GSA's product- and service-centric approach ignores how those products and services would be used, argues the Information Technology Industry Council.
A group of tech industry heavy hitters says there are fundamental flaws in a GSA/Pentagon report on how to establish contractor cybersecurity baselines to protect government IT acquisitions.
In comments to the GSA, the Information Technology Industry Council and its Information Technology Alliance for Public Sector (ITAPS) division said while they supported the agency's effort to strengthen cybersecurity measures in federal technology goods and services procurement, they had problems with some of the plan's basics.
According to an April 30 blog post by ITAPS Senior Director, Homeland Security, Pamela Walker, the ITI and ITAPS told GSA that the agency's draft plan takes a product- and service-centric approach based on Product Service Codes (PSCs). PSCs are used in the Federal Procurement Data System to report government procurement transactions. The group called the approach "inadequate" because it did not include a judgment on the importance of the mission, or how and where a product would be used in a given project.
Using the codes, according to ITAPS, means the government would address cyber risk in federal acquisition based on perceived risks inherent to the product or service, ignoring how a given product would be used.
"This approach also fails to assess risks inherent in processes and practices that may be used by the government for acquisition, such as using the lowest-priced item if technical specifications are met," said Walker's post. "In short, the proposed approach does not support effective risk mitigation practices, and in fact, may actually increase the government’s cyber risks."
ITI's members include Dell, eBay, IBM, Intel, Microsoft and Oracle SAP.
GSA is looking for public input and stakeholder engagement on how to incorporate the protections as part of the White House's cybersecurity order.
The PSC-based approach assigns risks based on product groupings, incorrectly assuming risk is generated only in the product or service to be acquired, said the group. ITAPS listed a number of reasons why product/ service-centric approach wouldn't ease cyber risks to federal acquisition. For instance, it said the sheer number of products the government can use is vast, and product categories and diversity constantly change.
"Finally, a product and service-centric approach also would unfortunately send the wrong signal to other governments that the U.S. government believes cybersecurity, first and foremost, is based on products and services," Walker wrote.
The group recommended the government create a risk-based mission-focused process, where risk assessments occur at the front end of procurements.