General Services Administration - Recommendation …Taxonomy...

APPENDIX I: Category Definitions, Prioritization, and Overlays

Improving Cybersecurity and Resilience through Acquisition

Implementation Plan

DISCUSSION DRAFT

1. Recommendation IV Report Text ... iii
2. Foreword ... iv
3. Draft Taxonomy based on Commercial Items and Product and Service Codes ... 6
   3.1. Figure 1: Commercial ICT Categories and PSCs ... 7
4. ICT Products: Hardware ... 8
   4.1. Figure 2: Hardware Category ... 8
5. ICT Products: Software ... 9
   5.1. Figure 3: Software Category ... 9
6. ICT Services: Outsourcing ... 11
   6.1. Figure 4: Outsourcing Category ... 11
7. ICT Services: Consulting Services ... 12
   7.1. Figure 5: Consulting Services Category ... 12
8. ICT Services: Telecommunication Services ... 13
   8.1. Figure 6: Telecommunication Services Category ... 13
9. ICT Solutions: Security ... 15
   9.1. Figure 7: Security Category ... 15
10. PSC Glossary ... 16
11. Figure 8: Complete Category Hierarchy ... 18
12. Acquisition Risk Assessment and Prioritization ... 19
   12.1. Total Federal “Commercial” ICT Spend ... 19
   12.2. Top Three Subcategories by Spend FY11-FY13 ... 19
13. Overlays ... 19

Improving Cybersecurity and Resilience through Acquisition Implementation Plan (v1.0) Page ii of xix

1. Recommendation IV Report Text

From the Executive Summary of the Report (pg 7):

Institute a Federal Acquisition Cyber Risk Management Strategy. From a government-wide cybersecurity perspective, identify a hierarchy of cyber risk criticality for acquisitions. To maximize consistency in application of procurement rules, develop and use “overlays”[1] for similar types of acquisition, starting with the types of acquisitions that present the greatest cyber risk.

From the body of the Report (pp 15-16):

Institute a Federal Acquisition Cyber Risk Management Strategy. The government needs an interagency acquisition cyber risk management strategy that requires agencies to ensure their performance meets strategic cyber risk goals for acquisition and is part of the government’s enterprise risk management strategy. The strategy should be based on a government-wide perspective of acquisition, and be primarily aligned with the methodologies and procedures developed to address cyber risk in the Cybersecurity Framework. It should identify a hierarchy of cyber risk criticality for acquisitions and include a risk-based prioritization of acquisitions. The risk analysis should be developed in alignment with the Federal Enterprise Architecture[2] and NIST Risk Management Framework (RMF).[3]

The strategy should include development of “overlays” - fully specified sets of security requirements and supplemental guidance that provide the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.[4]

When developing the strategy, the government should leverage existing risk management processes and data collection methodologies, and consistently incorporate cyber risk as an element of enterprise risk management. The strategy should encompass standard network security practices to address vulnerability of information to cyber intrusions and exfiltration. The strategy should leverage supply chain risk management processes to mitigate risks of non-conforming items (such as counterfeit and tainted products). And it should include appropriate metrics to define risk and to measure the ability of agencies to apply empirical risk modeling techniques that work across both public and private organizations. In developing the strategy, the government should use the active, working partnerships between industry, the civilian agencies and the intelligence community, and create such partnerships where they do not already exist, with the goal of leveraging validated and outcome-based risk management processes, best practices, and lessons learned.

[1] An overlay is a fully specified set of security requirements and supplemental guidance that provide the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.

[2] Available at http://www.whitehouse.gov/omb/e-gov/fea/.

[3] See, NIST Special Publication 800-37, Revision 1 (Feb. 2010).

[4] See, e.g., The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Available at: http://www.gsa.gov/portal/category/102375. See also, the Information Systems Security Line of Business (ISSLoB) is a comprehensive and consistently implemented set of risk-based, cost-effective controls and measures that adequately protects information contained in federal government information systems. Available at: http://www.dhs.gov/information-systems-security-line-business.

Where appropriately defined categories of similar types of acquisitions already exist,[5] the government should develop overlays for those types of acquisitions. The overlays should be developed in collaboration with industry, and consistently applied to all similar types of Federal acquisitions. The starting point for development of the requirements should be the Cybersecurity Framework.

The overlays should encompass realistic, risk-based controls that appropriately mitigate the risks for the type of acquisition, and should define the minimum acceptable controls for any acquisition that is of a similar type. The overlays should not, as a general rule, incorporate standards directly into contracts, and should avoid prescriptive mandates for specific practices, tooling, or country-specific standards, because the inflexibility of those approaches often inadvertently increases costs without actually reducing risk.[6] Instead, the overlays should specifically identify security controls from within standards that should be applied to the type of acquisition being conducted. The overlays should also include acquisition and contractual controls like source selection criteria and contract performance measures. Finally, to the greatest extent possible, the overlays should be expressed as technical requirements. This approach will allow the government to describe top level cybersecurity requirements, decompose them to a lower level for an individual acquisition, and then articulate them consistent with and in a similar manner as other requirements for the fielded solution.

This recommendation is based on the fact that not all assets delivered through the acquisition system present the same level of cyber risk or warrant the same level of cybersecurity, and requiring increased cybersecurity in planning and performance of government contracts creates cost increases for contractors and the Federal government. Such cost increases must be balanced against the nature and severity of cyber risks and the corresponding cost or performance reductions in other functionality. The Federal government can mitigate the amount of any cost increases if it creates certainty by adopting cybersecurity requirements across market segments and similar types of procurement.

