Wednesday 16 September 2015

PSC says draft guidance aimed at improving cybersecurity in federal acquisitions fails

An industry group that represents several hundred government contractors wrote senior Obama administration officials to say that recently issued draft guidance covering cybersecurity in federal acquisitions falls far short of improving meaningful protection.

“We have significant concerns with the OMB guidance – both for what and how it covers the five topics and for what it fails to cover. We view the current draft version of the guidance as being too little, too late and too flexible in addressing even the five areas covered in the document,” according to the Sept. 10 letter from the Professional Services Council, which represents nearly 400 businesses.

The letter was addressed to Federal Chief Information Officer Tony Scott and Anne Rung, who heads the Office of Federal Procurement Policy, both housed under the Office of Management and Budget. PSC called for significant changes to the document or abandoning it altogether.

OMB issued draft guidance Aug. 11 for public comment regarding implementing stronger cybersecurity protections in federal acquisitions to reduce the risk of potential incidents in the future. The guidance was created in direct response to the escalation of cyberattacks and breaches that have occurred in recent years, including the hack of Office of Personnel Management databases that may have compromised millions of records of current, former and prospective federal employees.

“The proposed guidance will strengthen government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems,” according to the federal document. “In addition to this, the guidance outlines a business due diligence service that agencies can use to help ensure they are contracting for secure products and services.”

However, PSC’s letter points out that the draft “fails to provide meaningful standardized and uniform guidance” to agencies and contractors in the five areas – security controls, cyber incident reporting, information system security assessments, continuous monitoring and business due diligence.

“Instead, it offers only generalized statements with explicit authority for agencies to deviate from it almost at will,” according to the PSC letter.

Additionally, the industry group said the draft is “too late” because many agencies have already taken several regulatory and contractual steps in those five areas, “thus undercutting any hope for uniform, government-wide guidance resulting from this document in its current form.”

PSC also slammed OMB for being “too flexible” because it encourages agencies to determine which National Institute of Standards and Technology guidance documents can be applied to individual solicitations, making agency efforts even more complicated.

The group recommended that OMB either enhance the current guidance by “eliminating conflicts and overlaps with current coverage and reducing the vagueness” of how agencies apply future versions of the guidance or scrap the draft guidance altogether “and default to the standard federal acquisition regulatory process to establish the government-wide contracting standards.”

In a Sept. 14 press release from PSC, Dave Wennergren, the group’s senior vice president of technology, said OMB guidance is helpful when it provides streamlined, consistent reporting requirements and focuses on improving cybersecurity rather than increasing oversight.
