As the mandate to achieve compliance with The National Institute of Standards and Technology (NIST) SP 800-171 Rev. 1 went into effect December 31, 2017, many DOD contractors wondered how compliance, or lack thereof, will impact competitiveness in winning new contracts.
More recently, the U.S. Government Accountability Office (GAO) has provided an example of how compliance with both mandatory and non-mandatory cybersecurity requirements can be a discriminator in evaluation for awarding contracts.
The GAO denied a protest made by IPKeys Technologies, LLC (IPKeys), B-414890; B-414890.2 on October 4, 2017. The awardee was given a higher score by the Defense Information Systems Agency (DISA) for an evaluation factor specific to cybersecurity than the protestor, IPKeys was given. The GAO’s decision serves as a clear example of how seriously prime and subcontractors need to be treating cybersecurity requirements to stay competitive.
In the IPKeys decision, the Defense Information Systems Agency (DISA) issued a Request for Proposal (RFP) for the “provision of engineering, transition, implementation, sustainment, and cybersecurity monitoring support services for DISA’s Global Video Service (GVS),” used by DOD and other government departments and agencies for unclassified and classified videoconferencing services. The RFP required that offerors demonstrate their ability to provide engineering support related to cybersecurity issues with DISA’s GVS (Subfactor 2). Although the awardee’s costs were higher than the protestor, it was awarded the contract under a best value determination because the awardee was given a higher rating for two subfactors, one of which related to cybersecurity (Subfactor 2). The awardee proposed to utilize both the Risk Management Framework (RMF) (“RMF Framework”) and the NIST Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), which DISA evaluated as being more valuable than just meeting the requirements of the RMF Framework. DISA determined that the two standards were distinct and complementary despite the Cybersecurity Framework not being a requirement of the proposal.
In detailing why, it agreed with DISA’s evaluation, the GAO’s decision demonstrated a clear preference for a comprehensive cybersecurity solution and not check the box compliance. “NIST SP 800-37 details the NIST RMF, which is a six-step process that provides a method of coordinating the inter-related Federal Information Security Management Act of 2002 (FISMA) standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security.” The Cybersecurity “Framework is designed to complement existing business and cybersecurity operations.” Specifically, the “framework core” provides a set of activities to achieve cybersecurity outcomes to manage cybersecurity risks that are broadly divided into five functions: identify, protect, detect, respond, and recover. The framework core, and its functions and their constituent categories and subcategories, “is not a checklist of actions to perform.” Additionally, the RMF Framework is directed towards agencies and compliance is mandatory for the agencies. On the other hand, the Cybersecurity Framework is voluntary and targeted to the private sector. This distinction is important, said another way, compliance with the RMF Framework was a requirement of the RFP, compliance with the Cybersecurity Framework was not a requirement. DISA determined that compliance with both the mandatory requirements and the non-mandatory requirements merited a higher evaluation score.
We can expect to see more contract award decisions that treat cybersecurity as a critical factor for award. Specific to NIST 800-171 Rev. 1, it’s not likely that simply having a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) will be considered comprehensive. The controls must actually be implemented and even doing that is just meeting the mandatory requirements, will that be enough?
Cybersecurity has become a competitive discriminator in contract awards, decisions are already being made, in part, based on compliance with mandatory requirements and non-mandatory requirements.