A planned change to guidelines for cybersecurity acquisition has raised significant questions for trade groups in the federal contractor space, who say the rules come too late in the game and don’t go far enough compared to what individual agencies are already doing.
Federal contractor groups say a plan to ensure agencies remain focused on cybersecurity issues when procuring technology resources is looking half-baked.
The plan, introduced by the Office of Management and Budget (OMB) in August, was built through a stakeholder-driven process that involved publishing a draft form of the report on GitHub. It proved controversial among many of those stakeholders, with multiple industry groups criticizing the results during a month-long comment period. The Professional Services Council (PSC), in particular, said the plan was too vague and inconsistent to prove useful for federal contractors to follow.
“We have significant concerns with the OMB guidance—both for what and how it covers the five topics and for what it fails to cover,” PSC President and CEO Stan Soloway wrote in the group’s response. “We view the current draft version of the guidance as being too little, too late and too flexible in addressing even the five areas covered in the document.”
PSC noted in its response that many individual agencies have offered similar guidance on cybersecurity policies within their own organizations, making the five recommended steps redundant.
“OMB guidance will be most helpful if it ensures consistent, streamlined reporting requirements across federal agencies and focuses on improving cybersecurity outcomes rather than just increasing oversight,” PSC’s senior vice president of technology, Dave Wennergren, said in a news release.
The IT Alliance for Public Sector (ITAPS), meanwhile, recommended that OMB either “modify the guidance dramatically” or start over with a new process—a recommendation that PSC also made in its comments.
ITAPS also asked for an extension of the comment period, emphasizing that the use of GitHub in the feedback process had the opposite result of what the government was anticipating. The alliance noted that GitHub created “legal impediments” that limited the offering of transparent feedback.
“Because of these concerns, we believe that it is imperative that the comment period be extended and additional opportunity and means be afforded to stakeholders and the public to provide comment and feedback to the proposal,” ITAPS said in its comments [PDF].