GSA seeks encryption deal

The Office of Management and Budget issued a memo in June 2006 requiring agencies to encrypt data on mobile devices. But many agencies have not acted because they are undecided about what technologies to buy and which vendors to buy from.Those decisions could soon become easier. General Services Administration and Defense Department officials say they now have a process for prescreening encryption vendors to ensure that their software will meet agencies’ needs. And they expect to have a governmentwide contract for encryption software in place by summer.GSA and DOD have issued a request for quotations to vendors on the GSA schedule that offer data-at-rest encryption software for a variety of hardware and software platforms. Officials from GSA’s SmartBuy program and DOD’s Enterprise Software Initiative are spearheading the procurement.“It is the first time a co-branded ESI/SmartBuy agreement will be established using competitive procedures with technical requirements provided by a joint DOD/federal civilian team,” said Maj. Patrick Ryder, a DOD spokesman. Several events led to the encryption initiative, including numerous cases involving the loss of mobile computing devices and removable media containing sensitive-but-unclassified information. OMB’s memo gave agencies 45 days to comply with the new mandatory encryption policy, and officials quickly recognized that a governmentwide contract for procuring the software would benefit most agencies. But for more than a year, DOD, OMB and GSA discussed how to develop a solicitation, according to officials familiar with the process. Most of the discussions centered on which cryptography standard the solicitation should cite: the National Institute of Standards and Technology’s Federal Information Processing Standard 140-2 or the National Security Agency’s encryption standard — or both.Tom Kireilis, SmartBuy program director, said owners of classified applications pushed for the stronger NSA standard. However, OMB finally decided to require only FIPS 140-2, according to the solicitation.“This [blanket purchase agreement] will further decrease costs, reduce paperwork and save time by eliminating the need for repetitive, individual purchases from the schedule contract,” the RFQ states. It also states that GSA and OMB intend to issue regulations to make the BPA a mandatory source for federal agencies. The RFQ lists 103 requirements, of which 40 are critical. The software must work with the public-key infrastructure components of DOD’s Common Access Card and the Personal Identity Verification card required by Homeland Security Presidential Directive 12. The software must be capable of automatically encrypting data that is transferred to removable storage media without user intervention or circumvention. It also must encrypt data on personal digital assistants, smart phones and similar devices. The solicitation seeks software that can run on 12 operating systems or platforms, including four versions of Microsoft Windows, Unix, Mac OS X, Palm, Red Hat Linux and Novell’s SUSE Linux.The RFQ “will give agencies technologies that meet stringent policies and certifications,” said Nate Niederkohr, federal sales manager for SafeBoot, an information security company.However, some industry experts said the RFQ’s two-week response time is too short. Others said the requirement that each bidder must offer all needed services could exclude many vendors.“The RFQ is broad, so some encryption-product vendors can’t reply to it on their own,” said Phil Kiviat, a partner at consulting firm Guerra Kiviat. “Industry thought they would be able to bid by function. Now they will have to go through resellers. That could make nominal competitors use the same reseller and agencies go to different resellers to buy the functional capabilities they want.”The Government Accountability Office has started evaluating federal agencies’ use of data encryption and other access-control technologies. Under a request by Reps. Bennie Thompson (D-Miss.), chairman of the Homeland Security Committee, and Zoe Lofgren (D-Calif.), GAO will survey the largest federal agencies, academic institutions and other organizations.GAO has no fixed date to complete the study, but it expects to finish it later this year, said Greg Wilshusen, the agency’s director of information security issues.Thompson and Lofgren requested the study after GAO officials testified during a June hearing about federal efforts to protect personal information.