The General Services Administration has launched a full review of its key online procurement system, after discovering a security vulnerability that may have exposed users’ sensitive data.
The security flaw was reported to GSA on March 8, and the agency has since issued a software patch on the system and is investigating potential impacts to vendors registered in GSA’s System for Award Management (SAM).
“When we got the word that this might be the case, we got right on it,” GSA Acting Administrator Dan Tangherlini told reporters Tuesday following a congressional hearing. “And there is nothing that we won’t do, there’s no step we’re not going to take to ensure the safety and the security of people’s data within that system.”
Tangherlini said GSA is testing changes to the system and will continue to keep users informed. “I am incredibly concerned about it, and the good news is that everyone in the organization is incredibly concerned,” he said of the system’s known security flaw.
The vulnerability could have compromised sensitive information, including Social Security numbers, of individuals registered in the system, according to GSA.gov. Contractors that use Social Security numbers instead of taxpayer identification numbers could be at greater risk, and those individuals will receive credit monitoring.
The vision for the SAM system is to serve as a single access point for nine procurement systems, but GSA has yet to accomplish that goal. To date, the SAM system includes four of the nine systems and provides access to contractors’ business information, the certifications they need to receive federal contracts and grants, and a record of which contractors have been suspended and debarred.
In 2008, GSA began consolidating its systems in an effort to reduce costs, eliminate redundancies and improve efficiency.
A March 2012 Government Accountability Office report found that “while GSA has taken some steps to reduce costs, it has not reevaluated the business case for SAM or determined whether it is the most cost-effective alternative.”
The Federal Acquisition Service and Office of the Chief Information Officer are now providing program oversight, following an internal review of all GSA operations last year. Tangherlini has also called for the development, reporting and monitoring of key metrics for the SAM project.
The House Oversight and Government Reform Committee will vote on legislation Wednesday to overhaul how agencies buy and manage information technology.
Rep. Darrell Issa, R-Calif., introduced the Federal Information Technology Acquisition Act on Monday after months of circulating the draft bill to industry groups for feedback.
Rep. Gerry Connolly, D-Va., has expressed general support for the bill, which has since undergone revisions to address concerns voiced by industry and others.
Under Issa’s new plan:
- CIOs at 16 major civilian agencies, including the Veterans Affairs and Agriculture departments, must be presidential appointees or designees and report directly to the head of their agency. Today, most CIOs at large agencies are political appointees, but not all of them report to the head of their agencies.
- The Government Accountability Office would review the effectiveness of the CIO Council, an interagency forum charged with improving federal IT practices. The council must also submit annual reports to Congress on its progress.
- CIOs would track and report the costs and savings under the administration’s data center consolidation initiative.
- The Office of Management and Budget would house a Collaboration Center, aimed at assisting agencies with challenging IT projects. In the previous draft, agencies would have been required to consult with experts at a so-called commodity IT center for contracts exceeding $50 million. Use of newly created acquisition centers of excellence would be optional.
- OMB must publish the status of 80 percent of the government’s $80 billion IT portfolio on the Dashboard, and OMB must ensure data is current and accurate. Today, only 50 percent of the IT budget is publicly available on the Dashboard.
- CIOs would have greater flexibility to fund cloud projects through cloud service working capital funds at their agencies.
Federal officials are working to streamline the government’s security program for cloud products and services.
A critical part of the Federal Risk and Authorization Management Program (FedRAMP) mandates that cloud vendors hire a third-party organization to verify they meet federal security requirements. Today, the General Services Administration and the National Institute of Standards and Technology must first approve those third-party organizations, or 3PAOs. Then there’s the task of monitoring the performance of the 3PAOs and recommending whether to renew or revoke their status.
In a request for information to industry, GSA asked for input on how to privatize the accreditation process for 3PAOs. As FedRAMP evolves into a fully operational program within the next month or two, GSA is identifying ways to scale the program and get more cloud contractors through the FedRAMP process.
To date, there are 16 companies designated as approved 3PAOs, but that number is expected to increase. Only two vendors have completed the FedRAMP process.
GSA wants to contract with a privatized board to accredit 3PAOs, based on program standards. GSA wants industry to comment on the evaluation process for 3PAOs and how long those companies should have to comply with new accreditation standards. Those responses are due Feb. 26.
Roger Baker, the Veterans Affairs Department’s chief information officer, told employees Friday he will resign, the department confirmed.
In a message to IT staff, Baker did not say when his last day will be and offered no explanation about his resignation. The DorobekINSIDER hinted that Baker may leave as soon as March 1.
Here’s some of what Baker told employees:
I would like to thank each of you for your hard work and dedication in serving our VA customers and our Nation’s Veterans. Over the last four years, VA IT has come to be recognized as a leader in federal IT. We have improved our relationships with our IT customers; established one of the highest performing product delivery organizations in the world; achieved visibility to our networks and medical devices; focused our decision-making based on metrics and not by anecdotes; and become an IT organization that is seen as an investment for the VA rather than an expense.
Most critically, VA IT has become the backbone for the transformation of the VA into a 21st Century organization that the Secretary has envisioned. Your ability to deliver the technology necessary to support that transformation and to reliably meet our commitments to our customers is fundamental to that transformation.
Under Baker’s watch, VA instituted a program that drastically improved the number of IT projects delivered on schedule.
Baker also has a senior role in VA’s partnership with the Defense Department to integrate their electronic health record systems. That project recently came under fire from lawmakers, who criticized the departments’ decision to revise plans to create a single electronic health record system.
Tags: Roger Baker
President Barack Obama will issue an executive order Wednesday aimed at tightening the nation’s cybersecurity.
Senior administration officials, including White House Cybersecurity Coordinator Michael Daniel and Army Gen. Keith Alexander, head of U.S. Cyber Command, will provide details on cyber policy Wednesday morning at the Commerce Department. Officials will provide an update on cybersecurity priorities for 2013, including information sharing and reducing cyber risks, Commerce announced Tuesday.
The executive order is said to include provisions that will establish voluntary cybersecurity standards for critical infrastructure sectors, such as transportation and energy, where federal regulators have authority to enforce those standards. However, the order could not provide liability protections for companies that follow those standards but are attacked.
The order is also expected to direct agencies to share cyber threat information with companies operating critical infrastructure.
Lawmakers failed last year to pass comprehensive cybersecurity legislation, but Rep. Mike Rogers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, and Rep. Dutch Ruppersberger, D-Md., plan to reintroduce cyber legislation Wednesday.
The Cyber Intelligence Sharing and Protection Act (CISPA), HR 624, would allow the government and industry to voluntarily share information about malicious attacks and viruses. Companies that share information under the bill’s provisions or protect their networks would be granted legal protections if they’re subject to a cyber attack. The bill passed the House in April.
Agencies are anxiously awaiting governmentwide standards for securing smartphones and tablet computers.
Come May, they will have a checklist of security standards to use, organized by the sensitivity of the data employees share or access on mobile devices and by whom that data is shared with, whether another federal agency or citizens.
Federal officials working on the project refer to the guidelines as a playbook or list of security standards that agencies should consider when using mobile devices. The playbook will include five common ways that most agencies use mobile devices and provide recommendations for securing devices in those environments, said Margie Graves, deputy chief information officer at the Department of Homeland Security.
Graves, who spoke at a mobile security event Thursday, is working with the National Institute of Standards and Technology, the Defense Department and the Justice Department to develop the playbook.
The security standards are based on revised NIST standards released Tuesday for final comment. Ron Ross, a senior computer scientist and information security researcher at NIST, said the final document is expected in April.
While many of the existing NIST standards can be applied to mobile devices, some may not be applicable, Ross said. For example, one NIST security standard recommends agencies disable or restrict unnecessary functions or services that their information systems may provide. For mobile devices, that may mean restricting what applications employees can download or disabling mobile capabilities that aren’t needed for work and could be a security risk.
DHS’ Graves described the playbook as an itemized checklist of security standards categorized by use case. However, she wouldn’t provide details on the use cases. DHS CIO Richard Spires has said these standards will help agencies in developing bring-your-own-device programs, where employees are able to use their personal devices for work.
How agencies implement or tailor security standards to meet their needs will vary, Graves said. For instance, the intelligence community, law enforcement agencies and DoD may use similar use cases for mobile, while DHS’ Federal Emergency Management Agency would need to use mobile devices to communicate with the public during a natural disaster.
Some guidance will be released in March on how agencies can best secure mobile devices used for communicating with other agencies. The entire playbook, however, will not be released until May.
CGI Federal this month became the second vendor to complete a new security review process for all federal cloud products and services.
The Virginia-based company already provides cloud computing services for several agencies, including the Department of Homeland Security, the General Services Administration and the Environmental Protection Agency.
The Federal Risk and Authorization Management Program (FedRAMP) was launched in June to standardize security reviews of commercial cloud products and is housed within GSA.
North Carolina-based Autonomic Resources was the first company to receive what’s called a provisional authority to operate from FedRAMP’s joint board of CIOs. The provisional ATO attests that a vendor’s cloud services not only meet federal baseline standards, but also are secure enough for use by DHS, DOD and GSA.
GSA has not said how many cloud vendors will be certified through FedRAMP this year, but as of last month more than 80 companies were awaiting security reviews.
The Department of the Navy will not award a contract next month for its Next Generation Enterprise Network as planned.
Navy officials had originally planned to award one or two contracts by Feb. 12 to develop the massive private network, known as NGEN, but the award date has been pushed back to May 2013.
“Due to the complexities of the NGEN requirements, we are changing our contract award estimate in order to ensure a complete and thorough review of offerors’ bids,” Ed Austin, spokesman for the Program Executive Office for Enterprise Information Systems, said in a statement.
Three companies have already announced their intent to bid on the NGEN contract: HP; Computer Sciences Corp.; and its partner, Harris Corp.
So far, the continuing resolution and looming threat of automatic sequestration budget cuts have not impacted NGEN’s contract award schedule, the Navy said Thursday. But that could change in the future.
NGEN will replace the Navy-Marine Corps Intranet (NMCI), a contractor-owned network serving more than 700,000 Navy and Marine Corps personnel.