Services contractors are dealing with a lot of new federal mandates
From zero trust roadmaps to carbon reduction, federal agencies are moving under a lot of agendas. They all end up being contractors’ concerns, too. To get some details on those agendas, the Federal Drive with Tom Temin spoke with Stephanie Kostro, executive vice president for policy at the Professional Services Council.
Tom Temin: Let’s start with the carbon reduction mandate executive order. I talked to the construction industry association about this. And of course, there you have an industry that really consumes a lot of energy and moving steel and concrete and glass around and digging holes with big machinery. In the professional services, the contractors are going to be affected by the same rule. But what does software coding or a management consulting firm do about carbon here? What’s your industry’s take on all of this?
Stephanie Kostro: Thanks for having me, Tom. And this is a great topic; a lot of time and energy has been spent by the White House and in fact, international bodies talking about climate change and greenhouse gas emissions and the like. And it’s worth a few seconds just to familiarize your audience with what this proposed rule does. It was released on November 14, but it is really about disclosing greenhouse gas emissions and climate related financial risks for government contractors. And it really imposes a lot of disclosure requirements on you mentioned the building industry, but products producers as well as services contractors. It’s interesting from our perspective, because they slice and dice this a lot of different ways. The first way they differentiate companies is determining whether you’re a major contractor or a significant contractor. Now, that might be splitting hairs to some folks. But as defined in the proposed rule, major contractors have at least $50 million in the prior fiscal year in government contracts. And they have to report three different scopes of emissions. One is ones that they actually own and control, so their greenhouse gas emissions from their actual business. The second scope is all those emissions associated with the generation of electricity, utilities, heating and cooling or steam that they use to do what it is that they do. And scope three is really the most difficult one, which is those in their supply chain. And so when you’re looking at it from a professional services perspective, we may have low scope one: greenhouse gases that we ourselves are producing. But the heating and cooling of mainframes, you mentioned IT, and cyber type stuff, software, that kind of stuff is going to be significant. And the scope three is really again, going to be difficult. What do your downstream providers have within their emissions basket? And that’s going to be a challenge.
Tom Temin: Yeah, that gets to be really strange when you think about it. Suppose I’m doing SecDevOps for a military agency. And I buy, I don’t know, Red Hat software tools to help me. I mean, I have to know Red Hats’. And then Red Hat has to know its suppliers. And it gets, I don’t know, it just doesn’t seem like it’s something that is practical to come up with realistic numbers.
Stephanie Kostro: U.S. suppliers, and then also your foreign suppliers, where they may not track the same kinds of omissions, etc, that other U.S. companies might do. But also highlight that they’ve created a new category of contractors called significant contractors. And those are the folks who have at least $7.5 — but the less than $50 — million in annual contracts with the U.S. government. They don’t have to look into their supply chain as deeply, they just have to report on scope one, scope two. This is expensive. And all of this has to happen within a year. And this I think is going to be a challenge. Because companies don’t have record keeping in this way. They have to find someone who can help them create a regime, they have to employ it, and then they have to report on it. A year is a very aggressive timeline for this.
Tom Temin: And so will the council be issuing a comment?
Stephanie Kostro: The proposed rule was released on November 14. And so what we’re talking about here is the proposed rule that would implement the executive order. And so the comments are due on January 13. And we are going to go ahead as the Professional Services Council and submit comments on this rule.
Tom Temin: Will you generally say “kill it?” Or modify it in some way?
Stephanie Kostro: So we are politically aware, and I don’t think killing it is an option for us. But we will have suggestions. They had put out an advanced notice of proposed rulemaking on something similar about a year ago and we had fulsome comments on that, what we call an ANPR, the advanced notice of proposed rulemaking. They did take some of our comments about using existing regimes, etc. Like the greenhouse gas protocol, etc. But I would say we have some robust commentary to provide on this proposal as well.
Tom Temin: We’re speaking with Stephanie Kostro, executive vice president for policy at the Professional Services Council. And then there is the DoD zero trust strategy which DoD has imposed on itself. I think by 2027, everything will be zero trust, but that’s got to somehow translate back to what they want from contractors.
Stephanie Kostro: I used the phrase “to slice and dice” earlier about how how we have three different scopes for two different kinds of contractors for the the climate change and the greenhouse gas emissions rule. This one is sliced and diced in so many more ways. They talk about seven different pillars, they talk about 45 key capabilities, etc, they talk about target zero trust, and then advanced zero trust. It is a lot to wade through. Not only did they release their strategy, but they also released a roadmap, which, if I could suggest to your listeners that perhaps they go ahead and access the Pentagon CIO’s website and look at it, it is very detailed about the kinds of capabilities that they’re going to require here before FY27. and beyond. That said, I’m a little leery on the resourcing of this. And when you’re asking contractors to do something like zero trust and have lots of different authentication requirements, etc, there has to be funding associated with this. And I’m looking forward to seeing the President’s FY24 budget request, because I really need to see if they’re going to put their money where their mouth is.
Tom Temin: Because there is a governmentwide zero trust executive order. And that’s famously been out now for almost a couple of years. So I don’t know whether there’s funding for federal agencies on the civilian side to do that. Some of them have, I guess, gotten [Technology Modernization Fund] money to modernize and thereby get towards zero trust.
Stephanie Kostro: Yeah, I think if you look at zero trust, it does fit into the five cybersecurity functions which are identify, protect, detect, respond and recover. Zero trust is really the front end of that in terms of making sure that those who can enter your system are in fact trusted. What I find interesting about this strategy is that they start out with four strategic goals. Again, I said before that they slice and dice, they’ve got five pieces of cybersecurity, but four strategic goals here. But the first one is cultural adaptation. Not everyone accepts zero trust as a principle. And I think that’s always going to be the long pole in the tent. And to be honest, in the strategy, they had very few references to contractors, and contractors are going to play a key role in in implementing this. And they have as one of their strategic goals, zero trust enablement. And that’s sort of where I think contractors come to play and tech acceleration. Again, it’s going to cost something and we’re waiting to see how that might be reflected in the President’s budget request.
Tom Temin: And related to that, there is a White House cybersecurity apprenticeship sprint, and there was a DoD memo recently on that, to lessen the restrictive labor category requirements. What’s your take on this?
Stephanie Kostro: Yeah, there is 120-day sprint led by the White House with the departments of Labor, Commerce and likely others about registered apprenticeship programs for cybersecurity. They’ve created a lot of new apprenticeship programs. The DoD’s piece of this was they again on November 14 released a memo saying they’d like to expand the workforce in cybersecurity by eliminating barriers. There’s been a long-voiced concern among industry that some of the requirements in solicitations coming from the Department of Defense, specify educational requirements, and you’re really looking for that unicorn who is 22 years old with a four year degree and 20 years of experience, and they just don’t exist. And so they’re looking at apprenticeship programs, and thinking through what that might entail. Again, I come back to a resource question here is because the memo tells contracting officers or program officers to go ahead and reach out to their contracting partners so that contracting partners can develop apprenticeship programs. Those are obviously going to cost money. Where’s that money going to come from? And is there going to be an actual acknowledgement within the Department of Defense that having a cybersecurity certification could be the requirement versus a four year degree and X number of years of experience