Following the release of GAO and Congressional reports detailing counterfeit electronic parts in the Department of Defense (“DoD”) supply chain, Congress and the executive branch have made DoD supply chain security a priority. As part of the Government’s comprehensive approach to improving supply chain security for DoD, previously blogged about here and here, Congress passed legislation containing new reporting requirements for contractors who discover counterfeit or suspected counterfeit parts. The Government – Industry Data Exchange Program, or “GIDEP,” is a joint U.S. – Canadian program, funded by both governments, is currently DoD’s designated reporting organization for counterfeit parts. Continue Reading Reporting Counterfeit Parts to GIDEP Under the Proposed DoD Rule
The past year has showcased major developments in cybersecurity: unprecedented thefts and attacks, with losses estimated in the hundreds of billions of dollars; expanding sector-specific cybersecurity statutes and regulations; and a sweeping Executive Order on cybersecurity for critical infrastructure followed by a recent push for cyber intelligence sharing from Congress. Expect even more significant developments to follow in the coming months.
On May 15, at Crowell & Moring’s annual Ounce of Prevention Seminar (OOPS), C&M attorneys will describe the recent changes to the cyber landscape, as well as give a preview of things to come, in a program called Navigating Cyber Landmines in the Corporate Boardroom: Why & Where Government Contractors Must Tread Carefully. Jim Regan will lead a panel featuring David Bodenheimer, Bryan Brewer and me. We will discuss the exploding risks, escalating legal requirements, and expanding regulatory and RFP burdens in cybersecurity.
Government contractors can register and find more information on the 29th annual OOPS program, including the complete OOPS agenda, here.
The FAR Council issued a proposed rule on March 7, 2013, that would amend the FAR to mirror recent changes to the Small Business Administration’s procedures for protests and appeals of small business size and status determinations. The rule also seeks to provide uniformity for protests and appeals of status as a HUBZone small business concern, Service-Disabled Veteran-Owned Small Business (“SDVOSB”), Economically Disadvantaged Women-Owned Small Business (“EDWOSB”), or Women-Owned Small Business (“WOSB”). Finally, the proposed rule also includes several other revisions, including changes to the requirements of the “nonmanufacturer rule,” updates to small business status following size determinations, and guidance on NAICS determinations.
Size Protests & Appeals. The new rule would increase the time (from 10 to 15 days) for the SBA to make a size determination of a protested business concern. It would also provide the contracting officer with the authority and discretion to authorize more time for the SBA to make its determination, and to award contracts, if necessary, when the SBA has not completed its determinations within 15 days. For appeals, the proposed rule clarifies that it is entirely within the discretion of the SBA’s Office of Hearing and Appeals (“OHA”) whether to hear an appeal of a size determination, and within the contracting officer’s discretion whether to suspend an award to a party whose size determination has been appealed. The proposed rule also allows for email delivery of written protests.
After years of abortive attempts by Congress to enact comprehensive cybersecurity legislation, the President took matters into his own hands on February 12, signing an Executive Order, Improving Critical Infrastructure Cybersecurity. Identifying the cyber threat as “one of the most serious national security challenges we must confront,” this Order, along with its contemporaneous Presidential Policy Directive, lays out the policy goals for the President’s cybersecurity program, as well as some specific initiatives.
Overview. The Order is long on plans for coordinating government cyber efforts, but it is short on concrete details for just how to implement such a unified whole-of-government approach. The specifics in the eight-page document include two major initiatives relating to information sharing and cybersecurity standards.
Information Sharing. The Order lays out the goals and requirements for information sharing on cyber threats. Within 120 days, the Order provides: (1) the Secretary of Homeland Security(“the Secretary”), the Director of National Intelligence (“DNI”), and the Attorney General (“AG”) shall issue instructions on producing unclassified reports of cyber threats to specifically targeted entities; (2) the Secretary, the DNI, and the AG shall include in these instructions a process for disseminating classified reports to those entities authorized to receive such information; and (3) the Secretary, in coordination with the Secretary of Defense, shall establish a voluntary information-sharing network called the “Enhanced Cybersecurity Services Program,” which will provide classified threat information to eligible companies.
