U.S. General Services Administration Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity through Acquisition Emile Monette Senior Advisor for Cybersecurity GSA Office of Mission Assurance [email protected]

Post on 02-Jan-2016



TRANSCRIPT

Page 1: Presentation to: ACT-IAC Cybersecurity SIG Improving Cybersecurity  through Acquisition

U.S. General Services Administration

Presentation to: ACT-IAC Cybersecurity SIG

Improving Cybersecurity through Acquisition

Emile Monette
Senior Advisor for Cybersecurity
GSA Office of Mission Assurance

[email protected]

March 5, 2014

Page 2

Background: We Have a Problem

When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.

Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.

Meanwhile, due to the growing sophistication and complexity of ICT and the global ICT supply chains, federal agency information systems are increasingly at risk of compromise, and agencies need guidance to help manage ICT supply chain risks.

Page 3

Executive Order 13636

Section 8(e) of the Executive Order required GSA and DoD to:

“… make recommendations to the President, … on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration”

Report signed January 23, 2014 (http://gsa.gov/portal/content/176547)

Recommends six acquisition reforms:

I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions

II. Address Cybersecurity in Relevant Training 

III. Develop Common Cybersecurity Definitions for Federal Acquisitions 

IV. Institute a Federal Acquisition Cyber Risk Management Strategy

V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions

VI. Increase Government Accountability for Cyber Risk Management


Page 4

White House Response to Recommendations

“DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented.

Moving forward, we highlight that:

• We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on “cybersecurity hygiene” baseline requirements for all IT contracts.

• DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.

• DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities.”

Page 5

Now What?

• Implementation Plan – Translate recommendations into actions and outcomes

– Iterative process; sequential and concurrent implementation

– Address recommendations in order of implementation

• Open, collaborative, stakeholder-centric process

– Request for public comment (45 days)

– In-person meetings

– Press / Media coverage

Page 6

The first recommendation to be implemented…

• Institute a Federal Acquisition Cyber Risk Management Strategy

– Provides necessary foundation for remaining recommendations

– Draws from the sourcing practices of spend analysis, strategic categorization of buying activities, and category management, combined with application of information security controls and safeguards and procurement risk management practices like pricing methodology, source selection, and contract performance management.

– Outputs: Category Definitions, Risk Prioritization, and Overlays

Page 7

Category Definitions

• Grouping similar types of acquisitions together based on characteristics of the product or service being acquired, supplier or market segments, and prevalent customer/buyer behavior.

– Categories must be broad enough to be understandable and provide economies of scale, but specific enough to enable development of Overlays that provide meaningful, adequate and appropriate safeguards for the types of risks presented by the products or services in the Category

• Determine which Categories present potential cyber risk

– “Does this Category present cyber risk to any possible end user?”

Page 8

Risk Assessment and Prioritization

• Produce a ranked list of Categories based on comparative cyber risk.

– “Which of the Categories presents the greatest cyber risk as compared to the other Categories?”

– The Category that is determined to have the highest risk through this comparative assessment would be the first one for which an Overlay is developed.

– Where a Category is determined to have higher risk relative to other types of acquisitions, the level of resources expended to address those risks will also be justifiably higher.


Page 9

Overlays

• Overlays are a tool for acquisition officials to use throughout the acquisition lifecycle, and include:

– An articulation of the level of risk presented by the Category that links the level of risk of the Category to the risk assessment;

– A specific set of minimum controls that must be included in the technical specifications, acquisition plan, and during contract administration and performance for any acquisition in the Category;

– The universe of additional controls that are relevant to the Category but are not required in the minimum (i.e., a “menu”), and

– Examples of sets of the identified additional controls that apply to particular use cases (e.g., FIPS 199 High or Moderate system acquisition), as applicable.


Page 10

Federal Register Notice & Request for Comment

• To be published early this month; open 45 days

• Directs readers to http://gsa.gov/portal/content/176547

– Draft Implementation Plan

• Background, assumptions, constraints, etc., process map for implementation of recommendations

• Will include an Appendix for each recommendation

– Appendix I

• Presents a notional “model” for category definitions, including taxonomy based on PSCs

• Request for ACT-IAC members: Comment!