In the latest major regulatory development on cybersecurity, a Working Group of the General Services Administration (GSA) and the Department of Defense (DoD), in consultation with the Department of Homeland Security (DHS) and the FAR Council, has invited the public to comment on what cybersecurity measures and parameters would be appropriate to be adopted in federal procurements. In a Request for Information (RFI) published on May 13 in the Federal Register, the Working Group advised it is accepting input until June 12, but in actuality input must be received by May 15 if it is going to be fully considered in the final report. The RFI provides a critical opportunity for industry to comment on potentially significant changes to cybersecurity requirements in federal acquisitions.
The Working Group is implementing requirements under Executive Order (EO) 13636. Much of the early focus on EO 13636 centered on the development of a voluntary cyber framework by the National Institute of Standards and Technology (NIST), which would then be implemented by the DHS. Indeed, much attention was paid to what incentives the DHS would utilize to encourage companies to adopt the voluntary cyber framework.
With so much focus on the framework, Section 8(e) of the Executive Order was almost lost in the noise. Section 8(e) quietly but emphatically directed that within 120 days of the issuance of the EO, the GSA and the DoD, along with the DHS and the FAR Council, were to deliver recommendations on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The agencies would also recommend what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity. The GSA established the DoD-GSA Sec. 8(e) Working Group, which includes representatives from the DoD, the DHS, the Office of Federal Procurement Policy, and NIST.
The reality here is that government contractors MUST provide their input in a timely fashion to the Working Group, because the report and the recommendations will fundamentally alter government contracting for years to come. The cyber threat is real, present, and growing, and the federal government will not sit idly by and allow its contractors to conduct business without any meaningful cybersecurity requirements placed on them.
Thus, it will be vital for companies to submit their comments and do so in a way that recognizes the seismic changes occurring. As these cybersecurity requirements are implemented, they could alter a company’s business model, by:
- Creating new grounds on which to determine whether a company’s proposal is technically acceptable;
- Creating new bases to protest contracts pre and post award;
- Creating increased requirements that, if breached, could lead to contract termination or even debarment; and
- Fundamentally altering the financial resources that must be invested in order to be a government contractor in good standing.
Comments being solicited from industry are essentially broken down into three key areas: 1) Feasibility & Federal Acquisition – addressing the development of acquisition standards and evaluation criteria that should be incorporated into federal procurements; 2) Commercial Practices – addressing current commercial cybersecurity practices, policies, and procedures; and 3) Harmonization – addressing how to align federal cybersecurity standards with state, local, national, and international standards.
FEASIBILITY & FEDERAL ACQUISITION: In general, the DoD and the GSA seek input about the feasibility of incorporating cybersecurity standards into federal acquisitions.
- What is the most feasible method to incorporate cybersecurity relevant standards in acquisition planning and contract administration? What are the cost and other resource implications for the federal acquisition system stakeholders?
- How can the federal acquisition system, given its inherent constraints and the current fiscal realities, best use incentives to increase cybersecurity amongst federal contractors and suppliers at all tiers? How can this be accomplished while minimizing barriers to entry to the federal market?
- What are the implications of imposing a set of cybersecurity baseline standards and implementing an associated accreditation program?
- How can cybersecurity be improved using standards in acquisition planning and contract administration?
- What are the greatest challenges in developing a cross-sector standards-based approach cybersecurity risk analysis and mitigation process for the federal acquisition system?
- What is the appropriate balance between the effectiveness and feasibility of implementing baseline security requirements for all businesses?
- How can the government increase cybersecurity in federal acquisitions while minimizing barriers to entry?
- Are there specific categories of acquisitions to which federal cybersecurity standards should (or should not) apply?
- Beyond the general duty to protect government information in federal contracts, what greater levels of security should be applied to which categories of federal acquisition or sectors of commerce?
- How can the federal government change its acquisition practices to ensure that the risk owner (typically the end user) makes the critical decisions about that risk throughout the acquisition life cycle?
- How do contract type (e.g., firm fixed price, time and materials, cost-plus, etc.) and source selection method (e.g., lowest price technically acceptable, best value, etc.) affect your organization’s cybersecurity risk definition and assessment in federal acquisitions?
