Feds plan hub for risk info on IT supply chain, contractors


WHAT: GSA is tapping industry to provide ideas on a due diligence solution for acquisitions personnel across government, to help guide buying decisions.

WHY: The government loves low, low prices when acquiring IT and services, but it does not love missed deadlines, poor performance, counterfeit parts and insecure systems. A new request for information put out by the General Services Administration seeks ideas on arming federal acquisitions personnel with tools to perform due diligence assessments of technology and services, as required under federal law and regulations. The plan is to develop a service to give government buyers a window into supply chain vulnerabilities, financial red flags, potential insider threats, and other factors that might cast doubt on a proposal for a federal IT contract.

"Federal buyers need better visibility into, and understanding of, how the products, services, and solutions they buy are developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products and services," according to the RFI.

There are existing protocols within government used to detect potential problems in IT systems. Technology acquisition at the departments of Justice and Commerce, along with NASA and the National Science Foundation, is governed by an appropriations policy rider in effect since fiscal 2013 that requires supply chain certification for systems deemed high-risk, including those manufactured by or including parts from firms linked to the Chinese government and military. The Department of Defense also maintains policy on supply-chain security. The GSA plan isn't meant to supplant or duplicate these policies, but instead looks to "establish a common set of risk indicators that can be used as the baseline for business due diligence research," per the RFI.

The capability sought by GSA extends to all "purchased items that connect in any way to a government information system and/or which contain, transmit, or process information provided by or generated for the government to support the operations and assets of a Federal agency," according to the RFI. Risk factors include the financial history and health of a contractor or subcontractor, information on company leadership, cybersecurity practices, foreign ownership or control, supply chain controls, historical performance on government contracts and compliance with government standards.

Click here to read the full RFI.

Posted by Adam Mazmanian on Dec 17, 2014 at 8:45 AM

