{"id":70287,"date":"2019-10-23T00:31:20","date_gmt":"2019-10-23T00:31:20","guid":{"rendered":"https:\/\/essays.homeworkacetutors.com\/2019\/10\/improving-risk-management-in-departmnet-of-defense-government-contracting\/"},"modified":"2019-10-23T00:31:20","modified_gmt":"2019-10-23T00:31:20","slug":"improving-risk-management-in-departmnet-of-defense-government-contracting","status":"publish","type":"post","link":"https:\/\/www.colapapers.com\/us\/improving-risk-management-in-departmnet-of-defense-government-contracting\/","title":{"rendered":"Improving Risk Management in Department of Defense Government Contracting"},"content":{"rendered":"<div class=\"content position-relative mb-4\">\n<div>\n<p>\nIMPROVING RISK MANAGEMENT IN DEPARTMENT OF DEFENSE GOVERNMENT CONTRACTING: ESTABLISHING A CYBER SECURITY GRANT PROGRAM\n<\/p>\n<p>\nI. Introduction\n<\/p>\n<p>\nII. Background: The Current Cybersecurity Regime\n<\/p>\n<p>\nA. A Framework for Risk Management: The DFARS and the NIST SP 800-171\n<\/p>\n<p>\nB. Cybersecurity as an Evaluation Criteria: <em>Syneren<\/em> and <em>IP Keys Tech<\/em>\n<\/p>\n<p>\nIII. Improving Small Business Cybersecurity\n<\/p>\n<p>\n\u00a0A. Potential Solutions\n<\/p>\n<p>\n\u00a0B. Establishing a Cybersecurity Grant Program\n<\/p>\n<p>\nIV. Conclusion\n<\/p>\n<p>\n<strong>I. 
INTRODUCTION<\/strong>\n<\/p>\n<p>\n<strong>\u00a0<\/strong>\n<\/p>\n<p>\nIn 2013, Target experienced a massive data breach<a href=\"#_ftn1\">[1]<\/a> which left up to 70 million customers\u2019 personal information vulnerable to hackers.<a href=\"#_ftn2\">[2]<\/a>\u00a0 Information such as personal phone numbers, addresses, and credit card information was compromised after a phishing email allowed a bot access to company login credentials.<a href=\"#_ftn3\">[3]<\/a>\u00a0 Not only was the CEO of Target forced to resign after the incident<a href=\"#_ftn4\">[4]<\/a>\u2014a first for a major company suffering a data breach\u2014but the company became the subject of multistate litigation stemming from its failure to protect customer data.<a href=\"#_ftn5\">[5]<\/a>\n<\/p>\n<p>\n\u00a0Interestingly, the hackers did not gain access to Target\u2019s systems directly, but through a small vendor it contracted with for HVAC services, Fazio Mechanical Services Inc.<a href=\"#_ftn6\">[6]<\/a>\u00a0 A third-party vendor, Fazio\u2019s only defense against malicious software was the free version of Malwarebytes Anti-Malware.<a href=\"#_ftn7\">[7]<\/a> The free version does not scan for real-time threats and was not even licensed for corporate use.<a href=\"#_ftn8\">[8]<\/a>\u00a0 Once Fazio\u2019s vendor credentials were obtained, hackers used malware to access billing and invoicing systems, and Target\u2019s own software spread the malware to virtually all of Target\u2019s Point of Sale systems.<a href=\"#_ftn9\">[9]<\/a>\n<\/p>\n<p>\nTarget\u2019s vulnerability through a small, third-party vendor which was not even involved in its billing systems is an illustrative example of how targets can be compromised through a small business. 
