[Federal Register Volume 78, Number 92 (Monday, May 13, 2013)]
[Notices]
[Pages 27966-27968]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-11239]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-OERR-2013-01; Docket No. 2013-0002; Sequence 10]


Joint Working Group on Improving Cybersecurity and Resilience 
Through Acquisition

AGENCY: Office of Emergency Response and Recovery, U.S. General 
Services Administration (GSA).

ACTION: Request for information.

-----------------------------------------------------------------------

SUMMARY: On February 12th, 2013, the President issued the Executive 
Order for Improving Critical Infrastructure Cybersecurity (Executive 
Order 13636). In accordance with Section 8(e) of Executive Order 13636, 
within 120 days, the General Services Administration and the Department 
of Defense, in consultation with the Department of Homeland Security 
and the Federal Acquisition Regulation Council, are required to make 
recommendations on the feasibility, security benefits, and relative 
merits of incorporating security standards into acquisition planning 
and contract administration and address what steps can be taken to 
harmonize, and make consistent, existing procurement requirements 
related to cybersecurity.
    Public outreach is a critically important activity for 
implementation of the Executive Order. In an effort to obtain broad 
stakeholder involvement, the General Services Administration and the 
Department of Defense are publishing this Request for Information (RFI) 
seeking information that can be used in the Section 8(e) report.

DATES: Effective date: Submit comments on or before June 12, 2013.

ADDRESSES: Submit comments in response to Notice-OERR-2013-01 by any of 
the following methods:
     Regulations.gov: http://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by searching for ``Notice-
OERR-2013-01''. Select the link ``Submit a Comment'' that corresponds 
with ``Notice-OERR-2013-01''. Follow the instructions provided at the 
``Submit a Comment'' screen. Please include your name, company name (if 
any), and ``Notice-OERR-2013-01'' on your attached document.
     Mail: General Services Administration, Regulatory 
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street NE., 7th 
Floor, Washington, DC 20417.
    Instructions: Please submit comments only and cite ``Notice-OERR-
2013-01'' in all correspondence related to this case. All comments 
received will be posted without change to http://www.regulations.gov, 
including any personal and/or business confidential information 
provided.

FOR FURTHER INFORMATION CONTACT: Mr. Emile Monette, U.S. General 
Services Administration, at emile.monette@gsa.gov or 703-605-5470.

SUPPLEMENTARY INFORMATION: 

