IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Similar documents
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

National Policy and Guiding Principles

The Office of Infrastructure Protection

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

DFARS Cyber Rule Considerations For Contractors In 2018

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Click to edit Master title style

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

HELLO, MOSCOW. GREETINGS, BEIJING. ADDRESSING RISK IN YOUR IT SUPPLY CHAIN

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

FISMA Cybersecurity Performance Metrics and Scoring

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

ROADMAP TO DFARS COMPLIANCE

Request for Information Strategies to Improve Maritime Supply Chain Security and Achieve 100% Overseas Scanning

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Cybersecurity Risk Management

Federal Government. Each fiscal year the Federal Government is challenged CATEGORY MANAGEMENT IN THE WHAT IS CATEGORY MANAGEMENT?

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Appendix 12 Risk Assessment Plan

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

Section One of the Order: The Cybersecurity of Federal Networks.

European Union Agency for Network and Information Security

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

DoDD DoDI

Emergency Support Function #2 Communications Annex INTRODUCTION. Purpose. Scope. ESF Coordinator: Support Agencies: Primary Agencies:

Cybersecurity in Acquisition

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Appendix 12 Risk Assessment Plan

Cybersecurity & Privacy Enhancements

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Implementing Executive Order and Presidential Policy Directive 21

PIPELINE SECURITY An Overview of TSA Programs

General Framework for Secure IoT Systems

FiXs - Federated and Secure Identity Management in Operation

Federal Data Center Consolidation Initiative (FDCCI) Workshop III: Final Data Center Consolidation Plan

DHS Cybersecurity: Services for State and Local Officials. February 2017

Overview of the Cybersecurity Framework

Alternative Fuel Vehicles in State Energy Assurance Planning

Federal Data Center Consolidation Initiative (FDCCI) Workshop I: Initial Data Center Consolidation Plan

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

Medical Device Cybersecurity: FDA Perspective

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

U.S. Japan Internet Economy Industry Forum Joint Statement October 2013 Keidanren The American Chamber of Commerce in Japan

Introduction brief to the ISCe Satellite and Communications Conference

HPH SCC CYBERSECURITY WORKING GROUP

how to manage risks in those rare cases where existing mitigation mechanisms are insufficient or impractical.

Federal Mobility: A Year in Review

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure:

Presidential Documents

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Updates to the NIST Cybersecurity Framework

Managing Supply Chain Risks for SCADA Systems

The NIST Cybersecurity Framework

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS

GLOBAL INDICATORS OF REGULATORY GOVERNANCE. Scoring Methodology

NDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly.

NIST Special Publication

Cybersecurity Overview

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

March 21, 2016 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES. Building National Capabilities for Long-Term Drought Resilience

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

MANAGING CYBER RISK: THE HUMAN ELEMENTS OF CYBERSECURITY

INFORMATION ASSURANCE DIRECTORATE

Security Standards for Electric Market Participants

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Inapplicability to Non-Federal Sales and Use

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

Cybersecurity Risk Management:

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

INFORMATION ASSURANCE DIRECTORATE

DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security

Appendix 2B. Supply Chain Risk Management Plan

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

ISOO CUI Overview for ACSAC

FedRAMP Security Assessment Framework. Version 2.0

DoD Software Assurance Initiative. Mitchell Komaroff, OASD (NII)/DCIO Kristen Baldwin, OUSD(AT&L)/DS

The Honest Advantage

Views on the Framework for Improving Critical Infrastructure Cybersecurity

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Information and Communication Technology (ICT) Supply Chain Security Emerging Solutions

Oregon Fire Service Conference Enterprise Security Office Update. October 26, 2018

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Engineering for System Assurance Legacy, Life Cycle, Leadership

Physical Security Reliability Standard Implementation

Transcription:

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION Briefing for OFPP Working Group 19 Feb 2015 Emile Monette GSA Office of Governmentwide Policy emile.monette@gsa.gov

