Tech council blasts IT acquisition report

A group of tech industry heavy hitters says there are fundamental flaws in a GSA/Pentagon report on how to establish contractor cybersecurity baselines to protect government IT acquisitions.

In comments to the GSA, the Information Technology Industry Council and its Information Technology Alliance for Public Sector (ITAPS) division said while they supported the agency's effort to strengthen cybersecurity measures in federal technology goods and services procurement, they had problems with some of the plan's basics.

According to an April 30 blog post by ITAPS Senior Director, Homeland Security, Pamela Walker, the ITI and ITAPS told GSA that the agency's draft plan takes a product- and service-centric approach based on Product Service Codes (PSCs). PSCs are used in the Federal Procurement Data System to report government procurement transactions. The group called the approach "inadequate" because it did not include a judgment on the importance of the mission, or how and where a product would be used in a given project.

Using the codes, according to ITAPS, means the government would address cyber risk in federal acquisition based on perceived risks inherent to the product or service, ignoring how a given product would be used.

"This approach also fails to assess risks inherent in processes and practices that may be used by the government for acquisition, such as using the lowest-priced item if technical specifications are met," said Walker's post. "In short, the proposed approach does not support effective risk mitigation practices, and in fact, may actually increase the government’s cyber risks."

ITI's members include Dell, eBay, IBM, Intel, Microsoft and Oracle SAP.

GSA is looking for public input and stakeholder engagement on how to incorporate the protections as part of the White House's cybersecurity order.

The PSC-based approach assigns risks based on product groupings, incorrectly assuming risk is generated only in the product or service to be acquired, said the group. ITAPS listed a number of reasons why a product/service-centric approach wouldn't ease cyber risks to federal acquisition. For instance, it said the sheer number of products the government can use is vast, and product categories and diversity constantly change.

"Finally, a product and service-centric approach also would unfortunately send the wrong signal to other governments that the U.S. government believes cybersecurity, first and foremost, is based on products and services," Walker wrote.

The group recommended the government create a risk-based mission-focused process, where risk assessments occur at the front end of procurements.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.
