U.S. General Services Administration
Presentation to: Software and Supply Chain Assurance Forum
Improving Cybersecurity through Acquisition
December 17, 2013
Background: We Have a Problem
When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
Executive Order 13636
On February 12, 2013, the President issued Executive Order (EO) 13636 directing Federal agencies to provide stronger protections for cyber-based systems that are critical to our national and economic security. Among other things, the EO required GSA and DoD to:
“… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”
Collaborative effort between GSA, DoD, OFPP, DHS, and NIST
–Over 60 individual stakeholder engagements in four months
–Federal Register RFI – 28 comments received (www.regulations.gov)
–Report to the POTUS recommending acquisition reforms that will result in improvements to cybersecurity
Improving Cybersecurity Through Acquisition
Implementing the Recommendations:
1. Baseline cybersecurity requirements for contractors
–Framework Profile? NIST SP 800-53r4? FIPS? SANS 20?
2. Training for Federal and industry workforces
–Awareness, technology, products/services, contracting-specific
3. Cybersecurity definitions for contracts
–Framework? CNSS? NIST SPs? FIPS?
4. Acquisition cybersecurity risk management strategy
–NIST SPs + Framework Profile + FIPS + + +?
5. High-risk purchases only from “trusted” sources
–OMs and “Authorized,” (OTTP-S, ISO, AS6496?) + FAR QBLs (9.2)
6. Increased government accountability for cybersecurity risk management
–Define organizational risk tolerance
What’s Next? Time to Engage!
Cyber-Acquisition RFI [ date TBD ]
–Include outline of implementation plan and pose questions
–Solicit public comment for 45 days
–Public meetings / broad stakeholder outreach
–Closing to coincide with final Cybersecurity Framework
–Provide basis for FAR business case
Framework: http://www.nist.gov/itl/cybersecurity-102213.cfm
DHS Voluntary Program: EO-PPDTaskForce@hq.dhs.gov
Contact Information
Emile Monette
Senior Advisor for Cybersecurity
GSA Office of Mission Assurance
emile.monette@gsa.gov