The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for GSA

By

GSA could be vulnerable to security threats from ‘trusted insiders’

The General Services Administration needs to bolster its efforts to protect against insider threats from current and recently separated employees, a watchdog reported recently.

The GSA inspector general reviewed the agency’s processes to thwart harmful actions from “trusted insiders” to its personnel, facilities, operations and resources. GSA has about 12,000 employees throughout its central office, Federal Acquisition Service, Public Buildings Service, Office of Governmentwide Policy, 11 national staff offices, 11 regional offices and two independent offices. An October 2011 executive order and subsequent policy from November 2012 laid out requirements for agencies’ insider threat programs. In 2014, GSA established its own program (a two-person team that reports to the senior designated official who is the associate administrator of GSA’s Office of Mission Assurance) and in 2017 the National Insider Threat Task Force certified it met the minimum standards. However, the inspector general found some areas of concern since then.

“We found that GSA’s [insider threat program] does not consistently collaborate with other GSA staff offices to gather key threat information proactively and does not communicate insider threat risks and program challenges to the GSA administrator as required,” said the report.  “Instead, the [program] senior designated official has taken a reactive approach that leaves GSA susceptible to insider threats.”

Another issue was that after the National Insider Threat Task Force deemed GSA’s insider threat program was at full operational capacity in November 2017, GSA’s insider threat working group disbanded because staff thought it was no longer needed.  The group had members from the Office of Human Resources Management, Office of GSA IT, Office of the Chief Financial Officer and Office of Mission Assurance.

Keep reading this article at: https://www.govexec.com/oversight/2021/02/watchdog-says-gsas-insider-threats-program-needs-improvement/172147/

By

CMMC language is in GSA’s latest contracts, but requirements will be order-specific

Any new cybersecurity requirements the General Services Administration (GSA) asks of contractors will be introduced at the order — not the contract — level, according to the deputy assistant commissioner of IT acquisition.

While language from the Department of Defense‘s Cybersecurity Maturity Model Certification (CMMC) has been included in GSA‘s latest governmentwide acquisition contracts (GWACs), any application of its five levels will be order specific, Keith Nakasone, deputy assistant commissioner for acquisition in GSA’s Office of IT Category, said during a recent AFFIRM event.  (AFFIRM is the Association for Federal Information Resources Management.)

That way GSA can begin requiring contractors to prove their networks meet a certain maturity level while still ensuring agencies’ mission requirements are met.

“Not every single system is equal,” Nakasone said. “So we have to have the flexibility in the contracts to deliver the acquisition solutions.”

Keep reading this article at: https://www.fedscoop.com/cmmc-requirements-order-specific-gsa/

Also see: https://fcw.com/articles/2021/02/17/cmmc-gsa-gwacs-get-ready.aspx

By

GSA to verify identities of some SAM users after transition

New capabilities being added in May to beta.SAM.gov — the General Services Administration’s consolidated procurement website — will come with new, stringent security protocols requiring certain users to verify their accounts are connected to real-world people.

On May 24, the entity registration functions of SAM.gov will be moved over to beta.SAM.gov and the latter will lose the “beta” and become the one and only SAM.gov. At that time, GSA plans to institute new security measures for entity registration — voluntary at first but mandatory come October.

As GSA consolidates all of its procurement tools into a single site, the agency has been incorporating Login.gov as the single sign-on for all of these capabilities. When the System for Award Management, or SAM, registration functions are ported over, the system will take advantage of Login’s identity proofing capability for an added layer of security.

The identity proofing — verifying that an online account is connected to a specific, real person — will be for users who manage organizations’ SAM registration, which includes the unique identifier used to reference entities receiving federal contracts and grants and all the identifiable information about that organization.

Keep reading this article at: https://www.nextgov.com/cio-briefing/2021/02/gsa-verify-identities-some-sam-users-after-transition/172216/

By

GSA’s central procurement hub — SAM — will keep the ‘beta’ a little longer

Users will get a preview in April of the new SAM.gov — a central, one-stop website for all of the General Services Administration’s acquisition tools — but will have to wait a bit longer to access the full capabilities of the current SAM.gov.

Since 2017, GSA’s Integrated Award Environment has been operating two websites with the SAM moniker: the original SAM.gov, where companies and organizations register before vying for federal contracts and grants, and beta.SAM.gov, soon to be the central procurement website. Beta.SAM will ultimately consolidate 10 acquisition tools, and already includes Contract Opportunities — formerly Federal Business Opportunities, better known as FedBizOpps or FBO — and the reporting functions of the Federal Procurement Data System, or FPDS, which now reside on the Data Bank page.

The next major transition will be moving functionality from the current SAM.gov to beta.SAM, shuttering the former and dropping the “beta” from the latter.  GSA officials had planned to finalize the transition before the end of April but have since revised that timeline.

Keep reading this article at: https://www.nextgov.com/cio-briefing/2021/02/gsas-central-procurement-hub-will-keep-beta-little-longer/171951/

By

GSA introduces vendor risk assessment program in draft solicitation

The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain. 

Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors.”  It would use classified and unclassified sources.

GSA said once the tool it’s developing—referred to as the Vendor Risk Assessment Program — is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.”

The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems.  And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-introduces-vendor-risk-assessment-program-draft-solicitation/171289/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter