Government management never sleeps. Even as the management side of the administration of President-elect Donald Trump still is far from coming together, the Office of Management and Budget isn’t taking it easy awaiting the new political appointees.
OMB issued two significant memos last week — one addressing challenges around agency-vendor communications and the other updating agency requirements for how they respond to breaches of personal information.
These two are among a boatload of memos coming from OMB over the last year. In fiscal 2017, OMB has issued 12 memos. Over the last 12 months, the administration sent out 31 memos ranging from the mundane, like apportionment requirements for the continuing resolution, to those trying to make major changes, like to how the government buys technology and pays senior executives.
The most recent two follow a long-held pattern by the Obama administration of updating, consolidating and hoping to leave policy in a better place.
In the data breach memo, released Jan. 3, OMB consolidates and updates four other memos and gives agencies six months to update or develop a response plan to a cyber breach involving personally identifiable information (PII).
“The goal here is to organize and take the lessons we’ve learned over the last 10 years,” said Ari Schwartz, a former White House cyber official and now the managing director of cybersecurity services at the Venable law firm. “Over the last 10 years since the breach at the Veterans Affairs Department, we learned a lot and there are things agencies have to do differently now than in the past and hopefully this will last longer than the last memos.”
Among the biggest changes in the PII memo is that OMB outlined definitions distinguishing a breach from an incident.
Previous guidance told agencies to report everything no matter how big or small. Schwartz said this led to confusion and inconsistent reporting.
The confusion also led to actions that cost agencies money unnecessarily. For example, VA must report monthly to Congress any and all PII breaches. In December 2010, for instance, VA detailed 10 incidents, including mishandled meal tickets, accounts without passwords and stolen computers.
Not all of these are breaches, and now agencies can determine the risk and the appropriate response, instead of just giving everyone identity protection.
“A breach is not limited to an occurrence where a person other than an authorized user potentially accesses PII by means of a network intrusion, a targeted attack that exploits website vulnerabilities, or an attack executed through an email message or attachment. A breach may also include the loss or theft of physical documents that include PII and portable electronic storage media that store PII, the inadvertent disclosure of PII on a public website, or an oral disclosure of PII to a person who is not authorized to receive that information. It may also include an authorized user accessing PII for an other than authorized purpose,” OMB wrote in the memo. “Agencies should not limit training on how to identify, report, and respond to a suspected or confirmed breach to annual security and privacy training. Rather, agencies should consider annual security and privacy training as the baseline and consider specialized training for specific groups, such as supervisors and employees who have access to or responsibility for High-Value Assets.”
Another important part of the memo is the requirement to create or update, and then test, a PII breach response plan.
Agencies must submit their response plan to OMB in the next six months. Additionally, the Federal Acquisition Regulatory Council will develop contract clauses to implement the requirements of the memo for vendors.
“If agencies can respond quickly, then they can limit the damage from a breach,” Schwartz said. “If you build an incident response plan and exercise it, you will know what you need to work on first. If you try to go through in alphabetical order, you will have problems. It becomes very clear what you’ve done right and what you are missing, and then you can prioritize what you need to do if you exercise your response plan. It’s a risk management approach.”
Schwartz said the OMB memo, along with NIST’s new Special Publication 800-184, the Guide for Cybersecurity Event Recovery, gives agencies a great set of starting points to create incident response plans.
He added that the NIST framework has five areas to help agencies get better at responding to and recovering from PII breaches.
Busting more agency-vendor myths
In its second memo of the week, OMB also is trying to change how agencies interact with vendors. Lesley Field, the acting administrator of the Office of Federal Procurement Policy, issued the third “myth-busters” memo since 2011, with this new one focusing on debriefings. The first two focused on different aspects of agency-vendor communications such as discussions during market research for a request for proposals.
Field said in a statement that this memo “addresses misconceptions related to debriefings, and offers best practices to help agencies foster an environment conducive to productive interaction between government and industry. Further, the memorandum joins the growing list of actions OMB has taken to open the acquisition system to more robust vendor communications, including the launch of the Acquisition 360 survey, which collects feedback from the vendor community on their experiences with agency acquisitions — and ‘reverse industry day’ — an event aimed at helping agencies better understand industry’s perspective on workforce training.”
Rob Burton, a former OFPP deputy administrator and now an attorney with Crowell & Moring, said he hopes this memo changes the mind of acquisition officials about the value of debriefings.
“Most agencies are reluctant, for all the wrong reasons, to give robust and comprehensive debriefings to unsuccessful offerors after a contract award decision. OFPP is correct that contractors often file protests to get more information about the award decision,” he said. “Most of this information can be shared during a debriefing, and I have found that contractors who receive comprehensive debriefings are less likely to file protests. If agencies follow the OFPP guidance on debriefings, the result will be an improved federal acquisition system and better industry-government relations.”
This latest myth-busters memo attempts to dispel eight misconceptions about debriefings.
These range from the idea that debriefings always lead to protests, to the notion that lawyers attending a debriefing mean a protest is inevitable, to the belief that debriefings should only be given in writing.
OFPP pushes back against each of these misconceptions. For instance, the myth that debriefings lead to protests is untrue because the Government Accountability Office says the most common reason unsuccessful bidders file protests is that they have concerns about how the RFP’s evaluation criteria were applied.
“Although offerors have access to the evaluation criteria, they often lack substantive insight into how the source selection officials assessed the proposal’s strengths and weaknesses,” OFPP wrote.
The memo is the first public output from the Acquisition 360 surveys OFPP conducted starting in March 2015 to use customer feedback to improve acquisition processes.
“Acquisition 360 survey feedback and input from other industry and agency outreach pointed to debriefings as one of the most valuable events during the acquisition lifecycle,” the Jan. 5 memo stated. “Debriefings offer multiple benefits. They help vendors better understand the weaknesses in their proposals so that they can make stronger offers on future procurements, which is especially important for small businesses as they seek to grow their positions in the marketplace. In addition to contributing to a potentially more competitive supplier base for future work, debriefings allow agencies to evaluate and improve their own processes. Further, agencies that conduct quality debriefings have found a decreased tendency by their supplier base to pursue protests. Studies of the acquisition process have observed that protests may be filed to get information — information that could have been shared during a debriefing — about the agency’s award decision to reassure the contractor that the source selection was merit-based and conducted in an impartial manner.”
OFPP is encouraging agencies to establish or adopt a debriefing guide for contracting officers and vendors alike. Additionally, OFPP wants agencies to review the myth-busters memo and incorporate it into existing policy or include it in new documents. OMB wants agencies to post their debriefing guidance, training tools and other materials to the OMB MAX portal by March 1.
“As an acquisition reform initiative for 2017, OFPP should initiate a FAR case to require debriefings for all contract and task order awards over the simplified acquisition threshold,” Burton said. “Currently, there is no requirement for full debriefings for task orders issued under the GSA Schedules, regardless of the dollar amount. Considering the volume and value of GSA Schedule task order awards, this is an unacceptable situation and in need of immediate reform.”