WhiteHouse / cyber-acquisitions

https://policy.cio.gov

ACEC Comments on OMB Request for Comments on Improving Cybersecurity Protections in Federal Acquisitions #39

Open jsalmoiraghi opened 8 years ago

jsalmoiraghi commented 8 years ago

The American Council of Engineering Companies (ACEC) -- the national association of the nation's engineering industry -- respectfully submits comments on the proposed guidance on Improving Cybersecurity Protections in Federal Acquisitions (published on August 11, 2015).

ACEC members have great concerns with the Office of Management and Budget’s (OMB) Interim Rules on Cybersecurity and do not believe the rules, as proposed, should be applied to the architecture and engineering industries. OMB’s goal is laudable as it attempts to improve cybersecurity protections within Federal acquisitions. The guidance directs all Federal agencies to increase cybersecurity protections for “products or services that generate, collect, maintain, disseminate, store, or provides access to CUI on behalf of the Federal government” while requiring companies to conform to the NIST guidelines for data security. ACEC firms have four key areas of concerns about the new guidance.

First, the NIST guidelines are overwhelmingly complex with over 400 pages of guidance. This guidance is not something that the Council’s members regularly use as construction professionals. There is a requirement for cyber incident reporting if the “incident impacts the CUI in the contractors’ internal information systems.” This requirement lacks definition and can create confusion within the industry. Adding this requirement to the incorporation of over 400 pages of guidance creates a burden for many firms in their contracting with the government. While it is laudable to be held to these high standards, many firms cannot meet the standards that were developed for IT system development rather than engineering specific issues.

Second, ACEC member firms are generally small businesses. Nearly 85 percent of the firms qualify as small businesses under the Small Business Administration's (SBA) size standards. This new guidance will prove to be especially challenging for those firms. Many small firms typically do not have a mechanism to audit and track what files are accessed by each user and the accompanying time and date stamp. As the margins on engineering work are quite small, new overhead requirements may preclude firms, including many small firms, from participating in this market. These requirements could probably force most small businesses out of the government A/E market.

Third, engineers work in a collaborative manner across subspecialties and other construction disciplines. This guidance is particularly problematic for engineering firms as these entities subcontract up to 50 percent of their contracts. This is required due to the level of technical specifications in engineering contracts, from geotechnical to HVAC to mapping, requiring multiple specialty firms to meet these needs. This dynamic creates the requirement to both physically and technologically share files. The physical security component will be a problem for many firms to implement, as they share workspace with subcontractors and other members of the construction team. Moreover, typically, there is no way to limit access to the IT equipment once an employee, contractor, or partner is present within the office. Data sharing is a key aspect of engineering and construction generally, so firms generally do not limit the use of external portable media with team members. Some of our members, especially the very large businesses, already have a framework in place to meet the new guidance. However, the requirement for our members to be nimble and work collaboratively dictates that the IT environment not be too restrictive, so that engineers can create safe and secure buildings, roads, airports, highways, bridges and other key infrastructure without being stymied by security restrictions.

Finally, it is a concern that this process will be expensive to implement and burdensome to maintain. The systems will have to conform to the same standards as government systems, and this will exacerbate the dearth of qualified American engineers who are qualified to work on government projects. It could potentially drive small, medium, and large firms out of the federal market, further limiting the competition needed for innovative infrastructure solutions.

The engineering and architecture industry is highly dependent on cyber communications, and communications restrictions that affect the design process will have significant implications on design schedule and cost. In addition, the Government's small business participation will be severely impacted due to the increased training costs, which are not recoverable from current contracts. This creates a burden that inhibits participation in the federal market. Therefore, the Council asks OMB to exclude engineering and architecture from the current rule development and requests that a separate, yet compatible, rule be developed for these industries. The Council appreciates the opportunity to submit comments on the guidance, and we stand ready to work with OMB on implementing these changes to their proposal.