The Washington Post

GSA seeking industry feedback on cybersecurity

The General Services Administration and the Pentagon are seeking industry’s feedback on how to incorporate cybersecurity standards into government buying requirements.

The GSA’s request for information, issued earlier this month, stems from a February executive order meant to improve cyber protection for critical infrastructure.

Now, the GSA and Defense Department’s request suggests they are weighing many options, from putting in place an accreditation program to making certain acquisitions exempt from federal cybersecurity standards.

To formulate their recommendations, the two agencies are seeking input from companies and other interested parties on a range of related issues. These include how the government can protect itself while not imposing new barriers to entry for companies seeking to get into contracting as well as what kinds of redundant standards already exist.

Emile Monette, senior adviser for GSA’s Office of Acquisition Management, said in an interview that companies are spending millions on cybersecurity.

“There’s already a significant cost to doing business with the federal government, and we don’t want to unduly increase that,” Monette said. “Any time you increase the requirements on a company just to do business with the government, you create barriers to entry.”

He said the government and industry “have to be able to share those costs equitably.”

The new document also solicits information about commercial standards and whether they might be applicable to federal purchases. Respondents are asked about their own processes and how they guard against risk.

Additionally, the GSA’s request delves into what it calls harmonization — or how conflicts in various regulations, contracts or policies related to cybersecurity can be resolved. Are there conflicting standards companies face or areas in which they deal with redundant requirements?

Alan Chvotkin, executive vice president and counsel at the Professional Services Council, an industry group, said the organization, which plans to submit comments, is pushing for requirements that focus on outcomes and attributes — rather than very specific designs. For instance, PSC would prefer to see the government obligate contractors be able to prove they have a specific level of cyber protection — not install a specific IT system — to provide some flexibility.

It “allows companies to approach those issues based on the size of the company, the amount of government business they’re doing and the nature of the work they’re doing,” Chvotkin said. “They all need something, but they all don’t need the same thing.”

Raymond O. Aghaian, a partner at McKenna Long & Aldridge who specializes in cybersecurity, said the request for information is an opportunity for contractors to be heard.

“The train is essentially leaving the station, and so [companies] should get on board,” he said. “It would be difficult if ... the government was to dictate what the standards [will] be without considering the practical effects.”

For instance, he said, if the government mandates that companies encrypt data closer to its source, that could add significant costs for companies.

“At the end of the day, they’re running a business and they’re trying to remain profitable,” Aghaian said of industry. “It’s important to try to strike the right balance, and it would be difficult to do so if it’s just a one-sided conversation.”

Monette said he expects significant feedback. The GSA has already received about 15 responses, and comments will be accepted until June 12.



Success! Check your inbox for details. You might also like:

Please enter a valid email address

See all newsletters

Show Comments
Most Read



Success! Check your inbox for details.

See all newsletters

Your Three. Videos curated for you.
Play Videos
Deaf banjo player teaches thousands
Perks of private flying
Drawing as an act of defiance
Play Videos
Husband finds love, loss in baseball
Bao: The signature dish of San Francisco
From foster homes to the working world
Play Videos
How soccer is helping Philadelphia men kick the streets
Here's why you hate the sound of your own voice
The woman behind the Nats’ presidents ‘Star Wars’ makeover
Play Videos
How hackers can control your car from miles away
How to avoid harmful chemicals in school supplies
How much can one woman eat?

To keep reading, please enter your email address.

You’ll also receive from The Washington Post:
  • A free 6-week digital subscription
  • Our daily newsletter in your inbox

Please enter a valid email address

I have read and agree to the Terms of Service and Privacy Policy.

Please indicate agreement.

Thank you.

Check your inbox. We’ve sent an email explaining how to set up an account and activate your free digital subscription.