the Defense Department and General Services Administration report on improving cyber security and resilience through acquisition. This report, developed as part of the President’s Executive Order on Cyber Security, forms the baseline for a fundamental shift in federal procurement policy. In short, going forward cyber security is going to be a core consideration in federal procurements. Contractors will likely find cyber security obligations embedded in their contracts, and may even find themselves excluded from the procurement process if certain cyber security benchmarks are not met.
The report spells out six key recommendations:
1) Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
2) Address Cybersecurity in Relevant Training
3) Develop Common Cybersecurity Definitions for Federal Acquisitions
4) Institute a Federal Acquisition Cyber Risk Management Strategy
5) Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
6) Increase Government Accountability for Cyber Risk Management
GSA's Presentation on Improving Cyber Security Through Acquisition
1. U.S. General Services Administration
Presentation to: WG#2
Improving Cybersecurity
through Acquisition
Emile Monette
Senior Advisor for Cybersecurity
GSA Office of Mission Assurance
emile.monette@gsa.gov
January 16, 2014
2. Background: We Have a Problem
When the government purchases products or services with
inadequate in-built “cybersecurity,” the risks created persist
throughout the lifespan of the item purchased. The lasting effect of
inadequate cybersecurity in acquired items is part of what makes
acquisition reform so important to achieving cybersecurity and
resiliency.
Currently, government and contractors use varied and nonstandard
practices, which make it difficult to consistently manage and measure
acquisition cyber risks across different organizations.
Meanwhile, due to the growing sophistication and complexity of ICT
and the global ICT supply chains, federal agency information systems
are increasingly at risk of compromise, and agencies need guidance
to help manage ICT supply chain risks
2
3. Executive Order 13636
On February 12, 2013, the President issued Executive Order (EO) 13636 directing Federal
agencies to provide stronger protections for cyber-based systems that are critical to our
national and economic security. Section 8(e) of the EO required GSA and DoD to:
“… make recommendations to the President, … on the feasibility, security benefits,
and relative merits of incorporating security standards into acquisition planning and
contract administration”
GSA and DoD recommended six acquisition reforms:
I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for
Appropriate Acquisitions
II. Address Cybersecurity in Relevant Training
III. Develop Common Cybersecurity Definitions for Federal Acquisitions
IV. Institute a Federal Acquisition Cyber Risk Management Strategy
V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their
Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate
Acquisitions
VI. Increase Government Accountability for Cyber Risk Management
3
4. White House Response to 8(e) Recommendations
•
“DoD and GSA did an outstanding job engaging with public and private sector
stakeholders to craft the report and provided realistic recommendations that
will improve the security and resilience of the nation when implemented.
Moving forward, we highlight that:
– We view the core recommendation to be the focus on incorporating cyber risk
management into enterprise acquisition risk management, built on “cybersecurity
hygiene” baseline requirements for all IT contracts.
– DoD and GSA must now move quickly to provide an implementation plan that
includes milestones and specific actions to ensure integration with the various
related activities like supply chain threat assessments and anti-counterfeiting.
– DoD and GSA should ensure the highest level of senior leadership endorsement,
accountability, and sustained commitment to implementing the recommendations
through near and long term action. This should be communicated clearly to the
Federal workforce, government contractors, and the oversight and legislative
communities.”
4
5. 8(e) Recommendations & Potential Impact
Recommendation
I. Institute Baseline Cybersecurity Requirements as a
Condition of Contract Award for Appropriate Acquisitions –
Basic cybersecurity hygiene is broadly accepted across the
government and the private sector as a way to reduce a
significant percentage of cyber risks. For acquisitions that
present cyber risks, the government should only do
business with organizations that meet such baseline
requirements in both their own operations and in the
products and services they deliver. The baseline should
be expressed in the technical requirements for the acquisition
and should include performance measures to ensure the
baseline is maintained and risks are identified.
Potential Impact
FAR 4.17 – Basic Safeguarding of Contractor Information (not
in FAR yet) could be updated to add definitions and
solicitation provisions/contract clauses.
