Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition, 27966-27968 [2013-11239]

Download as PDF 27966 Federal Register / Vol. 78, No. 92 / Monday, May 13, 2013 / Notices Hours per response FDIC Document Declaration Declaration Declaration Declaration Declaration Declaration Declaration Declaration Declaration Declaration Declaration Declaration Declaration Number of respondents Burden hours for Government Deposit, Form 7200/04 .................................................................. for Revocable Trust, Form 7200/05 ......................................................................... of Independent Activity, Form 7200/06 .................................................................... of Independent Activity for Unincorporated Association, Form 7200/07 ................. for Joint Ownership Deposit, Form 7200/08 ............................................................ for Testamentary Deposit, Form 7200/09 ................................................................ for Defined Contribution Plan, Form 7200/10 .......................................................... for IRA/KEOGH Deposit, Form 7200/11 .................................................................. for Defined Benefit Plan, Form 7200/12 .................................................................. of Custodian Deposit, Form 7200/13 ....................................................................... for Health and Welfare Plan, Form 7200/14 ............................................................ for Plan and Trust, Form 7200/15 ............................................................................ for Irrevocable Trust, Form 7200/18 ........................................................................ 0.50 0.50 0.50 0.50 0.50 0.50 1.0 0.50 1.0 0.50 1.0 0.50 0.50 30 150 5 5 5 50 10 5 10 5 20 20 10 15 75 2.5 2.5 2.5 25 10 2.5 10 2.5 20 10 5 Sub-total ............................................................................................................................... ........................ 5025 182.5 Additional Burden for Deposit Brokers Only ............................................................................... ........................ 70 Total ............................................................................................................................... ........................ 5095 General Description of Collection: The collection involves forms used by the FDIC to obtain information from individual depositors and deposit brokers necessary to supplement the records of failed depository institutions to make determinations regarding deposit insurance coverage for depositors of failed institutions. The information provided allows the FDIC to identify the actual owners of an account and each owner’s interest in the account. Request for Comment tkelley on DSK3SPTVN1PROD with NOTICES Comments are invited on: (a) Whether these collections of information are necessary for the proper performance of the FDIC’s functions, including whether the information has practical utility; (b) the accuracy of the estimate of the burden of the information collection, including the validity of the methodology and assumptions used; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology. All comments will become a matter of public record. Dated at Washington, DC, this 7th day of May, 2013. Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. [FR Doc. 2013–11205 Filed 5–10–13; 8:45 am] BILLING CODE 6714–01–P VerDate Mar<15>2010 16:13 May 10, 2013 Jkt 229001 FEDERAL RESERVE SYSTEM Formations of, Acquisitions by, and Mergers of Bank Holding Companies The companies listed in this notice have applied to the Board for approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (BHC Act), Regulation Y (12 CFR part 225), and all other applicable statutes and regulations to become a bank holding company and/or to acquire the assets or the ownership of, control of, or the power to vote shares of a bank or bank holding company and all of the banks and nonbanking companies owned by the bank holding company, including the companies listed below. The applications listed below, as well as other related filings required by the Board, are available for immediate inspection at the Federal Reserve Bank indicated. The applications will also be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing on the standards enumerated in the BHC Act (12 U.S.C. 1842(c)). If the proposal also involves the acquisition of a nonbanking company, the review also includes whether the acquisition of the nonbanking company complies with the standards in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted, nonbanking activities will be conducted throughout the United States. Unless otherwise noted, comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors not later than June 7, 2013. A. Federal Reserve Bank of St. Louis (Yvonne Sparks, Community Development Officer) P.O. Box 442, St. Louis, Missouri 63166–2034: PO 00000 Frm 00032 Fmt 