Emery Csulak, Energy’s chief information security officer, said while this discussion about reducing cyber risk isn’t new, agencies have a better understanding of how to mitigate and manage these challenges.
“We are trying to change that conversation. We are trying to figure out how best to apply quantified risk management. How can we evaluate whether or not a $1 million investment will give me a $1 million in reduced risk to do a modernization project or will it give me a $30,000 reduction in risk? You have to be able to have those conversations,” Csulak said during the recent 930Gov conference, which was a Live Ask the CIO event. “At Energy, we are looking at how historically we’ve spent a lot of time teaching the CFO or COO about how we talk about IT security, but we’ve barely scratched the surface of teaching security people about how to talk dollars, cents, probabilities and the exposure of that. We are embracing quantified risk management.”
GSA is quantifying risk management in a different way, through supply chain security. Earlier this summer, GSA announced it was thinking about no longer offering refurbished or used products through the schedule. It issued a request for comment over the summer, but in the recent update of moving special item numbers (SINs) to North American Industrial Classification Systems (NAICS) codes, the used or refurbished product listing remained part of the effort.
Securing schedule buys
Still, Larry Hale, the director of the IT Security Subcategory for GSA’s Federal Acquisition Service, said there are plenty of steps the agency is taking to ensure products agencies buy from the schedule are secure and trustworthy.
“There are steps customers should take in terms of making sure they are buying from reputable resellers and licensed resellers. When a manufacturer doesn’t sell directly to the government, they usually have licensed resellers and I would encourage federal agencies to use those licensed resellers to reduce their risk of getting counterfeit or grey market goods. We actively pursue reports of counterfeit technologies in the products that people buy from GSA. When we find out that vendors are selling counterfeit goods, we take action against them. We take them off the schedule. We shut them down. We involve law enforcement when appropriate.”
Along with that, Hale said GSA is working with the National Institute of Standards and Technology and the Defense Department on supply chain risk management initiatives.
GSA also is working on requirements under the Secure Technology Act, which gave the agency specific roles on the Federal Acquisition Security Council and the ensuring products that need to be excluded are removed from governmentwide contracts.
“Agencies need to do a risk management analysis and determine what they are willing to expose themselves to in terms of what provenance of equipment are they going to install in certain systems. The use of the system can determine whether they are willing to pay a premium for original equipment manufacturer-specific systems with specific security controls or if they are doing something routine with limited security exposure and would like to save money,” Hale said. “That is emblematic of the kind of thought that needs to go into a well-planned procurement, and that is not what always takes place. Very often, the pressure is ‘I need it fast and I need it cheap,’ so they find the reseller that gives them what they need at the lowest possible price. You are potentially opening yourselves up to supply chain attack in that sense because you could have counterfeit technology under the cover of what looks like legitimate piece of equipment.”
Understanding the procurement risks is part of the calculation that Csulak is trying to get a broader section of Energy to do.
Csulak said Energy awarded a contract recently to specifically do the supply chain assessments that will feed into the acquisition process.
“This will create a much more robust process of bringing in internal and external to make more informed product decisions,” he said. “We are working closely with procurement to say, ‘if this is critical path or essential information, how do we do that evaluation?’ we have a process and we are refining that process now, and basically any of our major investments would go through that analysis to see if those supply chain vendors are meeting our expectations.”
Csulak said the ability to quantify risk is already happening today whether it’s through the acquisition process or through investment review boards. But, he said, too often the decisions aren’t the best ones and mostly uniformed.
“We can start thinking more smartly about how we make decisions. If we want to talk about supply chain or about making investments in big data or artificial intelligence, we have to say ‘based on the value of the data we are protecting and the risk to national security, let’s look at what those investments do and have more meaningful discussions,’” he said. “What we are looking at this year is how can we make smarter and better decisions rather than just going on gut feelings or marketing pitches or a general consensus in the room that that’s a good idea.”
To that end, Energy is looking at its investments, including the cloud, and reviewing the reasons or factors that went into the decision.
“We did a huge market survey of leading vendors in this,” he said. “We are trying to say can we put a dollar value and a probability to the risk? Those are the two key things. Can we quantify our resistance strength? Can we bring in new or novel ideas such as crowd-sourced penetration testing to help us evolve our measure of defense? It’s about changing the rubric under how we talk about risk. We are still in the infancy session of running pilots and finding examples that really talk to us.”