Robert Metzger

We urge Congress to establish and fund a National Cyber Hardening and Resilience Program, with three central purposes: hree central purposes: (1) provide significant new funding to accomplish the objectives of Presidential Executive Order (EO) 14028 to move to the cloud, adopt zero trust architecture, and assure software security; (2) provide significant new funding to harden the sixteen critical infrastructure sectors; and (3) establish a Cyber Safety Fund to provide low-interest, potentially… Show more

We urge Congress to establish and fund a National Cyber Hardening and Resilience Program, with three central purposes: hree central purposes: (1) provide significant new funding to accomplish the objectives of Presidential Executive Order (EO) 14028 to move to the cloud, adopt zero trust architecture, and assure software security; (2) provide significant new funding to harden the sixteen critical infrastructure sectors; and (3) establish a Cyber Safety Fund to provide low-interest, potentially forgivable loans to industry, giving preference to small- and medium-sized enterprises to bolster cyber hardening and resilience immediately. Show less

DoD's new cyber rules require defense contractors to self-assess against cyber requirements and report their scores and planned date of full compliance. Soon to come will be "CMMC" which mandates cyber certification as a precondition to eligibility for award. These new initiatives are new sources for claims and disputes.

Suppliers to the Department of Defense now are subject to an Interim Rule that increases security demands and launches the Cybersecurity Maturity Model Certification (CMMC) initiative. This article explores how DoD will respond to industry Comments to the Interim Rule and what to expect from the incoming Biden Administration.

Published just as the nation learned of the "SolarWinds" attack, this article anticipates cyber attacks delivered through the supply chain and warns specifically that hackers may attempt to "trick unsuspecting software developers into doing the work for them, by incorporating hidden code into target applications and environments. We urge formation of a "National Supply Chain Intelligence Center" to better acquire, accumulate, assess and act upon supply chain threat intelligence.

DoD's new cyber Interim Rule e will require 20,000-plus companies to report a self-assessment of
their cyber compliance to the DOD. This article explores how DoD contracting officers will use the self-assessment scores in the supplier risk assessment that is part of contractor responsibility determinations.

DoD's new cyber Interim Rule requires organizations to submit self-assessment scores of their compliance with NIST cyber controls. This creates risks under the False Claims Act which should be recognized and managed.

Cyber has been rising for years in public consciousness. Recent events place us on the brink of a new era where nation-states execute open and attributable cyber attacks targeting homeland infrastructure and the fabric of our electronically enabled society. In such an era, public safety may come to dominate how security professionals address cyber security.

A recent decision of a U.S. District Court allows an action to proceed, under the False Claims Act, where a qui tam "relator" alleges a contractor knowingly misled the government about its cyber security. We examine the background, review the decision, and offer an assessment of issues presented to contractors as well as government officials.

Federal protection of privacy interests is insufficient. Legacy categories of protected information fail to recognize many forms of data and new methods of collection and exploitation that expose individuals to data abuse, misuse or insecure protection. Security is a component of privacy but respect for privacy demands new policies and new laws to better balance corporate interests in data monetization and regard for individual rights and respect for personal choice.

California is following the federal lead to use new acquisition methods to improve access to innovation and accelerate demonstration and deployment of new technologies. This article explores the State's "Innovation Procurement Sprint" initiative and draws parallels to federal experience with "Other Transaction Agreements."

This report that makes recommendations on how the U.S. government and private sector can address growing asymmetric threats like counterfeit parts that pass ordinary inspection but fail operationally and malware that exploits latent vulnerabilities in firmware or software and threaten unintended or unexpected physical results. The report's recommendations will likely require a government-wide approach spanning legislation and regulation, policy and administration, acquisition and oversight… Show more

This report that makes recommendations on how the U.S. government and private sector can address growing asymmetric threats like counterfeit parts that pass ordinary inspection but fail operationally and malware that exploits latent vulnerabilities in firmware or software and threaten unintended or unexpected physical results. The report's recommendations will likely require a government-wide approach spanning legislation and regulation, policy and administration, acquisition and oversight, and programs and technology. Show less

New threats to defense manufacturing require realism and action. This article offers specific recommendations for DoD and the defense industrial base.

