WhiteHouse / cyber-acquisitions

https://policy.cio.gov

OMB Process for Developing its Guidance & Relationship to Other Ongoing Federal Rulemakings #51

Open bscarpelli opened 8 years ago

bscarpelli commented 8 years ago

While OMB notes that its goal is to "allow for a better understanding of the perspectives of the broader community and to identify areas for improvement to make this guidance even more meaningful and effective," TIA notes that this guidance was not published in the Federal Register, and recommends that OMB ensure that its development of guidance meets governmental transparency requirements, such as the Administrative Procedure Act. We appreciate the unique GitHub platform, but believe that publication in the Federal Register will help improve participation in OMB's important efforts towards improving cybersecurity protections in Federal acquisitions.

Further, OMB does not mention ongoing Federal acquisition efforts to address cyber-based threats in its draft, save for one reference to the FAR, giving rise to questions on TIA's part around, for example, the interplay of this effort and Department of Defense Interim Rules. OMB should ensure close coordination with all other Federal entities when adopting rules for improving cybersecurity acquisition. For example, on August 26, 2015, the Department of Defense (DoD) issued an interim rule that expands the obligations imposed on defense contractors and subcontractors to safeguard "covered defense information" and for reporting cyber incidents on unclassified information systems that contain such information. The interim rule revises the Defense Federal Acquisition Regulation Supplement (DFARS) to implement section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 and section 1632 of the NDAA for FY 2015. In addition, the interim rule implements DoD policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services. DoD's interim rules go into effect as of their publication (Aug 26), and comments are being accepted until Oct 26. TIA is unclear about why this draft OMB policy is moving forward, apparently in parallel, when DoD has initiated the rule changes described above. Duplicative and/or redundant Federal policies, particularly in the information security space, needlessly increase complexity for contractors and vendors, and disincent investment and innovation in this space.

TIA urges OMB to acknowledge the related DoD rulemaking (and other related Federal efforts), and provide a description of the relationship of this effort to them. OMB should also summarize its efforts to ensure that its guidance is not duplicative of or conflicting with other related Federal efforts.