Emile Monette: How do we Strengthen the Public-Private Partnership to Mitigate and Minimize the Damage: Improving Cybersecurity and Resilience Through Acquisition

Page 1

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Implementation of the Final Report of the Department of Defense and General Services Administration

Emile Monette, GSA Office of Mission Assurance

23 Oct 2014

Page 2

Acquisition Reform is Part of the Answer

When the government purchases products or services with inadequate in-built “cybersecurity,” the risks created persist throughout the lifespan of the item purchased. The lasting effect of inadequate cybersecurity in acquired items is part of what makes acquisition reform so important to achieving cybersecurity and resiliency.

Currently, government and contractors use varied and nonstandard practices, which make it difficult to consistently manage and measure acquisition cyber risks across different organizations.

Executive Order 13636 and Presidential Policy Directive 21, issued concurrently in February 2013, require the agencies to take an integrated approach to cybersecurity through a variety of channels, including Federal acquisition.

Page 3

Executive Order 13636

On February 12, 2013, the President issued an Executive Order for “Improving Critical Infrastructure Cybersecurity,” directing Federal agencies to provide stronger protections for cyber-based systems that are critical to national and economic security.

Section 8(e) of the EO required GSA and DoD, in consultation with DHS and the FAR Council:

“Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

Page 4

Joint Working Group

The “Joint Working Group on Improving Cybersecurity and Resilience through Acquisition” was formed to prepare the Section 8(e) Report.

Core group comprised of topic-knowledgeable individuals representing broad expertise in information security and acquisition disciplines, selected from:

- DoD: USD-AT&L (DPAP, SE, C3CB), DoD-CIO, DISA, DIA
- GSA: OMA, FAS (ITS/SSD), OCIO, OGP (ME, MV), OGC, OCSIT, PBS
- DHS: NPPD (CS&C), USM (OCPO, OSA)
- Commerce: NIST
- EOP: OMB (OSTP, OFPP), NSC

120-day collaborative effort with high level of stakeholder input:

- Over 60 individual engagements: Industry Associations, Critical Infrastructure Partnership Advisory Council Sector Coordinating Councils, individual large and small companies, media interviews
- Federal Register Notice: 28 comments received (closed June 2013)

Page 5

Section 8(e) Report

Ultimate goal of the recommendations is to strengthen the federal government’s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System.

The Final Report, "Improving Cybersecurity and Resilience through Acquisition," was publicly released January 23, 2014: http://gsa.gov/portal/content/176547

Recommends six acquisition reforms:

I. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
II. Address Cybersecurity in Relevant Training
III. Develop Common Cybersecurity Definitions for Federal Acquisitions
IV. Institute a Federal Acquisition Cyber Risk Management Strategy
V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
VI. Increase Government Accountability for Cyber Risk Management

Page 6

Next Steps

Working Group leads:

1. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
   - Don Davidson, OSD/CIO [email protected]
2. Address Cybersecurity in Relevant Training
   - Andre Wilkins, DHS/HSAI [email protected]
3. Develop Common Cybersecurity Definitions for Federal Acquisitions
   - Jon Boyens, NIST [email protected]
4. Institute a Federal Acquisition Cyber Risk Management Strategy
   - Don Johnson, OUSD/AT&L [email protected]
5. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
   - Emile Monette, GSA/OMA [email protected]
6. Increase Government Accountability for Cyber Risk Management
   - Joe Jarzombek, DHS/NPPD/CS&C [email protected]

Working Group will continue stakeholder-centric process:

- Federal Register Requests for Comment
- Conferences, symposia, meetings, media
- Iterative implementation, linked to existing rules / practices
- Focus on mission/function prioritization and criticality to assess risk