I. Introduction
Picture a smaller-to-midsize American business that frequently contracts with the U.S. federal government. Over the past few years, its lawyers have warned it, with increasing concern, to comply with the federal government’s complex, constantly changing cybersecurity requirements for government contractors. Many of these requirements are promulgated by the executive branch. This smaller-to-midsize business is not the only one trying to figure out these requirements. For example, an estimated 200,000-plus companies in the defense industrial base will be affected by a recent Department of Defense (DoD) cybersecurity regulatory framework.
With cyberattacks now costing companies as much as several hundred thousand dollars per year, this smaller-to-midsize business appreciates the value of having robust cybersecurity protections. Nevertheless, it is arguably burdensome for it and its peers to comply with the executive branch’s many, and constantly changing, requirements.
First, the direction of these regulations changes frequently. To give one example, the initial iteration of the DoD’s flagship Cybersecurity Maturity Model Certification (CMMC) would have required small-to-midsize organizations to obtain costly third-party certification for cybersecurity compliance—causing anxiety among contractors. However, the second iteration, which came out a year later, did an about-face and dispensed with that requirement. In the meantime, some businesses had made “expensive investments” to prepare to comply with the earlier version of CMMC, only to be “burned” when DoD later changed direction.
Additionally, this business’s customer agencies (e.g., DoD, Department of Homeland Security, NASA, Department of Veterans Affairs, etc.) have numerous rules that are “very difficult for contractors to follow,” and the federal government has generally struggled with cybersecurity regulatory harmonization going back at least a decade. To give a recent illustration, an ongoing FAR case is still (as of this writing) trying to resolve inconsistencies in cybersecurity requirements for contractors who work on unclassified Federal Information Systems. These requirements vary from agency to agency.
Furthermore, complying with these rules can be costly, and businesses are uncertain whether they can afford to comply. Compliance costs for CMMC, for example, could range from $4,000 to $21.1 million depending on a business’s size and the applicable CMMC tiered “level” of compliance required for “the type and sensitivity of the information” the business handles.
It also does not help that these rules are, as described by commentators, “complex,” “esoteric,” “an intricate web,” “difficult . . . to navigate,” “assum[ing] an unrealistic level of cybersecurity sophistication across all contractors,” and subject to “inconsistent implementation.” The government continues to face calls to make compliance easier for small businesses. To be sure, the executive branch has commendably endeavored to listen to businesses’ concerns. As indicated above, for example, DoD relieved smaller contractors of the need to obtain third-party certification for CMMC in response to feedback. However, the ability of smaller businesses to comply is far from certain, and the regulatory environment remains arguably difficult and unwelcoming for many businesses.
Furthermore, contractors may question whether this level of executive branch rulemaking adheres to the constitutional promise the federal government has made with its people: to retain a separation of powers. Many legal experts—including powerful ones, such as U.S. Supreme Court Justice Neil Gorsuch—would argue that Congress should have the fundamental responsibility for setting the nation’s “controlling general policy” and for responding to “major questions” within its policy purview. These thinkers would argue this is what our Constitution requires. Right now, however, agencies make numerous policy choices on what members of the public must do, cybersecurity-wise, in order to contract with the world’s largest purchaser. To be sure, “policing the separation of powers ‘is a subject of delicate and difficult inquiry.’” Yet, on some significant level, the expansive role of agencies in setting cybersecurity policy seems generally amiss for the proper role of the executive branch, which is tasked with “tak[ing] [c]are that the Laws be faithfully executed.”
Of course, the federal government cannot sit back and do nothing about the quickly evolving cybersecurity threats in government contracting. The federal government and its contractors are facing cyber threats like never before. This includes, for example, the SolarWinds cybersecurity breach in 2019–2020—where Russian state actors succeeded in using compromised software distributed to nearly 18,000 customers to penetrate approximately a dozen government agencies and conduct espionage against the federal government. The result was “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government.”
However, this Note perceives, and seeks to address, a gap in the literature. Other authors, including those writing in this Journal, have provided wise recommendations for how executive branch agencies could better address competing government contracts-cybersecurity (GovCon-Cyber) priorities. Nevertheless, the author of this Note thinks a more fundamental solution might be more likely to bear fruit. This Note observes that executive branch rulemaking itself might be the root of many of the problems described above (constitutional deviance, regulatory instability, incongruity, cost burden, and complexity). To slightly alter President Ronald Reagan’s oft-cited line from his first inaugural address (“In this present crisis, government is not the solution to our problem; government is the problem”): in this present crisis, the agencies may not be the solution to our problem; the agencies may be the problem themselves.
