Integrating Cybersecurity Requirements into Source Selection and Contracts

Breakout Session #F15

Alex Odeh, Cost Analysis Lead, The MITRE Corporation
Erin Schultz, Department Head, The MITRE Corporation
Virginia Wydler, CPCM, Fellow, Principal Analyst, The MITRE Corporation

Date: July 28, 2015
Time: 4:00 – 5:15 pm

Approved for Public Release; Distribution Unlimited. 15-1259 ©2015 The MITRE Corporation. ALL RIGHTS RESERVED.

Outline

• What is Cybersecurity?

• Federal Guidance

• Contracting Life Cycle

• Evaluation Criteria

• Proposal Instructions

• Best Practices

• Q&A

• Resources

Cybersecurity Threats

DOD Cybersecurity Gaps Could Be Canary in Federal Acquisition Coal Mine

Intangible Assets Create Vulnerabilities

Workplace and Personal Lives are Blurring

Cybersecurity Defined

• Process of applying security measures to ensure confidentiality, integrity, and availability of data – Wikipedia

• Collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices – International Telecommunications Union (ITU)

• Prevention of damage to, protection of, and restoration of computers, electronic communications systems and services … to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation – DoD Instruction 8500.01, 14 Mar 2014

Cybersecurity and Acquisition

[Figure: two timelines plotted against axes of Maturity (low to high) and Complexity (low to high)]

Federal Acquisition timeline:
• 1861: Civil Sundry Appropriations Act
• 1941: Berry Amendment
• 1947: Armed Services Procurement Act
• 1962: Truth in Negotiating Act (TINA)
• 1979: Defense Resources Board
• 1981: Carlucci Thirty-Two Acquisition Initiatives
• 1982: Special Panel on Defense Procurement
• 1993-98: Defense Acquisition Reform Initiatives
• 1994: Federal Acquisition Streamlining Act
• 1996: Federal Acquisition Reform Act
• 1996: FAA & US MINT exempt from FAR
• 2010: DoD Better Buying Power
• 2013: DoDI 5000.02 Acquisition Process
• 2015: Federal IT Acquisition Reform Act

Cybersecurity timeline:
• 1986: Malware virus “Brain” emerged
• 1986: Computer Fraud and Abuse Act
• 1988: Morris Worm appears
• 1995: AOL phishing (AOHell)
• 2000: First Denial of Service attack
• 2002: Homeland Security Act (creates DHS)
• 2002: Federal IS Management Act (FISMA)
• 2013: EO 13636: Improving Critical Infrastructure Cybersecurity
• 2013: DoDI 5000.02 Acquisition Process (cyber)
• 2014: Cybersecurity Enhancement Act
• 2014: Cybersecurity Workforce Assess Act
• 2014: National Cybersecurity Protection Act

Cybersecurity
• Agencies developing guidelines
• May involve all complexity levels (low to high)
• Relatively new and still emerging

Federal Acquisition
• Not a “one-size fits all”
• Levels of program complexity
• Very mature, yet still evolving

Paradigm Shift in Contracting

From Bolt On
• Stove-piped, bolted onto contract SOW
• Compliance checklist
• Reactive and tactical
• Point in time review
• Little source review

To Baked In
• Integrated and built into contract SOW, T’s & C’s
• Apply risk management
• Proactive and strategic
• Full lifecycle, start early

Why Should You Care?

• Cyber breaches and threats are real and increasing

• Government cybersecurity policies and guidance have increased in the last few years, impacting the contracting process

• Government is shifting from compliance-based security requirements to cybersecurity risk-based management

• Cybersecurity needs to be integrated into programs and contracts to facilitate program management success

Federal Cybersecurity Guidance

• Executive Branch identified cybersecurity as a serious economic and national security challenge

• DHS assigned primary responsibility for federal-wide information security program compliance

• GSA and DoD developed implementing recommendations

Executive Order 13636: Improving Critical Infrastructure Cybersecurity, February 2013

Presidential Policy Directive 21: Critical Infrastructure Security and Resilience, February 2013

Cybersecurity Frameworks

Existing Frameworks Updated

EO generated a cyber framework and roadmap, aligning with risk and personnel frameworks

GSA/DoD Report Recommendations (WG Lead)

Working Group status: https://interact.gsa.gov/group/software-and-supply-chain-assurance-ssca-forum-wg

