Contractors are wary of the latest proposed rule giving DoD access to their IT systems. It is part of an effort to improve cybersecurity with incident reporting and information sharing. Another rule would impose new requirements on contractors' unclassified systems. For reaction, the Federal Drive with Tom Temin spoke with Stephanie Kostro, vice president for Policy at the Professional Services Council.

Interview Transcript:

Stephanie Kostro We’ve seen a flurry of cyber related and information system related proposed rules coming out. And these two rules that you highlighted, we had a lengthy time to comment on them. And I would highlight also that it’s not just the Department of Defense. These are FAR Council rules, so they’re applicable governmentwide. And so it’s not just DoD, it is the whole of government. And in some cases, as a previous guest on your show discussed, it could give Department of Homeland Security and the FBI access to your system and what the government is calling full access, which means if there’s an incident, go into your system and investigate, including parts of your contractor system that are not dedicated to government work. So it really, in our view, is ripe for correction and amendment, in terms of when we go into final rulemaking, because it is really overstepping on the government’s part.

Tom Temin Sounds like you’d have to designate someone from the government to have administrative privileges on your system.

Stephanie Kostro It does sound a bit like that. The incident reporting piece is something that we’ve discussed at length with both our member companies, as well as with the government about what is an appropriate time frame once you have a cyber incursion, how do you report it, etc., and to whom? These two rules do go a bit far in terms of not offering a lot of actions to government contractors. If you have a government person, with admin privileges or not, going into your system and something happens as a result of that access, we believe federal contractors should not be held liable for that.

Tom Temin I can see the speeches now. We have all these unelected sysadmins coming in and messing with our systems. Anyway, we won’t go there on that one. So what have you proposed specifically to modify it should they decide to take your comments in?

Stephanie Kostro Well, for the first case that you mentioned, which is on cyber threat and incident reporting and information sharing. We’ve talked a lot about definitional changes. What does full access mean? And we’d really like to see the government limit it to contractor systems that are performing government work, not the whole enterprise system. We’re also talking a bit about protection of what is called government data or government related data. A lot of companies have trade secrets, have pricing models, have sensitive information on their systems. And one of the rules does go in to say, if it is on a system that performs government work, that is government related data. That’s an issue in terms of intellectual property, and it’s an issue in terms of privacy.

Tom Temin Yeah, it sounds like it’s an issue in terms of law, even.

Stephanie Kostro There are existing clauses out there that do protect intellectual property and the contractor’s right to own the data that it creates. We believe that the government is trying to get at the use of third party data, meaning the government holds a license for another company’s information, and they’re lending it to the contractor performing the work. Therefore, it should have protections, because the government is facilitating access to that data. We don’t argue about that, but we do think that if you are a contractor and you are creating data and you have access to the data that you yourself own, it shouldn’t automatically be transferred to the government.

Tom Temin And anyway, if this is all in a cybersecurity related context, maybe they should have a rule, or the rule should limit the government access simply to your logs for analysis to understand what might have happened in an incident.

Stephanie Kostro I think that’s exactly right. And to the extent that an incident is of concern to the contractor itself, we don’t want to presume that the contractor doesn’t care when there’s been a cyber incursion. They care very, very deeply about this. So understanding what happened and doing the forensics on it and then preventing similar incursions in the future is critical. And so what we believe, and we’ve said in our comments, is that the government needs to talk to the industrial partners about intellectual property, trade secrets, litigation liabilities and claims against the federal government in the cyber realm. And as I mentioned, there’s been a flurry of cyber related proposed rules. And we do think it’s wise of the government to try to harmonize those. Again, the devil is in the details. And if you make a definition in one proposed rule in one way, and it has a different definition in another proposed rule, there’s a lot of cracks through which you could fall.

Tom Temin Well, they’re certainly flooding the zone. We’re speaking with Stephanie Kostro, executive vice president for policy at the Professional Services Council. And the other rule that you’re talking about, too, is the standardizing cyber security requirements for unclassified federal information systems, which would impose rules on what your systems should look like, how they’re configured. You’ve got some issues there too.

Stephanie Kostro It’s very similar to what we have to the other rule. And I don’t know if this was by design, but the comments were due on both on the same day. So these are very, very fresh in my mind as our comments are trying to mutually reinforce each other. And part of it again comes down to definitions. How do they define full access? How do they define government data and government related data? We are concerned that if they try to put this clause or the set of clauses in every contract, including things for commercial off the shelf items, it’s a little bit again, flooding the zone. I like that phrase that you used, Tom, because there are certain contracts where this kind of information or this kind of rule should be applied, and others where it just doesn’t make sense. And one area where some of our members highlighted a real concern is if you are a company that has several government contracts and you have one security incident on your system, what are they going to investigate, which was considered the federal information system, and how do they dive into that? It’s a concern that many members had about the onerous reporting requirement. And do they have to report for every single contract? Are they all considered federal information systems? And so again, the devil is in the details. We’re working through this, and we hope to see some of these changes in the final rule.

Tom Temin And one more thing I wanted to ask you about is that the member companies are scratching their heads and turning to the council for what to expect in the upcoming presidential election. I can just hear them now: Stephanie, what’s going to happen if it’s Trump or Biden? And so, it’s going to be Trump or Biden from the looks of it. So never have we been able to narrow it down so early, it seems.

Stephanie Kostro Tom, that’s exactly the point that I make to member companies. We’ve had several companies come and say, all right, so look in your crystal ball and see what’s going to happen in terms of contract spend and what the budgets are going to look like. And historically, PSC has looked at presidential elections closer to the actual general election. But it seems that the primary system has already picked winners and losers here, at least so far. It seems that the candidates are predetermined, and so we can look into the crystal ball a little bit. President Biden has signed out more than 130 executive orders. Some of them will be rescinded under a different president if that happens. So we’re trying to do a quick analysis of what policy issues might stick and what might go by the wayside under a potential Republican president. And so we’re looking at that. We’re also analyzing the transition from 2016 to 2017 to see what happened to budget requests and the contract spending. We’re also going way back into, well, it’s not technically way back to the origin of our country, but it is back to the Obama administration with the two terms under a Democratic president and what happened with contract spending there. I hate to use the word unprecedented, because it’s been hyped up over the last four years. Everything seems to be unprecedented. But we do have an opportunity here to do some analysis about presidential politics earlier in the cycle than we have in the past.

Tom Temin Well, things may not be unprecedented right now, but they’ve never happened before. So once we can put it that way.

Stephanie Kostro Yeah, I think that’s true. I think also we’ve talked about the flurry of cyber related activities. There have been a lot of proposed rules coming out in recent months, and that’s not unusual in this part of a presidential term, because everything that was put in place in the first year is finally hitting rulemaking now. And I would mention that in the first six weeks here in 2024, PSC has commented on eight proposed rules or other opportunities to comment, and that is probably twice the pace that we usually go. So eight rules in six weeks means that we’re all going to be very, very busy at PSC going forward.

The post Contractors on edge because of Pentagon’s proposed buying rules first appeared on Federal News Network.