Information Technology Contracting

IT-acquisition reform remains an area of ongoing concern for Federal agencies and government contractors. Indeed, as we previously discussed, the GAO has added IT Acquisitions and Operations to its biennial list of programs it identifies as posing a high risk for fraud, waste, abuse, and mismanagement. Strengthened by Congress’ passage in December 2014 of the Federal IT Acquisition Reform Act (“FITARA”), OMB has implemented several initiatives to reduce redundancy, improve efficiencies, and lower costs with respect to the government’s procurement and management of IT resources. However, a recent Department of Defense (“DoD”) Inspector General (“IG”) audit report analyzing one of these initiatives—the Federal Data Center Consolidation Initiative (“FDCCI”)—highlights the ongoing struggle that Federal agencies face when seeking to execute IT reform. If DoD responds to this audit report by stepping up its efforts under FDCCI, one result could be increased opportunities for IT contractors offering cloud computing and other services.
Continue Reading DoD IG Report Reveals Ongoing Struggles in IT-Acquisition Reform

On December 30th, the Department of Defense (DoD) issued a Second Interim Rule amending its “Network Penetration Reporting and Contracting for Cloud Services” Interim Rule and giving contractors until December 31, 2017 to implement the NIST SP 800-171 security controls required by DFARS 252.204-7012. As noted in a previous post, DoD has already issued a class deviation giving covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of NIST SP 800-171. This current revision appears responsive to significant concerns raised by industry about compliance with the remaining safeguarding requirements imposed overnight on contractors on August 26, 2015.

The Second Interim Rule imposes the following changes:
Continue Reading Time Is On My Side: DoD Hears Industry Concerns – Additional Time Provided to Implement Security Controls Under New Cyber Rule

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-7008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.” While the class deviation is a welcome development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.
Continue Reading DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last month, we discussed Information Technology (IT) Schedule 70, one of the largest contract vehicles administered by the U.S. General Services Administration (GSA). GSA now is evaluating whether Schedule 70 should be made more accessible to certain small contractors, new IT providers, and other, similarly situated firms.
Continue Reading GSA Seeks Input on Eliminating IT Schedule 70’s Two-Year Experience Requirement

Earlier this month, the U.S. General Services Administration (GSA) issued a Request for Information (RFI) soliciting feedback from industry on ways to improve the sale of Cybersecurity and Information Assurance (CyberIA) products and services through GSA’s multi-billion dollar Information Technology (IT) Schedule 70. IT Schedule 70 currently features more than a dozen special item numbers (SINs) for cybersecurity products and services.[1] In this RFI, GSA seeks information from vendors and federal agencies as to whether it should consolidate those SINs into one major CyberIA grouping, with a number of categories and subcategories.

The RFI, which was issued just weeks before the Office of Management and Budget (OMB) and the Department of Defense (DoD) announced their own major cybersecurity initiatives, is yet another sign that the federal government is leveraging its substantial buying power to harden government and contractor networks against cyber intrusions. As explained below, GSA’s appeal to industry offers a tremendous opportunity for the private sector to help shape the way commercial CyberIA products and services are bought by and sold to the government.
Continue Reading GSA Seeks Industry Input on Cybersecurity Schedule Offerings

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information.  Nearly three years in
Continue Reading DOD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.” CUI is defined in a recently issued proposed FAR rule as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”

Although the OMB memorandum is a laudable attempt to create uniformity across the federal government, the Guidance leaves many questions unanswered, and the details of its implementation by federal agencies remain to be seen. As described below, even with this Guidance, contractors will continue to encounter inconsistent requirements for what constitutes a “cyber incident,” how quickly a cyber incident must be reported to the government, and what security controls are considered “adequate” for safeguarding CUI.
Continue Reading OMB Issues New Draft Cyber Guidance for Contractors

On July 24, 2015, the Defense Information Security Agency (“DISA”) issued three draft documents (available here for download) concerning the adoption of secure cloud computing systems by the Department of Defense (“DoD”).  DISA is tasked with developing DoD’s security requirements guides for cybersecurity policies, standards, architectures, security controls, and validation procedures.  Here, the just-released, draft documents are: (1) a Security Requirements Guide; (2) a Cloud Access Point Functional Requirements Document; and (3) a Concept of Operations for Cloud Computer Network Defense.  Any comments on these draft documents must be submitted to DISA by August 22, 2015.

Additional information regarding each of these three documents is provided below.
Continue Reading DoD Issues Three Cloud Computing and Security Documents for Public Comment

The private sector is likely to produce critical cyber innovations—at least, that is what the U.S. Defense Advanced Research Projects Agency (“DARPA”) and the U.K. Centre for Defence Enterprise (“CDE”) would like to see.

In the United States, although the internet may have been invented at DARPA, DARPA is turning
Continue Reading U.S., U.K. Governments Seek Cyber Innovations from Private Sector

As federal agencies are slated to spend almost $80 billion on federal information technology (“IT”) acquisitions this fiscal year and the OMB prepares to issue its final guidance on the Federal Information Technology Acquisition Reform Act (“FITARA”), GAO has released two reports this month that discuss ongoing efforts to improve IT procurement.  Combined with GAO’s recent addition of IT acquisitions and operations to its list of high-risk programs (which we previously discussed), these new reports underscore GAO’s ongoing emphasis on reforming IT acquisitions to reduce redundancy and increase efficiency.

In the first report, GAO added federal software licenses to its list of twenty-four areas in which it discovered evidence of fragmentation, overlap, or duplication in federal government programs.  Citing its May 2014 report on federal agencies’ management of software licenses, GAO explained that a vast majority of agencies do not have sufficient policies to manage their software licenses.  According to GAO, this mismanagement results in over-purchasing licenses, which leads to unnecessary spending, and under-purchasing licenses, which leads to fees for violating licensing agreements.  Therefore, GAO reemphasized that agencies should implement software license management policies that, among other things, provide for centralized management of software licenses and ensure that a software license inventory is created and maintained.
Continue Reading GAO Reports Highlight Ongoing Struggles in Reforming IT Acquisitions and Operations