4703 Sfmt 4703 137 319.5 1. Wildcat Bancshares, Inc., Springfield, Missouri; to become a bank holding company by acquiring 100 percent of the voting shares of CBR Bancshares, Corporation, and thereby acquire Citizens Bank of Rogersville, both in Rogersville, Missouri. Board of Governors of the Federal Reserve System, May 8, 2013. Michael J. Lewandowski, Assistant Secretary of the Board. [FR Doc. 2013–11248 Filed 5–10–13; 8:45 am] BILLING CODE 6210–01–P GENERAL SERVICES ADMINISTRATION [Notice–OERR–2013–01; Docket No. 2013– 0002; Sequence 10] Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition Office of Emergency Response and Recovery, U.S. General Services Administration (GSA). ACTION: Request for information. AGENCY: SUMMARY: On February 12th, 2013, the President issued the Executive Order for Improving Critical Infrastructure Cybersecurity (Executive Order 13636). In accordance with Section 8(e) of Executive Order 13636, within 120 days, the General Services Administration and the Department of Defense, in consultation with the Department of Homeland Security and the Federal Acquisition Regulation Council, are required to make recommendations on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration and address what steps E:\FR\FM\13MYN1.SGM 13MYN1 Federal Register / Vol. 78, No. 92 / Monday, May 13, 2013 / Notices tkelley on DSK3SPTVN1PROD with NOTICES can be taken to harmonize, and make consistent, existing procurement requirements related to cybersecurity. Public outreach is a critically important activity for implementation of the Executive Order. In an effort to obtain broad stakeholder involvement, the General Services Administration and the Department of Defense are publishing this Request for Information (RFI) seeking information that can be used in the Section 8(e) report. DATES: Effective date: Submit comments on or before June 12, 2013. ADDRESSES: Submit comments in response to Notice–OERR–2013–01 by any of the following methods: • Regulations.gov: http:// www.regulations.gov. Submit comments via the Federal eRulemaking portal by searching for ‘‘Notice–OERR–2013–01’’. Select the link ‘‘Submit a Comment’’ that corresponds with ‘‘Notice–OERR– 2013–01’’. Follow the instructions provided at the ‘‘Submit a Comment’’ screen. Please include your name, company name (if any), and ‘‘Notice– OERR–2013–01’’ on your attached document. • Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street NE., 7th Floor, Washington, DC 20417. Instructions: Please submit comments only and cite ‘‘Notice-OERR–2013–01’’, in all correspondence related to this case. All comments received will be posted without change to http:// www.regulations.gov, including any personal and/or business confidential information provided. FOR FURTHER INFORMATION CONTACT: Mr. Emile Monette, U.S. General Services Administration, at emile.monette@gsa.gov or 703–605– 5470. SUPPLEMENTARY INFORMATION: A. Background On February 12th, 2013, the President issued the Executive Order for Improving Critical Infrastructure Cybersecurity (E.O. 13636) and the Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD–21). In accordance with Section 8(e) of Executive Order 13636 (EO), within 120 days, the General Services Administration and the Department of Defense, in consultation with the Department of Homeland Security and the Federal Acquisition Regulation Council, are required to make recommendations on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract VerDate Mar<15>2010 16:13 May 10, 2013 Jkt 229001 administration and address what steps can be taken to harmonize, and make consistent, existing procurement requirements related to cybersecurity. Among other things, PPD–21 requires the General Services Administration, in consultation with the Department of Defense and the Department of Homeland Security, to jointly provide and support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure. In order to accomplish the task required by EO Section 8(e), the General Services Administration (GSA) and the Department of Defense (DoD) have formed the ‘‘Joint Working Group on Improving Cybersecurity and Resilience through Acquisition,’’ (Working Group) with GSA as the lead agency. The Working Group is comprised of topicknowledgeable members selected from the DoD, GSA, the Department of Homeland Security (DHS), the Office of Federal Procurement Policy (OFPP), and the National Institute of Standards and Technology (NIST). The Working Group is coordinating its efforts to obtain input from the stakeholder community, including industry, academia, and federal, state, and local government. Public outreach is a critically important activity for implementation of the EO and PPD. In an effort to obtain broad stakeholder involvement, the Working Group is publishing this Request for Information (RFI) seeking information that can be used in the Section 8(e) report. To the extent applicable, the Section 8(e) recommendations will also lay the foundation for establishment or identification of the