As threats to the Federal IT supply chain grow, the federal acquisition workforce must keep pace with cybersecurity and other risk management efforts in the products, services, and solutions we buy. These risks are present in all items that connect in any way to a government information system and that contain, transmit, process, or communicate information for a Federal agency. Cybersecurity extends to all companies directly involved in the delivery of products, services, and solutions to the Federal government, and through all tiers of the global supply chain.
To assist the Federal acquisition workforce in understanding cybersecurity and other risks, the educational resources below are dedicated to cybersecurity and supply chain risk management.
Prepared by the Office of the Director of National Intelligence's National Counterintelligence and Security Center, Know the Risk - Raise Your Shield: Supply Chain Risk Management is an awareness video about cybersecurity and other risks in the products, services, and solutions we buy. These risks are present in all items that connect in any way to a government information system and/or that contain, transmit, or process information provided by or generated for the government to support the operations and assets of a Federal agency. The concerns extend to all companies directly involved in the delivery of products, services, and solutions to the government, and through all tiers of the global supply chain.
This presentation introduces supply chain risk management and cybersecurity risk issues in acquisition processes. It discusses the requirements that must be adhered to when a product that carries risk enters the Federal Supply system, identifies common issues to avoid, and provides information that should be included in all contracts.
This training covers:
- How Acquisition Professionals address information system risk management.
- The NIST SP 800-37, Rev. 1, methodology that incorporates the Federal Information Security Modernization Act (FISMA) into the NIST security standards.
- Guidance providing a holistic approach to managing risk to an organization's information and information systems.
This training focuses on two phases of the procurement process: Product Evaluation and Contract Negotiation.
- Product Evaluation Phase: Provides Acquisition Professionals with the security and privacy considerations that should be discussed when entering contract negotiations for purchasing IoT solutions, products, and services.
- Contract Negotiation Phase: Explains how Acquisition Professionals may address IoT risk management during the contract negotiation process.
The purpose of this training is to improve the awareness of Acquisition Professionals regarding the potential threats, impacts, and countermeasures of PTC.
This training covers:
- The different roles and responsibilities in managing and handling incidents.
- A framework for organizing the SCRM Response Team (RT), key contacts, and supporting materials to assist in managing and executing the incident response.
- SCRM RP best practices.