NCOA-GTSC Partner to find meaningful employment for our nation’s veterans
ABOUT GTSC
GTSC, working in collaboration with Brian Finch of Strategic Partner Dickstein Shapiro and GTSC members Robert V. Jones, CEO of PReSafe Technologies; Larry Grant, CEO of EnProVera; and Gary Daemer and Mark Dale of InfusionPoints, submitted comments to the Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition. GTSC’s comments focused on clear and achievable cyber requirements that will not put small and mid-sized companies at a competitive disadvantage. Additionally, GTSC highlighted that an “LPTA” (lowest-price-technically-acceptable) environment is not conducive to robust cybersecurity and that procurements that seek best value are more appropriate. Please email us if you’d like a copy of our comments.
The views expressed in this article are solely those of the author and do not reflect the opinion of the General Services Administration or the Department of Defense.
I always start out any discussion of cybersecurity by emphasizing the context of the problem. In our increasingly hyper-connected world, cyber risks affect us all – governments, private sector organizations, and individuals. Cybersecurity events have become commonplace, almost daily occurrences, and with the advent of the “internet of things,” they are only going to increase in frequency and magnitude. It is a shared problem. And it demands a shared solution. We have an obligation to take actions in our personal and professional lives to help provide for our personal, national and economic security. Changing how the federal government buys things using our tax dollars is an important part of the solution.
Last week DoD and GSA released a report that provides six strategic acquisition reforms to improve cybersecurity. I’m pleased that the recommendations have been well received by the federal acquisition community. In my opinion, the report has been well received because it is a community product. The recommendations reflect the views and expertise of a diverse set of stakeholders from sole proprietors and individual citizens to multinational corporations and government agencies. The report does a decent job of articulating what needs to be done; now the hard work of figuring out how it gets done is in front of us.
As a threshold matter, it’s important to know that the order of the recommendations in the report is not indicative of their relative importance or the sequence of implementation. The most important recommendation is actually number four. Why is number four most important? Because the other recommendations can’t be fully implemented until number four is. For example, recommendation number one suggests including new “cybersecurity hygiene” requirements for appropriate contracts. However, we won’t know which contracts are appropriate until the risk management strategy of number four is at least partially developed. I’ll explain below.
Recommendation number four is titled: “Institute a Federal Acquisition Cyber Risk Management Strategy.”
The goal of this recommendation is to develop a repeatable, scalable process for addressing cyber risk in federal acquisitions based on (1) the risk inherent to the product or service being purchased, and (2) the risk tolerance of the end user.
The first step is to develop a consistent method to measure cyber risk in the things the government buys. Once we specifically identify which types of acquisitions present cyber risk, we can decide which types are “appropriate.” From National Security Systems to paper clips – a primary question here is, which types of buying do or don’t present cyber risk?
Because we can’t possibly address all the types of acquisition at once, the next step is to prioritize the types of federal acquisition by risk so we can identify the right starting point. The prioritization should probably consider cyber risk, mission-criticality of the function supported by the type of acquisition, and the amount of money spent on the type of acquisition annually, among other things. Which other things should this prioritization consider?
After the prioritization is complete, starting with the highest risk type of buying, develop acquisition-cybersecurity “overlays” applicable to all buys of that type. The overlays will include both procurement and information security practices – two very different and arcane disciplines. Which security controls from NIST SP 800-53 revision 4 should apply to a type of acquisition? Which acquisition practices should apply? When should the government not use lowest-price-technically-acceptable source selection?
The DoD-GSA report gives us a good strategy, and it provides a solid frame of reference, but as the old saying goes – the devil is in the details. Nothing could be truer about the next steps here.
The government has committed to continuing the collaborative process used to develop the recommendations as it develops the implementation plan. In the next few weeks, the agencies will publish a request for comment on a draft plan for implementing the recommendations. The draft plan will propose specific actions to accomplish the recommendations, starting with the cyber risk management strategy.
So, stay engaged. And when the request for comment is published, do your part to help solve one of the most pressing issues of our time by submitting your suggestions.
By Contributing Author: Emile Monette
Emile Monette is a recognized authority in the legal and operational aspects of public procurement, cybersecurity supply chain risk, and supply chain sustainability. His background includes domestic, international, and U.S. military experience investigating, negotiating, and managing multimillion-dollar contracts. Emile is a fifteen-year veteran of procurement law and policy development, and he has served in various positions in the legislative and executive branches of the federal government.
On January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) submitted its eagerly anticipated final report on integrating cybersecurity requirements into all federal procurements. This report, which satisfies Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21, includes recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development.
