This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Internet Security Alliance (ISA) Comments on OMB Proposed Guidance #61

Open
TannerDoucet opened this issue Sep 10, 2015 · 0 comments

The Internet Security Alliance (ISA) has reviewed the “Improving Cybersecurity Protections in Federal Acquisitions” draft guidance and welcomes the opportunity to provide comment. ISA has the following feedback regarding its content and proposed requirements:

Cyber Insurance Coverage -- The OMB guidance on due diligence should include as a best practice that federal agencies review whether contractors have adequate cyber insurance coverage, with limits appropriate for the number of records or type of data they are holding. Cyber insurance helps make organizations better protected against cyber threats in two ways:
- First, the underwriting process can identify key weaknesses in cyber defenses and encourage the adoption of more robust and strategic risk management policies.
- Second, policies respond to the often substantial, direct costs incurred by companies that have experienced a data breach, such as lost income, crisis communications and legal expenses.
Therefore, a due diligence review of cyber insurance could help federal agencies assess whether contractors are appropriately managing enterprise-wide cyber risk and have the resiliency to respond to a potential data breach, both financially and strategically.

Potential Conflict with Existing Frameworks -- Assuming the audience for this guidance is the US Government agencies that procure goods and services, the scope of this guidance may conflict with and/or contradict other standards, guidelines and frameworks (e.g., NIST Special Publications, NIST Cybersecurity Framework), or even conflict with and/or contradict statements within the guidance document itself.

Relevance to Aforementioned Standards -- It is unclear if this guidance is supplementary guidance to the other standards, guidelines and frameworks mentioned above (see Question 3 in the FAQ section of Improving Cybersecurity Protections in Federal Acquisitions: FISMA; NIST SP 800-37; NIST SP 800-53; NIST SP 800-171; EO 13556).

No Definition of Cyber Incident -- There are many statements that may have a wide range of interpretations. For example, section 3 on page 4 says “reviews will be conducted on an event-driven basis for the life of the contract,” but no definition is given for what constitutes an “event.” Again, in section 2 on cyber incident reporting, page 8 says “…contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported…” but no definition of what constitutes a cyber incident is given. This vague and unclear language makes compliance questionable and of limited value.

Add Language to Better Reflect Mutual Agreement -- Statements such as the following under section 4 on continuous monitoring on page 12, “The agency may elect to perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing,” should be altered to reflect mutual agreement between the contractor and the government, to address concerns of adversely impacting operations of the contractor beyond those provided to the government.

Potential to Reduce Competition -- Compliance with some of the verbiage may reduce competition by dramatically increasing costs for contractors, driving towards a monopoly market for products and services.

Past Performance Issues Pertaining to Security Controls -- Great concern lies with the usage of past performance issues for “non-cost evaluation factors” as it pertains to security controls. Defense contractors have voluntarily been forthcoming in offering information on or related to cybersecurity compromises on their networks through the DIB CS/IA voluntary framework and similar channels. This was facilitated through the guarantee that such information would not be used against contractors in evaluating bids. In contrast, the OMB guidance as stated may result in decreased information sharing and collaboration across the DIB and reduce the DIB’s overall cyber awareness.

Issues with Open Source Data in Due Diligence -- The policy states that due diligence may encompass “public record, publicly available… data,” which would provide questionable benefit, as many open sources struggle to present discrete cyber incidents accurately, much less the organization and the general concepts overall. In addition, the guidance does not indicate whether contractors will be able to view and provide input into any such due diligence assessments, and does not delineate how exactly the government will use due diligence. We recommend due diligence without the use of public or commercial subscription data.

Expansion of Incident Reporting Requirement -- The expansion of the cyber incident reporting requirement will prove burdensome. Many large contractors already submit incident reports as needed. Multiple reporting stream requirements will result in inefficiencies and hinder the response and remediation process overall. We also recommend that the guidance make clear that the cyber incident reporting requirements apply only to CUI that is marked by the government or should be marked by contractors pursuant to clear government instructions in the contract, in order to assist contractors in their efforts to comply with the reporting requirements.

Thank you for the opportunity to provide feedback on the draft guidance.

@TannerDoucet TannerDoucet changed the title Internet Security Alliance (ISA) Comments on Proposed Guidance Internet Security Alliance (ISA) Comments on OMB Proposed Guidance Sep 10, 2015