD to: “… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”
 Collaborative effort between GSA, DoD, OFPP, DHS, and NIST
 –Over 60 individual stakeholder engagements in four months
 –Federal Register RFI – 28 comments received
 –Report to the POTUS recommending acquisition reforms that will result in improvements to cybersecurity

4 Improving Cybersecurity Through Acquisition
 Implementing the Recommendations:
 1. Baseline cybersecurity requirements for contractors – Framework Profile? NIST SP r4? FIPS? SANS 20?
 2. Training for Federal and industry workforces – Awareness, technology, products/services, contracting-specific
 3. Cybersecurity definitions for contracts – Framework? CNSS? NIST SPs? FIPS?
 4. Acquisition cybersecurity risk management strategy – NIST SP s + Framework Profile + FIPS + + +?
 5. High-risk purchases only from “trusted” sources – OMs and “Authorized,” (OTTP-S, ISO, AS6496?) + FAR QBLs (9.2)
 6. Increased government accountability for cybersecurity risk management – Define organizational risk tolerance

5 What’s Next? Time to Engage!
 Cyber-Acquisition RFI [ date TBD ]
 –Include outline of implementation plan and pose questions
 –Solicit public comment for 45 days
 –Public meetings / broad stakeholder outreach
 –Closing to coincide with final Cybersecurity Framework
 –Provide basis for FAR business case
 Framework:
 DHS Voluntary Program:

6 Contact Information
Emile Monette
Senior Advisor for Cybersecurity
GSA Office of Mission Assurance