A new set of recommendations aims to change the entrenched federal acquisition culture. The Defense Department and the General Services Administration made six suggestions Jan. 23 for addressing cybersecurity issues at the very beginning of any procurement.
The goal of the recommendations is to make the federal procurement community more cyber conscious.
“We identified gaps in the acquisition system, and one of the gaps is we don’t often understand what the risk is in terms of cyber in the solution or deliverable we are purchasing, and because we don’t understand the risks, we make decisions that are not informed and end up with a deliverable that doesn’t meet our needs,” said Emile Monette, GSA’s senior adviser for cyber in the Office of Mission Assurance, in an interview with Federal News Radio Wednesday. “The other gap is the risk tolerance of the end user is not always understood by the buyer. We really wanted to bring those two things to the forefront.”
GSA and DoD led the effort to come up with recommendations as required in President Barack Obama’s cyber Executive Order from last February.
The working group, which included the National Institute of Standards and Technology and the Office of Federal Procurement Policy, determined areas ripe for change based on gaps in federal procurement or based on industry best practices.
“There are a couple things here that are something that industry has been directly calling for for years, like the requirement to purchase from original equipment manufacturers, their authorized resellers or other trusted sources. That’s a low-hanging risk criteria that industry adopted many, many years ago in their supply chains to maintain the integrity of products they deliver, whether it’s commercial or the government. So we are happy to see things like that in there,” said Trey Hodgkins, the senior vice president of the public sector for the IT Alliance for the Public Sector (ITAPS). “The other thing we suggested to the government multiple times is that some of the acquisition practices and processes used today, and I’ll point to lowest-price, technically acceptable (LPTA) as a good example, in certain circumstances contribute or add to the risk that this effort is attempting to address. Seeking out and only using the lowest price as a filter or threshold for acquiring goods and services doesn’t get you the level of assurance this exercise and other exercises are seeking in government acquisitions.”
GSA and DoD held more than 40 meetings with industry associations and others, including TechAmerica, the Professional Services Council, the Coalition for Government Procurement, privacy companies and many others. Hodgkins said industry’s input is clear from both the draft recommendations issued last summer and these final ones.
Developing a baseline for cyber requirements as standard clauses in all contracts.
Developing standard definitions for cyber terms.
Developing and instituting a cyber risk management framework.
Requiring all contracts for agencies a clause that requires them to buy only from original equipment manufacturers or authorized resellers.
Increasing government accountability for cyber risk management.
Monette said of the six, the cyber risk management framework is among the most important of the recommendations because almost every other suggestion is dependent on that framework.
“It’s really about addressing security as the strategic issue that it is. The idea is at the end of this, we would be building security in instead of bolting it on and fixing field systems and things like that,” he said. “One of the outcomes that is sort of an interim step to implementing this recommendation is to define a repeatable process for addressing cyber risk in acquisitions. We are bringing together, blending what are traditional sourcing or procurement practices with information security practices.”
Monette said, for example, the working group could use NIST Special Publication 800-53, Rev 4 to identify which security controls apply to a particular acquisition. Then, the committee could match that process with OFPP guidance or Federal Acquisition Regulations clause on pricing data that would address, for instance, when it’s inappropriate to use LPTA or how you weigh source selection criteria or performance indicators.
“We would couple those together and identify them as a baseline or as a minimum or threshold requirement for different types of acquisitions,” he said.
Recognizing, accepting risk
Monette said the working group will look through the entire procurement spend and decide which types of acquisitions present the biggest cyber risks.
Monette said then the working group will develop overlays, which are a group of security controls that can be applied to acquisition practices.
The other recommendations that could have a big impact deal with lowering and recognizing risk that come with acquisitions.
“Purchasing from an original manufacturer, whether it’s an equipment manufacturer or component manufacturer, is the best practice. It’s the best mitigation to reduce risk,” Monette said. “The intent here is this would be pretty narrowly applied. It would apply to certain categories of acquisitions that are determined to be higher risk.”
The other way to reduce risk is to ensure the system owner understands what potential cyber threats or vulnerabilities exist.
“Throughout the acquisition lifecycle from the very beginning when requirements definition is happening, get a sign off from an accountable individual, whether that’s the program manager or budget owner, the idea is we get to that person who is the risk owner,” Monette said. “We want them to sign off on two things. One is they understand what the cyber risk is in the thing they are buying. Two is they are incorporating sufficient controls to meet their risk tolerance as an end user and risk owner.”
Hodgkins said the recommendation to improve the training of acquisition workers in cyber could have the most immediate dividends.
In fact, the Federal Acquisition Institute, the Defense Acquisition University and the Homeland Security Acquisition Institute are collecting the available courses governmentwide and figuring out how best to create a curriculum that helps contracting officers and others better understand cyber concepts.
Monette said the first meeting of this group happened last week, and they will set milestones and timelines in the coming weeks.
The devil is in the details
Jonathan Cedarbaum, a partner in WilmerHale’s government and regulatory litigation office, said the recommendations are really more like potential requirements for government contractors. He said on the surface the recommendations seem valuable, but the devil will be in the details.
“I think the issue of defining common cybersecurity terms for federal acquisitions will be an area where lots of companies will be interested in, because as anybody who follows government contracting knows, the way in which terms are defined can often have substantial effects. So that will be very important,” Cedarbaum said. “The issue about purchasing from trusted sources, which goes to this issue that extends beyond the government contracting sector about supply chain security, will be another area of great interest.”
As for the next steps, Monette said GSA will release a request for information around the cybersecurity risk framework in the next few months and ask industry and others for comment.
He said the recommendations will be phased in partly because of their interdependence, but also due to limited resources.
“We really have to have a balance and a mix of regulatory and non-regulatory. It has to be both because nothing happens until you have a clause in a contract. FAR changes will cause action both on the contracting officer’s side and on the contractor’s side. So we have to have some changes to the FAR,” Monette said. “I think they would be things that would be updates to existing policy, maybe incorporating things and changing things DoD is doing at a Defense FARs level and bring them up to the FAR. We will have to see. It’s a touchy subject in terms of changing the regulations. A lot of times the FAR cases collapse under their own weight. We need to be careful about it. We need to be deliberate about it. I think at the end of the day we will end up with something of a layered approach that includes best practices guides, agency level guidance, probably some policy and certainly some regulation.”
At the same time, however, Cedarbaum said the government has to be careful not to make the implementation details too prescriptive- or regulatory- focused, because that could create both roadblocks and unintended consequences.
Hodgkins added industry recognizes these suggestions on the surface as something vendors will have to do in order to participate in the federal market. But how the recommendations are implemented could include some incentives, such as extra evaluation factor points or other real incentives, to get industry on board more quickly.