On March 12, 2014, the General Services Administration (“GSA”) issued a Request for Information (“RFI”) to obtain stakeholder input on implementing the recommendations contained in the joint GSA and Department of Defense (“DOD”) report, Improving Cybersecurity and Resilience through Acquisition (“Joint Report”), issued on January 23, 2014.
The Joint Report and, in turn, the RFI from GSA were issued in furtherance of Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity, which called for GSA and DOD, in consultation with the Secretary of Homeland Security and the Federal Acquisition Regulatory Council, to make recommendations to the President “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” The Joint Report responded to this request with six recommendations for strengthening the federal government’s cyber resilience:
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
- Address cybersecurity in relevant training;
- Develop common cybersecurity definitions for federal acquisitions;
- Institute a federal acquisition cyber risk management strategy;
- Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources, whenever available, in appropriate acquisitions; and
- Increase government accountability for cyber risk management.
Through the RFI issued on March 12, GSA has requested stakeholder input on how to implement the Joint Report’s recommendations. To this end, GSA provided a draft Implementation Plan, which addresses the implementation of the Joint Report’s fourth recommendation, “institute a Federal acquisition cyber risk management strategy.” The Implementation Plan explains that GSA will implement the Joint Report’s fourth recommendation first because “the risk management strategy and processes to institute it provide the foundation that is necessary for the other recommendations to be implemented.”