Problems such as regulatory instability, cost burden, complexity, and separation-of-powers concerns are frequently associated with federal agency-based rulemaking more broadly. As agencies—instead of Congress—have heavily driven GovCon-Cyber policy changes, GovCon-Cyber rulemaking has, in many ways, grown to mirror these undesirable characteristics.
This Note suggests a different path. This Note urges Congress to step in; in doing so, it would improve regulatory stability, uniformity, cost-sharing, and accessibility, and it would rebalance the constitutional structure of GovCon-Cyber policymaking. First, especially with the final CMMC rule now out, Congress should curtail agency authority to further issue new GovCon-Cyber regulations absent extenuating circumstances such as unusual and compelling urgency or national security. Second, Congress should pass a law, through standard constitutional bicameralism and presentment, that clearly spells out, simplifies, and harmonizes cybersecurity requirements for government contractors and—using Congress’s power of the purse, which agencies do not have—provides funding and administrative support to help private sector companies comply.
Despite its call for a slower, more stable rulemaking process, this Note does not seek to frustrate the adoption of new GovCon-Cyber rules, which may be needed. Rather, this Note proposes greater involvement of an institution that is at least somewhat well-situated to provide a “sober second thought” and to help “plead[] the cause of an enlarged and permanent interest” against a fast-moving area of the law with divergent needs and constituencies. Further, this Note envisions a one-off policy process change that could be more likely to gain bipartisan backing in a polarized political environment. This Note’s proposal is limited to GovCon-Cyber; it can be passed without endorsing an across-the-board policy process revolution. Further, GovCon-Cyber is arguably less culturally or politically divisive than other issues in Congress, and, therefore, it may be less vulnerable to congressional gridlock and division.
This Note does, however, seek to contribute to the larger, ongoing conversation about agency rulemaking playing out in real time. The U.S. Supreme Court is currently taking up consequential separation-of-powers issues, e.g., through its recent Major Questions Doctrine line of cases, which have held that “decision[s] of such magnitude and consequence” must be made by “Congress itself, or an agency acting pursuant to a clear delegation from that representative body.” The Supreme Court has recently changed key doctrines in this area of the law, such as overturning the Chevron deference doctrine in its 2024 decision in Loper Bright Enterprises v. Raimondo. Thus, this is an opportune time for Congress to revisit how expertise-driven policy problems are addressed, structurally, across the government.
Below, this Note proceeds by first outlining the current GovCon-Cyber regulatory landscape and its challenges: namely, (A) that GovCon-Cyber rules change frequently and struggle with harmonization; (B) that the rules are costly and complicated; and (C) that they do not embody the Constitution’s guarantee that the people’s representatives are vested with legislative power. This Note then draws connections between those problems and characteristics of agency rulemaking in general. This Note then turns to explaining why congressional lawmaking would likely provide a better policy process than agency rulemaking for GovCon-Cyber, and how congressional lawmaking could address each of the four identified problem areas. Along the way, this Note addresses anticipated counterarguments and the limitations of Congress.
II. The Current GovCon-Cyber Rulemaking Landscape and Its Challenges
Government contractors are faced with an array of applicable cybersecurity requirements. As a Deltek publication succinctly put it, “Over the last 20 years, the [U.S. federal] government has rolled out a number of initiatives designed to protect sensitive data and improve digital security, and that work continues today.” Presently, some of the major requirements include FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-53, NIST SP 800-171, DoD’s CMMC, the Federal Risk and Authorization Management Program (FedRAMP), and the International Traffic in Arms Regulations (ITAR).
As the federal government has developed and promulgated these rules, however, problems have developed. This section identifies and explains those problems. These include the following: (A) the rules change frequently and struggle with harmonization; (B) the rules are costly and complicated; and (C) federal agencies are driving policy change to the extent that it raises constitutional balance-of-powers concerns.
A. GovCon-Cyber Rules Change Frequently, Remain Unsettled, and Struggle with Harmonization
GovCon-Cyber rules change frequently, remain unsettled, and struggle with harmonization, causing compliance burdens for contractors. This section explores these challenges with examples from both DoD and non-DoD contexts.
