Cybersecurity Has Become a Competitive Discriminator in Contract Awards

By Eric Noonan • February 12, 2018

As the mandate to achieve compliance with The National Institute of Standards and Technology (NIST) SP 800-171 Rev. 1 went into effect December 31, 2017, many DoD contractors wondered how compliance, or lack thereof, will impact competitiveness in winning new contracts. We covered this topic in a blog post titled “Understanding NIST 800-171 Impact on Acquisition”, located here:

http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/

More recently, the U.S. Government Accountability Office (GAO) has provided an example of how compliance with both mandatory and non-mandatory cybersecurity requirements can be a discriminator in evaluation for awarding contracts.

The GAO denied a protest made by IPKeys Technologies, LLC (IPKeys), B-414890; B-414890.2 on October 4, 2017. The awardee was given a higher score by the Defense Information Systems Agency (DISA) for an evaluation factor specific to cybersecurity than the protestor, IPKeys was given. The GAO’s decision serves as a clear example of how seriously prime and subcontractors need to be treating cybersecurity requirements to stay competitive.

In the IPKeys decision, the Defense Information Systems Agency (DISA) issued a Request for Proposal (RFP) for the “provision of engineering, transition, implementation, sustainment, and cybersecurity monitoring support services for DISA’s Global Video Service (GVS),” used by DoD and other government departments and agencies for unclassified and classified videoconferencing services. The RFP required that offerors demonstrate their ability to provide engineering support related to cybersecurity issues with DISA’s GVS (Subfactor 2). Although the awardee’s costs were higher than the protestor, it was awarded the contract under a best value determination because the awardee was given a higher rating for two subfactors, one of which related to cybersecurity (Subfactor 2). The awardee proposed to utilize both the Risk Management Framework (RMF) (“RMF Framework”) and the NIST Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), which DISA evaluated as being more valuable than just meeting the requirements of the RMF Framework. DISA determined that the two standards were distinct and complementary despite the Cybersecurity Framework not being a requirement of the proposal.

In detailing why, it agreed with DISA’s evaluation, the GAO’s decision demonstrated a clear preference for a comprehensive cybersecurity solution and not check the box compliance. “NIST SP 800-37 details the NIST RMF, which is a six-step process that provides a method of coordinating the inter-related Federal Information Security Management Act of 2002 (FISMA) standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security.” The Cybersecurity “Framework is designed to complement existing business and cybersecurity operations.” Specifically, the “framework core” provides a set of activities to achieve cybersecurity outcomes to manage cybersecurity risks that are broadly divided into five functions: identify, protect, detect, respond, and recover.  The framework core, and its functions and their constituent categories and subcategories, “is not a checklist of actions to perform.” Additionally, the RMF Framework is directed towards agencies and compliance is mandatory for the agencies. On the other hand, the Cybersecurity Framework is voluntary and targeted to the private sector. This distinction is important, said another way, compliance with the RMF Framework was a requirement of the RFP, compliance with the Cybersecurity Framework was not a requirement. DISA determined that compliance with both the mandatory requirements and the non-mandatory requirements merited a higher evaluation score.

We can expect to see more contract award decisions that treat cybersecurity as a critical factor for award. Specific to NIST 800-171 Rev. 1, it’s not likely that simply having a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) will be considered comprehensive. The controls must actually be implemented and even doing that is just meeting the mandatory requirements, will that be enough?

Cybersecurity has become a competitive discriminator in contract awards, decisions are already being made, in part, based on compliance with mandatory requirements and non-mandatory requirements.

Don’t wait any longer, act now and build a comprehensive solution to the growing list cybersecurity compliance requirements. Contact CyberSheath at sales@cybersheath.com for immediate assistance.

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO