Government Contracts Monitor

Final Report on Improving Cybersecurity through Acquisition

February 4, 2014

The Department of Defense (DOD) and the General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience through Acquisition recently issued the much-anticipated final report to the President. This report fulfills the requirements of Section 8(e) of Executive Order 13636 (previously discussed here), which sought recommendations from DOD and GSA on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”

The final report makes six recommendations for using cybersecurity standards in federal acquisitions:

1.Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions

According to the Joint Working Group, “baseline cybersecurity” refers to first-level information and security measures used to deter unauthorized disclosure, loss, or compromise. The Group recommends that “[t]he baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified throughout the lifespan of the product or service acquired.” Additionally, “cybersecurity requirements need to be clearly and specifically articulated within the requirements of the contract.” The Group intends for this recommendation to be harmonized with the ongoing FAR and DFARS rulemaking entitled “Basic Safeguarding of Contractor Information Systems” and “Safeguarding Unclassified Controlled Technical Information.”

2.Address Cybersecurity in Relevant Training

The Group notes that, as with any change to practice or policy, there is a need to train the relevant workforces to adapt to the changes. Additionally, the Group recommends that the government “implement an acquisition cybersecurity outreach campaign targeted at industry stakeholders.” The Group hopes that “[i]ncreasing the knowledge of the people responsible for doing the work will facilitate appropriate cyber risk management and help avoid over-specifying cybersecurity requirements (which leads to high costs) or under-specifying cybersecurity requirements (which leads to greater risk).

3.Develop Common Cybersecurity Definitions for Federal Acquisitions

The Group believes that “[i]ncreasing the clarity of key cybersecurity terms in Federal acquisitions will increase the efficiency and effectiveness of both the government and private sector.” Accordingly, “[w]hen misunderstandings persist in the acquisition process, they may create inaccuracy or confusion about technical requirements, market research, cost estimates, budgets, purchase requests, solicitations, proposals, source selections, and award and performance of contracts.” The Group hopes to use consensus based, international standards to develop these definitions.

4.Institute a Federal Acquisition Cyber Risk Management Strategy

The Group believes the government “needs an interagency acquisition cyber risk management strategy that requires agencies to ensure their performance meets strategic cyber risk goals for acquisition and is part of the government’s enterprise risk management strategy.” The Group intends for this strategy to align with the “methodologies and procedures developed to address cyber risk in the Cybersecurity Framework” (previously discussed here), and “should identify a hierarchy of cyber risks critically for acquisitions and include a risk-based prioritization of acquisitions.” The Group intends for the government, in developing this strategy, to “use the active, working partnerships between industry, the civilian agencies, and the intelligence community” and to “create such partnerships where they do not already exist, with the goal of leveraging validated and outcome-based risk management processes, best practices, and lessons learned.”

5.Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions

The Group motes that “[e]nsuring that the goods provided to the government are authentic and have not been altered or tampered with is an important step in mitigating cyber risk.” As a result, the Group recommends obtaining required items from OEMs, their authorized resellers, or other trusted sources. However, the Group acknowledges that “[l]imiting eligibility to only these types of sources for all acquisitions may not be compatible with acquisition rules, socioeconomic procurement preferences, or principles of open competition.” Thus, the Group recommends using this limitation on sources only for “types of acquisitions that present risks great enough to justify the negative impact on competition or price difference between trusted and un-trusted sources.” And if the government chooses to use a reseller, distributor, wholesaler, or broker that is not in a trusted relationship with the OEM, the Group recommends that the government “obtain assurances of the company’s ability to guarantee the security and integrity of the item being purchased.”

6.Increase Government Accountability for Cyber Risk Management

The Group recommends a four step process for ensuring accountability for cyber risk management. First, cyber risk should be addressed when a requirement is being defined and a solution is being analyzed. Second, prior to release of a solicitation, acquisition personnel should certify that appropriate cybersecurity requirements are adequately reflected in the solicitation. Third, during the source selection process, acquisition personnel should participate in the proposal evaluation process and ensure that he apparent best value proposal meets the cybersecurity requirements of the solicitation. And finally, to the extent any conformance testing, reviews of technology refreshes, supply chain risk management measures, or any other post-award contract performance matters are relevant o cybersecurity, the accountable individual (e.g., program executive), with the assistance of acquisition personnel, should be required to certify that the activity was conducted in accordance with the prescribed standards.

While the final report addresses many important issues, it also leaves open several questions for contractors. For example, it is unclear whether these requirements will apply to all acquisitions and contractors, or whether certain types of acquisitions, such as small business contracts, will be exempted. It is also unclear exactly how existing procurement regulations will be changed or when the changes must be implemented. However, the report does make clear that changes are coming. Contractors should stay tuned for further developments and begin preparing themselves for the new requirements.

Katie Calogero is the attorney responsible for the content of this article.