Interact Question #3 – Cyber Security Risk Management Plan

Cyber security is an issue with increasing focus and importance within the federal space. While discussion around this topic has increased, one method we've focused on is a more effective way to connect cyber requirements to the contract level rather than just the task order level. With a team of acquisition and cyber experts, the concept of a Cyber Security Risk Management Plan has emerged as a possible solution to bridging the gap between industry and government while checking all the boxes in FIPS200 (http://csrc.nist.gov/publications/PubsFIPS.html) and the underlying guidance as published by The National Institute of Standards and Technology (NIST).  We would be interested in and value your opinion regarding the proposed approach to addressing an overarching cyber security plan for IT government contracts.

Attachment: Cyber_Risk_Management_Plan_Interact_Release.pdf (34.71 KB, PDF)

Comments

KatieK
SRA International, Inc. (SRA) supports having a Contract Cyber Security Risk Management Plan (CCSRMP) as an approach to synchronizing requirements between industry and federal customers and establishing the expected security baseline for organizations wishing to conduct business with the Government. Doing so will allow industry and Government to mutually agree on the common set of controls, tactics and procedures necessary to effectively manage cybersecurity risks. We have reviewed the GSA’s proposal to require a Contract Cyber Security Risk Management Plan (CCSRMP), and are pleased to offer the following comments:

1. Based on the information provided, the government should consider an implementation methodology that can be tailored depending on a) the person who has accountability for the system in scope, b) whether the system is for production, development, or testing, c) whether production data will be processed or stored by the system, and d) the sensitivity of the data that is processed or stored by the system. We would also suggest that controls implemented for corporate, contract, task, or project purposes be counted toward CCSRMP compliance, as appropriate.

2. Proper selection and implementation of controls will depend on a number of factors including the types of systems and the sensitivity of the data being processed and stored. Since these factors may not be known until a later time -- for example, when a task order is released -- contractors will be hard-pressed to create a meaningful CCSRMP plan with information that is available at the vehicle level. For example, SRA has multiple environments in which we could host information or a system, and each has different levels of security implemented for very specific reasons. It would be a time-consuming and futile exercise if contractors were required to review each one of the 17 control families in NIST Special Publication (SP) 800-53, rev. 4 (which contain approximately 270 controls) for each possible scenario that may be presented by numerous task orders coming out of a contract vehicle. Additionally, within a given vehicle work could be performed on a government site or on the contractor’s (or subcontractor’s) site which alters which entity is responsible for implementing and maintaining the security controls. A possible solution at the vehicle level would be to use lower levels of basic controls such as those found in the DFARs Safeguards or the NIST Cybersecurity Framework. Additional controls can be added at the task order level in accordance with appropriate NIST risk management practices.

3. The information contained in a CCSRMP is likely to be sensitive and proprietary since it would describe specific protections and unique methodologies that have been implemented to manage cyber risk. Unauthorized access to and disclosure of the CCSRMP to competitors and potential adversaries could put highly sensitive corporate and government information at risk. SRA recommends the Government develop an approach to allow the secure submittal, storage and destruction of this information.

4. It is unclear when, within the RFP process, the CCSRMP would be evaluated. If CCSRMP evaluation will be a pass/fail test before the contractor may submit an RFP response, will the contractor be notified that their proposal was rejected due to the inadequacy of their CCSRMP, will deficiencies be identified and will there be a corrective action process (before or after award)? If failing the CCSRMP evaluation means that the contractor will not be able to participate in the RFP response, we strongly suggest that the government provide clear and consistent guidance on the CCSRMP requirements, hold workshops on how to successfully prepare and implement a CCSRMP, and provide all contractors with an adequate period of time to implement their CCSRMP before the rule becomes effective. This will encourage all contractors to improve their information security programs while protecting integrity in the procurement process.

