There is now more cyber guidance than ever for the companies that do business with the government. You can also expect even more when it comes to other new technologies, like artificial intelligence. Congress seems to be back up and running, and there is business to attend to. To start with, reauthorizing a major component of the Homeland Security Department, and also funding the rest of the government. For analysis, the Federal Drive with Tom Temin, Executive Eric White spoke with Stephanie Kostro, Executive Vice President at the Professional Services Council.
Stephanie Kostro So back in 2018, Congress established an office at DHS really to focus on countering weapons of mass destruction. So it’s detection, prevention, how to deal with issues in the aftermath if there is some sort of incident. That office was given a five year authority. And that does expire December 21st. It’s worth noting that folks who populate this office, both in the civil service and in the contractor realm, have really specialized skills. And if this office is dismantled, as it looks to be, unless it’s reauthorized, contracts will shift. It becomes unclear who will have oversight, who will do the work, etc.. And no one can say, you know, the tensions are easing around the world. If anything, they are increasing. And so to get rid of a countering WMD office that focuses on domestic territorial integrity really does seem to be a mistake at this point.
Eric White If the job is as important sounding as its title is, I imagine that the authorities and responsibilities would fall to probably other DHS offices and things would just be spread out. And that’s where you’re saying the confusion may lie. Nobody would know where to go to if you know, they have an issue or if something does happen.
Stephanie Kostro If something does happen or, you know, who has responsibility for what. The reason this office was created was to consolidate and to streamline issues and coverages and responsibilities. And so getting rid of it undoes all of that. And I would say it is up for renewal. There is a bill that has passed the Senate Homeland Security and Government Affairs Committee. We are encouraging folks on the Hill to find a vehicle to complete this reauthorization. One concern that we do have, Eric, and I’ll be frank about this, is that the office loses its authority on December 21st, as I said, but to get there, you have to start dismantling it weeks ahead of time. So civil servants who have been assigned to that office will either get reassigned or RIF’d. And that is not a word I use lightly. Contractors, you know, are retaining their workers on this work, but if they’re unsure, the contract is even going to continue. Those workers, contractor workers might be looking for other employment as well. So this is an area where we need to attack and get this authorized sooner rather than later before we lose all of this wealth of knowledge and expertise.
Eric White Yeah, you mentioned how unique this expertise is, and so the contracting field is probably not that large. But can you tell me a little bit about, you know, what sorts of contracts this office is involved with and just how many people that it is responsible for?
Stephanie Kostro Well, I don’t have the numbers of people in terms of the contractors assigned. I would say we have a range of contracting officials within the department itself. But on the private sector side, these run the gamut from very large corporations down to mid-size, even some small. They are involved. They handle things like radiation portal detection. So when you come into the port of Long Beach or whatnot, you do get screened for radiation, for nuclear, for, you know, some of the waves that you can detect to make sure that whatever is coming into the United States is safe. These are also used in postal facilities at airports. That is the kind of responsibility that contractors have in this space. And if there’s any gap or any question of gap or loss of expertise in this area, we could really feel it in the United States. So what we are doing is encouraging Congress to find a vehicle for this reauthorization, to get it done so that we can retain the goodness that’s been created over the last five years.
Eric White Speaking with Stephanie Kostro from the Professional Services Council, shifting gears a little bit here on the contracting side, a few more boxes to check for contractors when it comes to cyber hygiene, what is the first things, first sort of approach that contractors will have to take with all these new cyber rules coming across from several federal avenues?
Stephanie Kostro You know, Eric, it makes me smile because we’ve been talking about cybersecurity for so long now we are seeing a plethora of proposed rules, interim roles, including everything except the one that we’ve been waiting for most of the Department of Defense side, which is the Cyber Security Maturity Model Certification program, CMMC, which has become my favorite four letter word over the last few years. We are still waiting for the proposed rules. We understand that sitting with the Office of Information Regulatory Affairs at OMB, hopefully we’ll see that sometime soon. But I would say the executive branch has not stayed quietly on the sidelines waiting for CMC. They are pursuing the full charge ahead. We have lots of different proposed rules. Last year we talked on this program about activities the Securities and Exchange Commission was talking about cyber incident reporting. That rule went final not that long ago. We are looking at cyber information sharing, threat sharing, all sorts of information. Coming from the agencies. From NIST, the National Institute of Standards and Technology, we are seeing a lot of work on the cyber security framework, which is really what’s supposed to be the umbrella of standards that companies and agencies themselves have to adhere to different standards for different kinds of folks. But that is all a swirl right now. And then to add on to that, you know, the president signed an executive order on artificial intelligence, also getting some responsibilities to NIST. And so we’ll have to watch very carefully how the cybersecurity and the artificial intelligence worlds come together. You know, it’s a Venn diagram with a lot of overlap here of what artificial intelligence can do and what it can’t do or what it should do and what it shouldn’t do. So that’s what we’re watching very, very closely.
