Improving Cyber Resilience Through Acquisition
|
|
- Shon Henry
- 7 years ago
- Views:
Transcription
1 Improving Cyber Resilience Through Acquisition Independent Telecommunications Pioneer Association (ITPA) Luncheon Series DON JOHNSON Office of the Secretary of Defense C3 and Cyber February 6,
2 Today s Objective Provide background in acquisition of IT and related cyber systems Provide insight into January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition Another step toward an era where most every government contractor must satisfy baseline cybersecurity requirements. 2
3 Improving Cyber Security In the Larger Context The best cyber program is only as good as a agile environment where IT is able to adapt to rapidly changing environment Requires changes in culture (not a short term effort) Requires change in processes Requires enterprise governance Requires standardization
4 Challenges - Patchwork & Cyber Vulnerabilities The problem is that too many parts of the department, especially in the information technology arena, cling to separate infrastructure and processes. All of our bases, operational headquarters and defense agencies have their own IT infrastructures, processes, and application-ware. This decentralization approach results in large cumulative costs, and a patchwork of capabilities that create cyber vulnerabilities and limit our ability to capitalize on the promise of information technology. Therefore, I am directing an effort to consolidate these assets to take advantage of the Department s significant economies of scale, thereby creating savings in acquisition, sustainment, and manpower costs My hope and expectation is that the efforts we have launched will lead to the kind of cultural changes that over time become a part of this department s DNA and institutional memory 4
5 Call for Fundamental Change Acquisition Long acquisition cycle-times Limited flexibility and agility Requirements Understanding and prioritizing requirements IT requirements are overly detailed Test/Evaluation Testing is too late and serially Funding & Governance Program-centric Overlapping decision layers Funding inflexibility & negative incentives 5
6 2010 National Defense Authorization Act IMPLEMENTATION OF NEW ACQUISITION PROCESS FOR INFORMATION TECHNOLOGY SYSTEMS NEW ACQUISITION PROCESS REQUIRED The Secretary of Defense shall develop and implement a new acquisition process for information technology systems Be based on the recommendations in Chapter 6 of the March 2009 report of the DSB Task Force on DoD and Procedures for the Acquisition of Information Technology Be designed to include (A) early and continual involvement of the user; (B) multiple, rapidly executed increments or releases of capability; (C) early, successive prototyping to support an evolutionary approach; (D) a modular, open-systems approach 2
7 Acquisition Model Chapter 6 of March 2009 DSB Report Milestone Build Decision ICD Business Case Analysis and Development Architectural Development and Risk Reduction Coordinated DOD stakeholder involvement Up to 2 years CDD RELEASE 1 Development & Demonstration Prototypes Iteration1 Iteration 2 Iteration N Integrated DT / OT 6 to 18 months Fielding RELEASE 2 Prototypes Development & Demonstration Iteration 1 Iteration 2 Iteration 3 Fielding ICD Initial Capability Document CDD Capabilities Development Document Decision Point RELEASE N Prototypes Development & Demonstration Iteration 1 Iteration 2 Iteration 3 Fielding Acquisition Model: Continuous Technology/Requirements Development & Maturation Impact to Core DoD Processes Requirements: From: fix set of requirements; To: evolving requirements & user role throughout Delivery: From: static waterfall model; To: Agile model with user feedback driving priorities Governance: From: Driven by Milestones & breaches ; To: More frequent review- delivery focused Functional Areas: From: rigor tied to documentation for single milestone; To: rigor tied to demonstrated risk and delivery of capabilities
8 Improving Cybersecurity and Resilience Through Acquisition On February 12, 2013, the President issued Executive Order for Improving Critical Infrastructure Cybersecurity (EO) directing Federal agencies to use their existing authorities and increase cooperation with the private sector to provide stronger protections Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity. 8
9 Jan 23, 2014 DoD & GSA Joint Report on Improving Cybersecurity and Resilience Through Acquisition 1. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisition 2. Address Cybersecurity in Relevant Training 3. Develop Common Cybersecurity Definitions for Federal Acquisitions 4. Institute a Federal Acquisition Cyber Risk Management Strategy 5. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, Whenever Available, in Appropriate Acquisitions 6. Increase Government Accountability for Cyber Risk Management Ultimate goal of the recommendations is to strengthen the federal government s cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System
10 Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions Recommendation Potential Impact Basic cybersecurity hygiene is broadly accepted across the government and the private sector as a way to reduce a significant percentage of cyber risks. For acquisitions that present cyber risks, the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver. The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified. FAR 4.17 Basic Safeguarding of Contractor Information (not in FAR yet) could be updated to add definitions and solicitation provisions/contract clauses. FAR Part 7 Acquisition Planning, could be updated to more explicitly require the government to consider cybersecurity requirements in the technical requirements of contracts. FAR Par 12 Acquisition of Commercial Items could be updated to require solicitation provisions/contract clauses to apply to commercial items. FAR 52 Development of solicitation provision(s) and contract clause(s) for cybersecurity. FAR4.4 Safeguarding Classified Information Within Industry should also be reviewed for updates related to cybersecurity. FAR Part Management of Risk could be updated to address certain types of cyber risk associated with IT contracts.