1. DoD GovCon-Cyber Rules
Frequent rule changes, and their corresponding burdens, have been especially pronounced with DoD, which spends about sixty percent ($414.5 billion, in FY2022) of the federal government’s contracting dollars. In the publication The Government Contractor, Jenner & Block LLP partners David Robbins, Tony Barkow, David Bitkower, and Aaron Cooper provided a helpful overview of how DoD GovCon-Cyber rules have evolved “in fits and starts” over the past decade. For example, in 2013, DoD first published clause 252.204-7012 in its Defense Federal Acquisition Regulation Supplement (DFARS), then entitled “Safeguarding Unclassified Controlled Technical Information.” That clause dealt with protecting Controlled Unclassified Information (CUI) and mandated that contractors implement upwards of 50 specific security controls. However, less than two years later, in 2015, DoD changed that clause “substantially.” Contractors were then expected to implement upwards of 100 safeguards based on a different baseline and were given a short period of time to adjust. The changes did not stop there. About a year later, in 2016, DoD added more requirements that, for instance, stretched the clause’s reach beyond CUI. Sensing contractor frustration, DoD promulgated a memorandum in 2017 regarding this clause’s implementation, which “provided some relief” to contractors. DoD required contractors to implement the clause by December 31, 2017, and now the clause appears in almost every DoD contract. The changes did not stop in 2017, however; the latest change to DFARS 252.204-7012 was adopted in May 2024.
In 2020, DoD continued its trajectory of changing its GovCon-Cyber rules when it introduced its CMMC program, which, like DFARS 252.204-7012, has exhibited inconsistency and uncertainty. CMMC is one of DoD’s more recent major initiatives to promote cybersecurity compliance in its contractor base. CMMC is a certification program that requires prospective contractors to meet cybersecurity standards as a condition of contracting with DoD. DoD promulgated its first version of CMMC, known as CMMC 1.0, in November 2020 and envisioned full compliance in five years, with phased implementation. The key feature of CMMC 1.0, and one of its raisons d’être, was its requirement that all contractors obtain third-party cybersecurity certification. CMMC 1.0 did not last long. Contractors were very confused about several key aspects of the program, and DoD received over 850 public comments on the interim rule. So, a year later, in November 2021, DoD changed course and announced CMMC 2.0. Key differences between CMMC 1.0 and 2.0 included a reduction from five tiers of compliance to three, and CMMC 2.0 permitted self-assessments for the lowest tier of compliance, whereas the key feature of CMMC 1.0 had been third-party certification. After CMMC “ha[d] been in gestation at the Defense Department longer than a baby elephant,” DoD released a final rule in October 2024.
2. GovCon-Cyber Rules Outside DoD
GovCon-Cyber rules and expectations outside DoD, some of which signal “significant new obligations” for contractors, continue to change and develop too. With the FAR, for example, November 2021 saw updates concerning “Basic Safeguarding of Covered Contractor Information Systems.” Additionally, in response to President Biden’s May 12, 2021 Executive Order on “Improving the Nation’s Cybersecurity,” the FAR Council continues to release new proposed FAR GovCon-Cyber rules, including a pair in October 2023.
Agency FAR supplements continue to see movement, too. For example, the U.S. Department of Homeland Security’s (DHS) FAR supplement, the Homeland Security Acquisition Regulations (HSAR), updated its “Safeguarding of Controlled Unclassified Information” clause, HSAR 3052.204-72, in July 2023. Similarly, the U.S. Department of Veterans Affairs updated its “Information and Information Systems Security” clause in October 2023.
Outside formal notice-and-comment rulemaking, changing agency cybersecurity preferences (or expectations) also plague contractors. This has been the subject of at least one recent GAO bid protest. In a 2022 protest decision, Meridian Knowledge Solutions, LLC, a company protested DHS’s decision to cancel its solicitation for IT support services because DHS wanted to change its cybersecurity requirements. The original solicitation said vendors did not need to be FedRAMP authorized at the time of award, but DHS later reconsidered and decided that it wanted vendors to be FedRAMP authorized. GAO denied Meridian’s protest because it found the agency was reasonable, but the protest underscores that, absent clear, fixed rules-of-the-road for cybersecurity in government contracts, agencies have been changing their expectations to the detriment of contractors.
Besides GovCon-Cyber rules being in flux, a number of these rules are currently inconsistent across agencies. This variation has been something the federal government has been trying to address for at least a decade. One example of this has been agency GovCon-Cyber rules governing unclassified Federal Information Systems. These have developed agency by agency, leading to “inconsistent security requirements across contracts,” according to the federal government itself. The government has recognized that such inconsistent requirements can “be unclear, add costs, and restrict competition.” The FAR Council is currently trying to address this concern.
