Government Contractors May See Changes in Cybersecurity and IT Procurement

Written by and

On Monday, June 19, 2017, President Trump’s newly established American Technology Council met for the first time at the White House to begin discussions on modernizing government information technology (IT) systems. As President Trump reportedly stated during the meeting, “Our goal is to lead a sweeping transformation of the federal government’s technology that will deliver dramatically better services for citizens.… Government needs to catch up with the technology revolution.” Executives from companies such as Amazon, Apple, Intel, Adobe, Akamai, and Microsoft were in attendance. When asked about how the meeting went overall, Akamai CEO Tom Leighton said, “This was an apolitical event. I think everyone in America, including the major parties, believe it would be helpful for the government to modernize its IT infrastructure. It benefits everyone to help make the government be more secure, and of course, it helps everyone to save money.”

The inaugural American Technology Council meeting came weeks after President Trump issued two Executive Orders focused on modernizing government IT. The first – the Executive Order on the Establishment of the American Technology Council – was issued on May 1, 2017, and as its title suggests, established the council to promote the transformation and modernization of the federal government’s IT and how the government uses and delivers digital services. The second – the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure – was issued on May 11, 2017, and focuses on cybersecurity for federal networks, critical infrastructure, and the nation.

According to the May 11 Executive Order, “The executive branch has for too long accepted antiquated and difficult-to-defend IT,” and as a result, government agency infrastructure has been exposed to vulnerabilities such as unauthorized access and other cyber threats. To combat these threats, the order identifies ways federal agencies might improve cybersecurity risk management policies and maintain a modern, secure, and more resilient Executive Branch IT architecture. Each federal agency head is required under the order to use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology as a guide to managing the agency’s cybersecurity risk. Additionally, agency heads are required to produce management reports that document their strategic, operational, and budgetary considerations for risk mitigation decisions and describe the agency’s plan to implement the Framework. Further, they must “show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services” to develop interagency collaboration.

While it is too early to know how these recent Executive Orders and the American Technology Council’s work will affect government contractors, it is nearly certain to have some impact. Because agency heads must submit their management reports to the Secretary of Homeland Security and the director of the Office of Management and Budget within 90 days of the date of the order, vendors and contractors may want to offer proposed solutions or provide comments to agency heads regarding shared IT services and cybersecurity risk management.

If the Executive Branch eventually seeks to procure upgraded systems or requires federal agencies to integrate the purchase of IT services or products, contractors could expect to see an increase in IT procurements and changes in how these types of procurements are administered. For example, contractors may be required to develop cloud services that operate seamlessly across multiple agencies. Additionally, as the modernization process moves forward, government contractors should anticipate the possibility that current rules pertaining to government protection of sensitive data (such as the NARA CUI Rule and the DOD Cybersecurity Requirements) might also be amended or updated. Finally, contractors should review the 2017 proposed updates to the NIST Framework for a preview of what the Trump Administration will have agencies utilize to improve cybersecurity risk management. Newly proposed additions to the Framework address issues such as supply chain management and cybersecurity measurement.