Executing CNAP at GSA

This interview is an excerpt from GovLoop’s recent research guide, The Current State of Government’s Cybersecurity.

Recognizing the need for a governmentwide approach to cybersecurity, the Obama administration announced the Cybersecurity National Action Plan (CNAP) in February 2016. The plan is ambitious, with directives to establish a cross-sector commission, fund a $3.1 billion Information Technology Modernization Fund and implement multifactor authentication in citizen-facing government services.

To implement CNAP, the administration is relying on several federal agencies to enact its objectives. In an interview with GovLoop, Matthew Cornelius, Innovation Specialist and Chief of Staff in the Office of Governmentwide Policy, explained the pivotal role the General Services Administration (GSA) will play in the plan’s execution.

Communicating With Agencies

“Executing the CNAP directives is a constantly evolving process. It is very clearly led by Office of Management and Budget (OMB) in partnership with the National Security Council (NSC), but because of the governmentwide role GSA has, as well as the primary cybersecurity mission of DHS, we are two of the agencies that are directly responsible for helping OMB and NSC act on the CNAP,” Cornelius said.

While DHS is providing critical intelligence, strategy and implementation, GSA is helping standardize and accelerate many cyber acquisition and program offerings and share best practices. Specifically, the agency is focused on helping others use the most appropriate contracting vehicles for their particular needs. “GSA is doing a top-down rethink of how we manage acquisition and how we push out better information,” Cornelius said. “We are determining how to not just give the IT folks in agencies, but also the procurement folks, access to more relevant information that allows them to make better purchasing decisions around cybersecurity products.”

Delivering Shared Services

A critical part of that message is educating acquisitions and IT professionals on the value of using shared services for technology procurement. By leveraging those, agencies can more quickly acquire technologies, at lower costs. “We’re helping agencies expedite the move to shared services,” Cornelius said. “In the CNAP, it explains that shared cybersecurity services can often make it more efficient, more effective and more secure for agencies, rather than having such fragmented IT management and different departments running their own systems.”

In addition to identifying potential shared services to leverage, GSA has also developed its own services, like cloud.gov and apps.gov, for agencies to access. And in scenarios where a shared service vehicle doesn’t match the agency need, GSA can help them craft new ones. “We’re facilitating development and partnership with other agencies to flesh out new shared services when necessary. Ultimately, we want to keep agencies from having to build, fund and secure fragmented IT,” he said.

Modernizing Technologies

The goal of many of these shared services contracts is to get new, more secure technologies into the hands of agencies faster – a move that supports a key component of CNAP. As part of the president’s fiscal year 2017 budget, a $3.1 billion IT Modernization Fund was proposed. “That would provide agencies with funding to help them expedite modernization by either replacing, repairing or overhauling legacy systems,” Cornelius said.

When appropriated, GSA is designated as the agency that will help administer the fund. The agency will also help other agencies develop modernization plans and, if appropriate, identify contracting vehicles to meet these new modernization requirements. “Whatever we can do through category management and making new vehicles more flexible and adaptable so that as threats evolve, the products and services we can offer will more quickly get into the agency, that’s what we’re going to do,” said Cornelius.

Additionally, GSA is identifying and vetting solutions to make sure that agencies are selecting secure technology that fits their needs. While many individual providers can incorporate a variety of cybersecurity functions into their solution, Cornelius explained that many agencies need stronger guidance to match unique offerings to mission objectives and IT infrastructure needs.

Building Security Into Everything

Vetting those solutions before procurement also achieves the primary objective of federal CIO Tony Scott, which is to engrain security in product development and acquisition, rather than adding features after deployment.

“What GSA is doing in partnership with a lot of agencies is making sure – as we are bringing vendors onto our schedules and making products and services available – that we’re doing due diligence to make sure that security is already baked into those offerings,” Cornelius said.

According to Cornelius, many agency CIOs have already adopted this security-first mindset. However, those leaders still need technologies and processes that enable secure adoption. “GSA wants to be an enabler for that standpoint,” he said. “We want to make sure that through acquisition and through outreach to agencies that we are helping CIOs act on and operate around these new assumptions of what security looks like.”

Ultimately, that’s the goal of GSA when it comes to executing CNAP. The agency wants to empower IT leaders to make better purchasing decisions that engrain cybersecurity into their infrastructure, operations and management.

“We make sure that we are always actively communicating ­­– that we have one message and that we are getting that message out to as many agencies as possible – so that they can then have those conversations internally and decide based on budget, mission and priorities how they are going to make the best cybersecurity decisions for themselves,” Cornelius said.

Leave a Comment

Leave a comment

Leave a Reply