NIST is asking industry for comments on the next cybersecurity framework


A call for comments from the National Institute for Standards and Technology gives industry a deadline of next week. NIST is looking for reactions to ideas for critical infrastructure cybersecurity, and it could have a big impact on companies doing business with the government. The Federal Drive with Tom Temin got more now from the executive vice president for policy at the Professional Services Council, Stephanie Kostro.

Interview transcript:

Tom Temin: Stephanie, good to have you back. Tell us what NIST is specifically looking for and how industry is reacting.

Stephanie Kostro: Thanks for having me on again, Tom. NIST released a request for comments, as you noted, it was about a 60-day comment period. And comments are due here on April 25, next Monday. And it’s an interesting request for comments. It’s requiring some detailed response. They are updating what they call their Framework for Improving Critical Infrastructure Cybersecurity, and we’ll just call it the framework. The framework was last updated in 2018. And in this space, so much can happen, you know, you look at it and go, oh, it was only four years ago that it was last updated. But so much can happen in the cyber area and the IT sector. And so as we look at what they’re asking for, they’re looking for information, thoughts about procedures, about standards, about techniques and whatnot. This is really taking the government services technology sector by storm in terms of the level of interest in weighing into this framework. They’re also concurrently asking for information from industry on how they should tackle cybersecurity risks in supply chains. And they’ve created something they call the National Initiative for Improving Cybersecurity and Supply Chains, this should go hand in glove.

Tom, the concern that I have about all of this very good work that’s happening is that we’ve got so much information out there about cybersecurity, about frameworks, about these initiatives. What we will be looking for, and we will be submitting PSC comments on this request for comments, is some harmonization, stronger guidance about what exactly government services companies should be doing in this space. For example, you’ve got DHS’s cyber efforts under CISA, their Cybersecurity and Infrastructure Security Agency, you’ve got DoD’s Cybersecurity Maturity Model Certification process. And there’s also a process being run by the Defense Contract Management Agency. All of these different initiatives really need to be harmonized, and I suspect our comments will tackle very closely the issue of harmonizing them, and providing guidance that contractors can use in real time in the real world.

Tom Temin: It seems like there are two components basically to what everybody’s doing. One is vendors’ cybersecurity systems, protecting the data that’s crucial to them and to the government, the CUI and the rest of it. And then there is the question of the security of what it is suppliers are delivering. And it’s mostly software. And even if it’s hardware, there’s a lot of software in it. And so they’re concerned with the bill of materials that’s in that software. Two related but really separate efforts and domains that are both housed within the vendor community. Is that a fair way to put it?

Stephanie Kostro: It is a fair way to put it. And when you look at things like the NIST framework, companies will look at it and go, this is a framework, but is it really what we have to comply with? Is it a compliance model? And you know, when we look at what a framework might provide, you know, it’s thoughts, it’s procedures, it’s that kind of thing. It’s really meant to inform companies about what they should be looking at. But small and midsize companies are really struggling here, because they don’t have the internal resources to comply with several different models of how they should be attacking cybersecurity, and particularly in supply chains. Because when you think about how many prime contractors the government has, you multiply that tenfold by the number of subtier contractors they have, and making sure that you have a reasonable assessment of the things that are on your bill of materials, your bill of goods, where that’s coming from, whose hands it passed through, who had access to it at any given time, it really is quite the knot to unravel. And so from a compliance perspective, what we’ll be looking for is clearer guidance on what exactly companies should be doing so they can dedicate the necessary resources to be able to work with the U.S. government.

Tom Temin: We’re speaking with Stephanie Kostro, she’s executive vice president for policy at the Professional Services Council. And something else I wanted to ask you about is the $800 million Ukraine package. I guess this is the second of them. And there’s some workforce support contractors in here not just delivering hardware to Ukraine.

Stephanie Kostro: Yes, Tom. So, you know, I think when people saw media reports about this $800 million package, their attention was grabbed by how many helicopters, drones, Javelins, which are now ubiquitous in headlines these days when it comes to Ukraine and the importance to Ukraine of this capability. But on the other side of the coin is how are you going to support, sustain, make sure that this equipment is operational, and that really does come down to contractor support. The other element of contractor support, and I’ll remind folks about the $13 billion supplemental that was going for Ukraine that was passed earlier this year. You know, half of that was for military support. And half of that, again, was for not only going to Ukraine for equipment and capabilities, but also what are we doing on the U.S. side to flow forces to the proximity of the fight. And services contractors are playing a key role in sustaining and maintaining those lines of communication and those forces as well. So there’s a lot going on here on the contracting side, when you think about what it takes to maintain kind of artillery radar, what it takes to maintain, you know, some of the equipment that they’re sending over, I read that it’s 200 armored personnel carriers, you know, those come with quite the tail for sustainment and operations. So that’s where our contractors are lending not only their expertise, but putting their lives on the line to help support the equipment that we’re sending over.

