THE PRIVACY & CIVIL LIBERTIES ASSESSMENT REPORT: WHAT DOES IT REALLY TELL US? A CHIEF PRIVACY OFFICER’S PERSPECTIVE

The week of April 7, 2014, with little notice or fanfare, the Department of Homeland Security issued its first annual Executive Order 13636 Privacy and Civil Liberties Assessment Report 2014. The report addresses the privacy and civil liberties impacts of certain agencies’ undertakings with respect to critical infrastructure cybersecurity and resilience. It is revealing as much for what it doesn’t say as for what it says with regard to the protection of privacy and civil liberties in the Executive Branch. The report is a study of contrasting approaches to privacy and civil liberties among first-tier federal agencies.

On February 12, 2013, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience. Combined, the documents call for the federal government to work with the private sector to strengthen the security and resilience of the Nation’s infrastructure – the vast majority of which is privately owned – and do so in a way that protects the privacy and civil liberties of Americans.

As set forth in the EO 13636 Report, departments and agencies are required to do the following:

  • Develop a technology-neutral voluntary cybersecurity framework;
  • Promote and incentivize the adoption of cybersecurity practices;
  • Increase the volume, timeliness, and quality of cyber threat information sharing;
  • Explore the use of existing regulation to promote cyber security; and
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our CI.

Additionally, PPD-21 requires that departments and agencies:

  • Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time;
  • Understand the cascading consequences of infrastructure failures;
  • Evaluate and mature the public-private partnership;
  • Update the National Infrastructure Protection Plan to take into account cyber aspects of infrastructure; and
  • Develop a comprehensive research and development plan.

The Department of Homeland Security (DHS) is the lead agency under the EO and PPD. And, under Section 5 of the Executive Order, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS, in consultation with the Privacy and Civil Liberties Oversight Board and in coordination with the Office of Management and Budget, are responsible for issuing a privacy and civil liberties assessment, with contributions from the privacy and civil liberties officials of the other agencies covered under the Executive Order (the Departments of Commerce, Defense, Health and Human Services (HHS), Justice, Transportation, Treasury, and Energy; the Office of the Director of National Intelligence (ODNI); and the General Services Administration (GSA)).

“Protections” include the Fair Information Practice Principles and any other privacy or civil liberties policies, principles or frameworks. The Fair Information Practice Principles to be used are those found in Appendix A of the National Strategy for Trusted Identities in Cyberspace, which mirrors the DHS Fair Information Practices (FIPPs), set forth in DHS Privacy Policy Guidance Memorandum 2008-1, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security.

At close to 50 pages, DHS’s section was the most comprehensive, robust assessment contained in the report. The two DHS offices addressed their authorities, frameworks, and involvement with the Administration’s critical infrastructure cybersecurity efforts, and then the four areas in which DHS was carrying out its responsibilities under EO 13636 and PPD 21: Cybersecurity Information Sharing–Sharelines; Expansion of the Enhanced Cybersecurity Services Program; the DHS Private Sector Clearance Program; and the DHS Loaned Executive Program. For each of the four areas, the DHS assessment provided a concise discussion of the agency’s actions, past and present, and the implications for privacy and civil liberties. Importantly, DHS addressed in very meaningful ways the circumstances under which it would use PII. After each area, the assessment listed recommendations to DHS, for a total of seven recommendations, many of which encourage increased transparency, oversight, and education.

The other departments’ and agencies’ assessments were far shorter, with far less detail. Significantly, many are sector-specific agencies in sectors with vast amounts of PII about American citizens. This month alone, the Government Accounting Office called out the SEC (GAO-14-419) to improve controls over financial systems and data, the IRS (GAO-14-405), and, most notably, the overall lax Federal agency response to data breaches involving PII (GAO-14-487T). This sector-specific PII might well be the target of future cyber incidents, and it certainly would be connected to any future incidents, yet most of the other agencies covered by the EO could only muster cursory assessments under 10 pages in length.

For example, Treasury, the sector-specific agency for banking and finance, lightly assessed its involvement in four pages covering three programs: the Critical Infrastructure Private Sector Clearance Program, the Voluntary Critical Infrastructure Cybersecurity Program, and Identification of Critical Infrastructure at Greatest Risk. Treasury provided no meaningful discussion of the FIPPs in its assessment, a requirement of the Executive Order.

Defense assessed its work with the Defense Industrial Base (DIB). Specific initiatives included the DIB Cyber Security/Information Assurance (CS/IA) Program and the DIB Enhanced Cyber Security Services (DECS). Importantly, Defense noted that a “specific cyber incident may include PII that is incidental to, or embedded in, the information the DIB company has shared with [Defense] for cyber security analysis.” In the absence of a list of affected DIB companies, and of the type and amount of PII that could be the subject of a cyber incident, the Defense assessment failed to provide a meaningful discussion of the privacy impacts associated with such sharing.

Justice’s assessment was surprisingly short, four pages, especially given that the Justice Privacy and Civil Liberties Officer is a senior position within the Department and an equal of DHS’s Chief Privacy Officer. The Justice assessment focused on iGuardian, “an unclassified web portal designed to accept cyber intrusion complaints from the private sector.” As the ACLU noted, Justice’s remark that only information that is “relevant” is maintained is dubious in a post-Snowden world, given that all information in the digital realm may be relevant to law enforcement and intelligence agencies.

Commerce’s very brief assessment focused on the National Institute of Standards and Technology’s (NIST) work on the Cybersecurity Framework in collaboration with industry. In fairness to Commerce, NIST has not yet issued its final version of the Framework, arguably limiting its ability to provide a thorough assessment of NIST’s efforts.

The assessment by HHS – the sector-specific agency for health care – ever so briefly touched on the various aspects of EO 13636 and PPD 21 with which it was involved: Cybersecurity Information Sharing; Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Greatest Risk. Transportation was the same, lightly touching on: Cybersecurity Information Sharing; Development of Cybersecurity Framework; The Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Risk. Energy’s assessment focused on its PPD-21 responsibilities related to the energy sector. Surprisingly, Energy failed to discuss those responsibilities from a civil liberties perspective.

ODNI assessed the implications of its issuance of “instructions for the Intelligence Community (IC) to ensure the timely production of unclassified cyber products to the U.S. homeland that identify a specific targeted entity”, otherwise known as “tearlines.” The ODNI assessment provided a passable discussion on the FIPPs, but in transitioning to the agency’s Intelligence Community responsibilities, it appeared to be accepting as true that any already collected PII was properly corrected. In light of the Snowden revelations and the bulk collection of telecommunications and internet service provider data, this part of the assessment rings hollow.

Finally, GSA addressed its responsibilities under the EO to work with Defense to make recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” GSA came to the remarkable conclusion that its joint report with Defense on acquisition “does not directly impact privacy and civil liberties as personally identifiable information (PII) is not collected, used, or disseminated.”

Taken as a whole, it is clear that privacy is not protected in an equal fashion across the Executive Branch. Many agencies do not grasp the policy implications of the FIPPs. Some did not even bother to address them. Lastly, there was an overall lack of transparency in the agencies’ critical infrastructure cybersecurity efforts. And that may be the most important aspect of this report: it shows how far tier one agencies have to go to get privacy right.

Contributing Author: Hugo Teufel

Hugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security. An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; government contracts formation, administration and litigation.

Government Contracting Matters

Each day you come to work you are privileged to have the opportunity to do something great, difficult, unlikely, or nearly impossible to achieve. Each time you pursue an opportunity, submit a proposal, or win a contract, you and your company make a vast difference. Once the contract begins, your company is able to provide a valuable service to the nation or to the community. If you can ever stop long enough to reflect, you know that the projects you pursue and eventually execute are intrinsically important.

As a professional devoted to business development, capture or proposal management, you help your company secure and win work. Once won, these contracts perform a valuable national service. Consider, therefore, your role in supporting your company’s role to…

You Help Your Companies, and Your Companies Help Government…

  • Alleviate poverty
  • Save lives
  • Combat terrorism
  • Communicate globally
  • Cure cancer
  • Enhance national security
  • Fight crime
  • Maintain health
  • Manage vast amounts of critical data
  • Prevent child abuse
  • Promote equality and human rights
  • Pursue peace
  • Support air safety
  • Clean up the environment

Many people live an entire lifetime hoping to have such an impact.

This is why we do what we do: it matters.

Be proud.

Jim McCarthy’s career spans 30 years of marketing strategy creation, proposal development, and oral presentation coaching to contractors seeking to expand their market shares or to enter the government contracts market sector. As President and co-founder of American Operations Corporation (AOC), and Principal Owner and Technical Director of AOC Key Solutions Inc. (KSI), he has built an organization that supports an average of $3.4 billion per year in client wins.

Essential Steps to Prioritizing IT Expenditures

More and more Federal CIOs (and their staffs) are realizing a need to get their arms around their in-house IT requirements vetting.  Since joining ISS in 2013, we have expanded our IT/Data requirements support at NOAA (National Ocean Service and National Weather Service) and Defense Logistics Agency (built and automated the “IT Front Door”).  We’ve been able to support various levels of requirements automation and sophistication.  Bottom line – we’ve had to serve the client’s mission to get a handle on what’s in their enterprise, and how to efficiently fill new requirements.

We’ve seen our clients realize that when a small agency becomes an enterprise, tools become capability suites and discussions become corporate communications.  It happens when the Office of the Chief Information Officer (OCIO) realizes they’ve lost visibility over new IT spending for tools, technologies or capabilities, or when the integration and sustainment costs are growing out of control.  CIOs need a structured, disciplined review and analysis of new and existing IT investments and capabilities, and they long for standard, repeatable processes.  But where do you start?

There are several essential steps when trying to manage your “approval life cycle” and better prioritize IT expenditures:

  • Provide a single face to the internal customer concerning new capabilities and requirements. That person or office receives, reviews, coordinates, and tracks requests through a matrixed team of subject matter experts across the organization.
  • Define the roles and responsibilities of each party in the process, and clarify the rules and policies that make the IT requirements vetting process mandatory.
  • Establish evaluation and approval criteria, business rules, quality checks and feedback reporting for requirement submissions (business case and life cycle analysis).
  • Build a knowledge base of existing tools and licenses. Accelerate the approval process when the desired capability exists within current IT solutions or systems.
  • Check requests against Chief Information Officer (CIO) and Chief Technology Officer (CTO) strategies, ensuring correct vetting, and documenting approvals.
  • Advertise capabilities and approvals to leadership, internal customers, and stakeholders.
  • Document architecture/configuration changes.
  • Establish linkages to the budget process where business cases can be vetted.

A skeleton view of a requirements review process has three essential phases, which we have seen broken into more, but rarely fewer steps:

Coherent Requirement Documentation – Every internal request for IT capability (resource dedication) should be approved by a business process owner before submittal.  This will help ensure both the clarity and completeness of the request.  Once a request is submitted, it should be reviewed by the requirements process owner to ensure it makes sense to the IT subject matter experts (SMEs) who can help translate the request from business process to technology/tool/process definition.  Once the analysts and the customers agree that they have accurately captured the essence of the need, the request moves forward to internal vetting and analysis.

Internal Vetting and Analysis – This is the most extensive step because it involves due diligence – ensuring the request improves either business operations or customer interface.  Analysts will first check the existing library of technologies and tools to ensure this need can’t be covered by an existing (or planned) capability.  If the need can be met with an existing technology or tool, the approval process can be accelerated.

Next the analysts work with the Chief Technology Officer to check for existing commercial-off-the-shelf (COTS) or government-off-the-shelf (GOTS) tools to fill the need.  If there are no existing tools, the CTO may need to help draft documentation to guide a developmental effort, which can reflect a significant time and resource commitment for the organization.

Finally, the analysts assess the relevance to the CIO/CTO strategies, compatibility with existing architectures, and the time/money required to move forward.  Once these issues are assessed, the request may be returned to the customer for adjustment/re-work, or forwarded for approval and funding.

Approval and Funding – When the team decides there is sufficient information and analysis to merit a decision, they recommend an approval level (based on resource commitment authorities).  For inexpensive efforts, this could mean an approval notice which authorizes the customer to buy the COTS/GOTS tool using office funds.  For more complex and expensive efforts, it may mean assigning a priority for resource competition at budget deliberation time.

The complexity of the mission, organization and supported processes will drive the complexity of the requirements approval process.  But once it’s in place, a structured, disciplined review and analysis of new and existing IT investments and capabilities using standard and repeatable processes will help prevent redundancy, prioritize investments, ensure architectural integrity and reduce life cycle costs.

Implementation – Integrated Systems Solutions has been developing a variety of requirements management systems for federal customers since 2008. Whether it’s IT requirements, IT modernization, environmental observation requirements, ocean observation requirements, or data/metadata requirements, we have experts who can guide you to a user-friendly, enduring solution.  We can match the sophistication and automation of your process (from hands-on committee-based discussions to end-to-end web-based solutions) based on your organizational needs, culture, time and fiscal resources.

Brigadier General Bob Ranck (ret.) is Vice President of Integrated Systems Solutions (ISS), a Service-Disabled, Veteran-Owned Small Business (SDVOSB) possessing a Top Secret Facility clearance and ISO 9001:2008 certification. General Ranck served as Director, Warfighter Systems Integration, Office of Information Dominance and Chief Information Officer, Office of the Secretary of the Air Force, the Pentagon, Washington, D.C.

DOD Gets Serious About Supply Chain Integrity

The issue of counterfeit electronic parts in the Department of Defense (DOD) supply chain has taken center stage in recent years given the performance and security concerns that such parts can pose. Hearings before the Senate Armed Services Committee in November 2011 revealed an “open and notorious” counterfeit parts industry and led to the inclusion of Section 818 in the FY 2012 National Defense Authorization Act (NDAA), which was enacted on December 31, 2011. Section 818, which was further amended by the 2013 NDAA, requires the DOD to implement regulations to define, identify, and prevent the use of counterfeit electronic parts in DOD procurements as well as limit the allowability of costs to replace, rework, or take other corrective action in connection with such parts. Notably, the risks and costs associated with these requirements will largely be placed on contractors.

Although final regulations have yet to be issued, the DOD issued proposed rules on May 16, 2013 and December 3, 2013 for industry consideration. As issued, however, the proposals, which raise more questions than they answer, place significant cost and performance risks (including breach, termination, and perhaps even false claims liability) on covered contractors and will almost certainly and significantly increase compliance costs.

Proposed Rules for Implementing Section 818 of the FY 2012 NDAA

DFARS Case 2012-D055—May 16, 2013 Proposed Rule

The May 16, 2013 proposed rule (78 Fed. Reg. 28,780) sought to define certain key terms in Section 818 and would, if enacted as proposed, impose new requirements on contractors subject to the Cost Accounting Standards (CAS) or to CAS-covered contracts. Thus, the rule is aimed at larger contractors that perform cost-type work for the military.

Under the proposed rule, a counterfeit electronic part would broadly be defined as any “item from a legally authorized source that is misrepresented by any source to the end user as meeting the performance requirements for the intended use.” Moreover, under the proposed rule: (1) covered contractors would be required to have contract purchasing systems and procedures for detecting and avoiding the use of counterfeit electronic parts or suspected counterfeit electronic parts, and would be responsible for detecting such parts; (2) the government would be authorized to withhold payment if the contractor’s purchasing system fails to meet these requirements; and (3) any costs incurred to replace or rework counterfeit electronic parts would be unallowable. The requirements would be flowed down to subcontractors.

While there is a safe harbor to the regulations, it is limited and would apply only where contractors received the counterfeit parts from the government, have a DOD-approved counterfeit-detection and avoidance system, and where they provided early notice to the government of the counterfeits.

DFARS Case 2012-0352—December 3, 2013 Proposed Rule

The December 3, 2013 proposed rule (78 Fed. Reg. 72,620) requires covered contractors to abide by the quality standards selected by the contracting officer, which would be incorporated into the contract. Specifically, the rule states that “[t]he contractor must ensure that its deliverables meet all the specified quality standards, which also entails ensuring that its subcontractors adhere to the higher level quality standard where appropriate.” Accordingly, as proposed, a contracting officer may unilaterally specify the quality and testing standards that are to apply not only as to the contractor, but any subcontractors (at potentially any tier) based on the particular requirements and risk profile of the engagement. Moreover, the proposed requirements will likely also impact contractors’ purchasing systems, as any such higher-level quality and testing standards, if directed, would presumably be incorporated into those systems and subject to Defense Contract Audit Agency (DCAA) business systems reviews.

The Implications to Contractors From the Section 818 Proposed Rules

The regulations proposed for implementing Section 818 raise a number of significant issues.

The rules present significant financial ramifications. Covered contractors would be responsible for the costs of removing and replacing any counterfeit parts outside of the narrow safe harbor, in addition to incurring substantial costs to augment, or even wholly revamp, their purchasing systems, procedures, and controls to meet the new anti-counterfeit detection and avoidance requirements and any more stringent quality or testing standards required by a contracting officer, at both the prime and subcontractor levels.

There is no apparent limit on DOD’s authority to require expensive rework or even wholesale replacement of actual or suspected counterfeit parts, even when there is no demonstrable impact on performance, security, or system integrity.

Although the rules are directed at larger, CAS-covered contractors, their reach will likely extend beyond this class given the requirements to flow down “counterfeit avoidance and detection requirements” to all subcontractors, regardless of their size or whether they are CAS covered.

Because the rules incorporate counterfeit avoidance procedures as criteria for an acceptable purchasing system, a matter which DCAA reviews during business systems evaluations, a covered contractor’s failure to adopt sufficient procedures could result in the disapproval of its purchasing system and having payments withheld.

The rules lack the necessary specificity or detail to apply them with any acceptable predictability. The definitions for key terms such as “counterfeit electronic part,” “suspected counterfeit part,” and “trusted supplier” are poorly defined such that even new parts purchased from an OEM or other authorized source could still be deemed counterfeit.

Finally, the rules provide no specific standards, benchmarks, or best practices by which the DOD will approve a contractor’s purchasing system. The lack of meaningful guidance places contractors in an untenable position—contractors will have to make substantial investments to implement a counterfeit detection and avoidance system but have no assurances that the government will approve the system for safe harbor protection.

Given the morass of issues, it is unsurprising that DOD has invited stakeholders to attend another public meeting on March 27, 2014 to further discuss the “implementation of the requirements for detection and avoidance of counterfeit electronic parts,” including in particular, the definition and implementation of trusted suppliers. The DOD also indicated that it is preparing a final rule in connection with the May 16, 2013 proposal, so a final rule on the initial set of regulations may soon be forthcoming. However, the March 27 meeting could delay this effort. While there is much uncertainty regarding the direction the military will take to combat counterfeit electronics in its supply chain, we clearly have a long way to go before a fair, balanced, and workable system can be implemented.

Comments on DOD-GSA Cyber Resilience Rules Needed!

On Wednesday, March 12, 2014, the Department of Defense (DOD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) requested public comments on its draft implementation plan (draft plan) for federal cybersecurity acquisition. See 79 Fed. Reg. 14042 (Mar. 12, 2014). The draft plan is the first of several steps toward implementing the recommendations outlined in the Working Group’s recently finalized report on Improving Cybersecurity and Resilience Through Acquisition (see our previous blog post for a summary).

As comments are due on April 28, 2014, federal contractors and other stakeholders should act quickly to submit their views on what will have a significant and lasting impact on federal cybersecurity acquisition practices.

The draft plan proposes a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions, and by design, it will affect nearly all contracting entities. The draft plan proposes a “taxonomy” for categorizing procurements so that the government can effectively prioritize those in need of additional resources, attention, and safeguards. As proposed, the taxonomy is modeled on Federal Information and Communications Technology (ICT) acquisitions—though the Working Group has asked whether this framework is a workable model for the categorization of all acquisitions. The Working Group would use the ICT framework to categorize all acquisitions that present cyber risk, after which it would separately assess the risks within each category. Categories that present greater cybersecurity risk (based on threats, vulnerabilities, and impacts) would receive more and faster attention in acquisitions. The taxonomy is, in our view, the most significant new development in the draft plan, as it will serve as the principal basis for categorizing the extent of cyber regulations for procurements. This aspect of the plan accordingly warrants particularly close attention.

The Working Group seeks comments in many areas, including whether:

(a) the approach is workable;

(b) the process will obtain sufficient stakeholder input;

(c) any additional assumptions, clarifications, or constraints should be expressed;

(d) the approach will satisfy the goals of Recommendation IV of the final report, i.e., whether it creates a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions;

(e) the major tasks and sub-tasks are appropriate and, if implemented, will achieve the identified outputs/completion criteria;

(f) the taxonomy and category definitions can be used to develop overlays (a fully specified set of security requirements and supplemental guidance that allow for the specific tailoring of security requirements);

(g) factors can be developed to assess each measure of cybersecurity risk (i.e., threat, vulnerability and impact);

(h) other aspects (e.g., annual spending) should be considered in category prioritization; and

(i) in addition to information security controls derived from the cybersecurity framework and other relevant NIST guidance and international standards, other procedural or technical safeguards that address business cyber risk should be included (e.g., source selection and pricing methodology, source selection evaluation criteria minimum weighting and evaluation methodology, etc.).

Submit comments here or contact GTSC to provide input to the Coalition’s response.

Brian Finch

Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies. Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition. You can reach Brian at [email protected] (202)420-4823.

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements. 

GTSC Capacity Building: The Key to Technical Solution Architecture

As a capture or proposal manager for a government contract, eventually someone will call for a technical “solution architecture.” Unfortunately, most do not know what one is, what it looks like, or the difference between a good one and a bad one. There is no commonly accepted definition or measure of merit for what constitutes a technical solution. Moreover, even experienced writers fail to realize that, for most proposals, there is usually not a (single) solution architecture, but many.

What is a technical solution? Simply stated: it is your answer to one or more of your customer’s pressing needs or significant challenges. There are many ways to approach your solution. Here is one proven to work.

Describe the Technical Challenge(s). What is the problem in need of a solution? How do we demonstrate that we “get it”? What are the risks? What are the consequences of failure to fix the problem? Demonstrate we understand the scope and complexity of the problem. Describe the “as-is” state, and why it is not optimal or could be improved.

List Your Assumptions. What, if any, prudent, reasonable, necessary or desirable assumptions must be made to bound or support our plan below?

Describe Your Plan or Solution. How do we solve the technical challenge(s)? Provide the a) who (organization or key personnel, responsibilities and authorities, labor categories and skill mix); b) what (system, technology, process, procedure, policy, steps, activities); c) when (timeframe, schedule, milestones, dates or phases); d) where (location(s) where the work will be performed); e) why (rationale for why our solution will work); and f) how (methods to measure our solution’s effectiveness—metrics, performance measures, success criteria, and relevant benchmarks). Identify potential risks of our plan…and eliminate or mitigate them.

Provide Your Experience. What is our relevant experience and past performance that demonstrates the credibility and effectiveness of our approach? Where has our solution (or something closely akin to it) been successful before?

Customer Benefits. How will our customer benefit from our understanding, plan, and relevant experience? Be specific. Think improved safety, enhanced quality, improved performance, reduced costs, accelerated schedule, fewer risks, and increased customer or stakeholder satisfaction.

Vision for the End State. Assume our solution was successfully implemented. What is the end state (or “to be” state)? What would it look like? Describe how activities would be carried out safer, better, faster, and cheaper.

Graphics. Include supporting graphics such as: process flows, charts, milestone schedules, matrices, risk registers, schematics, pictures, customer testimonials, snapshots of awards or commendations, feature/benefit charts, organizational charts, or related visuals.

Demystify the technical solution. Divide it into manageable parts. Always remember that the technical solution must solve a real problem (or don’t bother). Your customer will respect you for it.

By Contributing Author:  Jim McCarthy

Jim McCarthy’s career spans 30 years of marketing strategy creation, proposal development, and oral presentation coaching to contractors seeking to expand their market shares or to enter the government contracts market sector. As President and co-founder of American Operations Corporation (AOC), and Principal Owner and Technical Director of AOC Key Solutions Inc. (KSI), he has built an organization that supports an average of $3.4 billion per year in client wins.

A Perspective on the DoD-GSA Recommendations to Improve Cyber Security and Resilience through Acquisition

The views expressed in this article are solely those of the author and do not reflect the opinion of the General Services Administration or the Department of Defense.

I always start out any discussion of cybersecurity by emphasizing the context of the problem.  In our increasingly hyper-connected world, cyber risks affect us all – governments, private sector organizations, and individuals.  Cybersecurity events have become commonplace, almost daily occurrences, and with the advent of the “internet of things,” they are only going to increase in frequency and magnitude.  It is a shared problem.  And it demands a shared solution.  We have an obligation to take actions in our personal and professional lives to help provide for our personal, national and economic security.  Changing how the federal government buys things using our tax dollars is an important part of the solution.

Last week DoD and GSA released a report that provides six strategic acquisition reforms to improve cybersecurity.  I’m pleased that the recommendations have been well received by the federal acquisition community.   In my opinion, the report has been well received because it is a community product.  The recommendations reflect the views and expertise of a diverse set of stakeholders from sole proprietors and individual citizens to multinational corporations and government agencies.  The report does a decent job of articulating what needs to be done; now the hard work of figuring out how it gets done is in front of us.

As a threshold matter, it’s important to know that the order of the recommendations in the report is not indicative of their relative importance or the sequence of implementation.  The most important recommendation is actually number four.  Why is number four most important?  Because the other recommendations can’t be fully implemented until number four is.  For example, recommendation number one suggests including new “cybersecurity hygiene” requirements for appropriate contracts.  However, we won’t know which contracts are appropriate until the risk management strategy of number four is at least partially developed.  I’ll explain below.

Recommendation number four is titled:  “Institute a Federal Acquisition Cyber Risk Management Strategy.”

The goal of this recommendation is to develop a repeatable, scalable process for addressing cyber risk in federal acquisitions based on (1) the risk inherent to the product or service being purchased, and (2) the risk tolerance of the end user.

The first step is to develop a consistent method to measure cyber risk in the things the government buys.  Once we specifically identify which types of acquisitions present cyber risk, we can decide which types are “appropriate.”  The primary question here, from National Security Systems to paper clips, is which types of buying do or don’t present cyber risk.

Because we can’t possibly address all the types of acquisition at once, the next step is to prioritize the types of federal acquisition by risk so we can identify the right starting point.  The prioritization should probably consider cyber risk, mission-criticality of the function supported by the type of acquisition, and the amount of money spent on the type of acquisition annually, among other things.  Which other things should this prioritization consider?

After the prioritization is complete, starting with the highest risk type of buying, develop acquisition-cybersecurity “overlays” applicable to all buys of that type.  The overlays will include both procurement and information security practices – two very different and arcane disciplines.  Which security controls from NIST SP 800-53 revision 4 should apply to a type of acquisition?  Which acquisition practices should apply?  When should the government not use lowest-price-technically-acceptable source selection?

The DoD-GSA report gives us a good strategy, and it provides a solid frame of reference, but as the old saying goes – the devil is in the details.  Nothing could be truer about the next steps here.

The government has committed to continuing the collaborative process used to develop the recommendations as it develops the implementation plan.  In the next few weeks, the agencies will publish a request for comment on a draft plan for implementing the recommendations.  The draft plan will propose specific actions to accomplish the recommendations, starting with the cyber risk management strategy.

So, stay engaged.  And when the request for comment is published, do your part to help solve one of the most pressing issues of our time by submitting your suggestions.

By Contributing Author:  Emile Monette

Emile Monette is a recognized authority in the legal and operational aspects of public procurement, cybersecurity supply chain risk, and supply chain sustainability.  His background includes domestic, international, and U.S. military experience investigating, negotiating, and managing multimillion-dollar contracts.  Emile is a fifteen-year veteran of procurement law and policy development, and he has served in various positions in the legislative and executive branches of the federal government.

Happy Days Are Here Again, For a Few

The year 2013 presented its share of challenges to the federal government, the federal IT contracting community, and Congress and its budget process. Going into 2014, the sequestration as we have come to know it has taken a back seat to more forward-thinking leadership from our political leaders.

Even though the sequestration didn’t last long, it lasted long enough to cause crippling damage to small and large businesses alike. The New Year has arrived, and with it comes an end to the Continuing Resolution (CR); a new two-year congressional budget has been approved. The New Year also brings a couple of pieces of new legislation designed to make the government more efficient in its IT acquisitions. The legislation proposes to provide a single point of responsibility, and possibly budget authority, at the CIO level of each agency, with the possibility of establishing an Acquisition Center of Excellence to assist agencies with complex acquisitions and keep them apprised of lessons learned in acquiring technology. Consideration is also being given to establishing a Federal Infrastructure and Common Application Collaboration Center. Both could have a significant impact on the contracting community and the way it pursues business opportunities.

Pending Legislation:

The House Oversight and Government Reform Committee: “The Federal Information Technology Acquisition Reform Act,” which the committee tried to pass through the National Defense Authorization Act via an amendment, but it did not sneak through.

The Senate Appropriations Committee/Bipartisan Budget Act of 2013: “The Federal Information Technology Savings, Accountability, and Transparency Act,” which is still pending.

Boy, isn’t this music to the ear? Does this bring about a sigh of relief to the IT contracting community? Are happy days really here again? Well, as the title of this article says “but only for a few” and here is why.

The budget struggle that the federal government faces is not going to go away anytime soon. Consolidation of resources, technology and staff will continue to be its focus for years to come. The vendor community must recognize this and adjust accordingly. Shrinking budgets means project consolidations, contract consolidation, staff reduction and yes, long-term vendor collaboration.

The vendor community must become more serious and aggressive in its ability to form long-term strategic alliances. Many are still operating in the “old school” mode of simple teaming arrangements for subcontracting opportunities. I refer to this as the “meal or deal of the day” model. The landscape has changed in two very dynamic ways: 1) budgets require users to do more with less, and 2) the idea of optimal efficiency is at the top of the organizational pyramid due to budget cuts.

From a vendor perspective, responding to these dynamics can only be realized by forming long-term strategic alliances. Traditional teaming/subbing does not provide long-term growth, especially if your team isn’t winning. And if it is winning, your success is only good for a couple of years.

Collaborating with the competition, and sometimes with your customer, can position you to capitalize on steady long-term growth in the marketplace. To do this, we recommend that you:

  1. Change your focus from short-term teaming/subcontracting arrangements to mid-range and long-term opportunities (30%, 25%, 45%).
  2. Identify potential partners with whom you can grow together for a minimum of 5-7 years of growth and market positioning.
  3. Make sure you perform comprehensive internal and external assessments of all potential partners, and integrate as much as possible.
  4. Find and align yourself with 3 long-term strategic partners that match your growth strategy.
  5. Co-market and co-brand your business development and capture plan activities. When feasible, co-develop technical solutions with your partners to pursue opportunities a minimum of 3 years out.

Doing these five things will definitely help you prepare and position your company for future trends in this changing landscape. You just might find yourself in the (few) category and end up having a prosperous New Year!

Contributing Author:  Earl S. Holland, III


Earl is President/CEO of Growth Strategy Consultants, LLC and a Strategic Advisor to the Government Technology & Services Coalition (GTSC).  Earl specializes in strategic alliance development and training, business development and capture planning, and has worked for large and small companies in government contracting for over 20 years.

