Cybersecurity Has Become a Competitive Discriminator in Contract Awards

By Eric Noonan • February 12, 2018

As the mandate to achieve compliance with the National Institute of Standards and Technology (NIST) SP 800-171 Rev. 1 went into effect on December 31, 2017, many DoD contractors wondered how compliance, or the lack of it, would affect their competitiveness in winning new contracts. We covered this topic in a blog post titled “Understanding NIST 800-171 Impact on Acquisition”, located here:

http://www.cybersheath.com/understanding-nist-800-171-impact-acquisition/

More recently, the U.S. Government Accountability Office (GAO) has provided an example of how compliance with both mandatory and non-mandatory cybersecurity requirements can be a discriminator in evaluation for awarding contracts.

The GAO denied a protest filed by IPKeys Technologies, LLC (IPKeys), B-414890; B-414890.2, on October 4, 2017. The Defense Information Systems Agency (DISA) had given the awardee a higher score than the protestor, IPKeys, on an evaluation factor specific to cybersecurity. The GAO’s decision serves as a clear example of how seriously prime contractors and subcontractors need to treat cybersecurity requirements in order to stay competitive.

In the IPKeys decision, the Defense Information Systems Agency (DISA) issued a Request for Proposal (RFP) for the “provision of engineering, transition, implementation, sustainment, and cybersecurity monitoring support services for DISA’s Global Video Service (GVS),” which is used by DoD and other government departments and agencies for unclassified and classified videoconferencing services. The RFP required that offerors demonstrate their ability to provide engineering support related to cybersecurity issues with DISA’s GVS (Subfactor 2). Although the awardee’s costs were higher than the protestor’s, it was awarded the contract under a best value determination because the awardee received a higher rating on two subfactors, one of which related to cybersecurity (Subfactor 2). The awardee proposed to utilize both the Risk Management Framework (RMF) (“RMF Framework”) and the NIST Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), which DISA evaluated as more valuable than merely meeting the requirements of the RMF Framework. DISA determined that the two standards were distinct and complementary, even though the Cybersecurity Framework was not a requirement of the proposal.

In detailing why it agreed with DISA’s evaluation, the GAO’s decision demonstrated a clear preference for a comprehensive cybersecurity solution over check-the-box compliance. “NIST SP 800-37 details the NIST RMF, which is a six-step process that provides a method of coordinating the inter-related Federal Information Security Management Act of 2002 (FISMA) standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security.” The Cybersecurity “Framework is designed to complement existing business and cybersecurity operations.” Specifically, the “framework core” provides a set of activities to achieve cybersecurity outcomes for managing cybersecurity risk, broadly divided into five functions: identify, protect, detect, respond, and recover. The framework core, with its functions and their constituent categories and subcategories, “is not a checklist of actions to perform.” Additionally, the RMF Framework is directed at federal agencies, for which compliance is mandatory. The Cybersecurity Framework, on the other hand, is voluntary and targeted at the private sector. This distinction is important: said another way, compliance with the RMF Framework was a requirement of the RFP, while compliance with the Cybersecurity Framework was not. DISA determined that compliance with both the mandatory requirements and the non-mandatory requirements merited a higher evaluation score.

We can expect to see more contract award decisions that treat cybersecurity as a critical factor for award. Specific to NIST 800-171 Rev. 1, it is not likely that simply having a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) will be considered comprehensive. The controls must actually be implemented, and even doing that only meets the mandatory requirements; will that be enough?

Cybersecurity has become a competitive discriminator in contract awards; decisions are already being made, in part, based on compliance with both mandatory and non-mandatory requirements.

Don’t wait any longer: act now and build a comprehensive solution to the growing list of cybersecurity compliance requirements. Contact CyberSheath at sales@cybersheath.com for immediate assistance.