The "cyber DFARS" requires both safeguarding of Covered Defense Information and incident reporting after a cyber event. This article examines the importance of incident reporting, how DoD uses reports for damage assessment, and recommends means for contractors to satisfy this important obligation.

This is a short, focuses article looks at the most important issues in interpretation and application of the Pentagon’s cyber security contracting rules

Compliance with the 'Network Penetration' DFARS (and NIST SP 800-171) is due by 12/31/2017. This article looks at key implementation issues and makes recommendations to both government and industry in five areas: Designation (who determines what is CDI?); Scope (does CDI include non-federal information?); Methods (what is permissible use of cloud services); Adoption (how can the DIB and DoD help small business), and Compliance (what is sufficient to demonstrate 'adequate security').

Mark Northrup of IEC and I take on the new microelectronic parts standard, JESD243, and consider its sufficiency in light of August 2016 changes to the DFARS regulations that obligate defense suppliers to have systems to detect and avoid counterfeit electronic parts. We offer insights into where JESD243 could be improved to better assist industry in the effort to mitigate risk of counterfeit electronics.

DoD has made major changes to regulations that obligate defense suppliers to avoid and detect counterfeit electronic parts. This article closely examines the revised rules, focusing on new categories of permitted sources (including "contractor-approved suppliers"), changed demands on traceability, increased emphasis on inspection, testing and authentication, and relaxed rules on allowable costs in the event of a counterfeit part "escape."

Federal initiatives to protect "Covered Defense Information" (CDI) and "Controlled Unclassified Information" (CUI) have focused on the "on-premises" information systems of government contractors. In this White Paper, I advocate recognition of cloud-based "Security as a Service" as superior to premises measures for many defense suppliers and other federal contractors. I contend that better cyber security results will be achieved through cloud-delivered solutions and I recommend specific… Show more

Federal initiatives to protect "Covered Defense Information" (CDI) and "Controlled Unclassified Information" (CUI) have focused on the "on-premises" information systems of government contractors. In this White Paper, I advocate recognition of cloud-based "Security as a Service" as superior to premises measures for many defense suppliers and other federal contractors. I contend that better cyber security results will be achieved through cloud-delivered solutions and I recommend specific measures for the federal government to enable this outcome. Show less

This article focuses on proposed revisions to NIST SP 800-171 that will affect government contractors and other entities entrusted with Controlled Unclassified Information (CUI). If adopted, the revision would require preparation of a System Security Plan and Plan of Action and Milestones (POAM) that a government contracting officer can request to demonstrate the nonfederal orga-nization’s implementation or planned implementation of the CUI safeguarding requirement.s

Increasingly, government and industry rely upon standards and best practices to improve supply chain security. A new standard on counterfeit electronic parts, JESD 243, does little to help organizations who need out-of-production parts to sustain equipment. My article points to gaps in this standard and suggests ways it can be improved.

DoD on Dec. 30 revised the 'Network Penetration' DFARS to postpone the obligation of defense contractors to protect sensitive but unclassified information using the new NIST SP 800-171 safeguards. In this article, I break down the changes to the Rule, consider the reasons explaining the changes, offer recommendations to industry and suggestions for how DoD can further clarify and improve this important rule.

DoD's 'Network Penetration' DFARS requires defense contractors (and their subcontractors) to protect four categories of "covered defense information." This article examines six key implementation issues and offers recommendations for improvements to the rule as well as practical advice to contractors.