DOD & GSA Issue Final Report on Improving Cybersecurity & Resilience through Acquisition

On January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) submitted its eagerly anticipated final report on integrating cybersecurity requirements into all federal procurements. This report, which satisfies Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21, includes recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development. 

The final report is perhaps most notable as another step toward an era where most every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril.

Cybersecurity issues will increasingly affect agency standard setting, coverage issues and incentives, government audits and investigations, security breach litigation, and other business drivers. Government contractors and other companies that handle government information or supply components that could be compromised electronically must begin, to the extent they have not already done so, to think both strategically and pragmatically about developing an integrated approach to these cybersecurity issues.

Background

On February 12, 2013, President Obama issued EO 13636 – Improving Critical Infrastructure Cybersecurity. Section 8(e) mandated that the Working Group, in consultation with the Department of Homeland Security (DHS) and the Federal Acquisition Regulatory (FAR) Council, “make recommendations to the President . . . on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Section 8(e) also directed the Working Group to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

On May 13, 2013, the Working Group published a request for information (RFI), inviting public comment on the appropriate cybersecurity measures and parameters for federal procurements (summarized here). The Working Group also consulted with representatives from the DoD, GSA, DHS, FAR Council, the Office of Federal Procurement Policy, NIST, and others before issuing the final report.

Working Group Recommendations

The final report makes six recommendations, including that the federal government and/or contractors, as appropriate, should:

(1) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;

(2) address cybersecurity in relevant training;

(3) develop common cybersecurity definitions for federal acquisitions;

(4) institute a federal acquisition cyber risk management strategy;

(5) include a requirement to purchase from original equipment or component manufacturers (OEM), their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and

(6) increase government accountability for cyber risk management.

For contractors, the most helpful recommendations ask the government to clarify, with more specificity, the standards to which contractors will be held accountable. For example, the first recommendation correctly observes that, “[o]ften, cybersecurity requirements are expressed in terms of compliance with broadly stated standards and are included in a section of the contract that is not part of the technical description of the product or service the government seeks to acquire.” This, the report concedes, “leaves too much ambiguity as to which cybersecurity measures are actually required in the delivered item.” Accordingly, the report recommends expressing baseline cybersecurity requirements as part of the acquisition’s technical requirements and including performance measures to ensure the baseline is maintained and risks are identified. The final report also recommends common cybersecurity definitions, which, if adopted, would dramatically reduce anxiety about contractors’ and the government’s current and near-future cybersecurity obligations.

Though the recommendations are instructive, the final report does not actually mandate specific baseline requirements or propose common cybersecurity definitions. Nor does it propose a cyber risk management strategy or otherwise attempt to identify the acquisitions in which baseline requirements or OEM limitations are “appropriate.” Instead, the final report “intends” that others will harmonize these recommendations with ongoing rulemakings, cybersecurity standards, and statutory frameworks. In short: stay tuned.

Takeaways

First and foremost, change is coming. Although the final report recommendations are directed more toward government program managers and acquisition decision makers than industry, the harmonization of such recommendations with recent and forthcoming regulations, mandatory contract provisions, and other statutory requirements and protections will affect the industry directly and significantly.

Other critical points for government contractors to consider as the final report’s recommendations are implemented include:

  • What cybersecurity terms will be defined, and what will those definitions look like? Considering that the definitions will be used government-wide, it is imperative that contractors provide feedback, lest a definition be issued that is contrary to their interests, or even defies common sense;
  • What topics will be covered in the cyber education program for the procurement workforce? If procurement officials are not properly educated on a variety of threats, they may fail to incorporate standards and requirements that are necessary for information protection;
  • How will the federal risk management strategy be developed, and will it be flexible enough to account for the rapidly evolving threat environment?
  • Are contractors prepared to fight back against cybersecurity requirements in federal acquisition programs that are being used to exclude otherwise acceptable vendors and technologies? and
  • How deep will these requirements reach into federal contractors’ business? In other words, will the cybersecurity obligations be limited just to public-contracting programs, or will they effectively become company-wide requirements regardless of the buyer?

The final report is a clear signal that mandatory baseline standards, training protocols, and other risk-based requirements are on the horizon. Those standards will likely be based on the NIST framework or, in specialized areas, even stricter protocols. Government contractors and other companies that handle government information must implement an integrated strategy that mitigates the risks associated with these cybersecurity issues, and where viable, the opportunities that these changes might create.

By Contributing Authors: Brian Finch, Justin Chiarodo, and Daniel Broderick from GTSC Strategic Partner Dickstein Shapiro


Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies. Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition. You can reach Brian at [email protected] or (202) 420-4823.

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements.