WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Cyber Risk Due Diligence #8

Open carter1679 opened 9 years ago

carter1679 commented 9 years ago

SECTION 1

In 2013, the GSA/DoD Final Report to the White House, "Improving Cybersecurity and Resilience through Acquisition," outlined 6 recommendations. The first recommendation addressed the evaluation of the business associate's cyber hygiene.

With the intent to conform to CUI protection as described in 800-171, you have multiple challenges:

1) The majority of commercial entities that support the US Gov. are small businesses. What is the "reasonableness" of a small or medium-sized business executing the controls and guidance as described in 800-171 or 800-53? HEMISPHERE has identified 78 controls that have the highest likelihood of resulting in a security event leading to a likely formal sanction or litigant action.

These selected 78 controls are more robust than what traditional penetration testing provides and what the insurance industry currently evaluates, and they exceed the DFAR changes requiring adherence to 51 of the 800-53 controls. However, this set provides higher assurances and greater operational fidelity, and is more manageable as well as "reasonable" for business entities that are not a part of the DIB. These controls also enable snapshots to illustrate before and after profiles as described with the NIST Cyber Framework.

2) What is the likelihood the Government will enact sweeping acquisition legislation to adopt such a practice to prevent the "It's not in the FAR so who cares" mentality?

3) If #1 and #2 are successfully executed, how will contracting officers and specialists be trained to understand these requirements?

4) How will the Government police such an agenda?

5) What will priorities look like post-election, regardless of who takes office?

For several years, the Supply Chain Risk Management agenda led by DHS/DoD/GSA has evaluated cyber-related threats but struggles because industry wants the government to tell them what to do, and the government wants industry to collaborate and create solutions before forcing their hand by creating new mandates.

The Government is justified in creating an acquisition life-cycle that incentivizes better behaviors through the following:

A) Evaluation criteria during proposal submissions benefiting those who score higher on cyber hygiene criteria.

B) Working with State legislatures to promote statutory limits of liability for end users when insurance carriers underwrite cyber/data breach policies for organizations that execute to the intent of this future requirement (incorporates elements of SECTIONS 4 & 5).

C) Creating a repository enabling government contracting representatives to rapidly assess an offeror's state of cyber hygiene with a red "X" or green "check" mark.

D) Allowing organizations to become IV&V providers for the US Gov. to evaluate, much like FedRAMP 3PAOs. In such instances, the approved provider will likely have conflicts of interest in providing technologies, technology as a service, or services to support technology.

SECTION 2

Requirements for incident reporting already exist within the FAR and DFAR.

The Government is presuming:

1) A company is cognizant when it is breached, when statistics show the majority of breach reports are a result of a 3rd party bringing it to the owner's attention, with an average incubation of compromise greater than 200 days.

2) Reporting mechanisms to the Government POC would not require enhanced protocols to protect the contents of the submission.

3) A communication model exists within each agency or department enabling the Government to provide remedies in a timely manner after such a report is filed.

As of March 2015, DHS started instituting new procurement language which is cyber-focused. However, a lack of demonstrated language focusing on data breach underwriting protection remains a risk for the Government when a breach occurs due to a business associate. In the case of many recent breaches, the lack of insurance coverage to offset the costs of response and recovery remains a critical material weakness.

Recent RFPs at the State level have illustrated requirements for the offeror to have data breach protection > $2M, to include breach notification and even credit monitoring if a breach is attributed to the offeror.