Thank you for considering our comments. We look forward to continuing our support of GSA and the entire government initiative to Improve Cybersecurity and Resilience through Acquisition.
Alliant 2 Blogger (not verified)
Thank you all for your valuable input and suggestions. In an effort to clear the confusion between the Alliant team’s question and a more government wide effort that is currently being socialized, please consider the proposed Alliant II Cyber Risk Management Plan (CRMP) is separate from, but complementary to, the implementation of Executive Order 13636. The CRMP requirement is intended to be a top level management plan which provides information to the government sufficient to demonstrate an offeror’s understanding of and ability to provide assured solutions under Alliant II contract and execute under the constraints of NIST 800-53 as supported by FIPS 200. The CRMP is a management plan, not a technical document and it is understood that specific technical requirements will be addressed at the individual task order level.
lizwill99
Greetings Alliant II Blogger!

After reviewing the Alliant Cyber Security Risk Management Plan, we recommend applying this requirement at the task-order level rather than at the IDIQ level.

Cyber security requirements will necessarily vary from task order to task order. In addition, an across-the-board requirement will impose another layer of cost and complexity -- and possibly contradiction and confusion -- to those task orders that are subject to existing agency/departmental cyber-security directives.

Providing guidance on this requirement, to support development of task order requirements, will be extremely helpful; imposing a unilateral requirement, applied to all task orders, could create as many problems as it solves.

We hope our input will be useful; we very much appreciate having a venue to provide feedback to the Alliant II team.

Best regards,

Liz
Alliant 2 Blogger (not verified)
@lizwill99: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.
isalliance
Thank you for the opportunity to provide comments on the implementation of the recommendations contained within the Final Report of the Joint Working Group on Improving Cybersecurity and Resilience through Acquisition issued by the Department of Defense (DoD) and General Services Administration (GSA).

We recognize the efforts of the DoD and GSA to involve industry in the development process and appreciate the collaborative approach that has been taken. The ISA strongly supports the government’s efforts to secure cyberspace and believes the voluntary program is an important element in working to accomplish this goal. While progress is being made, we believe there is significant work that needs to be done to create a responsible, practical, and sustainable SCRM plan for certain US Government Acquisitions. The Internet Security Alliance looks forward to continuing to work with you on the development of this plan.

General Comments on the Draft Implementation Plan

The ISA understands that Recommendation IV of the Report, “Institute a Federal Acquisition Cyber Risk Management Strategy” will be a starting point for implementation. Beginning with this recommendation provides a foundation and general framework for subsequent recommendations to be implemented. We caution, however, that the Draft Implementation Plan must focus on the following issues if any resulting policy is to be effective and sustainable.

Specifically, the ISA recommends that this risk framework should focus on the following items:

1. Address the problem currently in the FAR rather than create new guidance. This doesn’t define if it’s addressing the IT acquisition process or processes in the FAR that have cyber. This could add to the current bureaucracy and doesn’t eliminate any of the current hurdles. For example, the government is the lack of the legal authorities to expend funds for continuous improvement and refinement of cyber defense tools.

   a. Current procurement system delivers tools without the Legal basis for using procurement funds to continually refine the tools the system become unusable. Unlike purchasing IT equipment, cyber defense tools must continually be refined because the adversary, criminal, hacker is always adapting. Cyber defense and for that matter Offensive tool sets must be purchased with resources allocated to continually refine the tool. Block deliveries on month or year schedules just does not work. The need is to be able to use procurement funds to continually refine the tool. If the funding is left to Operational funds the tool will become obsolete quite quickly.

2. Work from the strengths that are currently in place such as; supply chain management, SAFETY ACT, DoD and DHS have independent vendor management system, data/information protection, data loss prevention, etc. in the ICT Software Section. Specifically, SAFETY Act products (hardware, software, services) that have been arduously vetted by DHS Cybersecurity.

3. Draft could promote a “tick box mentality”. The key is not whether an entity can produce its policies, it’s more about whether they adhere to them – i.e. qualitative, not quantities.

General Comments or Questions

1. The objectives of CCRMP are not clearly stated. Suggest it could simply say, for example, “to ensure that products or services supplied to government are not vulnerable to cyber attack”?

2. Some of the language is over-complex or even unintelligible: ‘Technical security control requirements will be specified in task order solicitations, based on the cybersecurity risk of the work required by the task order, as determined by the ordering activity’

3. The ‘CCRMP should include’ section is simply a list of policies, where it should be pointing to outcomes / control objectives. This would make it a lot simpler to understand and to assess compliance versus the minimum acceptance criteria. It would also make it a lot harder for the third party/supplier to prevaricate success.

