WhiteHouse / cyber-acquisitions

https://policy.cio.gov

BSA|The Software Alliance Comments on Proposed Guidance #57

Open BSATheSoftwareAlliance opened 8 years ago

BSATheSoftwareAlliance commented 8 years ago

BSA | The Software Alliance (BSA) welcomes the opportunity to comment on the Office of Management and Budget’s Proposed Guidance on Improving Cybersecurity Protections in Federal Acquisitions (“Proposed Guidance”).

BSA | The Software Alliance (www.bsa.org) is the leading advocate for the global software industry before governments and in the international marketplace. Its members are among the world’s most innovative companies, creating software solutions that spark the economy and improve modern life. With headquarters in Washington, DC, and operations in more than 60 countries around the world, BSA pioneers compliance programs that promote legal software use and advocates for public policies that foster technology innovation and drive growth in the digital economy. BSA’s members include: Adobe, Altium, ANSYS, Apple, Autodesk, Bentley Systems, CA Technologies, CNC/Mastercam, DataStax, Dell, IBM, Intuit, Microsoft, Minitab, Oracle, salesforce.com, Siemens PLM Software, Symantec, Tekla, The MathWorks, and Trend Micro.

Cybersecurity is rightly a top priority for the Office of Management and Budget (OMB), and focusing on improving cybersecurity protections in Federal Acquisitions will help improve the Federal Government’s cyber resiliency. BSA shares the goals and interests of OMB on this issue because effective cybersecurity practices are critical for the health of IT infrastructure as a whole, and for our member companies, who seek to maintain the highest levels of integrity in their products and services, regardless of whether they are sold to commercial or government end-users. Moreover, as providers of cybersecurity products and services, our members have extensive experience working with governments around the world on cybersecurity policy. We are committed to supporting OMB in this regard and offer these comments to assist with your efforts.

General Comments

As an initial matter, BSA has general comments on the direction of the Proposed Guidance:

  1. Overlap with Other Policies and Legislation

We are concerned that there seems to be a lack of harmonization and coordination between and among the recommendations made by the Proposed Guidance and the requirements mandated by other current and/or proposed policies and legislation. For example, there is no clear indication of how the Proposed Guidance relates to the Federal Risk and Authorization Management Program (FedRAMP). Many companies have invested a considerable amount of resources to become FedRAMP compliant, and the implementation of the Proposed Guidance could create requirements that are inconsistent or redundant with the standardized approach to security assessment and monitoring for cloud products and services provided by FedRAMP. If federal agencies were to follow the Proposed Guidance as it is currently written, the homogeneous approach to security FedRAMP seeks to achieve would be defeated.

In addition, OMB recently conducted its Cybersecurity Sprint through which Federal agencies were instructed to implement a number of actions to increase protection of information, assets and networks. It is important that the Proposed Guidance takes this initiative into account to avoid overlapping requirements.

Furthermore, Congress is currently working to expand the EINSTEIN program (e.g., S. 1869), which provides mechanisms to analyze the federal government cyber space environment and to identify network irregularities in federal government systems. It is critical that legislative and administrative branches coordinate to ensure that security requirements are not redundant or inconsistent.

Likewise, the Department of Defense (DoD) recently issued an interim rule addressing the protection of covered defense information, incident reporting, as well as the purchase of cloud computing services (e.g., DFARS Case 2013-D018). It is unclear how the Proposed Guidance relates to the requirements mandated by this DoD interim rule.

Finally, we understand that OMB is considering revising Circular A-130, which would most likely create or modify cybersecurity requirements that would impact procurement by Federal agencies. Proposed changes to the Circular A-130 should also be taken into consideration to ensure consistency.

Thus, we recommend that OMB revise the Proposed Guidance to ensure it is clearly aligned with the requirements mandated by other current and/or proposed policies and other legislation, including but not limited to FedRAMP, the Cybersecurity Sprint initiative, the EINSTEIN program, and other OMB efforts. This will help ensure clarity and uniformity, which will in turn facilitate compliance, as well as improved cybersecurity.

  2. Amendments to Federal Acquisition Regulation (FAR)

According to the Proposed Guidance, the Federal Acquisition Regulation (FAR) will be amended to include recommendations provided as appropriate. The effects of the recommendations made by the Proposed Guidance will, obviously, have a great impact on contractors. It is vital that the recommendations are made in a partnership with industry and are aligned with other current and/or proposed policies and other legislation as explained above.

