In 2013, the Department of Defense (DoD) played a lead role in the Obama Administration’s efforts to leverage the government’s buying power and existing regulatory authority to impose significant new obligations on defense contractors.1 Looking ahead to 2014, companies can expect other government agencies, including the Federal Acquisition Regulatory (FAR) Council, the National Institute of Standards and Technology (NIST), the Federal Energy Regulatory Commission, and potentially the Securities and Exchange Commission, to expand the Administration’s cybersecurity efforts beyond the defense industrial base by issuing new cybersecurity guidance and regulations that may impact a number of different industries.
DoD and the General Services Administration (GSA) called for government to “chang[e] its buying behavior with respect to cybersecurity” in their January 23, 2014 joint recommendations to President Obama on improving cybersecurity and resilience through acquisition.2 The six high-level recommendations in this recent report by DoD and GSA will influence the adoption of new government acquisition rules, including the new FAR contract provision the FAR Council is expected to issue regarding safeguarding of contractor information systems.3
The recent recommendations by DoD and GSA were required under the executive order President Obama issued last February after Congress failed to pass cybersecurity legislation.4 That executive order requires that federal agencies with responsibility for regulating the security of critical infrastructure determine whether current cybersecurity regulatory requirements are sufficient and, where they are not, propose actions to address the gaps based on the cybersecurity framework that NIST is expected to issue this month. It also requires DoD and GSA, in consultation with the FAR Council, to make recommendations to the President on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration, including steps that can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity. The result was the January 23, 2014 report by DoD and GSA, which recommends the following:
- Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions – For acquisitions that present cyber risks, the government should only do business with organizations that meet basic cybersecurity hygiene baseline requirements in both their own operations and in the products and services they deliver. This baseline should be expressed in acquisitions’ technical requirements and include performance measures to ensure the baseline is maintained and risks are identified. DoD has already implemented a variant of this requirement by requiring its contractors to apply controls from NIST Special Publication 800-53 to systems that hold unclassified controlled technical information.
- Address Cybersecurity in Relevant Training – The government should incorporate acquisition cybersecurity into required training for appropriate workforces and require contractors to receive training about acquisition cybersecurity requirements.
- Develop Common Cybersecurity Definitions for Federal Acquisitions – The government should increase the clarity of key cybersecurity terms in federal acquisitions by defining key terms in the FAR.
- Institute a Federal Acquisition Cyber Risk Management Strategy – The government should identify a hierarchy of cyber risk criticality for acquisitions and develop “overlays” for similar types of acquisitions, starting with acquisitions that present the greatest cyber risk.
- Include a Requirement to Purchase from Original Equipment Manufacturers (OEMs), Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions – The government should obtain required items only from OEMs, their authorized resellers, or other trusted sources, in certain circumstances, and the cyber risk threshold for application of this limitation should be consistent across the federal government. Again, DoD has already taken a step in this direction by issuing new supply chain risk rules.5
- Increase Government Accountability for Cyber Risk Management – The government should identify acquisition practices that contribute to cyber risk and integrate security standards into acquisition planning and contract administration. It should also incorporate cyber risk into enterprise risk management and ensure key decision makers are accountable for managing cybersecurity risks.
The changes to the FAR and the Defense Federal Acquisition Regulation Supplement (DFARS) called for in the report by DoD and GSA could impact a large number of U.S. companies by harmonizing cybersecurity requirements across many government contracts.