FAR Part 7 – Acquisition Planning, could be updated to more
explicitly require the government to consider cybersecurity
requirements in the technical requirements of contracts.
FAR Par 12 – Acquisition of Commercial Items could be
updated to require solicitation provisions/contract clauses to
apply to commercial items.
FAR 52 – Development of solicitation provision(s) and
contract clause(s) for cybersecurity.
FAR4.4 – Safeguarding Classified Information Within Industry
should also be reviewed for updates related to cybersecurity.
FAR Part 39.102 Management of Risk – could be updated to
address certain types of cyber risk associated with IT
contracts.
5
6. 8(e) Recommendations & Potential Impact (cont’d)
Recommendation
II. Address Cybersecurity in Relevant Training –
As with any change to practice or policy, there is a concurrent
need to train the relevant workforces to adapt to the changes.
Incorporate acquisition cybersecurity into required
training curricula for appropriate workforces. Require
organizations that do business with the government to receive
training about the acquisition cybersecurity requirements of
the organization’s government contracts.
Potential Impact
FAR 52 – clauses might be developed to require specific
training for certain types of contracts where cyber risks are
high.
Note: OFPP, GSA (FAI), DHS (HSAI), and DoD (DAU) are
meeting Jan 16th to start implementing this recommendation.
Ms. Joanie Newhart, Associate Administrator for Acquisition
Workforce Programs in the Office of Federal Procurement Policy,
has agreed to convene/charter this informal group with the purpose
that the initial training be developed and provided to Acquisition
Workforce personnel government-wide.
The meeting will gather stakeholder representatives from the
relevant acquisition training communities to begin development of
(1) course curriculum, (2) training policy, and (3) project plans.
6
7. 8(e) Recommendations & Potential Impact (cont’d)
Recommendation
III. Develop Common Cybersecurity Definitions for Federal
Acquisitions –
Unclear and inconsistently defined terms lead, at best, to
suboptimal outcomes for both efficiency and cybersecurity.
Increasing the clarity of key cybersecurity terms in federal
acquisitions will increase efficiency and effectiveness for both
the government and the private sector. Key terms should
be defined in the Federal Acquisition Regulation.
Potential Impact
One option is to consider efforts already underway dealing
with higher-level quality standards and detection and
avoidance of counterfeit electronic parts. (FAR Case 2012032 Higher-Level Contract Quality Requirements). This case
revises FAR 46.202-4 to add new higher-level quality
standards developed by industry for counterfeit goods. Using
this case as an example, FAR 46 – Quality Assurance, could
also be revised to include industry standards for cybersecurity
in commercial items.
FAR 39 – Acquisition of Information Technology could be
updated to consider applicable definitions.
FAR 2 – Definitions of Words and Terms, is probably the
most obvious place to promulgate new acquisition definitions.
7
8. 8(e) Recommendations & Potential Impact (cont’d)
Recommendation
Potential Impact
IV. Institute a Federal Acquisition Cyber Risk Management
Strategy –
The FAR could be updated to provide standardized source
selection criteria, weighting for those criteria, and contract
performance measures for procurements that present high
From a government-wide cybersecurity perspective , identify levels of cyber risk.
a hierarchy of cyber risk criticality for
acquisitions. To maximize consistency in application of
procurement rules, develop and use “overlays” for similar
types of acquisition, starting with the types of acquisitions
that present the greatest cyber risk. An overlay is a fully
specified set of security requirements and supplemental
guidance that provide the ability to appropriately tailor security
requirements for specific technologies or product groups,
circumstances and conditions, and/or operational
environments.
Note: OMA/FAS/OGP are engaged in market research and
needs assessment with DHS , DoD OCIO, DIA, DISA and
NIST to develop a supply chain risk management function to
complement the processes used for National Security
Systems.
8
9. 8(e) Recommendations & Potential Impact (cont’d)
Recommendation
V. Include a Requirement to Purchase from Original
Equipment Manufacturers, Their Authorized Resellers, or
Other Trusted Sources, in Appropriate Acquisitions –
Potential Impact
The FAR could be updated to require consideration of cyber
risk when determining the type of acquisition method (best
value vs. LPTA) used.
