by Steve Charles, Co-founder and Executive Vice President
The Executive Order 13636 DOD-GSA Section 8(e) Working Group may sound dull, but it’s a group with a lot of leverage. It could dramatically change the complexion of federal IT procurement.
The Working Group is drafting a request for information from industry for how to eventually bake cybersecurity standards into federal acquisitions. Using the authority of the February executive order, the administration wants to get increased cyber protection any way it can, whether Congress acts or not.
Any company selling electronic products, software, or IT services to the federal government should read it. And get involved with your association. The initial RFI was drafted by a team of people not only from GSA and Defense, but also Homeland Security, NIST, and the Office of Federal Procurement Policy. A final draft is due any day now, and you’ll have until May 15 to comment.
The heart of the RFI consists of 37 questions grouped around three themes:
- Is it feasible to incorporate cybersecurity standards into federal buys in the first place?
- What are commercial procurement practices when it comes to cyber?
- Would cyber-soaked acquisitions conflict with existing laws, regulations, or even common practices, and if so, what should we do about it?
No single company, much less any individual, can likely answer all 37 questions. It’s important to read them all, though, to get a thorough sense of where the administration might be going with this. For one thing, the working group points out a provision in the companion to the executive order (EO), namely Presidential Policy Directive 21. For governmentwide contracts for critical infrastructure systems, PPD-21 calls for GSA, DOD, and DHS to “ensure that such contracts include audit rights for the security and resilience of critical infrastructures.”
And, to ensure governmentwide “consistency,” the Working Group is joining with another interagency task force led by DHS to implement the EO and PPD-21. To paraphrase the Chevrolet ads, this runs deep. And wide.
Consistency requires common language, and the federal parties involved want a “broad meaning” for the word cybersecurity “that includes…supply chain risk management, information assurance, and software assurance.”
It’s vital to future sales that your company helps shape whatever rules eventually emerge, and that those rules don’t put all of the burden and liability for cybersecurity on industry, or freeze standards in contracting language when we are trying to address a threat that is evolving at light speed. To return to my first point: download the draft RFI, get your sales and business development teams together, and start penning some answers.