Feds plan hub for risk info on IT supply chain, contractors

The GSA plan isn't meant to supplant or duplicate existing policies, but to establish a common set of risk indicators for due diligence research.


WHAT: GSA is tapping industry to provide ideas on a due diligence solution for acquisitions personnel across government, to help guide buying decisions.

WHY: The government loves low, low prices when acquiring IT and services, but it does not love missed deadlines, poor performance, counterfeit parts and insecure systems. A new request for information put out by the General Services Administration seeks ideas on arming federal acquisitions personnel with tools to perform due diligence assessments of technology and services, as required under federal law and regulations. The plan is to develop a service to give government buyers a window into supply chain vulnerabilities, financial red flags, potential insider threats, and other factors that might cast doubt on a proposal for a federal IT contract.

"Federal buyers need better visibility into, and understanding of, how the products, services, and solutions they buy are developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products and services," according to the RFI.

There are existing protocols within government used to detect potential problems in IT systems. Technology acquisition at the departments of Justice and Commerce, along with NASA and the National Science Foundation, is governed by an appropriations policy rider in effect since fiscal 2013 that requires supply chain certification for systems deemed high-risk, including those manufactured by or including parts from firms linked to the Chinese government and military. The Department of Defense also maintains its own policy on supply-chain security. The GSA plan isn't meant to supplant or duplicate these policies, but instead looks to "establish a common set of risk indicators that can be used as the baseline for business due diligence research," per the RFI.

The capability sought by GSA extends to all "purchased items that connect in any way to a government information system and/or which contain, transmit, or process information provided by or generated for the government to support the operations and assets of a Federal agency," according to the RFI. Risk factors include the financial history and health of a contractor or subcontractor, information on company leadership, cybersecurity practices, foreign ownership or control, supply chain controls, historical performance on government contracts and compliance with government standards.
