The Cybersecurity EO Deadline Has Passed. What can Agencies Do To Quickly Meet the Mandates?

by | Aug 25, 2017

Over the past two years, we’ve seen a step-by-step evolution toward a cyber version of Sarbanes-Oxley. When that evolution is complete, it will be as natural to manage cyber risk through internal control systems as it now is to manage financial risk.

Working with the federal government can seem like an alien experience compared to commercial business sales, and dealing directly with an agency is almost impossible given the regulations and parameters involved in supplying a government entity with a product or service. One way to address this challenge is to get your product listed on the appropriate General Services Administration (GSA) schedule. Doing so not only makes it easier and faster for agencies to acquire a valuable new product or service, it streamlines your own sales efforts in the public sphere. On Thursday, August 24, 2017, the Cybernance Platform was added to the GSA IT Schedule 70, now available through its GSA reselling partner, PointStream, Inc.

At Cybernance, we began our quest to get listed on GSA Schedule 70 very shortly after the Executive Order (EO) on cybersecurity was published on May 11. A critical section of the EO mandates use of the NIST Cybersecurity Framework (CSF) by all agencies to evaluate their cybersecurity risk and resilience. Because the Cybernance Platform is based on NIST CSF and is fully automated, we knew we could help agencies get a rapid and comprehensive picture of cyber risk. The deadline to meet those reporting requirements passed on August 9, so we felt especially inspired to pursue a GSA IT Schedule 70 listing to help agencies tackle these otherwise costly and time-consuming mandates.

The GSA Schedules were devised to help agencies acquire high-quality goods and services with a minimum of red tape. By pre-negotiating contracts with vendors, GSA also assures agencies they are getting a fair price. In fact, GSA prices are often somewhat lower than the standard commercial prices for the same offerings, and never higher. For a small vendor, the months-long negotiation process can seem intimidating, but once a vendor’s offerings are on a GSA Schedule, sales can take place relatively quickly and without individual negotiations during the sales process.

With more than 7.5 million products and services from over 4,600 pre-vetted vendors, federal agencies, as well as civilian, state and local organizations, continue to maximize budgets and reduce buying cycles by up to 50 percent over open market.  – GSA IT Schedule 70 website

Here’s a screenshot of a listing on the GSA IT Schedule 70:

Comparison between the fields of cybergovernance and financial governance

The highlighted example lists PointStream, who recently attained a small business listing on the GSA IT Schedule 70 (contract number GS-35F-394GA). Clicking on PointStream takes you to their contractor information page where you can find the Cybernance Platform for purchase. Services offered by PointStream, including the Cybernance Platform, can be found by clicking the document icon under “Contractor T&Cs/Pricelist” which gives access to the specific contractual purchase terms and conditions.

Comparison between the fields of cybergovernance and financial governance

Acting as another driving force in August’s cybersecurity defense progress, the National Infrastructure Advisory Council (NIAC) released a report that is one of 14 required reports defined in the May 11 EO. One of its five key recommendations is encouraging widespread use of NIST CSF in the commercial sector. To promote it, key federal agencies are asked to establish incentives (e.g., tax credits and waivers from frequent audits) for companies who self-report their cyber risk posture using the Framework. This is an incredibly smart and predictably effective method of encouraging widespread use of NIST CSF in the private sector. Instead of regulations, financial and reputational motivations can drive enterprises to strictly and consistently reference NIST CSF to elevate their cyber maturity.

Over the past two years, we’ve seen a step-by-step evolution toward a cyber version of Sarbanes-Oxley. When that evolution is complete, it will be as natural for public companies, private companies, government agencies, and nonprofits to manage cyber risk through internal control systems as it now is to manage financial risk. The momentum for instituting NIST CSF as the standard way to assess and monitor cyber maturity is finally accelerating, thanks to the U.S. federal government.

Subscribe
Be notified of new Journal entries in your email box or Follow us on Twitter.