As comments are due on April 28, 2014, federal contractors and other stakeholders should act quickly to submit their views on what will have a significant and lasting impact on federal cybersecurity acquisition practices.

The draft plan proposes a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions, and by design, it will affect nearly all contracting entities. The draft plan proposes a “taxonomy” for categorizing procurements so that the government can effectively prioritize those in need of additional resources, attention, and safeguards. As proposed, the taxonomy is modeled on Federal Information and Communications Technology (ICT) acquisitions—though the Working Group has asked whether this framework is a workable model for the categorization of all acquisitions. The Working Group would use the ICT framework to categorize all acquisitions that present cyber risk, after which it would separately assess the risks within each category. Categories that present greater cybersecurity risk (based on threats, vulnerabilities, and impacts) would receive more and faster attention in acquisitions. The taxonomy is, in our view, the most significant new development in the draft plan, as it will serve as the principal basis for categorizing the extent of cyber regulations for procurements. This aspect of the plan accordingly warrants particularly close attention.

The Working Group seeks comments in many areas, including whether:

(a) the approach is workable;

(b) the process will obtain sufficient stakeholder input;

(c) any additional assumptions, clarifications, or constraints should be expressed;

(d) the approach will satisfy the goals of Recommendation IV of the final report, i.e., whether it creates a repeatable, scalable, and flexible framework for addressing cyber risk in federal acquisitions;

(e) the major tasks and sub-tasks are appropriate and, if implemented, will achieve the identified outputs/completion criteria;

(f) the taxonomy and category definitions can be used to develop overlays (a fully specified set of security requirements and supplemental guidance that allow for the specific tailoring of security requirements;

(g) factors can be developed to assess each measure of cybersecurity risk (i.e., threat, vulnerability and impact);

(h) other aspects (e.g., annual spending) should be considered in category prioritization; and

(i) in addition to information security controls derived from the cybersecurity framework and other relevant NIST guidance and international standards, other procedural or technical safeguards that address business cyber risk should be included (e.g., source selection and pricing methodology, source selection evaluation criteria minimum weighting and evaluation methodology, etc).

Submit comments here or contact GTSC to provide input to the Coalition’s response.

Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies.  Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition.   You can reach Brian at finch@dicksteinshapiro.com (202)420-4823. 

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements. 

John Morton, former director, U.S. Immigration & Customs Enforcement and John Fantini Porter, Chief of Staff, Management & Administration, were awarded Federal Small Business Champions of the Year; Chad Sweet, co-founder and CEO of the Chertoff Group received the Market Maven award; Robert V. Jones, CEO, PreSafe Technologies for Small Business Member of the Year; Brian Finch, Dickstein Shapiro for Strategic Partner of the Year; Bill Carroll, Managing Partner StrikeForce Consulting, Strategic Advisor of the Year and TASC Inc. for Mentor of the year.  Read the release.

The final report is perhaps most notable as another step toward an era where most every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril.

Cybersecurity issues will increasingly affect agency standard setting, coverage issues and incentives, government audits and investigations, security breach litigation, and other business drivers. Government contractors and other companies that handle government information or supply components that could be compromised electronically must begin, to the extent they have not already done so, to think both strategically and pragmatically about developing an integrated approach to these cybersecurity issues.

Background

On February 12, 2013, President Obama issued EO 13636 – Improving Critical Infrastructure Cybersecurity. Section 8(e) mandated that the Working Group, in consultation with the Department of Homeland Security (DHS) and the Federal Acquisition Regulatory (FAR) Council, “make recommendations to the President . . . on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Section 8(e) also directed the Working Group to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

On May 13, 2013, the Working Group published a request for information (RFI), inviting public comment on the appropriate cybersecurity measures and parameters for federal procurements (summarized here). The Working Group also consulted with representatives from the DoD, GSA, DHS, FAR Council, the Office of Federal Procurement Policy, NIST, and others before issuing the final report.

Working Group Recommendations

The final report makes six recommendations, including that the federal government and/or contractors, as appropriate, should:

(1) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;

(2) address cybersecurity in relevant training;

(3) develop common cybersecurity definitions for federal acquisitions;

(4) institute a federal acquisition cyber risk management strategy;

(5) include a requirement to purchase from original equipment or component manufacturers (OEM), their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and

(6) increase government accountability for cyber risk management.

For contractors, the most helpful recommendations ask the government to clarify, with more specificity, the standards to which contractors will be held accountable. For example, the first recommendation correctly observes that, “[o]ften, cybersecurity requirements are expressed in terms of compliance with broadly stated standards and are included in a section of the contract that is not part of the technical description of the product or service the government seeks to acquire.” This, the report concedes, “leaves too much ambiguity as to which cybersecurity measures are actually required in the delivered item.” Accordingly, the report recommends expressing baseline cybersecurity requirements as part of the acquisition’s technical requirements and including performance measures to ensure the baseline is maintained and risks are identified. The final report also recommends common cybersecurity definitions, which if adopted would dramatically advance anxiety about contractors’ and the government’s current and near-future cybersecurity obligations.

Though the recommendations are instructive, the final report does not actually mandate specific baseline requirements or propose common cybersecurity definitions. Nor does it propose a cyber risk management strategy or otherwise attempt to identify the acquisitions in which baseline requirements or OEM limitations are “appropriate.” Instead, the final report “intends” that others will harmonize these recommendations with ongoing rulemakings, cybersecurity standards, and statutory frameworks. In short: stay tuned.

Takeaways

First and foremost, change is coming. Although the final report recommendations are directed more toward government program managers and acquisition decision makers than industry, the harmonization of such recommendations with recent and forthcoming regulations, mandatory contract provisions, and other statutory requirements and protections will affect the industry directly and significantly.

Other critical points for government contractors to consider as the final report’s recommendations are implemented include:

The final report is a clear signal that mandatory baseline standards, training protocols, and other risk-based requirements are on the horizon. Those standards will likely be based on the NIST framework or, in specialized areas, even stricter protocols. Government contractors and other companies that handle government information must implement an integrated strategy that mitigates the risks associated with these cybersecurity issues, and where viable, the opportunities that these changes might create.

By Contributing Authors:   Brian Finch, Justin Chiarodo, and Daniel Broderick from GTSC Strategic Partner Dickstein Shapiro

Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies.  Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition.   You can reach Brian at finch@dicksteinshapiro.com (202)420-4823. 

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements. 

The 2013 GTSC Holiday Awards honors:

Federal Small Business Champions of the Year Award: John Morton, former Director, U.S. Immigration and Customs Enforcement & Jonathan Porter, Chief of Staff, U.S. Immigration and Customs Enforcement

Federal Small Business Champion of the Year is awarded annually to the Federal official(s) who show a distinct commitment and tangible results toward improving the environment and success for small businesses in the Federal homeland and national security market.

Market Maven of the Year Award: Chad C. Sweet, Co-Founder & CEO, The Chertoff Group

Normally presented at the GTSC Anniversary, 2013 year’s Market Maven of the Year Award will be presented at the holiday party. It is presented to an exceptional individual who contributes in a concrete and tangible way to the efficiency, productivity and effectiveness of the homeland and national security market. Proven as a thought leader with a belief in increasing individual opportunity, the power of free enterprise and the nurture of innovation to advance and support the homeland and national security mission.

Strategic Partner of the Year Award: Brian E. Finch, Partner, Global Security Practice, Dickstein Shapiro LLP

The Strategic Partner of the Year is awarded annually to the Strategic Partner that demonstrates a clear commitment to GTSC, contributes significantly to the content and substance of the organization and provides GTSC members with counsel, insight and resources to perform exceptionally on behalf of the homeland and national security mission.

Strategic Advisor of the Year Award: Bill Carroll, Senior Partner, Strike Force Consulting

The Strategic Advisor of the Year is awarded annually to the Strategic Advisor who works on behalf of GTSC to increase our capacity, membership and opportunities to bring the innovation, creativity and solutions of small and mid-sized companies to the homeland and national security mission.

Small Business Member of the Year Award: PReSafe Technologies LLC

The award is presented annually to the GTSC Member that exemplifies exceptional quality and ethics for the Federal government, a commitment to GTSC’s small business members and advocacy on behalf of our community.

Mentor of the Year Award: TASC & Mike Kelly, Vice President, Business Development, Civil and Infrastructure Security Group, TASC

Mentor of the Year is awarded annually to the GTSC Mentor who has worked to increase members’ understanding of the homeland and national security market, increased business opportunities for small companies through formal and informal mentoring and engages with GTSC to promote an innovative, robust, fair market for all.

About the Border Patrol Foundation

The Border Patrol Foundation provides resources to the families of the fallen and creates awareness of the escalating risk of those who keep America’s borders safe. These services create a financial bridge through the turbulent time following a family’s loss. The Foundation supports programs improving awareness of United States border security and recognizes community leaders supporting the families of the U.S. Border Patrol. The Foundation’s volunteers have served with the U.S. Border Patrol or are professionals, friends and family committed to the importance of securing America’s borders and dedicate their lives to the same.

Thank You to our Sponsors!

Gold Sponsors

Silver Sponsors

Thank you to Old Dominion Strategies!

Support and sponsorships of our holiday event are welcome  — please contact us to help make this our best event ever!

Parking & Public Transportation

Parking: There is some on-site and two-hour metered street parking. Parking is also available at GMU.

Metrorail: The Arlington Arts Center is one block south of the Virginia Square-GMU metro station on the Orange line.

Metrobus: Line 24P and ART Line 41 stop directly in front of the AAC.