On March 12, 2014, General Services Administration (“GSA”) issued a Request for Information (“RFI”) to obtain stakeholder input on implementing the recommendations contained in the joint GSA and Department of Defense (“DOD”) report, Improving Cybersecurity and Resilience through Acquisition (“Joint Report”), issued on January 23, 2014.
The Joint Report and, in turn, the RFI from GSA were issued in furtherance of Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity, which called for GSA and DOD, in consultation with the Secretary of Homeland Security and the Federal Acquisition Regulatory Council, to make recommendations to the President “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” The Joint Report responded to this request with six recommendations for strengthening the federal government’s cyber resilience:
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
- Address cybersecurity in relevant training;
- Develop common cybersecurity definitions for federal acquisitions;
- Institute a federal acquisition cyber risk management strategy;
- Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources, whenever available, in appropriate acquisitions; and
- Increase government accountability for cyber risk management.
Through the RFI issued on March 12, GSA has requested stakeholder input on how to implement the Joint Report’s recommendations. To this end, GSA provided a draft Implementation Plan, which addresses the implementation of the Joint Report’s fourth recommendation, “institute a Federal acquisition cyber risk management strategy.” The Implementation Plan explains that GSA will implement the Joint Report’s fourth recommendation first because “the risk management strategy and processes to institute it provide the foundation that is necessary for the other recommendations to be implemented.”
The Draft Implementation Plan
The draft Implementation Plan addresses three major tasks to develop a federal acquisition strategy that addresses cyber risks:
1. Develop Acquisition Category Definitions. This task requires the government to create a taxonomy of categories of all the items it purchases. Overlays that identify the cyber risk and required minimum security controls would then be applied to these categories. The draft Implementation Plan does not specify the breadth of each category, but states only that categories need to be “right-sized to enable development of Overlays.”
The government will analyze each category on a “yes/no” basis to determine whether the acquisition of items within that category presents any cyber risk. Thus, items such as pens and pencils, which present no cyber risk, would not require a risk assessment and would not be included as a category in the taxonomy. Alternatively, printers or scanners connected to a federal network would present a cyber risk. Such items would therefore fall within one of the specified categories, and their acquisition would require a risk assessment.
A model taxonomy categorizing commercial Information and Communications Technology (“ICT”) was provided as Appendix I to the Implementation Plan. If approved, this model will be applied to additional categories of federal acquisition.
2. Conduct Acquisition Risk Assessment and Prioritization. Using the government-wide taxonomy, the government will then prioritize the list of categories based on the comparative cyber risk presented by each category’s acquisition. The comparative assessment answers the question “which of the Categories presents the greatest risk as compared to the other categories.” Thus, although the draft Implementation Plan notes that the “risk [an item (e.g., a printer)] presents varies greatly according to the specific end user,” the prioritization will be based on a comparison of cyber risk posed by category, not by end user.
3. Develop Methodology to Create Overlays. This task is the least developed of the three in the draft Implementation Plan. It entails establishing a process for developing overlays of information security, acquisition, and other controls for each category. The draft Implementation Plan states that each overlay will provide:
- An articulation of the risk presented by the category, which may be expressed as “high,” “moderate,” or “low” or by a numerical “level”;
- A specific set of minimum controls to be included in the technical specification, acquisition plan, and during contract administration and performance;
- A universe of additional controls, relevant to the category but not required; and
- Examples of the sets of identified additional controls applicable to particular cases.
As presented, it appears the draft Implementation Plan envisions the following process: (1) creating categories encompassing similar items purchased by the government; (2) determining which categories present a cyber risk; (3) prioritizing those categories based on their perceived cyber risk; and (4) applying overlays to each category, which will provide a specific set of minimum security controls applicable to the acquisition of items within each category.
Stakeholder Input
GSA has prepared a Memorandum for Commenters to help guide stakeholder input and welcomes input from industry. Comments are due on April 28, 2014.