While 2017 was a busy year for DOD contractors as they worked to meet the Dec. 31, 2017, deadline for implementing the 110 controls described in National Institute of Standards and Technology (NIST) SP 800-171, it was also a year in which the GAO upheld the government’s evaluations of proposals when cybersecurity was an issue for evaluation. The GAO denied a protest in IPKeys Technologies, LLC, B-414890; B-414890.2, Oct. 4, 2017, in which the awardee was given a higher score than the protestor for an evaluation factor related to cybersecurity. The GAO also denied a protest in Syneren Technologies Corporation, B-415058; B-415058.2, Nov. 16, 2017, where the agency rejected a proposal because the offeror failed to propose an accredited software program.
In IPKeys, the Defense Information Systems Agency (DISA) issued a small business set-aside Request for Proposals (RFP) for the “provision of engineering, transition, implementation, sustainment, and cybersecurity monitoring support services for DISA’s Global Video Service (GVS),” which is used by DOD and other government departments and agencies for unclassified and classified videoconferencing services. The RFP included a subfactor (Subfactor 2) under which offerors were to demonstrate their ability to provide engineering support related to cybersecurity issues with DISA’s GVS. Although the awardee’s costs were higher than the protestor’s, it was awarded the contract under a best value determination because the awardee was given a higher rating for two subfactors, one of which related to cybersecurity (Subfactor 2). The awardee proposed to utilize both the Risk Management Framework (“RMF Framework”) and the NIST Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), which DISA evaluated as being more valuable than merely meeting the requirements of the RMF Framework. DISA determined that the two standards were distinct and complementary.
The GAO discusses in some detail why it concurs with DISA’s determination. “NIST SP 800-37 details the NIST RMF, which is a six-step process that provides a method of coordinating the inter-related FISMA standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security.” The Cybersecurity Framework, by contrast, “is designed to complement existing business and cybersecurity operations.” More specifically, “the ‘framework core’ provides a set of activities to achieve cybersecurity outcomes to manage cybersecurity risks that are broadly divided into five functions: identify, protect, detect, respond, and recover. … The framework core, and its functions and their constituent categories and subcategories, ‘is not a checklist of actions to perform.’” Moreover, the RMF Framework is directed toward federal agencies, and compliance with it is mandatory for those agencies. Conversely, the Cybersecurity Framework is voluntary and targeted to the private sector. Thus, compliance with the RMF Framework was a requirement of the RFP, but compliance with the Cybersecurity Framework was not. DISA recognized that compliance with both the mandatory and the non-mandatory requirements was a strength deserving of a higher evaluation score.
Syneren Technologies, while dealing with cybersecurity, can be characterized as more of a failure-to-meet-requirements protest. The Department of the Navy issued an RFP for support for the Sea Warrior Program in the “design, development, implementation and sustainment of IT systems and software supporting enterprise business services, personnel and pay, position management, recruiting and accessions, workforce development, and distance support.” Syneren, as part of its solution, proposed software that had not been accredited for use at the Navy datacenter. Nor did its proposal include any “meaningful explanation as to how accreditation of the software would be achieved.” Syneren’s position was that the RFP did not require it to “address the accreditation process prior to award or to explain in its proposal how it would attain accreditation.” The Navy responded that the solicitation specifically stated that performance of the contract would be on a government facility, would involve DOD and Navy data, and would have to be compliant with multiple cybersecurity requirements.
The GAO rejected Syneren’s argument and found that the cybersecurity requirements were a material solicitation requirement. Thus, a failure to comply with the requirement made Syneren’s proposal technically unacceptable and ineligible for award.
In the Semiannual Regulatory Agenda published in the Federal Register on Jan. 12, the DoD, GSA and NASA provided summary descriptions of regulations being developed by the Civilian Agency Acquisition Council and Defense Acquisition Regulations Council. Two proposed regulations are of note for the cybersecurity community.
FAR Case 2015-037, Definition of “Information Technology”
The proposed rule “broadens the definition of information technology to include services such as cloud computing and to remove an exemption for information technology embedded in other systems.” Information Technology is currently defined at FAR 2.101. The addition of cloud computing to the definition should have negligible impact. However, removal of the exemption may have some unintended consequences.
(3) The term “information technology” does not include any equipment that–
* * *
(ii) Contains imbedded information technology that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For example, HVAC (heating, ventilation, and air conditioning) equipment such as thermostats or temperature control devices, and medical equipment where information technology is integral to its operation, are not information technology.
Using the example in the FAR definition, as the government requires more compliance with cybersecurity, there is the potential that an HVAC system with remote monitoring, depending on its location, may have to meet all the cybersecurity requirements of any other information technology system. This would drive up costs and, in fact, may not be feasible. Another potential area relates to printers. WiFi-enabled printers are usually protected only to the extent that the network on which they are located is protected. It may simply not be feasible to impose the same cybersecurity requirements on the printers themselves.
FAR Case 2017-016, Controlled Unclassified Information (CUI)
This proposed rule is to implement the National Archives and Records Administration (NARA) CUI program of Executive Order 13556. NARA, as the executive agent designated to oversee the CUI program, issued implementing regulations in late 2016. This regulation is necessary to ensure uniform implementation of the requirements of the CUI program across all agencies within the government to avoid inconsistent agency-level action. This proposed rule should have little immediate impact; however, as the civilian agencies begin implementing additional cyber requirements, this rule will provide a framework for those regulations as they apply to CUI.