The U.S. General Services Administration (GSA) has issued a request for information (RFI) that it hopes will help make the federal government’s cybersecurity more resilient.
Issued in partnership with a federal cybersecurity interagency working group, the RFI is, the agency said, an important step toward improving the policy, implementation, and consistency of acquisition cybersecurity so that risk and security can be better managed.
In February, warning that cyberattacks pose a danger to US security, President Barack Obama signed Executive Order 13636, "Improving Critical Infrastructure Cybersecurity".
The executive order calls for voluntary reporting of threats to US infrastructure, such as power grids, pipelines and water systems.
Under Section 8(e) of the executive order, the GSA and the Department of Defense, working with DHS and the Federal Acquisition Regulatory Council, are required within 120 days to make recommendations on the "feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration" and to "address what steps can be taken to harmonize, and make consistent, existing procurement requirements related to cybersecurity".
“Collaboration and cooperation allow government to deliver critical services to our federal partners and, most importantly, the American people,” said GSA Acting Administrator Dan Tangherlini. “The RFI is an important first step to a public-private partnership that will help secure our nation’s infrastructure. Developing these cybersecurity procurement recommendations is a priority for GSA and the interagency working group.”
Overall, the DoD and GSA are looking for input on the feasibility of incorporating cybersecurity standards into federal acquisitions.
Among the questions the RFI asks are:
1. What is the most feasible method to incorporate cybersecurity-relevant standards in acquisition planning and contract administration? What are the cost and other resource implications for the federal acquisition system stakeholders?
2. How can the federal acquisition system, given its inherent constraints and the current fiscal realities, best use incentives to increase cybersecurity amongst federal contractors and suppliers at all tiers? How can this be accomplished while minimizing barriers to entry to the federal market?
3. What are the implications of imposing a set of cybersecurity baseline standards and implementing an associated accreditation program?
4. How can cybersecurity be improved using standards in acquisition planning and contract administration?
5. What are the greatest challenges in developing a cross-sector, standards-based approach to a cybersecurity risk analysis and mitigation process for the federal acquisition system?
6. What is the appropriate balance between the effectiveness and feasibility of implementing baseline security requirements for all businesses?
7. How can the government increase cybersecurity in federal acquisitions while minimizing barriers to entry?
8. Are there specific categories of acquisitions to which federal cybersecurity standards should (or should not) apply?
9. Beyond the general duty to protect government information in federal contracts, what greater levels of security should be applied to which categories of federal acquisition or sectors of commerce?
10. How can the Federal government change its acquisition practices to ensure the risk owner (typically the end user) makes the critical decisions about that risk throughout the acquisition lifecycle?
11. How do contract type (e.g., firm fixed price, time and materials, cost-plus, etc.) and source selection method (e.g., lowest price technically acceptable, best value, etc.) affect your organization’s cybersecurity risk definition and assessment in federal acquisitions?
12. How would you recommend the government evaluate the risk from companies, products, or services that do not comply with cybersecurity standards?
Since the executive order and the accompanying Presidential Policy Directive (PPD-21) were issued in February, the GSA said, feedback has been collected from hundreds of stakeholder representatives at dozens of forums in industry, academia, and federal, state, and local government, and was taken into consideration as the team finalized the RFI.
Stakeholder input should be submitted on or before June 12, 2013; it will contribute to the final recommendations report, which is due to be issued in early summer.