I. Institute baseline security requirements as condition for award – Don Davidson, OSD

II. Address cybersecurity in relevant training – Andre Wilkinson, DHS

III. Develop common cybersecurity definitions for federal acquisitions – Jon Boyens, NIST

IV. Institute a Federal acquisition cyber risk management strategy – Don Johnson, OSD

V. Include requirement to purchase from OEM, authorized resellers, trusted sources – Emile Monette, GSA

VI. Increase Government accountability for cyber risk management* – Joe Jarzombek, DHS

Implementation Plans

*Key contracting recommendation

Report Recommendation VI: Government Accountability

Recommendation Description and Highlights

VI. Increase Government Accountability for Cyber Risk Management

A. Identify and modify acquisition practices that contribute to cyber risk

B. Integrate security standards into acquisition planning and contract administration

C. Incorporate cyber risk into enterprise risk management and ensure key decision makers (e.g., Program Executive) are accountable:

1. Address cyber risk when defining requirement and analyzing solution

2. Ensure and certify cybersecurity requirements are adequately reflected in the solicitation

3. Participate in evaluation, ensure best value proposal meets cybersecurity requirements

4. Certify contract performance reviews of cybersecurity (e.g., conformance testing, regression testing, technology refresh, supply chain management, engineering change proposals, etc.) are conducted in accordance with prescribed standards

Source: DoD and GSA Report on “Improving Cybersecurity and Resilience through Acquisition”

Contracting Life Cycle

• Acquisition Planning
  – Conduct Market Research
  – Release Request for Information
  – Develop Acquisition Plan
  – Develop Cybersecurity Requirements
    • SOW, SOO, PWS, Specification
    • References and applicable documents

• Solicitation Development – Request for Proposal (RFP)
  – Develop Contract Data Requirements List (CDRL)
  – Identify clauses and special restrictions
  – Instructions, Evaluation Criteria (L and M)

• Source Selection

• Award and Post-Award Management

SOW/RFP/L&M critical to integrate cybersecurity into the contracting process

Developing SOW/SOO/PWS

• Understand how cybersecurity relates to your contracting process
  – Understand agency cyber policies, guidance
  – Solicit industry input early, continue dialog

• Integrate cybersecurity throughout the requirements development process
  – Ensure traceability between cyber requirements, controls, and program needs
  – Ensure requirements provide defined outputs to support decision making activities

• Include cybersecurity requirements in all applicable sections
  – Identify applicable and reference documents
  – Identify security constraints
  – Identify mandatory security reporting

Statement of Work (SOW) Outline Example

• Section 1: Scope
  – Section 1.1: Introduction
  – Section 1.2: Background
  – Section 1.3: Scope

• Section 2: Applicable Documents
  – Section 2.1: Agency Specifications
  – Section 2.2: Agency Standards
  – Section 2.3: Relevant Cyber Documents

• Section 3: Requirements
  – Section 3.1: General Requirements
  – Section 3.2: Technical Objectives and Goals
  – Section 3.3: Specific Requirements

• Section 4: Contract Deliverables

• Section 5: Security

• Section 6: Personnel

Weave cybersecurity content throughout SOW sections

Source: DoD MIL HDBK 254D: DoD Handbook for

Solicitation (RFP) Content

• A: Solicitation/contract form – None anticipated

• B: Supplies or services and prices/costs
  – Review CDRL cybersecurity reporting
  – Cost recovery (CLIN structure, cybersecurity)

• C: Description/Specifications/SOW/SOO/PWS
  – Performance-based cyber requirements

• D: Packaging and marking – None anticipated

• E: Inspection and acceptance
  – Develop cybersecurity quality assurance plan

• F: Deliveries or performance
  – Ensure cybersecurity items are addressed

• G: Contract admin data – None anticipated

• H: Special contract requirements
  – Cybersecurity-specific contract clauses (e.g., reporting or disclosure)

Source: DoD Cybersecurity Implementation Guidebook for Acquisition Program Managers

Solicitation (RFP) Content (continued)

• I: Contract clauses
  – Cybersecurity-specific contract clauses
  – Cybersecurity Personnel (also Section H)

• J: List of Attachments
  – Applicable attachments for cybersecurity

• K: Representations, Certifications
  – Certifications that support the cybersecurity strategy (NSA certifications of cryptographic algorithms, cross-domain solutions)

