On cybersecurity SINs, what would Machiavelli have said?

“If the enemy should leave a considerable booty in your way, you should suspect there is a hook in the bait.”

That quote from Niccolo Machiavelli, the Italian Renaissance figure, is how Alex Major, partner at the law firm of McCarter and English, views the General Services Administration’s new cybersecurity SINs (special item numbers).

“Whenever you’re dealing with someone, you need to make sure that maybe they do know what they’re talking about, that they do know what they’re doing,” Major told the Federal Drive with Tom Temin . “And that if it looks to good to be true, sometimes it might be. So what Machiavelli has been translated as is if you see booty, there might actually be a hook in it.”

Major said that contractors have to be careful when dealing with GSA, especially in matters of cybersecurity, to ensure that it understands exactly what contractors are offering, and where the limitations lie.

Advertisement

“You’re sitting there talking with a professional who understands what you’re doing; they get it,” Major said. “But the contract is not for them. The contract … is for the [Justice Department] investigator suing your company for False Claims Act in six years. So make sure your contract is very very clear. Limitations are going to be critical in future litigation.”

Cybersecurity is especially vulnerable to this kind of situation; Major said that intrusions are a matter of when, not if. Contractors and federal IT professionals understand that, he said, but DoJ or inspectors general may not.

So Major recommended companies shield themselves against liability.

“Cybersecurity is so dynamic that the company and the customer needs to understand that just because you are secure today, and that they couldn’t get through in their penetration testing, for example, on Tuesday, that doesn’t mean it’s that same way on Wednesday, Thursday, Friday,” Major said. “There are so many challenges, so many threats, and the bottom line is with any cybersecurity effort, with any sort of penetration testing, to be secure, you have to be secure 100 percent of the time, but to be effective you only have to get through once.”

It requires a balance, Major said. Vendors need to educate customers on what they provide, and customers need to understand that all they can offer is a snapshot.

One of the biggest concerns Major has with the new SINs is the oral evaluation.

“It’s going to be unique. There are no recording devices during the … interview. It could be a 40 minute interview all the way up to three hours depending on how many SINs you’re actually negotiating,” Major said. “It’s sort of interesting, because whenever we’re talking about looking to compete or challenge a decision, you want a record. So I’m uncertain, I’m very curious to see how it actually turns out. How will these oral examinations find their way into the pre-negotiation memorandum? Will they find their way into the pre-negotiation memorandum?”

He assumes that the vendors will be able to take notes, and said that they should. He also cautioned making any promises that might be inferred or suggested. He even suggested that vendors might send IT personnel rather than vendors to the negotiations, in order to get a more careful description of capabilities devoid of any embellishment.

This could lead to a Catch-22 for contractors, however. Companies that provide careful descriptions and cover their bases when negotiating could lose contracts to more brash vendors who are setting themselves up for problems down the road.

In all, he said contractors need to tread carefully, understand their pricing because it will be susceptible to Commercial Sales Practices, limit the definition of the basis of award customers, ensure they categorize and catalog everything they’re saying, and if they don’t feel comfortable removing something from their solicitation, they shouldn’t do it.

“Just be very careful and very mindful going in, just like with any GSA contract,” Major said.