Cybersecurity Standards. The Order also requires the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology (“NIST”) to develop a set of standards and processes, incorporating “voluntary consensus standards and industry best practices to the fullest extent possible,” to address cyber risks. The Order designates this set of standards as the “Baseline Framework.” In addition, the Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program, using the Baseline Framework as the foundation for entry into the program. The Order directs the Secretary to establish a set of incentives for private companies to enter into the Program, noting that some of the preferred incentives may require legislation. Finally, the Order directs the Federal Acquisition Regulatory Council to develop recommendations on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” thus signaling a likely push for new cybersecurity acquisition regulations for government contractors and the private sector.
No Safe Harbors. The Order is almost as notable for what it lacks as for what it includes. The executive branch lacks the legal authority to indemnify companies that meet certain minimum security standards or to exempt from FOIA any information shared by private entities. These steps will be vital to ensure private sector cooperation and buy-in to the federal government’s cybersecurity plans.
The Future. In his State of the Union address, the President underscored the continuing need for cyber legislation, concluding that “Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.” Until Congress acts, questions will remain on just what sort of public-private partnership can exist without protections for participating private entities. Similarly, government contractors will need to pay close attention to the forthcoming incentives and recommendations on security standards in acquisition planning and government contract administration.
Just before the closing bell for 2012, the federal government gave its first approval for government-wide security authorization to a cloud service provider. On December 26, the General Services Administration (GSA) certified its first cloud service provider under the Federal Risk and Authorization Management Program, more commonly known as FedRAMP. The GSA expects last month’s authorization to pave the way for more in early 2013, with some anticipating as many as 10 to 15 authorizations over the course of the year.
In an effort to better implement the government’s “Cloud First” policy, the GSA collaborated with private industry and other executive agencies – including the NIST, DHS, and DOD – to standardize security requirements for federal cloud contractors. Begun in June 2012, certification under the FedRAMP standards will become mandatory by the same month in 2014.
North Carolina-based Autonomic Resources has been the first cloud service provider to check all of FedRAMP’s boxes, but its journey to complete federal endorsement is not over. Cloud service providers seeking FedRAMP approval must undergo a four-step application process. Either a contractor or an agency may initiate a FedRAMP review. Contractors must then retain a “third party assessor” (3PAO) to perform an independent assessment of whether the contractor’s security systems comply with Federal Information Security Management Act (FISMA) and NIST standards. With a 3PAO’s security assessment package in hand, the contractor may then apply for provisional authorization from FedRAMP’s Joint Authorization Board (JAB), comprised of the Chief Information Officers (CIOs) from the DOD, DHS, and GSA. This is the certification that FedRAMP has granted Autonomic Resources, but the key word is “provisional.” The JAB “authorization to operate” (ATO) is but an initial endorsement of the contractor’s security controls and their acceptable risk. Specific agencies are to then leverage this threshold approval to streamline their more tailored ATOs. Although not formally a part of the application process, it is worth noting that, even after agency approval, the contractor must provide FedRAMP with continuous monitoring reports and various updates.
As the former federal CIO stated, the idea behind the FedRAMP process is “approve once, use often.” This practice seeks to maximize transparency between cloud contractors and the federal agencies, while minimizing duplicative efforts. The GSA expects the result to be a universal and trustworthy security authorization process that consumes less time and fewer taxpayer dollars. Current GSA estimates predict that, with the help of the FedRAMP system, agencies will save approximately $200,000 per authorization. Until the GSA ushers more prospective cloud contractors through the FedRAMP process, however, federal agencies will have to wait for such savings. In the meantime though, nothing is preventing agencies from relying on FedRAMP guidelines to independently scrutinize the security of their contractors.
For more information about federal cloud computing and acquisitions, see http://www.crowell.com/files/Cloud-Computing-Acquisitions-Cybersecurity.pdf.