GSA seeks public comments on infrastructure protection

The General Services Administration has issued a request for information on the topic of making the federal government's cybersecurity more resilient.

The RFI, issued in partnership with a federal cybersecurity interagency working group, is "a key step to improving acquisition cybersecurity policy, implementation, and consistency to better manage risks and security," according to GSA's announcement.

It specifically pertains to an executive order and a presidential policy directive dealing with cybersecurity to protect the nation's critical infrastructure, such as power, transportation, health care and other sectors that are vital to the country's daily life. President Barack Obama issued the documents in February.

"Collaboration and cooperation allow government to deliver critical services to our federal partners and, most importantly, the American people," GSA Acting Administrator Dan Tangherlini said in the announcement. "The RFI is an important first step to a public/private partnership that will help secure our nation's infrastructure. Developing these cybersecurity procurement recommendations is a priority for GSA and the interagency working group."

The announcement comes on the heels of Capitol Hill testimonies from three top Homeland Security Department officials who on May 16 underscored current threats to critical infrastructure.

Charles Edwards, DHS deputy inspector general, told a House Homeland Security subcommittee that industrial control systems used in much of the nation's critical infrastructure is increasingly under attack. Edwards warned of dire consequences should the attacks continue to escalate, and noted five specific attacks on various parts of the energy sector, including oil and gas companies and power distribution companies.

"A recent survey revealed that a majority of the companies in the energy sector had experienced cyber attacks, and about 55 percent of these attacks targeted [industrial control systems," Edwards said in his testimony. "These attacks involved large-scale denial-of-service and network infiltrations. Successful attacks on ICS can give malicious users direct control of operational systems, creating the potential for large-scale power outages or man-made environmental disasters and cause physical damage, loss of life, and other cascading effects that could disrupt services."

Two other officials highlighted growing efforts to better share information between agencies, something the cybersecurity executive order specifically mentions.

"Successful response to dynamic cyber threats requires leveraging homeland security, law enforcement, and military authorities and capabilities, which respectively provide for domestic preparedness, criminal deterrence and investigation, and national defense," Roberta Stempfley, acting assistant secretary of the office of cybersecurity and communications in DHS' National Protection and Programs Directorate, and Larry Zelvin, director of DHS' National Cybersecurity and Communications Integration Center (NCIC), wrote in a joint testimony.

Stempfley and Zelvin outlined work at the NCIC as it ramps up activities in conjunction with the executive order, and also discussed the changing role of the government writ large in its approach to national cybersecurity.

"As today's physical and cyber infrastructures become increasingly linked, critical infrastructure and emergency response functions grow ever more inseparable from the information technology systems that support them," they noted. "The government's role in this effort is to share information and encourage enhanced security and resilience, while identifying and addressing gaps not filled by the marketplace."

To read the RFI and provide comments, click here to go to the Federal Register.