1 / 13

Effectively Integrating Information Technology (IT) Security into the Acquisition Process

Effectively Integrating Information Technology (IT) Security into the Acquisition Process. Section 4: Effective Integration. Section 4: Effective Integration. Overview: The IT system life cycle has 5 phases: 1. Initiation 4. Operation/Maintenance

everly
Télécharger la présentation

Effectively Integrating Information Technology (IT) Security into the Acquisition Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration

  2. Section 4: Effective Integration Overview: The IT system life cycle has 5 phases: 1. Initiation 4. Operation/Maintenance 2. Development/Acquisition 5. Disposal 3. Implementation • The procurement life cycle has 5 phases: • 1. Mission & Business Planning 4. Contract Performance • 2. Acquisition Planning 5. Disposal and Closeout • 3. Acquisition To effectively integrate IT security into the procurement process, security must be considered throughout the entire procurement life cycle.

  3. Section 4 cont’d: Effective Integration Overview: How do the Procurement and IT System life cycles relate? ALL 5 phases in the procurement life cycle must address IT security requirements.

  4. Section 4 cont’d: Effective Integration What Security Considerations need to be addressed during the Procurement Life Cycle? Mission/Business Planning results in a needs determination which defines the problem tobe resolved through the procurement process. PROCUREMENT CYCLE ACTIIVTIES • Components of the needs determination are: • basic system idea • preliminary requirements definition • approval

  5. Section 4 cont’d: Effective Integration • The Needs Determination for IT systems and applications should result in a Preliminary System Security Plan compliant with NIST Special Publication 800-18 that establishes the need, links the need to performance objectives, and addresses alternatives. • The Procurement Initiator must obtain a unique system identifier number from the bureau’s Office of the Chief Information Office (OCIO). • The procurement initiator should conduct a preliminary sensitivity assessment in accordance with Federal Information Processing Standard (FIPS)199. • The procurement initiator must utilize criteria in Federal Information Processing Standard 199 to determine sensitivity as High, Moderate, or Low

  6. Section 4 cont’d: Effective Integration Acquisition Planning results in a Requirements Analysis which is an in-depth study of the need and the initial beginnings of the Statement of Work (SOW). • Other activities in this phase include: • Considering market research, socioeconomic programs • Acquisition planning in accordance with FAR Part 7 • Funding the requirement: • The project team is responsible for funding the • requirement by completing a Capital Asset Plan as required by OMB Circular A-11, Section 300. The Capital Asset Plan and a Business Case may also be required to be presented to the ITRB when requested.

  7. Section 4 cont’d: Effective Integration Security Considerations include: • Integrity, Availability, and Confidentiality Analysis • Sensitivity Assessment Update • Level of Assurance Analysis • Risk Assessment Preparation • For IT systems or major applications, development of the Security Plan.

  8. Section 4 cont’d: Effective Integration This phase includes the development and issuance of the solicitation and the receipt and evaluation of offers or quotations. All considerations surrounding the acquisition of the product or service must be addressed in this phase. This includes the Statement of Work; how it will be acquired (Source Selection Plan); how it will be evaluated, tested, and accepted (offer or quotation evaluation plan); and how the contract will be administered.

  9. Section 4 cont’d: Effective Integration • Develop security requirements for inclusion in the Statement of Work. • Assignment of Contract Security Risk • Establish Personnel Security requirements • Establish Security Offer or Quotation Evaluation & Acceptance Criteria & Conduct Evaluation of offers or quotations • Security Review of Solicitation • Obtain Security Classification Guidance from Program Manager • Ensure Contractor IT Security Awareness Training

  10. Section 4 cont’d: Effective Integration This phase involves contractor monitoring. The COR may require IT security expertise to assist in reviewing contract performance measurement documentation, inspecting IT security deliverables, or evaluating contract modifications.

  11. Section 4 cont’d: Effective Integration • IT Security must be considered when: • Inspecting and accepting deliverables • Monitoring performance measures • Reviewing of contractor compliance with IT contract IT security requirements • Updating the Risk Assessment • Annual reviews of all systems and contracted IT facilities are required by DOC policy and FISMA in accordance with the NIST Special Publication 800-26 self-assessment guidance. The COR should participate in these reviews as well as monitor the contractor's daily operation of the system.

  12. Section 4 cont’d: Effective Integration The phase includes determining the following: • Appropriateness of disposal • Exchange and sale of property • Transfer and/or donation of property Contract Closeout activities are also performed.

  13. Module 2 Review Summary • Procurement & IT System Life Cycles • ALL 5 phases in the procurement life cycle must address IT security requirements.

More Related