The final report is perhaps most notable as another step toward an era in which almost every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril.
Cybersecurity issues will increasingly affect agency standard setting, coverage issues and incentives, government audits and investigations, security breach litigation, and other business drivers. Government contractors and other companies that handle government information or supply components that could be compromised electronically must begin, to the extent they have not already done so, to think both strategically and pragmatically about developing an integrated approach to these cybersecurity issues.
Background
On February 12, 2013, President Obama issued EO 13636 – Improving Critical Infrastructure Cybersecurity. Section 8(e) mandated that the Working Group, in consultation with the Department of Homeland Security (DHS) and the Federal Acquisition Regulatory (FAR) Council, “make recommendations to the President . . . on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Section 8(e) also directed the Working Group to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”
On May 13, 2013, the Working Group published a request for information (RFI), inviting public comment on the appropriate cybersecurity measures and parameters for federal procurements (summarized here). The Working Group also consulted with representatives from the DoD, GSA, DHS, FAR Council, the Office of Federal Procurement Policy, NIST, and others before issuing the final report.
Working Group Recommendations
The final report makes six recommendations, including that the federal government and/or contractors, as appropriate, should:
(1) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
(2) address cybersecurity in relevant training;
(3) develop common cybersecurity definitions for federal acquisitions;
(4) institute a federal acquisition cyber risk management strategy;
(5) include a requirement to purchase from original equipment or component manufacturers (OEM), their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and
(6) increase government accountability for cyber risk management.
For contractors, the most helpful recommendations ask the government to clarify, with more specificity, the standards to which contractors will be held accountable. For example, the first recommendation correctly observes that, “[o]ften, cybersecurity requirements are expressed in terms of compliance with broadly stated standards and are included in a section of the contract that is not part of the technical description of the product or service the government seeks to acquire.” This, the report concedes, “leaves too much ambiguity as to which cybersecurity measures are actually required in the delivered item.” Accordingly, the report recommends expressing baseline cybersecurity requirements as part of the acquisition’s technical requirements and including performance measures to ensure the baseline is maintained and risks are identified. The final report also recommends common cybersecurity definitions, which, if adopted, would go a long way toward alleviating anxiety about contractors’ and the government’s current and near-future cybersecurity obligations.
Though the recommendations are instructive, the final report does not actually mandate specific baseline requirements or propose common cybersecurity definitions. Nor does it propose a cyber risk management strategy or otherwise attempt to identify the acquisitions in which baseline requirements or OEM limitations are “appropriate.” Instead, the final report “intends” that others will harmonize these recommendations with ongoing rulemakings, cybersecurity standards, and statutory frameworks. In short: stay tuned.
Takeaways
First and foremost, change is coming. Although the final report recommendations are directed more toward government program managers and acquisition decision makers than industry, the harmonization of such recommendations with recent and forthcoming regulations, mandatory contract provisions, and other statutory requirements and protections will affect the industry directly and significantly.
Other critical points for government contractors to consider as the final report’s recommendations are implemented include:
The final report is a clear signal that mandatory baseline standards, training protocols, and other risk-based requirements are on the horizon. Those standards will likely be based on the NIST framework or, in specialized areas, even stricter protocols. Government contractors and other companies that handle government information must implement an integrated strategy that mitigates the risks associated with these cybersecurity issues, and where viable, the opportunities that these changes might create.
By Contributing Authors: Brian Finch, Justin Chiarodo, and Daniel Broderick from GTSC Strategic Partner Dickstein Shapiro
Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies. Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition. You can reach Brian at [email protected] (202)420-4823.
Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.
Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements.
Join GTSC for a Capacity Building session focused on assuring you don’t learn the hard lessons on your own skin!
Repeated project delays and cost overruns in Government contracts have turned the spotlight onto core issues of supplier selection, supplier integrity and supplier competence. Increasingly, Government agencies will test for a supplier’s capability to define and meet their contracted commitments – and this will include the need to demonstrate a robust commercial assurance and contract management process. For suppliers, this represents an opportunity to pro-actively demonstrate capability. This session will discuss the steps your organization could take to establish competitive advantage.
After years of practice and experience, the IACCM has brought together best practices in government contracting from around the globe. Paired with the former procurement officer of the U.S. Department of Homeland Security, this session will examine which of those best practices can be applied to contracting with DHS and the Defense Department.
Guest Speakers:
The Government Technology & Services Coalition cordially invites you to an Insight Session with Mr. Robert J. Carey, Principal Deputy Chief Information Officer at the Department of Defense.