government-wide cybersecurity contracts required by PPD–21. The Working Group is also directly engaged with the DHS Interagency Task Force (ITF). The ITF has been established to lead implementation of the EO and PPD–21, including, among other things, stakeholder engagement. The ITF has established working groups to accomplish the major deliverables and action items required by the EO and PPD, and this RFI for the Section 8(e) report is one element of the larger outreach efforts underway to address the requirements of the EO and PPD. The importance of common language cannot be overstated. It is apparent that a common lexicon is one of the critical gaps in harmonizing federal acquisition requirements related to cybersecurity. Given the limitations of the unsettled definition of the word, for purposes of this RFI, the term ‘‘cybersecurity’’ is given a broad meaning that includes PO 00000 Frm 00033 Fmt 4703 Sfmt 4703 27967 information security and related areas, like supply chain risk management, information assurance, and software assurance, as well as other efforts to address threats or vulnerabilities flowing from or enabled by connection to digital infrastructure. In responding to the questions below, please highlight any applicable distinctions in responses related to classified and unclassified acquisitions. Feasibility and Federal Acquisition: In general, DoD and GSA seek input about the feasibility of incorporating cybersecurity standards into federal acquisitions. For example: 1. What is the most feasible method to incorporate cybersecurity-relevant standards in acquisition planning and contract administration? What are the cost and other resource implications for the federal acquisition system stakeholders? 2. How can the federal acquisition system, given its inherent constraints and the current fiscal realities, best use incentives to increase cybersecurity amongst federal contractors and suppliers at all tiers? How can this be accomplished while minimizing barriers to entry to the federal market? 3. What are the implications of imposing a set of cybersecurity baseline standards and implementing an associated accreditation program? 4. How can cybersecurity be improved using standards in acquisition planning and contract administration? 5. What are the greatest challenges in developing a cross-sector standardsbased approach cybersecurity risk analysis and mitigation process for the federal acquisition system? 6. What is the appropriate balance between the effectiveness and feasibility of implementing baseline security requirements for all businesses? 7. How can the government increase cybersecurity in federal acquisitions while minimizing barriers to entry? 8. Are there specific categories of acquisitions to which federal cybersecurity standards should (or should not) apply? 9. Beyond the general duty to protect government information in federal contracts, what greater levels of security should be applied to which categories of federal acquisition or sectors of commerce? 10. How can the Federal government change its acquisition practices to ensure the risk owner (typically the end user) makes the critical decisions about that risk throughout the acquisition lifecycle? 11. How do contract type (e.g., firm fixed price, time and materials, cost- E:\FR\FM\13MYN1.SGM 13MYN1 tkelley on DSK3SPTVN1PROD with NOTICES 27968 Federal Register / Vol. 78, No. 92 / Monday, May 13, 2013 / Notices plus, etc.) and source selection method (e.g., lowest price technically acceptable, best value, etc.) affect your organization’s cybersecurity risk definition and assessment in federal acquisitions? 12. How would you recommend the government evaluate the risk from companies, products, or services that do not comply with cybersecurity standards? Commercial Practices: In general, DoD and GSA seek information about commercial procurement practices related to cybersecurity. For example: 13. To what extent do any commonly used commercial standards fulfill federal requirements for your sector? 14. Is there a widely accepted risk analysis framework that is used within your sector that the federal acquisition community could adapt to help determine which acquisitions should include the requirement to apply cybersecurity standards? 15. Describe your organization’s policies and procedures for governing cybersecurity risk. How does senior management communicate and oversee these policies and procedures? How has this affected your organization’s procurement activities? 16. Does your organization use ‘‘preferred’’ or ‘‘authorized’’ suppliers or resellers to address cybersecurity risk? How are the suppliers identified and utilized? 17. What tools are you using to brief cybersecurity risks in procurement to your organization’s management? 18. What performance metrics and goals do organizations adopt to ensure their ability to manage cybersecurity risk in procurement and maintain the ability to provide essential services? 