Eric White Yeah. And this is just the beginning, right? I imagine there are going to be several asks for extension, for commenting and compliance.
Stephanie Kostro Well, I’m glad you raised that, Eric. Two of these roles, proposed rules. The comments are due December 4th. But one of them is more than a hundred pages long with lots of detail. The other one is close to that length. We, along with many other associations, have asked for a 60 day extension. For both of those, bringing the due dates to early February. This is really to allow us to digest and see exactly what the implications are. One area I would mention is just due today, October 31st, is comments on an RFI that came out of the office of the National Cyber Director. The Office of the National Cyber Director is looking for how best to harmonize all of the cyber regulations. What I find interesting is that this request for information comes sort of at the beginning of this latest spate. You know, we’ll have a lot of things to talk about. These other proposed rules, again, I mentioned comments are due either in December or hopefully February. So remaining engaged with ONDC, the office, the national cyber director, to make sure everything is aligned and make sense. I think this is going to be a repeated conversation.
Eric White Yeah. And the one that kind of could sneak up on folks is the new NIST rules when it comes to protecting controlled, unclassified information. Just because contractors have already had a tough time even identifying what that is. And hopefully this will bring some clarification. I would hope.
Stephanie Kostro I would hope so, too. Eric, one of the issues that we’re facing is, you know, different agencies have different interpretations in practice of what controlled unclassified info. CUI or some people even call it CUI, what that means and who can own it, who can protect it and what to do. You know, it’s not classified, so it’s not governed by the structure of rules, regulations and policies that govern classified information. But understanding what it is that you have when you have controlled unclassified information and how to treat it, we’re really looking forward to getting the rules of the road there really defined so that we can move out what needs to happen.
Eric White All right. And new congressional leadership seems to be in place. Things are going to maybe get back to a little bit of sense of normality here, but he’s got his work cut out for him, the new speaker, because there’s always going to be a shutdown clock and now he’s on the docket. What is your hopes for the future as this new leadership team moves in?
Stephanie Kostro I love this question, Eric. Thanks for asking it. Speaker Johnson for many of us came out of nowhere. You know, we were so focused on some of the other speaker candidates, but Speaker Johnson, when he was a then candidate, Johnson for the speakership, released a letter where he outlined his intent to get all of the appropriations bill across the finish line before the current C.R. expires on November 17th. We saw them take action last week on Energy and Water. This week we are watching them try to move on the legislative branch, interior, environment, and then THUD, which is transportation and housing and urban Development. And then two more bills next week and two more bills the week after that. This was the same kind of plan that Speaker McCarthy had, but he ran into several roadblocks early on, not even getting rules passed so that they consider these bills. My understanding is that Speaker Johnson would like the House to pass all of these bills, send them over the transom to the Senate so that the Senate can take action and then focus on a C.R. for whatever length is needed for that full year appropriations cycle to go through. We are fingers crossed that this could happen. We’ll watch very, very closely what will happen with those three bills this week, because, you know, this is sort of what tripped Speaker McCarthy up, getting bills to the floor and out of the House over to the Senate. And so I wish Speaker Johnson all the luck in the world, but we’re really going to watch closely to see if he’s got the power necessary to get these off the floor.
Eric White And maybe be able to capitalize off of some sort of honeymoon period, if that even exists for a position like Speaker of the House.
Stephanie Kostro You know, it looks like that honeymoon is very, very short, maybe delayed even. I don’t even know. But November 17th, which is the end of the current C.R., will be here sooner than you know it. And there’s a lot of work to get done and very few legislative workdays to get it done in.