Tech and Government: Risk and Rewards Illustrated in Contracting Dispute Over Vulnerability Disclosure Program
Tech companies considering government business must anticipate risks, including from competitors. A forward-looking initiative from the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) has run into traditional federal procurement obstacles, demonstrating the challenges innovators can face in securing government contracts.
Government Has Been Prioritizing Vulnerability Disclosure
Addressing security vulnerabilities in systems, hardware and software is a complex challenge for the public and private sectors. In November of 2019, CISA initiated a process to use its relationships with the private sector and its new authority to compel federal agency activity to address federal security. After public comment, CISA issued a Binding Operational Directive (BOD) requiring civilian agencies to have programs that encourage researchers, cyber experts, and the general public to find and report vulnerabilities in internet-accessible federal systems. As CISA framed its announcements, the push for vulnerability disclosure policies (VDP) government-wide is to serve as a cyber “see something, say something” campaign for federal civilian networks.
VDP and bug-bounty programs are not entirely new to government. The Department of Defense began the “Hack the Pentagon” challenge in 2016, and is now taking comment on a VDP pilot program for the defense industrial base. CISA’s initiative, however, is unique in that it is using its BOD authority under the Federal Information Systems Modernization Act (FISMA) to require civilian agencies to develop and implement enterprise-level VDP policy.
Under the BOD issued in September, CISA is requiring federal agencies to develop a VDP policy that clarifies how discovered vulnerabilities are to be shared with federal agencies; what processes the agency will employ to address reports received from the public; and how those who report vulnerabilities will be assured that the agency is taking steps to remediate the vulnerability. Further, the BOD requires each agency’s policy to:
Clarify the methods of testing that will be allowed under the agency’s program and what systems fall within the scope of the agency’s VDP.
Commit not to recommend or pursue legal action for vulnerabilities that were discovered in a good faith effort to follow the agency’s VDP.
Establish clear handling procedures that will articulate how the agency will track resolution of the reported vulnerability, how the impact of the vulnerability will be evaluated and prioritized for action, and how the agency will communicate with the reporter and other interested stakeholders.
CISA is Offering Shared Cyber Services to Other Agencies
CISA has been implementing guidance issued by the Office of Management and Budget and in April of 2020 was designated as the federal government’s Quality Service Management Office (QSMO) for cybersecurity services. Thus, CISA became one of only a handful of agencies designated with the responsibility to help centralize common services across federal agencies. As the Cyber QSMO, CISA has been working to identify common technology services to meet agency cybersecurity needs, and to assist agencies with the implementation of those services to reduce costs and increase standardization across government networks.
VDP Procurement Has Been Paused By Bid Protest
One of CISA’s first initiatives as the Cyber QSMO was the acquisition of a VDP management platform, which could be offered as a shared service to other federal agencies as they implemented the VDP BOD. In August 2020, the General Services Administration (GSA), with technical support from CISA, issued a solicitation seeking a VDP platform. The solicitation followed a Request for Information (RFI) issued late last year, in which GSA and CISA sought input from industry about a number of considerations, including: (1) whether the government should procure an existing software-as-a-service VDP, design and build a customized VDP solution, or support building a new software-as-a-service solution; (2) what additional functionalities the government should require; and (3) what scalability the government should consider if the platform were to support vulnerability disclosure across all federal civilian executive branch (FCEB) agencies.
The solicitation called on offerors to conduct a live demonstration of existing VDPs, including how the functionality of the platforms meets government specifications. The solicitation advised that evaluation and award would not be based solely on this demonstration, as the agency would also be evaluating offerors’ past performance and proposed price.
The VDP contract was awarded to EnDyna, Inc. earlier this year, but the award has been protested by HackerOne, Inc. This is common for competitive solicitations but can be a surprise to companies that are not regular contractors. Post-award protests often allege that the agency misevaluated proposals—e.g., by straying from or misapplying the evaluation criteria outlined in the solicitation—leading to an unfounded and unreasonable award decision. Although HackerOne’s protest is not publicly available, a HackerOne spokesperson reportedly characterized the protest as seeking to “ensure eligibility requirements . . . are fully met” and to make sure that the vendor selected “can support the work CISA is entrusting them to do.” This suggests that HackerOne will assert familiar bid protest considerations. Bid protests typically move very quickly, so we expect a decision will be issued no later than January 19, 2021.
Takeaways for Tech
Tech companies looking to expand their business in the government marketplace should take note. Cyber companies in particular should look at this and future CISA initiatives. Because CISA is tasked with overseeing so much FISMA and related work across government, contractors working with CISA may have access to a variety of agencies. Future procurements under CISA’s Cyber QSMO program could open the door for tech and cybersecurity providers to gain visibility across federal civilian agencies and set the stage for expanding state work. Industry would do well to pay attention to where CISA is headed. The QSMO is also focused on other shared services like security operations services and protective DNS resolver services. Monitoring RFIs and solicitations issued by GSA and CISA can help companies stay abreast of opportunities, anticipate proposal deadlines, and be competitive in future procurements.
Of course, as the protest of the VDP procurement underscores, it is critical for companies to understand the requirements, evaluation criteria, and instructions to offerors in government solicitations. Attention to these details is key both during the proposal stage, when offerors need to ensure the proposed solution is responsive not only to the agency’s specific needs but also to the specific evaluation criteria, and following award, when an unsuccessful vendor needs to act fast to preserve its rights and potentially challenge an award.
Wiley Rein advises innovators of all sizes about emerging trends in federal IT security, innovation policy, and government contracting requirements. It can take a while to be ready to compete for federal contracts, and companies should evaluate their existing compliance posture and readiness before entering the market. Once in the market, an array of obligations attach to business operations, products and services. If you have questions about the government marketplace and the requirements that attend government contracting, please contact one of us:
Tara L. Ward