19. Is your organization a preferred supplier to any customers that require adherence to cybersecurity standards for procurement? What are the requirements to obtain preferred supplier status with this customer? 20. What procedures or assessments does your organization have in place to vet and approve vendors from the perspective of cybersecurity risk? 21. How does your organization handle and address cybersecurity incidents that occur in procurements? Do you aggregate this information for future use? How do you use it? 22. What mechanisms does your organization have in place for the secure exchange of information and data in procurements? 23. Does your organization have a procurement policy for the disposal for hardware and software? VerDate Mar<15>2010 16:13 May 10, 2013 Jkt 229001 24. How does your organization address new and emerging threats or risks in procurement for private sector commercial transactions? Is this process the same or different when performing a federal contract? Explain. 25. Within your organization’s corporate governance structure, where is cyber risk management located (e.g., CIO, CFO, Risk Executive)? 26. If applicable, does your Corporate Audit/Risk Committee examine retained risks from cyber and implement special controls to mitigate those retained risks? 27. Are losses from cyber risks and breaches treated as a cost of doing business? 28. Does your organization have evidence of a common set of information security standards (e.g., written guidelines, operating manuals, etc)? 29. Does your organization disclose vulnerabilities in your product/services to your customers as soon as they become known? Why or why not? 30. Does your organization have trackand-trace capabilities and/or the means to establish the provenance of products/ services throughout your supply chain? 31. What testing and validation practices does your organization currently use to ensure security and reliability of products it purchases? Harmonization: In general, DoD and GSA seek information about any conflicts in statutes, regulations, policies, practices, contractual terms and conditions, or acquisition processes affecting federal acquisition requirements related to cybersecurity and how the federal government might address those conflicts. For example: 32. What cybersecurity requirements that affect procurement in the United States (e.g., local, state, federal, and other) has your organization encountered? What are the conflicts in these requirements, if any? How can any such conflicts best be harmonized or deconflicted? 33. What role, in your organization’s view, should national/international standards organizations play in cybersecurity in federal acquisitions? 34. What cybersecurity requirements that affect your organization’s procurement activities outside of the United States (e.g., local, state, national, and other) has your organization encountered? What are the conflicts in these requirements, if any? How can any such conflicts best be harmonized or deconflicted with current or new requirements in the United States? 35. Are you required by the terms of contracts with federal agencies to comply with unnecessarily duplicative PO 00000 Frm 00034 Fmt 4703 Sfmt 4703 or conflicting cybersecurity requirements? Please provide details. 36. What policies, practices, or other acquisition processes should the federal government change in order to achieve cybersecurity in federal acquisitions? 37. Has your organization recognized competing interests amongst procurement security standards in the private sector? How has your company reconciled these competing or conflicting standards? Dated: May 7, 2013. Darren Blue, Associate Administrator for the GSA, Office of Emergency Response and Recovery. [FR Doc. 2013–11239 Filed 5–10–13; 8:45 am] BILLING CODE 6820–89–P GENERAL SERVICES ADMINISTRATION [FMR Bulletin–PBS–2013–01; Docket 2013– 0002; Sequence 5] Federal Management Regulation; Redesignations of Federal Buildings Public Buildings Service (PBS), General Services Administration (GSA). ACTION: Notice of a bulletin. AGENCY: SUMMARY: The attached bulletin announces the designation and redesignation of six Federal buildings. DATES: Expiration Date: This bulletin announcement expires July 30, 2013. The building designations and redesignations remains in effect until canceled or superseded by another bulletin. U.S. General Services Administration, Public Buildings Service (PBS), 1800 F Street NW., Washington, DC 20405, telephone number: 202–501–1100. FOR FURTHER INFORMATION CONTACT: Dan Tangherlini, Acting Administrator of General Services. U.S. GENERAL SERVICES ADMINISTRATION DESIGNATIONS AND REDESIGNATION OF FEDERAL BUILDINGS TO: Heads of Federal Agencies SUBJECT: Redesignations of Federal Buildings 1. What is the purpose of this bulletin? This bulletin announces the designation and redesignation of six Federal buildings. 2. When does this bulletin expire? This bulletin announcement expires July 30, 2013. The building designations and redesignations remain in effect until E:\FR\FM\13MYN1.SGM 13MYN1

