Steve Charles


Cyber getting baked into more procurements

A new but not widely noticed provision in the recent White House Executive Order 13636 will mean a major change in federal procurement. The order, a companion to Presidential Policy Directive 21, established a multi-agency work group that has been asking industry and federal agencies how cybersecurity could be made a baseline requirement in all acquisitions.

Not just buys of specific cybersecurity products, but of any items or services that somehow touch critical infrastructure. That’s a broad range of potential acquisitions.

If you sell software, any piece of electronic hardware, or systems integration services to the federal government, you need to know about the so-called DOD-GSA Section 8(e) Working Group. The output of this working group will eventually result in new Federal Acquisition Regulations covering anything with a potential cybersecurity element.

This is no long-range effort. The EO, which came out in February, gave the working group 120 days to come up with its recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”

The machinery necessary to get a FAR change implemented won’t produce the intended change overnight. But it’s not too early to start positioning your products in terms of how they support or enhance cybersecurity.

Basically, the administration wants to get as much cybersecurity progress as it can in the absence of legislation from an uncooperative Congress. It can only do so much with industry by fiat. But it can indirectly get more from industry by leveraging authority over federal agencies. Nothing new here, just a new application of advancing cyber policy via the government’s buying power.

Luckily, industry had the chance to weigh in, and presumably the task force is evaluating comments.

The working group has people from Defense, Homeland Security, and GSA. The group’s specific job is to carry out Section 8(e) of the White House Executive Order for embedding cybersecurity requirements into all federal acquisition planning and procurement processes.

The working group, in a request for information, came up with 37 questions, grouped into three themes:

  • Is it feasible to incorporate cybersecurity standards into federal buys in the first place?
  • What are commercial procurement practices when it comes to cyber?
  • Would acquisitions containing specific cybersecurity requirements conflict with existing laws, regulations, or even common practices? If so, what should we do about it?

Comments have closed, but it’s not too late to become involved. At the least, read the executive order, especially Sections 7 and 8. Make sure it gets top management attention, especially if your company is headquartered outside of the Washington region where they might not be in tune with uniquely federal dynamics.

The questions are extensive, and probably no single individual can answer all of them. But since industry is helping prepare a dish companies will eventually be served, here are some things to keep in mind:

Understand that in seeking this public input, the working group defines cybersecurity rather widely, to include supply chain risk management and software assurance. Think about where your company would have potential responsibility. In PPD-21 and in the executive order, the White House is merging federal activities to deal with cyber and physical critical infrastructure threats.

Form a team to stay abreast of what the working group comes up with. There will be further chances to comment once its recommendations become actual proposed new rules, subject to the standard rule-making process.

From a sales standpoint, it’s time to start role-playing your approach. Ask yourself how you’d position your products in solicitations where cybersecurity and critical infrastructure protection warranties are included as boilerplate. For example:

  • Pre-solicitation, how will your sales messages raise the bar objectively so that solicitations reflect the latest cybersecurity capability?
  • Long-term, what role will your company play in helping set the standards and best practices of today, and keep them evolving in the months, years, and decades to come?

We think it’s vital to future sales that marketers of any product with electronic hardware and software take an active role in shaping whatever cyber-related FAR changes emerge.

Apathy could result in industry becoming saddled with the burden and liability for cybersecurity. Or it could inadvertently freeze standards in contracting language while the real threat morphs at light speed.

Clearly we need to get this regulatory framework right, particularly those of us in the world of commercial-off-the-shelf IT.

About the Author

Steve Charles is a co-founder of immixGroup, which helps technology companies do business with government. He is a frequent speaker and lecturer on technology and the federal procurement process. He can be reached at or connect with him on LinkedIn at

Reader Comments

Tue, Jun 4, 2013

Based on the Monday May 13th entry in the Federal Register (27967 first column lines 13 and 14) comments close on June 12th, 2013. Perhaps there was an update that we missed?

Tue, May 28, 2013 Bill Caelli Australia

Wow - "C2 by '92" again?? Perhaps everyone should read the introduction and preface to the original "Orange Book" or TCSEC of 1983, then 1985 - yes 30 years ago. The problem wasn't definition of requirements - it was making such acquisition COMPULSORY! and REALLY mandatory under REAL penalties to procuring officers who just ignored the specs or claimed "oops - budgetary considerations!"