Considering the complexity of the issue and the various approaches that could be taken to address it, we respectfully request OMB meet with Industry to discuss concerns regarding the implications of this Proposed Guideline before it is finalized.

  3. Negative International Implications

The Proposed Guidance indicates that agencies may choose to perform information security continuous monitoring and IT security scanning of contractor systems (FAQ # 3, bullet 7, and Proposed Guidance, item 4).

We are concerned that if the Proposed Guidance is issued in its current form, it would create a very negative precedent for foreign governments to follow. In other words, foreign governments will be emboldened to request broad access and/or the right to monitor and scan U.S. companies’ systems using cybersecurity as a justification. This would have a huge impact not only on cybersecurity in general, but also on U.S. companies’ ability to conduct business abroad. We, therefore, urge OMB to reconsider this approach.

Specific Concerns

Below are our specific concerns with particular portions of the Proposed Guidance.

  1. Applicability and Scope

We are concerned that the Proposed Guidance appears to be overly broad in scope and, as such, will impact systems only tangentially related to an agency’s systems or agency’s data.

According to the current text of the Proposed Guidance, it “applies to information collected or maintained by or on behalf of an agency, such as information on systems that are used or operated by a contractor on behalf of the agency and on contractor information systems not operated on behalf of an agency, but incidental to providing a product or service for an agency which may store, collect, maintain, disseminate, process or provide access to information provided by or developed for the agency in order to provide the product or service.” (Proposed Guidance, Applicability and Scope)

We believe that narrowing the scope of the Proposed Guidance is important to ensure that companies have a clear understanding of the systems and data that need to be protected according to this Proposed Guidance and are able to allocate and prioritize resources accordingly.

  2. Security Controls

The proposed guidance establishes that contractors whose internal information systems will process Controlled Unclassified Information incidental to developing a product or service for the agency should meet the requirements of NIST SP 800-171.

While we appreciate the intention to apply requirements that are less complex to contracts that do not collect or maintain information on behalf of an agency, NIST SP 800-171 has only recently been published (June 2015) and its impacts are still largely unknown. Considering that the Proposed Guidance will prompt amendments to the FAR, it is highly recommended that further analysis of the impact of NIST SP 800-171 be conducted before the implementation of the requirement.

  3. Incident Reporting

Definition of cyber incident. The Proposed Guidelines define cyber incidents as “actions taken through the use of computer networks that result in a compromise or actual or potentially adverse effect on an information system and/or the information residing therein.” This definition is overly broad and applies to every situation regardless of the circumstances. We believe that a risk-based approach should be applied to determine what is an “incident” for the purpose of incident reporting. To ensure that agencies are not inundated with notices regarding immaterial attempts to compromise networks, the notification obligation should be defined on a case-by-case basis.

Required timeline. According to the Proposed Guidelines, contractual language must include a required timeline for first reporting to the agency. To ensure that agencies receive meaningful notifications in the event of an incident, it is critical that contractors are afforded adequate time to perform a thorough assessment to determine the scope of the security risk and prevent future disclosure. A reasonable timeframe should be given to contractors so that they can investigate the potential breach and report it, if appropriate. We strongly recommend that agencies be advised to refrain from establishing a specific timeframe to report incidents, as the uniqueness of the circumstances involved in each incident should be considered on a case-by-case basis. We suggest that contract language be required to include a provision stating that reporting should occur in a “reasonable time according to the circumstances” without reference to specific deadlines, e.g., a specific number of days.

Reporting on suspected incidents. The last paragraph of the section on “Reporting Cyber Incidents” is ambiguous and we would appreciate it if it could be clarified. The language at the beginning of that paragraph seems to create an obligation to report on “suspected incidents,” but further down the same paragraph there is mention that the “contractor does not have to report all known or suspected cyber incidents.” Reporting on suspected incidents would be counterproductive as agencies would be overwhelmed by immaterial notices, causing action on actual incidents to be delayed and resources to be used inefficiently. We, therefore, recommend that language referring to suspected incidents be removed and that a “reasonable timeline” be given to contractors to report on incidents.

Thus, we recommend the paragraph to be amended as follows:

At a minimum, contractual language shall ensure that all known cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within a reasonable timeline. All known cyber incidents in contractor internal systems must be reported if they involve the CUI in the system, but the contractor does not have to report all known or suspected cyber incidents.

  4. Security Assessment

According to the Proposed Guidelines, the manner in which security assessment would be performed would depend on the discretion of the agency. Although there is mention of FIPS 199 and of potential use of third-party verification of security assessment, the guidelines mention that each agency may select to perform its own monitoring and IT security scanning, and apparently this could happen regardless of the circumstances. This approach is of great concern, as explained below.

Continuous monitoring. Many companies already have their own continuous monitoring process in place, which is evaluated by Third Party Assessment Organizations (3PAOs). 3PAOs are neutral and pre-approved through screening conducted by FedRAMP. If each agency were permitted and/or encouraged to perform its own monitoring in addition to what companies already have in place to satisfy FedRAMP, this practice would represent an extremely heavy burden on contractors without increasing cybersecurity. We urge OMB to reconsider this approach and to make reference to FedRAMP procedures regarding continuous monitoring.

Scanning. The broad IT security scanning access authorized by the Proposed Guidelines should not be the default. Access for monitoring purposes should only be required in exceptional circumstances and should be narrowly provided. Although the Proposed Guidelines indicate that access should be provided on an “event-driven basis,” there is no clear definition of what these events would be.

Continuous Diagnostics and Mitigation (CDM) seems to be the default authorized by the Proposed Guidelines, which would imply installation of sensors on networks. This practice would create a lot of legal uncertainty, unpredictability, and confusion, and execution could even be unfeasible. Some contractors may not be able to provide products and services to federal agencies if this requirement is not removed, and this could prevent federal agencies from accessing innovative and effective technologies to meet their needs.

In addition, as we previously noted, this would create a very negative precedent, and foreign governments will be emboldened to request broad access and/or the right to monitor and scan U.S. companies’ systems using cybersecurity as a justification to advance other objectives. This would have a huge impact on U.S. companies doing business abroad, as market barriers that would be very difficult to overcome would be created. We, therefore, urge OMB to reconsider this approach.

Furthermore, when addressing information security assessments, the Proposed Guidance states that a Senior Agency Official for Privacy (SAOP) must review and certify privacy controls. Further details on what specific elements would be reviewed would be necessary to enable companies to comply with the requirements. We, therefore, recommend that further details regarding how privacy controls will be assessed be provided by the Proposed Guidelines. There simply is not enough information provided about this topic to make a valid judgment as to whether the requirements will be appropriate.

  5. Business Due Diligence Information Shared Service and Risk Indicators

Section 5 of the Proposed Guidance anticipates the creation of a business due diligence information shared service that would permit agencies to conduct cyber-related due diligence. However, details are not provided on standards that would apply or on how this database would be used by agencies as part of their procurement processes. We request OMB provide further details to clarify how this database would be created and used.

Furthermore, Section 5 of the Proposed Guidance also requires the interagency cybersecurity group to identify and recommend risk indicators to be used as part of the agencies’ due diligence process. However, the guidance is not clear as to how these indicators would be used by agencies as part of their procurement processes. This lack of clarity raises concerns including how uniform and consistent the evaluations would be, who would perform the evaluations, and how disagreements between contractors and acquisition staff on evaluation results would be reconciled.

  6. Use of Properly Licensed Software

Eliminating the use of unlicensed software could help reduce the risk of cybersecurity incidents. Ensuring that contractors’ software is genuine is therefore very important. A recent study by IDC found that there is a strong positive correlation (0.79) between the presence of unlicensed software and the likelihood of malware encounters, which could contribute to cybersecurity incidents. In addition, unlicensed software may not be updated with all the security patches that are often released by software publishers, increasing vulnerability.

The importance of ensuring that only software that is compliant with applicable copyright laws is used has long been a United States government priority. Executive Order 13103 was issued in 1998 to further this objective. This practice not only ensures that the United States government leads by example in combating the use of illegitimate software, but also helps strengthen cybersecurity.

We recommend that the Proposed Guidance require agencies to adopt procedures to ensure that contractors only use software that is compliant with applicable copyright laws.

Conclusion

In light of our shared interests and commitment in the area of cybersecurity, BSA and its members would welcome the opportunity to have in-person meetings with you at your convenience to discuss the issues raised through these comments before you finalize these Proposed Guidelines.

We appreciate the opportunity to submit these comments and we look forward to continuing to work with you.