Cybersecurity Threats are Sometimes Enabled by Federal Acquisition Practices When the government purchases products, services, or solutions from sellers with inadequate integrity, security, resilience, and quality in their deliverables or operations, the risks created for the government persist throughout the lifespan of the item purchased (or until they re fixed) and often result in increased costs to the government and contractors. Cybersecurity risks are present in all purchased products, services, or solutions that connect in any way to a government information system and/or which contain, transmit, or process information provided by or generated for the government to support the operations and assets of a Federal agency. Federal buyers need better visibility into, and understanding of, how the products, services, and solutions they buy are developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products and services. This visibility should extend through all companies directly involved in delivery of products, services, and solutions to the government, and through all tiers of the supply chain. 1

Executive Order 13636 Section 8(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity. Interpretation: Not limited to critical infrastructure Scope is all acquisition planning, contract administration, and procurement requirements 2

EO13636 Section 8(e) Report The Final Report, "Improving Cybersecurity and Resilience through Acquisition," was publicly released January 23, 2014: (http://gsa.gov/portal/content/176547) Recommends six acquisition reforms: I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions II. Address Cybersecurity in Relevant Training III. Develop Common Cybersecurity Definitions for Federal Acquisitions IV. Institute a Federal Acquisition Cyber Risk Management Strategy V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, Whenever Available, in Appropriate Acquisitions VI. Increase Government Accountability for Cyber Risk Management Ultimate goal of the recommendations is to strengthen the federal government s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System 3

Recommendation Implementation I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions Strong passwords, multi-factor login, anti-virus, Cybersecurity Framework Profile? Matched to Controlled Unclassified Information (CUI) rules? CUI rulemaking in process anticipates establishing a single Federal Acquisitions Regulation (FAR) clause that will apply the requirements of the proposed rule to the contractor environment OMB contract clauses working group (CAO + CIO Councils) OFPP received 70 responses to the Request for Cyber/Information Security Clauses & Materials (Dec 10, 2014). The spreadsheet of submissions is posted on the Cybersecurity Contracting Best Practice Submission MAX page. OFPP is forming a joint CIOC/CAOC contracting clauses working group to review materials and make recommendations. *Also relevant for Cybersecurity Risk Management Strategy (Rec IV) 4

Recommendation Implementation (cont.) II. Address Cybersecurity in Relevant Training Dec 2014 - focus group meeting at the Homeland Security Acquisition Institute (HSAI) consisting of acquisition personnel from the DHS components to discuss the cyber training needs of the field. Preliminary report was generated based on the feedback received. III.Develop Common Cybersecurity Definitions for Federal Acquisitions Federal Register Notice to be published soliciting greater participation IV.Institute a Federal Acquisition Cyber Risk Management Strategy Focus on mission priority and criticality of item being purchased Common way to assess risk of item being purchased includes deployed environment, hardware, software, service provision, and supply chain Request for Information closed 16 Feb 2015 https://www.fbo.gov/notices/230732591f542b7da9b9fc3e6c167eec 5

Recommendation Implementation (cont.) V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, Whenever Available, in Appropriate Acquisitions Five sub-groups: Industry Best Practices for Indicating Authorized Partners & Resellers Industry Best Practices for establishing and maintaining Trusted Suppliers Definitions, Parameters, and Boundaries Revise, Update, and Adapt Current Policy Provisions Waiver / Exception Provision VI.Increase Government Accountability for Cyber Risk Management Analogy to legal review throughout Acquisition process Certification of (1) understanding of risk, and (2) management satisfies risk tolerance 6

