President Obama’s February 12, 2013 Executive Order, Improving Critical Infrastructure Cybersecurity, required the Department of Defense (DoD) and the General Services Administration (GSA) to make recommendations on the “feasibility, security benefits, and relative merits” of incorporating cybersecurity standards into government acquisition planning and contract administration. The DoD and GSA Working Group, which collaborated with the Department of Homeland Security (DHS) and other government agencies, released its final recommendations on January 23, 2014, in a report titled “Improving Cybersecurity and Resilience Through Acquisition” (the “Report”).
The Acquisition Working Group Report aims at providing “strategic guidelines for addressing relevant issues, suggesting how challenges might be resolved and identifying important considerations for the implementation of the recommendations.” These guidelines come in the form of six recommendations, supplemented by a background discussion for each. The report does not contain a timetable for consideration and implementation of its guidelines or a description of what form the implementation might take. Notwithstanding the lack of specifics, the Report’s background discussions for each of its six recommendations do provide a preview of what procurement changes government contractors might expect.
This Client Alert summarizes the recommendations and outlines the recommendations’ significant points that signal changes in government acquisition.
The specific recommendations
The Report recommends the following:
- Institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions. Notably, this recommendation calls for solicitation specifications that include performance measures not just for the product or service being delivered under the contract, but for the contractor’s own operations.
- Address cybersecurity in relevant training. This recommendation covers the government workforce and also calls for education of the private sector as to the government’s cybersecurity efforts.
- Develop common cybersecurity definitions for federal acquisitions. As discussed further below, the Report advocates use of consensus-based international standards to guide this effort.
- Institute a federal acquisition cyber risk management strategy. This recommendation envisions an “overlay” of security requirements and guidance that are common to similar categories of acquisitions across all government agencies.
- Include a requirement to purchase from original equipment or component manufacturers, their authorized resellers, or other “trusted sources,” whenever available, in appropriate acquisitions. A large portion of the Report is devoted to developing assurance in the supply chain at every level, and this set of recommendations can be expected to impact government contractors directly and relatively quickly.
- Increase government accountability for cyber risk management. This recommendation urges inclusion of cybersecurity standards early in the acquisition planning cycle as well as certification by procurement personnel that a solicitation adequately reflects cybersecurity considerations before it is issued.
significant points for government contractors
For contractors seeking to discern what, if any, impact the recommendations will have on future procurements, there are three key takeaways.
First, it is clear that both civilian and defense agency solicitations will soon begin – to the extent this is not already occurring – to contain specific cybersecurity protection standards and requirements for both the product or service to be delivered under a contract and for the contractor’s own business systems. It is also clear that offerors’ ability to meet these standards will be incorporated into agency evaluation and award decisions.
Second, contractors would be well advised to look to international cybersecurity standards that are relevant to their business. The Report notes that cyber standards are “continually being established and updated through the transparent, consensus-based procedures of standards development organizations….” It continues by urging consistency with these standards: “Cybersecurity standards used in acquisitions should align to the greatest extent possible with international standards and emphasize the importance of organizational flexibility in application.”
Finally, contractors should expect to see some type of qualification process for cybersecurity measures and processes. The Report spends a great deal of time discussing threats posed throughout the breadth of the government supply chain, particularly in light of the government’s increased reliance on purchases of commercial items and services. It cautions: “In some cases, advanced threat actors target businesses deep in the government’s supply chain to gain a foothold and then ‘swim upstream’ to gain access to sensitive information and intellectual property.” In addition to the products and systems themselves, the Report warns of the dangers posed by inadequate maintenance and upgrading of systems, as well as improper disposal. Accordingly, the Report favors restricting government purchases of information technology products and services to those offered by original equipment manufacturers, their authorized resellers, or other qualified sources. Sources that do not fit into one of these categories will be required to certify their products are safe in some cases.
In sum, the Report does provide federal government contractors valuable clues as to the incorporation of cybersecurity in future acquisitions, particularly with respect to requirements to be imposed on supply chain management.