Criminals are increasingly using small businesses as a backdoor into larger organizations, as their cybersecurity systems tend not to be as sophisticated.<a href=\"#_ftn10\">[10]<\/a> Smaller businesses are less likely to have thorough cybersecurity systems in place, and are more likely to be unprepared for the costs of losses when a data breach occurs.<a href=\"#_ftn11\">[11]<\/a>\u00a0 For small government contractors who deal with sensitive information crucial to national security, the stakes are even higher.\u00a0\n<\/p>\n<p>\nIn 2011, a Chinese citizen who was living in Canada hacked into Lockheed Martin\u2019s networks and gained access to information about several military aircraft.<a href=\"#_ftn12\">[12]<\/a> Given other recent breaches of government computer systems<a href=\"#_ftn13\">[13]<\/a>, the executive branch has recognized the importance of strict cybersecurity compliance as a cornerstone of national security.\u00a0 The Federal Modernization Security Act (FISMA) of 2002, which was amended in 2014, was passed by Congress in order to protect defined categories of information and information systems in order to provide a \u201ccomprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets\u201d and to \u201cprovide for development and maintenance of minimum controls required to protect Federal information and information systems.\u201d<a href=\"#_ftn14\">[14]<\/a>\n<\/p>\n<p>\nAlthough small government contractors have limited resources, they are still subject to the same cybersecurity requirements that larger contractors with more resources must abide by.<a href=\"#_ftn15\">[15]<\/a> Recently, the Department of Defense has employed the Defense Federal Acquisition Regulation Supplement (DFARS), to institute uniform cybersecurity requirements for all covered DOD contractors and subcontractors, regardless of size.<a href=\"#_ftn16\">[16]<\/a>\n<\/p>\n<p>\nAdditionally, 
the DOD has specified the inclusion of small businesses in its federal contracting process in order to support local economic development, offer opportunities to disadvantaged socio-economic groups, and gain access to new ideas that small businesses provide.<a href=\"#_ftn17\">[17]<\/a> The DoD aimed to award at least 22 percent of small-business-eligible prime-contract spending to small businesses in fiscal year 2017.<a href=\"#_ftn18\">[18]<\/a>\n<\/p>\n<p>\nThe impetus of the Small Business Act of 1953 was to establish the Small Business Administration, and to \u201caid, counsel, assist and protect, insofar as is possible, the interests of small business concerns.\u201d<a href=\"#_ftn19\">[19]<\/a>\u00a0 Included in the SBA\u2019s mandate was the assurance that it would give small businesses a \u201cfair proportion\u201d of government contracts and sales of surplus property.<a href=\"#_ftn20\">[20]<\/a>\u00a0 In short, the DOD is required to ensure that a significant portion of its contracts are awarded each year to small businesses, all of whom must comply with the DFARS cybersecurity standards.\u00a0 This represents a significant challenge for both the government and small government contractors, as the percentage of federal contract dollars set aside for small businesses is likely to grow.<a href=\"#_ftn21\">[21]<\/a>\n<\/p>\n<p>\n\u201cOne of the major impediments to changing how cybersecurity is addressed in Federal acquisitions is the differing priorities of cyber risk management and the Federal Acquisition System. 
The Acquisition Workforce is required to fulfill numerous, sometimes conflicting, policy goals through their work, and cybersecurity is but one of several competing priorities in any given acquisition.\u201d<a href=\"#_ftn22\">[22]<\/a>\u00a0 The government must attempt to allocate its target amount of contracts to small businesses while making sure to not compromise its cybersecurity goals at the same time.\u00a0 Small businesses, for their part, must strategically allocate limited resources while remaining in step with the myriad and increasing security goals mandated by the government.\u00a0 The Director of the Kansas University Small Business Development Center stated \u201cAmerica\u2019s small businesses have not made a dedicated effort to build cybersecurity into their P&amp;Ls [Profits and Losses]. That lack of funding on the small business side has been noticed by hackers. Small businesses are the backdoor into big business. A Fortune 500 company or the U.S. Government can throw as many dollars as they want at the threat of a\u00a0cybersecurity breach, but all it takes is one small business vendor to take down the whole thing.\u201d<a href=\"#_ftn23\">[23]<\/a>\n<\/p>\n<p>\n\u00a0Although several government entities have implemented programs to assist small businesses which contract with the DOD by focusing on outreach and education efforts<a href=\"#_ftn24\">[24]<\/a>, they have fallen short. 
