Cyber getting baked into more procurements

Find opportunities — and win them.

Work is underway on increasing cybersecurity requirements on many of the IT products and services government agencies buy. Procurement expert Steve Charles explores the critical steps you must take to prepare for this change in the market.

A new but not widely noticed provision in the recent White House Executive Order 13636 will mean a major change in federal procurement. The order, a companion directive accompanying Presidential Policy Directive 21, established a multi-agency work group that has been asking industry and federal agencies how cybersecurity could be made a baseline requirement in all acquisitions.

Not just buys of specific cybersecurity products, but of any items or services that somehow touch critical infrastructure. That’s a broad range of potential acquisitions.

If you sell software, any piece of electronic hardware, or systems integration services to the federal government, you need to know about the so-called DOD-GSA Section 8(e) Working Group. The output of this working group will eventually result in new Federal Acquisition Regulations covering anything with a potential cybersecurity element.

This is no long range effort. The EO, which came out in February, gave the working group 120 days to come up with its recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”

The machinery necessary to get a FAR change implemented won’t produce the intended change overnight. But it’s not too early to start positioning your products in terms of how they support or enhance cybersecurity.

Basically, the administration wants to get as much cybersecurity progress as it can in the absence of legislation from an uncooperative Congress. It can only do so much with industry by fiat. But it can indirectly get more from industry by leveraging authority over federal agencies. Nothing new here, just a new application of advancing cyber policy via the government’s buying power.

Luckily, industry had the chance to weigh in, and presumably the task force is evaluating comments.

The working group has people from Defense, Homeland Security, and GSA. The group’s specific job is to carry out Section 8(e) of White House Executive Order for embedding cybersecurity requirements into all federal acquisition planning and procurement processes.

The working group, in a request for information, came up with 37 questions, grouped into three themes:

  • Is it feasible to incorporate cybersecurity standards into federal buys in the first place?
  • What are commercial procurement practices when it comes to cyber?
  • Would acquisitions containing specific cybersecurity requirements conflict with existing laws, regulations, or even common practices? If so, what should we do about it?

Comments have closed, but it’s not too late to become involved. At the least, read the executive order, especially Sections 7 and 8. Make sure it gets top management attention, especially if your company is headquartered outside of the Washington region where they might not be in tune with uniquely federal dynamics.

The questions are extensive, and probably no single individual can answer all of them. But since industry is helping prepare a dish companies will eventually be served, here are some things to keep in mind:

Understand that in seeking this public input, the working group defines cybersecurity rather widely, to include supply chain risk management and software assurance. Think about where your company would have potential responsibility. In PPD-21 and in the executive order, the White House is merging federal activities to deal with cyber and physical critical infrastructure threats.

Form a team to stay abreast of what the working group comes up with. There will be further chances to comment once its recommendations become actual proposed new rules, subject to the standard rule-making process.

From a sales standpoint, it’s time to start role-playing your approach. Ask yourself how you’d position your products in solicitations where cybersecurity and critical infrastructure protection warranties are included as boilerplate. For example:

  • Pre-solicitation, how will your sales messages raise the bar objectively so solicitations are reflecting the latest cybersecurity capability?
  • Long-term, what role will your company play in helping set the standards and best practices of today, and keep them evolving in the months, years, and decades to come?

We think it’s vital to future sales that marketers of any product with electronic hardware and software take an active role in shaping whatever cyber-related FAR changes emerge.

Apathy could result in industry becoming saddled with the burden and liability for cybersecurity. Or it could inadvertently freeze standards in contracting language while the real threat morphs at light speed.

Clearly we need to get this regulatory framework right, particularly those of us in the world of commercial-off-the-shelf IT.