[5] See, e.g., FedRAMP, ISSLoB, and Federal Strategic Sourcing Initiative (FSSI) (available at: http://www.gsa.gov/fssi.), among others. These programs have defined categories of similar types of products and services.

[6] Directly incorporating standards could freeze the status quo and hamper or prevent the evolution of countermeasures required to address the dynamic threat and technology landscapes. It might also create a risk that other nations will adopt similar mandates which could further increase supply chain costs. Incorporating government-specific standards that would duplicate existing security-related standards or creating country-specific requirements that could restrict the use of long-standing and highly credible global suppliers of technology could have significant negative effects on the government’s ability to acquire the products and services it needs.

2. Foreword

The set of notional Category definitions and taxonomy in this Appendix represents one way the Federal acquisition spend can be divided. This “model” was developed using a subset of Federal acquisition spend, and is intended to provide a starting point for the collaborative, stakeholder-centric development of a method for categorizing similar types of acquisition that achieves the goals of recommendation number four of the DoD-GSA Report “Improving Cybersecurity and Resilience through Acquisition.”

This categorization is intended to clearly define the structure and boundaries of the listed ICT categories, subcategories, and products and services. It was developed using a data-driven approach based on logical groupings of industry codes that align with available Federal spending data.

This draft only contains a subset of the types of Federal Information and Communications Technology (ICT) acquisition, “commercial” ICT, as defined by the Federal Acquisition Regulation (FAR). If the model presented here, or some version of it, is agreed to as a workable construct for accomplishing the tasks required to implement Recommendation IV from the DoD-GSA Report, the remaining types of acquisitions can be categorized using the same process. Once stakeholders reach agreement on the process used to define the Categories, the method can be expanded to cover all types of Federal contract spending. This subset of Categories is not exhaustive and is to be viewed only as an example of the output that can be achieved by applying a process to available spending data.

3. Draft Taxonomy based on Commercial Items and Product and Service Codes

This draft model provides six categories that fall within three Information and Communications Technology (ICT) sectors – Products, Services, and Solutions. Each category addresses a unique market with distinct customer requirements, supplier segments, and products and services. The ICT products and services included in the categories are generally reflective of items that are encompassed by the FAR definition of “commercial.”[7]

Each category has an identifiable taxonomy based on Product and Service Codes (PSC).[8] PSCs are used today by all federal government contracting activities for identifying and classifying the services, supplies, and equipment that are purchased under contract. This taxonomy is proposed because it encompasses all spending and is defined by the types of services and products being purchased and not what acquisition method was used or what organization did the buying. PSCs are readily available, accurate, and consistently recorded, unlike other classification codes used by various contracting offices. A PSC-based taxonomy is also currently used to support the strategic sourcing and Undersecretary of Defense for Acquisition, Technology and Logistics, Better Buying Power initiatives, as well as the General Services Administration’s Federal Supply Schedules, Governmentwide Acquisition Contracts, and other Federal acquisition programs. Finally, using a consistent taxonomy for this effort will foster communication and strategic decision-making across the various initiatives and programs.

[7] FAR § 2.101 defines “commercial item” as:

(1) Any item, other than real property, that is of a type customarily used by the general public or by non-governmental entities for purposes other than governmental purposes, and— (i) Has been sold, leased, or licensed to the general public; or (ii) Has been offered for sale, lease, or license to the general public;

(2) Any item that evolved from an item described in paragraph (1) of this definition through advances in technology or performance and that is not yet available in the commercial marketplace, but will be available in the commercial marketplace in time to satisfy the delivery requirements under a Government solicitation;

(3) Any item that would satisfy a criterion expressed in paragraphs (1) or (2) of this definition, but for— (i) Modifications of a type customarily available in the commercial marketplace; or (ii) Minor modifications of a type not customarily available in the commercial marketplace made to meet Federal Government requirements. “Minor modifications” means modifications that do not significantly alter the nongovernmental function or essential physical characteristics of an item or component, or change the purpose of a process. Factors to be considered in determining whether a modification is minor include the value and size of the modification and the comparative value and size of the final product. Dollar values and percentages may be used as guideposts, but are not conclusive evidence that a modification is minor;

(4) Any combination of items meeting the requirements of paragraphs (1), (2), (3), or (5) of this definition that are of a type customarily combined and sold in combination to the general public;

(5) Installation services, maintenance services, repair services, training services, and other services if— (i) Such services are procured for support of an item referred to in paragraph (1), (2), (3), or (4) of this definition, regardless of whether such services are provided by the same source or at the same time as the item; and (ii) The source of such services provides similar services contemporaneously to the general public under terms and conditions similar to those offered to the Federal Government;

(6) Services of a type offered and sold competitively in substantial quantities in the commercial marketplace based on established catalog or market prices for specific tasks performed or specific outcomes to be achieved and under standard commercial terms and conditions. For purposes of these services— (i) “Catalog price” means a price included in a catalog, price list, schedule, or other form that is regularly maintained by the manufacturer or vendor, is either published or otherwise available for inspection by customers, and states prices at which sales are currently, or were last, made to a significant number of buyers constituting the general public; and (ii) “Market prices” means current prices that are established in the course of ordinary trade between buyers and sellers free to bargain and that can be substantiated through competition or from sources independent of the offerors.

(7) Any item, combination of items, or service referred to in paragraphs (1) through (6) of this definition, notwithstanding the fact that the item, combination of items, or service is transferred between or among separate divisions, subsidiaries, or affiliates of a contractor; or

(8) A nondevelopmental item, if the procuring agency determines the item was developed exclusively at private expense and sold in substantial quantities, on a competitive basis, to multiple State and local governments.