Rules governing CUI, for example, have also struggled with harmonization. DoD contractors—representing the vendors for roughly sixty percent of the federal government—“have long had to comply” with one set of standards, while civilian contractors—representing the vendors for the remaining forty or so percent of the federal government—“have had to comply with a much looser standard outlined in FAR 52.204-21.” Perhaps there was, or is, a justification for this variation, but, understandably, contractors would be frustrated by it.
B. Complicated and Costly
The changing GovCon-Cyber regulatory landscape has also been identified as complicated, costly, and exacerbating imbalances between larger and smaller contractors. For example, cybersecurity expert Pete Sfoglia, Ph.D., described CMMC 2.0 as “an intricate web” of rules and technicalities. Complying with that program would “require[] in-depth knowledge [of] complex cybersecurity concepts like encryption, networking protocols and malware.” These are complicated to sift through without significant internal cybersecurity know-how or outside expertise.
At least partially as a result of the complexity, it is expensive to comply with GovCon-Cyber rules. For CMMC, for instance, expenses contractors may incur include “invest[ing] significantly in upgrading their systems,” “implementing the necessary cybersecurity measures,” “training their staff,” “maintaining compliance in an environment where cyber threats continually evolve[, which] could require further investment in technology, staffing and training,” and, for higher-level certifications, the cost of periodic third-party audits. Due to this complexity, it is expected that many, if not most, contractors will hire outside help to assist them in remaining compliant, which will be another added cost. Depending on factors such as the level of certification and size of the contractor’s organization, CMMC compliance costs could range from $4,000 to $21.1 million, according to DoD estimates, with costs varying based on business size and the level of compliance required for “the type and sensitivity of the information” handled.
With high complexity and costs, the added burdens are likely to fall harder on smaller contractors, as has previously been observed in this journal and elsewhere. With smaller operating budgets, hiring an outside cybersecurity professional to address a company’s cybersecurity vulnerabilities, for example, becomes a more burdensome expense. Now, to its credit, DoD “has a number of programs and entities that are in a position to help small businesses” understand how to comply with CMMC, such as its Project Spectrum initiative, and DoD has said it is seeking to do cost-benefit analyses of its GovCon-Cyber rules as they apply to small businesses. Nevertheless, significant financial relief from regulatory costs remains an issue, especially given the myriad expenses described just above that the government has not directly addressed. Further, agencies are still likely to prioritize their own missions as they craft rules that may add costs to businesses. For example, as Matt Travis, CEO of the Cyber AB, the nonprofit accreditation body for the CMMC program, observed in January 2024, “[DoD is] responsible for protecting this information or having this information protected, and if they give small businesses a lesser standard then our adversaries will know that’s where we’re going to go to get this information.”
C. Constitutional Concerns
There are also constitutional and philosophical concerns that at least some of this rulemaking exceeds our constitutional structure. Article I of the U.S. Constitution vests “[a]ll legislative powers” of the federal government “in [the] Congress of the United States.” Drawing a clear line around what is a legislative power that Congress must exercise is difficult and debatable. But jurists from Justice John Marshall to Justice Neil Gorsuch have contended that Article I “means that ‘important subjects . . . must be entirely regulated by the legislature itself,’ even if Congress may leave the Executive ‘to act under such general provisions to fill up the details.’”
As Justice Gorsuch would readily admit, deciding where to draw the line between an important subject and a detail is no simple task. Nevertheless, when DoD acknowledges in its CMMC final rule that CMMC is a “major rule” under the Congressional Review Act that “is expected to have an annual effect on the economy of $100M dollars or more,” this raises the question of whether this is something that Congress itself should be making policy decisions about.
In his dissent in Gundy v. United States, Justice Gorsuch proposes that Congress decides “controlling general policy,” while agencies, when delegated, can “fill up the details” or “make the application of that rule depend on executive fact-finding.” As applied to GovCon-Cyber, this constitutional policymaking dynamic may look like Congress deciding what the GovCon-Cyber security and compliance requirements would be, in general, while any remaining technical details required by those rules may be filled in by an agency, though not in a way that would deviate from Congress’s policy. Put more concretely, Congress would decide the “important subjects,” like whether contractors must obtain third-party certification or self-certify, whether there will be three tiers of compliance or five, and what specific attributes should guide an agency in selecting technical requirements. An agency may decide, in turn, what is an acceptable application of, for example, “[p]rovid[ing] protection from malicious code at appropriate locations within organizational information systems,” a phrase that appears in FAR 52.204-21. However, Congress should set that policy requirement initially, not an agency, if faithfully applying Justice Gorsuch’s test.