4. Access to systems within 48 hours is too tight of a time constraint. Especially if classified (protectively marked) material is in any of them. This might lead to immediate standoff?

5. What is the frequency of review - annual?

6. In terms of investigative support, is there a commitment to provide this on a reasonable basis?

7. Does this apply to subcontractors? Given how much outsourcing happens, we would say that it should do. It is also a useful way to find out what has been subcontracted to India or China without your knowledge – and also, how much may have been subcontracted back to the original contracting party.

Again, thank you again for the opportunity to provide comments on the Draft Implementation Plan. As our comments demonstrate, we believe that a significant amount of progress has been made in developing a collaborative process by which government and industry can work to address SCRM issues. We also believe, however, that there is considerable work that needs to be done to create a responsible, practical, and sustainable SCRM plan for certain US Government Acquisitions. We look forward to continuing to work with you on the development of this plan.

Sincerely,

Internet Security Alliance
Alliant 2 Blogger (not verified)
@isalliance: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.
John.Turns
We've assessed the proposed approach and our only concerns are that this process will require that we develop a substantially large document, possibly, specific to each contract. This will necessitate that the agencies issuing the RFP provide some additional lead time in the RFP proposal submission date to accommodate even the "tweaking" of the document to meet the requirements in each unique proposal. The proposed process obviously favors companies that have a single product or service to sell, rather than those who may have many different types of support offerings. We are not certain, too, how the proposed CCRMP would be developed for services such as security assessments/pentesting, as it does not appear to have much relevance to that process.
Alliant 2 Blogger (not verified)
@J.Turns: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.
chashina
Information Innovators Inc (Triple-i) supports a Cybersecurity Risk Management Plan (CRMP) as a solution to synchronize requirements between industry and federal customers. By documenting the CRMP, along with the supporting policies and procedures, industry will establish proven methodologies to manage risks. This exercise will benefit the government as well as industry by ensuring a thorough and agreed-upon approach to cybersecurity. Unique customer security requirements can then be included through amendments at the task order level.

We recommend further defining the corrective action process to include the timeline of identifying deficiencies (before or after award), what constitutes a deficiency, and if contractors will be notified that the proposal was rejected due to the attached CRMP.
Alliant 2 Blogger (not verified)
@chashina: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.
Mike.McHugh
We fully support the government’s efforts to enhance Information Assurance, IT Security and Cybersecurity within Federal contracting. As a major Systems Integrator supporting the Federal government, we are keenly aware of the need to protect government information, whether that information is contained on government or contractor networks. We have reviewed the GSA’s proposal to require a Cyber Security Risk Management Plan (CSRMP) that describes a contractor’s internal IT cybersecurity management controls, policies and processes as part of the Alliant II acquisition, and are pleased to offer the following comments:

1. Based on the information provided, it’s not clear if the proposed CSRMP is being suggested as a government-wide standard, or as a program unique standard for Alliant II. We believe strongly that overarching requirements such as the CSRMP should be standardized across the government. Without that standardization across the Federal government, there is a high likelihood that differing and potentially conflicting documentation requirements will be imposed on the contractor community by various agencies. This would not only require excessive contractor costs in preparing/maintaining different versions of CSRMPs for each agency, but could also lead to increased cyber security risk by shifting attention away from Cyber Security Risk Management and onto less effective “document compliance” approaches.

2. Once a contractor has prepared a CSRMP, that document will contain highly sensitive information about the security approaches (and potential weaknesses) for the contractor’s internal IT systems. Unauthorized access to and disclosure of CSRMP information could put at risk highly sensitive Contractor information as well as the Government information contained within the contractor’s IT systems that the CSRMP is intended to protect. Although the draft language provided by GSA indicates that the contractor can mark the CSRMP as Proprietary (if applicable), we believe that stronger protections are necessary to ensure that unauthorized disclosure (including precluding FOIA access) of a contractor’s CSRMP cannot take place. One suggestion is for the government to formally classify an approved Contractor CSRMP as For Official Use Only (FOUO). However, regardless of the approach, we strongly encourage GSA to work with their counterparts throughout government to identify more stringent protections for this highly sensitive document.

