
December 17, 2013

Presentation to: Software and Supply Chain Assurance Forum Improving Cybersecurity through Acquisition. December 17, 2013. Background: We Have a Problem.


Presentation Transcript


  1. Presentation to: Software and Supply Chain Assurance Forum
     Improving Cybersecurity through Acquisition
     December 17, 2013

  2. Background: We Have a Problem
     • When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.
     • Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.
     • Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.

  3. Executive Order 13636
     • On February 12, 2013, the President issued Executive Order (EO) 13636 directing Federal agencies to provide stronger protections for cyber-based systems that are critical to our national and economic security. Among other things, the EO required GSA and DoD to: “… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”
     • Collaborative effort between GSA, DoD, OFPP, DHS, and NIST
     • Over 60 individual stakeholder engagements in four months
     • Federal Register RFI – 28 comments received (www.regulations.gov)
     • Report to the POTUS recommending acquisition reforms that will result in improvements to cybersecurity

  4. Improving Cybersecurity Through Acquisition
     • Implementing the Recommendations:
       • Baseline cybersecurity requirements for contractors
         • Framework Profile? NIST SP 800-53r4? FIPS? SANS 20?
       • Training for Federal and industry workforces
         • Awareness, technology, products/services, contracting-specific
       • Cybersecurity definitions for contracts
         • Framework? CNSS? NIST SPs? FIPS?
       • Acquisition cybersecurity risk management strategy
         • NIST SP s + Framework Profile + FIPS + + +?
       • High-risk purchases only from “trusted” sources
         • OMs and “Authorized,” (OTTP-S, ISO, AS6496?) + FAR QBLs (9.2)
       • Increased government accountability for cybersecurity risk management
         • Define organizational risk tolerance

  5. What’s Next? Time to Engage!
     • Cyber-Acquisition RFI [date TBD]
       • Include outline of implementation plan and pose questions
       • Solicit public comment for 45 days
       • Public meetings / broad stakeholder outreach
       • Closing to coincide with final Cybersecurity Framework
       • Provide basis for FAR business case
     • Framework: http://www.nist.gov/itl/cybersecurity-102213.cfm
     • DHS Voluntary Program: EO-PPDTaskForce@hq.dhs.gov

  6. Contact Information
     Emile Monette
     Senior Advisor for Cybersecurity
     GSA Office of Mission Assurance
     emile.monette@gsa.gov
