WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Comments on Security Controls (ABA Section of Public Contract Law) #44

Open ABAPCLS opened 8 years ago

ABAPCLS commented 8 years ago

American Bar Association Section of Public Contract Law Comments on OMB’s Draft Guidance “Improving Cybersecurity Protections in Federal Acquisitions” Security Controls

The Section of Public Contract Law (“Section”) of the American Bar Association ("ABA") concurs that it would serve the interests of both the Government and industry to address enhanced cybersecurity controls for systems operated on behalf of the Government and for internal contractor systems that include controlled unclassified information (“CUI”), in light of the evolving cyber threat environment. The Section agrees with the draft guidance’s recognition that different baseline security standards should apply to systems operated on behalf of the Government versus contractor internal systems with CUI (i.e., National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-53 versus NIST SP 800-171). The draft guidance specifically acknowledges that “the application of NIST SP 800-53 controls [to contractors’ internal systems that incidentally contain CUI] is generally not appropriate.”[1]

The draft guidance recognizes the security of information systems should be “clearly, effectively, and consistently addressed in Federal contracts.”[2] Consistent with that understanding, the Section recommends that the security controls applicable to contractor internal systems that include CUI be uniformly applied across the Government. Such harmonization is consistent with the Cybersecurity Executive Order that required acquisition regulators to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”[3] Such harmonization would also serve other fundamental principles governing federal acquisitions and cybersecurity needs, including regulatory consistency, cost-effective cybersecurity, greater competition, and enhanced cybersecurity:

Such harmonization of security controls, wherever possible, is crucial to enhancing our cybersecurity posture in light of the technical complexities and significant costs of implementing such safeguards and the scarcity of skilled cybersecurity resources to implement those solutions. As noted in NIST SP 800-171, a forthcoming single FAR clause “will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies.”[5]

The Section recognizes that under certain circumstances individual agencies may need to tailor the recommended security controls to account for unique risks or legal or governmentwide policy requirements associated with a particular system operated on behalf of the Government. The Section recommends, however, that OMB encourage as much harmonization as possible. Variations in federal information security requirements and standards make compliance more difficult and costly, and could undermine the goal of enhancing cyber protections.

In that spirit, the Section also recommends that OMB consider revising the draft guidance to adopt language similar to a clause at Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “Safeguarding Unclassified Controlled Technical Information,” which had been effective until a DFARS interim rule published on August 26, 2015.[6] DFARS 252.204-7012 permitted contractors to deviate and/or propose alternatives to specified security controls. In particular, the clause had allowed contractors the flexibility of suggesting an alternative to a required control by submitting a written explanation to the contracting officer of one of the following:

The inclusion of such flexibility would enable companies to take advantage of the cybersecurity efforts that have already been undertaken (and the associated sunk costs) by many contractors to comply with industry standards or with requirements that have been imposed by individual government agencies.

In addition, such flexibility is critical to the objectives of the Federal Acquisition Streamlining Act (“FASA”) and FAR part 12 that promote the acquisition of commercial items. In FASA’s legislative history, Congress recognized that restrictive acquisition provisions had limited federal agencies’ access to technologies widely available in the commercial marketplace.[8] As the first step in remedying this problem, Congress directed federal agencies to acquire commercial items “to the maximum extent practicable.”[9] Thus, when applied to the acquisition of commercial items, the federal security requirements should include flexibility for revision to be consistent with commercial practices to the maximum extent practicable.[10]

Finally, the draft guidance does not address certain key implementation issues that should be considered before the security controls section is finalized. For example, the draft guidance does not specifically address what information constitutes CUI. The Section notes that the long-standing National Archives and Records Administration (“NARA”) effort under Executive Order 13556[11] has still not advanced past a proposed rule.[12] Consistent with the prior version of DFARS 252.204-7012, we recommend that the draft guidance require government marking of data to trigger classification and protection as CUI.[13] Contractors need these markings to identify the data subject to government controls to be housed in a compliant section of their networks. The draft guidance also does not address when contractor internal systems will need to be compliant with NIST SP 800-171, which was just issued as final guidance to federal agencies in June 2015 and is a robust document with many requirements and provisions. For small and mid-size companies with less mature cybersecurity measures in place, compliance will not be achieved without a significant expenditure of costs, time, and resources, with much required from external sources. Lastly, we recommend that the final guidance clarify that legal authority to require compliance with reporting obligations presently allows for imposing these requirements only on a contractual basis—either on (a) a prime contractor that has received or produced CUI under a government contract, or (b) a subcontractor that has received CUI from a higher-tier contractor or has produced such CUI while performing a government subcontract.

[1] See https://policy.cio.gov.
[2] See id.
[3] Exec. Order No. 13636, 78 Fed. Reg. 11739, 11742 (Feb. 19, 2013).
[4] Final Report of the Department of Defense and General Services Administration, Improving Cybersecurity and Resilience through Acquisition, p. 9 (Nov. 2013).
[5] NIST SP 800-171, at iv.
[6] On August 26, 2015, DoD published an interim rule removing the existing DFARS 252.204-7012 and replacing it with a new clause, Safeguarding Covered Defense Information and Cyber Incident Reporting. See Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018), 80 Fed. Reg. 51739 (Aug. 26, 2015). This interim rule was recently issued and comments on that rule are due by October 26, 2015.
[7] DFARS 252.204-7012(b)(1)(ii) (Nov. 2013 version in effect until Aug. 26, 2015 interim rule).
[8] S. Rep. No. 103-258 (1978), as reprinted in 1994 U.S.C.C.A.N. 2561, 2563-66.
[9] FASA, Pub. L. No. 103-355, § 8104(b), as reprinted in 1994 U.S.C.C.A.N. 3243, 3391; see also 10 U.S.C. § 2377(b); FAR 1.102(b)(1)(i) (“Maximizing the use of commercial products and services”), FAR 1.102-2(a)(4) (same), FAR 12.101 (“Acquire commercial items . . . when they are available”).
[10] FASA, Pub. L. No. 103-355, § 8002, reprinted at 1994 U.S.C.C.A.N. 3386 (to maximum extent practicable, agencies must only use contract clauses in commercial item acquisitions that “are determined to be consistent with standard commercial practice”); see also FAR 12.301(a) (same).
[11] See DFARS 252.204-7012(a); http://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf.
[12] 80 Fed. Reg. 26501 (May 8, 2015).
[13] See http://www.acq.osd.mil/dpap/pdi/docs/ControlledTechnicalInformation_FAQ.pdf.

The Section’s complete comments on OMB’s draft guidance are available in a consolidated pdf at http://www.americanbar.org/groups/public_contract_law/resources/prior_section_comments.html under the topic “Cybersecurity; Access to and Protection of Information.” The views expressed herein have not been approved by the ABA House of Delegates or the Board of Governors of the ABA and, therefore, should not be construed as representing the policy of the ABA. Mary Ellen Coster Williams, Section Delegate to the ABA House of Delegates, and Heather K. Weiner and Anthony N. Palladino, members of the Section’s Council, did not participate in the Section’s consideration of these comments and abstained from the voting to approve and send this letter.