3. The proposed requirement indicates that the CSRMP would have to be submitted with every Task Order (TO) response. Since we expect many TO responses to be submitted under Alliant II, that would result in substantial duplication and distribution of the highly sensitive information described in #2 above. This significantly increases the risk of accidental disclosure. We suggest that, once the CSRMP is approved, a “CSRMP Letter-of-Approval” (LOA) be issued, and that subsequent TO responses only be required to include that LOA, not the entire CSRMP, as part of the TO response submittal. Should an individual TO security manager want to see the contractor’s approved CSRMP, they could be provided access upon request after TO award.

4. Although the draft CSRMP includes the need for a Prime Contractor’s CSRMP to include descriptions of the protections that their Subcontractors will provide, it doesn’t address a situation where internal affiliate companies have formed a Joint Venture (JV) to pursue a contract such as Alliant II. We suggest that GSA’s proposed CSRMP requirements be expanded to include the concept of a “Joint CSRMP” that encompasses multiple, “separate-but-equal” JV partners for this type of situation.

Thank you for considering our comments. We look forward to continuing our support of GSA and the entire government initiative to Improve Cybersecurity and Resilience through Acquisition.
Alliant 2 Blogger (not verified)
@Mike-M: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.
Lawrence Muir
My businesses involve the cyber security field. I've written strategic plans for cyber security for government agencies, have prosecuted cyber crimes, and am a professor of law at a law school in Virginia where I teach a course on cyber crimes. From those vantage points I have comments that I hope can be helpful to this discussion.

I have lectured on the NIST framework to businesses. The NIST framework is for private businesses to assess their cyber risks to critical infrastructure. This document involves government contracts. The two do not square with each other. I think that the NIST falls short because it does not provide a business reason to draft a plan. The focus for a business is the protection of their intellectual property, which provides the true value of a modern company. The government may have its own purpose for having businesses protect critical infrastructure, but the primary business purpose of cybersecurity is to protect its information of value that, if stolen, would significantly impair the value of the company. The two can be squared, however. The NIST would have more business value if it guided the company to identifying its intellectual property, assessed that IP's vulnerability to internal and external cyber threat, and helped build structures and processes to better protect it. Most external threats to businesses attack the intellectual property of the business, and not the critical infrastructure. For instance, though the government has a vested interest in protecting the power grid operated by an electric utility, the electric utility also possesses customer payment information, plant schematics, and research and development that has significantly more financial value to cyber thieves. That information, therefore, is more likely to trigger a cyberattack, and thus security should be bolstered there. By getting businesses to focus on the business reasons for cybersecurity, the government may have more success reaching compliance levels. As it stands, the NIST report is of limited value to businesses.

However, the GSA framework can make a business case to businesses to promote compliance, and ultimately, cyber security. The contracts awarded to businesses will generate government data with value, such as research and development or strategic plans. The companies are the repositories of the government's value, in that sense. Thus, an effective GSA plan would accomplish four things: 1) tie awarding contracts that involve government intellectual property to having a compliant cybersecurity plan; 2) make clear the liability consequences for inadequate cybersecurity that leads to a loss or diminution of value of this IP; 3) the plan should be written in such a way that allows the company to conduct its own cybersecurity assessment alongside of the GSA plan, thus lowering the cost of compliance and encouraging holistic company cybersecurity (promoting efficiency); and 4) is written in plain language such that it is clear what the government seeks of the business in the plan, and what it expects in return, making the GSA plan effective.

