Tech council blasts IT acquisition report
- By Mark Rockwell
- Apr 30, 2014
A group of tech industry heavy hitters says there are fundamental flaws in a GSA/Pentagon report on how to establish contractor cybersecurity baselines to protect government IT acquisitions.
In comments to the GSA, the Information Technology Industry Council and its Information Technology Alliance for Public Sector (ITAPS) division said while they supported the agency's effort to strengthen cybersecurity measures in federal technology goods and services procurement, they had problems with some of the plan's basics.
According to an April 30 blog post by Pamela Walker, ITAPS senior director for homeland security, ITI and ITAPS told GSA that the agency's draft plan takes a product- and service-centric approach based on Product Service Codes (PSCs). PSCs are used in the Federal Procurement Data System to report government procurement transactions. The group called the approach "inadequate" because it does not include a judgment on the importance of the mission, or on how and where a product would be used in a given project.
Using the codes, according to ITAPS, means the government would address cyber risk in federal acquisition based on perceived risks inherent to the product or service, ignoring how a given product would be used.
"This approach also fails to assess risks inherent in processes and practices that may be used by the government for acquisition, such as using the lowest-priced item if technical specifications are met," said Walker's post. "In short, the proposed approach does not support effective risk mitigation practices, and in fact, may actually increase the government’s cyber risks."
ITI's members include Dell, eBay, IBM, Intel, Microsoft, Oracle and SAP.
GSA is looking for public input and stakeholder engagement on how to incorporate the protections as part of the White House's cybersecurity order.
The PSC-based approach assigns risk based on product groupings, incorrectly assuming that risk arises only from the product or service being acquired, the group said. ITAPS listed a number of reasons why a product/service-centric approach would not ease cyber risks to federal acquisition. For instance, it said the number of products the government can use is vast, and product categories and diversity change constantly.
"Finally, a product and service-centric approach also would unfortunately send the wrong signal to other governments that the U.S. government believes cybersecurity, first and foremost, is based on products and services," Walker wrote.
The group recommended the government create a risk-based mission-focused process, where risk assessments occur at the front end of procurements.
Mark Rockwell is a staff writer at FCW.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.