President Donald Trump on Monday celebrated a new executive order designed to eliminate regulations on small businesses. But a series of new acquisition rules proposed weeks ago by the Department of Homeland Security (DHS) have Federal contracting experts worried about future governmentwide disruptions and a decrease in competition.
DHS’s Office of the Chief Procurement Officer on Jan. 18 issued three proposed rules that would require privacy training and security awareness training for contractors, and would add five new categories of Controlled Unclassified Information (CUI)—unclassified information that is still sensitive—that contractors will need to secure and manage.
DHS’s proposed regulations are troubling to some Federal contracting experts because they disrupt the governmentwide standards that took years to set up, and may impose costs on small businesses that make it impossible for them to compete for DHS contracts.
Alan Chvotkin, executive vice president and counsel for the Professional Services Council (PSC), said the new CUI categories “don’t square” with the governmentwide rule that took six years to create.
“It’s concerning to me that we’re creating additional acquisition regulations and not using the NARA rule,” said Chvotkin, referring to the six-year effort by the National Archives and Records Administration to create uniform CUI standards. Those standards went into effect last year.
“PSC would prefer one governmentwide standard,” Chvotkin said. “I’m very concerned about agencies taking an individual approach or creating additional requirements because it gets difficult, expensive, and risky for companies to manage these on a contract-by-contract basis. It’s certainly a diversion. It may be an inappropriate and unnecessary diversion.”
The NARA standards established a universe of terms, or categories, for discussing CUI that all Federal agencies could use. DHS’s proposed CUI rule introduces five new categories: Homeland Security Agreement Information, Homeland Security Enforcement Information, Operations Security Information, Personnel Security Information, and Sensitive Personally Identifiable Information.
Larry Allen, president of Allen Federal Business Partners, also said he was concerned about the CUI rule because it would force contractors to navigate a maze of rules that apply to both the Federal government and DHS.
Allen also said that the proposed rule will decrease competition among commercial companies, because abiding by these new measures will probably cost about $1 million per company. As a result, small businesses will be less inclined to engage in contracting, and fewer large companies will want to participate in contracts, he said.
“It’s not sending a strong message to small IT contractors. Small businesses are emotional discussions with emotionally charged outcomes that may or may not make business sense,” Allen said. “It’s a good way to narrow the field.”
Security & Privacy Training Requirements
Allen said that the proposed training rules were a good idea, but should not apply only to contractors. He said that internal employees are just as responsible for mishandling of government information as Federal contractors, and that these internal people should be held to the same standards.
“If you’re going to penalize people for not handling private information properly, what are you going to do for the Federal employee who is not paying attention?” Allen said. “The Federal counterpart may not have the training. If we’re serious about this, and we should be, there should be similar rules and consequences regardless of the color of your badge.”
DHS’s second and third rules focus on the type of training a contractor must complete. According to the proposed rule on IT security awareness training:
- IT security awareness training and rules of behavior (RoB) protocol will become part of the Homeland Security Acquisition Regulation (HSAR), creating a standard for the entire agency.
- The training sessions and RoB will be accessible on a public website.
- Employees must sign RoB before gaining access to information systems. Contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.
- All contractor employees who will either access DHS information systems or contractor-owned information systems capable of collecting, processing, storing, or transmitting CUI must complete the training.
- “This approach ensures all applicable DHS contractors and subcontractors are subject to the same IT security awareness training and RoB requirements while removing the need for government intervention to provide access to the IT security awareness training and RoB,” the document says.
DHS’s proposed rule on privacy training is similar to the rule on IT security awareness training. According to the proposed rule on privacy training:
- Privacy training requirements will be included in the HSAR.
- The training will be accessible on a public website.
- All contractor employees who will have access to a Federal system of records, handle Personally Identifiable Information (PII) or Sensitive Personally Identifiable Information (SPII), or operate a system of records on behalf of the Federal government must complete this training.
The proposal says that all three of the rules are an attempt to bolster information security measures as a response to data breaches across the Federal government. The CUI rule stems from an initiative within DHS to ensure contractors understand their responsibilities protecting CUI and complete IT security training before accessing DHS information systems, according to the document.
Chvotkin said the blanket guidelines dictate that agencies can establish their own training program or allow contractors to use their own training materials. DHS’s proposed rules say the only alternative is DHS-specified training. The proposal also states “this training is completed upon award of the procurement and at least annually thereafter.”
Chvotkin pointed out that there is no separation between the training deadline and the date the contract is granted. While he stated he has no problem with the training mandate, he said PSC will review the proposal to make sure contractors have enough time to complete the training.
“Obviously, it’s adding another layer of complexity, and possibly a burden, on contractors. Any change like this could have an impact,” said Mike Hettinger, principal of Hettinger Strategy Group. “Contractors need to be aware of it. The agency is pushing forward some of the responsibility on contractors.”
He said the added “layer of complexity” could slow some contracts down. However, Hettinger also said he is not ruling out the possibility of an executive order that clarifies the proposed regulations, because some presidents have made a “cyber sprint” addressing such issues in their first 100 days.
A spokesperson from DHS declined to comment on the proposed rules because the agency did not “want to fall into a trap of speculating when it’s still in the proposed phase.” Contractors, on the other hand, are engaging in speculation, Allen said. While he acknowledged that contractors do not know what the final rule will look like, they will “put it on their playing board” and keep checking on it.
Contractors have until March 20 to submit their comments on the rules to DHS in writing. Allen stated that DHS will probably receive a substantial number of industry comments, and will take more than a year to vet those comments.
Hettinger said that Federal agencies have created more regulations and have been more attentive to compliance efforts since the Office of Personnel Management was breached in June 2015. DHS joins a group of agencies that have issued new clauses and amendments to the Federal Acquisition Regulation, including the Department of Defense, the General Services Administration, and NASA.
“To great irony, there is a DoD acquisition panel to look at why commercial companies won’t work with DoD with the hypothesis that these rules keep commercial companies away,” Allen said. “While DHS is putting this out, DoD is looking at taking down barriers to entry.”