The conflicting stories of cybersecurity
For a moment, pretend you're a member of Congress and you're thinking about federal procurement policy and economies of scale.[1]
One story you might tell yourself is that the United States government is the largest purchaser in the world and, therefore, the government can wield enormous market power to drive markets. This is a good story! The US government spends nearly $1 trillion each year on stuff. From this story, you might conclude that the government should dictate better terms of purchase to suit the government's needs.
Another story you might tell yourself is that the United States economy is the largest in the world and, therefore, the government can take advantage of the innovation and scale of domestic commercial markets. This is also a good story! The current Gross Domestic Product of the United States is over $27 trillion. From this story, you might conclude that the government should buy commercial products and services and gain the benefits of a much larger market.
These stories generally coexist peacefully. The federal government is a large enough customer that it can usually bend markets in its favor. Sure, it might cost a bit extra to get the government-tailored widget, but it's doable.
But there are times when they clash.
A few months ago, for example, I wrote about the FedRAMP program:
A consequence of the way FedRAMP has practically worked over time is that many cloud-service providers offer "government-only clouds" that are FedRAMP approved separate from commercial cloud offerings. Whether you like this or not is sort of irrelevant. It just is.
In the case of FedRAMP, the original goal was to promote the government's use of commercial cloud and get away from government-only data centers. But because FedRAMP implements NIST-promulgated, federal-government-specific security and privacy controls and because of the process that the FedRAMP program uses, the government doesn't actually get the commercial product! Instead, the government-specific tailoring meant that commercial cloud providers would create government-only data centers!
A few weeks ago, though, the government published a draft update to its FedRAMP policy that aims to reverse the trend. As the draft guidance explains:
FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated infrastructure for Federal use, whether through its application of Federal security frameworks or other program operations. The Federal Government benefits most from the investment, security maintenance, and rapid feature development that commercial cloud providers must give to their core products to succeed in the marketplace. Commercial providers should similarly be incentivized to integrate into their core services any improved security practices that emerge from their engagement with FedRAMP, to the benefit of all customers.
Here, the government is trying to shift from the story that the US government is the largest purchaser to the story that the US is the largest economy. But sometimes it's hard to keep that story straight!
A few weeks before the FedRAMP guidance came out, the government published two proposed changes to the Federal Acquisition Regulation that would move security and privacy compliance away from commercial practices. According to the government, these proposed changes are needed because commercial markets aren't working effectively enough:
Recent cybersecurity incidents such as those involving SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.
The story behind these proposed changes, then, is that the government needs to use its purchasing power to bend the market:
Contractors must be able to adapt to the continuously changing threat environment, ensure products are built and operate securely, and coordinate with the Government to foster a more secure cyberspace. It also is essential that the Government—and its contractors—take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines. In the end, the trust the United States places in its digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences it will incur if that trust is misplaced.
These proposed changes to the FAR are leaning heavily into the story of government as the biggest purchaser.
But do they go too far? At least one law firm[2] hints that they might:
The FAR Council’s proposed rules are a lot to take in at once. We anticipate they will create significant compliance burdens and costs for existing Government Contractors, and they could have a chilling effect on new market entrants. The proposed rules also bestow significant discretion and responsibility on contracting officers, many of whom may not have technical backgrounds or be equipped to make the types of determinations contemplated under the proposed rules. Finally, the False Claims Act implications of the rules cannot be ignored. The proposed rules expressly state that compliance with these requirements "is material to eligibility and payment under Government contracts," thus laying the groundwork for False Claims Act cases. With this language in the rule and with the added certification obligations in FAR 52.239-AA, relators and Government agencies will be able to establish False Claims Act liability for cybersecurity lapses or failure to report security incidents far more easily than currently.
And, following these proposed rules and the FedRAMP guidance, folks have questions about how these stories can be harmonized:
More broadly, the memo does not address how cloud contractors should respond to potential clashes between those updated FedRAMP requirements and other federal cybersecurity requirements.
With the draft guidance open to comment until Nov. 27, and comment on related pending Federal Acquisition Regulation cybersecurity rules open until Feb. 2, cloud service providers should weigh in during those comment processes to try to get the government to "connect the dots between the two," Hadeka said.
It's definitely a challenge! If the government errs too far on the side of attempting to bend the market, it might reduce the availability of commercial products to the government. On the other hand, if the government doesn't effectively use its purchasing power, the government can end up in the headlines when failures occur.
Of course, there is another story that involves Congress enacting legislation that effectively regulates the market beyond the government's role as a purchaser. But if truth is stranger than fiction, the story that Congress will effectively figure it out is stranger still.
I don't know how this will all end up. I suspect getting to a perfect story will be hard here, given the intensity of the feelings surrounding cybersecurity. But we can hope, anyway, that when the federal government issues its final rules, whatever story it tells, the government tells at least the same story.
[1] Hahaha! As if.
[2] There are many similar variations on this. These proposed rules certainly kept associates busy at most law firms with government-contracts practices.