Mr. Robert J. Carey serves as the Department of Defense Principal Deputy Chief Information Officer. Selected to this position in October 2010, his main focus is to help lead the consolidation and standardization of the Defense information technology enterprise while strengthening its cybersecurity posture and the enterprise architecture. His additional focus is to align, strengthen and manage the office of the DoD Chief Information Officer to have it better serve the Department’s mission and help lead the IT/Cyber workforce into the 21st century.
From November 2006 to September 2010, he served as the fifth Department of the Navy (DON) Chief Information Officer (CIO) where he championed transformation, enterprise services, the use of the internet, and information security. Mr. Carey joined the staff of the DON CIO in February 2000, serving as the DON CIO eBusiness Team Leader through June 2003. During this period, he also served as the Director of the DON Smart Card Office from February through September 2001. Mr. Carey entered the Senior Executive Service in June 2003 as the DON Deputy Chief Information Officer and was responsible for leading the DON CIO staff to achieve IM/IT enterprise integration across the Navy & Marine Corps.
Mr. Carey’s Federal service began with the U.S. Army at the Aberdeen Proving Ground in October 1982, where he worked as a Test Director evaluating small arms, automatic weapons and ammunition. He began his service with the Department of the Navy in February 1985 with the Naval Sea Systems Command. He worked in the Anti-Submarine/Undersea Warfare domain where he served in a variety of engineering and leadership positions.
Mr. Carey earned a BS in Engineering in 1982 from the University of South Carolina and a Master of Engineering Management from the George Washington University in 1995. He has been awarded the Department of the Navy Distinguished Civilian Service Award (twice) as well as the Superior and Meritorious Civilian Service Awards. He received the prestigious Federal 100 Award in 2006, 2008, and 2009, recognizing his significant contributions to Federal information technology. He was selected to the InformationWeek Top 50 Government CIOs in 2009, 2010, and 2011. Mr. Carey was named the Defense Executive of the Year for 2009 by Government Computer News, and he also received the prestigious Association for Federal Information Resources Management (AFFIRM) Executive Leadership Award – Defense for 2011.
A native of West Chester, PA, Mr. Carey is an active member of the United States Navy Reserve and currently holds the rank of CAPTAIN in the Civil Engineer Corps. He was recalled to active duty for Operation Desert Shield/Storm and Operation Iraqi Freedom where, in 2006-2007, he served in the Al Anbar province with I Marine Expeditionary Force.
On October 22, the Department of Defense (DoD) finalized the details for its DoD-Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) threat sharing program with defense industrial base companies. No changes have been made to the interim final rule published in May 2012.
This final rule responds to public comments regarding the establishment of the DIB CS/IA program, a voluntary cyber security information sharing activity between DoD and eligible DIB companies to enhance and supplement DIB participants’ capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems. The program is codified at 32 CFR Part 236 and implements DoD statutory authorities to establish programs and activities to protect DoD information and DoD information systems, including information and information systems operated and maintained by contractors or others in support of DoD activities (see 10 U.S.C. 2224 and the Federal Information Security Management Act (FISMA), codified at 44 U.S.C. 3541 et seq.). It also fulfills important elements of DoD’s critical infrastructure protection responsibilities as the sector-specific agency for the DIB sector (see Presidential Policy Directive 21 (PPD-21), “Critical Infrastructure Security and Resilience”).

This program allows eligible DIB companies to receive U.S. Government (USG) threat information and to share information about network intrusions that could compromise DoD programs and missions. In addition, the program permits DIB companies and DoD to assess and reduce damage to DoD programs and missions when DoD information is potentially compromised. Furthermore, the information sharing arrangements between DoD and each participating DIB company that implement the requirements of this rule are memorialized in a standardized bilateral agreement, known as a Framework Agreement (FA), signed by the participating DIB company and the Government.
The rule also provides the eligibility requirements for a company to participate in the DIB CS/IA program.
Costs for DIB participants include obtaining access to DoD’s secure voice and data transmission systems supporting the DIB CS/IA program and acquiring DoD approved medium assurance certificates. There also are costs associated with the collection requirements for providing point of contact information and cyber incident reporting. Government costs include onboarding new companies and collecting and analyzing cyber incidents from DIB participants.
A foundational element of this bilateral information sharing model is the recognition that the information being shared between the parties includes extremely sensitive nonpublic information, which must be protected against unauthorized uses and disclosures in order to preserve the integrity of the program.
For additional information regarding the Government’s safeguarding of information received from the DIB companies, with specific focus on PII, see the Privacy Impact Assessment (PIA) for the DIB CS/IA Program.