These attempts typically centered more on creating broad initiatives and policy advice than concrete solutions.\u00a0 These programs are no doubt helpful, but they have not targeted the underlying issue which small government contractors face when attempting to comply with cybersecurity mandates\u2014allocation of limited financial resources.\u00a0 This note argues that Congress should pass legislation giving the Small Business Administration the authority to establish a federally funded grant program for cyber security in which eligible small business defense contractors will be directly provided with funds which can be used for internal cyber security improvements.\u00a0 Congress should give the SBA authority to make cybersecurity grants to assist small businesses with Department of Defense contracts in order to meet their DFARS and NIST SP 800-171 cybersecurity requirements.\u00a0 This will help the DOD achieve its cybersecurity objectives, which include expanding cyber cooperation with the private sector, and securing DOD information on non-DOD owned networks.<a href=\"#_ftn25\">[25]<\/a>\u00a0 Putting the power of compliance in the hands of individual businesses who are most equipped to know where to allocate their resources would help alleviate inefficiency and the funding of duplicate resources.\n<\/p>\n<p>\nPart II of this note lays out a brief overview of the DOD\u2019s current cybersecurity mandates, providing a look at the origins of the DFARS cybersecurity initiatives and the Department of Commerce\u2019s National Institute of Standards and Technology, and their increasing emphasis on standardization among all contractors.\u00a0 It will also take a look at two recent cases in which cybersecurity was used as an evaluation criteria by agencies.\u00a0 Part III will analyze ongoing efforts to ameliorate the unique difficulties faced by small federal contractors.\u00a0 It will then argue that establishing a cyber security grant program for eligible small 
government contractors who are subject to DFARS requirements would assist individual contractors in completing the three main tasks of DFARS 252.294-7012 and the NIST SP 800-171\u2014figuring out what information is covered, implementing cyber incident reporting requirements, and developing a security system and plan of action.\n<\/p>\n<p>\n<strong>II. Background: The Current Cybersecurity Regime<\/strong>\n<\/p>\n<p>\n<strong>\u00a0<\/strong>\n<\/p>\n<p>\nThe Department of Defense protects sensitive information held by contractors through rules known as the \u201cFederal Acquisition Regulation\u201d (FAR), and the \u201cDefense Federal Acquisition Regulation Supplement\u201d (DFARS) which provides DOD specific acquisition regulations for the procurement process<a href=\"#_ftn26\">[26]<\/a>. In 2016 the DFARS supplement published a final ruling<a href=\"#_ftn27\"><sup>[27]<\/sup><\/a>, which was clarified by the DOD\u2019s Frequently Asked Questions (Network Penetration Reporting and Contracting for Cloud Services FAQ).\u00a0\u00a0 As of Dec. 
31<sup>st<\/sup>, 2017, all Department of Defense (DoD) contractors that store, process, or transmit\u00a0covered defense information\u00a0(CDI) are subject to DFARS 252.204-7012.<a href=\"#_ftn28\">[28]<\/a>\u00a0 This clause requires that all contractors implement the security requirements in the NIST SP 800-171 standards for cybersecurity.<a href=\"#_ftn29\">[29]<\/a>\n<\/p>\n<p>\nCybersecurity regulations which govern government contracts require increasing levels of compliance across multiple categories in order for firms to remain competitive in the bidding process, placing major emphasis on requiring government contractors to adhere to stringent cybersecurity rules.\u00a0 The DOD also issued feedback on how a small business could approach meeting the requirements of NIST SP 800-171.\u00a0 It stated that most requirements could be met by instituting policy\/process changes or by adjusting the configuration of existing IT systems.<a href=\"#_ftn30\"><sup>[30]<\/sup><\/a>\n<\/p>\n<p>\nWhile the FAR rules create a baseline of protection,<a href=\"#_ftn31\">[31]<\/a> the final DFARS rule applies to all contractors and subcontractors which safeguard \u201ccovered defense information\u201d (CDI) residing in or transiting through \u201ccovered contractor information systems\u201d<a href=\"#_ftn32\">[32]<\/a>.\u00a0 Previously, this rule only applied to \u201ccleared\u201d and \u201coperationally critical\u201d contractors.\u00a0 The following highlights additional important changes to the final DFARS ruling.\n<\/p>\n<p>\n<em><u>Coverage<\/u><\/em>\n<\/p>\n<p>\nThe final DFARS rule expands coverage.<a href=\"#_ftn33\">[33]<\/a> Unless a solicitation or contract is for the acquisition of COTS items<a href=\"#_ftn34\">[34]<\/a>, the clause must be required in all subcontracts for any \u201coperationally critical support\u201d<a href=\"#_ftn35\">[35]<\/a> provided, or if performance of the contract will require \u201ccovered defense information.\u201d<a 
href=\"#_ftn36\">[36]<\/a> The old clause only applied to \u201ccleared\u201d and \u201coperationally critical\u201d contractors as specified in the 2013 and 2015 National Defense Authorization Act (NDAA).\n<\/p>\n<p>\n<em><u>Incident reporting<\/u><\/em>:\n<\/p>\n<p>\nIn addition, the new DFARS requires a contractor to report any cyber \u201cincidents\u201d within 72 hours of discovery.<a href=\"#_ftn37\">[37]<\/a>\u00a0 Some public comments complained that reporting within 72 hours was too burdensome because it was highly likely that they have all the information required by the clause within 72 hours.\u00a0 But the DOD has issued clarification that contractors should report \u201cwhatever information is available to the DIBNet portal<a href=\"#_ftn38\">[38]<\/a> within 72 hours of discovery. When more information becomes available, the contractor\/subcontractor should submit a follow-on report with the added information.\u201d<a href=\"#_ftn39\">[39]<\/a>\n<\/p>\n<p>\n<em><u>Sharing of malware<\/u><\/em>\n<\/p>\n<p>\nWhen malware is discovered, it should be submitted to the DoD Cyber Crime Center \u201cin accordance with instructions provided by DC3 or the Contracting Officer. 
Do not send the malicious software to the Contracting Officer.\u201d<a href=\"#_ftn40\">[40]<\/a>\u00a0Previously, contractors were required to \u201csubmit the malicious software in accordance with instructions provided by the Contracting Officer\u201d.\u00a0<a href=\"#_ftn41\">[41]<\/a>\n<\/p>\n<p>\n<em>\u00a0<\/em>\n<\/p>\n<p>\n<em>\u00a0<\/em>\n<\/p>\n<p>\n<em>\u00a0<\/em>\n<\/p>\n<p>\n<em><u>Contractor network access<\/u><\/em>\n<\/p>\n<p>\n<em>\u00a0<\/em>\n<\/p>\n<p>\nThe DoD is now allowed access to contractor information and systems in the event of a cyber incident.<a href=\"#_ftn42\">[42]<\/a>\u00a0 Although this has been criticized as allowing the government to have too much access to contractor information, the DoD has stated in commentary to the rule that access is limited to \u201cdetermining if DoD information was successfully exfiltrated\u2026 and, if so, what information was exfiltrated.\u201d<a href=\"#_ftn43\">[43]<\/a>\n<\/p>\n<p>\n<em><u>Subcontractor Reporting Obligations<\/u><\/em>\n<\/p>\n<p>\n<em>\u00a0<\/em>\n<\/p>\n<p>\nWhen a subcontractor provides operationally critical support, or the execution of the contract involves covered defense information, they must report the cyber incident to the DOD.<a href=\"#_ftn44\">[44]<\/a>\u00a0 Additionally, the subcontractor must notify the prime when requesting a divergence from the NIST SP 800-171 security control requirements.<a href=\"#_ftn45\">[45]<\/a>\n<\/p>\n<p>\n<em><u>Cloud service providers <\/u><\/em>\n<\/p>\n<p>\n<em>\u00a0<\/em>\n<\/p>\n<p>\nCloud Service Providers that are being operated on behalf of the government, and those that are not, receive different treatment. Cloud Service Providers which operate on behalf of the government must comply with the Cloud Computing Security Requirements Guide (SRG), also known as the FedRAMP+<a href=\"#_ftn46\">[46]<\/a> rules. 