Tom Temin: I was going to say, it’s not simply a matter of something you can do from an office in McLean or Reston or Huntsville. But you’ve got to be there in Eastern Europe to do this.

Stephanie Kostro: Yeah. And companies have seen requests for quotes for sending personnel over to places like Poland, the Baltics, elsewhere. And I think a lot of times it gets lost in the mix here. You know, you often say the military forces, you know, sign up for risking their lives for a higher goal. Contractors do as well, because they are here to support the mission just as much as military personnel are and the civilians that support it. And so I think it’s important to remember that they are going into harm’s way as well.

The other element I would add, Tom, is that we are still supporting the people of Ukraine through humanitarian assistance. And those contractors are also putting their lives on the line, as well as their expertise, knowledge, know-how and whatnot. So I don’t want us to forget that it’s not just always about the military equipment and support. It’s about the humanitarian support, the economic support, and that element of the services contractor community really deserves kudos for the work that they’ve been putting in.

Tom Temin: And this all occurs at a time when contractors are dealing with price pressure from inflation. And the government seems to be a step behind in making sure that its allowances and processes are keeping up with the inflation that contractors feel. What are you sensing there?

Stephanie Kostro: There’s a real dichotomy when we talk to the different agencies. If you talk to the General Services Administration, they recently released a letter that gave a moratorium, temporary moratorium, on how many price adjustments you can ask for dealing with inflation. But what I’ve read in the media is that folks like Deputy Secretary Hicks at Defense, are saying they’re not seeing a huge influx of requests for these equitable adjustments. And instead, the Defense Department, for example, is turning to Congress. And they plan to work with them this summer, on how to address inflation in the FY 23 fiscal year, which of course starts on Oct. 1. My concern is that inflation is now. People are leaving their jobs now, because they can no longer support their families in some cases. And so if the government could allow some flexibility, not just in GSA but elsewhere, to allow companies to come in and ask for equitable adjustments, that would go a long way to helping retain the workforce that’s necessary to support federal missions.

Tom Temin: So even though GSA is putting some sort of a clamp on those, that doesn’t mean you should abandon them and eat it, you should really do the exception requests that you’re entitled to do.

Stephanie Kostro: It’s actually the opposite. GSA has put a temporary moratorium on the limits for how many equitable adjustments you can ask. So they’re encouraging companies to come and say, here’s the situation we’re facing now. They could still deny them. Let’s be honest, a temporary moratorium on the limits is not saying we’re going to accept everything that comes across our desk. But it is a hopeful sign to companies that working with GSA, they will understand the pressures that they’re feeling, not only in the price of goods, but of the price of people. It’s a little disheartening to hear folks, senior leaders from the Defense Department come out and say, you know, we can ask companies just to take this out of their profits. Profit margins are very slim, and companies have given cost of living increases to their staff over and above what perhaps the government had thought they would, and that is coming out of profit. So there’s a very slim margin here. But I hope that across the government, there can be a solution similar to what maybe GSA has done in allowing additional economic price adjustment requests.

Tom Temin: I imagine the pressure is more on goods deliverers, or services companies that have a good component to what they’re delivering, because goods require transportation and handling and packaging, all of those things, direct costs that are going up, perhaps faster than people costs are going up.

Stephanie Kostro: That is definitely a component of it. But I would say government contractors are also dealing with a commercial sector that doesn’t have necessarily the limits that being tied to a GSA schedule for labor categories and rates might have and so it is a tight marketplace for talent. We’ve heard about in the headlines, the great resignation, people you know, who have frozen in place during the first couple of years of COVID are now peeping their heads up almost like prairie dogs looking around and seeing what’s out there, and the game of musical chairs has begun again where people are leaving their jobs, whereas they might have hunkered down over the last few years. So, yes, there’s definitely a goods component to this. But the talent component is not inconsequential.

Tom Temin: Well, let’s hope they’re not going to California thinking they’re going to get a gasoline rebate card.

Stephanie Kostro: I did hear about that.

Tom Temin: Stephanie Kostro is executive vice president for policy at the Professional Services Council. Thanks so much.

Stephanie Kostro: Thanks, Tom, for having me.
