WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Security Assessments #34

Open aerospaceindustriesassociation opened 9 years ago

aerospaceindustriesassociation commented 9 years ago

Section 3 is rather vague on the scope and expectations of conducting assessments on internal industry systems and could become a significant effort. Consequently, it would be beneficial to identify the cost category that will be utilized to capture the work associated with completing this activity. Self-assessments are recommended for internal non-Govt systems, with documentation being provided if requested. In addition, given contractor concerns for protecting proprietary and/or privileged information, the guidance should address these concerns, with Industry opposing access to Industry facilities, systems, and other property for the purpose of conducting security assessments.

mnighswander commented 9 years ago

Also, suggest renaming this section to “Security Assessment and Authorization” to be consistent with NIST guidelines.

BSATheSoftwareAlliance commented 9 years ago

BSA | The Software Alliance Comments on Security Assessment Section of the Proposed Guidance

According to the Proposed Guidelines, the manner in which security assessment would be performed would depend on the discretion of the agency. Although there is mention of FIPS 199 and of the potential use of third-party verification of security assessment, the guidelines mention that each agency may select to perform its own monitoring and IT security scanning, and apparently this could happen regardless of the circumstances. This approach is of great concern, as explained below.

Continuous monitoring. Many companies already have their own continuous monitoring process in place which is evaluated by Third Party Assessment Organizations (3PAOs). 3PAOs are neutral and pre-approved through screening conducted by FedRAMP. If each agency were permitted and/or encouraged to perform their own monitoring in addition to what companies already have in place to satisfy FedRAMP, this practice would represent an extremely heavy burden on contractors without increasing cybersecurity. We urge OMB to reconsider this approach and to make reference to FedRAMP procedures regarding continuous monitoring.

Scanning. The broad IT security scanning access authorized by the Proposed Guidelines should not be the default. Access for monitoring purposes should only be required in exceptional circumstances and should be narrowly provided. Although the Proposed Guidelines indicate that access should be provided on an “event-driven basis,” there is no clear definition of what these events would be.

Continuous Diagnostics and Mitigation (CDM) seems to be the default authorized by the Proposed Guidelines, which would imply installation of sensors on networks. This practice would create a lot of legal uncertainty, unpredictability, and confusion, and execution could even be unfeasible. Some contractors may not be able to provide products and services to federal agencies if this requirement is not removed, and this could prevent federal agencies from accessing innovative and effective technologies to meet their needs.

In addition, as we previously noted, this would create a very negative precedent, and foreign governments would be emboldened to request broad access and/or the right to monitor and scan U.S. companies’ systems, using cybersecurity as a justification to advance other objectives. This would have a huge impact on U.S. companies doing business abroad, as market barriers that would be very difficult to overcome would be created. We, therefore, urge OMB to reconsider this approach.

Furthermore, when addressing information security assessments, the Proposed Guidance states that a Senior Agency Official for Privacy (SAOP) must review and certify privacy controls. Further details on what specific elements would be reviewed would be necessary to enable companies to comply with the requirements. We, therefore, recommend that further details regarding how privacy controls will be assessed be provided by the Proposed Guidelines. There simply is not enough information provided about this topic to make a valid judgment as to whether the requirements will be appropriate.