Private companies that do business with the U.S. government have a big stake in how federal agencies regulate the cybersecurity elements of federal contracts. As the number and sophistication of cyberthreats increases, the government is attempting to keep pace by upgrading cyber-requirements.
The government has now launched a program that gives the private sector an opportunity to shape the future design and scope of those requirements in federal contracts. Companies have until June 12, 2013, to respond to a General Services Administration request for information, or RFI, on a wide range of cyberissues that directly or indirectly affect federal contracting.
The initiative to obtain feedback from the private sector stems from a presidential executive order entitled “Improving Critical Infrastructure Cybersecurity.” The order, issued in February, is designed to “maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Contract Clause Sparks Interest
The directive largely deals with issues related to power, water, communications and transportation, but it also covers a potentially broad scope of undefined private and public systems and assets that are deemed vital to the country.
A short sub-section tucked into the executive order deals with incorporating cybersecurity standards into federal acquisition planning and contract administration. That brief reference sparked GSA’s invitation to the private sector for comment — and also drew the attention of the federal IT contracting community.
The impact could be critical for federal contractors. “It could dramatically change the complexion of federal IT procurement,” said Steve Charles, cofounder and executive vice president of the immixGroup.
“Executive orders have the force of law unless or until they are overturned by a president,” he told the E-Commerce Times.
GSA, on behalf of a federal working group, will submit cybersecurity contract recommendations to the Obama administration by early summer.
“The cyberthreat is real, present, and growing, and the federal government will not sit idly by and allow its contractors to conduct business without any meaningful cybersecurity requirements placed on them,” Justin Chiarodo, a partner at Dickstein Shapiro, told the E-Commerce Times.
The contracting section of the policy brings up the idea of “how to improve agency security by adding more cyberconsiderations to each step of the acquisition and procurement processes,” Charles said.
“This is where manufacturers and software developers of anything that connects to networks could be affected,” he pointed out.
“All contractors — regardless of size or industry — need to be prepared for new cybersecurity regulations,” said Chiarodo.
“We expect that contractors in the information technology, intelligence, defense and critical infrastructure sectors will need to pay special attention to those requirements and are likely to be most impacted by enhanced requirements,” he noted. “However, all contractors that provide any sort of service or have their systems connected to a federal agency should expect to be impacted.”
Private-sector firms should examine the RFI and submit comments to ensure that their voices are heard in the drafting of any regulations, both Charles and Chiarodo strongly advised.
What Do They Want?
The RFI poses 37 questions for industry comment. No single company or industry is obliged to answer all questions — the scope is designed to cast a wide net in the hope of covering a broad range of issues. For matters directly related to cybersecurity factors in federal contracting, the RFI asks the following:
- What is the most feasible method to incorporate cybersecurity-relevant standards in acquisition planning and contract administration? What are the cost and other resource implications for stakeholders?
- How can the federal acquisition system, given its inherent constraints and the current fiscal realities, best use incentives to increase cybersecurity among federal contractors and suppliers at all tiers? How can this be accomplished while minimizing barriers to entry to the federal market?
- How do contract types such as firm fixed price, time and materials, cost-plus, lowest price technically acceptable, and best value affect your organization’s cybersecurity risk in federal acquisitions?
- Are you required by the terms of contracts with federal agencies to comply with unnecessarily duplicative or conflicting cybersecurity requirements?
Some groups have already submitted comments. The Telecommunications Industry Association stressed that the approach to setting cybersecurity standards in contracting should avoid a rigid regulatory structure.
“TIA believes that efforts to improve cybersecurity — including in federal procurement — should leverage existing standardization and related accreditation programs in all cases possible. Federal policies should be technology-neutral, shouldn’t pick winners and losers, and shouldn’t set rigid requirements for acquisition and procurements,” Danielle Coffey, TIA’s vice president for government affairs, told the E-Commerce Times.
“Sweeping one-size-fits-all government mandates cannot keep pace with changes in technology and threats. Instead, voluntary, open, industry-led and consensus-based standards allow for fluid, responsive and rapid changes to be made,” she said.
The Software and Information Industry Association also cautioned against the imposition of inflexible standards.
Federal agencies should “resist an approach that is overly prescriptive, where mandates would have the adverse effect of slowing the development of standards in the private sector or have the unintended effect of putting U.S. companies at a disadvantage to their counterparts around the world,” SIIA urged.
The result of such an approach “would be to stifle innovation and create an impediment to enhancing cybersecurity,” the association said.
In a similar vein, immixGroup’s Charles is looking for a flexible approach.
“I’m hoping there is a centralized way for all buyers throughout the ecosystem to see what works and what doesn’t before there is an actual contracting action, and that there is a marketplace of best practices where sellers are competing and always raising the bar,” he said.
Congressional Action Also Needed
The executive order was issued in the midst of congressional consideration of broad cybersecurity measures.
“Using the authority of the February executive order, the administration wants to get increased cyberprotection any way it can, whether Congress acts or not,” said Charles.
“Everyone agrees that legislation is required to address some components of cybersecurity policy such as information sharing — and for providing incentives to the private sector,” TIA’s Coffey said.
“We’re optimistic that as the executive order is implemented by the agencies, Congress will focus on passing complementary legislation to allow for truly effective [bidirectional] information sharing, along with bills that would improve cyber-research and development and the overall cybersecurity public-private ecosystem,” she added.
Whatever federal contracting changes emerge from the policy, the result could provide a market opportunity for IT firms that offer cybersecurity compliance tools.
“While larger contractors — particularly in the defense and IT sectors — are likely to be well-positioned to address new compliance requirements, we expect many contractors will need advisory support in both getting and staying compliant with these requirements,” Dickstein Shapiro’s Chiarodo said.
“As we expect new regulations flowing from the working group’s efforts to require a huge range of contractors to implement new cybersecurity plans and solutions, we see tremendous opportunities for small and mid-size contractors in the space. We think innovation and a clear market focus will be critical to success,” he added, “as there is likely to be substantial competition in this area, given budget cuts in other areas and programs.”