[8] Federal Procurement Data System Product and Service Codes Manual (Aug. 2011), available at: http://www.acquisition.gov/PSC%20Manual%20-%20Final%20-%2011%20August%202011.pdf.

The included items are mapped against the PSCs to form subcategories, which are allocated to a category depending on how Federal buyers typically purchase the items. Further sub-categorization may be required to define categories for which cyber risks can be appropriately mitigated using a single Overlay.

3.1. Figure 1: Commercial ICT Categories and PSCs

Commercial ICT
  Products
    Hardware: 5805 5811 5815 5820 5821 5825 5826 5830 5831 5841 5895 5995 5998 6015 6020 6021 6030 6060 6110 7010 7020 7021 7022 7025 7035 7042 7045 7050 7435 W070
    Software: 7030 D312 D313 D315 D317 D318 D319 D399 J070
  Services
    Outsourcing: D301 D302 D303 D305 D307 D308 D311 D316 D318 D320 D321 D325 D399 H170 H960 H961 H970 J058 J060 J070 K060 K070 L070 N058 N059 N060 N070 R415 R702
    Consulting: AC63 AJ21 AJ22 B544 D306 D314 R408 R410 R413 R425 U012
    Telecommunication Services: D301 D304 D309 D316 D321 D322 D399 R707
  Solutions
    Security: 5810 D310 D324

The commercial ICT segment of the Federal IT market consists of 322 products and services with a total spend of $62,817,311,432 for fiscal year 2013 (FY13) (based on FPDS net obligation data). Category boundaries were determined using the PSC taxonomy illustrated above, which contains six PSCs that overlap between categories and one PSC that overlaps between subcategories within the security category. Spend data for each subcategory is also provided in the following pages.

4. ICT Products: Hardware

The Hardware category consists of five subcategories, 68 products and services, and the associated taxonomy depicted in Figure 2.

4.1. Figure 2: Hardware Category

ICT Products: Hardware

Computing (7010, 7020, 7021, 7022, 7042): Control Devices; Data Center Equipment; Desktop PCs; Laptop/Portable/Notebook Computers/Tablet PCs; Large Scale Computers; Mainframe; Microcomputer; Servers; Wearable; Workstations

Peripherals & Storage (7025, 7050): Desktop Printers; Digitizers; Disk Arrays; Embedded Technology Devices; Fabric Attached Storage; Flash Drives; Hard Disk Drives; IP Storage; Light Pens; Monitors; Multifunction Peripheral; Network Attached Storage; Optical and Imaging Equipment; Optical Recognition Devices; PDAs; Printers; RAID Controllers; Scanners; Storage Area Network; Storage Devices; Tape Drives; Tape Libraries; Touchscreens

Communications Equipment (5800's, excluding 5810): Bandwidth Management Devices; Bridges (Includes Wireless); Cellular Paging; Computer/Telephony (CTI); Data Service Unit/Channel Service Unit; Cellular Phones, Aircards or Cellular Ports; Diagnostic and Test Equipment; Fax Machines; Gateways; Hubs/Concentrators; LAN Adapters; Microwave; Modems; Multiplexers; Network Interface Cards; Private Branch Exchanges; Public Address Systems; Radar; Radios; Remote Access Devices; Satellite Equipment; Special Physical, Visual, Speech and Hearing Aid Equipment; Smartphones; Switches; Telephone Equipment; Video Teleconferencing Equipment (VTC); Wireless Accessories; Wireless Adapters; Wireless Broadband Devices

Electronic Equipment (5995, 5998, 6110, 7035, 7045, 7435, W070): Cables, Cords, and Wire Assemblies, not Fiber

Fiber Optic Equipment (6000's): Fiber Optic Assemblies and Harnesses; Fiber Optic Cables; Fiber Optic Devices; Fiber Optic Interconnectors; Fiber Optic Switches

Computing Subcategory
Total Spend: FY11 $2,485,157,341 | FY12 $2,522,202,670 | FY13 $1,602,382,139 | Total $6,609,742,149

Peripherals and Storage Subcategory
Total Spend: FY11 $1,913,110,732 | FY12 $1,615,172,197 | FY13 $1,131,341,194 | Total $4,659,624,124

Communications Equipment Subcategory
Total Spend: FY11 $7,637,465,892 | FY12 $7,287,094,511 | FY13 $5,639,806,169 | Total $20,564,366,572

Electronic Equipment Subcategory
Total Spend: FY11 $2,797,074,354 | FY12 $2,691,021,777 | FY13 $2,301,052,570 | Total $7,789,148,701

Fiber Optic Equipment Subcategory
Total Spend: FY11 $143,004,161 | FY12 $117,391,069 | FY13 $103,200,520 | Total $363,595,749

5. ICT Products: Software

The Software category consists of four subcategories, 56 products and services, and the associated taxonomy depicted in Figure 3.

5.1. Figure 3: Software Category

ICT Products: Software

Operations Management Software (D312, D399): Asset/Materials Management; Content Management; Customer Initiated Assistance; Customer Preferences; Customer Relationship Management (CRM); Document Management; Enterprise Resource Planning (ERP); Financial Management; Forms Management; Human Capital/Workforce Management; Human Resources; Investment Management; Knowledge Management; Office Automation; Organizational Management; Records Management; Reporting; Routing and Scheduling; Supply Chain Management; Systems Management; Tracking and Workflow; Visualization

Licensing & Maintenance (D317, D319, J070): Data Integration Tools; Data Mart; Data Quality Tools; Database Management System (DBMS); Software Licensing; Software Maintenance & Support; Software Products and Services, Operations and Maintenance Support