In addition to constitutional considerations, there are also practical concerns and evident downsides about agencies driving rulemaking. In the next section, this Note will highlight those and note how GovCon-Cyber concerns like frequent changes, harmonization, and cost burden, as just discussed, are characteristic of agency rulemaking in general.
III. Agency Rulemaking in General, and How GovCon-Cyber Rulemaking Mirrors Common Criticisms
The locus of GovCon-Cyber rulemaking right now is in the executive branch. Thus, to understand what may be driving problems with GovCon-Cyber rulemaking, it is prudent to review agency rulemaking in general and the criticisms that it frequently attracts.
As an initial comment, perhaps the most positive aspect of administrative agencies is arguably their subject-matter expertise. While this Note supports curtailing agency rulemaking authority in GovCon-Cyber, administrative agencies should still be a welcome place where GovCon-Cyber ideas should come from—“an ‘opportunity point’” for policy ideas and proposals to originate.
That being said, while American political figures from President Woodrow Wilson onward have promoted technocratic administration, and while this author does not condone unfairly vitriolic attitudes toward agency employees or sledgehammer approaches to government efficiency, agency rulemaking still has its limitations. The administrative state has generated some arguably fair criticism, which could fill at least a semester’s worth of a law school curriculum. Below is a discussion of some of the most common criticisms that are most relevant to this topic.
First, there is the claim that the administrative state as it exists today is unconstitutional. Of most relevance here is the argument that Congress unconstitutionally gives up too much legislative power to agencies, against the language of Article I. The principle that Congress should not delegate its core legislative powers is known as the non-delegation doctrine. These are the types of concerns that Justice Gorsuch engages with, as described in the previous section.
Second, agencies arguably promulgate too many rules, leaving the regulatory landscape suffocatingly complex. The Federalist Papers themselves observed that “[i]t will be of little avail to the people . . . if the laws be so voluminous that they cannot be read.” Yet, one only need look at the breadth of the Code of Federal Regulations to understand this statement’s significance today.
Third, agencies generally face less institutional friction and fewer stakeholders in rulemaking than legislators do. The result is that policy may come out differently: “[f]or agency officials, the costs of backing a given regulation are different than the legislator’s costs because the agency official is responsive to a smaller set of interests and influences than the legislator and thinks about public interests differently, as well.” In other words, significant differences exist between the forces affecting Members of Congress and unelected agency officials, shaping policy outcomes in different ways.
Fourth—and as a consequence of the preceding point—agency rules can change direction too much or too easily, provoking regulatory whiplash. Changing policy through bicameralism and presentment is a “cumbersome process.” In contrast, the executive branch changes policy direction frequently, even though changing rules through notice and comment is not always pain-free. This phenomenon is especially pronounced, and receives a lot of media attention, when presidential administrations change. For example, during the first year of President Donald Trump’s first term, agencies “reversed course on key progressive initiatives such as reductions in carbon emissions, healthcare insurance enrollment, police reform, redress of campus sexual harassment and assault, and net neutrality.” James Madison, the “Father of the Constitution” himself, warned of the dangers of the “mutability of the law,” i.e., laws changing too much. Federalist No. 62 explained the problems of such phenomena:
The internal effects of a mutable policy . . . poisons the blessing of liberty itself. It will be of little avail to the people . . . if the laws . . . undergo such incessant changes that no man, who knows what the law is to-day, can guess what it will be to-morrow . . . .
Another effect of public instability is the unreasonable advantage it gives to the sagacious, the enterprising, and the moneyed few over the . . . mass of the people. Every new regulation concerning commerce or revenue . . . presents a new harvest to those who watch the change, and can trace its consequences . . . . This is a state of things in which it may be said with some truth that laws are made for the FEW, not for the MANY.
Fifth, agencies have particular perspectives that do not always align neatly with other conceptions of the public interest. Agencies are generally marked by, and set up to pursue, their own narrow mission (e.g., DoD being focused specifically on national security), as opposed to Congress, which may be responsive to a larger set of concerns. Agency officials are also, like most of the rest of us, generally self-interested individuals who may be “‘budget maximizers’ motivated by some combination of salary, prestige, and belief in their agency’s mission.”
Finally, agency rules can arguably be too costly, even as agencies engage in cost/benefit analysis. The U.S. regulatory system costs an estimated $1.9 trillion a year, due to such expenses as operational changes (“direct costs related to regulation’s mandated changes”) and compliance risks (“uncertainties for firms about how regulation will evolve . . . [which] may in turn prevent firms from undertaking attractive investments due to the fear of an unforeseen regulatory response”).
