Tech council blasts IT acquisition report

A group of tech industry heavy hitters says there are fundamental flaws in a GSA/Pentagon report on how to establish contractor cybersecurity baselines to protect government IT acquisitions.

In comments to the GSA, the Information Technology Industry Council and its Information Technology Alliance for Public Sector (ITAPS) division said while they supported the agency's effort to strengthen cybersecurity measures in federal technology goods and services procurement, they had problems with some of the plan's basics.

According to an April 30 blog post by ITAPS Senior Director, Homeland Security, Pamela Walker, the ITI and ITAPS told GSA that the agency's draft plan takes a product- and service-centric approach based on Product Service Codes (PSCs). PSCs are used in the Federal Procurement Data System to report government procurement transactions. The group called the approach "inadequate" because it did not include a judgment on the importance of the mission, or how and where a product would be used in a given project.

Using the codes, according to ITAPS, means the government would address cyber risk in federal acquisition based on perceived risks inherent to the product or service, ignoring how a given product would be used.

"This approach also fails to assess risks inherent in processes and practices that may be used by the government for acquisition, such as using the lowest-priced item if technical specifications are met," said Walker's post. "In short, the proposed approach does not support effective risk mitigation practices, and in fact, may actually increase the government’s cyber risks."

ITI's members include Dell, eBay, IBM, Intel, Microsoft and Oracle SAP.

GSA is looking for public input and stakeholder engagement on how to incorporate the protections as part of the White House's cybersecurity order.

The PSC-based approach assigns risks based on product groupings, incorrectly assuming risk is generated only in the product or service to be acquired, said the group. ITAPS listed a number of reasons why a product/service-centric approach wouldn't ease cyber risks to federal acquisition. For instance, it said the sheer number of products the government can use is vast, and product categories and diversity constantly change.

"Finally, a product and service-centric approach also would unfortunately send the wrong signal to other governments that the U.S. government believes cybersecurity, first and foremost, is based on products and services," Walker wrote.

The group recommended the government create a risk-based mission-focused process, where risk assessments occur at the front end of procurements.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.
