Today the GSA’s Office of Mission Assurance (OMA) published a request for information (RFI) notice in the Federal Register (79 FR 14042) about recommendations that GSA and DOD have made to the President in response to §8(e) of the President’s Executive Order for Improving Critical Infrastructure Cybersecurity (EO 13636). Long-time readers may remember a series of blog posts I did about the GSA’s original RFI that supported the preparations for the report about which this RFI is seeking comments.
NOTE: There is a problem with the SSL certificate for this site so it is not a secure web site, even though it has ‘https’ in the URL. The Feds certainly seem to have problems maintaining their certificates. Could this be the sign of a cybersecurity problem???
GSA is seeking comments on the six recommendations made in that report so that they can formulate a plan to go forward. The six recommendations are:
• Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
• Address cybersecurity relevant training;
• Develop common cybersecurity definitions for Federal acquisitions;
• Institute a Federal acquisition cyber risk management strategy;
• Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other ‘trusted’ sources, whenever available, in appropriate acquisitions;
• Increase government accountability for cyber risk management.
Most of these seem to be the cybersecurity equivalent of motherhood and apple pie requirements, but the devil is, of course, in the detail. There is a lot of verbiage supporting each of these recommendations that deserves a closer look. I’ll add it to my list of things to look at since this may be a harbinger of cybersecurity requirements in other acquisition processes, in and out of the Federal government.
GSA is soliciting public comments. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # OMA-2014-01). Comments need to be submitted by April 28th, 2014. Please note that that is a short, 45-day comment period.