GSA's Emile Monette's presentation before the DOD/DHS/NIST software and supply chain assurance forum: Improving cyber-security through acquisition

1. U.S. General Services Administration
Presentation to: Software and Supply Chain Assurance Forum
Improving Cybersecurity
through Acquisition
Emile Monette
Senior Advisor for Cybersecurity
GSA Office of Mission Assurance
emile.monette@gsa.gov
March 18, 2014

2. 2
Background: We Have a Problem
 When the government purchases products or services with
inadequate in-built “cybersecurity,” the risks created persist
throughout the lifespan of the item purchased. The lasting effect of
inadequate cybersecurity in acquired items is part of what makes
acquisition reform so important to achieving cybersecurity and
resiliency.
 Currently, government and contractors use varied and nonstandard
practices, which make it difficult to consistently manage and measure
acquisition cyber risks across different organizations.
 Meanwhile, due to the growing sophistication and complexity of ICT
and the global ICT supply chains, federal agency information systems
are increasingly at risk of compromise, and agencies need guidance
to help manage ICT supply chain risks

3. Executive Order 13636
 Section 8(e) of the EO required GSA and DoD to:
“… make recommendations to the President, … on the feasibility, security benefits,
and relative merits of incorporating security standards into acquisition planning and
contract administration”
 Report signed January 23, 2014 (http://gsa.gov/portal/content/176547)
 Recommends six acquisition reforms:
I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for
Appropriate Acquisitions
II. Address Cybersecurity in Relevant Training
III. Develop Common Cybersecurity Definitions for Federal Acquisitions
IV. Institute a Federal Acquisition Cyber Risk Management Strategy
V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their
Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate
Acquisitions
VI. Increase Government Accountability for Cyber Risk Management
3

4. NSCS Response to Recommendations
 “DoD and GSA did an outstanding job engaging with public and private sector
stakeholders to craft the report and provided realistic recommendations that
will improve the security and resilience of the nation when implemented.
Moving forward, we highlight that:
 We view the core recommendation to be the focus on incorporating cyber risk
management into enterprise acquisition risk management, built on “cybersecurity
hygiene” baseline requirements for all IT contracts.
 DoD and GSA must now move quickly to provide an implementation plan that
includes milestones and specific actions to ensure integration with the various
related activities like supply chain threat assessments and anti-counterfeiting.
 DoD and GSA should ensure the highest level of senior leadership endorsement,
accountability, and sustained commitment to implementing the recommendations
through near and long term action. This should be communicated clearly to the
Federal workforce, government contractors, and the oversight and legislative
communities.”
4

5. Now What?
 Implementation Plan –
Translate recommendations into actions and outcomes
Iterative process; sequential and concurrent implementation
Address recommendations in order of implementation
 Open, collaborative, stakeholder-centric process
Request for public comment 45 days (Responses due 28 Apr)
In-person meetings
Press / Media coverage
5

6. Emile’s Implementation Buzzword
Imperfect
[im-pur-fikt]
– of, pertaining to, or characterized by defects or
weaknesses:
Le mieux est l'ennemi du bien.
6

7. The first recommendation to be implemented…
IV. Institute a Federal Acquisition Cyber Risk Management
Strategy
– From a government-wide cybersecurity perspective, identify a hierarchy
of cyber risk criticality for acquisitions. To maximize consistency in
application of procurement rules, develop and use “overlays” for similar
types of acquisition, starting with the types of acquisitions that present
the greatest cyber risk.
– The government needs an interagency acquisition cyber risk
management strategy that requires agencies to ensure their
performance meets strategic cyber risk goals for acquisition and is part
of the government’s enterprise risk management strategy. The strategy
should be based on a government-wide perspective of acquisition, and
be primarily aligned with the methodologies and procedures developed
to address cyber risk in the Cybersecurity Framework. It should identify
a hierarchy of cyber risk criticality for acquisitions and include a risk-
based prioritization of acquisitions. The risk analysis should be
developed in alignment with the Federal Enterprise Architecture and
NIST Risk Management Framework (RMF).
7

8. About the Acquisition Cyber Risk Management Strategy
• Why this one first? Provides necessary foundation for
remaining recommendations
• What is it? Draws from the sourcing practices of spend
analysis, strategic categorization of buying activities, and
category management, combined with application of
information security controls and safeguards and
procurement risk management practices like pricing
methodology, source selection, and contract performance
management.
• How? Three-step process that produces: Category
Definitions, Risk Prioritization, and Overlays
8

9. Category Definitions
1. Grouping similar types of acquisitions together based on
characteristics of the product or service being acquired,
supplier or market segments, and prevalent
customer/buyer behavior.
– Categories must be right-sized – broad enough to be
understandable and provide economies of scale, but specific
enough to enable development of Overlays that provide
meaningful, adequate and appropriate safeguards for the types of
risks presented by the products or services in the Category
– Determine which Categories present potential cyber risk
• “Do purchases made in this Category present cyber risk to any
possible end user?”
9

10. Risk Assessment and Prioritization
3. Produce a hierarchy of Categories based on comparative
cyber risk.
– “Which of the Categories presents the greatest cyber risk as
compared to the other Categories?
– The Category that is determined to have the highest risk through
a comparative assessment would be the first one for which an
Overlay is developed.
• Unless….there is a compelling opportunity to develop
Overlays for a different Category first…
– Risk hierarchy provides reasoning – where a Category is
determined to have higher risk relative to other types of
acquisitions, the level of resources expended to address those
risks will also be justifiably higher.
10

11. Overlays
4. Develop Overlays – a tool for acquisition officials to use
throughout the acquisition lifecycle, and include:
– An articulation of the level of risk presented by the Category
derived from the risk assessment;
– A specific set of minimum controls that must be included in the
technical specifications, acquisition plan, and during contract
administration and performance for any acquisition in the Category;
– The universe of additional controls that are relevant to the Category
but are not required in the minimum (i.e., a “menu”), and
– Examples of sets of the identified additional controls that apply to
particular use cases (e.g., FIPS 199 High or Moderate system
acquisition), as applicable.
11

12. Federal Register Notice & Request for Comment
• Joint Working Group on Improving Cybersecurity and
Resilience Through Acquisition, 79 Fed. Reg. 14042 (Mar.
12, 2014); responses due 28 Apr
• Directs readers to http://gsa.gov/portal/content/176547
– Memo for Commenters – context and caveats
– Draft Implementation Plan
• Background, assumptions, constraints, etc., process map for
implementation of recommendations
• Will include an Appendix for each recommendation
– Appendix I
• Presents a notional “model” for category definitions, including taxonomy
based on PSCs
12

13. A compelling opportunity……..
• Alliant II – The Alliant program office seeks to develop and
implement a robust set of cybersecurity protections for the
forthcoming Alliant II GWAC
– Contract Overlays
1. Develop a “cross-walk” that maps the PSCs identified as within scope
of Alliant 2 (https://interact.gsa.gov/document/interact-question-2-
%E2%80%93-product-service-codes-pscs) to the Category
definitions in the draft GSA-DoD Implementation Plan for the
recommendations included in the joint report Improving Cybersecurity
and Resilience through Acquisition
(http://www.gsa.gov/portal/content/176547).
2. Identify Cybersecurity Framework controls applicable to the Alliant
contract.
3. Identify acquisition safeguards/controls applicable to the Alliant
contract
13