The General Services Administration (GSA), in conjunction
with the Department of Defense (DOD), published a request for information (RFI)
in Monday’s Federal Register (78 FR 27966-27968)
concerning the “feasibility,
security benefits, and relative merits of incorporating security standards into
acquisition planning and contract administration and address what steps can be
taken to harmonize, and make consistent, existing procurement requirements
related to cybersecurity”.
JWGICRA
The RFI announces the formation of the Joint Working Group
on Improving Cybersecurity and Resilience through Acquisition (JWGICRA). The
working group, under the leadership of the GSA, consists of members selected
from the DoD, GSA, the Department of Homeland Security (DHS), the Office of
Federal Procurement Policy (OFPP), and the National Institute of Standards and
Technology (NIST).
The JWGICRA was formed to fulfill the 120-day reporting
requirement of §8(e)
of the President’s cybersecurity executive order (EO 13636). That report is
supposed to address the “feasibility, security benefits, and relative merits of
incorporating security standards into acquisition planning and contract
administration”.
Definition of ‘Cybersecurity’
The RFI notes that the lack of a common lexicon
“is one of the critical gaps in harmonizing federal acquisition
requirements related to cybersecurity”. For the purposes of this notice GSA is
using the following definition
of cybersecurity:
“(T)he term “cybersecurity” is
given a broad meaning that includes information security and related areas,
like supply chain risk management, information assurance, and software
assurance, as well as other efforts to address threats or vulnerabilities
flowing from or enabled by connection to digital infrastructure.”
Given this definition, it is clear that industrial control systems
(ICS) are included, but mainly as an afterthought.
Information Requested
This GSA RFI is looking for answers to a number of questions
in a number of general categories. Those categories include:
• The feasibility of incorporating
cybersecurity standards into federal acquisitions;
• Information about commercial procurement
practices related to cybersecurity; and
• Information about any conflicts
in statutes, regulations, policies, practices, contractual terms and
conditions, or acquisition processes affecting federal acquisition
requirements related to cybersecurity.
Public Comments
The GSA, on behalf of the JWGICRA, is soliciting public
input in this RFI. Comments may be submitted via the Federal eRulemaking Portal
(www.Regulations.gov; Docket # Notice-OERR-2013).
Comments must be submitted by June 12, 2013.
Commentary
This is a very late solicitation of information. The
government has used up 90 days of the 120-day reporting limit working out the
details of how the JWGICRA is going to operate. The NIST
RFI was published within days of the President’s EO; they only had
themselves to work with. The NTA-NIST
RFI was almost a month in the making; they both worked for the Secretary of
Commerce. Here the GSA was supposed to coordinate actions of the
representatives of DOD and DHS in the area of acquisitions. I’m surprised that
this was done as soon as it was.
The deadline for submitting comments is the same day that
the GSA report is due to the President. Either the GSA is going to be late,
ignore the public inputs solicited in this RFI, or is going to have a
superhuman team of bureaucrats read, correlate, digest, compile and prepare a report
in less than 24 hours.
I will prophesy that the report will be late and the
President won’t even notice. I will assume that the public inputs will be
generally ignored. And I will flatly state that making the time limit is
bureaucratically impossible. Of course, I was saying this well before the EO
was even published.
1 comment:
Hi Patrick - First, from a fellow vet, thanks for your service.
Also, thanks for posting on the important topic of #cybersecurity and the GSA-DOD RFI.
While I generally agree with you on the matter of timing, I will tamp down my cynicism momentarily and instead emphasize that I appreciate the opportunity for stakeholders to engage.
There are many times when this opportunity is not even provided.