Presentation to: Software and Supply Chain Assurance Forum
Improving Cybersecurity through Acquisition
December 17, 2013
Background: We Have a Problem
• When the government purchases products or services with inadequate built-in cybersecurity, the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
• Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
• Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
Executive Order 13636
• On February 12, 2013, the President issued Executive Order (EO) 13636, directing Federal agencies to provide stronger protections for cyber-based systems that are critical to our national and economic security. Among other things, the EO required GSA and DoD to: “… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”
• Collaborative effort between GSA, DoD, OFPP, DHS, and NIST
• Over 60 individual stakeholder engagements in four months
• Federal Register RFI – 28 comments received (www.regulations.gov)
• Report to the POTUS recommending acquisition reforms that will result in improvements to cybersecurity
Improving Cybersecurity Through Acquisition
• Implementing the Recommendations:
  • Baseline cybersecurity requirements for contractors
    • Framework Profile? NIST SP 800-53r4? FIPS? SANS 20?
  • Training for Federal and industry workforces
    • Awareness, technology, products/services, contracting-specific
  • Cybersecurity definitions for contracts
    • Framework? CNSS? NIST SPs? FIPS?
  • Acquisition cybersecurity risk management strategy
    • NIST SPs + Framework Profile + FIPS + ...?
  • High-risk purchases only from “trusted” sources
    • OEMs and “Authorized” (OTTP-S, ISO, AS6496?) + FAR QBLs (9.2)
  • Increased government accountability for cybersecurity risk management
    • Define organizational risk tolerance
What’s Next? Time to Engage!
• Cyber-Acquisition RFI [date TBD]
  • Include outline of implementation plan and pose questions
  • Solicit public comment for 45 days
  • Public meetings / broad stakeholder outreach
  • Closing to coincide with final Cybersecurity Framework
  • Provide basis for FAR business case
• Framework: http://www.nist.gov/itl/cybersecurity-102213.cfm
• DHS Voluntary Program: EO-PPDTaskForce@hq.dhs.gov
Contact Information
Emile Monette
Senior Advisor for Cybersecurity
GSA Office of Mission Assurance
emile.monette@gsa.gov