GSA Seeks Comments on Cyber Security Related Regulation of Federal Suppliers
March 12, 2014. The General Services Administration (GSA) published a notice in the Federal Register (FR) that requests public comments regarding "how to implement" the "recommendations" contained in the joint GSA and Department of Defense (DOD) document titled "Final Report of the Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition".
The just released notice in the FR requests comments, but poses no specific questions. The deadline to submit comments is April 28, 2014. See, FR, Vol. 79, No. 48, March 12, 2014, Page 14042.
This GSA/DOD report is dated November 2013. The GSA and DOD released it on January 23, 2014.
First, this GSA/DOD document imposes requirements for cyber security in products and services procured by the federal government. The federal government is tasked by statute with maintaining cyber security in federal systems.
This document merely contains six broad, unspecified, and/or vague requirements related to federal procurement.
This document requires that the federal government and federal suppliers (1) institute baseline cyber security requirements as a condition of contract award for appropriate acquisitions, (2) address cyber security in relevant training, (3) develop common cyber security definitions for federal acquisitions, (4) institute a federal acquisition cyber risk management strategy, (5) include a requirement to purchase from original equipment or component manufacturers, their authorized resellers, or other trusted sources, for appropriate acquisitions, and (6) increase government accountability for cyber risk management. However, this document provides no definitions, and imposes no specific requirements.
However, this document also creates a process that goes beyond federal systems and federal procurement.
This document leverages the federal government procurement process to regulate private sector cyber security practices unrelated to procurement.
This document also creates regulatory processes that may be employed by the federal government, and by lobbyists, to pursue policy goals unrelated to cyber security.
The Congress has not enacted a statute that gives the federal government general regulatory authority with respect to cyber security practices in the private sector. In the 112th Congress, the House passed a bill, which the Senate did not take up. The Senate considered, but did not pass, a much different bill. The House has also passed a revised version of its bill in the current Congress. See, HR 624, the "Cyber Intelligence and Sharing Protection Act" or CISPA, in the 113th Congress, and HR 3523, a bill with the same title, in the 112th Congress.
The Obama administration did not work with the Congress to enact general cyber security laws, and then "take Care that the Laws be faithfully executed". Rather, the Obama administration proceeded to regulate by executive fiat.
The focus of House bills is incenting companies to share cyber threat information with relevant government agencies. The focus of the Obama administration is government regulation.
This GSA/DOD document states that it implements President Obama's Executive Order (EO) 13636, titled "Improving Critical Cybersecurity Infrastructure", and released in February of 2013. See also, story titled "Obama Signs Cyber Security Order and Policy Directive" and related stories in TLJ Daily E-Mail Alert No. 2,525, February 19, 2013.
Section 8(e) of that EO states in full that "Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity."
However, the GSA/DOD document goes beyond this language. It states that it imposes "requirements in both their own operations and in the products and services they deliver" to the government. (See, page 7.) That is, the document imposes company-wide obligations on any company that does business with the federal government.
The GSA/DOD document also provides that the federal government may regulate not only the supplier's products and services, but also may limit with whom they do business. Their suppliers must be "trusted" and "authorized". And, the document provides that this means government authorization. (See, page 18.)
In recent years the US government has allowed trade protectionism considerations to creep into cyber security deliberations (as well as other ICT-related processes, such as OUSTR reviews of Section 337 exclusion orders). The GSA/DOD document sets up a process that would be ripe for exploitation by US companies that would lobby to limit foreign competition under the guise of cyber security.
While the document asserts authority to regulate the company-wide cyber security practices of federal suppliers, including practices unrelated to procurement, it contains few words regarding the likely consequences of such an assertion.
For example, the GSA/DOD document is silent regarding what impact its requirements might have upon liability in civil litigation, and how anticipation of such liability might be used to obtain compliance. If a federal contractor were sued in state or federal trial court for damages arising out of an alleged data breach, what impact would compliance, or non-compliance, with the requirements set by the GSA/DOD have upon that litigation?
(Published in TLJ Daily E-Mail Alert No. 2,634, March 19, 2014.)