DISCUSSION DRAFT

APPENDIX I:

Category Definitions, Prioritization, and Overlays

Improving Cybersecurity and

Resilience through Acquisition

Implementation Plan

1. Recommendation IV Report Text
2. Foreword
3. Draft Taxonomy based on Commercial Items and Product and Service Codes
3.1. Figure 1: Commercial ICT Categories and PSCs
4. ICT Products: Hardware
4.1. Figure 2: Hardware Category
5. ICT Products: Software
5.1. Figure 3: Software Category
6. ICT Services: Outsourcing
6.1. Figure 4: Outsourcing Category
7. ICT Services: Consulting Services
7.1. Figure 5: Consulting Services Category
8. ICT Services: Telecommunication Services
8.1. Figure 6: Telecommunication Services Category
9. ICT Solutions: Security
9.1. Figure 7: Security Category
10. PSC Glossary
11. Figure 8: Complete Category Hierarchy
12. Acquisition Risk Assessment and Prioritization
12.1. Total Federal "Commercial" ICT Spend
12.2. Top Three Subcategories by Spend FY11-FY13
13. Overlays

1. Recommendation IV Report Text

From the Executive Summary of the Report (pg 7):

Institute a Federal Acquisition Cyber Risk Management Strategy.
From a government-wide cybersecurity perspective, identify a hierarchy of cyber risk criticality for acquisitions. To maximize consistency in application of procurement rules, develop and use “overlays”[1] for similar types of acquisition, starting with the types of acquisitions that present the greatest cyber risk.

From the body of the Report (pp 15-16):

Institute a Federal Acquisition Cyber Risk Management Strategy.

The government needs an interagency acquisition cyber risk management strategy that requires agencies to ensure their performance meets strategic cyber risk goals for acquisition and is part of the government’s enterprise risk management strategy. The strategy should be based on a government-wide perspective of acquisition, and be primarily aligned with the methodologies and procedures developed to address cyber risk in the Cybersecurity Framework. It should identify a hierarchy of cyber risk criticality for acquisitions and include a risk-based prioritization of acquisitions. The risk analysis should be developed in alignment with the Federal Enterprise Architecture[2] and NIST Risk Management Framework (RMF).[3]

The strategy should include development of “overlays” - fully specified sets of security requirements and supplemental guidance that provide the ability to appropriately tailor security requirements for specific technologies or product groups, circumstances and conditions, and/or operational environments.[4]

When developing the strategy, the government should leverage existing risk management processes and data collection methodologies, and consistently incorporate cyber risk as an element of enterprise risk management. The strategy should encompass standard network security practices to address vulnerability of information to cyber intrusions and exfiltration. The strategy should leverage supply chain risk management processes to mitigate risks of non-conforming items (such as counterfeit and tainted products). And it should include appropriate metrics to define risk and to measure the ability of agencies to apply empirical risk modeling techniques that work across both public and private organizations. In developing the strategy, the government should use the active, working partnerships between industry, the civilian agencies and the intelligence community, and create such partnerships where they do not already exist, with the goal of leveraging validated and outcome-based risk management processes, best practices, and lessons learned.

Where appropriately defined categories of similar types of acquisitions already exist,[5] the government should develop overlays for those types of acquisitions. The overlays should be developed in collaboration with industry, and consistently applied to all similar types of Federal acquisitions. The starting point for development of the requirements should be the Cybersecurity Framework.

The overlays should encompass realistic, risk-based controls that appropriately mitigate the risks for the type of acquisition, and should define the minimum acceptable controls for any acquisition that is of a similar type. The overlays should not, as a general rule, incorporate standards directly into contracts, and should avoid prescriptive mandates for specific practices, tooling, or country-specific standards, because the inflexibility of those approaches often inadvertently increases costs without actually reducing risk.[6] Instead, the overlays should specifically identify security controls from within standards that should be applied to the type of acquisition being conducted. The overlays should also include acquisition and contractual controls like source selection criteria and contract performance measures. Finally, to the greatest extent possible, the overlays should be expressed as technical requirements. This approach will allow the government to describe top level cybersecurity requirements, decompose them to a lower level for an individual acquisition, and then articulate them consistent with and in a similar manner as other requirements for the fielded solution.

This recommendation is based on the fact that not all assets delivered through the acquisition system present the same level of cyber risk or warrant the same level of cybersecurity, and requiring increased cybersecurity in planning and performance of government contracts creates cost increases for contractors and the Federal government. Such cost increases must be balanced against the nature and severity of cyber risks and the corresponding cost or performance reductions in other functionality. The Federal government can mitigate the amount of any cost increases if it creates certainty by adopting cybersecurity requirements across market segments and similar types of procurement.

2. Foreword

The set of notional Category definitions and taxonomy in this Appendix represents one way the Federal acquisition spend can be divided. This "model" was developed using a subset of Federal acquisition spend and is intended to provide a starting point for the collaborative, stakeholder-centric development of a method for categorizing similar types of acquisition that achieves the goals of Recommendation IV of the DoD-GSA Report "Improving Cybersecurity and Resilience through Acquisition."

This categorization is intended to clearly define the structure and boundaries of the listed ICT categories, subcategories, and products and services. It was developed using a data-driven approach based on logical groupings of industry codes that align with available Federal spending data.

This draft only contains a subset of the types of Federal Information and Communications Technology (ICT) acquisition, “commercial” ICT, as defined by the Federal Acquisition Regulation (FAR). If the model presented here, or some version of it, is agreed to as a workable construct for accomplishing the tasks required to implement Recommendation IV from the DoD-GSA Report, the remaining types of acquisitions can be categorized using the same process. Once stakeholders reach agreement on the process used to define the Categories, the method can be expanded to cover all types of Federal contract spending. This subset of Categories is not exhaustive and is to be viewed only as an example of the output that can be achieved by applying a process to available spending data.

Improving Cybersecurity and Resilience through Acquisition Implementation Plan (v1.0)

Page 1 of 19


3. Draft Taxonomy based on Commercial Items and Product and Service Codes

This draft model provides six categories that fall within three Information and Communications Technology (ICT) sectors: Products, Services, and Solutions. Each category addresses a unique market with distinct customer requirements, supplier segments, and products and services. The ICT products and services included in the categories are generally reflective of items that are encompassed by the FAR definition of "commercial."[7]

Each category has an identifiable taxonomy based on Product and Service Codes (PSCs).[8] PSCs are used today by all Federal government contracting activities to identify and classify the services, supplies, and equipment purchased under contract. This taxonomy is proposed because it encompasses all spending and is defined by the types of services and products being purchased, not by the acquisition method used or the organization that did the buying. PSCs are readily available, accurate, and consistently recorded, unlike other classification codes used by various contracting offices. A PSC-based taxonomy is also currently used to support strategic sourcing, the Under Secretary of Defense for Acquisition, Technology and Logistics' Better Buying Power initiatives, the General Services Administration's Federal Supply Schedules and Governmentwide Acquisition Contracts, and other Federal acquisition programs. Finally, using a consistent taxonomy for this effort will foster communication and strategic decision-making across the various initiatives and programs.

The included items are mapped against the PSCs to form subcategories, which are allocated to a category depending on how Federal buyers typically purchase the items. Further sub-categorization may be required to define categories for which cyber risks can be appropriately mitigated using a single Overlay.

3.1. Figure 1: Commercial ICT Categories and PSCs

The commercial ICT segment of the Federal IT market consists of 322 products and services with a total spend of $62,817,311,432 for fiscal year 2013 (FY13), based on FPDS net obligation data. Category boundaries were determined using the PSC taxonomy illustrated in Figure 1, which contains six PSCs that overlap between categories and one PSC that overlaps between subcategories within the Security category. Spend data for each subcategory is provided in the following pages.

4. ICT Products: Hardware

The Hardware category consists of five subcategories, 68 products and services, and the associated taxonomy depicted in Figure 2.

4.1. Figure 2: Hardware Category

Computing Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $2,485,157,341 / $2,522,202,670 / $1,602,382,139 / $6,609,742,149

Peripherals and Storage Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $1,913,110,732 / $1,615,172,197 / $1,131,341,194 / $4,659,624,124

Communications Equipment Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $7,637,465,892 / $7,287,094,511 / $5,639,806,169 / $20,564,366,572

Electronic Equipment Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $2,797,074,354 / $2,691,021,777 / $2,301,052,570 / $7,789,148,701

Fiber Optic Equipment Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $143,004,161 / $117,391,069 / $103,200,520 / $363,595,749

5. ICT Products: Software

The Software category consists of four subcategories, 56 products and services, and the associated taxonomy depicted in Figure 3.

5.1. Figure 3: Software Category

Operations Management Software Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $1,980,848,928 / $1,958,071,636 / $1,944,640,692 / $5,883,561,256

Licensing and Maintenance Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $236,996,153 / $449,032,775 / $653,383,045 / $1,339,411,973

Geographic Software Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $22,109,932 / $37,430,936 / $13,231,914 / $72,772,782

System Programs Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $3,691,038,069 / $4,083,188,994 / $3,955,240,048 / $11,729,467,111

6. ICT Services: Outsourcing

The Outsourcing category consists of eight subcategories, 63 products and services, and the associated taxonomy depicted in Figure 4.

6.1. Figure 4: Outsourcing Category

As-a-Service Solutions Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $40,998,557 / $42,081,280 / $46,341,575 / $129,421,413

Data Center and Helpdesk Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $3,853,958 / $177,152,484 / $255,149,129 / $436,155,571

Quality Control Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $21,438,953 / $20,007,959 / $22,400,636 / $63,847,548

Maintenance Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $5,458,837,874 / $5,521,747,931 / $4,305,154,329 / $15,285,740,135

Technical Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $660,734,550 / $730,382,690 / $358,719,301 / $1,749,836,542

Application Development Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $7,399,341,001 / $6,811,970,736 / $5,235,732,142 / $19,447,043,879

Integrated Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $10,843,351,633 / $12,421,800,085 / $12,244,402,608 / $35,509,554,326

Data Management Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $625,701,864 / $635,399,862 / $535,285,474 / $1,796,387,199

7. ICT Services: Consulting Services

The Consulting Services category consists of four subcategories, 12 products and services, and the associated taxonomy shown in Figure 5.

7.1. Figure 5: Consulting Services Category

Research & Development Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $1,414,468,378 / $1,525,718,192 / $1,051,144,890 / $3,991,331,460

Business Consulting Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $7,660,199,257 / $8,139,511,800 / $7,226,663,041 / $23,026,374,098

Operational Support Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $589,701,792 / $282,187,414 / $254,176,897 / $1,126,066,103

Systems Engineering Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $12,512,933,288 / $13,267,989,804 / $9,944,348,644 / $35,725,271,735

8. ICT Services: Telecommunication Services

The Telecommunication Services category consists of four subcategories, 63 products and services, and the associated taxonomy depicted in Figure 6.

8.1. Figure 6: Telecommunication Services Category

Advisory Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $609,941,886 / $557,752,925 / $477,881,170 / $1,645,575,982

Telecommunications & Transmission Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $2,475,043,843 / $2,270,530,931 / $2,077,412,064 / $6,822,986,839

Data & Network Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $572,144,178 / $647,597,791 / $538,809,622 / $1,758,551,592

Internet Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / N/A / $115,084,994 / $102,616,233 / $217,701,227

9. ICT Solutions: Security

The Security category consists of two subcategories, 60 products and services, and the associated taxonomy depicted in Figure 7.

9.1. Figure 7: Security Category

Identity and Access Management Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $915,099,172 / $1,035,729,671 / $503,931,148 / $2,454,759,991

Security Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $131,331,140 / $224,449,061 / $268,665,217 / $624,445,418

10. PSC Glossary

PSC / Name
5805 / Telephone and Telegraph Equipment
5810 / Communications Security Equipment and Components
5811 / Other Cryptologic Equipment and Components
5815 / Teletype and Facsimile Equipment
5820 / Radio and Television Communication Equipment, Except Airborne
5821 / Radio and Television Communication Equipment, Airborne
5825 / Radio Navigation Equipment, Except Airborne
5826 / Radio Navigation Equipment, Airborne
5830 / Intercommunication and Public Address Systems, Except Airborne
5831 / Intercommunication and Public Address Systems, Airborne
5841 / Radar Equipment, Airborne
5895 / Miscellaneous Communication Equipment
5995 / Cable, Cord, and Wire Assemblies: Communication Equipment
5998 / Electrical and Electronic assemblies, Boards, Cards, and Associated Hardware
6015 / Fiber Optic Cables
6020 / Fiber Optic Cable Assemblies and Harnesses
6021 / Fiber Optic Switches
6030 / Fiber Optic Devices
6060 / Fiber Optic Interconnectors
6110 / Electrical Control Equipment
7010 / ADPE System Configuration
7020 / ADP Central Processing Unit (CPU, Computer), Analog
7021 / ADP Central Processing Unit (CPU, Computer), Digital
7022 / ADP Central Processing Unit (CPU, Computer), Hybrid
7025 / ADP Input/Output and Storage Devices
7030 / ADP Software
7035 / ADP Support Equipment
7042 / Mini and Micro Computer Control Devices
7045 / ADP Supplies
7050 / ADP Components
7435 / Office Information System Equipment
AC63 / R&D- Defense System: Electronics/Communication Equipment (Advanced Development)
AJ21 / R&D- General Science/Technology: Mathematical/Computer Sciences (Basic Research)
AJ22 / R&D- General Science/Technology: Mathematical/Computer Sciences (Applied Research/Exploratory Development)
B544 / Special Studies/Analysis- Technology
D301 / IT and Telecom- Facility Operation and Maintenance
D302 / IT and Telecom- Systems Development
D303 / IT and Telecom- Data Entry
D304 / IT and Telecom- Telecommunications and Transmission
D305 / IT and Telecom- Teleprocessing, Timeshare, and Cloud Computing
D306 / IT and Telecom- Systems Analysis
D307 / IT and Telecom- IT Strategy and Architecture
D308 / IT and Telecom- Programming
D309 / IT and Telecom- Information and Data Broadcasting or Data Distribution
D310 / IT and Telecom- Cyber Security and Data Backup
D311 / IT and Telecom- Data Conversion
D312 / IT and Telecom- Optical Scanning
D313 / IT and Telecom- Computer Aided Design/Computer Aided Manufacturing (CAD/CAM)
D314 / IT and Telecom- System Acquisition Support
D315 / IT and Telecom- Digitizing; Includes: Cartographic and Geographic Information
D316 / IT and Telecom- Telecommunications Network Management
D317 / IT and Telecom- Web-Based Subscription
D318 / IT and Telecom- Integrated Hardware/Software/Services Solutions, Predominantly Services
D319 / IT and Telecom- Annual Software Maintenance Service Plans
D320 / IT and Telecom- Annual Hardware Maintenance Service Plans
D321 / IT and Telecom- Help Desk
D322 / IT and Telecom- Internet
D324 / IT and Telecom- Business Continuity
D325 / IT and Telecom- Data Centers and Storage
D399 / IT and Telecom- Other IT and Telecommunications
H170 / Quality Control- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
H960 / Other Quality Control, Testing, and Inspection- Fiber Optics Materials, Components, Assemblies, and Accessories
H961 / Other Quality Control, Testing, and Inspection- Electric Wire and Power Distribution Equipment
H970 / Other Quality Control, Testing, and Inspection- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
J058 / Maintenance, Repair, and Rebuilding of Equipment- Communication, Detection, and Coherent Radiation Equipment
J060 / Maintenance, Repair, and Rebuilding of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
J070 / Maintenance, Repair, and Rebuilding of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
K060 / Modification of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
K070 / Modification of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
L070 / Technical Representative- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
N058 / Installation of Equipment- Communication, Detection, and Coherent Radiation Equipment
N059 / Installation of Equipment- Electrical and Electronic Equipment Components
N060 / Installation of Equipment- Fiber Optics Materials, Components, Assemblies, and Accessories
N070 / Installation of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment
R408 / Support- Professional: Program Management/Support
R410 / Support- Professional: Program Evaluation/Review/Development
R413 / Support- Professional: Specifications Development
R415 / Support- Professional: Technology Sharing/Utilization
R425 / Support- Professional: Engineering/Technical
R702 / Support- Management: Data Collection
R707 / Support- Management: Contract/Procurement/Acquisition Support
U012 / Education/Training- Information Technology/Telecommunications Training
W070 / Lease or Rental of Equipment- Automatic Data Processing Equipment (Including Firmware), Software, Supplies and Support Equipment


11. Figure 8: Complete Category Hierarchy


12. Acquisition Risk Assessment and Prioritization

As described in the Implementation Plan, once Category definitions are established, the Categories need to undergo a comparative risk assessment to determine which Category presents the highest level of cyber risk. While not necessarily dispositive of the risk assessment outcome, the amount of money spent in a particular Category should be considered as part of the risk assessment because it is an indication of the scope of risk and the relative importance and impact of cybersecurity shortfalls in a particular Category.

12.1. Total Federal "Commercial" ICT Spend

FY11 / FY12 / FY13 / Total
ICT Spending / $72,833,048,867 / $75,172,381,174 / $62,817,311,432 / $210,822,741,473

12.2. Top Three Subcategories by Spend FY11-FY13

The three subcategories on which the government spent the most money over fiscal years 2011 through 2013 are as follows.

  1. [Consulting Services] Systems Engineering Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $12,512,933,288 / $13,267,989,804 / $9,944,348,644 / $35,725,271,735

  2. [Outsourcing] Integrated Services Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $10,843,351,633 / $12,421,800,085 / $12,244,402,608 / $35,509,554,326

  3. [Consulting Services] Business Consulting Subcategory

FY11 / FY12 / FY13 / Total
Total Spend / $7,660,199,257 / $8,139,511,800 / $7,226,663,041 / $23,026,374,098
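The roll-up and ranking that Sections 3 and 12 describe (map each PSC-coded obligation record to a subcategory, sum net obligations per fiscal year, rank subcategories by total spend as one input to the comparative risk assessment), as an added Python example that is not part of the DoD-GSA discussion draft. The PSC-to-subcategory mapping below is an assumption built from the glossary names in Section 10; the draft's Figures 1 through 7 (not reproduced here) hold the actual assignments, including the six PSCs that overlap between categories, and a real mapping would have to resolve those overlaps. The obligation records are constructed sample data, not FPDS extracts.

```python
"""Roll PSC-coded obligation records up into ICT subcategories and rank by spend.

Added example; not code from the discussion draft. PSC_TO_SUBCATEGORY is an
assumed mapping derived from the PSC glossary names, and SAMPLE_OBLIGATIONS is
constructed sample data rather than FPDS output.
"""
from collections import defaultdict
from decimal import Decimal

# Assumed PSC -> (category, subcategory) assignments. Hypothetical: the draft's
# figures define the real taxonomy, and six PSCs overlap categories there.
PSC_TO_SUBCATEGORY = {
    "7021": ("Hardware", "Computing"),
    "7025": ("Hardware", "Peripherals and Storage"),
    "5805": ("Hardware", "Communications Equipment"),
    "6015": ("Hardware", "Fiber Optic Equipment"),
    "7030": ("Software", "System Programs"),
    "D319": ("Software", "Licensing and Maintenance"),
    "D305": ("Outsourcing", "As-a-Service Solutions"),
    "D321": ("Outsourcing", "Data Center and Helpdesk Services"),
    "D325": ("Outsourcing", "Data Center and Helpdesk Services"),
    "D318": ("Outsourcing", "Integrated Services"),
    "R425": ("Consulting Services", "Systems Engineering"),
    "D304": ("Telecommunication Services", "Telecommunications & Transmission Services"),
    "D322": ("Telecommunication Services", "Internet Services"),
    "D310": ("Security", "Security Services"),
}

# Constructed sample records: (fiscal_year, psc, net_obligation_usd as a string).
# Amounts are kept as strings so they go straight into Decimal; a negative value
# is a de-obligation, which net obligation data does contain.
SAMPLE_OBLIGATIONS = [
    ("FY13", "D318", "12500000.00"),
    ("FY13", "R425", "9000000.00"),
    ("FY13", "7030", "3000000.00"),
    ("FY13", "D310", "700000.00"),
    ("FY13", "D310", "-50000.00"),
    ("FY12", "D318", "11000000.00"),
    ("FY12", "R425", "13000000.00"),
    ("FY12", "ZZ99", "100.00"),  # not an ICT PSC in this taxonomy: reported, not summed
]


def rollup(records, mapping=PSC_TO_SUBCATEGORY):
    """Sum obligations per (category, subcategory) and fiscal year.

    Returns (totals, unmapped) where totals[(category, subcategory)][fy] is a
    Decimal and unmapped is the set of PSCs that the taxonomy does not cover.
    Unmapped codes are surfaced rather than silently dropped, because a PSC
    missing from the taxonomy means spend that no overlay will ever reach.
    """
    totals = defaultdict(lambda: defaultdict(Decimal))
    unmapped = set()
    for fy, psc, amount in records:
        key = mapping.get(psc.strip().upper())
        if key is None:
            unmapped.add(psc)
            continue
        totals[key][fy] += Decimal(amount)
    return totals, unmapped


def rank_by_spend(totals, top_n=3):
    """Rank subcategories by total spend across all fiscal years, highest first.

    Returns a list of ((category, subcategory), total) pairs. Spend is only one
    input to the comparative risk assessment, so this is a starting order,
    not the final prioritization.
    """
    ranked = sorted(
        ((key, sum(by_fy.values(), Decimal(0))) for key, by_fy in totals.items()),
        key=lambda item: item[1],
        reverse=True,
    )
    return ranked[:top_n]


if __name__ == "__main__":
    totals, unmapped = rollup(SAMPLE_OBLIGATIONS)
    for rank, ((category, subcategory), total) in enumerate(rank_by_spend(totals), 1):
        print(f"{rank}. [{category}] {subcategory}: ${total:,.2f}")
    if unmapped:
        print("PSCs not covered by the taxonomy:", sorted(unmapped))
```

Decimal is used rather than float so that summing many obligation lines does not accumulate rounding error in the totals, and the unmapped-PSC set is returned rather than ignored so that spend outside the taxonomy is visible when the category boundaries are reviewed.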

13. Overlays

[This section is TBD based on input received from stakeholders about above sections.]