• L and M: Proposal Information, Evaluation
  – Ensure factors differentiate proposals
  – Define qualification of cybersecurity staff
  – Include critical cybersecurity program objectives

Source: DoD Cybersecurity Implementation Guidebook for Acquisition Program Managers

Evaluation Criteria (Section M) – Structure

• FAR provides broad discretion for criteria; HOWEVER, FAR mandates:

Quality (example evaluation factors)
  – Technical Approach or Solution
  – Program Management and Subcontracts
  – Staffing and Key Personnel – Resumes
  – Security
  – Transition Plan

Past performance
  – Tailor past performance questionnaires
  – Address cyber breaches and mitigation

Price or cost
  – Watch for conditions to proposed technical approach that can impact costs or price

Consider Cybersecurity in each area of Section M

Evaluation Criteria (Section M) – Kinds of Contracts

• Kinds of cybersecurity contracts may include:
  – Hardware/Software
  – Services
  – Development
  – System
  – Security Engineering

• Tailor each kind of cybersecurity contract
  – Prioritize quality against price/cost

• Consider industry reaction to “what is important”
  – Are the criteria and their relationship to cost sending the right message to industry?

Cybersecurity Evaluation Criteria (Section M)

Hardware/Software
• Degree to which trusted sources are used and proof is maintained
• Approach to restricting physical access of non-authorized personnel
• Use of cyber-certified products for hardware and software
• Approach to detecting counterfeit components
• How is supply chain diversity implemented

Services
• Approach to developing information assurance
• Approach to ensuring trusted key personnel
• Approach to conducting vulnerability assessments
• Testing approach to ensure services meet requirements
• Degree to which cybersecurity is included in design trade analysis
• Degree to which service is non-attributable to Agency

Notional or suggested factors

How Would You Prioritize These?

Cybersecurity Evaluation Criteria (Section M)

System
• Demonstrated ability to detect and prevent attacks
• Approach to detecting and minimizing data breaches
• Approach to integrating and enhancing operational tools
• Approach to validating staff cyber competency
• Degree to which approach integrates with CONOPS, information architecture, cyber programs

Development
• Approach to certifying developers, ensuring continued certifications
• Approach to integrating SSE into the lifecycle (e.g., development, test)
• Approach to documenting and managing risk (RMF)
• Tools for security selection and application
• Approach to ensure Mission Assurance, Resilience

Notional or suggested factors

How Would You Prioritize These?

Cybersecurity Evaluation Criteria (Section M)

Security Engineering
• Approach to integrating architectural risk analysis, threat modeling, testing, security governance as part of product lifecycle
• Degree to which development uses consistent coding practices and standards throughout product lifecycle
• Degree to which testing and validation methodologies simulate an attacker breaking an application
• Degree to which security testing is integrated into software development
• Approach to respond to/report security vulnerabilities
• Degree to which supply chain risk management ensures security and integrity of sourced components

Notional or suggested factors

How Would You Prioritize These?

Proposal Instruction (Section L)

Technical approach

• Describe how technical approach integrates with current or planned agency information architectures, programs, projects or initiatives

• Describe how cybersecurity is integrated into the program’s SE, SSE, T&E processes, and CONOPS

• Ensure cybersecurity is explicit in the Basis of Estimate (BOE), Work Breakdown Structure, Cost Estimating Approach

• Describe approach to supply chain vulnerability assessments to comply with agency policy, RFP requirements, or other constraints

• Describe the technical data approach including ownership, control, timely access, and delivery of all cybersecurity data, including raw test data, for evolving technical baseline

Proposal Instruction (Section L)

Management approach

• Define team organization

• Identify and describe key personnel who will ensure cybersecurity compliance

• Describe staffing approach, qualifications and continued proficiency for cybersecurity personnel

• Describe cybersecurity incident response, mitigation and risk management processes

• Describe approach to transition to ensuring cybersecurity

Security

• Describe approach to detect and minimize data exfiltration and data loss

• Describe how security integrates with current or planned CONOPS, BCP, information architecture, programs or initiatives

Proposal Instruction (Section L)

Government Property

• Identify required Government Furnished Property (GFP) (e.g., access to National Cyber Range, Government Blue and/or Red Teams to be used during initial testing)

Data Deliverables (CDRL)