As one can see, the complaints outlined above closely overlap with the complaints, or at least observations, about GovCon-Cyber rulemaking. As explained above in Section II, these concerns include GovCon-Cyber rules changing frequently, struggling with harmonization, prioritizing agency needs while adding obligations for contractors, and creating barriers in terms of costs and compliance that fall hard on smaller or less sophisticated contractors.
James Madison and the Framers in some way foresaw these sorts of problems, and this appears to be partially why they designed Congress the way they did. Their insights may be helpful for GovCon-Cyber.
IV. Why Congress Would Be Better
While Congress is an unpopular and flawed institution, it may nevertheless be a superior forum for addressing the above-described GovCon-Cyber problems of constitutional deviance, regulatory instability, incongruity, cost burden on contractors, and complexity. This is especially likely since the forum of agency rulemaking is likely connected with many of these problems. Having Congress curtail agencies’ authority to promulgate most GovCon-Cyber rules on their own, and having Congress pass a comprehensive bill itself, could offer several benefits. It would reorient legislative decision-making to Congress (as the Constitution promises the American people), and it could improve regulatory stability, uniformity across government, cost-sharing among the public and private sectors, and accessibility to smaller-to-midsize contractors.
A. Having Congress Make These Major Decisions Would Fulfill the Constitution’s Promise of an Elected Legislature Deciding “Important Subjects”
With GovCon-Cyber rules expected to affect hundreds of thousands of businesses and cost hundreds of millions of dollars, these substantive rules ought to be addressed by “a republic—a thing of the people,” as indicated by the Constitution in Article I: that Congress is to exercise “[a]ll legislative [p]owers herein granted.” This is the promise the federal government made with its people: that by centering legislative power in the “people’s elected representatives,” “all power [w]ould be derived from the people,” and “those [e]ntrusted with it should be kept in []dependence on the people,” in contrast with “a regime administered by a ruling class of largely unaccountable ‘ministers.’” By reclaiming the policy debates in GovCon-Cyber, Congress would be reasserting its constitutional role.
Like in other policy areas, policy goals in government contracting are often numerous and competing; Professor Steven L. Schooner has observed that “[t]here are many options [for objectives for a procurement system], and most are contradictory.” Someone has to reconcile them when deciding on policy, and the Constitution assigns that role to Congress.
To reassert its constitutional role, Congress can and should develop its expertise on GovCon-Cyber. Even though legislators may not initially possess expertise on a given subject, they can and do develop expertise themselves; they routinely obtain advice from internal and external sources in order to perform their roles:
[G]eneralist legislators often vote on laws—such as those setting the emission limits for new cars—the merits of which depend upon the resolution of hotly contested technical disputes. Although both agency heads and legislators often lack the expertise to evaluate technical arguments by themselves, they can get help from agency staff, government institutes (for example, the Centers for Disease Control), and private sources (for example, medical associations, private think tanks, and university scientists). In addition, legislators request advice from their own staffs, committee staffs, and various congressional offices.
As one Columbia Law School professor observed, Congress “doesn’t have that much difficulty going into detail when it wants to.” There are plenty of examples of Congress exercising expertise. For example, Congress legislates on complex subjects such as air pollution, taxes, and the federal budget:
For example, the Clean Air Act and many other statutes give agencies copious instructions on the handling of many complex questions. The 2,823-page-long Internal Revenue Code legislates in great detail, often creating rules so specialized that they apply to only one taxpayer. Congress legislates about details on an even more massive scale in the annual federal budget.
If Congress needs to hire additional experts or seek advice from outside sources, it should do so here. This would certainly demand more work and effort from Congress. However, Congress should see the incentives for investing in its GovCon-Cyber expertise. Not only would Congress reclaim its power and constitutional role, but Members of Congress could also potentially benefit from driving better GovCon-Cyber rulemaking—in the form of better public policy outcomes and potentially increased reelection prospects driven by happier constituents: two primary motivations for Members. Congress, with some effort and a sense of urgency stemming from no longer being able to rely on agencies, can muster the expertise needed to fulfill its constitutional role.
B. Congress’s General Slowness and More Numerous Institutional Checkpoints Would Add Stability to GovCon-Cyber Policy
In GovCon-Cyber, the rules are “constantly evolving, perhaps more so than any other set of requirements applicable to contractors.” In other words, the rules change frequently, arguably at a dizzying pace. Here, Congress may be able to help.