The FAR could be updated to require purchases from a
In certain circumstances, the risk of receiving inauthentic or
reseller, distributor, wholesaler or broker that is a trusted
otherwise nonconforming items is best mitigated by obtaining supplier with the original equipment manufacturer (OEM) or
required items only from OEMs, their authorized
obtain assurances that the supplier can guarantee the
resellers, or other trusted sources. The cyber risk threshold security and integrity of the item being purchased. Potential
for application of this limitation of sources should be
conflicts with competition rules would have to be addressed.
consistent across the Federal government.
VI. Increase Government Accountability for Cyber Risk
Management –
Identify and modify government acquisition practices that
contribute to cyber risk. Integrate security standards into
acquisition planning and contract administration. Incorporate
cyber risk into enterprise risk management and ensure
key decision makers are accountable for managing risks
of cybersecurity shortfalls in a fielded solution.
The FAR could be updated to ensure contract administration
matters relevant to cybersecurity are considered (i.e., past
performance, Federal Awardee Performance and Integrity
Information Systems (FAPIIS), debarment/suspension, etc.)
9
10. Presidential Policy Directive 21
•
Designates GSA as Co-Sector Specific Agency (SSA) for Government
Facilities Sector with DHS
•
Requires GSA, in consultation with DoD and DHS, to:
– “[P]rovide or support government-wide contracts for critical infrastructure
systems and ensure that such contracts include audit rights for security of
critical infrastructure.”
– 1st next step - define which contracts are “for critical infrastructure systems,”
and what the “audit rights for security” specifically encompass
• Critical infrastructure systems could be any that support government essential
functions, agency mission essential functions, or any functions on the DHS list
of Critical Infrastructure at Greatest Risk of Cyber Attack
• GSAM 552.239-71 provides a good starting point for defining the limits of the
audit rights
10
11. Open Questions
•
•
Establish a govt-wide program/function at GSA?
– Is there an appetite in the community for starting to address the acquisition cyber
risk in “non-covered” acquisitions?
– Is it possible to define in a specific way which types of buys present cyber risks (i.e.,
NAICS, PSCs, FSCs, NSNs?)?
– How do we prioritize? Is FIPS-199 high or moderate a good starting point?
– What about non-covered, non-IT acquisitions (i.e., those that would not get a FIPS
rating)? No doubt, many present at least the possibility of cyber risk, how do/should
those risks be assessed? Ranked by mission criticality? and if yes, how is that
defined?
Business Case needs:
– An articulation of need for "commercial" (OSINT-based) SCRM from customers, and
– A general scope of what types of acquisitions the need applies to (e.g., a list of
PSCs, NAICS, FIPS ratings, ???).
11
Editor's Notes
Cybersecurity is the name for the policy – INFOSEC is the technical term
Basic terms: Buyers don’t always understand the risk or the risk tolerance of the organization
GSA/OMA and PBS/NCR are engaged with DHS/NPPD through the Interagency Security Committee, PPD-21 and Compliance Working Group, to accomplish the SSA deliverables.
Development and/or identification of the contracts will be accomplished through a multi-stakeholder deliberative process, leverage ongoing industry-government collaboration, and focus on transparency, efficiency, and consensus.
The clause at GSAM 552.239-71, Security Requirements for Unclassified Information Technology Resources (Jan. 2012), requires contractors that provide “information technology resources or services in which the Contractor has physical or electronic access to GSA’s information” to develop and maintain information technology security and continuous monitoring plans. The clause also provides GSA access to a contractor’s and subcontractors’ “facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location.” This clause provides access to contractors, subcontractors and potentially to suppliers at all tiers of the supply chain, and includes rights “to conduct an inspection, evaluation, investigation or audit, including vulnerability testing to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data or to the function of information technology systems operated on behalf of GSA, and to preserve evidence of computer crime.” Given the scope of this existing clause, the only change required to fulfill the critical infrastructure contracts requirements of PPD-21 might be an expansion of the applicability of the clause to a broader range of contracts.
48 C.F.R. § 552.239-71(b)-(d) (2013).
Id. at 552.239-71(k).
Id.