Contractors seek clarification on government cyber standards

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne

From lack of a new budget to roiling vaccine mandates, the federal government, from contractors’ point of view, has become, you might say, an even more difficult customer. And now, that cybersecurity maturity plan has them scratching their heads. Federal Drive with Tom Temin checked in with the president and CEO of the Professional Services Council, David Berteau.

Tom Temin: And David, I want to start with CMMC, Cybersecurity Maturity Model Certification program, just overhauled from the services contractor standpoint, it’s not quite what they’re saying it is.

David Berteau: Tom, there’s several aspects that we think need a lot further exploration here. And of course, we’ve been waiting a long time for this because the administration started its review of CMMC at the beginning back in January. And then finally, back earlier this month, they released the results of that. And it is a streamlined process. They’ve gone from five categories of requirements down to three. And they’ve basically eliminated any specific DoD standards. So all of the standards for compliance now are based on the National Institutes of Standards and Technology, the NIST standards 800-171 and 172. The implementation of this, of course, was already moving forward with a DFARS clause that was issued as an interim rule, not a proposed rule. DoD claims that they’ve taken account of all the comments on that, but they haven’t changed the rule yet, right. So we’re gonna go through another rulemaking process before anything is implemented, apparently. But there’s three questions that have come up from PSC’s point of view and our members’ point of view that I think are worth noting to you. Number one is the focus is still very much on technical data for major weapon systems. And while that’s a really vital thing to protect, it’s not the only thing to protect. And we think particularly on the services end, there’s a lack of attention that was true in the previous version of CMMC, it’s been through all through the process. But you take just for example, operational data, buying fuel, if you’re going to buy fuel, you’re going to buy it on the open market, through a global computer systems that are probably never going to be CMMC compliant, because they’re not operated by American companies if you’re overseas. Initially, it looks like it’s not protected data, right, you’re just putting a purchase order in for some fuel. But once you add in the amount and the delivery date and the location for the delivery date, now you’ve got something that might be operationally sensitive. And then none of that is taken into account here.

Tom Temin: That’s known as I guess, sensitive data or CUI data, depending on the agency, it’s unclear where that type of data falls. But they’ve been mentioning that kind of thing for years, if they buy 10 million rolls of toilet paper, does that mean there’s a deployment of troops happening, that kind of thing, I think is what you’re driving at.

David Berteau: But it doesn’t become CUI until the orders actually placed. And at which point, it’s already in the global commercial system. It’s not something that can be protected. So this is a big flaw in the in the fundamental operating system process. And that’s what you get when you focus on the important elements of technical data, but not the operational data.

Tom Temin: And collapsing the number of levels from five to three, you’re saying is actually six now?

David Berteau: Well, in the presentation material that we’ve seen, they’ve gone to three levels, right, the low, the medium, and the high. But they’ve also indicated that there’ll be minimum thresholds, not necessarily 100% of the parameters that will be required at the time of contract award. And then you’ll have to have a plan to get all the others in place within a reasonable period of time after contract award. So if each of the three categories actually has two levels, a minimum threshold and full compliance, that is not three, that’s six. So we’ve gone from five to six, that’s not actually simplifying and making it less, if you will. And then finally, I think the big issue from our perspective has always been driven by the threat, right. Because there’s no dispute that we need better cybersecurity, the threat is growing. What we’re doing now is clearly not good enough. And so we need to do more, not just in DoD, but across the federal government, and actually across all of America. But the reliance on solely on the NIST standards, I think does potentially slow down and reduce the speed with which we can respond to those emerging threats. DoD could move much faster if it were able to put its own requirements in. Maybe it’ll evolve that way. That’s one of the questions we’ve asked and don’t have an answer to yet.

Tom Temin: We’re speaking with David Berteau, president and CEO of the Professional Services Council. And also on the uncertainty front is the budget and the NDAA. And now contractors, from what I’m hearing kind of across the board, are getting set for a possible year long CR, given the state of congressional disagreement, possibly even worse.

