On Wednesday, March 12, 2014, the Department of Defense (DOD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) requested public comments on its draft implementation plan (draft plan) for federal cybersecurity acquisition. See 79 Fed. Reg. 14042 (Mar. 12, 2014). The draft plan is the first of several steps toward implementing the recommendations outlined in the Working Group’s recently finalized report on Improving Cybersecurity and Resilience Through Acquisition (summarized here).
As comments are due on April 28, 2014, federal contractors and other stakeholders should act quickly to submit their views on what will have a significant and lasting impact on federal cybersecurity acquisition practices.
The draft plan proposes a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions, and by design, it will affect nearly all contracting entities. The draft plan proposes a “taxonomy” for categorizing procurements so that the government can effectively prioritize those in need of additional resources, attention, and safeguards. As proposed, the taxonomy is modeled on Federal Information and Communications Technology (ICT) acquisitions—though the Working Group has asked whether this framework is a workable model for the categorization of all acquisitions. The Working Group would use the ICT framework to categorize all acquisitions that present cyber risk, after which it would separately assess the risks within each category. Categories that present greater cybersecurity risk (based on threats, vulnerabilities, and impacts) would receive more and faster attention in acquisitions. The taxonomy is, in our view, the most significant new development in the draft plan, as it will serve as the principal basis for categorizing the extent of cyber regulations for procurements. This aspect of the plan accordingly warrants particularly close attention.
The Working Group seeks comments in many areas, including whether:
(a) the approach is workable;
(b) the process will obtain sufficient stakeholder input;
(c) any additional assumptions, clarifications, or constraints should be expressed;
(d) the approach will satisfy the goals of Recommendation IV of the final report, i.e., whether it creates a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions;
(e) the major tasks and sub-tasks are appropriate and, if implemented, will achieve the identified outputs/completion criteria;
(f) the taxonomy and category definitions can be used to develop overlays (a fully specified set of security requirements and supplemental guidance that allow for the specific tailoring of security requirements;
(g) factors can be developed to assess each measure of cybersecurity risk (i.e., threat, vulnerability and impact);
(h) other aspects (e.g., annual spending) should be considered in category prioritization; and
(i) in addition to information security controls derived from the cybersecurity framework and other relevant NIST guidance and international standards, other procedural or technical safeguards that address business cyber risk should be included (e.g., source selection and pricing methodology, source selection evaluation criteria minimum weighting and evaluation methodology, etc).