Scholars widely observe Congress to be a slower-functioning branch of government. This is consistent with the Framers’ hope that the Constitution’s design would “curb the ‘facility and excess of law‐making.’” In contrast, according to an empirical study published in the George Washington Law Review, agencies can and still do enact “historically large numbers of regulations . . . relatively quickly.” By forcing most policy changes to go through a slower-moving institution, GovCon-Cyber rules would likely become more stable and predictable over the long run, to the benefit of the entire government contracting community.
Congress is slow in large part because of its abundance of institutional veto points—such as the committee system, bicameralism, and presentment—which are not as present in agency rulemaking. Going slow and steady often yields desirable benefits in policymaking. Indeed, one of the main rationales for including “political inertia” in our tripartite constitutional design is that it “rest[s] on a global judgment that the errors of going too fast are more dangerous than those of going too slow.” Of importance here, slower policymaking with more institutional friction ideally reduces or deters “mutability of the law.” That is, when a process to change the law requires government officials to expend more time or more effort, or to overcome more barriers (e.g., bicameralism and presentment), it becomes less likely that government officials will change the laws as often. This produces a positive stability that provides greater certainty and trust in the law—as Madison would say, “Stability in government [that] is essential to national character.”
Here, taking GovCon-Cyber rulemaking out of agencies and subjecting it to Congress’s greater general slowness and friction (when compared to agencies) could reduce the high volume of rule changes in this hot policy area and provide greater, much-desired certainty for contractors. Likewise, by making clear to the contracting community that policy changes would not be final until they have passed through bicameralism and presentment, congressional policymaking would arguably reduce the frustration and confusion associated with agencies telegraphing, slowly rolling out, or about-facing on their intentions for their proposed rules. This has arguably been particularly problematic with CMMC, where DoD had been announcing and developing multiple iterations of GovCon-Cyber rules for years, to the consternation and confusion of many contractors.
To be sure, potentially adding more slowness and more institutional friction/veto points risks negative outcomes: chiefly, that Congress ends up taking years to promulgate rules or becomes “hopelessly ‘gridlocked.’” Indeed, Congress has considered GovCon-Cyber-related legislation before, often without coming away with much. However, there are good reasons to think GovCon-Cyber will be less likely to fall victim to congressional gridlock if Congress intentionally takes rulemaking away from agencies and into its own hands. First, such a decision would strongly signal congressional buy-in and commitment to doing the work, rather than remaining gridlocked on the issue. Second, with fresh memories of attacks like SolarWinds, the national-security subject matter, and Congress no longer being able to pass rulemaking off to agencies, Congress would arguably have an increased sense of urgency to help stimulate lawmaking. As journalist Sandra I. Erwin observed in National Defense magazine a decade ago, quoting a government contracts attorney: “In the absence of a sense of urgency, ‘different groups stall [cybersecurity] legislation’ [in Congress.]” This observation is consistent with arguments from political scientists that policymakers are more attentive to problems when there appears to be an urgency surrounding them, and with arguments that Congress is less likely to act if it has passed problem-solving off to agencies. Here, with agencies like the FAR Council or DoD no longer able to unilaterally respond to these national-security-related problems, Congress should have the urgency to break through gridlock.
Recent legislation has shown that Congress has been able to pass cybersecurity-related legislation around the time of, and in the wake of, the SolarWinds attack, ostensibly lending credence to the theory that Congress thinks this issue is urgent. This recent legislation includes the Internet of Things Cybersecurity Improvement Act of 2020, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and the Quantum Computing Cybersecurity Preparedness Act, also in 2022.
That all being said, Congress’s institutional slowness should be celebrated so long as it is useful. This Note proposes that Congress allow some national security/urgency exceptions, similar to exceptions to full-and-open-competition in government contracts formation. That way, agencies can change GovCon-Cyber rules during a major catastrophe or war that requires real-time updates in order to preserve immediate national security interests.
C. By Making Congress the Single Policymaking Forum, GovCon-Cyber Policy Could Be More Harmonized
GovCon-Cyber rulemaking has struggled with harmonization. As such, this Note makes the additional argument that Congress could improve harmonization by simply reining in multiple agencies’ ability to make different rules. Instead, Congress can be the sole entity that can change rules, thereby improving harmonization. Rather than “contractors [having] to follow the bouncing ball for all these different agencies,” Congress would be the clearinghouse for all policy changes. This would be simpler, and Congress would ostensibly have the perspective and incentive to ensure harmonized rules across the executive branch it oversees. An analogous situation is when Congress followed the recommendations in the 1970s of the Commission on Government Procurement—which “discovered a ‘burdensome mass and maze of procurement regulations’”—to pass, for example, the Office of Federal Procurement Policy Act “to establish a system of uniform procurement regulations coordinated on a government-wide basis.”
