Integrating Cybersecurity Requirements into Source Selection and Contracts
Breakout Session #F15

Alex Odeh, Cost Analysis Lead, The MITRE Corporation
Erin Schultz, Department Head, The MITRE Corporation
Virginia Wydler, CPCM, Fellow, Principal Analyst, The MITRE Corporation

Date: July 28, 2015
Time: 4:00 - 5:15 pm

Approved for Public Release; Distribution Unlimited. 15-1259
(c) 2015 The MITRE Corporation. ALL RIGHTS RESERVED.

Outline
- What is Cybersecurity?
- Federal Guidance
- Contracting Life Cycle
- Evaluation Criteria
- Proposal Instructions
- Best Practices
- Q&A
- Resources

Cybersecurity Threats
- "Intangible Assets Create Vulnerabilities"
- "DOD Cybersecurity Gaps Could Be Canary in Federal Acquisition Coal Mine"
- "Workplace and Personal Lives are Blurring"

Cybersecurity Defined
- Process of applying security measures to ensure confidentiality, integrity, and availability of data (Wikipedia)
- Collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices (International Telecommunications Union (ITU))
- Prevention of damage to, protection of, and restoration of computers, electronic communications systems and services to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation (DoD Instruction 8500.01, 14 Mar 2014)

Know What Cybersecurity Means To Your Contract

Cybersecurity and Acquisition
(Chart: the two timelines below are plotted against Complexity (low to high) and Maturity (low to high).)

Cybersecurity: relatively new and still emerging; agencies developing guidelines; may involve all complexity levels (low to high)
- 2014: National Cybersecurity Protection Act
- 2014: Cybersecurity Workforce Assessment Act
- 2014: Cybersecurity Enhancement Act
- 2013: DoDI 5000.02 Acquisition Process (cyber)
- 2013: EO 13636: Improving Critical Infrastructure Cybersecurity
- 2002: Federal Information Security Management Act (FISMA)
- 2002: Homeland Security Act (creates DHS)
- 2000: First Denial of Service attack
- 1995: AOL phishing (AOHell)
- 1988: Morris Worm appears
- 1986: Computer Fraud and Abuse Act
- 1986: Malware virus Brain emerged

Federal Acquisition: very mature, yet still evolving; not a one-size-fits-all; levels of program complexity
- 2015: Federal IT Acquisition Reform Act
- 2013: DoDI 5000.02 Acquisition Process
- 2010: DoD Better Buying Power
- 1996: FAA & US MINT exempt from FAR
- 1996: Federal Acquisition Reform Act
- 1994: Federal Acquisition Streamlining Act
- 1993-98: Defense Acquisition Reform Initiatives
- 1982: Special Panel on Defense Procurement
- 1981: Carlucci Thirty-Two Acquisition Initiatives
- 1979: Defense Resources Board
- 1962: Truth in Negotiations Act (TINA)
- 1947: Armed Services Procurement Act
- 1941: Berry Amendment
- 1861: Civil Sundry Appropriations Act

Paradigm Shift in Contracting

From "Bolt On":
- Stove-piped, bolted onto contract SOW
- Compliance checklist
- Reactive and tactical
- Point-in-time review
- Little source review

To "Baked In":
- Integrated and built into contract SOW, Ts & Cs
- Apply risk management
- Proactive and strategic
- Full lifecycle, start early
- Verify trusted sources

Why Should You Care?
- Cyber breaches and threats are real and increasing
- Government cybersecurity policies and guidance have increased in the last few years, impacting the contracting process
- Government is shifting from compliance-based security requirements to risk-based cybersecurity management
- Cybersecurity needs to be integrated into programs and contracts to facilitate program management success

Federal Cybersecurity Guidance
- Executive Branch identified cybersecurity as a serious economic and national security challenge
- DHS assigned primary responsibility for federal-wide information security program compliance
- GSA and DoD developed implementing recommendations
- Executive Order 13636: Improving Critical Infrastructure Cybersecurity (February 2013)
- Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (February 2013)

Align cyber and acquisition processes

Cybersecurity Frameworks
- Existing Frameworks Updated
- EO generated a cyber framework and roadmap, aligning with risk and personnel frameworks

Implementation Plans: GSA/DoD Report Recommendations
- I. Institute baseline security requirements as condition for award
- II. Address cybersecurity in relevant training
- III. Develop common cybersecurity definitions for federal acquisitions
- IV. Institute a Federal acquisition cyber risk management strategy
- V. Include requirement to purchase from OEM, authorized resellers, trusted sources
- VI. Increase Government accountability for cyber risk management*

*Key contracting recommendation

Working Group Leads: Don Davidson, OSD; Andre Wilkinson, DHS; Jon Boyens, NIST; Don Johnson, OSD; Emile Monette, GSA; Joe Jarzombek, DHS

Working Group status: https://interact.gsa.gov/group/software-and-supply-chain-assurancessca-forum-wg

Report Recommendation VI: Government Accountability

Recommendation VI. Increase Government Accountability for Cyber Risk Management

Description and Highlights:
- A. Identify and modify acquisition practices that contribute to cyber risk
- B. Integrate security standards into acquisition planning and contract administration
- C. Incorporate cyber risk into enterprise risk management and ensure key decision makers (e.g., Program Executive) are accountable:
  1. Address cyber risk when defining requirement and analyzing solution
  2. Ensure and certify cybersecurity requirements are adequately reflected in the solicitation
  3. Participate in evaluation, ensure best value proposal meets cybersecurity requirements
  4. Certify contract performance reviews of cybersecurity (e.g., conformance testing, regression testing, technology refresh, supply chain management, engineering change proposals, etc.) are conducted in accordance with prescribed standards

Source: DoD and GSA Report on Improving Cybersecurity and Resilience through Acquisition

Contracting Life Cycle

Acquisition Planning:
- Conduct Market Research
- Release Request for Information
- Develop Acquisition Plan
- Develop Cybersecurity Requirements (SOW, SOO, PWS, Specification)
- References and applicable documents

Solicitation Development:
- Request for Proposal (RFP)
- Develop Contract Data Requirements List (CDRL)
- Identify clauses and special restrictions
- Instructions, Evaluation Criteria (L and M)

Source Selection

Award and Post-Award Management

SOW/RFP/L&M are critical to integrating cybersecurity into the contracting process

Developing SOW/SOO/PWS
- Understand how cybersecurity relates to your contracting process
- Understand agency cyber policies and guidance
- Solicit industry input early, continue dialog
- Integrate cybersecurity throughout the requirements development process
- Ensure traceability between cyber requirements, controls, and program needs
- Ensure requirements provide defined outputs to support decision-making activities
- Include cybersecurity requirements in all applicable sections
- Identify applicable and reference documents
- Identify security constraints
- Identify mandatory security reporting

Statement of Work (SOW) Outline Example
(Weave cybersecurity content throughout SOW sections)
- Section 1: Scope
  - Section 1.1: Introduction
  - Section 1.2: Background
  - Section 1.3: Scope
- Section 2: Applicable Documents
  - Section 2.1: Agency Specifications
  - Section 2.2: Agency Standards
  - Section 2.3: Relevant Cyber Documents
- Section 3: Requirements
  - Section 3.1: General Requirements
  - Section 3.2: Technical Objectives and Goals
  - Section 3.3: Specific Requirements
- Section 4: Contract Deliverables
- Section 5: Security
- Section 6: Personnel

Source: DoD MIL-HDBK-245D: DoD Handbook for Preparation of Statement of Work (SOW)

Solicitation (RFP) Content
- A: Solicitation/contract form - None anticipated
- B: Supplies or services and prices/costs
  - Review CDRL cybersecurity reporting
  - Cost recovery (CLIN structure, cybersecurity)
- C: Description/Specifications/SOW/SOO/PWS
  - Performance-based cyber requirements
- D: Packaging and marking - None anticipated
- E: Inspection and acceptance
  - Develop cybersecurity quality assurance plan
- F: Deliveries or performance
  - Ensure cybersecurity items are addressed
- G: Contract admin data - None anticipated
- H: Special contract requirements
  - Cybersecurity-specific contract clauses (e.g., reporting or disclosure)

Source: DoD Cybersecurity Implementation Guidebook for Acquisition Program Managers

Solicitation (RFP) Content (continued)
- I: Contract clauses
  - Cybersecurity-specific contract clauses
  - Cybersecurity Personnel (also Section H)
- J: List of Attachments
  - Applicable attachments for cybersecurity
- K: Representations, Certifications
  - Certifications that support the cybersecurity strategy (NSA certifications of cryptographic algorithms, cross-domain solutions)
- L and M: Proposal Information, Evaluation
  - Ensure factors differentiate proposals
  - Define qualification of cybersecurity staff
  - Include critical cybersecurity program objectives

