Does the National Cybersecurity Strategy spell the end of the government market for commercial software?


The use of commercial buying practices under Federal Acquisition Regulation (FAR) Part 12 has been a boon to industry and government alike. These procedures allow agencies to adopt commercial terms and conditions and have greatly streamlined the government's access to innovative commercial off-the-shelf (COTS) software capabilities essential to a modern customer experience and successful agency mission support. Using these streamlined procedures represents a significant public/private procurement partnership that helps agencies deliver a modern, 21st century digital government.

While the amount of commercial software that the government buys can vary depending on the specific government agency and its needs, it is safe to say that the government buys a significant amount of standard commercial software for a variety of purposes, including cybersecurity, data analysis and administrative tasks.

According to the Government Accountability Office (GAO), the federal government spends billions of dollars on COTS software each year. In 2020, the federal government spent $8.5 billion on software purchases, with the Defense Department accounting for the largest portion of that spending. State and local governments also purchase significant amounts of standard COTS software.

Of course, in all of these technology procurements, the issue of cybersecurity has become paramount. Recent steps to better secure software products under the newly issued National Cybersecurity Strategy, and the accompanying National Institute of Standards and Technology (NIST) guidance intended to drive industry toward secure software development, appear to conflict with the legal framework that has governed commercial transactions for over 60 years. That framework, the Uniform Commercial Code (UCC), has defined the allocation of product liability between buyer and seller since 1951.

Under FAR Part 12, when the government buys commercial software, it is generally expected, with some exceptions, to accept the existing commercial license terms and conditions. Those terms and conditions are governed by the UCC. The government may negotiate modifications to the UCC-based license terms, for example when the software is being used for a classified or sensitive application; however, the basic policy behind FAR Part 12 is to follow commercial buying practices as closely as possible.

This policy was codified in the Federal Acquisition Streamlining Act (FASA). FASA section 8002 explicitly states that contracting officers must use terms and conditions that “are determined to be consistent with standard commercial practice.”

On March 2, the Biden administration released its National Cybersecurity Strategy. Like its predecessors, the Biden strategy seeks to incentivize adequate and long-term investment in cybersecurity to combat current risks and mitigate future ones. Unlike previous strategies, however, the Biden administration seeks to fundamentally reshape the allocation of legal risks and liabilities by placing greater legal obligations on software producers.

Section 3.3 of the National Cybersecurity Strategy proposes shifting the liability for “insecure” software products and services to “prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and establish higher standards of care for software in specific high-risk scenarios.” It goes on to reference the development of an “adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”

Under the UCC, software licenses and the allocation of liabilities between the software producer and its end users specifically permit the disclaimer of liability and the establishment of damage caps between buyer and seller. Over the years, a vast body of UCC case law has developed on waivers of liability, the scope of acceptable disclaimers and the structure of software warranties.

While some of the commercial practices allowed by the UCC have been controversial, such as the onerous terms and conditions often imposed in so-called “box top” licenses (which no one ever reads), the shifting of liability by these emerging cybersecurity mandates creates an entirely different transactional regime that diverges dramatically from existing commercial practices.

Reallocating liability for commercial products, prohibiting the disclaimer of liability and establishing a "safe harbor" for companies that adhere to NIST-dictated software design practices represent a fundamental paradigm shift in legal exposure and liability for software providers selling standard commercial software products to the federal government.

The government's new policy mandating this transactional shift may indeed be the proper policy conclusion. However, an easily foreseeable second-order effect of this new liability regime is that FAR Part 12 (and its goal of driving broader adoption of commercial transactional practices) will have to be discarded as a new, insular and bespoke government-only software marketplace is created.

Some would argue that this outcome violates the basic foundations of FASA. Proper implementation of this new shift may require amending, or even discarding, the FASA provisions that codified the mandate to use commercial practices.

Whatever the outcome, the shift of product liability envisioned by the National Cybersecurity Strategy will obviate the widespread use of standard UCC-based commercial terms and conditions and upend long-standing business practices for standard commercial software producers.

Whatever the costs, if software producers choose not to engage with, or affirmatively withdraw from, the govcon market, the result will be acquisition delays and a curtailment of market opportunities for the commercial software industry. Policy makers should therefore at least contemplate the potential loss of product innovation and diversity available to the federal government under this new cybersecurity proposal.

Richard Beutel is a senior researcher at the George Mason Baroni Center for Government Contracting and the founder of Cyrrus Analytics LLC. As a congressional staffer, Rich was the original author of the Federal IT Acquisition Reform Act (FITARA), and is a nationally recognized expert in IT acquisition management and cloud policy with 25 years of private sector experience and more than a decade on Capitol Hill working on IT acquisition issues.

Copyright © 2024 Federal News Network. All rights reserved.