More than 5,000 companies offer IT supplies and services off GSA's Federal Supply Schedule 70 (Information Technology Equipment), which accounts for $14 billion in sales annually. Billions more are spent for IT purposes on other FSS Schedules and on GWACS vehicles such as ALLIANT. Many federal agencies, and other eligible purchasers such as state and local governments, rely upon GSA purchasing vehicles for much of their needs for IT equipment, solutions and services. DoD is among if not the… Show more

More than 5,000 companies offer IT supplies and services off GSA's Federal Supply Schedule 70 (Information Technology Equipment), which accounts for $14 billion in sales annually. Billions more are spent for IT purposes on other FSS Schedules and on GWACS vehicles such as ALLIANT. Many federal agencies, and other eligible purchasers such as state and local governments, rely upon GSA purchasing vehicles for much of their needs for IT equipment, solutions and services. DoD is among if not the largest of users of GSA purchasing vehicles. Yet, today, GSA MAS vehicles contain no generally applicable requirements to address cybersecurity or supply chain security. My new article which concludes that there are important national interests to be served to elevating the protection against cyber and supply chain risks in GSA schedule purchases.

There is vast diversity to the base of commercial and specialist companies who sell using GSA purchasing vehicles. Equally true, the purposes for which agencies and other eligible buyers purchase IT off the Schedules is enormously varied. Cyber or supply chain risks are hardly common among such a range and scale of purchases - so a "monolithic" approach to improving security is impossible. My article acknowledges this challenge. I analyze key considerations for GSA as well as for contractors, and offer recommendations on how to develop measures and on strategies that might succeed. Show less

DoD has proposed changes to the Counterfeit Parts DFARS that will apply to small businesses, COTS and commercial suppliers. I've written this article to help affected companies understand what DoD is trying to achieve and how they can be compliant and remain competitive. I also focus on areas where the proposed rule should be improved and on how DoD can assure prospective suppliers of sensible administration and oversight.

GSA spends billions on commercial IT and software. But Commercial Sales Agreements often contain terms and conditions that conflict with federal law. This article looks at recent actions by GSA that resolve fifteen contract terms that regularly frustrated the ability of federal buyers to access commercial sources. The same GSA action, unfortunately, implemented a seemingly technical change - to the Order of Precedence Clause - that will create new tensions.

OMB's proposed Guidance signals new regulatory obligations to better protect the confidentiality of federal "controlled unclassified information" in the hands of private contractors. OMB's new initiative goes further than previous measures. Companies can expect specific contract terms to impose cyber reporting obligations. For more sensitive information, federal agencies likely will perform security assessments and demand continuous threat and event monitoring. Smart companies will… Show more

OMB's proposed Guidance signals new regulatory obligations to better protect the confidentiality of federal "controlled unclassified information" in the hands of private contractors. OMB's new initiative goes further than previous measures. Companies can expect specific contract terms to impose cyber reporting obligations. For more sensitive information, federal agencies likely will perform security assessments and demand continuous threat and event monitoring. Smart companies will self-assess against coming requirements and get ahead of them, rather than risk ineligibility for new awards, competitive disadvantage or non-compliance with contract obligations. Show less

The federal government is working to impose minimum cybersecurity safeguards on the hundreds of thousands of commercial companies who are entrusted with sensitive but unclassified federal information. This article explains the multiple federal initiatives and helps companies prepare for the new requirements. It supersedes and updates earlier works I've authored on this subject area.

The federal government shares sensitive information with contractors, state and local governments and educational institutions. While this information is at risk of attack, nonfederal users entrusted with "controlled federal information" are not now subject to minimum cybersecurity controls. This will change. The federal government will use acquisition methods and contracting tools to elevate cyber protection of its information.

Multiple Award Schedule procurements generated more than $32.7 billion in FY 2014 sales. The GSA's Office of Inspector General, though possessed of limited staff and budget, seeks to enforce compliance with the complex rules that control sales off the federal schedules. In this 2015 article, we focus on the enforcement results from 2014, identify trends, and offer advice to companies on how to conduct self-assessment that will reduce risk of non-compliance.