11 Change is Beginning November 18, New DoD Rules on Cyber DFARS Safeguarding Unclassified Controlled Technical Information and corresponding contract clause (DFARS Safeguarding of Unclassified Controlled Technical Information. This clause will be included in all DOD contracts beginning November 18, 2013, and prime contractors must include the clause in all subcontracts from that point on, including subcontracts for commercial items. DFARS New Data Security Requirements. Requires contractors to implement security programs on any systems that store or transmit unclassified controlled technical information. The new category of unclassified controlled technical information includes all technical data and computer software with military or space application that is subject to DOD access controls. DFARS (d)(1), New Cyber Incident and Compromise Reporting. The new reporting component requires contractors to report cyber incidents to DOD within 72 hours of discovering the incident. 11
12 Address Cybersecurity in Relevant Training Recommendation As with any change to practice or policy, there is a concurrent need to train the relevant workforces to adapt to the changes. Incorporate acquisition cybersecurity into required training curricula for appropriate workforces. Require organizations that do business with the government to receive training about the acquisition cybersecurity requirements of the organization s government contracts. Potential Impact FAR 52 clauses might be developed to require specific training for certain types of contracts where cyber risks are high. Note: OFPP, GSA (FAI), DHS (HSAI), and DoD (DAU) met to start implementing this recommendation. Administrator for Acquisition Workforce Programs in the Office of Federal Procurement Policy, has agreed to convene/charter this informal group with the purpose that the initial training be developed and provided to Acquisition Workforce personnel government-wide.
13 Change is Beginning DoD establishing a Cyberspace Training Advisory Council to help guide Training of cyberspace-related workforce: Identify, review and assess training standards Identify gaps in workforce capabilities Establish training solutions 13
14 Develop Common Cybersecurity Definitions for Federal Acquisitions Recommendation Potential Impact III. Develop Common Cybersecurity Definitions for Federal Acquisitions Unclear and inconsistently defined terms lead, at best, to suboptimal outcomes for both efficiency and cybersecurity. Increasing the clarity of key cybersecurity terms in federal acquisitions will increase efficiency and effectiveness for both the government and the private sector. Key terms should be defined in the Federal Acquisition Regulation. One option is to consider efforts already underway dealing with higher-level quality standards and detection and avoidance of counterfeit electronic parts. (FAR Case Higher-Level Contract Quality Requirements). This case revises FAR to add new higher-level quality standards developed by industry for counterfeit goods. Using this case as an example, FAR 46 Quality Assurance, could also be revised to include industry standards for cybersecurity in commercial items. FAR 39 Acquisition of Information Technology could be updated to consider applicable definitions. FAR 2 Definitions of Words and Terms, is probably the most obvious place to promulgate new acquisition definitions.
15 DoD Adopts NIST s Risk Management Framework, used by Civil and Intel Communities 15
16 Institute a Federal Acquisition Cyber Risk Management Strategy Recommendation Potential Impact IV. Institute a Federal Acquisition Cyber Risk Management From a government-wide cybersecurity perspective, identify a hierarchy of cyber risk criticality for acquisitions. To maximize consistency in application of procurement rules, develop and use overlays for similar types of acquisition, starting with the types of acquisitions that present the greatest cyber risk. The FAR could be updated to provide standardized source selection criteria, weighting for those criteria, and contract performance measures for procurements that present high levels of cyber risk. Note: OMA/FAS/OGP are engaged in market research and needs assessment with DHS, DoD OCIO, DIA, DISA and NIST to develop a supply chain risk management function to complement the processes used for National Security Systems. An overlay is a fully specified set of security requirements and supplemental guidance that provide the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.
