The General Services Administration is seeking industry input as it develops standard contract language to ensure cybersecurity measures are taken in federal procurements.
GSA and the Defense Department are required by an executive order to provide recommendations for standardizing cybersecurity contract requirements by June.
In a request for information issued last week, GSA posed nearly 40 questions to industry, including:
* What policies, practices, or acquisition processes should change in order to achieve cybersecurity in federal acquisitions?
* How does industry handle and address cybersecurity incidents that occur in procurements? Do they aggregate this information for future use and how do they use it?
* How does contract type and source selection method — such as lowest price technically acceptable (LPTA) — affect how industry determines cybersecurity risk in federal acquisitions?
* What are the implications of imposing a set of cybersecurity baseline standards for industry to follow and adopting an associated accreditation program to verify they meet those standards?
Industry responses must be submitted by June 12.
“The RFI is an important first step to a public-private partnership that will help secure our nation’s infrastructure,” GSA Acting Administrator Dan Tangherlini said in a statement.
President Obama’s executive order requires agencies to share more classified and unclassified cyber threat information with companies that operate systems critical to the nation, such as electric grids and water treatment facilities. It also calls for the creation of security standards those companies could voluntarily adopt to protect their systems from cyber attacks. However, the administration is seeking answers from industry on the ramifications of making baseline security standards a requirement for all federal contractors.