DoD is determined that its supply chain elevate its cyber assurance and promptly support any cyber incidents. Though not well understood, the rule published in November 2014 on "Unclassified Controlled Technical Information" requires every company in the DoD supply chain to protect sensitive information and to adopt minimum cyber security measures. New guidance explains how DoD intends to apply this important rule. Our article explores the reasons for the rule and how it will impact the… Show more

DoD is determined that its supply chain elevate its cyber assurance and promptly support any cyber incidents. Though not well understood, the rule published in November 2014 on "Unclassified Controlled Technical Information" requires every company in the DoD supply chain to protect sensitive information and to adopt minimum cyber security measures. New guidance explains how DoD intends to apply this important rule. Our article explores the reasons for the rule and how it will impact the defense supply chain. Show less

This article examines key implementation issues in DoD's drive to eliminate counterfeit electronic parts from the defense supply chain. The focus is on how reliance upon industry standards can help resolve compliance questions and aid government in consistent oversight practices.

Proper reporting of counterfeit and suspect counterfeit parts is important. But that does not mean the DOD IG is correct in its view that contractors must make ethics program disclosures to the IG when they detect or suspect a counterfeit.

This article briefly summarizes the new regulations that require systems to detect and avoid counterfeit electronic parts and shows how these rules broadly affect companies at many levels of the aerospace and defense supply chain.

Here, we take some "lessons learned" from failed IT transformation projects and offer ten key recommendations on where to look for risk during the acquisition phase of IT procurements and how to address and manage those risks.

Indiana terminated IBM for default 3 years into a 10-year, $1.4 billion IT modernization project. The Indiana Supreme Court how is to decide whether the default was justified. Mark and I believe the appellate court applied the wrong standard to review whether IBM's performance was satisfactory. it elevated the state's "satisfaction" over all other criteria by which performance was to be measured.

This article shows how GAO can use available authority to take a more rigorous look at what remedies or corrective action to recommend in a protest that is successful on the merits.

In this article, I take a hard look at four of the toughest implementation issues that surround the new DFARS rule on detection and avoidance of counterfeit electronic parts and I offer pragmatic approaches to compliance and oversight.

Some federal buyers are pressing to narrow the definition of "commercial items" that are purchased with reduced cost or pricing disclosure obligations. This column examines the reasons behind the government's concerns and suggests ways to respond that would not frustrate federal access to commercial sources or impose costly new disclosure burdens on suppliers.

Open Magazine (India) asked 10 experts for "radical" ideas on how the next government of India can achieve 10% GDP growth. I proposed ways that India can develop and sustain an indigenous defense industry. India's security requirements are big enough, for sure. But big changes are required for India to become the principal source of its own military equipment.

This article examines the cyber threats posed by counterfeit parts that harbor malicious code and looks at new DoD rules to exclude suspect sources.

This article examines compliance and enforcement trends in GSA Multiple Award Schedule (MAS) contracting. The federal government spends $35 billion annually through these contracting vehicles. Key issues concern the use of schedule contracts for the pricing of services. MAS contractors are exposed to GSA oversight and audit, and should examine their practices to assure compliance.

India needs to grow its civil aviation capabilities. But getting this done given infrastructure constraints is a huge challenge. This article urges a national program to develop and build and advanced regional turboprop civil transport. Such an initiative should welcome foreign design and engineering partners. It will contribute also to India's indigenous aerospace industrial base and to manufacturing jobs.

India faces difficult choices as it seeks to modernize its aviation infrastructure and grow its civil aviation industry. This article surveys the range of challenges that confront India's leadership and companies that seek to participate in the dynamic, difficult multi-billion dollar Indian civil aviation market.

Offsets have become an enormous obligation of the world's leading aerospace and defense firms. This article explores the importance of offsets to securing foreign sales and the attending performance and compliance risks.

