Industry groups worry that cyber may get lost amid the contracting morass of federal orders

  • A pedestrian walks by the headquarters of The Boeing Company on January 29, 2020 in Chicago, Illinois. New reporting requirements for IT and OT contractors have led to consternation in the contracting community. (Photo by Scott Olson/Getty Images)

    In the contracting world, clarity matters.

    Nearly every task and service outlined in a federal contract is specific, outlining the services the vendor is expected to provide, for how long, to what degree of reliability, the headcount and location of staff expected to be available on or off-site, how much it all costs and what standards need to be followed.

    This is another way of saying that contractors – a community that regularly hosts weekly or monthly trainings to help companies match their services and products to regulatory requirements – abhors uncertainty.

    An executive order issued by the Biden administration in May would impose a range of new requirements on federal agencies, some that directly relate to the procurement process and others that could have trickle down effects on the community of vendors and contractors that provide those services.

    Industry groups have largely welcomed the idea in principle, but some have also raised concerns that the contracting community lacks crucial detail and context for what will be expected and if they will be able to meet the government’s new requirements.

    While the Biden executive order released in May clearly notes efforts by the government to raise the bar around security, Gordon Bitko, senior vice president for policy at the Information Technology Industry Council, noted that it’s only one of numerous new issues contractors are expected to prioritize. Other executive orders this year have similarly emphasized a range of other focus areas, from improving racial equity in the contracting process, to reducing a company’s carbon footprint and focusing on domestic manufacturing versus outsourcing internationally.

    While he supports all of those initiatives, Bitko expressed worry that the cumulative impact may result in a vendor community that is largely confused about what is needed to win a contract and what is not. For example, if an agency is bidding out a contract and one vendor has better cybersecurity but another has invested in reducing the environmental costs of their services, which one should an agency prioritize or reward over the other? How many agencies will throw up their hands and decide it’s less complicated to build a system in-house or abandon the project altogether?

    “Those are all admirable goals and it’s understandable why they are all being addressed through procurement, but when you take them together this is going to a real challenge for the government, for procurement staff within agencies,” he said during a June 29 press calI. “None of those requirements are about the typical ways that the government buys goods and services, they’re all about other priorities and indirect things that agencies are going to need to take into account as they go through procurements.”

    One of the more ambiguous changes could come in September, when leaders for the Department of Homeland Security and Office of Management and Budget must “take steps” to ensure IT and operational technology service providers who contract with the government are sharing data around breaches and cybersecurity incidents. It comes after a wave of damaging supply chain hacks over the past year targeted companies like SolarWinds that provide software and other technology services to the government as a conduit to compromise federal agency networks.

    The steps will certainly include updates to existing contracting language that limits or prohibits contractors from sharing such data with the Cybersecurity and Infrastructure Security Agency, the FBI and intelligence agencies that are often charged with incident response in the wake of a hack.

    Megan Petersen, senior director of policy, public sector and council at ITI and a former procurement attorney at the FBI, said there remains widespread confusion about what data or information contractors will be expected to share with those agencies. There’s also other equities, like data privacy, that make the details more than just an academic exercise.

    “The government will need to think through some of the legal and privacy requirements associated with all of this, to the extent that contractors are not already authorized or required to collect, monitor information and share it with the government,” Petersen said when asked about the comfort level of contractors who are expected to meet these new reporting requirements. “There will really need to be some specific changes to contracts [or] updates to authorities, but all of that has to be analyzed in terms of how can contractors actually provide this information, what authority do they have to do so? That has to be reviewed as well beyond just the technical implications of: ‘can they do this?’”

    Letetia Henderson, former assistant administrator for the Office of Acquisition at the Transportation Security Administration, told SC Media that this confusion is often the product of the federal bureaucracy and rulemaking process. An executive order may direct agencies to do something, but it’s often up to agencies and individual offices to determine the how.

    In this case, Henderson said the clarity contractors are seeking will likely not come from procurement officers, but the reporting requirements developed by the offices that own the affected systems and programs.

    “What I would say is that the contract community and procurement specifically has a responsibility to ensure that the government is getting value for what they purchase,” she said. “That passion associated with…resisting change or griping is more about just being clear about what the change is and how we implement it. I think it’s less about the procurement community and more about the requirement community and how they embrace the change and describe what the requirements should be.”