In addition, this rule and program are intended to be consistent and coordinated with, and updated as necessary to ensure consistency with and support for, other federal activities related to the handling and safeguarding of controlled unclassified information, such as those being led by the National Archives and Records Administration pursuant to Executive Order 13556, Controlled Unclassified Information (November 4, 2010).
This rule is not intended to implement the new requirements from section 941 of the National Defense Authorization Act for Fiscal Year 2013.
For more information, read the full final DIB CS/IA rule in the Federal Register.
In 2012, U.S. foreign military sales topped $65 billion. This panel will introduce small and mid-sized companies to some of the possibilities and pitfalls that accompany expanding into the international market. The speakers will discuss the types of opportunities available and how to access them, the differences between foreign military sales (FMS) and direct commercial sales (DCS) and how to leverage the U.S. government and foreign embassies in the D.C. area. This will be the first in a series of events designed to get GTSC members and other small and mid-sized companies thinking about the possibility of diversifying their revenues through international work.
Speakers:
Evan Croen
Director, Government Sales Research
Bloomberg Government
Evan Croen is the Director of Government Sales Research at Bloomberg Government. Evan worked at Boston Consulting Group, focusing on the energy, chemical and health-care industries, and at Duke Energy, where he researched strategies to reduce carbon emissions from Chinese energy production. He earned an MBA and master’s degree in environmental policy from the University of Michigan along with an undergraduate degree from Princeton.
General Mark T. Kimmitt (ret.)
Principal, MTK Defense Consulting
Former Assistant Secretary of State for Political Military Affairs
Former D/Assistant Secretary of Defense for Middle East Affairs
Brigadier General, US Army (ret)
The Honorable Mark T. Kimmitt advises firms on security and defense matters in the Middle East. He is also an on-air commentator for the al Jazeera English network, and a contributor to Oxford Analytica.
Until December 2011, Kimmitt served as Executive Vice President of Advanced Technology Systems Company, a defense advisory firm with an overseas focus, principally in the Middle East.
While in government service as a Presidential appointee, Kimmitt served as Assistant Secretary of State for Political-Military Affairs in the U.S. State Department. In that capacity, he was responsible for worldwide State Department political-military issues, with particular emphasis on security assistance and defense trade, as well as serving as the principal liaison between the Departments of State and Defense.
From 2006 to 2008, Kimmitt served as the Deputy Assistant Secretary of Defense for Middle East Policy. In this position, he was responsible for defense policy development, planning, and guidance to include operations in Afghanistan and Iraq, and represented DOD in the 2008 Status of Forces negotiations with Iraq as well as leading DOD efforts to enhance security in the Middle East through the Gulf Security Dialogue.
Kimmitt served for over 30 years as an officer in the United States Army in a wide variety of command, operational, and policy positions with experience abroad in Iraq, Bosnia, Kosovo, Macedonia, Korea, Germany, and Belgium.
Kimmitt is a graduate of the United States Military Academy at West Point and earned a master’s degree (with Distinction) from the Harvard Business School. He is a life member of the Council on Foreign Relations.
Ambassador Marisa R. Lino (ret.)
Corporate Director, Homeland/Civil/Regulatory/International
Government Relations, Northrop Grumman Corporation
Marisa Lino joined Northrop Grumman Corporation as Corporate Director in Government Relations in January 2009. From 2007 to 2008, she served at the Department of Homeland Security as Assistant Secretary for International Affairs as a career appointee. Prior to joining DHS, she directed the Johns Hopkins University School of Advanced International Studies (SAIS) Bologna Center in Italy from 2003 to 2006.
During nearly 30 years of distinguished service in the U.S. Foreign Service, Ms. Lino held overseas positions in Albania, Italy, Pakistan, Syria, Iraq and Peru. In her last position at the U.S. State Department from 2000 to 2003, she served as Senior Negotiator for Base Access and Burdensharing in the Bureau of Political Military Affairs. In this role, she led various negotiations with foreign governments on the legal and financial arrangements and coverage for military and civilian Defense Department personnel deployed abroad.
From 1996 to 1999 she served as U.S. Ambassador to the Republic of Albania. She was Refugee Coordinator in Pakistan overseeing the Afghan refugee program from 1988 to 1990, during the Soviet withdrawal from Afghanistan, a particularly active period. Ms. Lino acted as Deputy Chief of Mission in Syria for almost a year of her tour as Economic and Commercial Counselor at Embassy Damascus (1986-88). She served in Iraq from 1979 to 1981 as Economic and Commercial Officer, the second year of which coincided with the start of the Iraq-Iran War.
