American Bar Association Section of Public Contract Law
Comments on OMB’s Draft Guidance
“Improving Cybersecurity Protections in Federal Acquisitions”
Business Due Diligence
The draft guidance to agencies would modify current pre-award and post-award business due-diligence processes to add a cybersecurity element. The draft guidance suggests leveraging a current General Services Administration (“GSA”) pilot to create a business due-diligence information shared service, which would provide agencies with access to various types of “risk information,” with data collected from multiple sources, including public records, publicly available and commercial-subscription information, and voluntary contractor reporting. The Section of Public Contract Law (“Section”) of the American Bar Association (“ABA”) identifies below areas that the Section believes require further attention and detail from the Office of Management and Budget (“OMB”).
First, the Section believes that this part of the draft guidance does not clearly state whether this new requirement would apply only to acquisitions and contracts in which systems are being operated on behalf of the Government or whether it also would extend to any procurement that would involve contractor access to controlled unclassified information.
The Section recommends that the OMB carefully consider any potential detrimental use of voluntary reporting of incidents by contractors. Information sharing is a critical component of effective cybersecurity and we suggest that the Government should refrain from using voluntary disclosures against participants. The Section further notes that the use of such data for acquisition purposes may violate the fundamental confidentiality obligations and use limitations agreed to by the Government in industry information-sharing framework agreements[1] and in some of the proposed information sharing legislation now being considered in Congress.[2] Indeed, the use of prior incidents as a negative in business due-diligence assessments could harm those companies that already have robust information security systems, with features including continuous monitoring and other mature cyber defenses in place, which would have made them more cognizant of and able to report on such matters even before the issuance of this policy.
Although the draft guidance refers to the collection and utilization of such data as based “on transparent, objective, and measurable risk indicators,”[3] the draft guidance does not define what those indicators will be. Rather, OMB contemplates that, within 90 days of publishing the final guidance, an interagency cyber team will work with GSA to develop and recommend the specific risk indicators that should underlie this cyber due-diligence process. The Section recommends that the working group allow industry comment on any indicators before they are finalized.
The draft guidance also does not address how cyber due diligence will be used by the Government and whether contractors will be permitted input into any assessments that the Government makes based on this information.
Ultimately, unlike for the other four sections in the draft guidance, here OMB does not contemplate that this effort will be part of a forthcoming Federal Acquisition Regulation rulemaking. The draft guidance raises significant questions, including potential legal issues relating to de facto debarment and rulemaking requirements.[4] In light of the relatively less mature status of this part of the draft guidance compared with the other recommendations, we recommend that the business due-diligence section be deleted from the guidance and be distributed separately in draft form for public comment, and that any rule on this be issued in accordance with procurement rulemaking requirements once the matter is more clearly defined, so that a similar level of transparency can be achieved with this important issue.
[1] See DFARS part 236, Department of Defense (DOD)-Defense Industrial Base (DIB) Voluntary Cyber Security and Information Assurance (CS/IA) Activities; see also http://dibnet.dod.mil/staticweb/Register.html
[2] See, e.g., Protecting Cyber Networks Act, H.R. 1560, § 203; National Cybersecurity Protection Advancement Act of 2015, §§ 3, 7.
[3] See https://policy.cio.gov.
[4] A process that would result in debarment of a government contractor requires affording the contractor due process. See, e.g., FAR subpart 9.4. Procurement rules in general require rulemaking notice and comment as well. See, e.g., 41 U.S.C. § 1707(a).
The Section’s complete comments on OMB’s draft guidance are available in a consolidated pdf at http://www.americanbar.org/groups/public_contract_law/resources/prior_section_comments.html under the topic “Cybersecurity; Access to and Protection of Information.” The views expressed herein have not been approved by the ABA House of Delegates or the Board of Governors of the ABA and, therefore, should not be construed as representing the policy of the ABA. Mary Ellen Coster Williams, Section Delegate to the ABA House of Delegates, and Heather K. Weiner and Anthony N. Palladino, members of the Section’s Council, did not participate in the Section’s consideration of these comments and abstained from the voting to approve and send this letter.