8 HARD QUESTIONS FOR FEDERAL CYBERSECURITY IN 2016

“Elephant in the room” topics for the Government and contractors who make up the information technology ecosystem of the Federal marketplace.

8 Questions for 2016 Federal Cybersecurity National Action Plan (CNAP)



These are eight questions regarding the Federal Cybersecurity National Action Plan (CNAP) that will need to be addressed in 2016.


1. Who owns the data… and where is it located?

• The Federal Government has data on every citizen in the U.S. This personal data is spread across hundreds of agencies. Which agency has primary ownership of that data?

• Is the most critical information (health records and security background data) protected better than general information such as the seating chart for the upcoming holiday party?


2. Should the Government require contractors to have cyber insurance?

• Government contractors create, manage and process billions of critical records in support of the Federal government. If a contractor is hacked, who pays for the system recovery, data monitoring services, public relations, etc.?

• If the breach bankrupts the company, is the Government responsible for this cost?

• Should the Government require insurance to share this risk?


3. Can the Government use past cyber breaches in the source selection of contractors?


4. Should products have a cyber rating as part of the Government supply chain evaluation?

• From automated buildings to medical devices, the Federal government has an enormous supply chain for products and services. Recent events surrounding medical devices have shown that certain devices are not only threats to patients but to the networks they are connected to. Should each item in the chain have a cyber rating or evaluation?

• Is it time for a UL-like rating to be applied to all devices purchased by the Government?


5. Is the process of fair bidding more important than acquisition and implementation speed?

• Unlike many commercial entities, a basic construct of Federal contracting is that competition is open and fair to qualified vendors. Given that most cyber products are only a few years old and that the threat is changing daily, is trying to provide fair opportunity to service and product providers (and therefore moving more slowly) putting Federal systems at risk?

• Would the faster purchase of a “good enough” solution be better than using a slower path to buy the best solution?


6. What is the value of a cyber solution?

• Anybody who attended the recent RSA Conference in San Francisco saw booth upon booth of new cybersecurity products. Exactly how does the Government determine if one product is worth more than another?

• Is spending a million dollars on a new technology going to get ten times more protection than a solution that costs ten thousand?


7. How does Government deal with cyber breach information sharing and the inherent conflict with outside legal counsel?

• In the end, there is always a legal component to major issues that confront the nation. Cyber is no different. A key element of the Government’s approach is greater sharing of incidents and threats to shorten the time of response and protection.

• How do you get greater cyber breach information sharing and legal protection at the same time?


8. Who cleans up the mess of a cybersecurity breach?

• In the commercial world, there is a rapid growth of outside cyber breach response teams who work with companies that have been hacked to get them quickly back up and running. A key component of this strategy is that the breach response team is an outside entity.

• Who is this entity for a Federal agency?

• Should this responsibility rest with on-call contractors or with an on-call Federal group?


Evolver has approaches to many of the questions surrounding cybersecurity for Federal agencies.


CYBERSECURITY TEAMS

Evolver's cybersecurity teams currently protect tens of thousands of Government and commercial clients. Our specialization is in protecting highly critical, large data and transactional enterprises. Our experience spans more than 15 years.


Cybersecurity Approach

Includes tools to:

– Identify
– Measure
– Track
– Reduce

cybersecurity risks


Chip Block

Vice President

1943 Isaac Newton Square
Reston, VA 20190

703-889-9353

[email protected]

www.evolverinc.com