The Professional Services Council (PSC) has raised significant concerns about the Office of Management and Budget’s (OMB’s) draft cybersecurity acquisition guidance in a letter PSC sent to Federal CIO Tony Scott and OMB Office of Federal Procurement Policy Administrator Anne Rung last week.
The proposed OMB guidance, “Improving Cybersecurity Protections in Federal Acquisitions,” was posted on the Federal CIO Council website for public comment on August 11, 2015.
“We have significant concerns with the OMB guidance—both for what and how it covers the five topics and for what it fails to cover,” PSC President and CEO Stan Soloway stated in the letter. “We view the current draft version of the guidance as being too little, too late and too flexible in addressing even the five areas covered in the document.”
He said OMB’s guidance is “too little” because it fails to provide meaningful uniform guidance to the federal agencies and contractors in the five areas covered; lacks common definitions for federal acquisition; and fails to outline government/contractor training or outreach to industry despite the existence of a number of best practice models.
The OMB guidance is “too late” because too many agencies have already taken regulatory and contractual actions (to include the Defense Department) to address many of the five components of this OMB guidance, thus undercutting any hope for uniform, government-wide guidance resulting from this document in its current form, PSC said in a statement.
Continuing, PSC said, “The OMB guidance is ‘too flexible’ in that agencies are encouraged to determine which of the NIST guidance documents are to be applied to individual solicitations. The OMB guidance also does not include any contract terms and conditions, and recommends that agencies address on a contract-by-contract basis the specific contract clauses and remedies to be applied in individual solicitations and contracts. Ironically, despite all of these issues, OMB compounds the problems of its own creation by directing federal agencies to ‘immediately begin working together to apply the [OMB] guidance.’”
“Today more than ever, additional attention needs to be focused on delivering measurable outcomes that improve cybersecurity,” said Dave Wennergren, PSC’s senior vice president of technology. “OMB guidance will be most helpful if it ensures consistent, streamlined reporting requirements across federal agencies and focuses on improving cybersecurity outcomes rather than just increasing oversight.”
“Given the significant flaws in the current draft guidance, we recommend that OMB significantly revise the guidance to ensure a consistent, unified approach that eliminates conflicts, overlaps, burdensome requirements and vagueness in the application of the guidance across federal agencies,” Wennergren said. “Or, in the alternative, OMB should just withdraw the guidance and use the federal acquisition regulatory process to establish government-wide contracting standards for this crucial issue.”