Implementation Working Group leads 1. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions - Don Davidson, OSD/OCIO donald.r.davidson4.civ@mail.mil 2. Address Cybersecurity in Relevant Training - Andre Wilkins, DHS/HSAI andre.wilkins@hq.dhs.gov 3. Develop Common Cybersecurity Definitions for Federal Acquisitions - Jon Boyens, NIST jon.boyens@nist.gov 4. Institute a Federal Acquisition Cyber Risk Management Strategy - Joyce Corell, ODNI 5. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, Whenever Available, in Appropriate Acquisitions - Emile Monette, GSA/OGP emile.monette@gsa.gov 6. Increase Government Accountability for Cyber Risk Management - Joe Jarzombek, DHS/NPPD/CS&C Joe.Jarzombek@hq.dhs.gov Working Groups will continue stakeholder-centric process Business Due Diligence Request for Information (https://www.fbo.gov/notices/230732591f542b7da9b9fc3e6c167eec) Spring 2015 Software and Supply Chain Assurance Forum 7

BUSINESS DUE DILIGENCE INFORMATION 8

Why is GSA interested in Business Due Diligence Information? GSA s Mission: Deliver the best value in real estate, acquisition, and technology services to government and the American people. GSA s #1 Priority: Delivering Better Value and Savings. By using the purchasing power of the federal government, we will drive down prices, deliver better value, and reduce costs to our customer agencies. As a result, these agencies can focus their resources and attention on their core missions. Customer Demand: DoD, DOE, Commerce, Justice, and Science agencies, and others have statutory and mission-related requirements for supply chain risk management; Other D/As recognize the threats and vulnerabilities inherent to the global supply chain (e.g., SSA, GSA) and seek greater confidence in deliverables and suppliers. 9

Business Due Diligence Pilot GSA is collaborating with its customer agencies and other stakeholders to establish a common set of risk indicators and risk research methodologies that can be used as the baseline for business due diligence research. Six-month pilot project to conduct open-source-based business due diligence risk research about GSA contractors. Risk information being used by GSA to: Engage contractors and collaboratively generate performance improvements; and Inform the development of requirements for initial operating capability. Open source business due diligence information will better inform customer agency risk decisions and provide greater confidence in contractors and deliverables Request for Information closes 16 Feb 2015 https://www.fbo.gov/notices/230732591f542b7da9b9fc3e6c167eec 10

Three Step Process. 1. Baseline information collection requirements what are the right risk indicators? 2. Collection, analysis, and sharing of risk information 3. Use the information specific use depends on end user risk tolerance; driven by mission priority and criticality 11

Authority to use Business Due Diligence Information in Acquisitions FAR 9.103 - - Policy ********* (c) The award of a contract to a supplier based on lowest evaluated price alone can be false economy if there is subsequent default, late deliveries, or other unsatisfactory performance resulting in additional contractual or administrative costs. While it is important that Government purchases be made at the lowest price, this does not require an award to a supplier solely because that supplier submits the lowest offer. FAR 9.104-2 -- Special Standards (a) When it is necessary for a particular acquisition or class of acquisitions, the contracting officer shall develop, with the assistance of appropriate specialists, special standards of responsibility. Special standards may be particularly desirable when experience has demonstrated that unusual expertise or specialized facilities are needed for adequate contract performance. 12

Authority to use Business Due Diligence Information in Acquisitions (cont.) FAR 9.105-1 -- Obtaining Information. (a) Before making a determination of responsibility, the contracting officer shall possess or obtain information sufficient to be satisfied that a prospective contractor currently meets the applicable standards ******* (c) In making the determination of responsibility, the contracting officer shall consider ****** o (3) Commercial sources of supplier information of a type offered to buyers in the private sector. 13

Authority to use Business Due Diligence Information in Acquisitions (cont.) OFPP Memo: Making Better Use of Contractor Performance Information July 10, 2014 [T]here is an increased risk of problems on high risk programs, major acquisitions, or other complex contract actions that are critical to an agency s mission. To address this risk and ensure we make awards to contractors with good performance records, as well as to encourage the use of new and innovative companies with little or no Federal experience, agencies are directed to undertake additional outreach and research to make more informed decisions. Broadening the Sources of Performance Information - The FAR allows the Government to consider information from additional sources of information beyond the Past Performance Information Retrieval System (PPIRS), including information found from conducting this additional research and outreach. 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback