Fairfax, Va., January 16, 2025 – The Greg and Camille Baroni Center for Government Contracting at George Mason University today issued a new report analyzing the potential impact of policy changes under consideration by the White House Office of the National Cyber Director (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA) to shift liability for cyber breaches onto the producers of cybersecurity products sold to the federal government.
The report makes clear that the policy initiative would fundamentally alter existing (and ubiquitous) contracting practices governing the allocation of liabilities between buyer and seller by outlawing existing contract terms governing warranties and liabilities. Ultimately, Baroni Center researchers conclude that this approach could lead to a series of negative outcomes, including innovative small businesses and nontraditional contractors leaving the federal marketplace altogether.
“The ONCD/CISA’s efforts to raise the cybersecurity resilience of commercial software products are critically important and commendable,” said Rich Beutel, Senior Fellow of the Baroni Center. “The government can and should incentivize better software engineering and design. However, shifting the liability burden to software producers and developers by outlawing industry-standard contract terms would upend decades of existing contracting practices and could have serious ramifications by fundamentally changing the way the government and software industry do business.”
“The changes under consideration by ONCD/CISA represent a seismic shift in federal acquisition policy,” said Beutel. “Ultimately, it is going to take collaboration between government and industry to ensure the federal software marketplace is more secure and remains robust, competitive, innovative, and welcoming to small businesses and nontraditional contractors.”
The objective of the ONCD/CISA effort is to create “market signals” to the industry to design and deliver safer products by compelling the adoption of “cyber by design” engineering practices.
The report, entitled Creating Market Incentives to Improve Cybersecurity, reviews the three paths the government may take: common law, regulatory, and/or safe harbor models. Each scenario was scrutinized to assess its ramifications for the procurement practices necessary for governmental acquisition and deployment of the state-of-the-art cybersecurity technologies essential to agency missions.
Ultimately, the analysis identified a series of potentially adverse outcomes if industry-standard warranties and damages terms were outlawed in federal contracts.
A Seismic Shift in Federal Acquisition Policy
The potential changes under consideration by ONCD/CISA represent a sea change in federal acquisition. They could prohibit the use of industry-standard warranty and damage-disclaimer contract provisions that have formed the basis of transactional practice for decades. These warranty and damage-cap terms appear in virtually every contract between the government and software producers.
Stifling Innovation and Disincentivizing Small Business Participation
If such changes were implemented, software producers would be unlikely to take on the risks and liabilities required to sell their products to the federal government. As a result, the federal government could lose access to cutting-edge technologies from companies of all sizes and see fewer small businesses and nontraditional contractors participating in the market.
Massive Cost & Disruption to Replace Existing IT Infrastructure
The risks and liabilities for even the largest corporations could be overwhelming and potentially existential. If companies were to pull back from engaging with the federal government, the time and cost to remove their products, re-compete the contracts, and onboard the new contractor and capability would impose a massive drain on agency budgets and manpower.
Setting the Government Up for Failure
The federal government is required by law to "go commercial first." The changes discussed publicly by ONCD/CISA could drive critical government IT infrastructure back "in-house" to government software development teams. Historically, the government has an extremely poor track record of successfully rolling out in-house IT systems, costing American taxpayers billions of dollars.
Shifting Liability Means Sharing the Contracting Burden
The purpose of any ONCD/CISA changes to shift liability and risk onto private sector companies is to create incentives for them to do a better job in writing and quality-assuring their software. While this is a commendable goal, banning current contract terms would require changing virtually every existing contract. The burden on time, personnel, and budgets to update each contract will land on both government agencies and contractors across the federal government.
An Alternate Approach to Improving Market Incentives
To address these adverse outcomes, Baroni Center researchers propose that the incoming Trump Administration adopt an alternative framework for motivating cybersecurity and other software developers/producers to enhance the security of their designs and procedures. Recommendations include:
Leaving Contracting Practices Alone and Instead Modernizing & Reforming Current Tort Law. This could better serve the policy goal of moving industry toward better quality and design practices. Additionally, this approach would create the least disruption to industry and preserve the government’s access to the latest cutting-edge commercial technologies.
Developing Standards of Care Informed by “Secure by Design” Best Practices. The expanded tort-based framework could be reinforced by developing standards for “engineering malpractice” based on emerging “secure by design” best practices. CISA and ONCD should work with NIST and others to codify a program that identifies and articulates evolving “secure by design” engineering practices on an ongoing basis. The two recent CISA Guides provide an excellent starting point, as does the proposed Biden Cybersecurity Executive Order (still pending as of January 13, 2025), which would mandate adherence to a “Cyber Trust Mark” certification (based on the adoption of NIST cybersecurity development standards) and more robust compliance with secure software attestation reporting requirements monitored and enforced by the Federal Acquisition Regulatory Council.
Increasing Training for the Federal Acquisition Workforce. Working with the Chief Information Officer Council and agency Senior Procurement Executives, ONCD and CISA should develop training for agency personnel to incorporate CISA’s Guidelines into agency acquisition tradecraft at the most basic level.
Rewarding Positive Actors in the Marketplace. When the government sees demonstrable adoption and use of Guideline practices, awarding bidders extra credit in the evaluation formulae of major procurements could be effective. This market-based approach (as compared to mandatory regulation) would impose strong competitive pressure on developers to adopt these practices.