As a former prosecutor and lecturer on the CFAA, I would like to see the GSA plan focus on protecting the confidentiality and integrity of intellectual property generated on behalf of the government by and through the contract. My generic GSA plan who is seeking a government contract to have a plan in place that addresses the following four topics: 1) the contractor must understand the scope of the IP it will generate, where it will be stored, how it can be accessed, and who may access it, as well as seeking to put limitations around people not required to participate in the contract at that level; 2) it should require an assessment of the internal threats to that data (such as improper employee access, antivirus and software patching updates, exposure to outside sources, transmission of data, etc.) and an assessment of external threats to the data and network; 3) the GSA plan should require a threat mitigation plan that addresses each of those threats; and 4) it should require the action steps that will be taken should a compromise occur, including the internal chain of command that will remediate the threat, coordination with the government agency, action steps for mitigation, retrieval of data, etc. It is imperative that the government know the response steps of the private business, as it is their information at risk. It would be very helpful for the government to provide a sample, fictional, GSA plan to the contracting businesses to guide them through the development stages and reduce the burdens on the business while enhancing the efficacy of the plan ultimately produced.

Without being overly critical of the Draft GSA Plan, I do not think it makes the business case for compliance, nor does it provide sufficient direction that the resultant plan will fulfill the GSA expectations. It should be clearer, more focused on the specific needs of the government, and more helpful to the business. In the end, the government wants to protect its data and IP by improving the cyber risk management plan of the businesses. I'm not convinced this draft accomplishes those goals.

If the government is serious about improving the cybersecurity of its contractors, for the benefit of the business and the government, then the government must go to the business with the business case for why they should make the improvements. It must make the business case for compliance, and then write guidelines that are easy to follow, beneficial to the business, and effectively protect the information being held and developed by the business on behalf of the government. The final product must meet the expectation level of the government.
Alliant 2 Blogger (not verified)
@Lawrence Muir: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.
Thomas R. Goldberg
Cyber security threats have proliferated to such an extent that they are now epidemic throughout the Federal IT hardware and software marketplace. The sophistication of attacks has improved to the degree that countermeasures used just a few months ago, such as signature-based anti-virus and anti-malware systems, no longer work. Continuous monitoring and interdiction at machine speed is being promoted by some of the largest and most prestigious cyber security firms serving the US Government and industry, including FireEye, Mandiant, and McAfee.

GSA's proposed contract language for Alliant and Alliant II goes a long way toward setting enforceable objectives for securing ITC security in the Federal space. There will be costs associated with the proposed changes, but those cannot be avoided if cyber security is to be achieved.

To that end, Lineage Technologies, LLC recognizes that these objectives, when reduced to specific requirements, will impose burdens upon large and small businesses alike, and that such requirements will create market disruptions. Those impacts notwithstanding, Lineage believes that such burdens will be manageable, and can be absorbed by moving to more manageable supply-chains. It will be nearly impossible to comply with these new requirements if current supply-chain configurations remain unchanged. Current supply-chains facilitate the proliferation of counterfeit and tainted components and systems because of its size, and because its configuration is impenetrable below the second tier. Reducing exposure to counterfeit and tainted components and systems can only be accomplished by making the process of examining the supply-base transparent and this can only be done if it is accessible and of a manageable size.

Discrete supply chains allow for the institution of effective management control regimes. Such controls that incorporate elements such as on-site inspections, verification, validation and certification, either by customers, or third-party inspectors ensure higher levels of surety than current mechanisms allow.

Management controls are also essential today because effective technical methods and procedures for examining chips and devices no longer exist. The ever increasing complexity of chips and devices has outstripped Industry's ability to interrogate chips during and after production, making it impossible to render empirical determinations of surety. Confidence intervals based upon empirical testing now hover between 35% - 70%, according to leading laboratories (Atsec & Sandia). 30% - 65% uncertainty intervals make it impossible to rely upon those methods for establishing security in the near-mid-term. Thus, strict management controls and transparency are the only means by which we can boost the current empirical confidence intervals.

GSA's recommendations, while imposing costs and market disruptions will move the US Government closer to reducing its exposure to cyber threats.
Alliant 2 Blogger (not verified)
@Thomas R. Goldberg: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.
mikken29
This is a critically important step toward protecting the post award procurement integrity at the contract level post award. Hopefully, the same planning logic has and is being applied to the acquisition, selection and procurement process by GSA pre-award to improve the Alliant II processes.
Alliant 2 Blogger (not verified)
@mikken29: Thank you for your feedback. Careful consideration will be given as we continue to move forward with our research.