This is part of a continuing series of blog posts on the GSA-DOD request for information (RFI) concerning the use of the Federal Acquisition Regulation (FAR) as an incentive to participate in the President’s Cybersecurity Framework being developed by NIST. The first post in the series was:
The comment period on this RFI closed on June 12th and the second batch of responses was posted to the docket on June 18th. Of course the GSA/DOD report to the President was due on June 19th {EO 13636, §3(e)}, so this was largely an exercise in futility except for those entities that were given advance copies of the draft GSA/DOD report upon which to base their comments (see the comments from ACT-ICT and Tech-America).
EO Mandates
Dakkota Integrated Systems suggests that EO 13636 should be used as the authority to “compel the acquisition of secure IT and telecommunications equipment by critical infrastructure elements” (pg 3).
CTIA, the Wireless Association, takes an opposing stance, noting that “GSA should not seek to use procurement policy as a lever to effectively enforce compliance with otherwise “voluntary” programs that may come out of the EO” (pg 7, Adobe 9).
The Professional Services Council (PSC) suggests that the NIST Cybersecurity Framework be completed before GSA takes any steps to implement additional cybersecurity requirements in the FAR process, noting that “the cybersecurity framework should drive acquisition requirements, not vice versa” (pg 5).
Limit Acquisition to US Manufacturers
Dakkota maintains that the only way to ensure that supply chain inspections (from component manufacture to secure installation) can verify that devices have not been compromised is to limit the acquisition process to US manufacturers.
Lineage Technologies notes the problems associated with ensuring that security standards are maintained by overseas manufacturers. They explain that: “China and other nations have restricted enforcement, characterizing inspection, verification, validation and related activities as breaches to their national sovereignty.” (pg 3)
CTIA notes that component testing by independent laboratories can allow a global supply chain to be used to produce lower cost secure systems. Lineage thinks that existing testing methodologies are not adequate for new chip designs and suggests that new testing methodologies need to be developed and adopted.
The US Chamber of Commerce notes that limiting the acquisition process to US manufacturers would cause other countries to do the same, hurting the ability of US manufacturers to compete in the global market.
Data Breach Notification
The American Bar Association notes that each state has its own requirements for data breach notification. They recommend that “either a “unified” federal standard or a consistent state model law” should be developed.
Wide Application of Covered Systems
Dakkota suggests that secure acquisition rules extend to the widest possible definition of equipment connected to sensitive networks due to the “potential exposure for chain-link events to infect connected networks”.
Serco notes that due “to the increasing threat federal cyber standards should apply to all electronic devices”. (Response to Question #8)
On the other hand, the PSC suggests that “acquisitions in which the contract requirements present a low risk of cyber intrusion should include only minimal or basic cybersecurity requirements” (pgs 2-3).
SRA International suggests that a tiered approach to security requirements, based upon the level of access to critical systems, is the best approach to securing critical infrastructure cyber-systems. They propose a base level of security standards built on specific controls from NIST SP 800-53 and higher requirements based upon FISMA risk management standards.
Evaluating Suppliers
Rapid7, a cybersecurity research firm, uses the following four step process to evaluate the security programs of vendors:
• Identify vendor security practices;
• Validate vendor security practices;
• Check solution logs; and
• Identify and refine access management controls for the solution.
Barriers to Entry
Wyle, an R&D organization providing cyber support to DOD, addressed the issue of limiting barriers to entry into the federal acquisition process by noting that: “Effective cybersecurity requires all stakeholders to make significant investments in personnel, training, organization and infrastructure to establish and maintain a common level of security within a circle of trust.” (pg 4)
Tibbs Information Systems (TIS) suggests that a solution to this relatively high cost of entry would have to include financial “subsidizing to small/disadvantaged firms to enact cybersecurity protocols on a universal system while still maintaining competition and fairness” (pg 2). They further suggest that a “’security startup’ package could be provided to new firms to expedite their development” (pg 4).
Cost of Secure Systems
Dakkota expects that the cost of secure equipment (made by trusted US manufacturers and shipped and installed via a controlled process) will be about 2.5 times the cost of off the shelf equipment.
Moving Forward
The comment period is now closed, but (given the GSA performance on posting responses to the RFI docket) there is no telling whether there are other comments still pending. In any case the date for the GSA/DOD report to the President has also passed, so additional comments would serve little or no purpose.
It is not clear whether or not the Administration will publish a copy of the GSA/DOD report to the President when it gets (was?) published. What is clear is that any significant changes to the acquisition process will have to go through the regulatory process. This is where the Obama programs have had a tendency to stall.
It will be interesting to see if/what the GSA makes public about their analysis of these comments and the report they prepare for the President.