“…the rule requires contractors, within 30 days after contract award to submit an IT Security Plan to the contracting officer and contracting officer’s representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require that contractors submit written proof of IT security authorization six months after award, and verify that the IT Security Plan remains valid annually. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements.”

While the idea of 3rd party audits and attestations is common practice in the private sector, there are a few interesting considerations that businesses should consider adopting as appropriate based on the type of vendor.

“…ensure appropriate security of IT resources that are developed, processed, or used under the contract…”

Businesses when setting up agreements with third parties should be engaged at the relationship discovery stage and upon contract.  Specifically architect what are the appropriate security safeguards for the type of vendor and what will be the scope of processes of the vendor.  This is becoming more present across the spectrum of industries, but the maturity of the above process is just emerging in mature organizations.

“…verify that the IT Security Plan remains valid annually…”

Business relationships must be managed.  Operational and performance metrics exist for each vendor and if a vendor misses a contractual agreement, there are usual fines and contract adjustments that result.  The management of vendor operational information security to the agreed upon plan should also be executed.  This is a great opportunity to establish a routine, efficient, and appropriate validation / attestation process.

The takeaway here is that the practices securing businesses must evolve to address the introduced risks of third parties.  There is a need to be balanced in the requests to vendors and so a progressive security plan that reflects the relationship is appropriate.

InfosecIsland has a nice writeup of the full GSA Final Rule here, and the actual rule is available here too.

Other thoughts / Considerations?

James DeLuccia

//cc at PCI DSS & IT Controls

The first is that when a target is established and projects are executed to achieve that target, the business performs better.  This is demosntrated by a few examples of the author, and highlighted in the article:

“…we can ascribe to architecture is that when companies have competition, then they can establish any kind of performance target they want, whether it’s faster revenue growth or better profitability, and then architect themselves so they can achieve their goals. Then, we can monitor that.”

It seems ANY target will improve the business.  Grasping onto the Getting Things Done mindset, this leads teams all the way up to the CIO/CISO leaders to set stretch goals.  These targets could be lower incidents; better response time; lower downtime; lower end-user complaints; faster turn around of projects; lower fail rates; etc…  the key of course is to be ethical in how these metrics are achieved (obviously, or not, that reaching better customer complaint ratios should be done where quality and speed are measured to ensure that dual either are not lost as a result of the new target.

“We also have statistical support in some of the work we’ve done that shows that high performers in our sample of 102 companies, in fact, had greater architecture maturity. They had deployed a number of practices associated with good architecture.”

Architecture breeds discipline and matures an organization from “heroes’.  An interesting advantage for those growing their businesses in a rapid fashion and need to achieve a broader security posture.  This though is also true in most other businesses.  It is hard to consider a business where defining a discipline (that still enables brilliance and innovation) on architecture and in this case information security practices is not an advantage:

• Businesses grown by acquisition benefit from having a superior on-boarding process of new companies allowing for single measurable and manageable structures
• Historic / existing establishments benefit where processes gain efficiency and effectiveness against newly defined targets

“We really just need architecture to pull out unnecessary cost and to enable desirable reusability”

This is a key point – technology is evolving and is incredibly capable, but the utility of such are not efficient.  There is tremendous opportunity to remove duplication and leverage existing information security processes and technology.  This is a natural effect of systems and technology growing in capability, but also shifting needs directed by the business and risk landscape.  The joke of “shelf-ware” can be referred to here, just be sure it is not a reflection.

The article / interview for me brought forward ideas where we can be different within information security and leverage the approach and toolsets to enhance businesses.  I would encourage a read of the article, here, and a deeper consideration as to what goals the business could (or even a team within a larger entity) set and adjust accordingly.  Tis the New Year afterall.

Best,
James DeLuccia IV