Industry Group Raises Red Flags on New OMB Cybersecurity Guidance

Published: September 16, 2015

Tags: Acquisition Reform, Cybersecurity, OMB, Policy and Legislation

The federal government has circulated draft guidance aimed at improving cybersecurity among federal contractors, and a major industry group sees a range of problems ahead unless the guidance is reworked.

In August, the Office of Management and Budget (OMB) issued for public comment proposed guidance intended to bolster protections for sensitive federal information in two settings: systems a contractor operates on the government's behalf, and a contractor's own internal systems that handle such information. After reviewing it, an industry group representing federal contractors has raised concerns that the guidance may do more harm than good.

In a recent letter to OMB, Professional Services Council (PSC) president and CEO Stan Soloway provides detailed concerns, saying that it is “crucial to ensure that the guidance, and any subsequent Federal Acquisition Regulation (FAR) changes and related contract clauses, appropriately address issues of concern to contractors.”

When the draft guidance – “Improving Cybersecurity Protections in Federal Acquisitions” – was first released, I looked at the five areas addressed in the document and expressed that they could portend greater demands on agencies and contractors for more mature processes, standards, and IT management, as well as more security-related contract riders that would raise the stakes for bidders and increase operating costs for federal contractors.

Soloway shares similar concerns and is wary of both what the guidance covers, and how, as well as what it does not cover. Some of PSC’s concerns with the guidance include:

  • The guidance offers generalized statements rather than uniform direction and standardized cybersecurity definitions, and it leaves agencies wide latitude to deviate as they deem necessary. Soloway encourages OMB to draw on existing federal best-practice models to remedy this shortcoming.

  • The guidance is inconsistent with existing guidance and rules already in use across federal agencies, many of which are instituted in existing regulatory and contractual actions, including some Schedules. As an example, Soloway cites the Defense Department’s Unclassified Controlled Technical Information (UCTI) rule from 2013, which already requires contractors handling UCTI to comply with more than fifty controls.

  • The guidance affords agencies so much flexibility to adjust their security standards on a contract-by-contract basis, and to include specific contract clauses and remedies in individual solicitations and contracts, that the resulting efforts end up more complicated and perpetuate a lack of interoperability.

In light of these concerns and others, PSC recommends that OMB either substantially revise the guidance to remove these conflicts, or withdraw it and rely on the standard FAR process to establish government-wide cybersecurity contracting standards.

At the risk of overstating the issue, the sense I get from PSC’s assessment is almost as if OMB were issuing new cybersecurity contracting rules in a vacuum – without reading the existing rules, or at least without overtly explaining how the new rules align with, build upon, or supersede the rules already on the books. Further, it highlights the challenge of reconciling the flexibility agencies might need in devising technical solutions with the inflexibility that is typically inherent in government contract regulations.

Granted, OMB did submit the guidance for public comment and PSC and others have provided detailed feedback. Hopefully, what results will be a cohesive approach that serves the common interest while navigating the complexities of federal cybersecurity.