On February 12, 2013, President Obama signed Executive Order 13636 for Improving Critical Infrastructure Cybersecurity (EO), along with Presidential Policy Directive-21 on Critical Infrastructure Security and Resilience (PPD-21). Now, some 120 days later, federal agencies are feeling the crunch to report back to the White House with their findings on the state of federal cybersecurity and their recommendations going forward.
Among those with a June 12, 2013, deadline are the Department of Defense and the General Services Administration. Under Section 8(e) of the EO, the two agencies were to consult with the Department of Homeland Security (DHS) and the Federal Acquisition Regulation (FAR) Council to craft recommendations regarding how to improve cybersecurity within federal procurement. Specifically, their June 12 report should inform the President on the feasibility of incorporating cybersecurity standards into federal acquisitions, along with the security benefits and other relative merits of doing so.
The GSA took a crucial step in the right direction on May 13, 2013, when it issued a request for information (RFI) for public comment on cybersecurity (78 Fed. Reg. 27968). Therein, it solicited feedback from industry stakeholders on how to best implement the cyber EO, presenting 37 questions addressing three key areas: (1) the feasibility of adopting cyber acquisition standards, (2) current cyber-procurement practices in the commercial sector, and (3) reconciling potential conflicts between the EO mandate and other pre-existing contractor obligations.
As seen in the submissions that the GSA has received thus far, commentators are advocating for a risk-based, flexible approach to cyber standards and emphasizing the beneficial role that organizations like the National Institute for Standards and Technology (NIST) can play in their establishment. Many have also commended the GSA’s focus on “harmonization,” noting that the current patchwork of applicable statutes and regulations is confusing at best and irreconcilable at worst.
The RFI remained open to submissions until the date of the EO deadline, so contractors will likely have to wait a little bit longer for the final recommendations.