On February 12, 2013, President Obama signed Executive Order 13636 for Improving Critical Infrastructure Cybersecurity (EO), along with Presidential Policy Directive-21 on Critical Infrastructure Security and Resilience (PPD-21). Now, some 120 days later, federal agencies are feeling the crunch to report back to the White House with their findings on the state of federal cybersecurity and their recommendations going forward.

Among those with a June 12, 2013, deadline are the Department of Defense and the General Services Administration. Under Section 8(e) of the EO, the two agencies were to consult with the Department of Homeland Security (DHS) and the Federal Acquisition Regulation (FAR) Council to craft recommendations regarding how to improve cybersecurity within federal procurement. Specifically, their June 12 report should inform the President on the feasibility of incorporating cybersecurity standards into federal acquisitions, along with the security benefits and other relative merits of doing so.

The GSA took a crucial step in the right direction on May 13, 2013, when it issued a request for information (RFI) for public comment on cybersecurity (78 Fed. Reg. 27968). Therein, it solicited feedback from industry stakeholders on how to best implement the cyber EO, presenting 37 questions addressing three key areas: (1) the feasibility of adopting cyber acquisition standards, (2) current cyber-procurement practices in the commercial sector, and (3) reconciling potential conflicts between the EO mandate and other pre-existing contractor obligations.

As seen in the submissions that the GSA has received thus far, commentators are advocating for a risk-based, flexible approach to cyber standards and emphasizing the beneficial role that organizations like the National Institute of Standards and Technology (NIST) can play in their establishment. Many have also commended the GSA’s focus on “harmonization,” noting that the current patchwork of applicable statutes and regulations is confusing at best and irreconcilable at worst.

The RFI remained open to submissions until the date of the EO deadline, so contractors will likely have to wait a little bit longer for the final recommendations.

Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.