This is part of a continuing series of blog posts concerning
the GSA-DOD
request for information (RFI) concerning the use of federal acquisition
regulations (FAR) as incentives to participate in the President’s Cybersecurity
Framework being developed by NIST. The first post in the series was:
With four days left in the short comment period for the GSA-DOD request for information on the use of FAR incentives, we finally see some of the comments that have been posted to the Federal eRulemaking Portal (www.Regulations.gov; Docket # Notice-OERR-2013).
Actually, each of these 15 comments was posted to that site on Tuesday (6-4-13); the actual dates of submission look like they go back as far as May 16th. No other comments have been posted since the 4th. It looks like GSA is batch posting comments.
Misunderstanding RFI
There seems to be a basic misunderstanding of the GSA/DOD
RFI; neither GSA nor DOD (mostly) is responsible for the implementation of the
Cybersecurity Framework being developed by NIST. That will be the responsibility
of DHS and those agencies already responsible for overseeing cybersecurity in
critical infrastructure (DOD does have a minor role here).
Still the Edison
Electric Institute mentions in their response “EEI strongly believes that
any GSA implementation of the cybersecurity framework for government
contractors should be based on each contractor’s sector-specific policies”.
This comment would have been more appropriately made in response to the NIST
RFI.
Network Monitoring
RedSeal Networks spends most of their comment ink on a discussion of the need for continuous monitoring of networks rather than on incentives for framework implementation. Lancope echoes these comments but reminds GSA that the “greatest challenge to cross-sector standards is rigidity in the system”.
RFI Time Frame
The Information Technology Information Council (ITI) comments on the short time frame for the comments and report to the President, noting that this should “be the start of long-term engagement with industry throughout the policy development process and implementation”.
The Software
and Information Industry Association (SIIA) goes a step further and
recommends that the FAR implementation be put on hold until the NIST
Cybersecurity Framework is completed. They assume that the “NIST framework will
establish a baseline for cybersecurity and critical infrastructure protection
across a wide spectrum of industries”.
Supply Chain Security
The TechAmerica comments concentrate on methods of protecting the supply chain side of cybersecurity. The Semiconductor Industry Association also addresses supply chain security, suggesting that semiconductors only be purchased through authorized distributors. The Open Group offers an accreditation program for vendors that have processes in place to ensure that the products they sell, install or service have not been tainted and do not contain counterfeit parts.
The Telecommunications
Industry Association (TIA) enumerates six principles that they believe
should guide GSA’s efforts to improve cybersecurity in Federal procurement; the
last one notes that “a global supply chain can only be secured through an
industry-driven adoption of best practices and global standards”.
Covanta Energy Company’s comments address the other end of the cyber product life cycle, encouraging proper disposal/destruction of outdated equipment to protect the security of the data still remaining in memory.
DRAFT GSA-DOD Report
The comments
from ACT-ICT were made on a copy of what appears to be a draft of the
report that the Department of Defense and General Services Administration
Joint Working Group on Improving Cybersecurity and Resilience through
Acquisition will be presenting to the President based upon the comments
received from this RFI.
TechAmerica attached a marked-up copy of the same draft to
their comments.
Contract Language
ACT-ICT recommends that a copy of proposed contract language
should be included in the recommendations making it easier for all contracting
officers to ensure that the subject is properly addressed. TechAmerica objects
to including boilerplate language, noting that “it would serve to freeze the
status quo, hampering or preventing the evolution of countermeasures required
to address ever-changing threat and technology landscapes”.
TIA recommends that “the government set objectives in its
procurement policies, but avoid in all cases possible the dictating of how a
company that is involved in a procurement meets that objective”. They maintain
that this would promote innovation and promote competition.
Risk Assessment and Tiered Approach
The Microsoft comments are detailed and far ranging, as one would expect. One area that they do stress is that the acquisition process must include a detailed risk assessment before deciding on what level of security implementation is required. ITI reminds GSA that security is not the goal; it “is a means to achieve and ensure continued trust in various technologies that comprise the cyber infrastructure”.
ATSEC comments that regulators need to remember that “baseline standards may not be applicable for high risk environments”. Nor is setting high standards always a good approach; what is necessary “is a clear procurement strategy defining the conditions when a specific assurance level is required”.
Secure Coding
The SafeCode
organization supports safe coding practices, but maintains that government
coding standards are bound to fail because each organization will “use
different compilers, different operating system platforms and versions, and
build software that’s used for different purposes”.
Acquisition Regulations
FireEye recommends that GSA develop acquisition regulations that require vendors and agencies “to expressly address emerging cyber threats, including advanced persistent threats, polymorphic malware and zero-day attacks, as part of mandatory IT security plans”. To ensure that such subjects are appropriately addressed, they recommend that GSA “implement mandatory training and education for contracting officers and other procurement and acquisition officials about evolving cyber threats with an emphasis on the techniques, tactics and procedures used by sophisticated cyber adversaries”.
Commentary
The comments listed above are only a small selection of the information provided by these 15 commenters. They are not necessarily the most important points, but the ones that piqued my interest. Many of the above comments were very lengthy and detailed. I hope that NIST will provide GSA with their automated methodology for parsing the wide variety of comments and information provided in these comments. Otherwise, GSA is just going to have to essentially ignore these and subsequent comments as they proceed with developing their report for the President this week.
BTW: I did not
notice any references to industrial control systems in the comments (though I
admit I may have missed some in the high-speed scanning I did with these
responses). That isn’t really unexpected; the US government does not procure a
large number of control systems (at least in relation to their IT purchases). Still
it is disappointing.