Improving Cybersecurity and Resilience through Acquisition [DRAFT] IMPLEMENTATION PLAN




Version 1.0, February 2014

Table of Contents

Introduction
Purpose
Plan Development Process
Assumptions/Clarifications/Constraints
Recommendation IV: Acquisition Cyber Risk Management Strategy
Outputs/Completion Criteria
Overview of Major Tasks and Sub Tasks
Task Descriptions
MAJOR TASK 1: Develop Acquisition Category Definitions
   SUB TASK 1.a. Determine Taxonomy and Establish Category Definitions
   SUB TASK 1.b. Conduct Spend Analysis
MAJOR TASK 2: Conduct Acquisition Risk Assessment and Prioritization
MAJOR TASK 3: Develop Methodology to Create Overlays
   SUB TASK 3.a. Determine Appropriate Security Controls
   SUB TASK 3.b. Determine Appropriate Acquisition Mitigations
   SUB TASK 3.c. Determine Appropriate Other Safeguards

Introduction

Section 8(e) of Executive Order (EO) 13636 directed the Department of Defense and the General Services Administration to make recommendations to the President on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The final report of the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience through Acquisition was signed by the Secretary of Defense and the Administrator of General Services on January 23, 2014.[1] The DoD-GSA report (Report) recommends six (6) strategic reforms to address issues relevant to cybersecurity in Federal acquisitions, suggests how challenges might be resolved, and identifies important considerations for the implementation of the recommendations.

[1] The Report is available at http://gsa.gov/portal/content/176547.

Purpose

The Implementation Plan (Plan) translates the Report recommendations into on-the-ground actions that will improve cybersecurity and resilience by reforming management of the people, processes, and technology involved in Federal acquisitions. The government is committed to continuing, in the development of this Plan, the open, collaborative, stakeholder-centric process used to develop the recommendations. The Plan incorporates the implementation considerations identified in the Report, breaks each recommended reform into identifiable outcomes and steps to achieve each outcome, assigns one or more offices of primary responsibility for each step, presents specific actions Federal agencies will take to improve cybersecurity and resilience in acquisitions, and suggests when each step will be completed.

Plan Development Process

The Plan will be developed using an iterative process to facilitate sequential and concurrent implementation of the recommendations as appropriate. Planning will be accomplished through a series of stakeholder outreach and engagement activities for each recommendation, including but not limited to requests for public comment and in-person meetings. An Appendix to the Plan will be developed for each recommendation in the Report. Upon completion, each Appendix will provide a roadmap for implementing the recommendation and examples of how to accomplish the actions in the Plan. It is important to note that the order of the recommendations in the Report is not indicative of the sequence of implementation. The Plan is being developed by addressing the recommendations in the order in which they should be implemented.

Assumptions/Clarifications/Constraints

An open, collaborative, stakeholder-centric process will be used to accomplish all tasks required to achieve complete implementation of the Report recommendations. At a minimum, this process will include opportunities for public comment on documentation and interagency coordination through official channels.

The majority of resources required to conduct the activities identified in the Plan have not been specifically identified. A lack of dedicated resources may inhibit or delay accomplishment of the actions in the Plan.

The definition of overlays in the Report differs slightly from the definition in NIST SP 800-53 Revision 4. To clarify, the definition in NIST SP 800-53 Revision 4 will be used for purposes of implementation.

Recommendation IV: Acquisition Cyber Risk Management Strategy

The first recommendation that will be implemented is number four in the Report, "Institute a Federal Acquisition Cyber Risk Management Strategy." This recommendation will be implemented first because the risk management strategy, and the processes to institute it, provide the foundation necessary for the other recommendations to be implemented.

