GSA seeks encryption deal

RFQ specifies broad encryption offering to prevent future data privacy breaches

OMB emphasizes data security guidance

The Office of Management and Budget issued a memo in June 2006 requiring agencies to encrypt data on mobile devices. But many agencies have not acted because they are undecided about what technologies to buy and which vendors to buy from.

Those decisions could soon become easier. General Services Administration and Defense Department officials say they now have a process for prescreening encryption vendors to ensure that their software will meet agencies’ needs. And they expect to have a governmentwide contract for encryption software in place by summer.

GSA and DOD have issued a request for quotations to vendors on the GSA schedule that offer data-at-rest encryption software for a variety of hardware and software platforms. Officials from GSA’s SmartBuy program and DOD’s Enterprise Software Initiative are spearheading the procurement.

“It is the first time a co-branded ESI/SmartBuy agreement will be established using competitive procedures with technical requirements provided by a joint DOD/federal civilian team,” said Maj. Patrick Ryder, a DOD spokesman.

Several events led to the encryption initiative, including numerous cases involving the loss of mobile computing devices and removable media containing sensitive-but-unclassified information. OMB’s memo gave agencies 45 days to comply with the new mandatory encryption policy, and officials quickly recognized that a governmentwide contract for procuring the software would benefit most agencies.

But for more than a year, DOD, OMB and GSA discussed how to develop a solicitation, according to officials familiar with the process. Most of the discussions centered on which cryptography standard the solicitation should cite: the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 or the National Security Agency’s encryption standard — or both.

Tom Kireilis, SmartBuy program director, said owners of classified applications pushed for the stronger NSA standard. However, OMB finally decided to require only FIPS 140-2, according to the solicitation.

“This [blanket purchase agreement] will further decrease costs, reduce paperwork and save time by eliminating the need for repetitive, individual purchases from the schedule contract,” the RFQ states. It also states that GSA and OMB intend to issue regulations to make the BPA a mandatory source for federal agencies.

The RFQ lists 103 requirements, of which 40 are critical. The software must work with the public-key infrastructure components of DOD’s Common Access Card and the Personal Identity Verification card required by Homeland Security Presidential Directive 12. The software must be capable of automatically encrypting data that is transferred to removable storage media without user intervention or circumvention. It also must encrypt data on personal digital assistants, smart phones and similar devices.

The solicitation seeks software that can run on 12 operating systems or platforms, including four versions of Microsoft Windows, Unix, Mac OS X, Palm, Red Hat Linux and Novell’s SUSE Linux.

The RFQ “will give agencies technologies that meet stringent policies and certifications,” said Nate Niederkohr, federal sales manager for SafeBoot, an information security company.

However, some industry experts said the RFQ’s two-week response time is too short. Others said the requirement that each bidder must offer all needed services could exclude many vendors.

“The RFQ is broad, so some encryption-product vendors can’t reply to it on their own,” said Phil Kiviat, a partner at consulting firm Guerra Kiviat. “Industry thought they would be able to bid by function. Now they will have to go through resellers. That could make nominal competitors use the same reseller and agencies go to different resellers to buy the functional capabilities they want.”

**********

GAO examines the use of encryptionThe Government Accountability Office has started evaluating federal agencies’ use of data encryption and other access-control technologies. Under a request by Reps. Bennie Thompson (D-Miss.), chairman of the Homeland Security Committee, and Zoe Lofgren (D-Calif.), GAO will survey the largest federal agencies, academic institutions and other organizations.

GAO has no fixed date to complete the study, but it expects to finish it later this year, said Greg Wilshusen, the agency’s director of information security issues.

Thompson and Lofgren requested the study after GAO officials testified during a June hearing about federal efforts to protect personal information.

— Jason Miller

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.