The US General Services Administration (GSA) is seeking comments from the private sector on draft cybersecurity requirements for the Alliant II Government Wide Acquisition Contract (GWAC). The Alliant GWAC provides flexible access to customized IT solutions from a large, diverse pool of industry partners. We urge contractors whose business may be affected by the cybersecurity requirements to participate in this process. The comment period will be open for 45 days. After the comment period closes, the target date for implementation is January 2015.
The draft language addresses cybersecurity requirements for the Alliant II GWAC, which is currently in the acquisition phase. The purpose of these requirements is to improve cybersecurity risk management in the services purchased through orders placed under the Alliant II GWAC. In drafting the cybersecurity requirements, the Alliant Program Office was assisted by the interagency working group responsible for drafting the recommendations included in the joint GSA and Department of Defense report, Improving Cybersecurity and Resilience through Acquisition.
Specifically, the draft language requires contractors to provide a Contract Cybersecurity Risk Management Plan, outlining the contractor’s “systematic and organizational” ability to provide solutions that include “appropriate security controls” for any task within the scope of the contract. “Cybersecurity Risk Management” is defined as technologies, practices and policies that address “threats and vulnerabilities in networks, computers, programs and data.” The draft language describes the submittal, review and acceptance process for risk management plans, as well as the process for updating plans and correcting deficiencies.
The proposed Contract Cybersecurity Risk Management Plan will become a part of the base contract and will provide a high-level summary of a contractor’s plan to address common, high-level security requirements. It is not intended to duplicate, or replace, the more detailed security requirements included in individual orders under the GWAC.
Contractors are encouraged to provide input on any aspect of the draft document. Comments may be submitted as “redline” or “track changes.” Additionally, the GSA has provided a list of eight questions (set forth below) for contractors to consider when reviewing the draft language:
- In general, is the approach articulated in the draft document a workable way to achieve the goals of the effort? What, if anything, needs to be added or removed?
- Is the Cybersecurity Risk Management Plan, as described, adequate and appropriate to provide increased cybersecurity and resilience in the Alliant contracts and orders?
- In addition to information security controls derived from the Cybersecurity Framework and other relevant NIST guidance and international standards, what other management safeguards that address business cyber risk should be included in the Contract Cybersecurity Risk Management Plan?
- Should the Cybersecurity Risk Management Plan requirement “flow down” to subcontractors?
- How should the Cybersecurity Risk Management Plan be priced in firm fixed price contracts when the Government unilaterally requires an update to an accepted plan? When a company submits an update to an accepted plan of its own accord?
- Should the Government establish a minimum weighting for the Cybersecurity Risk Management Plan when it is used as a comparative source selection evaluation factor?
- What should the Government use as minimum acceptance criteria for Cybersecurity Risk Management Plans?
- Do the security-related areas listed in paragraphs (b)(3)(i)-(iii) provide an objective and measurable basis for comparative source selection evaluation of the Cybersecurity Risk Management Plans?
This request for comment is being conducted through “GSA Interact,” which is a program established by the GSA to obtain public and private sector input on requirements as they are being developed.
This is an excellent opportunity for contractors to provide input, prior to the release of the draft RFP, on the GSA’s ongoing efforts to strengthen cybersecurity and the government’s resilience to cyberattacks. It also provides industry with the chance to weigh in on the implementation of practical, cost-effective approaches to achieving the government’s goals.