WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Comments on Business Due Diligence (ABA Section of Public Contract Law) #52

Open ABAPCLS opened 9 years ago

ABAPCLS commented 9 years ago

American Bar Association Section of Public Contract Law Comments on OMB’s Draft Guidance “Improving Cybersecurity Protections in Federal Acquisitions” Business Due Diligence

The draft guidance to agencies would modify current pre-award and post-award business due-diligence processes to add a cybersecurity element. The draft guidance suggests leveraging a current General Services Administration (“GSA”) pilot to create a business due-diligence information shared service, which would provide agencies with access to various types of “risk information,” with data collected from multiple sources, including public records, publicly-available and commercial-subscription information, and voluntary contractor reporting. The Section of Public Contract Law (“Section”) of the American Bar Association ("ABA") identifies below areas that the Section believes require further attention and detail from the Office of Management and Budget (“OMB”).

First, the Section believes that this part of the draft guidance does not clearly state whether this new requirement would apply only to acquisitions and contracts in which systems are being operated on behalf of the Government or whether it also would extend to any procurement that would involve contractor access to controlled unclassified information.

The Section recommends that the OMB carefully consider any potential detrimental use of voluntary reporting of incidents by contractors. Information sharing is a critical component of effective cybersecurity and we suggest that the Government should refrain from using voluntary disclosures against participants. The Section further notes that the use of such data for acquisition purposes may violate the fundamental confidentiality obligations and use limitations agreed to by the Government in industry information-sharing framework agreements [1] and in some of the proposed information sharing legislation now being considered in Congress. [2] Indeed, the use of prior incidents as a negative in business due-diligence assessments could harm those companies that already have robust information security systems, with features including continuous monitoring and other mature cyber defenses in place, which would have made them more cognizant of and able to report on such matters even before the issuance of this policy.

Although the draft guidance refers to the collection and utilization of such data as based “on transparent, objective, and measurable risk indicators,” [3] the draft guidance does not define what those indicators will be. Rather, OMB contemplates that, within 90 days of publishing the final guidance, an interagency cyber team will work with GSA to develop and recommend the specific risk indicators that should underlie this cyber due-diligence process. The Section recommends that the working group allow industry comment on any indicators before they are finalized.

The draft guidance also does not address how cyber due diligence will be used by the Government and whether contractors will be permitted input into any assessments that the Government makes based on this information.

Ultimately, unlike for the other four sections in the draft guidance, here OMB does not contemplate that this effort will be part of a forthcoming Federal Acquisition Regulation rulemaking. The draft guidance raises significant questions, including potential legal issues relating to de facto debarment and rulemaking requirements. [4] In light of the relatively less mature status of this part of the draft guidance compared with the other recommendations, we recommend that the business due-diligence section be deleted from the guidance and be distributed separately in draft form for public comment and that any rule on this be issued in accordance with procurement rulemaking requirements once the matter is more clearly defined so that a similar level of transparency can be achieved with this important issue.

[1] See DFARS part 236, Department of Defense (DOD)-Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities; see also http://dibnet.dod.mil/staticweb/Register.html

[2] See, e.g., Protecting Cyber Networks Act, H.R. 1560, § 203; National Cybersecurity Protection Advancement Act of 2015, §§ 3, 7.

[3] See https://policy.cio.gov.

[4] A process that would result in debarment of a government contractor requires affording the contractor due process. See, e.g., FAR subpart 9.4. Procurement rules in general require rulemaking notice and comment as well. See, e.g., 41 U.S.C. § 1707(a).

The Section’s complete comments on OMB’s draft guidance are available in a consolidated pdf at http://www.americanbar.org/groups/public_contract_law/resources/prior_section_comments.html under the topic “Cybersecurity; Access to and Protection of Information.” The views expressed herein have not been approved by the ABA House of Delegates or the Board of Governors of the ABA and, therefore, should not be construed as representing the policy of the ABA. Mary Ellen Coster Williams, Section Delegate to the ABA House of Delegates, and Heather K. Weiner and Anthony N. Palladino, members of the Section’s Council, did not participate in the Section’s consideration of these comments and abstained from the voting to approve and send this letter.

BSATheSoftwareAlliance commented 9 years ago

Section 5 of the Proposed Guidance anticipates the creation of a business due diligence information shared service that would permit agencies to conduct cyber-related due diligence. However, details are not provided on standards that would apply or on how this database would be used by agencies as part of their procurement processes. We request OMB provide further details to clarify how this database would be created and used.

Furthermore, Section 5 of the Proposed Guidance also requires the interagency cybersecurity group to identify and recommend risk indicators to be used as part of the agencies’ due diligence process. However, the guidance is not clear as to how these indicators would be used by agencies as part of their procurement processes. This lack of clarity raises concerns including how uniform and consistent the evaluations would be, who would perform the evaluations, and how disagreements between contractors and acquisition staff on evaluation results would be reconciled.