This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Comments on Information Security Continuous Monitoring (ABA Section of Public Contract Law) #46

Open
ABAPCLS opened this issue Sep 10, 2015 · 0 comments


ABAPCLS commented Sep 10, 2015

American Bar Association Section of Public Contract Law
Comments on OMB’s Draft Guidance
“Improving Cybersecurity Protections in Federal Acquisitions”
Information Security Continuous Monitoring

The Section of Public Contract Law (“Section”) of the American Bar Association ("ABA") understands that continuous monitoring is increasingly important in assuring controlled unclassified information (“CUI”) and other controlled information remains secure. The Section also recognizes that Information Security Continuous Monitoring (“ISCM”) will be a key consideration in assuring adequate cybersecurity protections in federal acquisitions. The Section, however, has identified two sections of the guidance that would benefit from greater clarity around the factors that agencies should consider in setting the standards for ISCM.

First, although the draft guidance contemplates that agencies may need the assistance of the Department of Homeland Security’s (“DHS”) Continuous Diagnostics and Mitigation (“CDM”) program to “establish[] ISCM capabilities quickly,” the draft guidance also recognizes that it may not always be “feasible” to provide this tool to contractors operating information systems on behalf of the Government. Even if DHS’s CDM is not provided, the contractor-operated system must still meet or exceed the information security continuous monitoring requirements identified in OMB Memorandum M-14-03[1]; and the agency may elect to perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing.

The cost in terms of time and resources necessary to create a system satisfying the requirements of M-14-03 could operate as a barrier to entry, particularly for small and mid-size businesses, which often lack the advantages of strategic sourcing to implement ISCM protections in their systems and have fewer resources available to develop ISCM capabilities. This barrier to entry is all the more disconcerting if agencies will have unfettered discretion to determine that it is “not feasible” to provide DHS’s CDM capabilities to a contractor operating information systems on behalf of the Government. Without knowing what factors an agency may consider in determining the feasibility of providing DHS’s CDM capabilities to contractors, it is difficult for contractors to undertake the business planning and resource allocation necessary to be ready to implement ISCM protections and “work together [with agencies] to determine and implement an appropriate solution that fulfills the ISCM requirements.” Thus, the Section encourages OMB to require agencies to consider the capabilities and availability of small business and mid-size contractors when determining the feasibility of providing DHS’s CDM capabilities to contractors operating information systems on their behalf.

Another potential barrier to entry is the discretion that the draft guidance would grant to agencies to “perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing.” The Section recommends that the draft guidance require agencies to communicate with the contracting community (and particularly small and mid-size businesses) and information-security standard-setting organizations regarding the factors it will consider in determining the tools and infrastructure it will use for ISCM monitoring. Further, the Section urges agencies to seek consistency in the tools and infrastructure used for monitoring. This consistency will enable the contracting community to better prepare to satisfy agencies’ ISCM needs and increase the number of contractors available to the Government.

[1] This memorandum is available at https://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14-03.pdf.

The Section’s complete comments on OMB’s draft guidance are available in a consolidated pdf at http://www.americanbar.org/groups/public_contract_law/resources/prior_section_comments.html under the topic “Cybersecurity; Access to and Protection of Information.” The views expressed herein have not been approved by the ABA House of Delegates or the Board of Governors of the ABA and, therefore, should not be construed as representing the policy of the ABA. Mary Ellen Coster Williams, Section Delegate to the ABA House of Delegates, and Heather K. Weiner and Anthony N. Palladino, members of the Section’s Council, did not participate in the Section’s consideration of these comments and abstained from the voting to approve and send this letter.

@ABAPCLS ABAPCLS changed the title Comments on Information Security Continuous Monitoring (ABA PCLS) Comments on Information Security Continuous Monitoring (ABA Section of Public Contract Law) Sep 10, 2015