Otherwise, Cloud Service Providers must meet the FedRAMP Moderate baseline<a href=\"#_ftn47\">[47]<\/a> requirements and comply with the Final Rule\u2019s \u201ccyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment\u201d.<a href=\"#_ftn48\">[48]<\/a>\n<\/p>\n<p>\n\u00a0Most covered contractor information systems are not operated on behalf of the government and must abide by the security requirements in NIST SP 800-171, \u201cProtecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations\u201d.<a href=\"#_ftn49\">[49]<\/a>\u00a0 The National Institute of Standards and Technology (NIST) is charged with \u201cdeveloping information security standards and guidelines, including minimum requirements for federal information systems\u201d.<a href=\"#_ftn50\">[50]<\/a>\u00a0 NIST developed this publication to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014.<a href=\"#_ftn51\">[51]<\/a> The requirements contractors adhere to in the NIST SP 800-171 are complex and expansive.\u00a0\n<\/p>\n<p>\nAs an example of the technical complexity contractors must grapple with, NIST SP 800-171 details 14 different \u201cFamilies\u201d of requirements for protecting the confidentiality of information: Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; and System and Information Integrity.<a href=\"#_ftn52\">[52]<\/a> Each of these requirements needs to be \u201capplied to the nonfederal organization\u2019s internal systems processing, storing, or transmitting CUI\u201d.<a 
href=\"#_ftn53\">[53]<\/a>\n<\/p>\n<p>\nThe measures needed to implement the requirements of the NIST SP 800-171 can be quite burdensome and may require continuous monitoring efforts.<a href=\"#_ftn54\">[54]<\/a> Compliance is demonstrated through having a robust system security plan alongside a plan of action describing how any non-compliant practices can be rectified.<a href=\"#_ftn55\">[55]<\/a> Any contractors new to the arena may incur significant upfront costs that make it all but impracticable to thoroughly comply with all the guidelines set forth in the NIST publication. This is important for small businesses, which may find it challenging to comply with so many requirements, especially if their previous contracts with the DOD were limited.\u00a0 Some contractors may even decide that compliance is too costly and are willing to risk non-compliance.\n<\/p>\n<p>\n\u00a0However, noncompliance is not an option for government contractors looking to mitigate their risks and avoid potential negative outcomes from bid protestors.\u00a0 DFARS 252.204-7008 provides that \u201c[b]y submission of this offer, the Offeror represents that it will implement the security requirements specified by [NIST SP 800-171] . . . 
that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017.\u201d<a href=\"#_ftn56\">[56]<\/a>\n<\/p>\n<p>\n\u00a0However, there is some relief for contractors who feel they cannot meet the full burden of the NIST up-front.\u00a0 In some cases, contractors are permitted to ask for deviances from the requirements after they have been awarded the contract if they believe they can offer an \u201cequally effective security measure in its place\u201d.<a href=\"#_ftn57\">[57]<\/a> Contractors can begin this process by submitting a written request to the Contracting Officer which will then be considered by the DOD Chief Information Officer.<a href=\"#_ftn58\">[58]<\/a>\u00a0 Contractors can also request a pre-award adjudication<a href=\"#_ftn59\">[59]<\/a> if they feel a security requirement is not consistent with the requirements of the contract, or they have \u201can alternative, but equally effective security measure that may be implemented in its place\u201d.<a href=\"#_ftn60\">[60]<\/a>\n<\/p>\n<p>\n<strong>B. 
