Contractors design strategies for dealing with the latest executive order on cybersecurity

 Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne. That ex...

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

That executive order on cybersecurity from the White House last week – where do you even begin with an 8,000-word tome with dozens of deadlines and action items? Contractors have been parsing it out. For one view, Federal Drive with Tom Temin turned to the Executive Vice President for Policy at the Professional Services Council Stephanie Kostro.

Interview transcript:

Tom Temin: Ms. Kostro, good to have you on.

Stephanie Kostro: Thanks so much for having me.

Tom Temin: So what did your members think of this executive order, because it is a lot in there, a lot to just even read and figure out – you almost need a whiteboard.

Stephanie Kostro: So Tom, as you know, we have over 400 member companies at the Professional Services Council, and many of them are interested in parsing out, as you put it, this executive order. It is surprisingly comprehensive, it claims to be bold, to push for bold changes and significant investments. Obviously, we haven’t seen any investments yet. It’s a little bit too early since the executive order just came out last week. But we should expect contractors to see new contract clauses in the next six to 12 months. This train has left the station and it is barreling down pretty fast. One area where we are particularly watching is this information sharing mandate that was laid out in the executive order. The goal was to remove barriers to threat information sharing. And what that means is that there will be new requirements for contractors to collect, preserve, and then report on some of the threat incidents that they’re seeing. And currently, you know, we are doing it in a very piecemeal way throughout the U.S. government. And this will take a more holistic approach to how we are applying government wide requirements to all agencies involved.

Tom Temin: Yeah, a couple of thoughts here: One, this information sharing that you mentioned – and it is emphasized heavily – in some ways, this idea goes back to the very beginnings of the Homeland Security Department itself, when each of the critical infrastructure pieces of the economy were supposed to have a federal agency counterpart to information share with. And that has happened only piecemeal even though it was enshrined in enabling legislation, and in the way the department was set up. So in some ways, it’s kind of forcing what should have have been going on all along. It’s not new in that sense.

Stephanie Kostro: That’s absolutely right. And when the Department of Homeland Security was created, back in the day, they had something called a National Communications Information Sharing Center (NCIC). That has been subsumed into this Cybersecurity and Infrastructure Security Agency, still resident at DHS, and actually, we’re having a – PSC is holding a tech trends conference next week, next Tuesday, with the director of the National Risk Management Center there, Bob Kolasky. And I suspect what we’re going to find is that CISA, as it’s called, is vastly underfunded to look at things like this beyond the .gov domains, but into the .com domains. And we’ve seen some of the wicked effects really, of infrastructure security as it plays out in the cyberspace with the dark side ransomware attack on Colonial Pipeline not too long ago, and what that impacted in terms of 5,500 miles of pipeline, and a lot of southeastern U.S. states scrambling to fill, sometimes Ziploc bags with gasoline. So this is not a small area in terms of cybersecurity and its impact on not only what government can do, but what industry can do. And this is a conversation that’s been long and coming. The fact that we have a new executive order that is just a tome in terms of direction that’s giving for tasks to various agencies, whether it’s OMB, whether it’s the National Institute for Standards and Technology and some NIST guidelines that have to come out for supply chain security. This is really a soup-to-nuts executive order. And the fact that we can probably see contract clauses change as soon as six months from now, I think there’s a lot of wood to chop in front of us.

Tom Temin: Yes, that was my other question, something you mentioned at the very beginning. And that’s the contract clauses. Because the opening of the executive order, the first segment is all about procurement more than cybersecurity measures themselves they want agencies to take. And so you’re getting a sense yet of what types of clauses or what the clauses will require at this point, or is that yet to be worked out?

