The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cyberthreat

By

GSA could be vulnerable to security threats from ‘trusted insiders’

The General Services Administration needs to bolster its efforts to protect against insider threats from current and recently separated employees, a watchdog reported recently.

The GSA inspector general reviewed the agency’s processes to thwart harmful actions from “trusted insiders” to its personnel, facilities, operations and resources. GSA has about 12,000 employees throughout its central office, Federal Acquisition Service, Public Buildings Service, Office of Governmentwide Policy, 11 national staff offices, 11 regional offices and two independent offices. An October 2011 executive order and subsequent policy from November 2012 laid out requirements for agencies’ insider threat programs. In 2014, GSA established its own program (a two-person team that reports to the senior designated official who is the associate administrator of GSA’s Office of Mission Assurance) and in 2017 the National Insider Threat Task Force certified it met the minimum standards. However, the inspector general found some areas of concern since then.

“We found that GSA’s [insider threat program] does not consistently collaborate with other GSA staff offices to gather key threat information proactively and does not communicate insider threat risks and program challenges to the GSA administrator as required,” said the report.  “Instead, the [program] senior designated official has taken a reactive approach that leaves GSA susceptible to insider threats.”

Another issue was that after the National Insider Threat Task Force deemed GSA’s insider threat program was at full operational capacity in November 2017, GSA’s insider threat working group disbanded because staff thought it was no longer needed.  The group had members from the Office of Human Resources Management, Office of GSA IT, Office of the Chief Financial Officer and Office of Mission Assurance.

Keep reading this article at: https://www.govexec.com/oversight/2021/02/watchdog-says-gsas-insider-threats-program-needs-improvement/172147/

By

GSA introduces vendor risk assessment program in draft solicitation

The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain. 

Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors.”  It would use classified and unclassified sources.

GSA said once the tool it’s developing—referred to as the Vendor Risk Assessment Program — is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.”

The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems.  And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-introduces-vendor-risk-assessment-program-draft-solicitation/171289/

By

GSA to remove almost all drones from contract offerings over China concerns

By Feb. 1, all but five unmanned aerial vehicles will be removed from the General Services Administration’s offerings.

The General Services Administration — the federal government’s central buyer — will no longer include drones in its suite of offerings, except those previously approved by a small innovation unit inside the Defense Department.

Citing the threat of Chinese manufacturers, GSA officials announced Tuesday the agency will be canceling contracts offering drones from all but five suppliers on the Multiple Award Schedules, the set of pre-vetted contracts that offer everything from paper clips to helicopters to data centers.

“GSA is removing all identified drones that are not approved through the [Defense Innovation Unit’s] Blue sUAS program from MAS contracts,” a GSA spokesperson told Nextgov. “Affected vendors will be notified by their contracting officer and only the identified drones will be removed from their MAS contract.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-remove-almost-all-drones-contract-offerings-over-china-concerns/171352/

By

Comments on government supply chain rule push for better definitions and more time

Industry groups and other comments highlight the difficulty of complying with a provision of last year’s defense authorization act that requires the removal of products from companies including Huawei and ZTE. 

The broad, ambiguous language of Congressionally-mandated rule for government contractors to remove products and services from companies that pose threats to national security is complicating implementation, according to public comments.

The comment period for the interim Federal Acquisition Rule implementing Part B of Section 889 — a provision of the 2019 National Defense Authorization Act — closed last week, and the more than 30 comments submitted raise questions related to fundamental compliance issues.

While in general, commenters agree with the rule’s intent, groups representing industry, including the National Defense Industrial Association, BSA | The Software Alliance, the Coalition for Government Procurement and the Internet Association submitted detailed letters to Regulations.gov outlining compliance challenges.  Nearly all asked for extended timelines for implementation and better definitions for key terms and phrases used in the regulation.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/09/comments-government-supply-chain-rule-push-better-definitions-and-more-time/168460/

By

Agencies faced 31,000 cyber incidents last year, but gave up no major breaches

The total number of incidents the government experienced last year dropped 12% from 2017, according to the Office of Management and Budget.

Federal agencies didn’t experience a single “major” cybersecurity incident in 2018, marking the first time in three years the government avoided such a severe digital incursion, according to a recent White House report.

Not one of the more than 31,000 cybersecurity incidents that agencies faced last year reached the “major incident” threshold, which is defined as an event that affects more than 100,000 individuals or otherwise causes “demonstrable harm” to the U.S, according to the Office of Management and Budget. The government fell victim to five major incidents in 2017 and 16 in 2016.

Overall, the total number of cyber events the government experienced dropped 12% from 2017, OMB officials told Congress in their annual report on the Federal Information Security Management Act.

While OMB called this downward trend “encouraging,” they warned that agencies shouldn’t let down their guard. Phishing and other email-based attacks remain a popular strategy for online bad actors, and the government is still struggling to attribute and label the thousands of attacks every year, officials said.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/08/agencies-faced-31000-cyber-incidents-last-year-gave-no-major-breaches/159290/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter