Both industry and government officials are expressing concern over a proposed rule that would require every company selling software to federal agencies to provide a “self-attestation letter” declaring that a product adheres to National Institute of Standards and Technology guidance. We previously flagged the proposed rule for having the potential to substantially increase paperwork and overhead. Both government offices and contractors now seem to be paying attention and agree with us, according to a recent article in Bloomberg Government. NASA SEWP Program Manager Joanne Woytek expressed the concerns of some in government, saying that the impetus behind the rule is “admirable”, but that it needs to be made “scalable and doable.” “We’re going to work as best we can,” said Woytek at a recent event, “working with GSA and NIST and others to determine what this policy means and how it might actually operate in a world in which there is not 10 companies but many thousands of companies selling software.” One industry group is pushing for the adoption of a single, standardized form through which attestations can be submitted. GSA does plan to use a Cybersecurity and Infrastructure Security Agency form that it expects to be available before June on GSA’s website.
This underscores a larger problem with which contractors should be concerned: GSA’s seeming disregard for the regulatory process. While the software rule is still technically in the proposed stage, GSA has indicated that it will begin requiring attestation letters in June, potentially moving forward before the rule is finalized or even modified. Other perceived “goods” are also being incorporated into contracts and becoming requirements before a rule is issued or made final. The agency, for example, is performing an end-run around the Greenhouse Gas rulemaking process by making compliance with industry standards a way to earn extra points on the Alliant III contract. Since it can’t require companies to meet a rule that doesn’t currently exist, it is offering a carrot approach instead. This, of course, will mostly benefit larger companies that are already aware of the pending rule and have the infrastructure to support it. Contractors may want to ensure that their internal and external representatives make any concerns about the bypassing of the rulemaking process known to GSA, OMB, and Congress.