General Services Administration
APPENDIX I: Category Definitions, Prioritization, and Overlays
Improving Cybersecurity and Resilience through Acquisition
Implementation Plan
DISCUSSION DRAFT
1. Recommendation IV Report Text ..... iii
2. Foreword ..... iv
3. Draft Taxonomy Based on Commercial Items and Product and Service Codes ..... 6
   3.1. Figure 1: Commercial ICT Categories and PSCs ..... 7
4. ICT Products: Hardware ..... 8
   4.1. Figure 2: Hardware Category ..... 8
5. ICT Products: Software ..... 9
   5.1. Figure 3: Software Category ..... 9
6. ICT Services: Outsourcing ..... 11
   6.1. Figure 4: Outsourcing Category ..... 11
7. ICT Services: Consulting Services ..... 12
   7.1. Figure 5: Consulting Services Category ..... 12
8. ICT Services: Telecommunication Services ..... 13
   8.1. Figure 6: Telecommunication Services Category ..... 13
9. ICT Solutions: Security ..... 15
   9.1. Figure 7: Security Category ..... 15
10. PSC Glossary ..... 16
11. Figure 8: Complete Category Hierarchy ..... 18
12. Acquisition Risk Assessment and Prioritization ..... 19
   12.1. Total Federal “Commercial” ICT Spend ..... 19
   12.2. Top Three Subcategories by Spend FY11-FY13 ..... 19
13. Overlays ..... 19
Improving Cybersecurity and Resilience through Acquisition Implementation Plan (v1.0)   Page ii of xix
1. Recommendation IV Report Text

From the Executive Summary of the Report (pg 7):

Institute a Federal Acquisition Cyber Risk Management Strategy. From a government-wide cybersecurity perspective, identify a hierarchy of cyber risk criticality for acquisitions. To maximize consistency in application of procurement rules, develop and use “overlays”[1] for similar types of acquisition, starting with the types of acquisitions that present the greatest cyber risk.
From the body of the Report (pp 15-16):
Institute a Federal Acquisition Cyber Risk Management Strategy. The government needs an interagency acquisition cyber risk management strategy that requires agencies to ensure their performance meets strategic cyber risk goals for acquisition and is part of the government’s enterprise risk management strategy. The strategy should be based on a government-wide perspective of acquisition, and be primarily aligned with the methodologies and procedures developed to address cyber risk in the Cybersecurity Framework. It should identify a hierarchy of cyber risk criticality for acquisitions and include a risk-based prioritization of acquisitions. The risk analysis should be developed in alignment with the Federal Enterprise Architecture[2] and NIST Risk Management Framework (RMF).[3]

The strategy should include development of “overlays” - fully specified sets of security requirements and supplemental guidance that provide the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.[4]
When developing the strategy, the government should leverage existing risk management processes and data collection methodologies, and consistently incorporate cyber risk as an element of enterprise risk management. The strategy should encompass standard network security practices to address vulnerability of information to cyber intrusions and exfiltration. The strategy should leverage supply chain risk management processes to mitigate risks of non-conforming items (such as counterfeit and tainted products). And it should include appropriate metrics to define risk and to measure the ability of agencies to apply empirical risk modeling techniques that work across both public and private organizations. In developing the strategy, the government should use the active, working partnerships between industry, the civilian agencies and the intelligence community, and create such partnerships where they do not already exist, with the goal of leveraging validated and outcome-based risk management processes, best practices, and lessons learned.

[1] An overlay is a fully specified set of security requirements and supplemental guidance that provide the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.
[2] Available at http://www.whitehouse.gov/omb/e-gov/fea/.
[3] See NIST Special Publication 800-37, Revision 1 (Feb. 2010).
[4] See, e.g., the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, available at: http://www.gsa.gov/portal/category/102375. See also the Information Systems Security Line of Business (ISSLoB), a comprehensive and consistently implemented set of risk-based, cost-effective controls and measures that adequately protects information contained in federal government information systems, available at: http://www.dhs.gov/information-systems-security-line-business.
Where appropriately defined categories of similar types of acquisitions already exist,[5] the government should develop overlays for those types of acquisitions. The overlays should be developed in collaboration with industry, and consistently applied to all similar types of Federal acquisitions. The starting point for development of the requirements should be the Cybersecurity Framework.

The overlays should encompass realistic, risk-based controls that appropriately mitigate the risks for the type of acquisition, and should define the minimum acceptable controls for any acquisition that is of a similar type. The overlays should not, as a general rule, incorporate standards directly into contracts, and should avoid prescriptive mandates for specific practices, tooling, or country-specific standards, because the inflexibility of those approaches often inadvertently increases costs without actually reducing risk.[6] Instead, the overlays should specifically identify security controls from within standards that should be applied to the type of acquisition being conducted. The overlays should also include acquisition and contractual controls like source selection criteria and contract performance measures. Finally, to the greatest extent possible, the overlays should be expressed as technical requirements. This approach will allow the government to describe top level cybersecurity requirements, decompose them to a lower level for an individual acquisition, and then articulate them consistent with and in a similar manner as other requirements for the fielded solution.
This recommendation is based on the fact that not all assets delivered through the acquisition system present the same level of cyber risk or warrant the same level of cybersecurity, and requiring increased cybersecurity in planning and performance of government contracts creates cost increases for contractors and the Federal government. Such cost increases must be balanced against the nature and severity of cyber risks and the corresponding cost or performance reductions in other functionality. The Federal government can mitigate the amount of any cost increases if it creates certainty by adopting cybersecurity requirements across market segments and similar types of procurement.
[5] See, e.g., FedRAMP, ISSLoB, and the Federal Strategic Sourcing Initiative (FSSI) (available at: http://www.gsa.gov/fssi), among others. These programs have defined categories of similar types of products and services.
[6] Directly incorporating standards could freeze the status quo and hamper or prevent the evolution of countermeasures required to address the dynamic threat and technology landscapes. It might also create a risk that other nations will adopt similar mandates which could further increase supply chain costs. Incorporating government-specific standards that would duplicate existing security-related standards or creating country-specific requirements that could restrict the use of long-standing and highly credible global suppliers of technology could have significant negative effects on the government’s ability to acquire the products and services it needs.

2. Foreword
The set of notional Category definitions and taxonomy in this Appendix represents one way the Federal acquisition spend can be divided. This “model” was developed using a subset of Federal acquisition spend, and is intended to provide a starting point for the collaborative, stakeholder-centric development of a method for categorizing similar types of acquisition that achieves the goals of recommendation number four of the DoD-GSA Report “Improving Cybersecurity and Resilience through Acquisition.”
This categorization is intended to clearly define the structure and boundaries of the listed ICT categories, subcategories, and products and services. It was developed using a data-driven approach based on logical groupings of industry codes that align with available Federal spending data.
This draft only contains a subset of the types of Federal Information and Communications Technology (ICT) acquisition, “commercial” ICT, as defined by the Federal Acquisition Regulation (FAR). If the model presented here, or some version of it, is agreed to as a workable construct for accomplishing the tasks required to implement Recommendation IV from the DoD-GSA Report, the remaining types of acquisitions can be categorized using the same process. Once stakeholders reach agreement on the process used to define the Categories, the method can be expanded to cover all types of Federal contract spending. This subset of Categories is not exhaustive and is to be viewed only as an example of the output that can be achieved by applying a process to available spending data.
3. Draft Taxonomy based on Commercial Items and Product and Service Codes

This draft model provides six categories that fall within three Information and Communications Technology (ICT) sectors – Products, Services, and Solutions. Each category addresses a unique market with distinct customer requirements, supplier segments, and products and services. The ICT products and services included in the categories are generally reflective of items that are encompassed by the FAR definition of “commercial.”[7]

Each category has an identifiable taxonomy based on Product and Service Codes (PSC).[8] PSCs are used today by all federal government contracting activities for identifying and classifying the services, supplies, and equipment that are purchased under contract. This taxonomy is proposed because it encompasses all spending and is defined by the types of services and products being purchased and not what acquisition method was used or what organization did the buying. PSCs are readily available, accurate, and consistently recorded, unlike other classification codes used by various contracting offices. A PSC-based taxonomy is also currently used to support the strategic sourcing and Undersecretary of Defense for Acquisition, Technology and Logistics, Better Buying Power initiatives, as well as the General Services Administration’s Federal Supply Schedules, Governmentwide Acquisition Contracts, and other Federal acquisition programs. Finally, using a consistent taxonomy for this effort will foster communication and strategic decision-making across the various initiatives and programs.
[7] FAR § 2.101 defines “commercial item” as:
(1) Any item, other than real property, that is of a type customarily used by the general public or by non-governmental entities for purposes other than governmental purposes, and—(i) Has been sold, leased, or licensed to the general public; or (ii) Has been offered for sale, lease, or license to the general public;
(2) Any item that evolved from an item described in paragraph (1) of this definition through advances in technology or performance and that is not yet available in the commercial marketplace, but will be available in the commercial marketplace in time to satisfy the delivery requirements under a Government solicitation;
(3) Any item that would satisfy a criterion expressed in paragraphs (1) or (2) of this definition, but for—(i) Modifications of a type customarily available in the commercial marketplace; or (ii) Minor modifications of a type not customarily available in the commercial marketplace made to meet Federal Government requirements. “Minor modifications” means modifications that do not significantly alter the nongovernmental function or essential physical characteristics of an item or component, or change the purpose of a process. Factors to be considered in determining whether a modification is minor include the value and size of the modification and the comparative value and size of the final product. Dollar values and percentages may be used as guideposts, but are not conclusive evidence that a modification is minor;
(4) Any combination of items meeting the requirements of paragraphs (1), (2), (3), or (5) of this definition that are of a type customarily combined and sold in combination to the general public;
(5) Installation services, maintenance services, repair services, training services, and other services if—(i) Such services are procured for support of an item referred to in paragraph (1), (2), (3), or (4) of this definition, regardless of whether such services are provided by the same source or at the same time as the item; and (ii) The source of such services provides similar services contemporaneously to the general public under terms and conditions similar to those offered to the Federal Government;
(6) Services of a type offered and sold competitively in substantial quantities in the commercial marketplace based on established catalog or market prices for specific tasks performed or specific outcomes to be achieved and under standard commercial terms and conditions. For purposes of these services—(i) “Catalog price” means a price included in a catalog, price list, schedule, or other form that is regularly maintained by the manufacturer or vendor, is either published or otherwise available for inspection by customers, and states prices at which sales are currently, or were last, made to a significant number of buyers constituting the general public; and (ii) “Market prices” means current prices that are established in the course of ordinary trade between buyers and sellers free to bargain and that can be substantiated through competition or from sources independent of the offerors.
(7) Any item, combination of items, or service referred to in paragraphs (1) through (6) of this definition, notwithstanding the fact that the item, combination of items, or service is transferred between or among separate divisions, subsidiaries, or affiliates of a contractor; or
(8) A nondevelopmental item, if the procuring agency determines the item was developed exclusively at private expense and sold in substantial quantities, on a competitive basis, to multiple State and local governments.
[8] Federal Procurement Data System Product and Service Codes Manual (Aug. 2011), available at: http://www.acquisition.gov/PSC%20Manual%20-%20Final%20-%2011%20August%202011.pdf.
The included items are mapped against the PSCs to form subcategories, which are allocated to a category depending on how Federal buyers typically purchase the items. Further sub-categorization may be required to define categories for which cyber risks can be appropriately mitigated using a single Overlay.

3.1. Figure 1: Commercial ICT Categories and PSCs

Commercial ICT
   Products
      Hardware: 5805, 5811, 5815, 5820, 5821, 5825, 5826, 5830, 5831, 5841, 5895, 5995, 5998, 6015, 6020, 6021, 6030, 6060, 6110, 7010, 7020, 7021, 7022, 7025, 7035, 7042, 7045, 7050, 7435, W070
      Software: 7030, D312, D313, D315, D317, D318, D319, D399, J070
   Services
      Outsourcing: D301, D302, D303, D305, D307, D308, D311, D316, D318, D320, D321, D325, D399, H170, H960, H961, H970, J058, J060, J070, K060, K070, L070, N058, N059, N060, N070, R415, R702
      Consulting: AC63, AJ21, AJ22, B544, D306, D314, R408, R410, R413, R425, U012
      Telecommunication Services: D301, D304, D309, D316, D321, D322, D399, R707
   Solutions
      Security: 5810, D310, D324
The commercial ICT segment of the Federal IT market consists of 322 products and services with a total spend of $62,817,311,432 for fiscal year 2013 (FY13) (based on FPDS net obligation data). Category boundaries were determined using the PSC taxonomy illustrated above, which contains six PSCs that overlap between categories and one PSC that overlaps between subcategories within the security category. Spend data for each subcategory is also provided in the following pages.
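The overlap claim above (six PSCs shared between categories, one PSC shared between the two Security subcategories) is the kind of thing a reviewer of the draft would want to check mechanically, because a code that sits in two categories cannot be covered by a single overlay. The following Python is an added example, not part of the draft or of any GSA tool: it transcribes the subcategory-to-PSC assignments of Figures 1 through 7 into a data structure and reports every code that is claimed by more than one category or subcategory. The structure name TAXONOMY and the function names are this example's own.

```python
"""Check the draft PSC taxonomy for codes that span more than one category or
subcategory.  Added example; the category/subcategory -> PSC assignments are
transcribed from Figures 1-7 of the discussion draft, the helper names are ours."""
from collections import defaultdict

# Category -> subcategory -> PSCs (transcribed from the draft's Figures 2-7).
TAXONOMY = {
    "Hardware": {
        "Computing": {"7010", "7020", "7021", "7022", "7042"},
        "Peripherals & Storage": {"7025", "7050"},
        "Communications Equipment": {"5805", "5811", "5815", "5820", "5821", "5825",
                                     "5826", "5830", "5831", "5841", "5895"},
        "Electronic Equipment": {"5995", "5998", "6110", "7035", "7045", "7435", "W070"},
        "Fiber Optic Equipment": {"6015", "6020", "6021", "6030", "6060"},
    },
    "Software": {
        "Operations Management Software": {"D312", "D399"},
        "Licensing & Maintenance": {"D317", "D319", "J070"},
        "Geographic Software": {"D315"},
        "System Programs": {"D313", "D318", "7030"},
    },
    "Outsourcing": {
        "As-a-Service Solutions": {"D305"},
        "Data Center and Helpdesk Services": {"D321", "D325"},
        "Quality Control Services": {"H170", "H960", "H961", "H970"},
        "Maintenance Services": {"D301", "D320", "J058", "J060", "J070", "K060", "K070"},
        "Technical Services": {"L070", "N058", "N059", "N060", "N070"},
        "Application Development Services": {"D302", "D307", "D308"},
        "Integrated Services": {"D316", "D318", "D399", "R415"},
        "Data Management Services": {"D303", "D311", "R702"},
    },
    "Consulting Services": {
        "Business Consulting": {"B544", "R408", "R410", "R413"},
        "Research & Development": {"AC63", "AJ21", "AJ22"},
        "Operational Support": {"D314", "U012"},
        "Systems Engineering": {"D306", "R425"},
    },
    "Telecommunication Services": {
        "Telecommunications & Transmission Services": {"D304", "D399"},
        "Advisory Services": {"R707"},
        "Data & Network Services": {"D301", "D309", "D316", "D321"},
        "Internet Services": {"D322"},
    },
    "Security": {
        "Identity & Access Management": {"5810", "D310"},
        "Security Services": {"D310", "D324"},
    },
}


def psc_to_owners(taxonomy=TAXONOMY):
    """Map every PSC to the set of (category, subcategory) pairs that claim it."""
    owners = defaultdict(set)
    for category, subcategories in taxonomy.items():
        for subcategory, pscs in subcategories.items():
            for psc in pscs:
                owners[psc].add((category, subcategory))
    return dict(owners)


def cross_category_overlaps(taxonomy=TAXONOMY):
    """PSCs assigned to more than one category: a single overlay cannot cover them."""
    result = {}
    for psc, owners in psc_to_owners(taxonomy).items():
        categories = sorted({category for category, _ in owners})
        if len(categories) > 1:
            result[psc] = categories
    return result


def subcategory_overlaps(category, taxonomy=TAXONOMY):
    """PSCs shared by two or more subcategories inside one category."""
    seen = defaultdict(set)
    for subcategory, pscs in taxonomy[category].items():
        for psc in pscs:
            seen[psc].add(subcategory)
    return {psc: sorted(subs) for psc, subs in seen.items() if len(subs) > 1}


def overlay_candidates(psc, taxonomy=TAXONOMY):
    """Sorted (category, subcategory) pairs whose overlay would apply to PSC;
    an empty list means the code is not in the draft taxonomy at all."""
    return sorted(psc_to_owners(taxonomy).get(psc, ()))


if __name__ == "__main__":
    print("PSCs spanning categories:")
    for psc, categories in sorted(cross_category_overlaps().items()):
        print(f"  {psc}: {', '.join(categories)}")
    for category in TAXONOMY:
        for psc, subs in subcategory_overlaps(category).items():
            print(f"Within {category}, {psc} is shared by: {', '.join(subs)}")
```

Run as a script it lists the six cross-category codes (D301, D316, D318, D321, D399, J070) and the one intra-Security code (D310), which matches the draft's count; the same functions can be rerun unchanged after the taxonomy is revised to confirm that a proposed overlay boundary no longer splits a code.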
4. ICT Products: Hardware

The Hardware category consists of five subcategories, 68 products and services, and the associated taxonomy depicted in Figure 2.

4.1. Figure 2: Hardware Category

ICT Products: Hardware
   Computing (PSCs 7010, 7020, 7021, 7022, 7042): Control Devices; Data Center Equipment; Desktop PCs; Laptop/Portable/Notebook Computers/Tablet PCs; Large Scale Computers; Mainframe; Microcomputer; Servers; Wearable; Workstations
   Peripherals & Storage (PSCs 7025, 7050): Bandwidth Management Devices; Bridges (Includes Wireless); Cellular Paging; Computer/Telephony (CTI); Data Service Unit/Channel Service Unit; Desktop Printers; Digitizers; Disk Arrays; Embedded Technology Devices; Fabric Attached Storage; Flash Drives; Hard Disk Drives; IP Storage; Light Pens; Monitors; Multifunction Peripheral; Network Attached Storage; Optical and Imaging Equipment; Optical Recognition Devices; PDAs; Printers; RAID Controllers; Scanners; Storage Area Network; Storage Devices; Tape Drives; Tape Libraries; Touchscreens
   Communications Equipment (PSCs 5800 series, excluding 5810): Cellular Phones, Aircards or Cellular Ports; Diagnostic and Test Equipment; Fax Machines; Gateways; Hubs/Concentrators; LAN Adapters; Microwave; Modems; Multiplexers; Network Interface Cards; Private Branch Exchanges; Public Address Systems; Radar; Radios; Remote Access Devices; Satellite Equipment; Special Physical, Visual, Speech and Hearing Aid Equipment; Smartphones; Switches; Telephone Equipment; Video Teleconferencing Equipment (VTC); Wireless Accessories; Wireless Adapters; Wireless Broadband Devices
   Electronic Equipment (PSCs 5995, 5998, 6110, 7035, 7045, 7435, W070): Cables, Cords, and Wire Assemblies, not Fiber
   Fiber Optic Equipment (PSCs 6000 series): Fiber Optic Assemblies and Harnesses; Fiber Optic Cables; Fiber Optic Devices; Fiber Optic Interconnectors; Fiber Optic Switches
Computing Subcategory
   Total Spend: FY11 $2,485,157,341; FY12 $2,522,202,670; FY13 $1,602,382,139; Total $6,609,742,149

Peripherals and Storage Subcategory
   Total Spend: FY11 $1,913,110,732; FY12 $1,615,172,197; FY13 $1,131,341,194; Total $4,659,624,124

Communications Equipment Subcategory
   Total Spend: FY11 $7,637,465,892; FY12 $7,287,094,511; FY13 $5,639,806,169; Total $20,564,366,572

Electronic Equipment Subcategory
   Total Spend: FY11 $2,797,074,354; FY12 $2,691,021,777; FY13 $2,301,052,570; Total $7,789,148,701
Fiber Optic Equipment Subcategory
   Total Spend: FY11 $143,004,161; FY12 $117,391,069; FY13 $103,200,520; Total $363,595,749

5. ICT Products: Software

The Software category consists of four subcategories, 56 products and services, and the associated taxonomy depicted in Figure 3.

5.1. Figure 3: Software Category

ICT Products: Software
   Operations Management Software (PSCs D312, D399): Asset/Materials Management; Content Management; Customer Initiated Assistance; Customer Preferences; Customer Relationship Management (CRM); Document Management; Enterprise Resource Planning (ERP); Financial Management; Forms Management; Human Capital/Workforce Management; Human Resources; Investment Management; Knowledge Management; Office Automation; Organizational Management; Records Management; Reporting; Routing and Scheduling; Supply Chain Management; Systems Management; Tracking and Workflow; Visualization
   Licensing & Maintenance (PSCs D317, D319, J070): Data Integration Tools; Data Mart; Data Quality Tools; Database Management System (DBMS); Software Licensing; Software Maintenance & Support; Software Products and Services, Operations and Maintenance Support
   Geographic Software (PSC D315): Geospatial; GPS Navigation
   System Programs (PSCs D313, D318, 7030): Application Integration and Middleware; Audio Conferencing; Automated News/Data Services; Availability/Performance; Collaboration; Commercially Available Business Applications; Communication; Computer-Aided Design, Manufacturing, Engineering Services (CAD/CAM/CAE); Configuration Management; Data at Rest (DAR); Distance Learning; Encryption Software Services; Job Scheduling; Knowledge Discovery; Operating Libraries and Archives; Operating System; Software Publishing or Broadcasting; Search; Special Physical, Visual, Speech and Hearing Aid Software; Telemedicine; Teleworking Solutions; Utility Software; Video Teleconferencing; Web Conferencing; Web Publishing and Broadcasting
Operations Management Software Subcategory
   Total Spend: FY11 $1,980,848,928; FY12 $1,958,071,636; FY13 $1,944,640,692; Total $5,883,561,256

Licensing and Maintenance Subcategory
   Total Spend: FY11 $236,996,153; FY12 $449,032,775; FY13 $653,383,045; Total $1,339,411,973

Geographic Software Subcategory
   Total Spend: FY11 $22,109,932; FY12 $37,430,936; FY13 $13,231,914; Total $72,772,782

System Programs Subcategory
   Total Spend: FY11 $3,691,038,069; FY12 $4,083,188,994; FY13 $3,955,240,048; Total $11,729,467,111
6. ICT Services: Outsourcing

The Outsourcing category consists of eight subcategories, 63 products and services, and the associated taxonomy depicted in Figure 4.

6.1. Figure 4: Outsourcing Category

ICT Services: Outsourcing
   As-a-Service Solutions (PSC D305): Cloud Maintenance and Support; Cloud Products and Services, Operations and Maintenance Support; Cloud Configuration Services; Cloud Integration/Consulting; Cloud Licensing; Cloud Modification and Customization; Cloud Office Automation; Cloud Records Management; Cloud Storage; Email as a Service (EaaS); Infrastructure as a Service (IaaS); Open Source Software; Platform as a Service (PaaS); Software as a Service (SaaS); Virtual Machines; Web Hosting and Related Services
   Data Center and Helpdesk Services (PSCs D321, D325): Business Continuity and Disaster Recovery; Business Intelligence; Data Center Configuration Services; Data Center Consolidation and Modernization Services; Data Center Design and Architecture; Data Center Integration/Consulting; Data Center Maintenance and Support; Data Center Operations; Data Center Products and Services, Operations and Maintenance Support; Helpdesk Management
   Quality Control Services (PSCs H170, H960, H961, H970): Automatic Data Processing Equipment; Independent Verification and Validation (IV&V); Inspection Services; Testing Services
   Application Development Services (PSCs D302, D307, D308): Analysis and Design Services; Analysis and Statistics; Configuration Services; Custom Web Design, Development, and Support; Development, Testing and Implementation Services; Modification and Customization; Programming Services; Wireless Applications/Subsystems
   Maintenance Services (PSCs D301, D320, J058, J060, J070, K060, K070): Computer Systems Operations and Maintenance; Hardware Maintenance and Support; IT Facility Operations and Maintenance
   Technical Services (PSCs L070, N058, N059, N060, N070): Disposition/Disposal of IT Equipment; Disposition/Disposal of Wireless Equipment; Hardware Licensing; Inside Cabling/Wiring Installation; Installation/Deinstallation; Local Access Cabling/Wiring Installation; Long Distance Cabling/Wiring Installation; Wireless Antenna Installation
   Integrated Services (PSCs D316, D318, D399, R415): Cloud Brokerage; Integration/Consulting; Systems Integration; Technology Sharing
   Data Management Services (PSCs D303, D311, R702): Backup Services; Data Classification; Data Cleansing; Data Conversion Services; Data Exchange; Data Hosting; Data Warehousing; Extraction and Transformation; Loading and Archiving; Metadata and Data Modeling
As-a-Service Solutions Subcategory
   Total Spend: FY11 $40,998,557; FY12 $42,081,280; FY13 $46,341,575; Total $129,421,413

Data Center and Helpdesk Services Subcategory
   Total Spend: FY11 $3,853,958; FY12 $177,152,484; FY13 $255,149,129; Total $436,155,571

Quality Control Services Subcategory
   Total Spend: FY11 $21,438,953; FY12 $20,007,959; FY13 $22,400,636; Total $63,847,548
Maintenance Services Subcategory
   Total Spend: FY11 $5,458,837,874; FY12 $5,521,747,931; FY13 $4,305,154,329; Total $15,285,740,135

Technical Services Subcategory
   Total Spend: FY11 $660,734,550; FY12 $730,382,690; FY13 $358,719,301; Total $1,749,836,542

Application Development Services Subcategory
   Total Spend: FY11 $7,399,341,001; FY12 $6,811,970,736; FY13 $5,235,732,142; Total $19,447,043,879

Integrated Services Subcategory
   Total Spend: FY11 $10,843,351,633; FY12 $12,421,800,085; FY13 $12,244,402,608; Total $35,509,554,326

Data Management Services Subcategory
   Total Spend: FY11 $625,701,864; FY12 $635,399,862; FY13 $535,285,474; Total $1,796,387,199

7. ICT Services: Consulting Services

The Consulting Services category consists of four subcategories, 12 products and services, and the associated taxonomy shown in Figure 5.

7.1. Figure 5: Consulting Services Category

ICT Services: Consulting Services
   Business Consulting (PSCs B544, R408, R410, R413): Capital Planning; Enterprise Architecture (EA); IT Policy and Guidance Development; Management Improvement; Management of Process; Social Media; Strategic Planning
   Research & Development (PSCs AC63, AJ21, AJ22): Research and Development
   Operational Support (PSCs D314, U012): Acquisition Training; Cyber Security Training; IT Training
   Systems Engineering (PSCs D306, R425): Systems Engineering and Integration Support Services
Research & Development Subcategory
   Total Spend: FY11 $1,414,468,378; FY12 $1,525,718,192; FY13 $1,051,144,890; Total $3,991,331,460

Business Consulting Subcategory
   Total Spend: FY11 $7,660,199,257; FY12 $8,139,511,800; FY13 $7,226,663,041; Total $23,026,374,098
Operational Support Subcategory
   Total Spend: FY11 $589,701,792; FY12 $282,187,414; FY13 $254,176,897; Total $1,126,066,103

Systems Engineering Subcategory
   Total Spend: FY11 $12,512,933,288; FY12 $13,267,989,804; FY13 $9,944,348,644; Total $35,725,271,735

8. ICT Services: Telecommunication Services

The Telecommunication Services category consists of four subcategories, 63 products and services, and the associated taxonomy depicted in Figure 6.

8.1. Figure 6: Telecommunication Services Category

ICT Services: Telecommunication Services
   Telecommunications & Transmission Services (PSCs D304, D399):
      Satellite Services: Bandwidth; Broadcast; Fixed Satellite Services; Managed Satellite Services; Mobile Satellite Services; Satellite Access; Subscription Services
      Mobility/Wireless Services: Broadband Access; Cellular Digital Packet Data; Cellular Encryption Services; Cellular/PCS; Land Mobile Radio; Multimode Wireless; Paging; Wireless and Cellular Access; Wireless and Cellular Domestic Service Plans; Wireless and Cellular International Service Plans; Wireline Access
      Transmission Services: Asynchronous Transfer Mode; Circuit Switched Data; Combined Content Delivery Network; Converged IP; Dark Fiber; Ethernet; Frame Relay; Internet Protocol; IP Video Transport; Layer 2 VPN; Managed Trusted IP Service; Network-based IP VPN; Optical Wavelength; Premises-based IP VPN; Private Line; Synchronous Optical Networking; Toll Free; Voice; Voice over IP (VOIP); Voice over IP Transport
   Advisory Services (PSC R707): Contract Administration; Contract Optimization; Inventory Management; Invoice Management and Audit; Management Reporting; Order and Billing Management; Rate Plan Optimization
   Data & Network Services (PSCs D301, D309, D316, D321): Call Center/Customer Contact Center; Collaboration Support/Email Services; Colocated Hosting; Customer Specific Design and Engineering; Dedicated Hosting; Electronic Auctions; GSA Telepresence Service; Internet Facsimile; Managed Telepresence Service; Network Management; Telecommunications Relay Services for Deaf, Hard of Hearing, and Speech Disabled; Unified Messaging
   Internet Services (PSC D322): Cable Broadband; Dial-up; Digital Subscriber Line (DSL); Mobile Device/Application Management; Mobility Life-Cycle (MLC) Support; Satellite Internet; WIFI
Advisory Services Subcategory
   Total Spend: FY11 $609,941,886; FY12 $557,752,925; FY13 $477,881,170; Total $1,645,575,982

Telecommunications & Transmission Services Subcategory
   Total Spend: FY11 $2,475,043,843; FY12 $2,270,530,931; FY13 $2,077,412,064; Total $6,822,986,839

Data & Network Services Subcategory
   Total Spend: FY11 $572,144,178; FY12 $647,597,791; FY13 $538,809,622; Total $1,758,551,592

Internet Services Subcategory
   Total Spend: FY11 N/A; FY12 $115,084,994; FY13 $102,616,233; Total $217,701,227
9. ICT Solutions: Security

The Security category consists of two subcategories, 60 products and services, and the associated taxonomy depicted in Figure 7.

9.1. Figure 7: Security Category

ICT Solutions: Security
   Identity & Access Management (PSCs 5810, D310): Access Control; Approved FIPS-201 Compliant Services; Card Delivery Services; Card Printer Stations; Communications Security Equipment; Credentialing and Identity Management Services; Cryptographic Module; Cryptography Services; Digital Signature Management; Electromagnetically Opaque Sleeve; Electronic Personalization; Encryption Services; Facial Image Capturing (Middleware); Facial Image Capturing Camera; Fingerprint Capture Station; FIPS-201 Compliant Products; Firewall; Graphical Printing/Card Printer; Identification and Authentication; OCSP Responder; PIV Card; PIV Card Activation and Finalization Products; PIV Card Activation and Finalization Services; PIV Card Management and Production Products; PIV Card Management and Production Services; PIV Card Reader - Biometric; PIV Card Reader - CHUID (Contact); PIV Card Reader - CHUID (Contactless); PIV Card Reader - Transparent; PIV Enrollment and Registration Products; PIV Enrollment and Registration Services; PIV Infrastructure Products; PIV Infrastructure Services; PIV Integration Products; PIV Integration Services; PIV Logical Access Control Products; PIV Middleware; PIV Physical Access Control Products; Single Fingerprint Capture Device; Template Generator; Template Matcher
   Security Services (PSCs D310, D324): Assessment and Authorization; Audit Trail and Capture Analysis; Contingency Planning; Continuity of Operations Planning; Emergency Response/Disaster Recovery; Identification and Inventory of Cyber Assets; Incident Response; Information Assurance; Intrusion Detection and Prevention; Managed Firewall; Managed Tiered Security; Physical Security; Policy Development, Implementation, and Compliance; Recovery Planning Services; Secure Managed Email; Security Management/Technical Support Services; Situational Awareness and Incident Response (SAIR); Virus Protection; Vulnerability Scanning
Identity and Access Management Subcategory
FY11 FY12 FY13 TotalTotal Spend $915,099,172 $1,035,729,671 $503,931,148 $2,454,759,991
Security Services Subcategory
FY11 FY12 FY13 TotalTotal Spend $131,331,140 $224,449,061 $268,665,217 $624,445,418
10. PSC Glossary

PSC   Name
5805  Telephone and Telegraph Equipment
5810  Communications Security Equipment and Components
5811  Other Cryptologic Equipment and Components
5815  Teletype and Facsimile Equipment
5820  Radio and Television Communication Equipment, Except Airborne
5821  Radio and Television Communication Equipment, Airborne
5825  Radio Navigation Equipment, Except Airborne
5826  Radio Navigation Equipment, Airborne
5830  Intercommunication and Public Address Systems, Except Airborne
5831  Intercommunication and Public Address Systems, Airborne
5841  Radar Equipment, Airborne
5895  Miscellaneous Communication Equipment
5995  Cable, Cord, and Wire Assemblies: Communication Equipment
5998  Electrical and Electronic Assemblies, Boards, Cards, and Associated Hardware
6015  Fiber Optic Cables
6020  Fiber Optic Cable Assemblies and Harnesses
6021  Fiber Optic Switches
6030  Fiber Optic Devices
6060  Fiber Optic Interconnectors
6110  Electrical Control Equipment
7010  ADPE System Configuration
7020  ADP Central Processing Unit (CPU, Computer), Analog
7021  ADP Central Processing Unit (CPU, Computer), Digital
7022  ADP Central Processing Unit (CPU, Computer), Hybrid
7025  ADP Input/Output and Storage Devices
7030  ADP Software
7035  ADP Support Equipment
7042  Mini and Micro Computer Control Devices
7045  ADP Supplies
7050  ADP Components
7435  Office Information System Equipment
AC63  R&D- Defense System: Electronics/Communication Equipment (Advanced Development)
AJ21  R&D- General Science/Technology: Mathematical/Computer Sciences (Basic Research)
AJ22  R&D- General Science/Technology: Mathematical/Computer Sciences (Applied Research/Exploratory Development)
B544  Special Studies/Analysis- Technology
D301  IT and Telecom- Facility Operation and Maintenance
D302  IT and Telecom- Systems Development
D303  IT and Telecom- Data Entry
D304  IT and Telecom- Telecommunications and Transmission
D305  IT and Telecom- Teleprocessing, Timeshare, and Cloud Computing
D306  IT and Telecom- Systems Analysis
D307  IT and Telecom- IT Strategy and Architecture
D308  IT and Telecom- Programming
D309  IT and Telecom- Information and Data Broadcasting or Data Distribution
D310  IT and Telecom- Cyber Security and Data Backup
D311  IT and Telecom- Data Conversion
D312  IT and Telecom- Optical Scanning
D313  IT and Telecom- Computer Aided Design/Computer Aided Manufacturing (CAD/CAM)
D314  IT and Telecom- System Acquisition Support
D315  IT and Telecom- Digitizing; Includes: Cartographic and Geographic Information
D316  IT and Telecom- Telecommunications Network Management
D317  IT and Telecom- Web-Based Subscription
D318  IT and Telecom- Integrated Hardware/Software/Services Solutions, Predominantly Services
D319  IT and Telecom- Annual Software Maintenance Service Plans
D320  IT and Telecom- Annual Hardware Maintenance Service Plans
D321  IT and Telecom- Help Desk
D322  IT and Telecom- Internet
D324  IT and Telecom- Business Continuity
D325  IT and Telecom- Data Centers and Storage
D399  IT and Telecom- Other IT and Telecommunications
H170  Quality Control- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
H960  Other Quality Control, Testing, and Inspection- Fiber Optics Materials, Components, Assemblies, and Accessories
H961  Other Quality Control, Testing, and Inspection- Electric Wire and Power Distribution Equipment
H970  Other Quality Control, Testing, and Inspection- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
J058  Maintenance, Repair, and Rebuilding of Equipment- Communication, Detection, and Coherent Radiation Equipment
J060  Maintenance, Repair, and Rebuilding of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
J070  Maintenance, Repair, and Rebuilding of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
K060  Modification of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
K070  Modification of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
L070  Technical Representative- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
N058  Installation of Equipment- Communication, Detection, and Coherent Radiation Equipment
N059  Installation of Equipment- Electrical and Electronic Equipment Components
N060  Installation of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
N070  Installation of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
R408  Support- Professional: Program Management/Support
R410  Support- Professional: Program Evaluation/Review/Development
R413  Support- Professional: Specifications Development
R415  Support- Professional: Technology Sharing/Utilization
R425  Support- Professional: Engineering/Technical
R702  Support- Management: Data Collection
R707  Support- Management: Contract/Procurement/Acquisition Support
U012  Education/Training- Information Technology/Telecommunications Training
W070  Lease or Rental of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
11. Figure 8: Complete Category Hierarchy

Commercial ICT

Products

Software

Operations Management Software (PSCs: D312, D399)
Asset/Materials Management; Content Management; Customer Initiated Assistance; Customer Preferences; Customer Relationship Management (CRM); Document Management; Enterprise Resource Planning (ERP); Financial Management; Firewall; Forms Management; Human Capital/Workforce Management; Human Resources; Investment Management; Knowledge Management; Office Automation; Organizational Management; Records Management; Reporting; Routing and Scheduling; Supply Chain Management; Systems Management; Tracking and Workflow; Visualization

Licensing & Maintenance (PSCs: D317, D319, J070)
Data Integration Tools; Data Mart; Data Quality Tools; Database Management System (DBMS); Software Licensing; Software Maintenance & Support; Software Products and Services, Operations and Maintenance Support

Geographic Software (PSC: D315)
Geospatial; GPS Navigation

System Programs (PSCs: D313, D318, 7030)
Application Integration and Middleware; Audio Conferencing; Automated News/Data Services; Availability/Performance; Collaboration; Commercially Available Business Applications; Communication; Computer-Aided Design, Manufacturing, Engineering Services (CAD/CAM/CAE); Configuration Management; Data at Rest (DAR); Distance Learning; Encryption Software Services; Help Desk Management; Job Scheduling; Knowledge Discovery; Operating Libraries and Archives; Operating System Software; Publishing or Broadcasting; Search; Special Physical, Visual, Speech and Hearing Aid Software; Telemedicine; Teleworking Solutions; Utility Software; Video Teleconferencing; Web Conferencing; Web Publishing and Broadcasting

Hardware

Computing (PSCs: 7010, 7020, 7021, 7022, 7042)
Control Devices; Data Center Equipment; Desktop PCs; Laptop/Portable/Notebook Computers/Tablet PCs; Large Scale Computers; Mainframe; Microcomputer; Servers; Wearable; Workstations

Peripherals & Storage (PSCs: 7025, 7050)
Bandwidth Management Devices; Bridges (Includes Wireless); Cellular Paging; Computer/Telephony (CTI); Data Service Unit (DSU)/Channel Service Unit (CSU); Desktop Printers; Digitizers; Disk Arrays; Embedded Technology Devices; Fabric Attached Storage; Flash Drives; Hard Disk Drives; IP Storage; Light Pens; Monitors; Multifunction Peripheral (MFP); Network Attached Storage (NAS); Optical and Imaging Equipment; Optical Recognition Devices; PDAs; Printers; RAID Controllers; Scanners; Storage Area Network (SAN); Storage Devices; Tape Drives; Tape Libraries; Touchscreens

Communications Equipment (PSCs: 5800's, excluding 5810)
Cellular Phones, Aircards or Cellular Ports; Diagnostic and Test Equipment; Fax Machines; Gateways; Hubs/Concentrators; LAN Adapters; Microwave; Modems; Multiplexers; Network Interface Cards; Private Branch Exchanges; Public Address Systems; Radar; Radios; Remote Access Devices; Satellite Equipment; Special Physical, Visual, Speech and Hearing Aid Equipment; Smartphones; Switches; Telephone Equipment; Video Teleconferencing Equipment (VTC); Wireless Accessories; Wireless Adapters; Wireless Broadband Devices

Electronic Equipment (PSCs: 5995, 5998, 6110, 7035, 7045, 7435, W070)
Cables, Cords, and Wire Assemblies, not Fiber

Fiber Optic Equipment (PSCs: 6000's)
Fiber Optic Assemblies and Harnesses; Fiber Optic Cables; Fiber Optic Devices; Fiber Optic Interconnectors; Fiber Optic Switches

Solutions

Security

Security Services (PSCs: D310, D324)
Assessment and Authorization; Audit Trail and Capture Analysis; Contingency Planning; Continuity of Operations Planning; Emergency Response/Disaster Recovery; Identification and Inventory of Cyber Assets; Incident Response; Information Assurance; Intrusion Detection and Prevention; Managed Firewall; Managed Tiered Security; Physical Security; Policy Development, Implementation, and Compliance; Recovery Planning Services; Secure Managed Email; Security Management/Technical Support Services; Situational Awareness and Incident Response (SAIR); Virus Protection; Vulnerability Scanning

Identity & Access Management (PSCs: 5810, D310)
Access Control; Approved FIPS-201 Compliant Services; Card Delivery Services; Card Printer Stations; Communications Security Equipment; Credentialing and Identity Management Services; Cryptographic Module; Cryptography Services; Digital Signature Management; Electromagnetically Opaque Sleeve; Electronic Personalization; Encryption Services; Facial Image Capturing (Middleware); Facial Image Capturing Camera; Fingerprint Capture Station; FIPS-201 Compliant Products; Firewall; Graphical Printing/Card Printer; Identification and Authentication; OCSP Responder; PIV Card; PIV Card Activation and Finalization Products; PIV Card Activation and Finalization Services; PIV Card Management and Production Products; PIV Card Management and Production Services; PIV Card Reader - Biometric; PIV Card Reader - CHUID (Contact); PIV Card Reader - CHUID (Contactless); PIV Card Reader - Transparent; PIV Enrollment and Registration, Products; PIV Enrollment and Registration, Services; PIV Infrastructure Products; PIV Infrastructure Services; PIV Integration Products; PIV Integration Services; PIV Logical Access Control Products; PIV Middleware; PIV Physical Access Control Products; Single Fingerprint Capture Device; Template Generator; Template Matcher

Services

Telecommunication Services

Telecommunications & Transmission Services (PSCs: D304, D399)
Satellite Services: Bandwidth; Broadcast; Fixed Satellite Services; Managed Satellite Services; Mobile Satellite Services; Satellite Access Subscription Services
Mobility/Wireless Services: Broadband Access; Cellular Digital Packet Data; Cellular Encryption Services; Cellular/PCS; Land Mobile Radio; Multimode Wireless; Paging; Wireless and Cellular Access; Wireless and Cellular Domestic Service Plans; Wireless and Cellular International Service Plans; Wireline Access
Transmission Services: Asynchronous Transfer Mode (ATM); Circuit Switched Data; Combined Content Delivery Network; Converged IP; Dark Fiber; Ethernet; Frame Relay; Internet Protocol; IP Video Transport; Layer 2 VPN; Managed Trusted IP Service (MTIPS); Network-based IP VPN; Optical Wavelength; Premises-based IP VPN; Private Line; Synchronous Optical Networking (SONET); Toll Free; Voice; Voice over IP (VOIP); Voice over IP Transport

Advisory Services (PSC: R707)
Contract Administration; Contract Optimization; Inventory Management; Invoice Management and Audit; Management Reporting; Order and Billing Management; Rate Plan Optimization

Transport & Data Center Services (PSCs: D301, D309, D316, D321)
Call Center/Customer Contact Center; Collaboration Support/Email Services; Colocated Hosting; Customer Specific Design and Engineering; Dedicated Hosting; Electronic Auctions; GSA Telepresence Service; Internet Facsimile; Managed Telepresence Service; Network Management; Telecommunications Relay Services for Deaf, Hard of Hearing, and Speech Disabled; Unified Messaging

Internet Services (PSC: D322)
Cable Broadband; Dial-up; Digital Subscriber Line (DSL); Mobile Device/Application Management; Mobility Life-Cycle (MLC) Support; Satellite Internet; WIFI

Outsourcing

As-a-Service Solutions (PSC: D305)
Cloud Maintenance and Support; Cloud Products and Services, Operations and Maintenance Support; Cloud Configuration Services; Cloud Integration/Consulting; Cloud Licensing; Cloud Modification and Customization; Cloud Office Automation; Cloud Records Management; Cloud Storage; Email as a Service (EaaS); Infrastructure as a Service (IaaS); Open Source Software; Platform as a Service (PaaS); Software as a Service (SaaS); Virtual Machines; Web Hosting and Related Services

Data Center and Helpdesk Services (PSCs: D321, D325)
Business Continuity and Disaster Recovery; Business Intelligence; Data Center Configuration Services; Data Center Consolidation and Modernization Services; Data Center Design and Architecture; Data Center Integration/Consulting; Data Center Maintenance and Support; Data Center Operations; Data Center Products and Services, Operations and Maintenance Support; Helpdesk Management

Quality Control Services (PSCs: H170, H960, H961, H970)
Automatic Data Processing Equipment; Independent Verification and Validation (IV&V); Inspection Services; Testing Services

Maintenance Services (PSCs: D301, D320, J058, J060, J070, K060, K070)
Computer Systems Operations and Maintenance; Hardware Maintenance and Support; IT Facility Operations and Maintenance

Technical Services (PSCs: L070, N058, N059, N060, N070)
Disposition/Disposal of IT Equipment; Disposition/Disposal of Wireless Equipment; Hardware Licensing; Inside Cabling/Wiring Installation; Installation/Deinstallation; Local Access Cabling/Wiring Installation; Long Distance Cabling/Wiring Installation; Wireless Antenna Installation

Application Development Services (PSCs: D302, D307, D308)
Analysis and Design Services; Analysis and Statistics; Configuration Services; Custom Web Design, Development, and Support; Development, Testing and Implementation Services; Modification and Customization; Programming Services; Wireless Applications/Subsystems

Integrated Services (PSCs: D316, D318, D399, R415)
Cloud Brokerage; Integration/Consulting; Systems Integration; Technology Sharing

Data Management Services (PSCs: D303, D311, R702)
Backup Services; Data Classification; Data Cleansing; Data Conversion Services; Data Exchange; Data Hosting; Data Warehousing; Extraction and Transformation; Loading and Archiving; Metadata and Data Modeling

Consulting

Systems Engineering (PSCs: D306, R425)
Systems Engineering and Integration Support Services

Operational Support (PSCs: D314, U012)
Acquisition Training; Cyber Security Training; IT Training

Business Consulting (PSCs: B544, R408, R410, R413)
Capital Planning; Enterprise Architecture (EA); IT Policy and Guidance Development; Management Improvement; Management of Process; Social Media; Strategic Planning

Research & Development (PSCs: AC63, AJ21, AJ22)
Research and Development
12. Acquisition Risk Assessment and Prioritization

As described in the Implementation Plan, once Category definitions are established, the Categories need to undergo a comparative risk assessment to determine which Category presents the highest level of cyber risk. While not necessarily dispositive of the risk assessment outcome, the amount of money spent in a particular Category should be considered as part of the risk assessment because it is an indication of the scope of risk and the relative importance and impact of cybersecurity shortfalls in a particular Category.

12.1. Total Federal “Commercial” ICT Spend
                 FY11                FY12                FY13                Total
ICT Spending     $72,833,048,867     $75,172,381,174     $62,817,311,432     $210,822,741,473

12.2. Top Three Subcategories by Spend FY11-FY13

The three subcategories that the government spent the most money on over the last three fiscal years are as follows.

1. [Consulting Services] Systems Engineering Subcategory
                 FY11                FY12                FY13                Total
Total Spend      $12,512,933,288     $13,267,989,804     $9,944,348,644      $35,725,271,735

2. [Outsourcing] Integrated Services Subcategory
                 FY11                FY12                FY13                Total
Total Spend      $10,843,351,633     $12,421,800,085     $12,244,402,608     $35,509,554,326

3. [Consulting Services] Business Consulting Subcategory
                 FY11                FY12                FY13                Total
Total Spend      $7,660,199,257      $8,139,511,800      $7,226,663,041      $23,026,374,098

13. Overlays

[This section is TBD based on input received from stakeholders about above sections.]