Presentation to: ITIC
Improving Cybersecurity through Acquisition

Emile Monette
Senior Advisor for Cybersecurity
GSA Office of Mission Assurance
emile.monette@gsa.gov
January 29, 2014
Background: We Have a Problem

• When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
• Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
• Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
Executive Order 13636

• On February 12, 2013, the President issued Executive Order (EO) 13636 directing Federal agencies to provide stronger protections for cyber-based systems that are critical to our national and economic security. Section 8(e) of the EO required GSA and DoD to: “… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”
• GSA and DoD recommended six acquisition reforms:
  • Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
  • Address Cybersecurity in Relevant Training
  • Develop Common Cybersecurity Definitions for Federal Acquisitions
  • Institute a Federal Acquisition Cyber Risk Management Strategy
  • Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
  • Increase Government Accountability for Cyber Risk Management
White House Response to 8(e) Recommendations

• “DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
  • We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline requirements for all IT contracts.
  • DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
  • DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities.”
Presidential Policy Directive 21

• Designates GSA as Co-Sector Specific Agency (SSA) for the Government Facilities Sector with DHS
• Requires GSA, in consultation with DoD and DHS, to:
  • “[P]rovide or support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for security of critical infrastructure.”
• 1st next step: define which contracts are “for critical infrastructure systems,” and what the “audit rights for security” specifically encompass
  • Critical infrastructure systems could be any that support government essential functions, agency mission essential functions, or any functions on the DHS list of Critical Infrastructure at Greatest Risk of Cyber Attack
  • GSAM 552.239-71 provides a good starting point for defining the limits of the audit rights
Open Questions

• Establish a govt-wide program/function at GSA?
• Is there an appetite in the community for starting to address the acquisition cyber risk in “non-covered” acquisitions?
• Is it possible to define in a specific way which types of buys present cyber risks (i.e., NAICS, PSCs, FSCs, NSNs)?
• How do we prioritize? Is FIPS-199 high or moderate a good starting point?
• What about non-covered, non-IT acquisitions (i.e., those that would not get a FIPS rating)? No doubt, many present at least the possibility of cyber risk; how do/should those risks be assessed? Ranked by mission criticality? And if yes, how is that defined?
• Business Case needs:
  • An articulation of need for "commercial" (OSINT-based) SCRM from customers, and
  • A general scope of what types of acquisitions the need applies to (e.g., a list of PSCs, NAICS, FIPS ratings, ???).