Cyber Compliance - Skyway Acquisition Solutions


Shelley Hall
• 32 years in Department of Defense (retired Nov 2015)
• Held unlimited Contracting Officer’s warrant for 23 years
• Community Relations and Content Manager for Skyway
• Expertise in services and supplies, Federal Supply Schedules, pre- and
post-award, simplified acquisition to large dollar technically complex
source selections, Foreign Military Sales, and commercial and noncommercial
Training From Contracting Officers
Topic: Cyber Compliance
May 11 2017
Host: Shelley Hall
• What Makes IT Different?
• FAR Requirements
• FAR Clause
• DFARS Requirement
• DFARS Clauses
• Final words
What Makes IT Different?
• It is constantly changing
• It cannot be controlled
• It is everywhere
• It is vulnerable
• It is crucial to the government
FAR Requirements
FAR 39 – Acquisition of Information Technology
There are a LOT of things to consider:
• Security of resources, protection of privacy, national security and
emergency preparedness, accommodations for individuals with
disabilities, and energy efficiency;
• Electronic Product Environmental Assessment Tool (EPEAT®) standards;
• Policies to enable power management, double-sided printing, and other
energy-efficient or environmentally preferable features on all agency
electronic products;
• Best management practices for energy-efficient management of servers
and Federal data centers.
FAR 39 – Acquisition of Information
Technology (cont’d)
There are a LOT of things to consider:
• When developing an acquisition strategy, COs should consider the rapidly
changing nature of information technology through market research and
the application of technology refreshment techniques.
• Must include the appropriate information technology security policies
and requirements, including use of common security configurations
available from the National Institute of Standards and Technology’s
website at
• When acquiring information technology using Internet Protocol, agencies
must include the appropriate Internet Protocol compliance requirements.
FAR Requirements - What about Risk?
• Agency must analyze risks, benefits, and costs. Reasonable risk taking is appropriate if
risks are controlled and mitigated. Contracting and program office officials are jointly
responsible for assessing, monitoring and controlling risk.
• Types of risk may include schedule risk, risk of technical obsolescence, cost risk, risk
implicit in a particular contract type, technical feasibility, dependencies between a
new project and other projects or systems, the number of simultaneous high risk
projects to be monitored, funding availability, and program management risk.
• Appropriate techniques to manage and mitigate risk include: prudent project
management; use of modular contracting; thorough acquisition planning tied to
budget planning by the program, finance and contracting offices; continuous
collection and evaluation of risk-based assessment data; prototyping prior to
implementation; post implementation reviews to determine actual project cost,
benefits and returns; and focusing on risks and returns using quantifiable measures.
What about IT Services?
• When acquiring information technology services, solicitations must not
describe any minimum experience or educational requirement for
proposed contractor personnel unless the CO determines that the needs
of the agency—
• Cannot be met without that requirement; or
• Require the use of other than a performance-based acquisition.
FAR Clause
• 52.239-1 -- Privacy or Security Safeguards.
• As prescribed in 39.106, insert a clause substantially the same as the following:
• Privacy or Security Safeguards (Aug. 1996)
• (a) The Contractor shall not publish or disclose in any manner, without the Contracting
Officer’s written consent, the details of any safeguards either designed or developed by
the Contractor under this contract or otherwise provided by the Government.
• (b) To the extent required to carry out a program of inspection to safeguard against
threats and hazards to the security, integrity, and confidentiality of Government data, the
Contractor shall afford the Government access to the Contractor’s facilities, installations,
technical capabilities, operations, documentation, records, and databases.
• (c) If new or unanticipated threats or hazards are discovered by either the Government or
the Contractor, or if existing safeguards have ceased to function, the discoverer shall
immediately bring the situation to the attention of the other party.
DFARS Requirements
DFARS 239 (where it becomes more complicated)
“Information assurance,” means measures that protect and defend
information, that is entered, processed, transmitted, stored, retrieved,
displayed, or destroyed, and information systems, by ensuring their
availability, integrity, authentication, confidentiality, and non-repudiation.
This includes providing for the restoration of information systems by
incorporating protection, detection, and reaction capabilities.
DFARS 239 (where it becomes more
complicated) (cont’d)
• Agencies shall ensure that information assurance is provided for information
technology in accordance with current policies, procedures, and statutes, to include—
• The National Security Act;
• The Clinger-Cohen Act;
• National Security Telecommunications & Information Systems Security Policy No. 11;
• Federal Information Processing Standards;
• DoD Directive 8500.1, Information Assurance;
• DoD Instruction 8500.2, Information Assurance Implementation;
• DoD Directive 8140.01, Cyberspace Workforce Management; and
• DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program.
DFARS 239 (where it becomes more
complicated) (cont’d)
• For all acquisitions, the requiring activity is responsible for providing to
the contracting officer—
• Statements of work, specifications, or statements of objectives that meet
information assurance requirements as specified in paragraph (a) of this
• Inspection and acceptance contract requirements; and
• A determination as to whether the information technology requires
protection against compromising emanations.
DFARS 239 (where it becomes more
complicated) (cont’d)
• For acquisitions requiring information assurance against compromising
emanations, the requiring activity is responsible for providing to the
contracting officer—
• The required protections, i.e., an established National TEMPEST standard (e.g.,
NACSEM 5100, NACSIM 5100A) or a standard used by other authority;
• The required identification markings to include markings for TEMPEST or other
standard, certified equipment (especially if to be reused);
• Inspection and acceptance requirements addressing the validation of
compliance with TEMPEST or other standards; and
• A date through which the accreditation is considered current for purposes of
the proposed contract.
Information assurance contractor training
and certification
For acquisitions that include information assurance functional services for DoD
information systems, or that require any appropriately cleared contractor
personnel to access a DoD information system to perform contract duties, the
requiring activity is responsible for providing to the contracting officer—
• A list of information assurance functional responsibilities for DoD information
systems by category (e.g., technical or management) and level (e.g., computing
environment, network environment, or enclave); and
• The information assurance training, certification, certification maintenance,
and continuing education or sustainment training required for the information
assurance functional responsibilities.
Information assurance contractor training
and certification (cont’d)
• After contract award, the requiring activity is responsible for ensuring that the
certifications and certification status of all contractor personnel performing
information assurance functions as described in DoD 8570.01-M, Information
Assurance Workforce Improvement Program, are in compliance with the
manual and are identified, documented, and tracked.
• The responsibilities specified apply to all DoD information assurance duties
supported by a contractor, whether performed full-time or part-time as
additional or embedded duties, and when using a DoD contract, or a contract
or agreement administered by another agency (e.g., under an interagency
• See PGI 239.7102-3 for guidance on documenting and tracking certification
status of contractor personnel, and for additional information regarding the
requirements of DoD 8570.01-M.
DFARS Clauses
252.239-7000 Protection Against Compromising Emanations.
252.239-7001 Information Assurance Contractor Training and Certification.
252.239-7002 Access.
252.239-7003 Reserved.
252.239-7004 Orders for Facilities and Services.
252.239-7005 Rates, Charges, and Services.
252.239-7006 Tariff Information.
252.239-7007 Cancellation or Termination of Orders.
252.239-7008 Reuse Arrangements.
252.239-7009 Representation of Use of Cloud Computing.
DFARS Clauses (cont’d)
252.239-7010 Cloud Computing Services.
252.239-7011 Special Construction and Equipment Charges.
252.239-7012 Title to Telecommunication Facilities and Equipment.
252.239-7013 Obligation of the Government.
252.239-7014 Term of Agreement.
252.239-7015 Continuation of Communication Service Authorizations.
252.239-7016 Telecommunications Security Equipment, Devices, Techniques,
and Services.
252.239-7017 Notice of Supply Chain Risk.
252.239-7018 Supply Chain Risk.
Cloud Computing
“Cloud computing” means a model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of configurable computing
resources (e.g., networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal management effort
or service provider interaction. This includes other commercial terms, such
as on-demand self-service, broad network access, resource pooling, rapid
elasticity, and measured service. It also includes commercial offerings for
software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.
Cloud Computing (cont’d)
DoD shall acquire cloud computing services using commercial terms and
conditions that are consistent with Federal law, and an agency’s needs.
Some examples of commercial terms and conditions are license
agreements, End User License Agreements (EULAs), Terms of Service (TOS),
or other similar legal instruments or agreements. Contracting officers shall
incorporate any applicable service provider terms and conditions into the
contract by attachment or other appropriate mechanism. Contracting
officers shall carefully review commercial terms and conditions and consult
counsel to ensure these are consistent with Federal law, regulation, and
the agency’s needs.
Cloud Computing (cont’d)
Required storage of data within the United States or outlying areas.
• Cloud computing service providers are required to maintain within the 50
states, the District of Columbia, or outlying areas of the United States, all
Government data that is not physically located on DoD premises, unless
otherwise authorized by the authorizing official.
• The contracting officer shall provide written notification to the contractor
when the contractor is permitted to maintain Government data at a
location outside the 50 States, the District of Columbia, and outlying
areas of the United States.
Recent Updates
Opportunities for Improving Acquisitions and Operations (GAO Report
released April 17, 2017)
Recommendations included:
• Strengthen the Federal Information Technology Acquisition Reform Act
• Improving CIO authorities
• Budget formulation
• Governance
• Workforce
• Operations
• Transition planning
Final Words
• The Federal Government does not like things it can’t control – like IT
• Expect more and more emphasis on regulations that further restrict
IT products and services
• IT products and services are NORMALLY purchased using mandatory
source IDIQs, GWACs, MACs, GSA (is this the best way to purchase
• Fight the good fight. If you are providing IT products or services,
protest procurements that unfairly restrict true competition (you may
not win, but your voice will be heard).
Skyway Acquisition Solutions, LLC
Shelley Hall
Email: [email protected]