Government contractors are urging OMB to go back to the drawing board and rewrite draft advice to federal officials about how to ensure the IT products they buy are cyber-secure.
In a letter released Monday, Stan Soloway, president and CEO of the Professional Services Council, a government contractors’ industry association, urges OMB to either extensively revise its draft cybersecurity acquisition guidance, or scrap it altogether and use new federal acquisition regulations to raise the cybersecurity bar for government IT purchases.
“We view the current draft version of the guidance as being too little, too late and too flexible,” wrote Soloway in the letter, addressed to Federal CIO Tony Scott and Office of Federal Procurement Policy Administrator Anne Rung.
The proposed guidance, posted on the federal CIO Council website for public comment on Aug. 11, lays out recommendations for U.S. government contracting officials to consider in five areas when buying IT. The five areas are: security controls, cyber-incident reporting, security assessments, continuous monitoring and due diligence.
“We have significant concerns with the OMB guidance—both for what and how it covers the five topics and for what it fails to cover,” wrote Soloway.
According to the contractors’ association, the draft guidance is “too little” because it doesn’t impose any uniformity on government agencies, offer any common definitions of cybersecurity terms or provide any outreach or training for the private sector.
It is “too late” because too many federal agencies, including the Defense Department, the government’s largest buyer of contracted goods and services, have already issued regulations or taken other steps that address many of the five areas of the draft guidance, “thus undercutting any hope for uniform, government-wide guidance,” the letter states.
Finally, the guidance is “too flexible” because it lets each agency choose which National Institute of Standards and Technology guidance documents apply to which solicitations, and recommends that agencies “address on a contract-by-contract basis the specific contract clauses and remedies” that apply.
“Today more than ever, additional attention needs to be focused on delivering measurable outcomes that improve cybersecurity,” said Dave Wennergren, PSC’s senior vice president of technology. “OMB guidance will be most helpful if it ensures consistent, streamlined reporting requirements across federal agencies and focuses on improving cybersecurity outcomes rather than just increasing oversight.”
“Given the significant flaws in the current draft guidance, we recommend that OMB significantly revise the guidance to ensure a consistent, unified approach that eliminates conflicts, overlaps, burdensome requirements and vagueness in the application of the guidance across federal agencies,” Wennergren said. “Or, in the alternative, OMB should just withdraw the guidance and use the federal acquisition regulatory process to establish government-wide contracting standards for this crucial issue.”
In response to PSC’s letter, an OMB spokesman told FedScoop: “The agency appreciates the Council’s input and will review it alongside the valuable feedback received during the public comment period.”