17 DIACAP Activities as Replaced by RMF Steps 17
18 Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, in Appropriate Acquisition Recommendation V. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, in Appropriate Acquisitions In certain circumstances, the risk of receiving inauthentic or otherwise nonconforming items is best mitigated by obtaining required items only from OEMs, their authorized resellers, or other trusted sources. The cyber risk threshold for application of this limitation of sources should be consistent across the Federal government. Potential Impact The FAR could be updated to require consideration of cyber risk when determining the type of acquisition method (best value vs. LPTA) used. The FAR could be updated to require purchases from a reseller, distributor, wholesaler or broker that is a trusted supplier with the original equipment manufacturer (OEM) or obtain assurances that the supplier can guarantee the security and integrity of the item being purchased. Potential conflicts with competition rules would have to be addressed. VI. Increase Government Accountability for Cyber Risk Management Identify and modify government acquisition practices that contribute to cyber risk. Integrate security standards into acquisition planning and contract administration. Incorporate cyber risk into enterprise risk management and ensure key decision makers are accountable for managing risks of cybersecurity shortfalls in a fielded solution. The FAR could be updated to ensure contract administration matters relevant to cybersecurity are considered (i.e., past performance, Federal Awardee Performance and Integrity Information Systems (FAPIIS), debarment/suspension, etc.)
19 White House Response DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that: We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on cybersecurity hygiene baseline requirements for all IT contracts. DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting. DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near and long term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities. 19
No. 33 February 19, 2013. The President
Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001
More informationSeptember 10, 2015. Dear Administrator Scott:
September 10, 2015 Tony Scott United States Chief Information Officer Administrator, Office of Electronic Government and Information Technology Office of Management and Budget 725 17th Street, NW Washington,
More informationTELECOMMUNICATIONS INDUSTRY ASSOCIATION
April 28, 2014 General Services Administration Regulatory Secretariat Division (MVCB) ATTN: Ms. Flowers 1800 F Street NW, 2nd Floor Washington, DC 20405 Comments of the Telecommunications Industry Association
More informationWhat The OMB Cybersecurity Proposal Does And Doesn't Do
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com What The OMB Cybersecurity Proposal Does And Doesn't
More informationHow To Protect Your Data From Being Hacked
Cyber Division & Manufacturing Division Joint Working Group Cyber Security for the Advanced Manufacturing Enterprise Manufacturing Division Meeting June 4, 2014 Michael McGrath, ANSER michael.mcgrath@anser.org
More informationCYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South
CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS Steve Mills DAU-South 1 Overview Questions Cybersecurity Owners and Stakeholders Cybersecurity Why It Matters to DoD Program Managers Defense Science
More informationImproving Cybersecurity and Resilience through Acquisition [DRAFT] IMPLEMENTATION PLAN
Improving Cybersecurity and Resilience through Acquisition [DRAFT] IMPLEMENTATION PLAN Version 1.0 February 2014 Page 1 of 7 Table of Contents Introduction... 3 Purpose... 3 Plan Development Process...
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationGAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks
GAO For Release on Delivery Expected at 10:00 a.m. EDT Tuesday, March 27, 2012 United States Government Accountability Office Testimony Before the Subcommittee on Oversight and Investigations, Committee
More informationApril 28, 2014. Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC
April 28, 2014 Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC RE: Information Technology Sector Coordinating Council (IT SCC)
More informationWhy Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP
Why Cybersecurity Matters in Government Contracting Robert Nichols, Covington & Burling LLP Cybersecurity is the No. 1 Concern of General Counsel and Directors 2 Cybersecurity Concerns in the Government
More informationCRISIS MANAGEMENT AND FIRST AID: WHEN GOVERNMENT CONTRACTORS ARE THE HEADLINERS WELCOME
CRISIS MANAGEMENT AND FIRST AID: WHEN GOVERNMENT CONTRACTORS ARE THE HEADLINERS WELCOME CYBER CRISIS MANAGEMENT: ARE YOU PREPARED? Evan Wolff David Bodenheimer Kelly Currie Kate Growley Overview Cybersecurity
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationWritten Testimony. Dr. Andy Ozment. Assistant Secretary for Cybersecurity and Communications. U.S. Department of Homeland Security.
Written Testimony of Dr. Andy Ozment Assistant Secretary for Cybersecurity and Communications U.S. Department of Homeland Security Before the U.S. House of Representatives Committee on Oversight and Government
More informationClick to edit Master title style
Click to edit Master title style Fourth level» Fifth level Click Integrating to edit Master Cybersecurity title style Requirements into Source Selection and Contracts Breakout Session #F15 Alex Odeh, Third
More informationCybersecurity Enhancement Account. FY 2017 President s Budget
Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities
More informationDoD Strategy for Defending Networks, Systems, and Data
DoD Strategy for Defending Networks, Systems, and Data November 13, 2013 Department DoDD of Defense Chief Information Officer DoD Strategy for Defending Networks, Systems, and Data Introduction In July
More informationRESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES
RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES Purpose and Scope The purpose of the Security Code of Management Practices is to help protect people, property, products, processes, information and
More informationImplementing Program Protection and Cybersecurity
Implementing Program Protection and Cybersecurity Melinda Reed Office of the Deputy Assistant Secretary of Defense for Systems Engineering Mark Godino Office of the Deputy Assistant Secretary of Defense
More informationBaseline Cyber Security Program
NNSA Policy Letter NAP-14.1-D Approved: Baseline Cyber Security Program NATIONAL NUCLEAR SECURITY ADMINISTRATION Office of Information Management and the Chief Information Officer AVAILABLE ONLINE AT:
More informationSupporting information technology risk management
IBM Global Technology Services Thought Leadership White Paper October 2011 Supporting information technology risk management It takes an entire organization 2 Supporting information technology risk management
More informationRecent Data Security Developments for Government Contractors
Recent Data Security Developments for Government Contractors November 4, 2015 Attorney Advertising Speakers Jonathan Cedarbaum Partner WilmerHale Barry Hurewitz Partner WilmerHale Ben Powell Partner WilmerHale
More informationPreventing and Defending Against Cyber Attacks November 2010
Preventing and Defending Against Cyber Attacks November 2010 The Nation s first ever Quadrennial Homeland Security Review (QHSR), delivered to Congress in February 2010, identified safeguarding and securing
More informationCOUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide
COUNTERINTELLIGENCE O F F I C E O F T H E N A T I O N A L C O U N T E R I N T E L L I G E N C E Protecting Key Assets: A Corporate Counterintelligence Guide E X E C U T I V E Counterintelligence for the
More informationRelease of the Draft Cybersecurity Procurement Language for Energy Delivery Systems
Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas
More informationThe NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session
The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session Robert Smith Systemwide IT Policy Director Compliance & Audit Educational Series 5/5/2016 1 Today s reality There are two kinds
More informationCybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
More informationChanging Legal Landscape in Cybersecurity: Implications for Business
Changing Legal Landscape in Cybersecurity: Implications for Business Presented to Greater Wilmington Cyber Security Group Presented by William R. Denny, Potter Anderson & Corroon LLP May 8, 2014 Topics
More informationCYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology Steve.mills@dau.mil 256.922.
CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS 1 Steve Mills Professor of Information Technology Steve.mills@dau.mil 256.922.8761 Overview Cybersecurity Policy Overview Questions Challenge #1 -
More informationStatement of Gil Vega. Associate Chief Information Officer for Cybersecurity and Chief Information Security Officer. U.S. Department of Energy
Statement of Gil Vega Associate Chief Information Officer for Cybersecurity and Chief Information Security Officer U.S. Department of Energy Before the Subcommittee on Oversight and Investigations Committee
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More informationSeptember 28, 2 012 MEMORANDUM FOR. MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President
004216 THE WHITE HOUSE WASHINGTON MEMORANDUM FOR September 28, 2 012 MR. ANTONY BLINKEN Deputy Assistant to the President and National Security Advisor to the Vice President MR. STEPHEN D. MULL Executive
More informationDoD CIO s 10-Point Plan for IT Modernization. Ms. Teri Takai DoD CIO
DoD CIO s 10-Point Plan for IT Modernization Ms. Teri Takai DoD CIO Executive Summary Proactive Partnerships for IT Modernization IT Modernization Strategy Consolidate Infrastructure Streamline Processes
More informationCybersecurity Framework: Current Status and Next Steps
Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards
More informationThe Comprehensive National Cybersecurity Initiative
The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we
More informationRe: Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition [Notice- OMA- 2014-01; Docket No. 2014-0002]
April 28, 2014 Ms. Hada Flowers General Services Administration Regulatory Secretariat Division (MVCB) 1800 F Street, NW, 2 nd Floor Washington, DC 20405 Re: Joint Working Group on Improving Cybersecurity
More informationDesigning & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012
Designing & Implementing Enterprise Security Programs MBA Bank Expo 2012 April 11, 2012 Session Purpose G R O U P Premise: Security is institutionalized, but the enterprise is evolving. the enterprise
More informationCybersecurity Audit Why are we still Vulnerable? November 30, 2015
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
More informationAS9100:2016 Transition Guide
AS9100:2016 Transition Guide Updated August 24, 2016 AS9100 Series Overview AS9100 Aerospace Management Systems is a widely adopted and standardized quality management system for the aerospace industry.
More informationDocket No. DHS-2015-0017, Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations
Submitted via ISAO@hq.dhs.gov and www.regulations.gov July 10, 2015 Mr. Michael Echols Director, JPMO-ISAO Coordinator NPPD, Department of Homeland Security 245 Murray Lane, Mail Stop 0615 Arlington VA
More informationUnderstanding the NIST Cybersecurity Framework September 30, 2014
Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity
More informationU.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems
U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)
More informationAn Introduction to the DHS EBK: Competency and Functional Framework for IT Security Workforce Development
An Introduction to the DHS EBK: Competency and Functional Framework for IT Security Workforce Development Wm. Arthur Conklin University of Houston, College of Technology 312 Technology Bldg, Houston, TX
More informationDepartment of Defense DIRECTIVE
Department of Defense DIRECTIVE NUMBER 5000.01 May 12, 2003 Certified Current as of November 20, 2007 SUBJECT: The Defense Acquisition System USD(AT&L) References: (a) DoD Directive 5000.1, The Defense
More informationOffice of the Chief Information Officer
Office of the Chief Information Officer Business Plan: 2012 2015 Department / Ministère: Executive Council Date: November 15, 2012 1 P a g e This Page Left Intentionally Blank 2 P a g e Contents The Business
More informationU.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO
U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW November 12, 2012 NASEO ISER Response: from site focused to system focused Emergency Preparedness, Response, and Restoration Analysis and
More informationNational Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009
National Security & Homeland Security Councils Review of National Cyber Security Policy Submission of the Business Software Alliance March 19, 2009 Question # 1: What is the federal government s role in
More informationSECTION-BY-SECTION. Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012.
SECTION-BY-SECTION Section 1. Short Title. The short title of the bill is the Cybersecurity Act of 2012. Section 2. Definitions. Section 2 defines terms including commercial information technology product,
More informationSubject: Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing
January 21, 2016 Anne E. Rung Administrator, Office of Federal Procurement Policy Office of Management and Budget 725 17 th Street, NW Washington, DC 20503 Tony Scott Administrator and Federal CIO Office
More informationCybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues
Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues Todd Bertoson Daniel Gibb Erin Sheppard Principal Senior Managing Associate Counsel todd.bertoson@dentons.com
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationPublic Law 113 283 113th Congress An Act
PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it
More informationCyber Workforce Training
Cyber Workforce Training Mr Steve Jurinko DISA/PEO-MA 13 May 2014 1 DISA Cybersecurity Workforce Initiatives Cyber Workforce Coding DOD CIO initiative To identify the Cyber Workforce (CWF) across DISA
More informationBuilding Security In:
#CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationDoD Software Assurance (SwA) Overview
DoD Software Assurance (SwA) Overview Tom Hurt Office of the Deputy Assistant Secretary of Defense for Systems Engineering NDIA Program Protection Summit / Workshop McLean, VA May 19, 2014 May 19, 2014
More informationDean C. Garfield President & CEO, Information Technology Industry Council (ITI) Committee on Energy and Commerce
Written Testimony of Dean C. Garfield President & CEO, Information Technology Industry Council (ITI) Before the Committee on Energy and Commerce Subcommittee on Communications and Technology U.S. House
More informationOur Commitment to Information Security
Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as
More informationWashington Update: The Feds Impact Cybersecurity Without Passing Major New Laws
Washington Update: The Feds Impact Cybersecurity Without Passing Major New Laws Brian Finch Pillsbury Winthrop Shaw Pittman Brian Caudill American Gas Association Pillsbury Winthrop Shaw Pittman LLP Introduction
More informationCybersecurity Awareness for Executives
SESSION ID: SOP-R04 Cybersecurity Awareness for Executives Rob Sloan Head of Cyber Content and Data Dow Jones @_rob_sloan Session Overview Aim: Provide a high level overview of an effective cybersecurity
More informationMODERNIZING IT PLATFORMS SUCCESSFULLY HOW PLATFORM RENEWAL PROJECTS CREATE VALUE