Agencies

[Federal Register Volume 78, Number 92 (Monday, May 13, 2013)]
[Notices]
[Pages 27966-27968]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-11239]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-OERR-2013-01; Docket No. 2013-0002; Sequence 10]


Joint Working Group on Improving Cybersecurity and Resilience 
Through Acquisition

AGENCY: Office of Emergency Response and Recovery, U.S. General 
Services Administration (GSA).

ACTION: Request for information.

-----------------------------------------------------------------------

SUMMARY: On February 12th, 2013, the President issued the Executive 
Order for Improving Critical Infrastructure Cybersecurity (Executive 
Order 13636). In accordance with Section 8(e) of Executive Order 13636, 
within 120 days, the General Services Administration and the Department 
of Defense, in consultation with the Department of Homeland Security 
and the Federal Acquisition Regulation Council, are required to make 
recommendations on the feasibility, security benefits, and relative 
merits of incorporating security standards into acquisition planning 
and contract administration and address what steps

[[Page 27967]]

can be taken to harmonize, and make consistent, existing procurement 
requirements related to cybersecurity.
    Public outreach is a critically important activity for 
implementation of the Executive Order. In an effort to obtain broad 
stakeholder involvement, the General Services Administration and the 
Department of Defense are publishing this Request for Information (RFI) 
seeking information that can be used in the Section 8(e) report.

DATES: Effective date: Submit comments on or before June 12, 2013.

ADDRESSES: Submit comments in response to Notice-OERR-2013-01 by any of 
the following methods:
     Regulations.gov: http://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by searching for ``Notice-
OERR-2013-01''. Select the link ``Submit a Comment'' that corresponds 
with ``Notice-OERR-2013-01''. Follow the instructions provided at the 
``Submit a Comment'' screen. Please include your name, company name (if 
any), and ``Notice-OERR-2013-01'' on your attached document.
     Mail: General Services Administration, Regulatory 
Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street NE., 7th 
Floor, Washington, DC 20417.
    Instructions: Please submit comments only and cite ``Notice-OERR-
2013-01'', in all correspondence related to this case. All comments 
received will be posted without change to http://www.regulations.gov, 
including any personal and/or business confidential information 
provided.

FOR FURTHER INFORMATION CONTACT: Mr. Emile Monette, U.S. General 
Services Administration, at emile.monette@gsa.gov or 703-605-5470.

SUPPLEMENTARY INFORMATION: 

A. Background

    On February 12th, 2013, the President issued the Executive Order 
for Improving Critical Infrastructure Cybersecurity (E.O. 13636) and 
the Presidential Policy Directive on Critical Infrastructure Security 
and Resilience (PPD-21). In accordance with Section 8(e) of Executive 
Order 13636 (EO), within 120 days, the General Services Administration 
and the Department of Defense, in consultation with the Department of 
Homeland Security and the Federal Acquisition Regulation Council, are 
required to make recommendations on the feasibility, security benefits, 
and relative merits of incorporating security standards into 
acquisition planning and contract administration and address what steps 
can be taken to harmonize, and make consistent, existing procurement 
requirements related to cybersecurity. Among other things, PPD-21 
requires the General Services Administration, in consultation with the 
Department of Defense and the Department of Homeland Security, to 
jointly provide and support government-wide contracts for critical 
infrastructure systems and ensure that such contracts include audit 
rights for the security and resilience of critical infrastructure.
    In order to accomplish the task required by EO Section 8(e), the 
General Services Administration (GSA) and the Department of Defense 
(DoD) have formed the ``Joint Working Group on Improving Cybersecurity 
and Resilience through Acquisition,'' (Working Group) with GSA as the 
lead agency. The Working Group is comprised of topic-knowledgeable 
members selected from the DoD, GSA, the Department of Homeland Security 
(DHS), the Office of Federal Procurement Policy (OFPP), and the 
National Institute of Standards and Technology (NIST). The Working 
Group is coordinating its efforts to obtain input from the stakeholder 
community, including industry, academia, and federal, state, and local 
government.
    Public outreach is a critically important activity for 
implementation of the EO and PPD. In an effort to obtain broad 
stakeholder involvement, the Working Group is publishing this Request 
for Information (RFI) seeking information that can be used in the 
Section 8(e) report. To the extent applicable, the Section 8(e) 
recommendations will also lay the foundation for establishment or 
identification of the government-wide cybersecurity contracts required 
by PPD-21.
    The Working Group is also directly engaged with the DHS Interagency 
Task Force (ITF). The ITF has been established to lead implementation 
of the EO and PPD-21, including, among other things, stakeholder 
engagement. The ITF has established working groups to accomplish the 
major deliverables and action items required by the EO and PPD, and 
this RFI for the Section 8(e) report is one element of the larger 
outreach efforts underway to address the requirements of the EO and 
PPD.
    The importance of common language cannot be overstated. It is 
apparent that a common lexicon is one of the critical gaps in 
harmonizing federal acquisition requirements related to cybersecurity.
    Given the limitations of the unsettled definition of the word, for 
purposes of this RFI, the term ``cybersecurity'' is given a broad 
meaning that includes information security and related areas, like 
supply chain risk management, information assurance, and software 
assurance, as well as other efforts to address threats or 
vulnerabilities flowing from or enabled by connection to digital 
infrastructure.
    In responding to the questions below, please highlight any 
applicable distinctions in responses related to classified and 
unclassified acquisitions.
    Feasibility and Federal Acquisition: In general, DoD and GSA seek 
input about the feasibility of incorporating cybersecurity standards 
into federal acquisitions.
    For example:
    1. What is the most feasible method to incorporate cybersecurity-
relevant standards in acquisition planning and contract administration? 
What are the cost and other resource implications for the federal 
acquisition system stakeholders?
    2. How can the federal acquisition system, given its inherent 
constraints and the current fiscal realities, best use incentives to 
increase cybersecurity amongst federal contractors and suppliers at all 
tiers? How can this be accomplished while minimizing barriers to entry 
to the federal market?
    3. What are the implications of imposing a set of cybersecurity 
baseline standards and implementing an associated accreditation 
program?
    4. How can cybersecurity be improved using standards in acquisition 
planning and contract administration?
    5. What are the greatest challenges in developing a cross-sector 
standards-based approach cybersecurity risk analysis and mitigation 
process for the federal acquisition system?
    6. What is the appropriate balance between the effectiveness and 
feasibility of implementing baseline security requirements for all 
businesses?
    7. How can the government increase cybersecurity in federal 
acquisitions while minimizing barriers to entry?
    8. Are there specific categories of acquisitions to which federal 
cybersecurity standards should (or should not) apply?
    9. Beyond the general duty to protect government information in 
federal contracts, what greater levels of security should be applied to 
which categories of federal acquisition or sectors of commerce?
    10. How can the Federal government change its acquisition practices 
to ensure the risk owner (typically the end user) makes the critical 
decisions about that risk throughout the acquisition lifecycle?
    11. How do contract type (e.g., firm fixed price, time and 
materials, cost-