• What data deliverables are required as part of the proposal and during contract execution?
  – Approach to satisfying Agency Cybersecurity Strategy
  – Compliance with Security CONOPS and/or updates
  – Managing Security Architecture and/or updates
  – Developing Security artifacts for milestone reviews
  – Updating Assessment and Authorization artifacts
  – Approach to satisfying Program Protection Plan (PPP)

Proposal Evaluation Options

• Paper proposal
  – Operation Capability Assessment (OCA)
  – Technical approach

• Live demonstration before award
  – Operational Capability Demonstration (OCD)
  – Operational Capability Test (OCT)

• Sample Task Order or Problem Exercise

• Oral proposal presentation

• Challenge-based acquisition

• Viability assessment of technical approach before RFP release

Don’t rely on a paper proposal to pick a winner

Best Practices – Acquisition Planning

• Leverage industry during acquisition planning
  – Provide security documents, assumptions, constraints, as early as possible to industry
  – Ensure critical classification levels and special data protection are identified early (these can be expensive cost drivers)

• Include security engineering instructions and policy mandates in the scope and objectives
  – Consider who designs, develops, and implements an integrated end-to-end security architecture (will you need an integrator?)
  – Identify the relationships of security deliverables to overall program activities

Best Practices – Solicitation Development

• Recognize that no two acquisitions are alike
  – Avoid cut-and-paste (worked last time…)

• Identify key security personnel, qualifications, collocation, and level of support (e.g., Chief Security Architect – Full Time on Site)

• Good criteria provide evaluators with latitude to evaluate what is important
  – Bad criteria provide Yes/No or Checklist
  – Too many criteria dilute core discriminators

• Tell industry what are the most important areas and factors (e.g., Price, Technical Approach, People/Resumes, Past Performance)

Best Practices – Source Selection

• Selection needs to reflect evaluation criteria
  – Discriminate between competing Offerors

• Ensure program and technical personnel are experienced and/or seek help

• Incorporate key desired approaches, features, processes, or tools from the proposal into the final contract, since the proposal itself is not incorporated into the contract

• Follow your source selection plan and use published evaluation criteria – BECAUSE GAO SAID SO (GAO 14-276SP)

What is MOST Important to YOUR Acquisition?

News You Can Use

• DHS using cybersecurity contract clauses
  – OMB Guidance Memo out for comment

• GSA/DoD Working Group Products
  – Cyber Clauses, Qualified Bidders List, Trusted Sources
  – https://interact.gsa.gov/group/software-and-supply-chain-assurance-ssca-forum-wg

• DoD Program Managers Guidebook for Cybersecurity Acquisitions – coming soon!

• DoD Better Buying Power 3.0 new section
  – Strengthen cybersecurity throughout lifecycle

• Insurance policies for cyber breaches – $$$$$$

Summary

• You have an integral role in government contracts
  – Consequences of ignoring, misallocating cybersecurity resources are growing

• You can be the expert help
  – Know who to ask and where to look
  – Understand key developments in cybersecurity

• You will intersect with multiple functional areas
  – Contracting Officials
  – Cybersecurity Technical Staff
  – Acquisition and Program Management Staff
  – Systems Engineering Staff

• You are committed to advancing cybersecurity
  – Adopting standards and best practices

Questions, Comments

Sharing Time

Contact Information

Alex Odeh

– The MITRE Corporation

[email protected]

Erin Schultz

– The MITRE Corporation

[email protected]

Virginia Wydler, CPCM, Fellow

– The MITRE Corporation

[email protected]

Applicable References

[Figure: reference map covering National Security System (NSS) guidance, National Standards and Guidance, Intelligence Community guidance, and the NIST Framework]

For more information see:

DoD Reference Documents

Source: http://iac.dtic.mil/csiac/download/ia_policychart.pdf

Cybersecurity Workforce Framework

31 Specialty areas with sample job titles, tasks, knowledge, skills, and abilities (KSAs)

Program Manager’s Guidance

• Describe key concepts and activities for successful implementation of cybersecurity and system resilience throughout the acquisition lifecycle

• Familiarize program managers with RMF continuous monitoring to optimize mission effects throughout the acquisition lifecycle

• Relate content to DoD cybersecurity policy, DoD acquisition policy, and other references

INTERNAL DRAFT V 0.9971 June 2015 release expected