Geographic Software (D315): Geospatial; GPS Navigation

System Programs (D313, D318, 7030): Application Integration and Middleware; Audio conferencing; Automated News/Data Services; Availability/Performance; Collaboration; Commercially Available Business Applications; Communication; Computer-Aided Design, Manufacturing, Engineering Services (CAD/CAM/CAE); Configuration Management; Data at Rest (DAR); Distance Learning; Encryption Software Services; Job Scheduling; Knowledge Discovery; Operating Libraries and Archives; Operating System; Software Publishing or Broadcasting; Search; Special Physical, Visual, Speech and Hearing Aid Software; Telemedicine; Teleworking Solutions; Utility Software; Video Teleconferencing; Web Conferencing; Web Publishing and Broadcasting

Operations Management Software Subcategory
Total Spend: FY11 $1,980,848,928 | FY12 $1,958,071,636 | FY13 $1,944,640,692 | Total $5,883,561,256


Licensing and Maintenance Subcategory
Total Spend: FY11 $236,996,153 | FY12 $449,032,775 | FY13 $653,383,045 | Total $1,339,411,973

Geographic Software Subcategory
Total Spend: FY11 $22,109,932 | FY12 $37,430,936 | FY13 $13,231,914 | Total $72,772,782

System Programs Subcategory
Total Spend: FY11 $3,691,038,069 | FY12 $4,083,188,994 | FY13 $3,955,240,048 | Total $11,729,467,111

6. ICT Services: Outsourcing

The Outsourcing category consists of eight subcategories, 63 products and services, and the associated taxonomy depicted in Figure 4.

6.1. Figure 4: Outsourcing Category

ICT Services: Outsourcing

As-a-Service Solutions (D305): Cloud Maintenance and Support; Cloud Products and Services, Operations and Maintenance Support; Cloud Configuration Services; Cloud Integration/Consulting; Cloud Licensing; Cloud Modification and Customization; Cloud Office Automation; Cloud Records Management; Cloud Storage; Email as a Service (EaaS); Infrastructure as a Service (IaaS); Open Source Software; Platform as a Service (PaaS); Software as a Service (SaaS); Virtual Machines; Web Hosting and Related Services

Data Center and Helpdesk Services (D321, D325): Business Continuity and Disaster Recovery; Business Intelligence; Data Center Configuration Services; Data Center Consolidation and Modernization Services; Data Center Design and Architecture; Data Center Integration/Consulting; Data Center Maintenance and Support; Data Center Operations; Data Center Products and Services, Operations and Maintenance Support; Helpdesk Management

Quality Control Services (H170, H960, H961, H970): Automatic Data Processing Equipment; Independent Verification and Validation (IV&V); Inspection Services; Testing Services

Maintenance Services (D301, D320, J058, J060, J070, K060, K070): Computer Systems Operations and Maintenance; Hardware Maintenance and Support; IT Facility Operations and Maintenance

Technical Services (L070, N058, N059, N060, N070): Disposition/Disposal of IT Equipment; Disposition/Disposal of Wireless Equipment; Hardware Licensing; Inside Cabling/Wiring Installation; Installation/Deinstallation; Local Access Cabling/Wiring Installation; Long Distance Cabling/Wiring Installation; Wireless Antenna Installation

Application Development Services (D302, D307, D308): Analysis and Design Services; Analysis and Statistics; Configuration Services; Custom Web Design, Development, and Support; Development, Testing and Implementation Services; Modification and Customization; Programming Services; Wireless Applications/Subsystems

Integrated Services (D316, D318, D399, R415): Cloud Brokerage; Integration/Consulting; Systems Integration; Technology Sharing

Data Management Services (D303, D311, R702): Backup Services; Data Classification; Data Cleansing; Data Conversion Services; Data Exchange; Data Hosting; Data Warehousing; Extraction and Transformation; Loading and Archiving; Metadata and Data Modeling

As-a-Service Solutions Subcategory
Total Spend: FY11 $40,998,557 | FY12 $42,081,280 | FY13 $46,341,575 | Total $129,421,413

Data Center and Helpdesk Services Subcategory
Total Spend: FY11 $3,853,958 | FY12 $177,152,484 | FY13 $255,149,129 | Total $436,155,571

Quality Control Services Subcategory
Total Spend: FY11 $21,438,953 | FY12 $20,007,959 | FY13 $22,400,636 | Total $63,847,548

Maintenance Services Subcategory
Total Spend: FY11 $5,458,837,874 | FY12 $5,521,747,931 | FY13 $4,305,154,329 | Total $15,285,740,135

Technical Services Subcategory
Total Spend: FY11 $660,734,550 | FY12 $730,382,690 | FY13 $358,719,301 | Total $1,749,836,542

Application Development Services Subcategory
Total Spend: FY11 $7,399,341,001 | FY12 $6,811,970,736 | FY13 $5,235,732,142 | Total $19,447,043,879

Integrated Services Subcategory
Total Spend: FY11 $10,843,351,633 | FY12 $12,421,800,085 | FY13 $12,244,402,608 | Total $35,509,554,326

Data Management Services Subcategory
Total Spend: FY11 $625,701,864 | FY12 $635,399,862 | FY13 $535,285,474 | Total $1,796,387,199

7. ICT Services: Consulting Services

The Consulting Services category consists of four subcategories, 12 products and services, and the associated taxonomy shown in Figure 5.

