Presentation to: ACT-IAC Cybersecurity SIG
Improving Cybersecurity through Acquisition
Emile Monette, Senior Advisor for Cybersecurity, GSA Office of Mission Assurance
emile.monette@gsa.gov
March 5, 2014
Background: We Have a Problem
• When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
• Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
• Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.
Executive Order 13636
• Section 8(e) of the Order required GSA and DoD to: “… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”
• Report signed January 23, 2014 (http://gsa.gov/portal/content/176547)
• Recommends six acquisition reforms:
  • Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
  • Address Cybersecurity in Relevant Training
  • Develop Common Cybersecurity Definitions for Federal Acquisitions
  • Institute a Federal Acquisition Cyber Risk Management Strategy
  • Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
  • Increase Government Accountability for Cyber Risk Management
White House Response to Recommendations
• “DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
  • We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline requirements for all IT contracts.
  • DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
  • DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities.”
Now What?
• Implementation Plan
  • Translate recommendations into actions and outcomes
  • Iterative process; sequential and concurrent implementation
  • Address recommendations in order of implementation
• Open, collaborative, stakeholder-centric process
  • Request for public comment (45 days)
  • In-person meetings
  • Press / media coverage
The first recommendation to be implemented…
• Institute a Federal Acquisition Cyber Risk Management Strategy
  • Provides the necessary foundation for the remaining recommendations
  • Draws from the sourcing practices of spend analysis, strategic categorization of buying activities, and category management, combined with application of information security controls and safeguards and procurement risk management practices like pricing methodology, source selection, and contract performance management.
  • Outputs: Category Definitions, Risk Prioritization, and Overlays
Category Definitions
• Grouping similar types of acquisitions together based on characteristics of the product or service being acquired, supplier or market segments, and prevalent customer/buyer behavior.
• Categories must be broad enough to be understandable and provide economies of scale, but specific enough to enable development of Overlays that provide meaningful, adequate and appropriate safeguards for the types of risks presented by the products or services in the Category.
• Determine which Categories present potential cyber risk:
  • “Does this Category present cyber risk to any possible end user?”
Risk Assessment and Prioritization
• Produce a ranked list of Categories based on comparative cyber risk:
  • “Which of the Categories presents the greatest cyber risk as compared to the other Categories?”
• The Category that is determined to have the highest risk through this comparative assessment would be the first one for which an Overlay is developed.
• Where a Category is determined to have higher risk relative to other types of acquisitions, the level of resources expended to address those risks will also be justifiably higher.
Overlays
• Overlays are a tool for acquisition officials to use throughout the acquisition lifecycle, and include:
  • An articulation of the level of risk presented by the Category that links the level of risk of the Category to the risk assessment;
  • A specific set of minimum controls that must be included in the technical specifications, acquisition plan, and during contract administration and performance for any acquisition in the Category;
  • The universe of additional controls that are relevant to the Category but are not required in the minimum (i.e., a “menu”); and
  • Examples of sets of the identified additional controls that apply to particular use cases (e.g., FIPS 199 High or Moderate system acquisition), as applicable.
Federal Register Notice & Request for Comment
• To be published early this month; open 45 days
• Directs readers to http://gsa.gov/portal/content/176547
• Draft Implementation Plan
  • Background, assumptions, constraints, etc., and a process map for implementation of the recommendations
  • Will include an Appendix for each recommendation
  • Appendix I presents a notional “model” for category definitions, including a taxonomy based on PSCs
• Request for ACT-IAC members: Comment!