presentation to itic improving cybersecurity through acquisition n.
Skip this Video
Loading SlideShow in 5 Seconds..
Presentation to: ITIC Improving Cybersecurity through Acquisition PowerPoint Presentation
Download Presentation
Presentation to: ITIC Improving Cybersecurity through Acquisition

Loading in 2 Seconds...

play fullscreen
1 / 11

Presentation to: ITIC Improving Cybersecurity through Acquisition - PowerPoint PPT Presentation

  • Uploaded on

Presentation to: ITIC Improving Cybersecurity through Acquisition. Emile Monette Senior Advisor for Cybersecurity GSA Office of Mission Assurance January 29, 2014. Background: We Have a Problem.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Presentation to: ITIC Improving Cybersecurity through Acquisition

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
presentation to itic improving cybersecurity through acquisition

Presentation to: ITICImproving Cybersecurity through Acquisition

Emile Monette

Senior Advisor for Cybersecurity

GSA Office of Mission Assurance

January 29, 2014

background we have a problem
Background: We Have a Problem
  • When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
    • Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
    • Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks
executive order 13636
Executive Order 13636
  • On February 12, 2013, the President issued Executive Order (EO) 13636 directing Federal agencies to provide stronger protections for cyber-based systems that are critical to our national and economic security. Section 8(e) of the EO required GSA and DoD to:

“… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”

  • GSA and DoD recommended six acquisition reforms:
    • Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
    • Address Cybersecurity in Relevant Training 
    • Develop Common Cybersecurity Definitions for Federal Acquisitions 
    • Institute a Federal Acquisition Cyber Risk Management Strategy
    • Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
    • Increase Government Accountability for Cyber Risk Management
white house response to 8 e recommendations
White House Response to 8(e) Recommendations
  • “DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
    • We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline requirements for all IT contracts.
    • DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
    • DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities.”
presidential policy directive 21
Presidential Policy Directive 21
  • Designates GSA as Co-Sector Specific Agency (SSA) for Government Facilities Sector with DHS
  • Requires GSA, in consultation with DoD and DHS, to:
    • “[P]rovide or support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for security of critical infrastructure.”
    • 1st next step - define which contracts are “for critical infrastructure systems,” and what the “audit rights for security” specifically encompass
      • Critical infrastructure systems could be any that support government essential functions, agency mission essential functions, or any functions on the DHS list of Critical Infrastructure at Greatest Risk of Cyber Attack
      • GSAM 552.239-71 provides a good starting point for defining the limits of the audit rights
open questions
Open Questions
  • Establish a govt-wide program/function at GSA?
    • Is there an appetite in the community for starting to address the acquisition cyber risk in “non-covered” acquisitions?
    • Is it possible to define in a specific way which types of buys present cyber risks (i.e., NAICS, PSCs, FSCs, NSNs?)?  
    • How do we prioritize? Is FIPS-199 high or moderate a good starting point?
    • What about non-covered, non-IT acquisitions (i.e., those that would not get a FIPS rating)?  No doubt, many present at least the possibility of cyber risk, how do/should those risks be assessed?  Ranked by mission criticality? and if yes, how is that defined?
  • Business Case needs:
    • An articulation of need for "commercial" (OSINT-based) SCRM from customers, and
    • A general scope of what types of acquisitions the need applies to (e.g., a list of PSCs, NAICS, FIPS ratings, ???).