7.1. Figure 5: Consulting Services Category

ICT Services: Consulting Services

Business Consulting (B544, R408, R410, R413): Capital Planning; Enterprise Architecture (EA); IT Policy and Guidance Development; Management Improvement; Management of Process; Social Media; Strategic Planning

Research & Development (AC63, AJ21, AJ22): Research and Development

Operational Support (D314, U012): Acquisition Training; Cyber Security Training; IT Training

Systems Engineering (D306, R425): Systems Engineering and Integration Support Services

Research & Development Subcategory
Total Spend: FY11 $1,414,468,378 | FY12 $1,525,718,192 | FY13 $1,051,144,890 | Total $3,991,331,460

Business Consulting Subcategory
Total Spend: FY11 $7,660,199,257 | FY12 $8,139,511,800 | FY13 $7,226,663,041 | Total $23,026,374,098

Improving Cybersecurity and Resilience through Acquisition Implementation Plan (v1.0)Page 12 of 19

DISCUSSION DRAFT

Page 13: General Services Administration - Recommendation …Taxonomy... · Web viewagencies and the intelligence community, and create such partnerships where they do not already exist, with

ICT Services: Telecommunication Services

Telecommunications & Transmission Services (PSC D304, D399):
  Satellite Services: Bandwidth; Broadcast; Fixed Satellite Services; Managed Satellite Services; Mobile Satellite Services; Satellite Access Subscription Services
  Mobility/Wireless Services: Broadband Access; Cellular Digital Packet Data; Cellular Encryption Services; Cellular/PCS; Land Mobile Radio; Multimode Wireless; Paging; Wireless and Cellular Access; Wireless and Cellular Domestic Service Plans; Wireless and Cellular International Service Plans; Wireline Access
  Transmission Services: Asynchronous Transfer Mode; Circuit Switched Data; Combined Content Delivery Network; Converged IP; Dark Fiber; Ethernet; Frame Relay; Internet Protocol; IP Video Transport; Layer 2 VPN; Managed Trusted IP Service; Network-based IP VPN; Optical Wavelength; Premises-based IP VPN; Private Line; Synchronous Optical Networking; Toll Free; Voice; Voice over IP (VOIP); Voice over IP Transport

Advisory Services (PSC R707):
  Contract Administration; Contract Optimization; Inventory Management; Invoice Management and Audit; Management Reporting; Order and Billing Management; Rate Plan Optimization

Data & Network Services (PSC D301, D309, D316, D321):
  Call Center/Customer Contact Center; Collaboration Support/Email Services; Colocated Hosting; Customer Specific Design and Engineering; Dedicated Hosting; Electronic Auctions; GSA Telepresence Service; Internet Facsimile; Managed Telepresence Service; Network Management; Telecommunications Relay Services for Deaf, Hard of Hearing, and Speech Disabled; Unified Messaging

Internet Services (PSC D322):
  Cable Broadband; Dial-up; Digital Subscriber Line (DSL); Mobile Device/Application Management; Mobility Life-Cycle (MLC) Support; Satellite Internet; WIFI


Operational Support Subcategory
              FY11              FY12              FY13              Total
Total Spend   $589,701,792      $282,187,414      $254,176,897      $1,126,066,103

Systems Engineering Subcategory
              FY11              FY12              FY13              Total
Total Spend   $12,512,933,288   $13,267,989,804   $9,944,348,644    $35,725,271,735

8. ICT Services: Telecommunication Services

The Telecommunication Services category consists of four subcategories, 63 products and services, and the associated taxonomy depicted in Figure 6.

8.1. Figure 6: Telecommunication Services Category


Advisory Services Subcategory
              FY11              FY12              FY13              Total
Total Spend   $609,941,886      $557,752,925      $477,881,170      $1,645,575,982

Telecommunications & Transmission Services Subcategory
              FY11              FY12              FY13              Total
Total Spend   $2,475,043,843    $2,270,530,931    $2,077,412,064    $6,822,986,839

Data & Network Services Subcategory
              FY11              FY12              FY13              Total
Total Spend   $572,144,178      $647,597,791      $538,809,622      $1,758,551,592

Internet Services Subcategory
              FY11              FY12              FY13              Total
Total Spend   N/A               $115,084,994      $102,616,233      $217,701,227


ICT Solutions: Security

Identity & Access Management (PSC 5810, D310):
  Access Control; Approved FIPS-201 Compliant Services; Card Delivery Services; Card Printer Stations; Communications Security Equipment; Credentialing and Identity Management Services; Cryptographic Module; Cryptography Services; Digital Signature Management; Electromagnetically Opaque Sleeve; Electronic Personalization; Encryption Services; Facial Image Capturing (Middleware); Facial Image Capturing Camera; Fingerprint Capture Station; FIPS-201 Compliant Products; Firewall; Graphical Printing/Card Printer; Identification and Authentication; OCSP Responder; PIV Card; PIV Card Activation and Finalization Products; PIV Card Activation and Finalization Services; PIV Card Management and Production Products; PIV Card Management and Production Services; PIV Card Reader - Biometric; PIV Card Reader - CHUID (Contact); PIV Card Reader - CHUID (Contactless); PIV Card Reader - Transparent; PIV Enrollment and Registration, Products; PIV Enrollment and Registration, Services; PIV Infrastructure Products; PIV Infrastructure Services; PIV Integration Products; PIV Integration Services; PIV Logical Access Control Products; PIV Middleware; PIV Physical Access Control Products; Single Fingerprint Capture Device; Template Generator; Template Matcher

Security Services (PSC D310, D324):
  Assessment and Authorization; Audit Trail and Capture Analysis; Contingency Planning; Continuity of Operations Planning; Emergency Response/Disaster Recovery; Identification and Inventory of Cyber Assets; Incident Response; Information Assurance; Intrusion Detection and Prevention; Managed Firewall; Managed Tiered Security; Physical Security; Policy Development, Implementation, and Compliance; Recovery Planning Services; Secure Managed Email; Security Management/Technical Support Services; Situational Awareness and Incident Response (SAIR); Virus Protection; Vulnerability Scanning


9. ICT Solutions: Security

The Security category consists of two subcategories, 60 products and services, and the associated taxonomy depicted in Figure 7.