Cybersecurity as an Evaluation Criteria: <\/strong><strong><em>Syneren<\/em><\/strong><strong> and <\/strong><strong><em>IP Keys Tech<\/em><\/strong>\n<\/p>\n<p>\n<strong>\u00a0<\/strong>\n<\/p>\n<p>\n\u00a0Revision 1 of the NIST SP 800-171 states that agencies have the right to inspect any system security plans (SSP) and plans of action and milestones (POAM) from government contractors.<a href=\"#_ftn61\">[61]<\/a>\u00a0 Additionally, these SSP and POAM may be used by agencies as evaluation criteria in awarding contracts which require the processing, storing, or transmission of Covered Defense Information (CDI).<a href=\"#_ftn62\">[62]<\/a>\u00a0 The DOD can determine \u201cwhether it is an acceptable or unacceptable risk to process, store, or transmit\u201d CDI on any individual\u2019s system.<a href=\"#_ftn63\">[63]<\/a>\u00a0 Two recent cases help illustrate how cybersecurity has been used as an evaluation criteria for contractors.\n<\/p>\n<p>\n<em><u>Syneren Tech Corp.<\/u><\/em>\n<\/p>\n<p>\nOn Feb. 
10, 2016, the Department of the Navy issued an RFP asking contractors to provide support to the Sea Warriors Program<a href=\"#_ftn64\">[64]<\/a> for the \u201cdesign, development, implementation and sustainment of IT systems and software supporting enterprise business services, personnel and pay, position management, recruiting and accessions, workforce development, and distance support.\u201d\u00a0 The solicitation was an indefinite-delivery, indefinite-quantity (IDIQ) contract and had the following five evaluation factors:\n<\/p>\n<p>\n\u201c(1)\u00a0software development experience; (2) first sample task (net recruiting placement and alignment (NetRPA)<a href=\"#_ftn65\">[65]<\/a> development\/modernization); (3) second sample task (Department of Defense (DOD) IT portfolio repository\/database management system sustainment); (4)\u00a0cost; and (5) past performance.\u201d<a href=\"#_ftn66\">[66]<\/a>\n<\/p>\n<p>\nBecause the contract had work that was to be performed at a government site in New Orleans, Louisiana, and involved Department of Defense and Department of the Navy information, the winning contractor had to comply with both DOD and Navy cybersecurity requirements.<a href=\"#_ftn67\">[67]<\/a> Among them was the requirement that some of the software in use by the contractor meet certain accreditation standards.<a href=\"#_ftn68\">[68]<\/a>\u00a0 In addition, it was the bidder\u2019s responsibility to clearly show its ability to satisfy these requirements.<a href=\"#_ftn69\">[69]<\/a>\u00a0\n<\/p>\n<p>\nThe proposal received 20 offers, including Syneren\u2019s.<a href=\"#_ftn70\">[70]<\/a>\u00a0 Unfortunately, the software it proposed to use for the second evaluation factor, the Net Recruiting Placement and Alignment (NetRPA), was not accredited for use by the Navy.<a href=\"#_ftn71\">[71]<\/a> Additionally, Syneren offered no explanation of how it planned to become accredited.<a href=\"#_ftn72\">[72]<\/a> Syneren\u2019s proposal was 
ultimately rejected and it subsequently filed a protest of the Navy\u2019s decision.<a href=\"#_ftn73\">[73]<\/a>\u00a0 Syneren protested that the Navy should not have evaluated its proposal as unacceptable for its use of unaccredited software.<a href=\"#_ftn74\">[74]<\/a>\u00a0 In reference to its rejection, Syneren asserted that \u201cThere was no requirement for Syneren to address the accreditation process prior to award or to explain in its proposal how it would attain accreditation.\u201d<a href=\"#_ftn75\">[75]<\/a> The GAO ultimately rejected this argument and sided with the Navy.