Information assurance, IT security and cybersecurity are issues of increasing critical focus and importance within the federal space. In that context, the concept of a Cyber Security Risk Management Plan has emerged as a possible solution for bridging the gap between industry and government while checking all the boxes in FIPS 200 (http://csrc.nist.gov/publications/PubsFIPS.html) and the underlying guidance published by the National Institute of Standards and Technology (NIST). We would be interested in and value your opinion regarding the proposed approach to addressing an overarching cyber security plan for IT government contracts.
1. This request for comment is one of several such requests being conducted through “GSA Interact” to obtain public and private sector input on the contract requirements as they are developed. The purpose of this activity is to collaborate with government and industry to gain sufficient input and feedback regarding the pre-planning phase of the follow-on contracts to the very successful Alliant and Alliant Small Business Governmentwide Acquisition Contracts (GWACs).
2. The ultimate goal of including these requirements in the Alliant contracts is strengthening the cybersecurity and resilience of the Federal government by improving cybersecurity risk management in the solutions procured by agencies through the Alliant GWACs. The proposed Contract Cybersecurity Risk Management Plan will become part of the base contract and is intended to provide a high-level summary of an industry partner’s plan to address common, high-level security requirements that are pertinent to any information technology project/order. It is not intended to duplicate the more detailed security deliverables that may be associated with an order requiring an authorization to operate.
3. It is important for stakeholders to note that this effort is intended to align with the recommendations made by GSA and DoD in the joint report “Improving Cybersecurity and Resilience through Acquisition,” which can be downloaded at this link: http://www.gsa.gov/portal/content/176547. The interagency working group that drafted the recommendations has been directly involved in developing this draft language with the Alliant program office, and the ongoing implementation of the report’s recommendations will also be informed by input received in response to this request for comment. The team that drafted this contract language also plans to develop a template for the Cybersecurity Risk Management Plans, and overlays (as referenced in the aforementioned report) for the Alliant II ordering guidance. Public input on the plan template and overlays will also be sought.
4. Interested parties are encouraged to respond to this request for comment in any way that provides relevant input about any aspect of the draft document, including “redline” or “track changes” versions of the actual document. In addition, addressing the draft in the context of the following questions may be instructive.
a. In general, is the approach articulated in the draft document a workable way to achieve the goals of the effort? What, if anything, needs to be added or removed?
b. Is the Cybersecurity Risk Management Plan, as described, adequate and appropriate to provide increased cybersecurity and resilience in the Alliant contracts and orders?
c. In addition to information security controls derived from the Cybersecurity Framework and other relevant NIST guidance and international standards, what other management safeguards that address business cyber risk should be included in the Contract Cybersecurity Risk Management Plan?
d. Should the Cybersecurity Risk Management Plan requirement “flow down” to subcontractors?
e. How should the Cybersecurity Risk Management Plan be priced in firm fixed price contracts when the Government unilaterally requires an update to an accepted plan? When a company submits an update to an accepted plan of its own accord?
f. Should the Government establish a minimum weighting for the Cybersecurity Risk Management Plan if/when it is used as a comparative source selection evaluation factor?
g. What should the Government use as minimum acceptance criteria for Cybersecurity Risk Management Plans?
h. Do the security-related areas listed in paragraphs (b)(3)(i)-(iii) provide an objective and measurable basis for comparative source selection evaluation of the Cybersecurity Risk Management Plans?