[[Page 27968]]

plus, etc.) and source selection method (e.g., lowest price technically 
acceptable, best value, etc.) affect your organization's cybersecurity 
risk definition and assessment in federal acquisitions?
    12. How would you recommend the government evaluate the risk from 
companies, products, or services that do not comply with cybersecurity 
standards?
    Commercial Practices: In general, DoD and GSA seek information 
about commercial procurement practices related to cybersecurity.
    For example:
    13. To what extent do any commonly used commercial standards 
fulfill federal requirements for your sector?
    14. Is there a widely accepted risk analysis framework that is used 
within your sector that the federal acquisition community could adapt 
to help determine which acquisitions should include the requirement to 
apply cybersecurity standards?
    15. Describe your organization's policies and procedures for 
governing cybersecurity risk. How does senior management communicate 
and oversee these policies and procedures? How has this affected your 
organization's procurement activities?
    16. Does your organization use ``preferred'' or ``authorized'' 
suppliers or resellers to address cybersecurity risk? How are the 
suppliers identified and utilized?
    17. What tools are you using to brief cybersecurity risks in 
procurement to your organization's management?
    18. What performance metrics and goals do organizations adopt to 
ensure their ability to manage cybersecurity risk in procurement and 
maintain the ability to provide essential services?
    19. Is your organization a preferred supplier to any customers that 
require adherence to cybersecurity standards for procurement? What are 
the requirements to obtain preferred supplier status with this 
customer?
    20. What procedures or assessments does your organization have in 
place to vet and approve vendors from the perspective of cybersecurity 
risk?
    21. How does your organization handle and address cybersecurity 
incidents that occur in procurements? Do you aggregate this information 
for future use? How do you use it?
    22. What mechanisms does your organization have in place for the 
secure exchange of information and data in procurements?
    23. Does your organization have a procurement policy for the 
disposal for hardware and software?
    24. How does your organization address new and emerging threats or 
risks in procurement for private sector commercial transactions? Is 
this process the same or different when performing a federal contract? 
Explain.
    25. Within your organization's corporate governance structure, 
where is cyber risk management located (e.g., CIO, CFO, Risk 
Executive)?
    26. If applicable, does your Corporate Audit/Risk Committee examine 
retained risks from cyber and implement special controls to mitigate 
those retained risks?
    27. Are losses from cyber risks and breaches treated as a cost of 
doing business?
    28. Does your organization have evidence of a common set of 
information security standards (e.g., written guidelines, operating 
manuals, etc)?
    29. Does your organization disclose vulnerabilities in your 
product/services to your customers as soon as they become known? Why or 
why not?
    30. Does your organization have track-and-trace capabilities and/or 
the means to establish the provenance of products/services throughout 
your supply chain?
    31. What testing and validation practices does your organization 
currently use to ensure security and reliability of products it 
purchases?
    Harmonization: In general, DoD and GSA seek information about any 
conflicts in statutes, regulations, policies, practices, contractual 
terms and conditions, or acquisition processes affecting federal 
acquisition requirements related to cybersecurity and how the federal 
government might address those conflicts.
    For example:
    32. What cybersecurity requirements that affect procurement in the 
United States (e.g., local, state, federal, and other) has your 
organization encountered? What are the conflicts in these requirements, 
if any? How can any such conflicts best be harmonized or de-conflicted?
    33. What role, in your organization's view, should national/
international standards organizations play in cybersecurity in federal 
acquisitions?
    34. What cybersecurity requirements that affect your organization's 
procurement activities outside of the United States (e.g., local, 
state, national, and other) has your organization encountered? What are 
the conflicts in these requirements, if any? How can any such conflicts 
best be harmonized or de-conflicted with current or new requirements in 
the United States?
    35. Are you required by the terms of contracts with federal 
agencies to comply with unnecessarily duplicative or conflicting 
cybersecurity requirements? Please provide details.
    36. What policies, practices, or other acquisition processes should 
the federal government change in order to achieve cybersecurity in 
federal acquisitions?
    37. Has your organization recognized competing interests amongst 
procurement security standards in the private sector? How has your 
company reconciled these competing or conflicting standards?

    Dated: May 7, 2013.
Darren Blue,
Associate Administrator for the GSA, Office of Emergency Response and 
Recovery.
[FR Doc. 2013-11239 Filed 5-10-13; 8:45 am]
BILLING CODE 6820-89-P