U.S. General Services Administration Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity through Acquisition Emile Monette Senior Advisor.

Presentation transcript:

1 U.S. General Services Administration
Presentation to: ACT-IAC Cybersecurity SIG
Improving Cybersecurity through Acquisition
Emile Monette, Senior Advisor for Cybersecurity, GSA Office of Mission Assurance
March 5, 2014

2 Background: We Have a Problem
• When the government purchases products or services with inadequate built-in cybersecurity, the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
• Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
• Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.

3 Executive Order
• Section 8(e) of the Executive Order required GSA and DoD to: "… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration"
• Report signed January 23, 2014
• Recommends six acquisition reforms:
I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
II. Address Cybersecurity in Relevant Training
III. Develop Common Cybersecurity Definitions for Federal Acquisitions
IV. Institute a Federal Acquisition Cyber Risk Management Strategy
V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other "Trusted" Sources, Whenever Available, in Appropriate Acquisitions
VI. Increase Government Accountability for Cyber Risk Management

4 White House Response to Recommendations
"DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
• We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on "cybersecurity hygiene" baseline requirements for all IT contracts.
• DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
• DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities."

5 Now What?
• Implementation Plan
– Translate recommendations into actions and outcomes
– Iterative process; sequential and concurrent implementation
– Address recommendations in order of implementation
• Open, collaborative, stakeholder-centric process
– Request for public comment (45 days)
– In-person meetings
– Press / media coverage

6 The first recommendation to be implemented: Institute a Federal Acquisition Cyber Risk Management Strategy
– Provides the necessary foundation for the remaining recommendations
– Draws from the sourcing practices of spend analysis, strategic categorization of buying activities, and category management, combined with the application of information security controls and safeguards and procurement risk management practices such as pricing methodology, source selection, and contract performance management
– Outputs: Category Definitions, Risk Prioritization, and Overlays

7 Category Definitions
Grouping similar types of acquisitions together based on characteristics of the product or service being acquired, supplier or market segments, and prevalent customer/buyer behavior.
– Categories must be broad enough to be understandable and provide economies of scale, but specific enough to enable development of Overlays that provide meaningful, adequate and appropriate safeguards for the types of risks presented by the products or services in the Category.
Determine which Categories present potential cyber risk:
– "Does this Category present cyber risk to any possible end user?"

8 Risk Assessment and Prioritization
Produce a ranked list of Categories based on comparative cyber risk.
– "Which of the Categories presents the greatest cyber risk as compared to the other Categories?"
– The Category determined to have the highest risk through this comparative assessment is the first one for which an Overlay is developed.
– Where a Category is determined to have higher risk relative to other types of acquisitions, the level of resources expended to address those risks will also be justifiably higher.

9 Overlays
Overlays are a tool for acquisition officials to use throughout the acquisition lifecycle, and include:
– An articulation of the level of risk presented by the Category that links the level of risk of the Category to the risk assessment;
– A specific set of minimum controls that must be included in the technical specifications, the acquisition plan, and contract administration and performance for any acquisition in the Category;
– The universe of additional controls that are relevant to the Category but are not required in the minimum (i.e., a "menu"); and
– Examples of sets of the identified additional controls that apply to particular use cases (e.g., a FIPS 199 High or Moderate system acquisition), as applicable.

10 Federal Register Notice & Request for Comment
To be published early this month; open 45 days.
Directs readers to:
– Draft Implementation Plan: background, assumptions, constraints, etc., and a process map for implementation of the recommendations. Will include an Appendix for each recommendation.
– Appendix I: presents a notional "model" for category definitions, including a taxonomy based on PSCs (Product Service Codes).
Request for ACT-IAC members: Comment!