Section 8(e) of Executive Order (EO) 13,636, Improving Critical Infrastructure Cybersecurity, issued on Feb 13, 2013, requires the Department of Defense (DoD) and the General Services Administration (GSA), in coordination with the FAR Council, to make recommendations to the President within 120 days of enactment on “incorporating security standards into acquisition planning and contract administration [including] what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.” The recommendations will take the form of an interagency report by the DoD-GSA Section 8(e) Working Group, which also includes representatives from the Department of Homeland Security (DHS), the Office of Federal Procurement Policy (OFPP), and the National Institute of Standards and Technology (NIST).

To that end, a long-awaited Request for Information (RFI) was published in the Federal Register on May 13, 2013.[1] In general, the RFI seeks industry input on the feasibility of incorporating cybersecurity standards into federal acquisitions; best commercial practices; and comments about how the government can address any conflicts in existing procurement rules related to cybersecurity. Due to the late release of the RFI and the imminent due date of the report to the President, GSA can only incorporate comments received by May 24th, 2013 into the draft report.

A discussion draft of the report has been made available for industry review. The key highlights in the draft report are:

  • Cybersecurity must be practiced in all stages of the acquisition lifecycle.
  • There is a need for a common set of definitions in the federal acquisition system that reconciles cybersecurity and acquisition terminology.
  • Federal acquisitions should be (1) categorized, (2) assessed for cybersecurity risk, and (3) prioritized according to risk, essential functions, and agency mission.
  • Based on the prioritized list of acquisition categories developed through the process described above, the government should develop cybersecurity overlays for each category, starting with the highest priority category.
  • The acquisition system should mandate formal approval by agency cybersecurity authorities in various stages of the acquisition lifecycle, including: early in the requirements definition phase; prior to issuing the solicitation and again prior to contract award; and review of contractor cybersecurity performance during contract administration.
  • The Government should develop common but role-specific cybersecurity risk and acquisition training across functional disciplines in the federal acquisition workforce.

Industry groups have already submitted comments responding to the RFI. TechAmerica’s Letter to the Section 8(e) Working Group has already been used in the IT Sector Coordinating Council’s (IT SCC) overall response from the IT industry.[2] TechAmerica’s concerns include:

  • The Federal Acquisition Process Must Be Reviewed for Risk. TechAmerica states that often the root cause of cybersecurity breaches has been federal acquisition practices and processes, not shortcomings on the part of the industry. The Government must acknowledge and address its own weaknesses, including weighing the push for lowest-priced items against increased cyber risks.
  • Avoid Static Regulations and Standards. Standards will have to change as cyber threats change and TechAmerica cautions against “prescriptive administrative actions that become static, or at least too static to keep up with the pace of innovation.”
  • Create a Risk-Based Tiered Approach to Identify and Apply Requirements. TechAmerica recommends that “a hierarchy of criticality should be identified on a program-by-program basis and that any recommendations proposed by the Working Group would only be applicable as a baseline, minimal supply chain assurance criteria.”
  • Provide Training Across Programs and Sectors. TechAmerica recommends “that the federal government develop procedures for program managers to identify items at risk for cybersecurity threats and utilize current industry standards.”

In order to implement the recommendations in the Working Group report, we expect to see proposed changes to the FAR and DFARS addressing cybersecurity over the next year.