Hailing from Portland, Oregon, Ms. Lino has an M.A. in International Affairs from The George Washington University where she was the first woman granted a Scottish Rite Fellowship from the State of Oregon. She has a B.A. in political science from Portland State University. She later attended the University of Zagreb (then Yugoslavia), for a year of graduate studies in political science. On a State Department-sponsored mid-career program, she completed a Certificate in Advanced Engineering Studies in systems analysis at M.I.T. She also was awarded an honorary doctorate of international affairs by John Cabot University in 1999. Ms. Lino earned a Presidential Meritorious Service Award, four Superior Honor Awards and one Meritorious Honor Award during her Foreign Service career. In 2003, she was selected for the Secretary’s Distinguished Service Award by Secretary of State Colin Powell.
Vangala S. Ram
Office Director
Bureau of Political-Military Affairs/Office of Regional Security and Arms Transfers
U.S. Department of State
Mr. Ram was born in New York City. He is a first-generation American of Indian heritage. Mr. Ram was raised in the Middle East, where he attended elementary and high school in Beirut, Lebanon. After graduating from college, Mr. Ram served as a Military Intelligence (MI) officer in the U.S. Army on active-duty for over ten years in a variety of assignments that included a tour as a paratrooper in the Fourth Psychological Operations Group (PSYOPS) in the 1st Special Operations Command (Airborne), before joining the U.S. Foreign Service in 1992.
Mr. Ram has served in the NEA, AF, EAP, EUR and SCA bureaus with previous postings in Amman, Seoul, St. Petersburg, Moscow, Cologne, Banjul, Herat, Tunis and Riyadh in addition to Washington DC. During his nine consecutive overseas tours Mr. Ram served as Vice-Consul, First Secretary in the Management and Public Diplomacy cones, besides his assignment as Senior Civilian Representative to Regional Command (RC) West in Afghanistan and Deputy Chief of Mission (DCM) in The Gambia.
Mr. Ram’s foreign languages include German, French, Russian, Arabic and Persian-Farsi. He has earned awards during all his assignments and earned his MA in International Relations with Distinction from Boston University. Mr. Ram is a 2011 Distinguished Graduate (DG) of the Industrial College of the Armed Forces (ICAF). He is married to Marion H. Ram, also a Foreign Service Officer (FSO), now assigned as the Country Affairs Officer in the WHA/CCA bureau in Washington DC.
Thank you to Mr. Brandon Torres Declet, GTSC Strategic Advisor, and RADM Donald P. Loren (ret.), both of GTSC’s International Outreach workgroup, for putting this program together.
GTSC’s International Outreach Workgroup
Mr. Brandon Torres Declet, CEO, SouthernCrux International, LLC & GTSC Strategic Advisor
Brandon Torres Declet serves as Chief Executive Officer at Southern Crux International (www.socrux.com). Brandon brings more than a decade of experience working among senior government officials internationally and at the federal, state and local level. He previously served as Counsel to Senator Dianne Feinstein (D-CA) on the Senate Committee on the Judiciary and as Counsel to Representative Bennie Thompson (D-MS) on the House Committee on Homeland Security. He was previously a Senior Fellow at the Homeland Security Policy Institute (HSPI) at George Washington University, an advisor to the New York City Police Department (NYPD) Counter Terrorism Bureau and an adjunct professor at the Whitehead School of Diplomacy & International Relations at Seton Hall University. He also served as a senior analyst with Science Applications International Corporation (SAIC). Brandon earned a B.A. from Union College, a J.D. from the Fordham University School of Law and an LL.M. from the Georgetown University Law Center.
RADM Donald P. Loren (ret.), U.S. Navy, President & CEO, Old Dominion Strategies
Don Loren is an independent international, national and homeland security professional, and a leading-edge provider of Advisory and Assistance Services to government and commercial business. He formerly served as Special Assistant for National Security with The Tauri Group, a well-respected innovator in systems-level strategic planning, technology assessment, and integration for the Department of Defense, the Department of Homeland Security, the Defense Threat Reduction Agency, and the commercial sector on mission-critical projects for homeland defense, homeland security, countering weapons of mass destruction, and critical infrastructure protection. Prior to joining the private sector, Don was appointed Deputy Assistant Secretary of Defense for Homeland Security Integration in the Bush administration, where he was responsible for strategic planning and policy development, capability and resource assessment, domestic and NATO/international partnership Defense Support of Civil Authority integration and capacity building, congressional activities, strategic communications, and education issues related to homeland defense and homeland security. Additionally, in this capacity he represented the Department of Defense on the Homeland Security Council Domestic Readiness Group.