President Obama’s February 12, 2013 Executive Order (“EO”) titled “Improving Critical Infrastructure Cybersecurity” defined the framework for improving the security of computer networks based on the designation of 16 areas of critical infrastructure. The EO also initiated a process to incorporate cybersecurity standards into federal procurement award and contract administration decisions. EO Section 8(e) instructed the Department of Defense (“DoD”), the General Services Administration (“GSA”), and the Federal Acquisition Regulatory Council (“FAR Council”) to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” The recommendations must also address steps to harmonize existing procurement regulations related to cybersecurity. The EO gave DoD, GSA and the FAR Council 120 days to accomplish these tasks.
On May 12, 2013, GSA, on behalf of DoD, the Department of Homeland Security, and the FAR Council, published a Request for Information (“RFI”) seeking industry’s input in framing the response to the EO’s directive to incorporate cybersecurity standards into federal procurement decisions. Industry comments are due on June 12, 2013.
The RFI contains a list of 37 questions on which GSA seeks input. The questions fall into three categories. First, GSA is asking industry to comment on the best means to incorporate cybersecurity protections into the procurement process, including which types of contract – cost v. fixed price – and evaluation schemes – best value or low cost technically acceptable – will result in the optimum balance between cost, barriers to entry, and ultimate risk. The second group of questions is designed to elicit information on commercial best practices. For example, one question asks whether accepted risk analysis frameworks exist in various industry sectors for purposes of determining whether cybersecurity should be included as an evaluation factor in a procurement. The final group of questions seeks information as to conflicts in existing laws, policies, practices and contract terms regarding cybersecurity and methods to address the conflicts.
The RFI presents the affected industry with an early opportunity to have real input into, and perhaps shape, the federal government’s efforts to incorporate cybersecurity considerations in solicitation specifications, evaluation factors, and contract performance. The 37 questions are sufficiently wide-ranging so as to offer any stakeholder the chance to place its viewpoint squarely before the government.
GSA’s List of Questions
Feasibility and Federal Acquisition
In general, DoD and GSA seek input about the feasibility of incorporating cybersecurity standards into federal acquisitions.
- What is the most feasible method to incorporate cybersecurity-relevant standards in acquisition planning and contract administration? What are the cost and other resource implications for the federal acquisition system stakeholders?
- How can the federal acquisition system, given its inherent constraints and the current fiscal realities, best use incentives to increase cybersecurity amongst federal contractors and suppliers at all tiers? How can this be accomplished while minimizing barriers to entry to the federal market?
- What are the implications of imposing a set of cybersecurity baseline standards and implementing an associated accreditation program?
- How can cybersecurity be improved using standards in acquisition planning and contract administration?
- What are the greatest challenges in developing a cross-sector, standards-based approach to cybersecurity risk analysis and mitigation process for the federal acquisition system?
- What is the appropriate balance between the effectiveness and feasibility of implementing baseline security requirements for all businesses?
- How can the government increase cybersecurity in federal acquisitions while minimizing barriers to entry?
- Are there specific categories of acquisitions to which federal cybersecurity standards should (or should not) apply?
- Beyond the general duty to protect government information in federal contracts, what greater levels of security should be applied to which categories of federal acquisition or sectors of commerce?
- How can the federal government change its acquisition practices to ensure the risk owner (typically the end user) makes the critical decisions about that risk throughout the acquisition lifecycle?
- How do contract type (e.g., firm fixed price, time and materials, cost-plus, etc.) and source selection method (e.g., lowest price technically acceptable, best value, etc.) affect your organization’s cybersecurity risk definition and assessment in federal acquisitions?
- How would you recommend the government evaluate the risk from companies, products, or services that do not comply with cybersecurity standards?
Commercial Procurement Practices
In general, DoD and GSA seek information about commercial procurement practices related to cybersecurity.
- To what extent do any commonly used commercial standards fulfill federal requirements for your sector?
- Is there a widely accepted risk analysis framework that is used within your sector that the federal acquisition community could adapt to help determine which acquisitions should include the requirement to apply cybersecurity standards?
- Describe your organization’s policies and procedures for governing cybersecurity risk. How does senior management communicate and oversee these policies and procedures? How has this affected your organization’s procurement activities?
- Does your organization use “preferred” or “authorized” suppliers or resellers to address cybersecurity risk? How are the suppliers identified and utilized?
- What tools are you using to brief cybersecurity risks in procurement to your organization’s management?
- What performance metrics and goals do organizations adopt to ensure their ability to manage cybersecurity risk in procurement and maintain the ability to provide essential services?
- Is your organization a preferred supplier to any customers that require adherence to cybersecurity standards for procurement? What are the requirements to obtain preferred supplier status with this customer?
- What procedures or assessments does your organization have in place to vet and approve vendors from the perspective of cybersecurity risk?
- How does your organization handle and address cybersecurity incidents that occur in procurements? Do you aggregate this information for future use? How do you use it?
- What mechanisms does your organization have in place for the secure exchange of information and data in procurements?
- Does your organization have a procurement policy for the disposal of hardware and software?
- How does your organization address new and emerging threats or risks in procurement for private sector commercial transactions? Is this process the same or different when performing a federal contract? Explain.
- Within your organization’s corporate governance structure, where is cyber risk management located (e.g., CIO, CFO, Risk Executive)?
- If applicable, does your Corporate Audit/Risk Committee examine retained risks from cyber and implement special controls to mitigate those retained risks?
- Are losses from cyber risks and breaches treated as a cost of doing business?
- Does your organization have evidence of a common set of information security standards (e.g., written guidelines, operating manuals, etc.)?
- Does your organization disclose vulnerabilities in your product/services to your customers as soon as they become known? Why or why not?
- Does your organization have track-and-trace capabilities and/or the means to establish the provenance of products/services throughout your supply chain?
- What testing and validation practices does your organization currently use to ensure security and reliability of products it purchases?
Harmonizing Existing Requirements
In general, DoD and GSA seek information about any conflicts in statutes, regulations, policies, practices, contractual terms and conditions, or acquisition processes affecting federal acquisition requirements related to cybersecurity and how the federal government might address those conflicts.
- What cybersecurity requirements that affect procurement in the United States (e.g., local, state, federal, and other) has your organization encountered? What are the conflicts in these requirements, if any? How can any such conflicts best be harmonized or deconflicted?
- What role, in your organization’s view, should national/international standards organizations play in cybersecurity in federal acquisitions?
- What cybersecurity requirements that affect your organization’s procurement activities outside of the United States (e.g., local, state, national, and other) has your organization encountered? What are the conflicts in these requirements, if any? How can any such conflicts best be harmonized or deconflicted with current or new requirements in the United States?
- Are you required by the terms of contracts with federal agencies to comply with unnecessarily duplicative or conflicting cybersecurity requirements? Please provide details.
- What policies, practices, or other acquisition processes should the federal government change in order to achieve cybersecurity in federal acquisitions?
- Has your organization recognized competing interests amongst procurement security standards in the private sector? How has your company reconciled these competing or conflicting standards?