Thomson Reuters Legal comments on proposed OMB Guidance

[ThomsonReutersLegal]

Thomson Reuters Legal appreciates the efforts of the Office of Management and Budget (OMB) to draft the guidance “Improving Cybersecurity Protections in Federal Acquisitions” (OMB Guidance). While Thomson Reuters Legal supports the overall goal of this OMB Guidance, we offer this comment because, as proposed, the OMB Guidance could incorrectly impose federal data security standards on data vendors supplying non-federal information to the government as commercial items.

Specifically, the OMB Guidance applies NIST Special Publication (SP) 800-171 to contractor systems that “process CUI incidental to developing a product or service for [an] agency.” (OMB Guidance, Sec. 1 ¶ 2). Considering that the broad definition of Controlled Unclassified Information (“any information” requiring safeguarding or disseminating controls) does not differentiate between non-federal and federal information, unintended results could occur. For example, acquisition officials could incorrectly apply the OMB Guidance to privately sourced information supplied by a commercial vendor to the government.

Both the OMB Guidance and NIST SP 800-171 identify federal information as the intended foundation for the cybersecurity standards. A review of the history of the NIST special publication shows that it was intended to apply to “federal information” and not intended to apply to commercial data vendors supplying non-federal information to the government. For example, NIST SP 800-171 repeatedly refers to protecting “federal information” in its introduction (describing the problem the publication seeks to address). Further, the proposed OMB Guidance itself suggests it was not intended to apply to commercial data vendors supplying non-federal information to the government. The background section describes OMB’s mandate to make recommendations, “to ensure contractors provide adequate security for Federal information.” (OMB Guidance, Background ¶ 2) (emphasis added).

Parallel to this comment, Thomson Reuters Legal will be submitting suggested language to the proposed OMB Guidance clarifying that it (implementing NIST SP 800-171) does not apply to commercial data vendors supplying non-federal information to the government for the reasons stated above. Without further clarification, this Guidance could unintentionally be used to impose an additional regulatory and administrative burden to non-federal data residing in non-federal systems (but licensed to federal users).

We appreciate the opportunity to comment on the proposed OMB Guidance and thank you in advance for your consideration.