Stephanie Kostro: So there are several areas where contract clauses will need to be changed, or terms and conditions may need to be changed within existing contracts and certainly contracts going forward. One is on this information sharing that we raised early in our conversation here. The other one is on supply chain security, and what they’re calling critical software. And so in terms of what’s compliant, what’s not compliant, NIST, the National Institute for Standards and Technology, have to come up with the guidelines first, introduce them to DHS, and then have some regulations changes. So I think in the short term, we’ll see more regulations regarding this information sharing piece. And the longer or the, I guess taller a pole in this particular tent is the compliance with critical software and some of the other guidelines that will be coming out of NIST in a longer conversation with the Department of Homeland Security. So this is a space where a lot of our member companies are really not scrambling, but taking a step back and saying “Where can we influence the development of regulations? What’s in the realm of the possible?” Because they all understand it’s not just national security at this point. It’s economic security. It’s infrastructure security. It’s a much wider swath of government agencies involved.

Tom Temin: We’re speaking with Stephanie Kostro. She’s executive vice president for Policy at the Professional Services Council. And I want to switch subjects here a minute, because we could spend an hour on the executive order – takes two hours to read it. But I wanted to ask you about a letter that the Council has written to the heads of USAID, the State Department and the Secretary of Defense regarding this ongoing lingering, also an unknown is, what is to become of contractors that have been supporting operations in Afghanistan? What are you asking for from these leaders?

Stephanie Kostro: So we alongside the two other trade associations signed a letter to secretaries Blinken, Austin and also Ambassador Power over at USAID to ask for some collaborative forums – one in Kabul and one here in Washington, D.C., where contractor concerns can be given due consideration, but also where the government can benefit from lessons learned. This is not the first U.S. military drawdown that we’ve seen in the Middle East-South Asia. Contractors have been involved in every single drawdown in that region. And so there are lessons learned that if only they could mind the wealth of knowledge that exists within the government contracting community, we could probably take some steps forward. I would say some of the concerns that the contractors are voicing are not unfamiliar, it’s a lot of the security posture concerns that anytime US military forces withdraw or have retrograde operations out of a particular country or region. You know, contractors are often there with, you know, terms and conditions and requirements that they have to fulfill whether the US military, is there or not. How safe are those employees? What are the concerns that they have regarding their ability to get out for development projects to support diplomatic missions? It’s a real set of concerns that have existed before Afghanistan. But they would like to be included in this conversation, as the US government figures out what’s staying there and what’s leaving.

Tom Temin: That’s right, because even though the military is leaving, presumably by September, or whenever it is, contractors will be there a long time because the State Department’s not leaving.

Stephanie Kostro: In USAID is also staying, Tom. I think we’ve even seen some requests for proposals coming out from USAID that are five-year contracts that are firm-fixed price. And it’s a real struggle to find out how member companies can bid on those contracts without knowing basic questions like what’s the security going to be like in five months? Not only that, but five years from now it is unknowable at this point.

Tom Temin: And finally, a related matter of course, is contractor involvement right here in the U.S. of A. as the COVID guidance continuously changes and more people are vaccinated. What are you seeking and what are you hearing for contractors returning to the workplace?

Stephanie Kostro: So that’s a great set of questions too, Tom, because as you all know, the CDC came out with new mask guidance midweek last week. And states like Virginia and Maryland here close to home in the National Capital Region have also come out with new guidance over the weekend. Contracting community, some of them work on site side by side with civil servants and military personnel. They are thinking about what return to workplace looks like. We don’t we don’t call it return to work because they would argue that they’ve been working this entire time. But the return to workplace in terms of health considerations and cost. Some places have downsized over the last year or sublet out their space. And now they have to figure out how to come back into this area. So we at PSC are working with member companies as well as the Arlington economic development folks to figure out what exactly does workplace look like? And how can we have this conversation when we don’t have requirements for vaccinations because they are still under the emergency use authorization.

Tom Temin: Sometimes I wonder when to the world gets so complicated. Stephanie Kostro is executive vice president for Policy at the Professional Services Council. Thanks so much for joining me.

Stephanie Kostro: It was my pleasure. Thanks so much.

Tom Temin: We’ll post this interview at Subscribe to the Federal Drive at Apple Podcasts or wherever you get your shows.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News Network

    DHS set to launch its ‘most significant hiring initiative’ as part of cyber workforce sprint

    Read more

    More than troops will be departing Afghanistan — also a slew of contractors

    Read more