
Posts Tagged ‘Emile Monette’

A Perspective on the DoD-GSA Recommendations to Improve Cyber Security and Resilience through Acquisition

The views expressed in this article are solely those of the author and do not reflect the opinion of the General Services Administration or the Department of Defense.

I always start out any discussion of cybersecurity by emphasizing the context of the problem.  In our increasingly hyper-connected world, cyber risks affect us all – governments, private sector organizations, and individuals.  Cybersecurity events have become commonplace, almost daily occurrences, and with the advent of the “internet of things,” they are only going to increase in frequency and magnitude.  It is a shared problem.  And it demands a shared solution.  We have an obligation to take actions in our personal and professional lives to help provide for our personal, national and economic security.  Changing how the federal government buys things using our tax dollars is an important part of the solution.

Last week DoD and GSA released a report that provides six strategic acquisition reforms to improve cybersecurity.  I’m pleased that the recommendations have been well received by the federal acquisition community.   In my opinion, the report has been well received because it is a community product.  The recommendations reflect the views and expertise of a diverse set of stakeholders from sole proprietors and individual citizens to multinational corporations and government agencies.  The report does a decent job of articulating what needs to be done; now the hard work of figuring out how it gets done is in front of us.

As a threshold matter, it’s important to know that the order of the recommendations in the report is not indicative of their relative importance or the sequence of implementation.  The most important recommendation is actually number four.  Why is number four most important?  Because the other recommendations can’t be fully implemented until number four is.  For example, recommendation number one suggests including new “cybersecurity hygiene” requirements for appropriate contracts.  However, we won’t know which contracts are appropriate until the risk management strategy of number four is at least partially developed.  I’ll explain below.

Recommendation number four is titled:  “Institute a Federal Acquisition Cyber Risk Management Strategy.”

The goal of this recommendation is to develop a repeatable, scalable process for addressing cyber risk in federal acquisitions based on (1) the risk inherent to the product or service being purchased, and (2) the risk tolerance of the end user.

The first step is to develop a consistent method to measure cyber risk in the things the government buys.  Once we specifically identify which types of acquisitions present cyber risk, we can decide which types are “appropriate.”  From National Security Systems to paper clips – a primary question here is, which types of buying do or don’t present cyber risk?

Because we can’t possibly address all the types of acquisition at once, the next step is to prioritize the types of federal acquisition by risk so we can identify the right starting point.  The prioritization should probably consider cyber risk, mission-criticality of the function supported by the type of acquisition, and the amount of money spent on the type of acquisition annually, among other things.  Which other things should this prioritization consider?

After the prioritization is complete, starting with the highest risk type of buying, develop acquisition-cybersecurity “overlays” applicable to all buys of that type.  The overlays will include both procurement and information security practices – two very different and arcane disciplines.  Which security controls from NIST SP 800-53 revision 4 should apply to a type of acquisition?  Which acquisition practices should apply?  When should the government not use lowest-price-technically-acceptable source selection?

The DoD-GSA report gives us a good strategy, and it provides a solid frame of reference, but as the old saying goes – the devil is in the details.  Nothing could be truer about the next steps here.

The government has committed to continuing the collaborative process used to develop the recommendations as it develops the implementation plan.  In the next few weeks, the agencies will publish a request for comment on a draft plan for implementing the recommendations.  The draft plan will propose specific actions to accomplish the recommendations, starting with the cyber risk management strategy.

So, stay engaged.  And when the request for comment is published, do your part to help solve one of the most pressing issues of our time by submitting your suggestions.

By Contributing Author:  Emile Monette

Emile Monette is a recognized authority in the legal and operational aspects of public procurement, cybersecurity supply chain risk, and supply chain sustainability.  His background includes domestic, international, and U.S. military experience investigating, negotiating, and managing multimillion-dollar contracts.  Emile is a fifteen-year veteran of procurement law and policy development, and he has served in various positions in the legislative and executive branches of the federal government.

Nov. 19: GTSC Annual Member Meeting

Members of the Government Technology & Services Coalition (GTSC) are invited to our third annual member meeting to learn about all the services of GTSC, provide input on our letter to incoming DHS Secretary Jeh Johnson, and share feedback on our 2014-2015 priorities!

Emile Monette, the Senior Advisor for cyber security policy for the U.S. General Services Administration (GSA), will join us to discuss the agency wide and interagency implementation of cyber security initiatives related to government facilities and acquisition. Linda Mathes, CEO of the American Red Cross in the National Capital Region, will talk about the American Red Cross Ready Rating program and its importance to GTSC’s Designation of Leadership Excellence. Jose Arrieta, DHS Ombudsman, will discuss the year ahead at DHS.

Given sequestration, budget cuts and possible future government shutdowns, GTSC is committed to exploring every business opportunity possible for your success. From the Small Business Collaboration Group to forming vigorous Action Groups and developing the Contracting Officers workshop, we’ve accomplished a lot over the past year and we’re excited to keep moving!

Please note: this is a GTSC Member only meeting. Thank you!

Agenda

I. Welcome and overview of GTSC’s 2012-2013 year: discussion of Lion’s Den, Mentor and Workgroup activity.

  • Kristina Tanasichuk, CEO, GTSC
  • Jon Ostrowski, COO, GTSC
  • Workgroup Chairs
    • Chair, International Initiative: RADM Donald P. Loren, CEO, Old Dominion Strategies
    • Chair, Human Capital and Learning: Dr. Sheri Dougherty, President & CEO, DAI
    • Co-Chair, DHS Engagement: Sara Kindsfater-Yerkes, Managing Partner, The Big Brain Co.

II. A View of the Year Ahead

  • Jose Arrieta, Ombudsman, DHS

III. Meeting the Challenges

  • Emile Monette, Senior Advisor, Cyber Security Policy, GSA
  • Linda Mathes, CEO, American Red Cross in the National Capital Region
  • Bruce Davidson, Director, SAFETY Act Office, S&T, DHS

IV. Government Relations

  • Incoming Secretary Jeh Johnson
  • Hill Activity
    • Michelle Mrdeza, Partner, Cornerstone Government Affairs & GTSC Founding Strategic Advisor
    • Chani Wiggins, President & Founder, Winn Strategies & GTSC Strategic Advisor
  • Broadening our Base

V. Business Development

  • Overview of procurements and focus areas for business development
    • Bill Carroll, Senior Partner, Strike Force Consulting
    • Andrea McCarthy, Senior Director, NTT Data
    • Tony Sacco, Former Vice President, SAIC

VI. What do you see as our top priorities for 2014-2015?


Key Cybersecurity Issues for Government Contractors

Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors.” This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority.

The discussion included:
– Proposed Federal Acquisition Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
– Planned changes to procurement requirements based on independent agency actions;
– Congressionally mandated cybersecurity requirements; and
– Ways contractors can prepare for these changes.

Speakers included:

Brian Finch, Partner, Global Security, Dickstein Shapiro LLP

Justin Chiarodo, Partner, Government Contracts, Dickstein Shapiro LLP

Emile Monette, Senior Action Officer for Cyber Security Policy, General Services Administration

Kristina Tanasichuk, CEO, Government Technology & Services Coalition