MODERNIZING IT PLATFORMS SUCCESSFULLY HOW PLATFORM RENEWAL PROJECTS CREATE VALUE INTRODUCTION The machinery and plant engineering industry is under pressure to transform. Globalization, new competitors,
More informationGAO s High-Risk Program
GAO s High-Risk Program Mountains and Plains Intergovernmental Audit Forum September 1, 2015 William Reinsberg U.S. Government Accountability Office Outline Why was the High-Risk Program needed and what
More informationCybersecurity in the States 2012: Priorities, Issues and Trends
Cybersecurity in the States 2012: Priorities, Issues and Trends Commission on Maryland Cyber Security and Innovation June 8, 2012 Pam Walker, Director of Government Affairs National Association of State
More informationCybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014
Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security
More informationManaging Security Risk In a World of Complex Systems and IT Infrastructures
Object Management Group Technical Meeting Managing Security Risk In a World of Complex Systems and IT Infrastructures NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Classes of Vulnerabilities A 2013
More informationExport Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws
Presenting a live 90-minute webinar with interactive Q&A Export Controls and Cloud Computing: Complying with ITAR, EAR and Sanctions Laws WEDNESDAY, APRIL 23, 2014 1pm Eastern 12pm Central 11am Mountain
More informationOverview of SAE s AS6500 Manufacturing Management Program. David Karr Technical Advisor for Mfg/QA AFLCMC/EZSM 937-255-7450 david.karr@us.af.
Overview of SAE s AS6500 Manufacturing Management Program David Karr Technical Advisor for Mfg/QA AFLCMC/EZSM 937-255-7450 david.karr@us.af.mil 1 Outline Background Objectives Requirements Implementation
More informationDepartment-wide Systems & Capital Investment Programs
Department-wide Systems & Capital Investment Programs Mission Statement The Department-wide Systems and Capital Investments Programs (DSCIP) is authorized to be used by or on behalf of the Treasury Department
More informationCybersecurity: Mission integration to protect your assets
Cybersecurity: Mission integration to protect your assets C Y B E R S O L U T I O N S P O L I C Y O P E R AT I O N S P E O P L E T E C H N O L O G Y M A N A G E M E N T Ready for what s next Cyber solutions
More informationTransforming the Marketplace: Simplifying Federal Procurement to Improve Performance, Drive Innovation, and Increase Savings
EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503 OFFICE OF FEDERAL PROCUREMENT POLICY December 4, 2014 MEMORANDUM FOR CHIEF ACQUISITION OFFICERS SENIOR PROCUREMENT
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationSecurity Risk Management For Health IT Systems and Networks
Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Setting the stage. NATIONAL INSTITUTE OF STANDARDS AND
More informationBriefing Outline. Overview of the CUI Program. CUI and IT Implementation
Briefing Outline Overview of the CUI Program Establishment of the Program Elements of the CUI Executive Order Categories and Registry Handling CUI Current Efforts Implementation Plan CUI and IT Implementation
More informationPreventing and Defending Against Cyber Attacks October 2011
Preventing and Defending Against Cyber Attacks October 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationCybersecurity and Corporate America: Finding Opportunities in the New Executive Order
Executive Order: In the President s State of the Union Address on February 12, 2013, he announced an Executive Order Improving Critical Infrastructure Cybersecurity (EO) to strengthen US cyber defenses
More informationUpdate on U.S. Critical Infrastructure and Cybersecurity Initiatives
Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Presented to Information Security Now! Seminar Helsinki, Finland May 8, 2013 MARK E. SMITH Assistant Director International Security
More informationPrivacy and Data Security Update for Defense Contractors
Privacy and Data Security Update for Defense Contractors T.J. Crane May 19, 2017 Overview DoD interim rule Expanded DFAR reporting obligations New DFAR definitions Cloud services Changes to local breach
More informationDecember 8, 2011. Security Authorization of Information Systems in Cloud Computing Environments
December 8, 2011 MEMORANDUM FOR CHIEF INFORMATION OFFICERS FROM: SUBJECT: Steven VanRoekel Federal Chief Information Officer Security Authorization of Information Systems in Cloud Computing Environments
More informationNIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions
More informationBilling Code: 3510-EA
Billing Code: 3510-EA DEPARTMENT OF COMMERCE Office of the Secretary National Institute of Standards and Technology National Telecommunications and Information Administration [Docket Number: 130206115-3115-01]
