This is part of a continuing series of blog posts concerning the GSA-DOD request for information (RFI) concerning the use of federal acquisition regulations (FAR) as incentives to participate in the President’s Cybersecurity Framework being developed by NIST. The first post in the series was:
With four days left in the short comment period for the GSA-DOD request for information on the use of federal acquisition regulations as incentives, we finally see some of the comments that have been posted to the Federal eRulemaking Portal (www.Regulations.gov; Docket # Notice-OERR-2013). Actually, each of these 15 comments was posted to that site on Tuesday (6-4-13); the actual dates of submission look like they go back as far as May 16th. No other comments have been posted since the 4th. It looks like GSA is batch posting comments.
There seems to be a basic misunderstanding of the GSA/DOD RFI; neither GSA nor (for the most part) DOD is responsible for the implementation of the Cybersecurity Framework being developed by NIST. That will be the responsibility of DHS and those agencies already responsible for overseeing cybersecurity in critical infrastructure (DOD does have a minor role here).
Still, the Edison Electric Institute mentions in their response that “EEI strongly believes that any GSA implementation of the cybersecurity framework for government contractors should be based on each contractor’s sector-specific policies”. This comment would have been more appropriately made in response to the NIST RFI.
RedSeal Networks spends most of its comment ink on a discussion of the need for continuous monitoring of networks rather than on incentives for framework implementation. Lancope echoes these comments but reminds GSA that the “greatest challenge to cross-sector standards is rigidity in the system”.
RFI Time Frame
The Information Technology Industry Council (ITI) comments on the short time frame for the comments and the report to the President, noting that this should “be the start of long-term engagement with industry throughout the policy development process and implementation”.
The Software and Information Industry Association (SIIA) goes a step further and recommends that the FAR implementation be put on hold until the NIST Cybersecurity Framework is completed. They assume that the “NIST framework will establish a baseline for cybersecurity and critical infrastructure protection across a wide spectrum of industries”.
Supply Chain Security
The TechAmerica comments concentrate on methods of protecting the supply chain side of cybersecurity. The Semiconductor Industry Association also addresses supply chain security, suggesting that semiconductors only be purchased through authorized distributors. The Open Group offers a vendor accreditation program for vendors that have processes in place to ensure that the products they sell, install or service have not been tainted and do not contain counterfeit parts.
The Telecommunications Industry Association (TIA) enumerates six principles that they believe should guide GSA’s efforts to improve cybersecurity in Federal procurement; the last one notes that “a global supply chain can only be secured through an industry-driven adoption of best practices and global standards”.
Covanta Energy Company’s comments address the other end of the cyber product life cycle, encouraging proper disposal or destruction of outdated equipment to protect the data still remaining in its memory and storage.
DRAFT GSA-DOD Report
The comments from ACT-ICT were made on a copy of what appears to be a draft of the report that the Department of Defense and General Services Administration Joint Working Group on Improving Cybersecurity and Resilience through Acquisition will be presenting to the President, based upon the comments received from this RFI.
TechAmerica attached a marked-up copy of the same draft to their comments.
ACT-ICT recommends that a copy of proposed contract language be included in the recommendations, making it easier for all contracting officers to ensure that the subject is properly addressed. TechAmerica objects to including boilerplate language, noting that “it would serve to freeze the status quo, hampering or preventing the evolution of countermeasures required to address ever-changing threat and technology landscapes”.
TIA recommends that “the government set objectives in its procurement policies, but avoid in all cases possible the dictating of how a company that is involved in a procurement meets that objective”. They maintain that this would promote both innovation and competition.
Risk Assessment and Tiered Approach
The Microsoft comments are detailed and far ranging, as one would expect. One area that they do stress is that the acquisition process must include a detailed risk assessment before deciding what level of security implementation is required. ITI reminds GSA that security is not the goal; it “is a means to achieve and ensure continued trust in various technologies that comprise the cyber infrastructure”.
ATSEC comments that regulators need to remember that “baseline standards may not be applicable for high risk environments”. Nor is setting high standards always a good approach either; what is necessary “is a clear procurement strategy defining the conditions when a specific assurance level is required”.
The SAFECode organization supports secure coding practices, but maintains that government coding standards are bound to fail because each organization will “use different compilers, different operating system platforms and versions, and build software that’s used for different purposes”.
FireEye recommends that GSA develop acquisition regulations that require vendors and agencies “to expressly address emerging cyber threats, including advanced persistent threats, polymorphic malware and zero-day attacks, as part of mandatory IT security plans”. To ensure that such subjects are appropriately addressed, they recommend that GSA “implement mandatory training and education for contracting officers and other procurement and acquisition officials about evolving cyber threats with an emphasis on the techniques, tactics and procedures used by sophisticated cyber adversaries”.
The comments listed above are only a small selection of the information provided by these 15 commenters. They are not necessarily the most important points, but the ones that piqued my interest. Many of the above comments were very lengthy and detailed. I hope that NIST will provide GSA with their automated methodology for parsing the wide variety of comments and information provided in these comments. Otherwise, GSA is just going to have to essentially ignore these and subsequent comments as they proceed with developing their report for the President this week.
BTW: I did not notice any references to industrial control systems in the comments (though I admit I may have missed some in the high-speed scanning I did of these responses). That isn’t really unexpected; the US government does not procure a large number of control systems (at least relative to its IT purchases). Still, it is disappointing.