WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Fairness and Due Process in OMB's Business Due Diligence Section #55

Open bscarpelli opened 9 years ago

bscarpelli commented 9 years ago

For companies which contract with and vend to the Federal government, attaining and maintaining the proper level of trust is of the utmost importance. We urge that any actions by OMB towards improving cybersecurity reinforce the need for reasonable assessments along with a fair opportunity for concerns to be addressed by the contractor or vendor at issue. For example, the document explicitly says that third party validation is acceptable depending on the risk assessment, though a self-assessment may also often be an appropriate mechanism depending on the risks of the system.

TIA believes that OMB's guidance on due diligence process should include the following fairness and due process elements:

• Right to see what is in the record relating to your company
• Clear rules about what types / sources of information can and cannot be included in that record (e.g., to eliminate unsubstantiated rumors)
• Freshness requirements so that information beyond a certain age does not stick in the file forever
• Right to request corrections or deletions of inaccurate data
• Right to comment on data that you believe to be inaccurate, which the government refuses to correct or delete
• OMB should clarify what information, if any, will be subject to FOIA requests.

BSATheSoftwareAlliance commented 9 years ago

BSA | The Software Alliance Comments on Due Diligence

Section 5 of the Proposed Guidance anticipates the creation of a business due diligence information shared service that would permit agencies to conduct cyber-related due diligence. However, details are not provided on standards that would apply or on how this database would be used by agencies as part of their procurement processes. We request OMB provide further details to clarify how this database would be created and used.

Furthermore, Section 5 of the Proposed Guidance also requires the interagency cybersecurity group to identify and recommend risk indicators to be used as part of the agencies’ due diligence process. However, the guidance is not clear as to how these indicators would be used by agencies as part of their procurement processes. This lack of clarity raises concerns including how uniform and consistent the evaluations would be, who would perform the evaluations, and how disagreements between contractors and acquisition staff on evaluation results would be reconciled.