On February 19, 2013, President Obama issued Executive Order 13636—Improving Critical Infrastructure Cybersecurity—noting that cybersecurity represents one of the most serious national security challenges facing the United States and declaring that the U.S.’s policy is "to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."[1] Pursuant to Executive Order 13636, among other initiatives, the Department of Defense ("DOD") and General Services Administration ("GSA") were ordered to make recommendations on "the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration," and the National Institute of Standards and Technology ("NIST") was directed to lead the development of a Cybersecurity Framework to reduce cyber risks.[2]
Improving Cybersecurity and Resilience through Acquisition
The DOD and GSA’s recommendations were published in a Final Report–Improving Cybersecurity and Resilience through Acquisition–on January 23, 2014.[3] The Final Report recognizes that the government’s use of network connectivity, processing power, data storage, and other information and communications technology makes the government more efficient and effective, but also more vulnerable to cyber attacks and exploitation.[4] The Final Report noted that a majority of federal technical information resides on information systems susceptible to cyber attack, including mission-critical systems requirements, concepts of operations, technologies, designs, engineering, systems production, and component manufacturing, and found that "the Federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries seeking to steal, compromise, alter or destroy sensitive information."[5]
In order to achieve cyber resiliency, the Final Report called for "a clear prioritization of cyber risk management as both element of enterprise risk management and as a technical requirement in acquisitions that present cyber risks."[6] However, the DOD and GSA also noted that a "selective approach" is appropriate because not all acquisitions present the same level of risk. Thus, the Final Report made the following recommendations:
- Require Baseline Cybersecurity Requirements as a Condition of Contract Award: For acquisitions that present cyber risks, the Final Report calls for the government to only do business with organizations that meet baseline cybersecurity requirements in their operations as well as in the products or services delivered to the government. The DOD and GSA recommend that the cybersecurity baseline be expressed in technical requirements and that contracts include performance measures to ensure cybersecurity effectiveness. Basic protections identified by the Final Report include: updated virus protection, multiple-factor logical access, methods to ensure confidentiality of data, and maintaining current security software patches. Beyond the baseline requirements, the Final Report recommends that the government take an incremental, risk-based approach for each acquisition.[7]
- Require Contractor Cybersecurity Training: The Final Report calls for increased training among both government acquisition and contractor personnel. "As with any change to practice or policy, there is a concurrent need to train the relevant workforce to adapt to the changes."[8]
- Develop Common Cybersecurity Definitions in the Federal Acquisition Regulation: The Final Report recommends that uniform definitions be adopted for acquisitions in order to increase clarity and prevent disputes.[9]
- Prioritize Cyber Risks for Acquisitions: The Final Report calls for a government-wide, risk-based acquisition strategy, aligned with the NIST Cybersecurity Framework, to balance cost increases against the severity of the cyber threat and to mitigate cost increases by adopting cybersecurity requirements across market segments.[10]
- Require Items Be Sourced from OEMs, Authorized Resellers, or "Trusted" Sources: The Final Report identifies the problem of vulnerable counterfeit or "grey market" components and subcomponents introduced into the supply chain, because inauthentic end items and components often lack the latest security-related updates or are not built to the OEM’s security standards. Thus, where appropriate, the Final Report recommends that goods be required to be provided only by OEMs, their authorized resellers, or other trusted sources. If the government chooses to use a source that is not in a trusted relationship with the OEM, the Final Report recommends that the government obtain assurances of the company’s ability to guarantee the security and integrity of the item being purchased.[11] The Final Report recognizes that this approach "represents a limitation of available sources and therefore should only be used for types of acquisition that present risks great enough to justify the negative impact on competition or price differences between trusted and un-trusted sources."[12]
- Increase Government Accountability for Cyber Risk Management: The Final Report notes the importance of integrating security standards into acquisition planning and contract administration to ensure that key decision makers are accountable for cybersecurity risks and the fielded solutions.[13]
The Final Report recognizes that government purchases of products or services with adequate cybersecurity may have higher upfront costs, but would reduce the total cost of ownership over the lifespan of the item purchased.[14] "The cost of not using basic cybersecurity measures would be a significant detriment to contractor and Federal business operations, resulting in reduced system performance and the potential loss of valuable information."[15] Implementation of the Final Report’s recommendations is expected to be aligned with the Comprehensive National Cybersecurity Initiative and the Cybersecurity Framework being developed by NIST pursuant to Executive Order 13636. The final version of the Cybersecurity Framework was released by NIST on February 13, 2014.
Cybersecurity Framework Version 1.0
Primarily aimed at organizations that operate critical infrastructure or hold sensitive information, such as those in the financial, energy, and healthcare industries, the Framework’s goal is to better protect critical information as well as critical physical assets from cyber attacks. The Framework adopts industry standards and best practices to help organizations manage cybersecurity risks "in a cost-effective manner." In addition to the Framework document, NIST also released a "Roadmap" document that sets forth the path toward future updates of the Framework. NIST has referred to the Framework document (labeled as Version 1.0) as a "living" document that will be updated, as necessary, in response to industry feedback and to keep pace with improvements in technology and new threats.
NIST emphasizes that the Framework is "technology neutral" and should complement, not replace, an organization’s existing risk management process and cybersecurity program. The Framework provides a common taxonomy and method for organizations to accomplish the following:
- describe their current cybersecurity posture;
- describe their target state for cybersecurity;
- identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- assess progress toward the target state; and
- communicate among internal and external stakeholders about cybersecurity risk.
In keeping with the "living" nature of the Framework document, NIST is expected to sponsor workshops with industry stakeholders over the next six months. These workshops will aim to assist organizations in adopting the Framework and to provide a forum where experiences with the Framework are shared and potential refinements identified. As noted above, the Framework is strictly voluntary and NIST has no enforcement authority. However, Congress could enact legislation that would provide incentives for private entities that adopt the Framework.
The Framework document in its entirety can be downloaded here.