Cybersecurity

Tech council blasts IT acquisition report

broken lock

A group of tech industry heavy hitters says there are fundamental flaws in a GSA/Pentagon report on how to establish contractor cybersecurity baselines to protect government IT acquisitions.

In comments to the GSA, the Information Technology Industry Council and its Information Technology Alliance for Public Sector (ITAPS) division said while they supported the agency's effort to strengthen cybersecurity measures in federal technology goods and services procurement, they had problems with some of the plan's basics.

According to an April 30 blog post by ITAPS Senior Director, Homeland Security, Pamela Walker, the ITI and ITAPS told GSA that the agency's draft plan takes a product- and service-centric approach based on Product Service Codes (PSCs). PSCs are used in the Federal Procurement Data System to report government procurement transactions. The group called the approach "inadequate" because it did not include a judgment on the importance of the mission, or how  and where a product would be used in a given project.

Using the codes, according to ITAPS, means the government would address cyber risk in federal acquisition based on perceived risks inherent to the product or service, ignoring how a given product would be used.

"This approach also fails to assess risks inherent in processes and practices that may be used by the government for acquisition, such as using the lowest-priced item if technical specifications are met," said Walker's post. "In short, the proposed approach does not support effective risk mitigation practices, and in fact, may actually increase the government’s cyber risks."

ITI's members include Dell, eBay, IBM, Intel, Microsoft and Oracle SAP.

GSA is looking for public input and stakeholder engagement on how to incorporate the protections as part of the White House's cybersecurity order.

The PSC-based approach assigns risks based on product groupings, incorrectly assuming risk is generated only in the product or service to be acquired, said the group. ITAPS listed a number of reasons why product/ service-centric approach wouldn't ease cyber risks to federal acquisition. For instance, it said the sheer number of products the government can use is vast, and product categories and diversity constantly change.

"Finally, a product and service-centric approach also would unfortunately send the wrong signal to other governments that the U.S. government believes cybersecurity, first and foremost, is based on products and services," Walker wrote.

The group recommended the government create a risk-based mission-focused process, where risk assessments occur at the front end of procurements.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group