Source: DoD Cybersecurity Implementation Guidebook for Acquisition Program Managers

Evaluation Criteria (Section M): Structure

FAR provides broad discretion for criteria; HOWEVER, FAR mandates:
- Quality (example evaluation factors)
  - Technical Approach or Solution
  - Program Management and Subcontracts
  - Staffing and Key Personnel Resumes
  - Security
  - Transition Plan
- Past performance
  - Tailor past performance questionnaires
  - Address cyber breaches and mitigation
- Price or cost

Consider cybersecurity in each area of Section M. Watch for conditions on the proposed technical approach that can impact costs or price.

Evaluation Criteria (Section M): Kinds of Contracts

Kinds of cybersecurity contracts may include:
- Hardware/Software
- Services
- Development
- System
- Security Engineering

- Tailor each kind of cybersecurity contract
- Prioritize quality against price/cost
- Consider industry reaction to what is important
- Are the criteria, and their relationship to cost, sending the right message to industry?

Cybersecurity Evaluation Criteria (Section M): Hardware/Software and Services
(Notional or suggested factors)

Hardware/Software:
- Degree to which trusted sources are used and proof is maintained
- Approach to restricting physical access of non-authorized personnel
- Use of cyber-certified products for hardware and software
- Approach to detecting counterfeit components
- How supply chain diversity is implemented

Services:
- Approach to developing information assurance
- Approach to ensuring trusted key personnel
- Approach to conducting vulnerability assessments
- Testing approach to ensure services meet requirements
- Degree to which cybersecurity is included in design trade analysis
- Degree to which service is non-attributable to Agency

How Would You Prioritize These?

Cybersecurity Evaluation Criteria (Section M): Development and System
(Notional or suggested factors)

Development:
- Approach to certifying developers, ensuring continued certifications
- Approach to integrating SSE into the lifecycle (e.g., development, test)
- Approach to documenting and managing risk (RMF)
- Tools for security selection and application
- Approach to ensure Mission Assurance, Resilience

System:
- Demonstrated ability to detect and prevent attacks
- Approach to detecting and minimizing data breaches
- Approach to integrating and enhancing operational tools
- Approach to validating staff cyber competency
- Degree to which approach integrates with CONOPS, information architecture, cyber programs

How Would You Prioritize These?

Cybersecurity Evaluation Criteria (Section M): Security Engineering
(Notional or suggested factors)
- Approach to integrating architectural risk analysis, threat modeling, testing, security governance as part of product lifecycle
- Degree to which development uses consistent coding practices and standards throughout product lifecycle
- Degree to which testing and validation methodologies simulate an attacker breaking an application
- Degree to which security testing is integrated into software development
- Approach to respond to and report security vulnerabilities
- Degree to which supply chain risk management ensures security and integrity of sourced components

How Would You Prioritize These?

Primary Source: extracted from www.safecode.org

Proposal Instruction (Section L): Technical Approach
- Describe how the technical approach integrates with current or planned agency information architectures, programs, projects or initiatives
- Describe how cybersecurity is integrated into the program's SE, SSE, T&E processes, and CONOPS
- Ensure cybersecurity is explicit in the Basis of Estimate (BOE), Work Breakdown Structure, and Cost Estimating Approach
- Describe approach to supply chain vulnerability assessments to comply with agency policy, RFP requirements, or other constraints
- Describe the technical data approach, including ownership, control, timely access, and delivery of all cybersecurity data, including raw test data, for the evolving technical baseline

Proposal Instruction (Section L): Management Approach
- Define team organization
- Identify and describe key personnel who will ensure cybersecurity compliance
- Describe staffing approach, qualifications and continued proficiency for cybersecurity personnel
- Describe cybersecurity incident response, mitigation and risk management processes
- Describe approach to transition to ensuring cybersecurity

Security:
- Describe approach to detect and minimize data exfiltration and data loss
- Describe how security integrates with current or planned CONOPS, BCP, information architecture, programs or initiatives

Proposal Instruction (Section L): Government Property and Data Deliverables

Government Property:
- Identify required Government Furnished Property (GFP) (e.g., access to National Cyber Range, Government Blue and/or Red Teams to be used during initial testing)

