Posts Tagged ‘cyber regulations’

Comments on Cyber Requirements for Alliant II & Alliant Small Business Needed

Information assurance, IT security and cybersecurity are issues with increasing critical focus and importance within the federal space. In that view the concept of a Cyber Security Risk Management Plan has emerged as a possible solution to bridging the gap between industry and government while checking all the boxes in FIPS 200 (http://csrc.nist.gov/publications/PubsFIPS.html) and the underlying guidance as published by The National Institute of Standards and Technology (NIST). We would be interested in and value your opinion regarding the proposed approach to addressing an overarching cyber security plan for IT government contracts.

More information and the proposed plan are here.

1. This request for comment is one of several such requests being conducted through “GSA Interact” to obtain public and private sector input on the contract requirements as they are developed. The purpose of this activity is to collaborate with government and industry to gain sufficient input and feedback regarding the pre-planning phase of the follow-on contracts to the very successful Alliant and Alliant Small Business Governmentwide Acquisition Contracts (GWACs).

2. The ultimate goal of including these requirements in the Alliant contracts is strengthening the cybersecurity and resilience of the Federal government by improving cybersecurity risk management in the solutions procured by agencies through the Alliant GWACs. The proposed Contract Cybersecurity Risk Management Plan will become part of the base contract and is intended to provide a high-level summary of an industry partner’s plan to address common, high-level security requirements that are pertinent to any information technology project/order. It is not intended to duplicate the more detailed security deliverables that may be associated with an order requiring an authorization to operate.

3. It is important for stakeholders to note that this effort is intended to align with the recommendations made by GSA and DoD in the joint report “Improving Cybersecurity and Resilience through Acquisition,” which can be downloaded at this link: http://www.gsa.gov/portal/content/176547. The interagency working group that drafted the recommendations has been directly involved in developing this draft language with the Alliant program office, and the ongoing implementation of the report’s recommendations will also be informed by input received in response to this request for comment. The team that drafted this contract language also plans to develop a template for the Cybersecurity Risk Management Plans, and overlays (as referenced in the aforementioned report) for the Alliant II ordering guidance. Public input on the plan template and overlays will also be sought.

4. Interested parties are encouraged to respond to this request for comment in any way that provides relevant input about any aspect of the draft document, including “redline” or “track changes” versions of the actual document. In addition, addressing the draft in the context of the following questions may be instructive.

a. In general, is the approach articulated in the draft document a workable way to achieve the goals of the effort? What, if anything, needs to be added or removed?

b. Is the Cybersecurity Risk Management Plan, as described, adequate and appropriate to provide increased cybersecurity and resilience in the Alliant contracts and orders?

c. In addition to information security controls derived from the Cybersecurity Framework and other relevant NIST guidance and international standards, what other management safeguards that address business cyber risk should be included in the Contract Cybersecurity Risk Management Plan?

d. Should the Cybersecurity Risk Management Plan requirement “flow down” to subcontractors?

e. How should the Cybersecurity Risk Management Plan be priced in firm fixed price contracts when the Government unilaterally requires an update to an accepted plan? When a company submits an update to an accepted plan of its own accord?

f. Should the Government establish a minimum weighting for the Cybersecurity Risk Management Plan if/when it is used as a comparative source selection evaluation factor?

g. What should the Government use as minimum acceptance criteria for Cybersecurity Risk Management Plans?

h. Do the security-related areas listed in paragraphs (b)(3)(i)-(iii) provide an objective and measurable basis for comparative source selection evaluation of the Cybersecurity Risk Management Plans?


Comments on DOD-GSA Cyber Resilience Rules Needed!

On Wednesday, March 12, 2014, the Department of Defense (DOD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) requested public comments on its draft implementation plan (draft plan) for federal cybersecurity acquisition. See 79 Fed. Reg. 14042 (Mar. 12, 2014). The draft plan is the first of several steps toward implementing the recommendations outlined in the Working Group’s recently finalized report on Improving Cybersecurity and Resilience Through Acquisition (see our previous blog post for a summary).

As comments are due on April 28, 2014, federal contractors and other stakeholders should act quickly to submit their views on what will have a significant and lasting impact on federal cybersecurity acquisition practices.

The draft plan proposes a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions, and by design, it will affect nearly all contracting entities. The draft plan proposes a “taxonomy” for categorizing procurements so that the government can effectively prioritize those in need of additional resources, attention, and safeguards. As proposed, the taxonomy is modeled on Federal Information and Communications Technology (ICT) acquisitions—though the Working Group has asked whether this framework is a workable model for the categorization of all acquisitions. The Working Group would use the ICT framework to categorize all acquisitions that present cyber risk, after which it would separately assess the risks within each category. Categories that present greater cybersecurity risk (based on threats, vulnerabilities, and impacts) would receive more and faster attention in acquisitions. The taxonomy is, in our view, the most significant new development in the draft plan, as it will serve as the principal basis for categorizing the extent of cyber regulations for procurements. This aspect of the plan accordingly warrants particularly close attention.

The Working Group seeks comments in many areas, including whether:

(a) the approach is workable;

(b) the process will obtain sufficient stakeholder input;

(c) any additional assumptions, clarifications, or constraints should be expressed;

(d) the approach will satisfy the goals of Recommendation IV of the final report, i.e., whether it creates a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions;

(e) the major tasks and sub-tasks are appropriate and, if implemented, will achieve the identified outputs/completion criteria;

(f) the taxonomy and category definitions can be used to develop overlays (a fully specified set of security requirements and supplemental guidance that allow for the specific tailoring of security requirements);

(g) factors can be developed to assess each measure of cybersecurity risk (i.e., threat, vulnerability and impact);

(h) other aspects (e.g., annual spending) should be considered in category prioritization; and

(i) in addition to information security controls derived from the cybersecurity framework and other relevant NIST guidance and international standards, other procedural or technical safeguards that address business cyber risk should be included (e.g., source selection and pricing methodology, source selection evaluation criteria minimum weighting and evaluation methodology, etc.).

Submit comments here or contact GTSC to provide input to the Coalition’s response.


Brian Finch

Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies. Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition. You can reach Brian at [email protected] (202)420-4823.

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements.