Improving Cyber Resilience Through Acquisition

Improving Cyber Resilience Through Acquisition
Independent Telecommunications Pioneer Association (ITPA) Luncheon Series
Don Johnson, Office of the Secretary of Defense, C3 and Cyber
February 6, 2014

Today's Objective
- Provide background on the acquisition of IT and related cyber systems
- Provide insight into the January 23, 2014 report of the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition
- Another step toward an era in which nearly every government contractor must satisfy baseline cybersecurity requirements

Improving Cyber Security in the Larger Context
- The best cyber program is only as good as the agile environment around it, where IT is able to adapt to a rapidly changing threat and technology landscape
- Requires changes in culture (not a short-term effort)
- Requires changes in processes
- Requires enterprise governance
- Requires standardization

Challenges - Patchwork & Cyber Vulnerabilities
"The problem is that too many parts of the department, especially in the information technology arena, cling to separate infrastructure and processes. All of our bases, operational headquarters and defense agencies have their own IT infrastructures, processes, and application-ware. This decentralization approach results in large cumulative costs, and a patchwork of capabilities that create cyber vulnerabilities and limit our ability to capitalize on the promise of information technology. Therefore, I am directing an effort to consolidate these assets to take advantage of the Department's significant economies of scale, thereby creating savings in acquisition, sustainment, and manpower costs. My hope and expectation is that the efforts we have launched will lead to the kind of cultural changes that over time become a part of this department's DNA and institutional memory."

Call for Fundamental Change
- Acquisition: long acquisition cycle times; limited flexibility and agility
- Requirements: understanding and prioritizing requirements; IT requirements are overly detailed
- Test/Evaluation: testing is done too late and serially
- Funding & Governance: program-centric; overlapping decision layers; funding inflexibility and negative incentives

2010 National Defense Authorization Act (Section 804): Implementation of New Acquisition Process for Information Technology Systems
- New acquisition process required: the Secretary of Defense shall develop and implement a new acquisition process for information technology systems
- To be based on the recommendations in Chapter 6 of the March 2009 report of the Defense Science Board (DSB) Task Force on DoD Policies and Procedures for the Acquisition of Information Technology
- Designed to include: (A) early and continual involvement of the user; (B) multiple, rapidly executed increments or releases of capability; (C) early, successive prototyping to support an evolutionary approach; and (D) a modular, open-systems approach

Acquisition Model (Chapter 6 of the March 2009 DSB Report)

[Figure: acquisition timeline. Milestone Build Decision; ICD (Initial Capability Document); Business Case Analysis and Development; Architectural Development and Risk Reduction with coordinated DoD stakeholder involvement (up to 2 years); CDD (Capabilities Development Document) decision point. Release 1: prototypes, Development & Demonstration in Iteration 1, Iteration 2, ... Iteration N with integrated DT/OT (6 to 18 months), then Fielding. Release 2 through Release N follow the same pattern of prototypes, development and demonstration iterations, and fielding.]

Acquisition Model: Continuous Technology/Requirements Development & Maturation

Impact to Core DoD Processes
- Requirements: From a fixed set of requirements; To evolving requirements with a user role throughout
- Delivery: From a static waterfall model; To an Agile model with user feedback driving priorities
- Governance: From being driven by milestones and breaches; To more frequent, delivery-focused review
- Functional Areas: From rigor tied to documentation for a single milestone; To rigor tied to demonstrated risk and delivery of capabilities

Improving Cybersecurity and Resilience Through Acquisition
On February 12, 2013, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity (EO), directing Federal agencies to use their existing authorities and increase cooperation with the private sector to provide stronger protections. Section 8(e) of the EO states:

"Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity."

January 23, 2014: DoD & GSA Joint Report on Improving Cybersecurity and Resilience Through Acquisition
1. Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
2. Address Cybersecurity in Relevant Training
3. Develop Common Cybersecurity Definitions for Federal Acquisitions
4. Institute a Federal Acquisition Cyber Risk Management Strategy
5. Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, Whenever Available, in Appropriate Acquisitions
6. Increase Government Accountability for Cyber Risk Management

The ultimate goal of the recommendations is to strengthen the federal government's cybersecurity by improving management of the people, processes, and technology affected by the Federal Acquisition System.

Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions

Recommendation
Basic cybersecurity hygiene is broadly accepted across the government and the private sector as a way to reduce a significant percentage of cyber risks. For acquisitions that present cyber risks, the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver. The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified.

Potential Impact
- FAR 4.17, Basic Safeguarding of Contractor Information (not in the FAR yet), could be updated to add definitions and solicitation provisions/contract clauses.
- FAR Part 7, Acquisition Planning, could be updated to more explicitly require the government to consider cybersecurity requirements in the technical requirements of contracts.
- FAR Part 12, Acquisition of Commercial Items, could be updated to require solicitation provisions/contract clauses to apply to commercial items.
- FAR Part 52: development of solicitation provision(s) and contract clause(s) for cybersecurity.
- FAR 4.4, Safeguarding Classified Information Within Industry, should also be reviewed for updates related to cybersecurity.
- FAR 39.102, Management of Risk, could be updated to address certain types of cyber risk associated with IT contracts.

