Cybersecurity permeates nearly every conversation in the federal community already. And it’s about to soak in much deeper. The Federal Acquisition Regulatory Council is reviewing a dozen different proposals to expand cybersecurity requirements across federal procurement.
The White House and Congress equally are driving many of these changes from the cybersecurity executive order, the national cyber strategy, the zero trust strategy and implementation plan and from supply chain laws.
Jeff Koses, the General Services Administration’s senior procurement executive, said in his 20-plus year career in federal procurement, he’s never seen so many FAR proposals on a single topic. Koses said it’s a signal of the importance Congress and the Biden administration are placing on cybersecurity.
Two of the rules working their way through the process are around secure software development and incident reporting; both of those came out of the executive order on cybersecurity.
“Hopefully you all have seen the recent form that the Cybersecurity and Infrastructure Security Agency issued. The basic requirement comes down to software producers are going to be required to attest that they have secure development practices. CISA have drafted and posted a common form that basically outlines what they will be looking for in that attestation. And that attestation itself is going to become the basis of the FAR case,” Koses said at the IT Vendor Management Office summit on Aug. 2, sponsored by GSA and ACT-IAC. “The incident reporting is really trying to put focus on the core ideas about prevent, detect, assess and remediate. They’re trying to put that focus on the role itself. The proposal currently is in that the Office of Information Regulatory Affairs (OIRA), part of the Office of Management and Budget.”
Other proposed rules before the FAR council also focus on:
- Standardizing cybersecurity requirements for unclassified information systems
- Implementation of Federal Acquisition Security Council (FASC) exclusion orders
- Prohibition on contracting with entities using certain telecommunications and video surveillance services or equipment
“There is a whole series of cases you will have watched in recent years dealing with exclusions and suspensions. You saw Congress start that journey with Kaspersky Lab software and telling the government ‘don’t buy Kaspersky software.’ You saw Congress continue that in the 2019 Defense authorization bill, saying, ‘Hey, don’t go buy certain Chinese telecommunications or video surveillance systems.’ We recently saw Congress passed the exclusion on TikTok and ByteDance. The FAR rule came out on that,” Koses said. “Watch in the near term for a role standing up the authority of the FASC to issue exclusions. The interim rule that’s pretty close to clearing [the OIRA] process. The last case on exclusions that’s starting to move, in the 2023 NDAA, Congress passed a limitation on certain semiconductors. So watch for that as part of that cybersecurity family of cases. More rules than anybody ever wanted.”
As these acquisition regulations make their way through the process, all of them will eventually reside in a new section of the FAR, which is another big change that agencies need to prepare for.
Koses said the importance of cybersecurity has and will continue to grow so much it needs its own place in the FAR.
“We are proposing to create a new part of the FAR, FAR Part 40, as the home for all of the cybersecurity requirements. We think it cannot be confused with pure IT requirements — cybersecurity is everything everywhere, and it needs its own home,” he said.
SBOM pilots underway
This new FAR part will provide contracting officers with a single, consolidated location in the FAR for cybersecurity supply chain risk management requirements.
In September last year, the FAR staff said it was writing a draft rule, which is expected to be published Wednesday.
Along with the FAR rules, agencies continue to focus on an assortment of cybersecurity efforts, with one of the biggest areas around the use of software bill of materials.
Sonny Hashmi, the commissioner of GSA’s Federal Acquisition Service, said the agency is spending a lot of time reviewing and managing its supply chain to guard against real or potential threats.
He said adversaries have figured out that the U.S. supply chains are vulnerable to influence, to attack and to infiltrate.
“Whether the rule goes in this way or that way, whether the disclosure requirement is this versus that, those are just details, but I want to make it very clear the future of public service and the future of government relies on digital as a foundational pillar. Digital is more important than real estate. It’s going to be a foundational element for getting any government mission delivered,” Hashmi said. “In order to do that, there is going to be a higher expectation between us and industry on how we manage this adversity element together. That is going to require more disclosure, more transparency and a higher level of trust that we have in you and that you have with your supply chain.”
Hashmi said prime contractors have to know more about their subcontractors and the risk up and down their supply chains.
“It’s not enough to say, ‘well, we don’t know that our subcontractor was compromised this way.’ We’re going to have an expectation of you to know your risk in your entire supply chain, where you’re sourcing parts from, where you’re sourcing code from, who your subcontractors are, who’s on their board. This is the life we’re walking into,” he said.
Alignment is key to software security
Hashmi said it’s important to further the partnership and collaboration about what each party is seeing.
He said this is why SBOM will require a big adjustment for both the government and industry because it’s a huge different approach to manage software.
“We’re obviously working very closely with CISA and with the National Institute of Standards and Technology to develop the standards, to develop the right templates, to make sure that the data we get back is machine readable so you can actually make some decisions on it,” Hashmi said. “My biggest fear with SBOMs is, with implementation through policy, it’s going to lead to a bunch of PDF documents sitting in a contract file somewhere, which is not going to make anything better. We need to make sure that the data comes in consistently and comes in to a central repository. That it’s machine readable. That we are creating taxonomies and that’s what we’re working on.”
Hashmi said GSA is following some SBOM pilots at the Army Research Lab and the Department of Energy to better understand how the process works.
He said how best to develop and use SBOMs are among the earliest conceptual topics the government is working on today.
“We know we need to do it, but there needs to be a lot of alignment on the government side because it can easily be done wrong and it’s a fairly big burden if it’s done wrong,” Hashmi said. “We want to make sure that, for example, the ideas that we’re negotiating right now and thinking through make sense. We could be like ‘why don’t we just work with the five or six major continuous integration, continuous delivery companies to actually do a direct application programming interface (API) based pull on the software supply chain, rather than asking the vendor?’ If you’re already using one of these products, you have a direct input into CISA or some other agency like that. But these are early stages of the conversations so there is more to come.”