The General Services Administration and the Pentagon are seeking industry’s feedback on how to incorporate cybersecurity standards into government buying requirements.
The GSA’s request for information, issued earlier this month, stems from a February executive order meant to improve cyber protection for critical infrastructure.
Now, the GSA and Defense Department’s request suggests they are weighing many options, from putting in place an accreditation program to making certain acquisitions exempt from federal cybersecurity standards.
To formulate their recommendations, the two agencies are seeking input from companies and other interested parties on a range of related issues. These include how the government can protect itself while not imposing new barriers to entry for companies seeking to get into contracting as well as what kinds of redundant standards already exist.
Emile Monette, senior adviser for GSA’s Office of Acquisition Management, said in an interview that companies are spending millions on cybersecurity.
“There’s already a significant cost to doing business with the federal government, and we don’t want to unduly increase that,” Monette said. “Any time you increase the requirements on a company just to do business with the government, you create barriers to entry.”
He said the government and industry “have to be able to share those costs equitably.”
The new document also solicits information about commercial standards and whether they might be applicable to federal purchases. Respondents are asked about their own processes and how they guard against risk.
Additionally, the GSA’s request delves into what it calls harmonization — or how conflicts in various regulations, contracts or policies related to cybersecurity can be resolved. Are there conflicting standards companies face or areas in which they deal with redundant requirements?
Alan Chvotkin, executive vice president and counsel at the Professional Services Council, an industry group, said the organization, which plans to submit comments, is pushing for requirements that focus on outcomes and attributes — rather than very specific designs. For instance, PSC would prefer to see the government obligate contractors to be able to prove they have a specific level of cyber protection — not install a specific IT system — to provide some flexibility.
It “allows companies to approach those issues based on the size of the company, the amount of government business they’re doing and the nature of the work they’re doing,” Chvotkin said. “They all need something, but they all don’t need the same thing.”
Raymond O. Aghaian, a partner at McKenna Long & Aldridge who specializes in cybersecurity, said the request for information is an opportunity for contractors to be heard.
“The train is essentially leaving the station, and so [companies] should get on board,” he said. “It would be difficult if ... the government was to dictate what the standards [will] be without considering the practical effects.”
For instance, he said, if the government mandates that companies encrypt data closer to its source, that could add significant costs for companies.
“At the end of the day, they’re running a business and they’re trying to remain profitable,” Aghaian said of industry. “It’s important to try to strike the right balance, and it would be difficult to do so if it’s just a one-sided conversation.”
Monette said he expects significant feedback. The GSA has already received about 15 responses, and comments will be accepted until June 12.