Not all assets delivered through the acquisition system present the same level of cyber risk or warrant the same level of cybersecurity. Furthermore, resources to address acquisition cyber risk are scarce. Therefore, the government requires a risk-based, phased approach to managing these risks. Implementation of this recommendation draws from the sourcing practices of spend analysis, strategic categorization of buying activities, and category management, combined with application of information security controls and safeguards and procurement risk management practices like pricing methodology, source selection, and contract performance management. The goal of this recommendation is to develop a repeatable, scalable process for addressing cyber risk in Federal acquisitions based on the risk inherent to the product or service being purchased, one that is flexible enough to be adapted to the various risk tolerances of end users or risk owners.

First, the government will specifically identify which types of acquisitions present cyber risk, group those types of acquisition together into Categories, and measure the comparative cyber risk presented by purchases of items[2] in the Category. Once a risk-based prioritization has been accomplished, the government can assign resources and develop Overlays that include risk mitigations drawn from both procurement and information security practices. This will include choosing security controls from NIST SP 800-53, source selection criteria, pricing methodologies, and contract performance indicators, among others.

[2] Use of the term "item" in this Plan refers to purchases of either products, services, or both.

Outputs/Completion Criteria

The implementation of this recommendation will be considered complete when the following are documented and disseminated throughout the stakeholder community:

1. A list of Categories of acquisition, prioritized by highest risk; and
2. A repeatable, scalable process for developing cyber risk Overlays for Categories of acquisition.

Overview of Major Tasks and Sub Tasks

Completion of the following sequential tasks is necessary to implement this recommendation.

1. Develop Acquisition Category Definitions
   a. Determine Taxonomy

   b. Conduct Spend Analysis
2. Conduct Acquisition Risk Assessment and Prioritization
3. Develop Methodology to Create Overlays
   a. Determine Appropriate Security Controls
   b. Determine Appropriate Acquisition Mitigations
   c. Determine Appropriate Other Safeguards

Task Descriptions

MAJOR TASK 1: Develop Acquisition Category Definitions

The purpose of this task is to develop and instantiate a repeatable, scalable process for categorizing Federal acquisitions. The output of this task will be a list of Category definitions and a process that can be used by all Federal acquisition activities to consistently categorize acquisition activities in a way that facilitates cyber risk assessment and management.

SUB TASK 1.a. Determine Taxonomy and Establish Category Definitions

The goal of this sub task is to identify and gain stakeholder acceptance of a taxonomy to describe the various types of Federal acquisition spending and the grouping of similar types of acquisition activity into Categories. Establishing an agreed-upon common taxonomy will facilitate grouping similar types of acquisitions into Categories that can subsequently be assessed for cyber risks, which can then be appropriately mitigated through application of a single Overlay for each Category. The taxonomy selected needs to facilitate definition of Categories that are broad enough to be understandable and provide economies of scale, but specific enough to enable development of Overlays that provide meaningful, adequate, and appropriate safeguards for the types of risks presented by the products or services in the Category. The Category definitions should group similar types of acquisitions together based on characteristics of the product or service being acquired, supplier or market segments, and prevalent customer/buyer behavior. The Categories need to be right-sized to enable development of Overlays.

For example, a Category that includes all Information and Communication Technology (ICT) products and services would be overly broad because the cyber risks inherent to ICT products and services differ, so the appropriate mitigations need to differ as well. Similarly, ICT hardware and software are best mitigated using different controls, so a Category that included both would also be too broad. A Category that includes all software might be appropriate (if the preponderance of cyber risks in software can be addressed using a single set of controls), but one that includes all hardware might still be too broad because of the differences between the numerous types of hardware (e.g., network equipment, peripherals, etc.).

SUB TASK 1.b. Conduct Spend Analysis

The purpose of this sub task is to determine which Categories of acquisitions do and do not require greater cybersecurity protections, and thereby which types of acquisitions do or do not require development of a Category Overlay. Using the agreed-upon taxonomy, determine which types of acquisitions present potential cyber risk. To be accomplished properly, this task requires applied expertise in both the acquisition and information security disciplines.

