Often, vendor advocates speak out against overly specific regulations that put additional requirements on federal contractors. However, when it comes to cybersecurity, the Professional Services Council believes new guidance from the Office of Management and Budget doesn't go far enough.
In a recent letter to OMB, PSC leadership decried the agency's memo on Improving Cybersecurity Protections in Federal Acquisitions as being too lenient to provide good security and too open-ended to be properly interpreted by agencies and companies vying for federal contracts.
PSC docked the guidance for only offering "generalized statements" on how cybersecurity should be written into contract documents, while also providing "explicit authority for agencies to deviate from it almost at will."
Specifically, the letter cites the section on security controls, which instructs agencies to adhere to standards published by the National Institute of Standards and Technology for managing controlled information on non-federal networks. However, the OMB guidance allows agencies to deviate from those standards as they see fit.
"This is exactly the interpretive, decentralized behavior that has produced the current state of network security vulnerabilities," the letter reads.
The Council suggested OMB either revise the document to provide a "consistent, unified approach for agencies" or pull back the guidance entirely and instead focus on revising standards in the Federal Acquisition Regulation.