This repository has been archived by the owner on Mar 3, 2022. It is now read-only.
American Bar Association Section of Public Contract Law
Comments on OMB’s Draft Guidance
“Improving Cybersecurity Protections in Federal Acquisitions”
Information System Security Assessments
The draft guidance requires agencies to develop an approach to assessing the security of information systems operated by contractors, including an assessment by the senior agency official for privacy as to the level of necessary privacy controls. The Section of Public Contract Law (“Section”) of the American Bar Association (“ABA”) agrees with the recognition in the draft guidance that differing approaches may be appropriate depending on the information systems and data at issue. It would be helpful, however, if the Office of Management and Budget (“OMB”) revised the draft guidance to specify which portions of the guidance on information system security assessments apply to information systems managed “on behalf of” the Government and which portions apply to internal contractor systems that contain controlled unclassified information (“CUI”).
The Section applauds the draft guidance’s recognition that many contractors operating in the commercial market already receive a variety of independent assessments that may be useful for assessing the security of contractor systems. Consistent with the Federal Acquisition Streamlining Act and the Federal Acquisition Regulation’s promotion of commercial item contracting, OMB should maintain this flexibility as the guidance is finalized. Further clarification as to which independent assessments would meet the Government’s needs would allow contractors to allocate resources in a meaningful way and to plan appropriately.
There are two areas of the draft guidance where the Section notes concerns. First, in the assessment process, contractors will be required to give agencies access to the contractors’ “facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract, regardless of location.”[1] The draft guidance does not limit this access. This unlimited access would be a concern because contractor information is commingled with trade-secret, proprietary, privileged, and/or third party data subject to non-disclosure requirements. The Section recommends that the final guidance recognize these limitations. For example, a clause at Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “Safeguarding Unclassified Controlled Technical Information,” which was effective until a DFARS interim rule published on August 26, 2015, provided that the obligation to share data in a post-cyber incident assessment “exists unless there are legal restrictions that limit a company’s ability to share digital media.”[2] The Section recommends that OMB include a similar recognition in the final guidance regarding any potential government access to contractor systems.
Second, the draft guidance states that agencies will be required to specify in each solicitation how contractors will be required to demonstrate that they meet the requirements of National Institute of Standards and Technology Special Publication 800-171, including a security assessment for contractor internal systems. The draft guidance indicates that this could require submissions ranging from a simple attestation of compliance to a “detailed description of the system’s security architecture, controls and provision of supporting test data.”[3] The Section recommends that any requirement to share this extremely sensitive data in proposals be eliminated from the guidance given the security concerns contractors will have with providing the Government (or any third party) with detailed information in writing about their security architecture or controls. These concerns will be amplified when this information would have to be shared with the Government electronically because such government portals and websites are often targeted for access by unauthorized groups and individuals.
The Section’s complete comments on OMB’s draft guidance are available in a consolidated pdf at http://www.americanbar.org/groups/public_contract_law/resources/prior_section_comments.html under the topic “Cybersecurity; Access to and Protection of Information.” The views expressed herein have not been approved by the ABA House of Delegates or the Board of Governors of the ABA and, therefore, should not be construed as representing the policy of the ABA. Mary Ellen Coster Williams, Section Delegate to the ABA House of Delegates, and Heather K. Weiner and Anthony N. Palladino, members of the Section’s Council, did not participate in the Section’s consideration of these comments and abstained from the voting to approve and send this letter.
ABAPCLS changed the title from “Comments on Information System Security Assessments (ABA PCLS)” to “Comments on Information System Security Assessments (ABA Section of Public Contract Law)” on Sep 10, 2015.
[1] See https://policy.cio.gov.
[2] DFARS 252.204-7012(d)(5) (Nov. 2013 version replaced by interim rule on August 26, 2015).
[3] See https://policy.cio.gov.