More informationPreventing and Defending Against Cyber Attacks June 2011
Preventing and Defending Against Cyber Attacks June 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their unclassified
More informationUNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 16 R-1 Line #145
Exhibit R-2, RDT&E Budget Item Justification: PB 2015 Office of Secretary Of Defense Date: March 2014 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 6: RDT&E Management Support COST
More informationInternal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation
2015 State of the Internal Audit Profession Study Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation 68% of companies have gone through or
More informationSpace project management
ECSS-M-ST-80C Space project management Risk management ECSS Secretariat ESA-ESTEC Requirements & Standards Division Noordwijk, The Netherlands Foreword This Standard is one of the series of ECSS Standards
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity
More informationCritical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Critical Infrastructure Cybersecurity Framework Overview and Status Executive Order 13636 Improving Critical Infrastructure Cybersecurity Executive Order: Improving Critical Infrastructure Cybersecurity
More informationTHE WHITE HOUSE Office of the Press Secretary
FOR IMMEDIATE RELEASE February 13, 2015 THE WHITE HOUSE Office of the Press Secretary FACT SHEET: White House Summit on Cybersecurity and Consumer Protection As a nation, the United States has become highly
More informationNASA PROCUREMENT TENETS
NASA PROCUREMENT TENETS Introduction: The goal of procurement is to ensure the Agency executes its mission successfully by effectively and efficiently managing the acquisition process. NASA spends approximately
More informationNATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY
NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 Table of Contents Executive Summary 1 Introduction 2 Our Strategic Goals 2 Our Strategic Approach 3 The Path Forward 5 Conclusion 6 Executive
More informationENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation
More informationARC VIEW. Industrial Defender and ABB Cyber Security Partnership Model. Summary. Cyber Security Strategies for Automation Suppliers.
ARC VIEW DECEMBER 9, 2010 Industrial Defender and ABB Cyber Security Partnership Model By Robert Mick Summary Securing industrial control systems (ICS) remains a challenge, partly because there are multiple
More informationOverview. FedRAMP CONOPS
Concept of Operations (CONOPS) Version 1.0 February 7, 2012 Overview Cloud computing technology allows the Federal Government to address demand from citizens for better, faster services and to save resources,
More informationSecuring Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.
Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement June 2011 DISCLAIMER: This document is intended as a general guide only.
More informationPresentation of April 22, 2015
A Standards Based Way To Avoid Counterfeit Electronic Parts Presentation of April 22, 2015 Robert S. Metzger Rogers Joseph O Donnell, P.C. 750 Ninth Street, N.W., Ste 710 Washington, D.C. 20001 (202) 777
More informationFollowing is a discussion of the Hub s role within the health insurance exchanges, the results of our review, and concluding observations.
Testimony of: Kay Daly Assistant Inspector General for Audit Services Office of Inspector General, U.S. Department of Health and Human Services Hearing Title: The Threat to Americans Personal Information:
More informationReaching CMM Levels 2 and 3 with the Rational Unified Process
Reaching CMM Levels 2 and 3 with the Rational Unified Process Rational Software White Paper TP174 Table of Contents INTRODUCTION... 1 LEVEL-2, REPEATABLE... 3 Requirements Management... 3 Software Project
More informationCYBERSECURITY RISK MANAGEMENT
CYBERSECURITY RISK MANAGEMENT Evan Wolff Maida Lerner Peter Miller Kate Growley 233 Roadmap Cybersecurity Risk Overview Cybersecurity Trends Selected Cybersecurity Topics Critical Infrastructure DFARS
More informationCyber Security for Advanced Manufacturing Next Steps
Status Update Cyber Security for Advanced Manufacturing Next Steps NDIA Manufacturing Division February 19, 2015 Michael McGrath Consultant, Analytic Services Inc. michael.mcgrath@anser.org NDIA White
More informationThe Role of Internal Audit in Risk Governance
The Role of Internal Audit in Risk Governance How Organizations Are Positioning the Internal Audit Function to Support Their Approach to Risk Management Executive summary Risk is inherent in running any
More information