<a href=\"#_ftn76\">[76]<\/a>\u00a0 The decision explained \u201cbecause performance will occur in a government facility and involve DOD and Navy data, the solicitation provided that the contractor\u2019s system must comply with multiple cybersecurity requirements\u2026more importantly, that Syneren\u2019s proposal failed to address in any meaningful way how compliance would be achieved\u201d.<a href=\"#_ftn77\">[77]<\/a>\u00a0 The Navy concluded that \u201cSyneren\u2019s proposal failed to reflect an adequate understanding of both the time and costs associated with Syneren\u2019s successful contract performance, specifically including compliance with the solicitation\u2019s cybersecurity requirements.\u201d<a href=\"#_ftn78\">[78]<\/a>\u00a0 In short, Syneren was on notice of the Navy\u2019s cybersecurity requirements, and the Navy did not believe that Syneren fully understood what steps it needed to take to perform the work in the solicitation in order to remain compliant with the agency\u2019s cybersecurity requirements.<a href=\"#_ftn79\">[79]<\/a>\u00a0 It is likely that agencies will increasingly look to incorporate cybersecurity<a href=\"#_ftn80\">[80]<\/a> into their bidding process, and that those who fail to do so may be disqualified if they cannot meet the applicable qualifications.\n<\/p>\n<p>\n<em><u>IPKeys Tech.<\/u><\/em>\n<\/p>\n<p>\nAnother decision by the GAO 
highlights the use of cybersecurity as a technical evaluation factor.\u00a0 IPKeys Technologies, LLC, a small business, challenged the Defense Information Systems Agency\u2019s (DISA) evaluation of By Light Professional IT Services, Inc.\u2019s cybersecurity solution.<a href=\"#_ftn81\">[81]<\/a>\u00a0 By Light, also a small business, submitted a proposal which was higher-priced than that of IPKeys.<a href=\"#_ftn82\">[82]<\/a>\u00a0 The RFP was for \u201cengineering, transition, implementation, sustainment, and cybersecurity monitoring support services for DISA\u2019s Global Video Service (GVS).\u201d<a href=\"#_ftn83\">[83]<\/a>\n<\/p>\n<p>\n\u00a0The request only considered two evaluation factors, \u201c(1) technical\/management approach; and (2) cost\u201d, with the technical\/management approach to be more important than the cost, and cost to be evaluated for completeness, reasonableness, and realism.<a href=\"#_ftn84\">[84]<\/a>\u00a0 As to the technical\/management approach factor, it was to be evaluated by four equally weighted factors.<a href=\"#_ftn85\">[85]<\/a>\n<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>IMPROVING RISK MANAGEMENT IN DEPARTMENT OF DEFENSE GOVERNMENT CONTRACTING: ESTABLISHING A CYBER SECURITY GRANT PROGRAM I. Introduction II. Background: The Current Cybersecurity Regime A. A Framework for Risk Management: The DFARS and the NIST SP 800-171 B. Cybersecurity as an Evaluation Criteria: Syneren and IP Keys Tech III. Improving Small Business Cybersecurity \u00a0A. 
Potential Solutions [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5810],"tags":[2048,2871,6551,6297,6300,6292],"class_list":["post-70287","post","type-post","status-publish","format-standard","hentry","category-security","tag-assessment-task-assignment-help","tag-cheap-essay-writer-australia","tag-research-essay-help-uk","tag-science-homework-assignment-help","tag-write-my-essay-today-in-hours","tag-write-my-paper-online-assignment-paper-writing-service"],"_links":{"self":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/posts\/70287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/comments?post=70287"}],"version-history":[{"count":0,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/posts\/70287\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/media?parent=70287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/categories?post=70287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/tags?post=70287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}