The reason for conducting the spend analysis is to reduce the number of Categories that need to have Overlays developed. This determination should be based on the inherent risk the type of acquisition presents for any end user. This sub task is essentially a binary assessment of the cyber risks presented by purchase of items in the various Categories. The risks inherent to each Category should be assessed objectively, in the context of the risk presented by any use case. The objective risk assessment is intended to answer the question, "Does this Category present cyber risk to any possible end user?"

The Report explicitly states that acquisitions governed by CNSS are outside the scope of the recommendations, so National Security Systems, while higher risk, are not intended to be addressed in this process. In addition, certain Categories will be comprised of items that do not present cyber risks, and those Categories do not need increased cybersecurity protections. As an example, acquisitions of paper clips, pencils, paper, and other items that do not or cannot connect to a Federal network or involve handling of Federal data probably do not present cyber risk, and if not, a Category comprised of these types of items does not require application of an Overlay. However, acquisitions of items that may not fall within traditional definitions of ICT but are connected to networks and involve use and transmission of Federal data, such as printers or copiers, likely do present cyber risks, and therefore should be required to incorporate increased cybersecurity protections, as expressed in an Overlay.

MAJOR TASK 2: Conduct Acquisition Risk Assessment and Prioritization

The output of this task is a ranked list of Categories based on the comparative cyber risk presented by acquisitions included in the Categories. Absent other factors, such as the timing of a major government-wide acquisition in another (less risky) Category that might warrant Overlay development in that Category first, the Category determined to have the highest risk through this comparative assessment would be the first one for which an Overlay is developed.

Although all elements of the risk management cycle are important, risk assessments provide the foundation for the other elements of the cycle. In addition to providing a prioritized list of Categories, this risk assessment will also provide a basis for establishing appropriate risk management controls and selecting cost-effective techniques to implement these policies. Where a Category is determined to have higher risk relative to other types of acquisitions, the level of resources expended to address those risks will also be justifiably higher. This task is comprised of a comparative risk assessment that answers the question, "Which of the Categories presents the greatest cyber risk as compared to the other Categories?" For example, a multi-function printer/scanner/copier can have multiple use cases and end users, and the risk the item presents varies greatly according to the specific end user, often because of differences in the sensitivity of data sent to the device and the network to which it is connected.

MAJOR TASK 3: Develop Methodology to Create Overlays

Accomplishment of this task will produce a scalable, repeatable process to develop Overlays of information security, acquisition, and other controls for each Category.

The Overlays will provide a tool for acquisition officials to use throughout the acquisition lifecycle (see Report, Recommendation VI). Each Overlay will provide:

1. An articulation of the level of risk presented by the Category (this might be expressed as high, moderate, or low, or by some other nominal description, e.g., level 1, 2, 3, 4, etc.) that links the level of risk of the Category to the risk assessment conducted in Task 2 (see above);
2. A specific set of minimum controls that must be included in the technical specifications, acquisition plan, and during contract administration and performance for any acquisition in the Category;
3. The universe of additional controls that are relevant to the Category but are not required in the minimum (i.e., a "menu"); and
4. Examples of sets of the identified additional controls that apply to particular use cases (e.g., FIPS 199 High or Moderate system acquisition), as applicable.

Each Overlay will be developed using a collaborative process that includes stakeholder expertise and input from the information security and acquisition (including supply chain, sustainment, procurement, and disposal) disciplines in both the public and private sectors. Because risks and threats change over time, it is important that the government periodically reassess risks and reconsider the appropriateness and effectiveness of the policies and controls selected to manage the risks. Therefore, the Overlays should be adjusted periodically (e.g., annually) and on an as-needed basis when changes occur in technology and market conditions. For that reason, the goal is to ensure that the process used to create the Overlays is repeatable, transparent, and scalable.

SUB TASK 3.a. Determine Appropriate Security Controls

[This section is TBD based on input received from stakeholders.]

SUB TASK 3.b. Determine Appropriate Acquisition Mitigations

[This section is TBD based on input received from stakeholders.]

SUB TASK 3.c. Determine Appropriate Other Safeguards

[This section is TBD based on input received from stakeholders.]