9.1. Figure 7: Security Category

Identity and Access Management Subcategory
              FY11              FY12              FY13              Total
Total Spend   $915,099,172      $1,035,729,671    $503,931,148      $2,454,759,991

Security Services Subcategory
              FY11              FY12              FY13              Total
Total Spend   $131,331,140      $224,449,061      $268,665,217      $624,445,418


10. PSC Glossary

PSC   Name
5805  Telephone and Telegraph Equipment
5810  Communications Security Equipment and Components
5811  Other Cryptologic Equipment and Components
5815  Teletype and Facsimile Equipment
5820  Radio and Television Communication Equipment, Except Airborne
5821  Radio and Television Communication Equipment, Airborne
5825  Radio Navigation Equipment, Except Airborne
5826  Radio Navigation Equipment, Airborne
5830  Intercommunication and Public Address Systems, Except Airborne
5831  Intercommunication and Public Address Systems, Airborne
5841  Radar Equipment, Airborne
5895  Miscellaneous Communication Equipment
5995  Cable, Cord, and Wire Assemblies: Communication Equipment
5998  Electrical and Electronic Assemblies, Boards, Cards, and Associated Hardware
6015  Fiber Optic Cables
6020  Fiber Optic Cable Assemblies and Harnesses
6021  Fiber Optic Switches
6030  Fiber Optic Devices
6060  Fiber Optic Interconnectors
6110  Electrical Control Equipment
7010  ADPE System Configuration
7020  ADP Central Processing Unit (CPU, Computer), Analog
7021  ADP Central Processing Unit (CPU, Computer), Digital
7022  ADP Central Processing Unit (CPU, Computer), Hybrid
7025  ADP Input/Output and Storage Devices
7030  ADP Software
7035  ADP Support Equipment
7042  Mini and Micro Computer Control Devices
7045  ADP Supplies
7050  ADP Components
7435  Office Information System Equipment
AC63  R&D- Defense System: Electronics/Communication Equipment (Advanced Development)
AJ21  R&D- General Science/Technology: Mathematical/Computer Sciences (Basic Research)
AJ22  R&D- General Science/Technology: Mathematical/Computer Sciences (Applied Research/Exploratory Development)
B544  Special Studies/Analysis- Technology
D301  IT and Telecom- Facility Operation and Maintenance
D302  IT and Telecom- Systems Development
D303  IT and Telecom- Data Entry
D304  IT and Telecom- Telecommunications and Transmission
D305  IT and Telecom- Teleprocessing, Timeshare, and Cloud Computing
D306  IT and Telecom- Systems Analysis
D307  IT and Telecom- IT Strategy and Architecture
D308  IT and Telecom- Programming
D309  IT and Telecom- Information and Data Broadcasting or Data Distribution
D310  IT and Telecom- Cyber Security and Data Backup
D311  IT and Telecom- Data Conversion
D312  IT and Telecom- Optical Scanning
D313  IT and Telecom- Computer Aided Design/Computer Aided Manufacturing (CAD/CAM)
D314  IT and Telecom- System Acquisition Support
D315  IT and Telecom- Digitizing; Includes: Cartographic and Geographic Information
D316  IT and Telecom- Telecommunications Network Management
D317  IT and Telecom- Web-Based Subscription
D318  IT and Telecom- Integrated Hardware/Software/Services Solutions, Predominantly Services
D319  IT and Telecom- Annual Software Maintenance Service Plans
D320  IT and Telecom- Annual Hardware Maintenance Service Plans
D321  IT and Telecom- Help Desk
D322  IT and Telecom- Internet


D324  IT and Telecom- Business Continuity
D325  IT and Telecom- Data Centers and Storage
D399  IT and Telecom- Other IT and Telecommunications
H170  Quality Control- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
H960  Other Quality Control, Testing, and Inspection- Fiber Optics Materials, Components, Assemblies, and Accessories
H961  Other Quality Control, Testing, and Inspection- Electric Wire and Power Distribution Equipment
H970  Other Quality Control, Testing, and Inspection- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
J058  Maintenance, Repair, and Rebuilding of Equipment- Communication, Detection, and Coherent Radiation Equipment
J060  Maintenance, Repair, and Rebuilding of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
J070  Maintenance, Repair, and Rebuilding of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
K060  Modification of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
K070  Modification of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
L070  Technical Representative- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
N058  Installation of Equipment- Communication, Detection, and Coherent Radiation Equipment
N059  Installation of Equipment- Electrical and Electronic Equipment Components
N060  Installation of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
N070  Installation of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
R408  Support- Professional: Program Management/Support
R410  Support- Professional: Program Evaluation/Review/Development
R413  Support- Professional: Specifications Development
R415  Support- Professional: Technology Sharing/Utilization
R425  Support- Professional: Engineering/Technical
R702  Support- Management: Data Collection
R707  Support- Management: Contract/Procurement/Acquisition Support
U012  Education/Training- Information Technology/Telecommunications Training
W070  Lease or Rental of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment


11. Figure 8: Complete Category Hierarchy

Commercial ICT

Products

  Software
    Operations Management Software (PSC D312, D399): Asset/Materials Management; Content Management; Customer Initiated Assistance; Customer Preferences; Customer Relationship Management (CRM); Document Management; Enterprise Resource Planning (ERP); Financial Management; Firewall; Forms Management; Human Capital/Workforce Management; Human Resources; Investment Management; Knowledge Management; Office Automation; Organizational Management; Records Management; Reporting; Routing and Scheduling; Supply Chain Management; Systems Management; Tracking and Workflow; Visualization
    Licensing & Maintenance (PSC D317, D319, J070): Data Integration Tools; Data Mart; Data Quality Tools; Database Management System (DBMS); Software Licensing; Software Maintenance & Support; Software Products and Services, Operations and Maintenance Support
    Geographic Software (PSC D315): Geospatial; GPS Navigation
    System Programs (PSC D313, D318, 7030): Application Integration and Middleware; Audio Conferencing; Automated News/Data Services; Availability/Performance; Collaboration; Commercially Available Business Applications; Communication; Computer-Aided Design, Manufacturing, Engineering Services (CAD/CAM/CAE); Configuration Management; Data at Rest (DAR); Distance Learning; Encryption Software Services; Help Desk Management; Job Scheduling; Knowledge Discovery; Operating Libraries and Archives; Operating System Software; Publishing or Broadcasting; Search; Special Physical, Visual, Speech and Hearing Aid Software; Telemedicine; Teleworking Solutions; Utility Software; Video Teleconferencing; Web Conferencing; Web Publishing and Broadcasting

  Hardware
    Computing (PSC 7010, 7020, 7021, 7022, 7042): Control Devices; Data Center Equipment; Desktop PCs; Laptop/Portable/Notebook Computers/Tablet PCs; Large Scale Computers; Mainframe; Microcomputer; Servers; Wearable; Workstations
    Peripherals & Storage (PSC 7025, 7050): Bandwidth Management Devices; Bridges (Includes Wireless); Cellular Paging; Computer/Telephony (CTI); Data Service Unit (DSU)/Channel Service Unit (CSU); Desktop Printers; Digitizers; Disk Arrays; Embedded Technology Devices; Fabric Attached Storage; Flash Drives; Hard Disk Drives; IP Storage; Light Pens; Monitors; Multifunction Peripheral (MFP); Network Attached Storage (NAS); Optical and Imaging Equipment; Optical Recognition Devices; PDAs; Printers; RAID Controllers; Scanners; Storage Area Network (SAN); Storage Devices; Tape Drives; Tape Libraries; Touchscreens
    Communications Equipment (PSC 5800 series, excluding 5810): Cellular Phones, Aircards or Cellular Ports; Diagnostic and Test Equipment; Fax Machines; Gateways; Hubs/Concentrators; LAN Adapters; Microwave; Modems; Multiplexers; Network Interface Cards; Private Branch Exchanges; Public Address Systems; Radar; Radios; Remote Access Devices; Satellite Equipment; Special Physical, Visual, Speech and Hearing Aid Equipment; Smartphones; Switches; Telephone Equipment; Video Teleconferencing Equipment (VTC); Wireless Accessories; Wireless Adapters; Wireless Broadband Devices
    Electronic Equipment (PSC 5995, 5998, 6110, 7035, 7045, 7435, W070): Cables, Cords, and Wire Assemblies, not Fiber
    Fiber Optic Equipment (PSC 6000 series): Fiber Optic Assemblies and Harnesses; Fiber Optic Cables; Fiber Optic Devices; Fiber Optic Interconnectors; Fiber Optic Switches

Solutions

  Security
    Security Services (PSC D310, D324): Assessment and Authorization; Audit Trail and Capture Analysis; Contingency Planning; Continuity of Operations Planning; Emergency Response/Disaster Recovery; Identification and Inventory of Cyber Assets; Incident Response; Information Assurance; Intrusion Detection and Prevention; Managed Firewall; Managed Tiered Security; Physical Security; Policy Development, Implementation, and Compliance; Recovery Planning Services; Secure Managed Email; Security Management/Technical Support Services; Situational Awareness and Incident Response (SAIR); Virus Protection; Vulnerability Scanning
    Identity & Access Management (PSC 5810, D310): Access Control; Approved FIPS-201 Compliant Services; Card Delivery Services; Card Printer Stations; Communications Security Equipment; Credentialing and Identity Management Services; Cryptographic Module; Cryptography Services; Digital Signature Management; Electromagnetically Opaque Sleeve; Electronic Personalization; Encryption Services; Facial Image Capturing (Middleware); Facial Image Capturing Camera; Fingerprint Capture Station; FIPS-201 Compliant Products; Firewall; Graphical Printing/Card Printer; Identification and Authentication; OCSP Responder; PIV Card; PIV Card Activation and Finalization Products; PIV Card Activation and Finalization Services; PIV Card Management and Production Products; PIV Card Management and Production Services; PIV Card Reader - Biometric; PIV Card Reader - CHUID (Contact); PIV Card Reader - CHUID (Contactless); PIV Card Reader - Transparent; PIV Enrollment and Registration, Products; PIV Enrollment and Registration, Services; PIV Infrastructure Products; PIV Infrastructure Services; PIV Integration Products; PIV Integration Services; PIV Logical Access Control Products; PIV Middleware; PIV Physical Access Control Products; Single Fingerprint Capture Device; Template Generator; Template Matcher

