Monday, June 24, 2013

Comments on GSA-DOD Cybersecurity RFI – 6-22-13

This is part of a continuing series of blog posts concerning the GSA-DOD request for information (RFI) concerning the use of federal acquisition regulations (FAR) as incentives to participate in the President’s Cybersecurity Framework being developed by NIST. The first post in the series was:

The comment period on this RFI closed on June 12th and the second batch of responses was posted to the docket on June 18th. Of course the GSA/DOD report to the President was due on June 19th {EO 13636, §3(e)}, so this was mainly an exercise in futility except for those entities that were preferentially given advance copies of the draft GSA/DOD report upon which to base their comments (see comments from ACT-ICT and Tech-America).

EO Mandates

Dakkota Integrated Systems suggests that EO 13636 should be used as the authority to “compel
the acquisition of secure IT and telecommunications equipment by critical infrastructure elements” (pg 3).

CTIA, the Wireless Association, takes an opposing stance noting that “GSA should not seek to use procurement policy as a lever to effectively enforce compliance with otherwise “voluntary” programs that may come out of the EO” (pg 7, Adobe 9).

The Professional Services Council (PSC) suggests that the NIST Cybersecurity Framework be completed before GSA takes any steps to implement additional cybersecurity requirements in the FARS process, noting that “the cybersecurity framework should drive acquisition requirements, not vice versa” (pg 5).

Limit Acquisition to US Manufacturers

Dakkota maintains that the only way to ensure that adequate inspections of the supply chain (from component manufacture to secure installation) can insure that devices have not been compromised is to limit the acquisition process to US manufacturers.

Lineage Technologies notes the problems associated with ensuring that security standards are maintained in overseas manufacturers. They explain that: “China and other nations have restricted enforcement, characterizing inspection, verification, validation and related activities as breaches to their national sovereignty.” (pg 3)

CTIA notes that component testing by independent laboratories can ensure that a global supply chain can be used to produce lower cost secure systems. Lineage thinks that existing testing methodologies are not adequate with new chip designs and suggest that new testing methodologies need to be developed and adopted.

The US Chamber of Commerce notes that limiting the acquisition process to US manufacturers would cause other countries to do the same, hurting the ability of US manufacturers to compete in the global market.

Data Breach Notification

The American Bar Association notes that each state has its own requirements for data breach notification. They recommend that “either a “unified” federal standard or a consistent state model law” should be developed.

Wide Application of Covered Systems

Dakkota suggests that that secure acquisition rules extend to the widest possible definition of equipment connected to sensitive networks due to “potential exposure for chain-link events to infect connected networks”.

Serco notes that due “to the increasing threat federal cyber standards should apply to all electronic devices”. (Response to Question #8)

On the other hand, the PSC suggest that “acquisitions in which the contract requirements present a low risk of cyber intrusion should include only minimal or basic cybersecurity requirements” (pgs 2-3).

SRA International suggests that a tiered approach to security requirements based upon the level of access to critical systems presents the best approach to securing critical infrastructure cyber-systems. They propose a base level of security standards based upon specific measures in NIST 800-53 controls and higher requirements based upon FISMA risk management standards.

Evaluating Suppliers

Rapid7, a cybersecurity research firm, uses the following four step process to evaluate the security programs of vendors:

• Identify vendor security practices;
• Validate vendor security practices;
• Check solution logs; and
• Identify and refine access management controls for the solution.

Barriers to Entry

Wyle, an R&D organization providing cyber support to DOD, addressed the issues of limiting barriers to entry into the federal acquisition process by noting that:

“Effective cybersecurity requires all stakeholders to make significant investments in personnel, training, organization and infrastructure to establish and maintain a common level of security within a circle of trust.” (pg 4)

Tibbs Information Systems (TIS) suggests that a solution to this relatively high-cost of entry would have to include financial “subsidizing to small/disadvantaged firms to enact cybersecurity protocols on a universal
system while still maintaining competition and fairness” (pg 2). They further suggest that the development of a “’security startup’ package could be provided to new firms to expedite
their development” (pg 4).

Cost of Secure Systems

Dakkota expects that the cost of secure equipment (made by trusted US manufacturers shipped and installed via a controlled process) will be about 2.5 times the cost of off the shelf equipment.

Moving Forward

The comment period is now closed, but (given the GSA performance on posting responses to the RFI docket) there is no telling if there are other comments still pending. In any case the date for the GSA/DOD report to the President has also passed, so additional comments would serve little or no purpose.

It is not clear whether or not the Administration will publish a copy of the GSA/DOD report to the President when it gets (was?) published. What is clear is that any significant changes to the acquisition process will have to go through the regulatory process. This is where the Obama programs have had a tendency to stall.

It will be interesting to see if/what the GSA makes public about their analysis of these comments and the report they prepare for the President.

No comments:

/* Use this with templates/template-twocol.html */