On February 12, 2013, the White House issued Executive Order No. 13636, Improving Critical Infrastructure Cybersecurity,[1] encouraging a public-private collaboration to improve the nation’s cybersecurity. The intent of the executive order is to create a voluntary cybersecurity program relating to critical infrastructure. In order to do so, the National Institute of Standards and Technology (“NIST”) is “to lead the development of a framework to reduce cyber risks to critical infrastructure,” including “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”[2]
Another requirement of that executive order is that the General Services Administration and the Department of Defense, consulting with the Department of Homeland Security and the FAR Council, will “make recommendations on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration and address what steps can be taken to harmonize, and make consistent, existing procurement requirements related to cybersecurity.”[3] The executive order gave the agencies just 120 days to address this requirement, making the final report due June 12, 2013.
To accomplish this task, a working group has been established that includes a group of “topic-knowledgeable members” selected from the agencies named in the executive order and also from NIST.[4] The working group published a Request for Information (“RFI”) on May 13, 2013, in the Federal Register seeking public comment that will be used in the development of the working group’s recommendations. The RFI has 37 questions, broken down into three categories: (1) Feasibility and Federal Acquisition, (2) Commercial Practices, and (3) Harmonization.
The first category relating to feasibility consists of 12 questions, including (1) how the “inherent constraints and the current fiscal realities” would affect the contractor's ability to incentivize better cybersecurity while minimizing barriers to entry to the federal market, and (2) potential “challenges in developing a cross-sector standards-based approach cybersecurity risk analysis and mitigation process for the federal acquisition system.” The next 19 questions pertain to actual commercial practices, such as (1) the organization’s policies and procedures with regard to cybersecurity risk, (2) where cybersecurity fits within the organization's corporate structure, and (3) whether the organization tested or validated its practices. The remaining category includes six questions about harmonization of policies and laws, such as (1) whether an organization has encountered other standards, and (2) the role that national/international standards should play in federal acquisitions.
At least one trade association representing contractors, the Professional Services Council (“PSC”), has urged agency leaders to suspend the multiple FAR and DFARS cybersecurity initiatives currently under way until NIST has developed the cybersecurity framework the executive order requires it to create. According to PSC, it would make far more sense for NIST to complete the initial framework before acquisition-specific requirements are developed.
Comments are due no later than June 12, 2013, and may be submitted electronically or via mail. Note that June 12 is also the date that the agencies’ final report on this matter is due. Interested parties should submit their comments as far in advance as possible.
[1] 78 Fed. Reg. 27966-27968 (May 13, 2013).
[2] 78 Fed. Reg. at 11739, 11741 (Feb. 19, 2013).
[3] 78 Fed. Reg. at 27966-7 (emphasis added).
[4] NIST is a non-regulatory agency within the U.S. Department of Commerce.