- How would you recommend the government evaluate the risk from companies, products, or services that do not comply with cybersecurity standards?
COMMERCIAL PRACTICES: In general, the DoD and the GSA seek information about commercial procurement practices related to cybersecurity.
- To what extent do any commonly used commercial standards fulfill federal requirements for your sector?
- Is there a widely accepted risk analysis framework that is used within your sector that the federal acquisition community could adapt to help determine which acquisitions should include the requirement to apply cybersecurity standards?
- Describe your organization’s policies and procedures for governing cybersecurity risk. How does senior management communicate and oversee these policies and procedures? How has this affected your organization’s procurement activities?
- Does your organization use “preferred” or “authorized” suppliers to address cybersecurity risk? How are the suppliers identified and utilized?
- What tools are you using to brief cybersecurity risks in procurement to your organization’s management?
- What performance metrics and goals do organizations adopt to ensure their ability to manage cybersecurity risk in procurement and maintain the ability to provide essential services?
- Is your organization a preferred supplier to any customers that require adherence to cybersecurity standards for procurement? What are the requirements to obtain preferred supplier status with this customer?
- What procedures or assessments does your organization have in place to vet and approve vendors from the perspective of cybersecurity risk?
- How does your organization handle and address cybersecurity incidents that occur in procurements? Do you aggregate this information for future use? How do you use it?
- What mechanisms does your organization have in place for the secure exchange of information and data in procurements?
- Does your organization have a procurement policy for the disposal of hardware and software?
- How does your organization address new and emerging threats or risks in procurement for private sector commercial transactions? Is this process the same or different when performing a federal contract? Explain.
- Within your organization’s corporate governance structure, where is cyber risk management located (e.g., CIO, CFO, Risk Executive)?
- If applicable, does your Corporate Audit/Risk Committee examine retained risks from cyber threats and implement special controls to mitigate those retained risks?
- Are losses from cyber risks and breaches treated as a cost of doing business?
- Does your organization have evidence of a common set of information security standards (e.g., written guidelines, operating manuals, etc.)?
- Does your organization disclose vulnerabilities in your products/services to your customers as soon as they become known? Why or why not?
- Does your organization have track-and-trace capabilities and/or the means to establish the provenance of products/services throughout your supply chain?
- What testing and validation practices does your organization currently use to ensure security and reliability of products it purchases?
HARMONIZATION: In general, the DoD and the GSA seek information about any conflicts in statutes, regulations, policies, practices, contractual terms and conditions, or acquisition processes affecting federal acquisition requirements practices related to cybersecurity and how the federal government might address those conflicts.
- What cybersecurity requirements that affect procurement in the United States (e.g., local, state, national, and other) has your organization encountered? What are the conflicts in these requirements, if any? How can any such conflicts best be harmonized or de-conflicted?
- What role, in your organization’s view, should national/international standards organizations play in cybersecurity in federal acquisitions?
- What cybersecurity requirements that affect your organization’s procurement activities outside of the United States (e.g., local, state, national, and other) has your organization encountered? What are the conflicts in these requirements, if any? How can any such conflicts best be harmonized or de-conflicted with current or new requirements in the United States?
- Are you required by the terms of contracts with federal agencies to comply with unnecessarily duplicative or conflicting cybersecurity requirements? Please provide details.
- What policies, practices, or other acquisition processes should the federal government change in order to achieve cybersecurity in federal acquisitions?
- Has your organization recognized competing interests amongst procurement security standards in the private sector? How has your company reconciled these competing or conflicting standards?
At the end of the day, cybersecurity requirements are inevitable. Even if the Working Group moves slowly in implementing recommendations, Congress has shown a willingness to act independently and decisively on new procurement rules. Thus, contractors need to move quickly and decisively to submit comments by May 15, and they should work closely with their procurement counsel to determine what recommendations from the Working Group would be the least burdensome while effectively adding to the federal government’s cybersecurity posture. Failure to do both will mean a narrow window of opportunity will be missed, and much scrambling will have to be done in order to meet potentially unrealistic or irrelevant cybersecurity measures.
Brian Finch is GTSC’s Strategic Partner and a partner at Dickstein Shapiro LLP, where he leads the Global Security practice. He can be reached email@example.com or 202-420-4823.