David Berteau: Well, that’s certainly what it may look like. And Senate Minority Leader Mitch McConnell has gone on the record saying we’re not going to have a budget deal. We’re just going to have a year long CR. And of course, the continuing resolution has lots of problems. No new starts, uncertainty about funding, short periods of time for that funding, particularly since it’s unlikely we would get a continuing resolution for the rest of fiscal year 22, we’d likely get one, I don’t know, maybe we’ll get one for two or three weeks. And we’ll see if we get from December 3 to Christmas, then we’ll get another one that might punt till after Christmas, maybe February or March. Then you’ll get there and say, well it’s an election year, maybe we won’t finish it this year, so you just extend it to the end of the year. And then guess what, you start FY 23 with another continuing resolution because the election hasn’t occurred yet. This is the kind of chaos and confusion that just will make the government operate much less efficiently. It has consequences, negative consequences for every agency, but particularly for national security, where China is not waiting around for us to get to a budget resolution year and a half from now. They’re moving forward as they are, so are so many of our other adversaries.

Tom Temin: And it looks like there’s some action on the NDAA, which is in one chamber all set, the Senate still has to finish up. So what do you see there that is of concern in terms of the policy provisions in there?

David Berteau: It does appear that the Senate will be taking up the the FY 22 National Defense Authorization Act this week while waiting for the House to finish the reconciliation bill that they can go forward. Whether the Senate completes its actions or not, it depends on how fast the house moves, obviously. But we have quite a number of provisions that we’re worried about in there. Some are very positive aspects that we would like to see brought into play. You may remember our Section 3610 authority that authorized agencies to pay for people who couldn’t get to work because of the pandemic, right. And now we’re about to put a new mask mandate back in place on December 5. And we’ve got a surge going on in two thirds of America states already. And so there’s big question there. Well, that authority has lapsed, and so there’s a provision in the House bill that would create standby authority, can be activated, we’d like to see that added to the Senate bill and expanded to be government wide as well. There are opportunities here to address the vaccine mandate in ways that perhaps are constructive from an implementation point of view, not just the political support, or political potshot perspective, and we’d like to see some of those as well. There is one provision that we’d like to see taken out. The House version of the bill has a provision, you may recall the old fair play and safe workspaces issue from a couple of administrations ago, that took the enforcement out of the Labor Department’s hands and gave it to each contracting officer. And we’d much rather see beefing up the capabilities that the Office of Fair Labor Standards has for moving forward on that.

Tom Temin: And the other thing is we have not seen yet, as far as I’ve noticed, is a nominee for the Office of Federal Contract Compliance Programs at the Labor Department. That could be a potent place if they ever staff it up.

David Berteau: It becomes essential. I mean, that office is very important for suspending and barring contractors that are not complying with the rules. It is not only the place that issues the rules, it’s the place that enforces those rules. We support that enforcement. All of our members want to be in compliance with those requirements. And I think PSC would love to see that agency be able to completely perform its job, but without a head, you’re not going to do that. And of course, Tom, as of this morning, there are still more Senate confirmed positions with no nominee then there are Senate confirmed positions where they confirmed a nominee, so we need to we need to move forward faster across the board on that.

Tom Temin: David Berteau is president and CEO of the Professional Services Council. Can you ever remember a time where there’s this many unresolved issues floating around the contractor and contracting zone?

David Berteau: There are a lot of balls in the air. And sometimes when those balls come down, they have sharp edges on them. And so the juggling is is really quite difficult. It’s what PSC is here for, to wrestle with these issues on behalf of our members, and we’re gonna continue to do that as best we can. Thanks, Tom.

Related Stories

    Head shot of Larry Allen

    For contractors, the unthinkable is on the table: A year-long continuing resolution

    Read more
    (Army courtesy photo)To help make moving as stress-free as possible, Move.mil has partnered with Military OneSource to house all the moving support you need, all in one place. Starting October 4, 2021, moving customers are invited to visit the Moving & Housing section of MilitaryOneSource.mil to find web pages covering a wide range of information about everything from shipping household goods to settling into a new duty station. (Courtesy Photo)

    DoD makes $6.2B award in do-over of military household goods moving contract

    Read more
    (Pfizer via AP)FILE - This October 2021, photo provided by Pfizer shows kid-size doses of its COVID-19 vaccine in Puurs, Belgium. (Pfizer via AP, File)

    Contractors get new January deadline to comply with federal vaccine mandate

    Read more

Comments