June 2, 2020


Federal Information Technology (IT) Acquisition Policy Recommendations Focus on Cybersecurity

The Department of Defense and the General Services Administration, which together spend more than $500 billion annually on information technology, have released a joint report to the White House recommending steps to upgrade the cybersecurity requirements for acquisitions of information technology and services throughout the federal government. These recommendations will affect not only suppliers to federal agencies; together with the NIST Cybersecurity Framework for critical infrastructure to be released in mid-February, they will be felt throughout the broader U.S. marketplace for IT goods and services.

Executive Order 13636, issued in February 2013, is best known for initiating development of the NIST Cybersecurity Framework for critical infrastructure, which is due to be released in two weeks. The EO had other, less well-known provisions, including a requirement that DoD and GSA make recommendations for incorporating cybersecurity requirements into standards for federal acquisitions of information technology products and services. This report, completed in November but not released until yesterday, recommends adoption of standards and practices that will significantly affect both federal IT procurement and the broader U.S. market for information technology.

Among the recommendations are the following:

  • For acquisitions that present cyber risks, the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver. The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified.

  • Require organizations that do business with the federal government to receive training about the acquisition cybersecurity requirements of the organization’s government contracts.

  • Mitigate the risk of receiving inauthentic or otherwise nonconforming items by obtaining required items only from original equipment manufacturers, their authorized resellers, or other trusted sources.

The report acknowledges that “while it is not the primary goal, implementing these recommendations may contribute to increases in cybersecurity across the broader economy, particularly if changes to Federal acquisition practices are adopted consistently across the government and concurrently with other actions to implement the [NIST] Cybersecurity Framework.”

Initially, the recommendation that cybersecurity be built into the technical requirements of procurements will be implemented through two rulemakings currently underway: “Basic Safeguarding of Contractor Information Systems,” published as a proposed rule in August 2012, and “Safeguarding Unclassified Controlled Technical Information,” published by DoD as an interim rule in December 2013.

The recommendation to narrow the sources from which the government may buy information technology to OEMs, authorized resellers and “other trusted sources” inherently conflicts with broad competition and may place some smaller contractors at risk because they do not have, or cannot achieve, the required status. The report acknowledges that “limiting eligibility to only these types of sources for all acquisitions may not be compatible with acquisition rules, socioeconomic procurement preferences, or principles of open competition,” but leaves resolution of that difficult problem to another day.

The report contends that its recommendations are really more addressed to changing the behavior of government acquisition personnel than changing the behavior of industry, but the consequences of the acquisition rule and policy changes already underway on the larger industry are inevitable.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
