Government buys bulk encryption

The General Services Administration’s SmartBuy award for securing stored data could provide more value to federal agencies than the potential savings expected from the governmentwide buy. The award, to be officially announced Monday, will provide standard encryption products for federal agencies and state and local governments, which could significantly improve government data security, security experts say.

GSA and the Defense Department expect to sign purchase agreements with 11 company teams under a SmartBuy governmentwide enterprise license contract for data encryption products, said John Johnson, assistant commissioner of integrated technology services at GSA’s Federal Acquisition Service. Each of the teams offer mobile data security products, including capabilities for encrypting laptop PC hard drives, flash drives and personal digital assistants. Tom Kireilis, acting director of GSA’s Strategic Solutions Division, said company teams may offer additional services, technologies or capabilities that meet agencies’ unique needs.

“These are blanket purchase agreements that are written against GSA schedule prices that have been negotiated way lower,” Kireilis said. Agencies can begin purchasing products and services off the contracts immediately.

The SmartBuy program lets the federal government use its buying power to achieve cost savings and best value for commercial software, while improving security and configuration management governmentwide, Kireilis said.

The SmartBuy BPAs also support the Office of Management and Budget’s directive that agencies encrypt data on mobile devices. OMB issued that directive after the theft of a Veterans Affairs Department laptop PC last year from the home of a VA employee. The PC and a mobile hard drive taken from the home contained the personal data of 26 million veterans and active-duty service members.

The ground-breaking aspect of the encryption SmartBuy is its availability to state and local governments, said Karen Evans, OMB’s administrator for IT and e-government. “This is exactly what Congress had intended when they gave us those authorities in the E-government Act.”

States will get a better deal than they could on their own by making use of the federal government’s purchasing muscle, said David Wennergren, DOD’s deputy chief information officer.
“They’ll be able to buy products that they know are good because a lot of rigor has gone into the process on their behalf by experts in the field across DOD and federal agencies,” Wennergren said.

The state and local component of the Smart Buy contract grew out of activities that DOD conducted through the Multi-State Information Sharing and Analysis Center, a group formed during the Clinton administration. Providing data security for state and local governments is often daunting because the governments don’t have the resources or the buying power or don’t realize they need encryption, said Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure. He also leads the Multi-State ISAC, whose members include all the states. The group has agreed to common protocols for incident reporting and other cybersecurity measures.

“SmartBuy has made this incredibly easy for state and local governments to move from a point of vulnerability and it’s probably pure luck that they haven’t been hit to one of a better state of security,” Pelgrin said. He is considering organizing group buys through ISAC using the SmartBuy encryption contract.