Feds plan hub for risk info on IT supply chain, contractors


WHAT: GSA is tapping industry to provide ideas on a due diligence solution for acquisitions personnel across government, to help guide buying decisions.

WHY: The government loves low, low prices when acquiring IT and services, but it does not love missed deadlines, poor performance, counterfeit parts and insecure systems. A new request for information put out by the General Services Administration seeks ideas on arming federal acquisitions personnel with tools to perform due diligence assessments of technology and services, as required under federal law and regulations. The plan is to develop a service to give government buyers a window into supply chain vulnerabilities, financial red flags, potential insider threats, and other factors that might cast doubt on a proposal for a federal IT contract.

"Federal buyers need better visibility into, and understanding of, how the products, services, and solutions they buy are developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products and services," according to the RFI.

There are existing protocols within government used to detect potential problems in IT systems. Technology acquisition at the departments of Justice and Commerce, along with NASA and the National Science Foundation, is governed by an appropriations policy rider in effect since fiscal 2013 that requires supply chain certification for systems deemed high-risk, including those manufactured by or including parts from firms linked to the Chinese government and military. The Department of Defense also maintains its own policy on supply-chain security. The GSA plan isn't meant to supplant or duplicate these policies, but instead looks to "establish a common set of risk indicators that can be used as the baseline for business due diligence research," per the RFI.

The capability sought by GSA extends to all "purchased items that connect in any way to a government information system and/or which contain, transmit, or process information provided by or generated for the government to support the operations and assets of a Federal agency," according to the RFI. Risk factors include the financial history and health of a contractor or subcontractor, information on company leadership, cybersecurity practices, foreign ownership or control, supply chain controls, historical performance on government contracts and compliance with government standards.


Posted by Adam Mazmanian on Dec 17, 2014 at 8:45 AM