Change is Beginning: November 18, 2013 - New DoD Rules on Cyber
- DFARS 204.73, Safeguarding Unclassified Controlled Technical Information, and the corresponding contract clause, DFARS 252.204-7012, Safeguarding of Unclassified Controlled Technical Information. The clause is included in all DoD solicitations and contracts beginning November 18, 2013, and prime contractors must flow it down to all subcontracts from that point on, including subcontracts for commercial items.
- DFARS 252.204-7012(b), new data security requirements. Requires contractors to provide adequate security on any unclassified information systems that store, process, or transmit unclassified controlled technical information; the clause lists a table of NIST SP 800-53 controls as the minimum. The new category of unclassified controlled technical information covers technical data and computer software with military or space application that is subject to DoD controls on access, use, or dissemination.
- DFARS 252.204-7012(d)(1), new cyber incident and compromise reporting. Contractors must report cyber incidents that affect unclassified controlled technical information to DoD within 72 hours of discovering the incident.

Address Cybersecurity in Relevant Training

Recommendation
As with any change to practice or policy, there is a concurrent need to train the relevant workforces to adapt to the changes. Incorporate acquisition cybersecurity into the required training curricula for appropriate workforces. Require organizations that do business with the government to receive training about the acquisition cybersecurity requirements of the organization's government contracts.

Potential Impact
FAR Part 52 clauses might be developed to require specific training for certain types of contracts where cyber risks are high.

Note: OFPP, GSA (FAI), DHS (HSAI), and DoD (DAU) met to start implementing this recommendation. The Administrator for Acquisition Workforce Programs in the Office of Federal Procurement Policy has agreed to convene and charter this informal group so that initial training is developed and provided to Acquisition Workforce personnel government-wide.

Change is Beginning: DoD is establishing a Cyberspace Training Advisory Council to help guide training of the cyberspace-related workforce
- Identify, review, and assess training standards
- Identify gaps in workforce capabilities
- Establish training solutions

Develop Common Cybersecurity Definitions for Federal Acquisitions

Recommendation
Unclear and inconsistently defined terms lead, at best, to suboptimal outcomes for both efficiency and cybersecurity. Increasing the clarity of key cybersecurity terms in federal acquisitions will increase efficiency and effectiveness for both the government and the private sector. Key terms should be defined in the Federal Acquisition Regulation.

Potential Impact
- One option is to build on efforts already underway dealing with higher-level quality standards and the detection and avoidance of counterfeit electronic parts (FAR Case 2012-032, Higher-Level Contract Quality Requirements). This case revises FAR 46.202-4 to add new industry-developed higher-level quality standards addressing counterfeit goods. Using this case as a model, FAR Part 46, Quality Assurance, could also be revised to include industry standards for cybersecurity in commercial items.
- FAR Part 39, Acquisition of Information Technology, could be updated to include applicable definitions.
- FAR Part 2, Definitions of Words and Terms, is probably the most obvious place to promulgate new acquisition definitions.

DoD Adopts NIST's Risk Management Framework, Used by the Civil and Intelligence Communities

Institute a Federal Acquisition Cyber Risk Management Strategy

Recommendation
From a government-wide cybersecurity perspective, identify a hierarchy of cyber risk criticality for acquisitions. To maximize consistency in the application of procurement rules, develop and use overlays for similar types of acquisition, starting with the types of acquisitions that present the greatest cyber risk.

Potential Impact
The FAR could be updated to provide standardized source selection criteria, weighting for those criteria, and contract performance measures for procurements that present high levels of cyber risk.

Note: GSA's OMA, FAS, and OGP are engaged in market research and a needs assessment with DHS, the DoD OCIO, DIA, DISA, and NIST to develop a supply chain risk management function that complements the processes used for National Security Systems.

An overlay is a fully specified set of security requirements and supplemental guidance that provides the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.

DIACAP Activities as Replaced by RMF Steps

Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other Trusted Sources, in Appropriate Acquisitions

Recommendation
In certain circumstances, the risk of receiving inauthentic or otherwise nonconforming items is best mitigated by obtaining required items only from OEMs, their authorized resellers, or other trusted sources. The cyber risk threshold for applying this limitation of sources should be consistent across the Federal government.

Potential Impact
- The FAR could be updated to require consideration of cyber risk when determining the acquisition method (best value vs. lowest price technically acceptable, LPTA).
- The FAR could be updated to require purchases from a reseller, distributor, wholesaler, or broker that is a trusted supplier of the original equipment manufacturer (OEM), or to obtain assurances that the supplier can guarantee the security and integrity of the item being purchased. Potential conflicts with competition rules would have to be addressed.

Increase Government Accountability for Cyber Risk Management

Recommendation
Identify and modify government acquisition practices that contribute to cyber risk. Integrate security standards into acquisition planning and contract administration. Incorporate cyber risk into enterprise risk management and ensure key decision makers are accountable for managing the risks of cybersecurity shortfalls in a fielded solution.

Potential Impact
The FAR could be updated to ensure that contract administration matters relevant to cybersecurity are considered (e.g., past performance, the Federal Awardee Performance and Integrity Information System (FAPIIS), debarment/suspension).

White House Response
"DoD and GSA did an outstanding job engaging with public and private sector stakeholders to craft the report and provided realistic recommendations that will improve the security and resilience of the nation when implemented. Moving forward, we highlight that:
- We view the core recommendation to be the focus on incorporating cyber risk management into enterprise acquisition risk management, built on cybersecurity hygiene baseline requirements for all IT contracts.
- DoD and GSA must now move quickly to provide an implementation plan that includes milestones and specific actions to ensure integration with the various related activities like supply chain threat assessments and anti-counterfeiting.
- DoD and GSA should ensure the highest level of senior leadership endorsement, accountability, and sustained commitment to implementing the recommendations through near- and long-term action. This should be communicated clearly to the Federal workforce, government contractors, and the oversight and legislative communities."