A concise assessment of what's included and excluded from the long-awaited proposed DFAR rule on counterfeit parts detection and avoidance.

India's defence acquisition policies and process are now being changed as the Government responds to the revelations and allegations of bribery that surround a VVIP helicopter procurement. This article -- my third for Indian Defence Review -- offers an assessment of what lessons can be learned from the scandal and offers suggestions on how improved anti-corruption efforts will benefit India in its quest for military self-sufficiency and indigeneous defence production.

This article examines closely DoD's recently issued Counterfeit Parts Prevention policy. It is the 4th in a series of articles I've written on supply chain risk management for this Bloomberg publication. I appreciate the restraint of the new DoD policy but express concern that it leaves too much for future decision and implementation.

State and local governments rely on information technology. New and emerging technologies offer great opportunity to save money while improving responsiveness. To reach the best deal between buyer and seller, the award of state and local IT contracts should be achieved through competitive negotiations. This new article helps inform both state buyers and IT vendors of the reasons for use of a negotiation process. By comparing the experience of three states, California, Oregon and New York, it… Show more

State and local governments rely on information technology. New and emerging technologies offer great opportunity to save money while improving responsiveness. To reach the best deal between buyer and seller, the award of state and local IT contracts should be achieved through competitive negotiations. This new article helps inform both state buyers and IT vendors of the reasons for use of a negotiation process. By comparing the experience of three states, California, Oregon and New York, it offers valuable lessons to consider as more states are persuaded to use the competitive negotiations procurement technique. Show less

This article, for India's leading national security journal, takes a granular look at implementation and administration of India's defense offset program. It urges improvements to make the program more businesslike and successful for India's purposes.

This OpEd, published in The Economic Times, urges India to press for collaborative development of aerospace and defense systems with the U.S. Its premise is that India's sizable defense expenditures give it leverage to secure active U.S. cooperation in a joint development project optimized for India's security needs and national economic objectives.

This article continues my series examing legislative and regulatory initiaties to combat the threat of counterfeit parts and improve supply chain security against infiltration of malicious parts. The focus is on the latest Congressional enactments affecting item unique device identification, a qualified "safe harbor" for defense contractors, and reliance upon a domestic industrial base for key systems and networks.

IBM's implementation of an automated welfare system for the State of Indiana proved to be a disaster and provoked exhaustive litigation. Implementation of new IT systems for state governments always are difficult and often prove contentious. This article explores the controversy and offers prophylactic advice to systems integration contractors.

Intended to be a balanced, careful review of the opportunities and challenges for U.S.-India defense industrial cooperation.

This article - Part 2 of a series - explores DoD's "Overarching Guidance" of March 16, 2012 and examines practical measures industry can take now, before issuance of new DFARS and FAR regulations.

Reviewing opportunities presented by India's requirements for defense supplies and services and discussing India's procurement process

This article examines the previous ten years' history of GAO decisions on organizational conflict of interest (OCI).

On December 29, 2010, DoD issued its final rule on organizational conflict of interest (OCI) on major defense acquisition programs. It was a considerable retreat from what had been proposed - but still has powerful implications for systems engineering and technical advisory contractors. This is a thorough analysis

A thorough comparison of the process and methods employed by the GAO and the Court of Federal Claims in resolving contract award controversies

This article examines the Court of Federal Claims decision in Filtration Development Co., LLC v. U.S., in which protester successfully challenged an OCI waiver and use of an "urgent and compelling" exception to "full and fair competition" requirements of CICA

an early appreciation of the implications of IP telephony for the legacy categorical telecommunications regulatory regime, anticipating the decline of the circuit-switched network

This article was a "ground breaking" look at how overly restrictive, risk-averse terms and conditions could operate to frustrate competition and prevent realizing "best value" in state information technology procurement.

an assessment of the importance to the U.S. industrial base of security assistance arrangements and international defense markets

an examination of the security implications of the Soviet Union's intermediate range missiles to the U.S. and Europe