Data Deliverables (CDRL):
- What data deliverables are required as part of the proposal and during contract execution?
- Approach to satisfying Agency Cybersecurity Strategy
- Compliance with Security CONOPS and/or updates
- Managing Security Architecture and/or updates
- Developing Security artifacts for milestone reviews
- Updating Assessment and Authorization artifacts
- Approach to satisfying Program Protection Plan (PPP)

Proposal Evaluation Options
- Paper proposal
- Operation Capability Assessment (OCA)
- Technical approach
- Live demonstration before award
  - Operational Capability Demonstration (OCD)
  - Operational Capability Test (OCT)
  - Sample Task Order or Problem Exercise
- Oral proposal presentation
- Challenge-based acquisition
  - Viability assessment of technical approach before RFP release

Don't rely on a paper proposal to pick a winner

Best Practices: Acquisition Planning
- Leverage industry during acquisition planning
- Provide security documents, assumptions, and constraints to industry as early as possible
- Ensure critical classification levels and special data protection are identified early (these can be expensive cost drivers)
- Include security engineering instructions and policy mandates in the scope and objectives
- Consider who designs, develops, and implements an integrated end-to-end security architecture (will you need an integrator?)
- Identify the relationships of security deliverables to overall program activities (e.g., security analyses at major reviews)

Best Practices: Solicitation Development
- Recognize that no two acquisitions are alike
- Avoid cut-and-paste ("worked last time...")
- Identify key security personnel, qualifications, collocation, and level of support (e.g., Chief Security Architect, Full Time on Site)
- Good criteria provide evaluators with latitude to evaluate what is important
- Bad criteria provide Yes/No or Checklist answers
- Too many criteria dilute core discriminators
- Tell industry what the most important areas and factors are (e.g., Price, Technical Approach, People/Resumes, Past Performance)

Best Practices: Source Selection
- Selection needs to reflect evaluation criteria
- Discriminate between competing Offerors
- Ensure program and technical personnel are experienced and/or seek help
- Incorporate key desired approaches, features, processes, or tools from the proposal into the final contract, since the proposal itself is not incorporated into the contract
- Follow your source selection plan and use published evaluation criteria BECAUSE GAO SAID SO (GAO-14-276SP)

What is MOST Important to YOUR Acquisition?

News You Can Use
- DHS using cybersecurity contract clauses
- OMB Guidance Memo out for comment
- GSA/DoD Working Group Products: Cyber Clauses, Qualified Bidders List, Trusted Sources
  https://interact.gsa.gov/group/software-and-supplychain-assurance-ssca-forum-wg
- DoD Program Managers Guidebook for Cybersecurity Acquisitions coming soon!
- DoD Better Buying Power 3.0 new section: Strengthen cybersecurity throughout lifecycle
- Insurance policies for cyber breaches - $$$$$$ - OR -

Summary
- You have an integral role in government contracts
- Consequences of ignoring or misallocating cybersecurity resources are growing
- You can be the expert help
  - Know who to ask and where to look
  - Understand key developments in cybersecurity
- You will intersect with multiple functional areas
  - Contracting Officials
  - Cybersecurity Technical Staff
  - Acquisition and Program Management Staff
  - Systems Engineering Staff
- You are committed to advancing cybersecurity
  - Adopting standards and best practices

Questions, Comments, Sharing Time

Contact Information

Alex Odeh
The MITRE Corporation
aodeh@mitre.org

Erin Schultz
The MITRE Corporation
eschultz@mitre.org

Virginia Wydler, CPCM, Fellow
The MITRE Corporation
vwydler@mitre.org

Website: http://www.mitre.org

Applicable References
- National Standards, Guidance
- National Security System (NSS)
- NIST Framework
- Intelligence Community

For more information see: http://iac.dtic.mil/csiac/download/ia_policychart.pdf

Reference DoD Documents

Source: http://iac.dtic.mil/csiac/download/ia_policychart.pdf

Cybersecurity Workforce Framework
- 31 Specialty areas with sample job titles, tasks, knowledge, skills, and abilities (KSAs)

Program Manager's Guidance
- Describe key concepts and activities for successful implementation of cybersecurity and system resilience throughout the acquisition lifecycle
- Familiarize program managers with RMF continuous monitoring to optimize mission effects throughout the acquisition lifecycle
- Relate content to DoD cybersecurity policy, DoD acquisition policy, and other references

INTERNAL DRAFT V 0.9971; June 2015 release expected