A. Background

    On February 12th, 2013, the President issued the Executive Order 
for Improving Critical Infrastructure Cybersecurity (E.O. 13636) and 
the Presidential Policy Directive on Critical Infrastructure Security 
and Resilience (PPD-21). In accordance with Section 8(e) of Executive 
Order 13636 (EO), within 120 days, the General Services Administration 
and the Department of Defense, in consultation with the Department of 
Homeland Security and the Federal Acquisition Regulation Council, are 
required to make recommendations on the feasibility, security benefits, 
and relative merits of incorporating security standards into 
acquisition planning and contract administration and address what steps 
can be taken to harmonize, and make consistent, existing procurement 
requirements related to cybersecurity. Among other things, PPD-21 
requires the General Services Administration, in consultation with the 
Department of Defense and the Department of Homeland Security, to 
jointly provide and support government-wide contracts for critical 
infrastructure systems and ensure that such contracts include audit 
rights for the security and resilience of critical infrastructure.
    In order to accomplish the task required by EO Section 8(e), the 
General Services Administration (GSA) and the Department of Defense 
(DoD) have formed the ``Joint Working Group on Improving Cybersecurity 
and Resilience through Acquisition,'' (Working Group) with GSA as the 
lead agency. The Working Group is comprised of topic-knowledgeable 
members selected from the DoD, GSA, the Department of Homeland Security 
(DHS), the Office of Federal Procurement Policy (OFPP), and the 
National Institute of Standards and Technology (NIST). The Working 
Group is coordinating its efforts to obtain input from the stakeholder 
community, including industry, academia, and federal, state, and local 
government.
    Public outreach is a critically important activity for 
implementation of the EO and PPD. In an effort to obtain broad 
stakeholder involvement, the Working Group is publishing this Request 
for Information (RFI) seeking information that can be used in the 
Section 8(e) report. To the extent applicable, the Section 8(e) 
recommendations will also lay the foundation for establishment or 
identification of the government-wide cybersecurity contracts required 
by PPD-21.
    The Working Group is also directly engaged with the DHS Interagency 
Task Force (ITF). The ITF has been established to lead implementation 
of the EO and PPD-21, including, among other things, stakeholder 
engagement. The ITF has established working groups to accomplish the 
major deliverables and action items required by the EO and PPD, and 
this RFI for the Section 8(e) report is one element of the larger 
outreach efforts underway to address the requirements of the EO and 
PPD.
    The importance of common language cannot be overstated. It is 
apparent that a common lexicon is one of the critical gaps in 
harmonizing federal acquisition requirements related to cybersecurity.
    Given the limitations of the unsettled definition of the word, for 
purposes of this RFI, the term ``cybersecurity'' is given a broad 
meaning that includes information security and related areas, like 
supply chain risk management, information assurance, and software 
assurance, as well as other efforts to address threats or 
vulnerabilities flowing from or enabled by connection to digital 
infrastructure.
    In responding to the questions below, please highlight any 
applicable distinctions in responses related to classified and 
unclassified acquisitions.
    Feasibility and Federal Acquisition: In general, DoD and GSA seek 
input about the feasibility of incorporating cybersecurity standards 
into federal acquisitions.
    For example:
    1. What is the most feasible method to incorporate cybersecurity-
relevant standards in acquisition planning and contract administration? 
What are the cost and other resource implications for the federal 
acquisition system stakeholders?
    2. How can the federal acquisition system, given its inherent 
constraints and the current fiscal realities, best use incentives to 
increase cybersecurity amongst federal contractors and suppliers at all 
tiers? How can this be accomplished while minimizing barriers to entry 
to the federal market?
    3. What are the implications of imposing a set of cybersecurity 
baseline standards and implementing an associated accreditation 
program?
    4. How can cybersecurity be improved using standards in acquisition 
planning and contract administration?
    5. What are the greatest challenges in developing a cross-sector 
standards-based approach to a cybersecurity risk analysis and 
mitigation process for the federal acquisition system?
    6. What is the appropriate balance between the effectiveness and 
feasibility of implementing baseline security requirements for all 
businesses?
    7. How can the government increase cybersecurity in federal 
acquisitions while minimizing barriers to entry?
    8. Are there specific categories of acquisitions to which federal 
cybersecurity standards should (or should not) apply?
    9. Beyond the general duty to protect government information in 
federal contracts, what greater levels of security should be applied to 
which categories of federal acquisition or sectors of commerce?
    10. How can the Federal government change its acquisition practices 
to ensure the risk owner (typically the end user) makes the critical 
decisions about that risk throughout the acquisition lifecycle?
    11. How do contract type (e.g., firm fixed price, time and 
materials, cost-plus, etc.) and source selection method (e.g., lowest 
price technically acceptable, best value, etc.) affect your 
organization's cybersecurity risk definition and assessment in federal 
acquisitions?
    12. How would you recommend the government evaluate the risk from 
companies, products, or services that do not comply with cybersecurity 
standards?
    Commercial Practices: In general, DoD and GSA seek information 
about commercial procurement practices related to cybersecurity.
    For example:
    13. To what extent do any commonly used commercial standards 
fulfill federal requirements for your sector?
    14. Is there a widely accepted risk analysis framework that is used 
within your sector that the federal acquisition community could adapt 
to help determine which acquisitions should include the requirement to 
apply cybersecurity standards?
    15. Describe your organization's policies and procedures for 
governing cybersecurity risk. How does senior management communicate 
and oversee these policies and procedures? How has this affected your 
organization's procurement activities?
    16. Does your organization use ``preferred'' or ``authorized'' 
suppliers or resellers to address cybersecurity risk? How are the 
suppliers identified and utilized?
    17. What tools are you using to brief cybersecurity risks in 
procurement to your organization's management?
    18. What performance metrics and goals do organizations adopt to 
ensure their ability to manage cybersecurity risk in procurement and 
maintain the ability to provide essential services?
    19. Is your organization a preferred supplier to any customers that 
require adherence to cybersecurity standards for procurement? What are 
the requirements to obtain preferred supplier status with this 
customer?
    20. What procedures or assessments does your organization have in 
place to vet and approve vendors from the perspective of cybersecurity 
risk?
    21. How does your organization handle and address cybersecurity 
incidents that occur in procurements? Do you aggregate this information 
for future use? How do you use it?
    22. What mechanisms does your organization have in place for the 
secure exchange of information and data in procurements?
    23. Does your organization have a procurement policy for the 
disposal of hardware and software?
    24. How does your organization address new and emerging threats or 
risks in procurement for private sector commercial transactions? Is 
this process the same or different when performing a federal contract? 
Explain.
    25. Within your organization's corporate governance structure, 
where is cyber risk management located (e.g., CIO, CFO, Risk 
Executive)?
    26. If applicable, does your Corporate Audit/Risk Committee examine 
retained risks from cyber and implement special controls to mitigate 
those retained risks?
    27. Are losses from cyber risks and breaches treated as a cost of 
doing business?
    28. Does your organization have evidence of a common set of 
information security standards (e.g., written guidelines, operating 
manuals, etc.)?
    29. Does your organization disclose vulnerabilities in your 
product/services to your customers as soon as they become known? Why or 
why not?
    30. Does your organization have track-and-trace capabilities and/or 
the means to establish the provenance of products/services throughout 
your supply chain?
    31. What testing and validation practices does your organization 
currently use to ensure security and reliability of products it 
purchases?
    Harmonization: In general, DoD and GSA seek information about any 
conflicts in statutes, regulations, policies, practices, contractual 
terms and conditions, or acquisition processes affecting federal 
acquisition requirements related to cybersecurity and how the federal 
government might address those conflicts.
    For example:
    32. What cybersecurity requirements that affect procurement in the 
United States (e.g., local, state, federal, and other) has your 
organization encountered? What are the conflicts in these requirements, 
if any? How can any such conflicts best be harmonized or de-conflicted?
    33. What role, in your organization's view, should national/
international standards organizations play in cybersecurity in federal 
acquisitions?
    34. What cybersecurity requirements that affect your organization's 
procurement activities outside of the United States (e.g., local, 
state, national, and other) has your organization encountered? What are 
the conflicts in these requirements, if any? How can any such conflicts 
best be harmonized or de-conflicted with current or new requirements in 
the United States?
    35. Are you required by the terms of contracts with federal 
agencies to comply with unnecessarily duplicative or conflicting 
cybersecurity requirements? Please provide details.
    36. What policies, practices, or other acquisition processes should 
the federal government change in order to achieve cybersecurity in 
federal acquisitions?
    37. Has your organization recognized competing interests amongst 
procurement security standards in the private sector? How has your 
company reconciled these competing or conflicting standards?

    Dated: May 7, 2013.
Darren Blue,
Associate Administrator for the GSA, Office of Emergency Response and 
Recovery.
[FR Doc. 2013-11239 Filed 5-10-13; 8:45 am]
BILLING CODE 6820-89-P