The General Services Administration is attempting to improve federal cybersecurity where it begins — at the acquisition process.
GSA is developing a cyber acquisition risk profile for agencies to apply when buying products and services. The cyber risk profile is one of six recommendations GSA and DoD submitted to the White House in January 2014.
But it may be the most important of the six, as the other five all build on the risk profile.
“When you think about having baseline cybersecurity requirements as a condition for contract award for appropriate acquisitions, well, we don’t really know what appropriate acquisitions are until we fully understand the risk posture of those acquisitions,” said Emile Monette, the senior adviser for resilience and cybersecurity in GSA’s Office of Governmentwide Policy in an interview with Federal News Radio. “When we started to do some work toward implementation of this risk management strategy for acquisitions, we pretty quickly came upon the fact that we’ve got a gap in how the federal acquisition system applies the NIST risk management framework to its activities, and to be more specific there, risk assessment is an important step in the application of the risk management framework. When we looked at how the risk management framework is used in the federal acquisition system, we found that acquisition decision makers often lack robust information about the decisions they are making. They are not able to make as good of an assessment about the risk as they might if they had more information. So that’s one of the goals we are after right now.”
As part of creating the risk framework, GSA hosted a public meeting on June 5 to get further insights from industry and other interested parties. Monette said about 120 people attended the discussion, of which about two-thirds were from industry. He said the meeting mostly focused on the responses to the request for information GSA released in December. GSA received 29 responses from independent auditors, consultants, niche providers, big data aggregators, IT product vendors, universities and an industry consortium.
President Barack Obama’s February 2013 executive order on securing critical infrastructure called for an internally focused effort to better incentivize contractors and agencies to secure federal networks.
GSA and the Defense Department released their report in January 2014 with six acquisition reforms to improve cybersecurity across the enterprise:
Institute baseline cyber requirements as a condition of contract award
Address cybersecurity in relevant training
Develop common cybersecurity definitions for federal acquisitions
Institute a federal cybersecurity risk management strategy
Require purchases from original equipment manufacturers, their authorized resellers or other trusted sources whenever available
Increase government accountability for cyber risk management in the acquisition cycle
This issue of supply chain risk management isn’t new. A 2012 report from NIST and the University of Maryland on supply chain risk management called for stricter procurement measures and more application of risk management by vendors. But the question continues to be what can be done about it that doesn’t burden vendors or add cost to the government, and still has a positive impact across the board.
“There is a range of opinion and thought about how the government should approach cyber risk management in acquisitions,” he said. “One of the things that came out of the meeting, from my perspective, was the likelihood of obtaining an overwhelming consensus on how the government does this is probably pretty slim. But we are committed to the process of being transparent and inclusive, and getting as close to that consensus as possible. What did come out of the meeting that is very positive is that the attendees really strongly endorsed the common approach the government. In large part, that’s because it will reduce the cost of serving the federal customer by providing consistency and clarity in the federal acquisition process.”
Closing the gaps in cyber, acquisition speak
This lack of consistency has caused problems over the years.
Monette said he knows of one case from 2013 that resulted in a cyber breach because the acquisition official left some of the NIST controls out of the contract, believing they were not buying technology. In fact, Monette said, they were buying a service that included the transmission of data over the Internet, and that omission led to a breach.
He said this is but one example of many in which a lack of training, or a disconnect between the cybersecurity and acquisition processes, caused problems.
“If you dig into NIST special publications and start reading those things, they are relatively arcane and it’s a complex subject matter when you talk about information security and managing that risk,” Monette said. “There is sometimes a gap in the acquisition workforce’s application of the appropriate risk management guidance from NIST.”
He said what would help is a translation of the IT security language from the NIST risk management guidance into more business-centric practices as part of the training for contracting officers.
But understanding a vendor’s risk profile is also a big data problem, and big data is part of the solution.
Monette said a major piece of creating this approach is bringing together government and industry data so contracting officers and other acquisition workers can make better decisions.
“Part of what we are looking at here is a way to pull in those existing government databases where you might have things in the Securities and Exchange Commission disclosures that are made by a public company that might inform risk in an acquisition and we should be using those things. We might have access to judicial proceedings or other things that are relevant to a company’s risk that we could also use in the procurement process,” he said. “But what we also are looking at, in addition to those other things, is all of the information that is available about contractors in big data, and we really think part of what we need to get to is taking a look at public records, publicly available information and some of the information that is available through commercial subscription services. We need to aggregate that data and have a risk picture about the companies that we do business with that is more robust than the risk picture that a contracting officer or acquisition official gets today.”
Initial indicators finalized by fall
The RFI, the public meeting and future efforts focus on determining what data makes the most sense to use, where to find it and what set of indicators should be part of the discussion.
Monette said GSA will work with other agencies and industry to define each indicator and put them in a risk category. Then, GSA will put them out for public comment for about 30 days. By early fall, Monette said he expects to have that initial list finalized for implementation.
“One of the things that came up in the meeting is asking about foreign ownership of a company and what does that have to do with cybersecurity directly?” he said. “We do know that there are certain geographies in the world that are more conducive to bad actors subverting the supply chain and getting things into a line of software code or chip that ends up in a national security system, a weapons system or even another low or moderate impact system. It’s something we need to pay attention to.”
One big question that GSA still needs to address is where it will find the best information — commercial service providers, government databases or some combination of all of them.
“We think that the best approach is going to be something that taps multiple data sources for a single category or risk indicator. We know that any single data source is fallible,” he said. “If we can triangulate on the true risk picture by using multiple data sources, we will get a better idea of what the actual risk is.”
Monette said GSA recognizes industry will have some concerns over how agencies are going to collect and use this data.
He said that’s a major reason why contracting officers will have access to three different inputs or data streams. The first is input from the buyer, who describes what they are buying, the seller they are looking to buy from, and the buyer’s risk tolerance for this product or service. The second input comes from the seller, who would voluntarily provide information about its own operations and its deliverables related to the risk categories.
The third input is the big data, looking at the seller as they relate to the risk categories.
“Putting all of those things together, we think, will give us a good risk picture,” he said.
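The three-stream model described above (buyer tolerance, seller self-attestation, external data triangulated across several fallible sources per risk category) can be sketched as a small scoring routine. This is an added illustration, not GSA’s tool or data; the category names other than foreign ownership, the source names, reliability weights and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

# Risk categories: foreign ownership is named on the page; the others are assumed placeholders.
CATEGORIES = ("foreign_ownership", "software_assurance", "supply_chain_integrity")

@dataclass
class Evidence:
    source: str        # constructed source name (e.g. a registry feed, a subscription service)
    score: float       # 0.0 = no concern, 1.0 = severe concern for this category
    reliability: float # how much the analyst trusts this source, 0..1

def triangulate(evidence):
    """Combine several fallible sources for one category.
    Returns (reliability-weighted score, disagreement flag); (None, True) when no data exists."""
    if not evidence:
        return None, True
    total_w = sum(e.reliability for e in evidence)
    score = sum(e.score * e.reliability for e in evidence) / total_w
    spread = max(e.score for e in evidence) - min(e.score for e in evidence)
    return score, spread > 0.4   # wide spread: sources disagree, send to an analyst

def assess(buyer_tolerance, seller_attestation, external):
    """buyer_tolerance: {category: max acceptable score} (stream 1)
    seller_attestation: {category: self-reported score} (stream 2, voluntary, unverified)
    external: {category: [Evidence, ...]} (stream 3, aggregated public/commercial data)"""
    report = {}
    for cat in CATEGORIES:
        ext, disagree = triangulate(external.get(cat, []))
        own = seller_attestation.get(cat)
        if ext is None:
            combined = own if own is not None else 1.0  # no evidence at all: treat as high risk
        else:
            # Self-attestation gets a lower weight than triangulated external evidence.
            combined = ext if own is None else 0.75 * ext + 0.25 * own
        # Flag when the seller reports much less risk than external sources show.
        understated = own is not None and ext is not None and ext - own > 0.3
        report[cat] = {"score": round(combined, 2),
                       "exceeds_tolerance": combined > buyer_tolerance.get(cat, 0.5),
                       "needs_review": disagree or understated}
    return report

# Constructed sample: a buyer with a low tolerance for foreign ownership, a seller that
# self-reports low risk, and external sources that partly disagree with each other.
SAMPLE_TOLERANCE = {"foreign_ownership": 0.3, "software_assurance": 0.5, "supply_chain_integrity": 0.5}
SAMPLE_SELLER = {"foreign_ownership": 0.1, "software_assurance": 0.2}
SAMPLE_EXTERNAL = {
    "foreign_ownership": [Evidence("registry_feed", 0.8, 0.9), Evidence("news_feed", 0.7, 0.6),
                          Evidence("seller_disclosure_db", 0.2, 0.5)],
    "software_assurance": [Evidence("vuln_scan", 0.3, 0.8), Evidence("audit_report", 0.4, 0.9)],
}

def run_sample():
    return assess(SAMPLE_TOLERANCE, SAMPLE_SELLER, SAMPLE_EXTERNAL)
```

In the sample, foreign ownership exceeds the buyer’s tolerance and is flagged for review because the sources disagree and the seller’s self-report is far below the external picture, while the category with no data at all is treated as high risk rather than silently passing.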
Monette said GSA hopes to pilot these risk indicators and database in 2016 and move to initial operating capability in 2017.