Cybersecurity is a key component of all contracts between U.S. government agencies and information technology vendors. Yet cyberbreaches continue to occur — some of them with alarming scope and depth.
The White House is seeking input from private sector vendors and others on how to improve the cybersecurity elements involved in federal government purchases of IT equipment and services. The Office of Management and Budget recently released draft guidance dealing with that issue, and it will accept input on the proposal until Sept. 10.
While the OMB initiative began well before the disclosures of recent federal agency breaches, those breaches demonstrate the need for significantly bolstering cyberprotection in IT-related contracts. The Office of Personnel Management in July revealed that a cybersecurity intrusion compromised sensitive information affecting more than 20 million people. The U.S. Internal Revenue Service last month disclosed that a breach, first reported in May, had affected the personal data of more than 330,000 individuals.
“The increase in threats facing federal information systems demands that certain issues regarding security of information on those systems be clearly, effectively and consistently addressed in federal contracts,” said Tony Scott, U.S. chief information officer, referring to OMB’s proposals.
Guidance Document Targets 5 Issues
The OMB guidance, “Improving Cybersecurity Protections in Federal Acquisitions,” focuses on five key elements:
- Security controls: The guidance calls for federal agencies to observe protocols recommended by the National Institute of Standards. One protocol covers IT systems operated on the government’s behalf. The second involves a contractor’s internal systems that are used to provide a product or service for the government, but that contain controlled unclassified information only incidentally.
- Cyber Incident Reporting: OMB attempts to clarify the definition of a cyberincident. It notes the differences in reporting requirements for incidents involving systems operated on behalf of the government, as opposed to those involving a contractor’s internal system.
- Information System Security Assessments: Contractors who operate information systems or provide related services on behalf of federal agencies must ensure that certain safeguards, along with an authority to operate, are in place prior to the operation of the system.
- Continuous Monitoring: Current protocols provide for continuous diagnostics and mitigation procedures, generally in conformity with NIST recommendations. Existing contracts may direct the contractor to self-report required information security continuous monitoring information to the agency, according to OMB, but that approach may not be sufficient. Agencies and contractors must collaborate to devise and implement an appropriate solution.
- Business Due Diligence: Federal agencies need to improve their knowledge of contractor capabilities, offerings and cybersecurity performance, as part of a business due diligence component in contracting, according to the OMB. The guidance recommends the use of public records, media reports and other commercial sector sources of information for that purpose.
Contract Experts Spot Gaps
The OMB guidance document may be more useful as a starting point for improving contracting protocols than as a definitive set of standards.
“It is helpful that the government is seeking comments on an approach to instituting cybersecurity requirements in federal procurements,” said Susan Cassidy, a partner at law firm Covington & Burling.
However, the OMB proposal falls short of the mark, she told the E-Commerce Times. For example, OMB’s proposal to ensure that cybersecurity is clearly, effectively and consistently addressed in federal contracts still gives agencies significant leeway in implementing cyber-requirements.
Vendor liability related to cybersecurity remains a vexing issue in federal IT contracting, and comes into play in several components of the OMB document. However, OMB’s proposal is still insufficient, according to Cassidy.
“The guidance does not address liability protection for contractors and vendors that report cyberincidents in any meaningful way. In the section on cyberincident reporting, the guidance notes that agencies should include language in their contracts stating that a properly reported cyberincident shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI — but that offers no real protection,” she maintained.
“Currently, contractor information systems may be subject to multiple and sometimes conflicting cybersecurity requirements, depending on the agencies with whom it contracts,” Cassidy said. “This guidance does not alleviate that problem and may even exacerbate it.”
Whether the guidance provides sufficient liability protection for vendors depends on your definition of “sufficient,” said Alan Webber, research director at IDC Government Insights.
“I believe it provides a basic level of protection for vendors and contractors. That being said, it doesn’t totally remove all liability for vendors and contractors for breaches,” he told the E-Commerce Times.
“For example, if a vendor’s employee violates a security policy and the vendor knows about it, or should have reasonably known about it, then there is still the potential for liability,” Webber explained. “If a vendor fails to stay up to date on system patches for some reason, then there is still liability.”
Due Diligence Needs Bolstering
The OMB’s proposal to use vendor information discovered in business due diligence efforts also is problematic, and it is unlikely that such efforts will enhance cyberprotection significantly, Webber said.
As long as vendors and contractors are selected on price, “there will be pressure to find the least-expensive solution possible. The key here is that due diligence is good, but comes at a cost, and there is no guidance from OMB on how to balance the cost with the benefits,” he pointed out.
“It is unclear exactly how the government is going to use the information from the business due diligence requirements. Additional information is needed from the government as to how this information will be collected and what it will be used for in acquisitions,” Covington & Burling’s Cassidy noted.
“Industry desperately needs more guidance in this area,” said Dan Waddell, director of U.S. Government Affairs for the International Information Systems Security Certification Consortium.
“I recommend that OMB investigate how the DHS’s Safety Act of 2002 can support this effort,” he told the E-Commerce Times.
The Safety Act is meant to provide critical incentives for the development and deployment of antiterrorism technologies by ensuring liability protection for sellers of qualified antiterrorism technologies, according to the Department of Homeland Security. The law includes information technology products as eligible for DHS approval. Protections include exclusive jurisdiction in federal courts, a bar against punitive damages, and other damage limitations.
Vendors theoretically could use DHS approval under the Safety Act as a positive factor in any business due diligence review.
Vendors judged competent, and even superior as a result of due diligence research, could parlay that standing into a marketing advantage — at least potentially.
“However, as with marketing in general, the devil is in the details. If a vendor is making these claims, I would want to be able to verify this independently as part of my due diligence before I decide to do business with them,” Waddell said.
It would be helpful to have such information available in federal contractor databases, he added.
Judging by the analysis of the guidance document by these experts, OMB can expect a robust response in comments from the IT sector.
“I do think OMB’s effort is a good start,” said IDC’s Webber. “However, it is just a start. Given the evolving nature of cybersecurity, and that this is a very reactive approach and thus dated very quickly, I don’t see this as having a long-term impact.”