Services

  Telecommunication Services
    Telecommunications & Transmission Services (PSC D304, D399):
      Satellite Services: Bandwidth; Broadcast; Fixed Satellite Services; Managed Satellite Services; Mobile Satellite Services; Satellite Access Subscription Services
      Mobility/Wireless Services: Broadband Access; Cellular Digital Packet Data; Cellular Encryption Services; Cellular/PCS; Land Mobile Radio; Multimode Wireless; Paging; Wireless and Cellular Access; Wireless and Cellular Domestic Service Plans; Wireless and Cellular International Service Plans; Wireline Access
      Transmission Services: Asynchronous Transfer Mode (ATM); Circuit Switched Data; Combined Content Delivery Network; Converged IP; Dark Fiber; Ethernet; Frame Relay; Internet Protocol; IP Video Transport; Layer 2 VPN; Managed Trusted IP Service (MTIPS); Network-based IP VPN; Optical Wavelength; Premises-based IP VPN; Private Line; Synchronous Optical Networking (SONET); Toll Free; Voice; Voice over IP (VOIP); Voice over IP Transport
    Advisory Services (PSC R707): Contract Administration; Contract Optimization; Inventory Management; Invoice Management and Audit; Management Reporting; Order and Billing Management; Rate Plan Optimization
    Transport & Data Center Services (PSC D301, D309, D316, D321): Call Center/Customer Contact Center; Collaboration Support/Email Services; Colocated Hosting; Customer Specific Design and Engineering; Dedicated Hosting; Electronic Auctions; GSA Telepresence Service; Internet Facsimile; Managed Telepresence Service; Network Management; Telecommunications Relay Services for Deaf, Hard of Hearing, and Speech Disabled; Unified Messaging
    Internet Services (PSC D322): Cable Broadband; Dial-up; Digital Subscriber Line (DSL); Mobile Device/Application Management; Mobility Life-Cycle (MLC) Support; Satellite Internet; WIFI

  Outsourcing
    As-a-Service Solutions (PSC D305): Cloud Maintenance and Support; Cloud Products and Services, Operations and Maintenance Support; Cloud Configuration Services; Cloud Integration/Consulting; Cloud Licensing; Cloud Modification and Customization; Cloud Office Automation; Cloud Records Management; Cloud Storage; Email as a Service (EaaS); Infrastructure as a Service (IaaS); Open Source Software; Platform as a Service (PaaS); Software as a Service (SaaS); Virtual Machines; Web Hosting and Related Services
    Data Center and Helpdesk Services (PSC D321, D325): Business Continuity and Disaster Recovery; Business Intelligence; Data Center Configuration Services; Data Center Consolidation and Modernization Services; Data Center Design and Architecture; Data Center Integration/Consulting; Data Center Maintenance and Support; Data Center Operations; Data Center Products and Services, Operations and Maintenance Support; Helpdesk Management
    Quality Control Services (PSC H170, H960, H961, H970): Automatic Data Processing Equipment; Independent Verification and Validation (IV&V); Inspection Services; Testing Services
    Maintenance Services (PSC D301, D320, J058, J060, J070, K060, K070): Computer Systems Operations and Maintenance; Hardware Maintenance and Support; IT Facility Operations and Maintenance
    Technical Services (PSC L070, N058, N059, N060, N070): Disposition/Disposal of IT Equipment; Disposition/Disposal of Wireless Equipment; Hardware Licensing; Inside Cabling/Wiring Installation; Installation/Deinstallation; Local Access Cabling/Wiring Installation; Long Distance Cabling/Wiring Installation; Wireless Antenna Installation
    Application Development Services (PSC D302, D307, D308): Analysis and Design Services; Analysis and Statistics; Configuration Services; Custom Web Design, Development, and Support; Development, Testing and Implementation Services; Modification and Customization; Programming Services; Wireless Applications/Subsystems
    Integrated Services (PSC D316, D318, D399, R415): Cloud Brokerage; Integration/Consulting; Systems Integration; Technology Sharing
    Data Management Services (PSC D303, D311, R702): Backup Services; Data Classification; Data Cleansing; Data Conversion Services; Data Exchange; Data Hosting; Data Warehousing; Extraction and Transformation; Loading and Archiving; Metadata and Data Modeling

  Consulting
    Systems Engineering (PSC D306, R425): Systems Engineering and Integration Support Services
    Operational Support (PSC D314, U012): Acquisition Training; Cyber Security Training; IT Training
    Business Consulting (PSC B544, R408, R410, R413): Capital Planning; Enterprise Architecture (EA); IT Policy and Guidance Development; Management Improvement; Management of Process; Social Media; Strategic Planning
    Research & Development (PSC AC63, AJ21, AJ22): Research and Development


12. Acquisition Risk Assessment and Prioritization

As described in the Implementation Plan, once Category definitions are established, the Categories need to undergo a comparative risk assessment to determine which Category presents the highest level of cyber risk. While not necessarily dispositive of the risk assessment outcome, the amount of money spent in a particular Category should be considered as part of the risk assessment, because it indicates the scope of the risk and the relative importance and impact of cybersecurity shortfalls in that Category.

12.1. Total Federal “Commercial” ICT Spend

               FY11               FY12               FY13               Total
ICT Spending   $72,833,048,867    $75,172,381,174    $62,817,311,432    $210,822,741,473

12.2. Top Three Subcategories by Spend, FY11-FY13

The three subcategories on which the government spent the most money over the last three fiscal years are as follows.

1. [Consulting Services] Systems Engineering Subcategory
              FY11              FY12              FY13              Total
Total Spend   $12,512,933,288   $13,267,989,804   $9,944,348,644    $35,725,271,735

2. [Outsourcing] Integrated Services Subcategory
              FY11              FY12              FY13              Total
Total Spend   $10,843,351,633   $12,421,800,085   $12,244,402,608   $35,509,554,326

3. [Consulting Services] Business Consulting Subcategory
              FY11              FY12              FY13              Total
Total Spend   $7,660,199,257    $8,139,511,800    $7,226,663,041    $23,026,374,098

13. Overlays

[This section is TBD based on input received from stakeholders about the sections above.]