To be sure, executive branch institutions are currently doing some work to harmonize cybersecurity requirements. However, these efforts appear to be largely reactive to current disharmony rather than proactively ensuring harmony at the outset of new policy developments. For example, in Fall 2023, the FAR Council announced two new GovCon-Cyber rule proposals aiming to “standardize security requirements for federal information systems.” One of the rules had the word “[s]tandardizing” in its title. However, this was explicitly reactive to unharmonized federal information systems requirements that were allowed to grow agency by agency. As another example, in Fall 2023, DHS published a report entitled “Harmonization of Cyber Incident Reporting to the Federal Government.” However, DHS drafted this report at least in significant part in response to the existence of “52 in-effect or proposed Federal cyber incident reporting requirements,” and only after Congress mandated that DHS submit such a report. Congress’s mandate there inspires confidence that Congress would be attentive to GovCon-Cyber harmonization. Further, by having policy changes come from one institution rather than several, Congress can proactively prevent harmonization issues from arising, rather than leaving executive branch institutions to inefficiently resolve problems after the fact.
D. Congress’s More “[I]ntimate [S]ympathy with[] the [P]eople,” Combined with Its Power of the Purse, Makes It More Likely That Congress Will Help Make GovCon-Cyber More Accessible to Smaller-to-Midsize Businesses
The last of the recurring complaints identified in Section II above is that the GovCon-Cyber rules are complicated and costly and that these costs and complications are significantly borne by private contractors, especially smaller contractors. In short, this Note observes that Congress may be more motivated and better equipped than agencies to respond to or reconcile these concerns.
First, Members of Congress directly face reelection, and their job security directly depends on keeping constituencies happy, compared to agency officials, who may be more insulated from public pressure. James Madison wrote that the Framers designed Congress to help guarantee that those in power would “be kept in []dependence on the people,” with whom they have “immediate dependence on, and an intimate sympathy with.” Reelection is perhaps the most important point of distinction between Members of Congress and administrative agency officials, and reelection affects Congress deeply. Classic political science research on congressional incentives agrees that reelection is one of, if not the most, powerful motivators of Members of Congress. For example, political scientist Richard F. Fenno, Jr. famously observed (in research that is included in political science curricula across the country) that reelection is one of the three primary goals of Members of Congress. Political scientist David R. Mayhew similarly argued in his “canonical” 1974 work “that the principal motivation of legislators is reelection and that the pursuit of this goal affects the way they behave and the way that they make public policy.” It is worth remembering that an estimated 200,000 businesses will be affected by CMMC, and their employees and owners vote. Members of Congress, wary of acute political consequences, arguably may be more powerfully motivated to consider competing constituencies and try to reach a deal that helps as many constituencies as possible. Congress’s motivation to respond to constituents may be why it has historically been a locus of small business promotion, particularly in government procurement.
In contrast, agency officials do not directly rely on reelection for job security and thus are not as dependent on businesses’ votes to keep their positions, at least not directly. Agency officials are less likely to personally experience political accountability (in the form of salary reduction or other employment consequences) if outside constituencies (e.g., businesses) are negatively affected. Furthermore, agency officials may be motivated to achieve their agency’s more specific mission (e.g., to preserve the national defense). Thus, Congress may arguably be more acutely responsive to the needs of the contracting community, whose votes its Members depend on, compared to executive branch agencies, which are understandably principally focused on their own agencies’ needs.
In this context, too, Congress has a major advantage over agencies in that it has the power of the purse and that it can appropriate funds. For example, Congress could provide grants to small businesses for cybersecurity assistance as part of reaching a deal, whereas an agency has no such power. Even if an agency wanted to lift compliance costs from businesses, it would be difficult to do so, financially, without extra appropriated funds. Instead, Congress can appropriate funds to distribute the burden of compliance among both the private and public sectors. Placing GovCon-Cyber in Congress can put this tool front and center in policymaking discussions and ensure it is seriously considered as a means to create an accessible and secure contractor base.
V. Conclusion
In conclusion, Congress should curtail agencies’ ability to further promulgate GovCon-Cyber regulations (with limited exceptions for immediate national security/urgency), and Congress should instead enact legislation itself. The current system of agency-based rulemaking has led to a frequently shifting, confusing, costly, and questionably constitutional regulatory landscape. Instead, Congress should reassert its constitutional role as the nation’s policymaker, and doing so would likely increase regulatory stability, uniformity, and ease of compliance.