In a previous article, Cyber-Too Big Not To Fail, I provided some comments on the recently signed Improving Cybersecurity and Resilience through Acquisition. This document lists six recommendations for doing just that. As I mentioned in the article, it’s very hard for a “cyber-outsider” to understand much of what it is saying (which is part of the problem IMHO). It does, however, prioritize the recommendations and pushes for tackling Recommendation 4 as a first step. Recommendation 4 is this: Institute a Federal Acquisition Cyber Risk Management Strategy. Here is a link to the draft of the plan to implement Recommendation 4. I had a chance the other day to have a look at a draft document in support of implementing Recommendation 4, entitled “Appendix I, Category Definition, Prioritization, and Overlays.”
This document is trying to show how Federal dollars are spent on cybersecurity and then provides a proposed structure for characterizing the types of cyber acquisitions, based on Product and Service Codes. I have to provide a quote to demonstrate just how confusing documents like this are to me (and I suspect to most of us non-geeks). Here it is: “...[This document]...is intended to provide a starting point for the collaborative, stakeholder-centric development of a method for categorizing similar types of acquisition that achieves the goals of recommendation number four...” Can anyone tell me what the heck a “collaborative, stakeholder-centric development” means? (Now’s a good time to review my article on Self-Licking Ice Cream Cones.) I know it’s a complex subject, but geez-louise, can we at least use plain English? It seems to me that before we start diving into the pool we ought to see how deep the water is. By that I mean, I strongly believe that we should spend some time first developing a set of principles to guide us through the process. These principles should be simple, easily understood and brief. Once we get the principles right, all the other stuff is easy. So you heard it here first: Crenshaw’s Cyber Acquisition Guiding Principles.
- Government and Corporate data must be protected.
- Access to data must be controlled at all times.
- Risk to Government and Contractors should be considered.
- How the information is being used is as important as what hardware is being used to handle the information.
- Rules must be consistent with existing rules and regulations to minimize confusion.
- Leverage existing rules and regulations before inventing new ones.
- Rules must be executable by all, from the smallest 8A, SDVOSB, Hub Zone firms to world-wide corporations.
- Contracting Officers must have enough knowledge in cyber to make reasonable judgments when drafting RFPs.
- Rules and Regulations must be verifiable with reasonable effort and minimum time (in other words, no 5-year-long DCAA audits).
- Incident response responsibilities must be clear and incentivized.
OK. Now that we understand that, perhaps we can get down to putting something on paper that we can work with, not “a collaborative, stakeholder-centric approach”, whatever that means?