The federal contracting process is often a quagmire. But when it comes to cybersecurity — a space where the technology advances daily and the adversary adapts even faster — time is of the essence.
To find out how agencies are addressing this problem, Sen. Tom Carper, D-Del., ranking member of the Senate Homeland Security and Governmental Affairs Committee, drafted a letter to Office of Management and Budget Director Shaun Donovan asking specific questions about the acquisition process and the government's ability to work around roadblocks.
"As you well know, federal agencies are under a constant yet evolving threat from cyber attackers. From what I understand, however, flaws in the federal acquisition process can limit the tools agency network defenders can obtain," Carper wrote.
The senator said he recently held discussions with small businesses in the cybersecurity sector who stressed the importance of having the latest tools and cutting through the bureaucratic process to implement them in a timely manner.
Some options do exist, he noted, though he asked for clarification on exactly where and how agencies are taking advantage of those options.
Carper pointed to a number of ongoing initiatives meant to spur acquisition of new cybersecurity tools, including the General Services Administration's move to lift the two-year performance rule for young companies with innovative technologies and the Continuous Diagnostics and Mitigation (CDM) program managed by GSA and Homeland Security.
"CDM is starting to deliver tools and services to agencies but because of the complexity of the contracting process, it may not be able to offer new tools fast enough to keep up with the threat," Carper wrote.
He also noted that Congress gave agencies the ability to use "other transaction authority" to circumvent some of the more obstructionist contracting regulations. This has been used by DHS's Silicon Valley Office Innovation Program to find new tech in areas like securing the Internet of Things.
However, Carper cited a recent Government Accountability Office report finding that most agency contracting shops aren't using this authority, often because "agency implementation rules … may be too burdensome."
Carper sent Donovan a list of seven questions and asked for a response within 30 days.
1. What are agencies doing to acquire innovative cyber solutions developed by start-ups and other companies that have not traditionally done business with the government? How successful have agencies been in doing so? Are any agencies piloting innovative procurement processes for rapid acquisition of cybersecurity tools?
2. What action has OMB taken, or is planning to take, to guide agencies in the rapid procurement of new and emerging cybersecurity tools?
a. In particular, what will OMB do to promote the appropriate use of the […] acquisition tools listed above to acquire cybersecurity products and services?
b. How will each of these efforts need to be updated or addressed to better accommodate the quick purchase of such tools?
c. Are there any other avenues agencies can use to access new commercial cyber tools in a rapid manner?
d. Has OMB assessed the challenges start-ups face in doing business with the government? If so, what will OMB do to address these challenges?
e. How is OMB ensuring that contracting officers at agencies are knowledgeable and comfortable with the use of the […] acquisition tools discussed above, as well as any other ways of rapidly acquiring cyber tools, in an appropriate way?
f. What is OMB doing to ensure that best practices in this area of acquisition are being shared between defense, intelligence and civilian agencies?
3. When and how should Part 6.3 of the Federal Acquisition Regulation be applied in the acquisition of cybersecurity products?
4. Venture capital firms play an important role in bringing new and innovative cybersecurity tools to market. To what extent should venture capital firms be encouraged to pursue channels like Schedule 70 contracts from GSA to enable the firms to offer products and services of the companies they represent? How would the Schedule 70 program need to change to better accommodate the start-up nature of venture capital firms and the companies they support?
5. How can new and emerging products and services be considered and integrated into the CDM program?
6. The Chief Information Officers Council and the Chief Acquisition Officers Council are the primary bodies of the federal government where agencies collaborate and share best practices on information technology management and procurement activities. How will OMB work with these bodies to find solutions that facilitate the rapid acquisition of cybersecurity solutions?
7. Many agencies, including the research and development arms of the Department of Defense and the Department of Homeland Security, play important roles in fostering cybersecurity innovation and bringing new tools into government. What are OMB and other agencies doing to promote research and development efforts related to the acquisition of new cybersecurity tools and services to industry and the federal government? How are agency cyber research and development efforts coordinated?