(This blog post is part of a multi-week series reviewing data and trends from GSA’s IT acquisition vehicles for FY15. Read previous posts at http://gsablogs.gsa.gov/technology/)
As many are aware, the Office of Management and Budget (OMB) is putting in place tactical and strategic cybersecurity measures in response to threats and events including the recent Office of Personnel Management (OPM) breach. The General Services Administration (GSA) Office of Integrated Technology Services (ITS) is active in this response. In FY15, GSA ITS continued to support government efforts to improve cybersecurity by developing and improving upon the following initiatives:
Supply Chain Risk Management (SCRM)
This initiative supports the IT Security Category Management Plan to establish a Supply Chain Risk Management capability to:
- Develop FAS ITS Cybersecurity SCRM guidance and controls;
- Conduct contract reviews of IT Schedule 70 vendors;
- Manage incidents within FAS ITS contracts;
- Establish and maintain contact with both internal GSA stakeholders and external agencies on cyber incidents; and
- Maintain awareness of government-wide supply chain policy/trends.
The implementation of a SCRM capability will give customers confidence that our IT products come from original equipment manufacturers, their authorized resellers, or other “trusted” sources. A policy of buying IT products from trusted sources supports a customer’s ability to strengthen their IT security posture.
Cybersecurity Strategy and Implementation Plan (CSIP)
The CSIP directs GSA, in coordination with OMB and DHS, to research contract vehicle options and develop a capability to deploy incident response services that can quickly be leveraged by federal agencies, on a reimbursable basis. ITS is currently working across GSA and with OMB and DHS to do this in accordance with the timeline established by OMB.
Cybersecurity and Information Assurance (CyberIA) Project
As part of the Federal Acquisition Service (FAS) Category Management Initiative, the Office of Integrated Technology Services (ITS) initiated the Cybersecurity/Information Assurance (CyberIA) Project. The scope of the project is to categorize CyberIA products and services based on the NIST “Framework for Improving Critical Infrastructure Cybersecurity”, which aligns with Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity” and OMB M-16-04 “Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government”. It will also allow federal agencies to more easily identify CyberIA products and services, and offer better access to support market research, acquisition planning, and category management.
GSA’s USAccess program supports improving government cybersecurity by providing over 100 civilian agencies with credentialing solutions: a vital nationwide, economical, secure, shared service facilitating identity credential issuance, maintenance, and lifecycle management. These identity credentials are used to control access to federal information and facilities. The program currently manages over 600,000 active credentials and has been able to significantly reduce the cost of credentialing for customer agencies of all sizes through the shared service platform.
Federal Public-Key Infrastructure (FPKI)
The Federal Public-Key Infrastructure Management Authority (FPKIMA) enables the best and most cost-effective identity management practices for secure physical and logical access, document sharing and communication across the federal government and with the private sector. The FPKIMA enables agencies to achieve their e-government and identity management goals. The FPKI Trust Infrastructure has helped agencies reduce document handling, shipping, and processing costs as well as reducing network intrusions. In addition, the Trust Infrastructure enables interoperability between the over 5 million issued HSPD-12 credentials and other industry approved digital certificates.
Alliant 2 and Alliant 2 Small Business Cyber Security Requirements
GSA has baked in minimum-security standards for select contractor systems, the handling of government sensitive data and information technology, contractor security clearances, and homeland security in our GWACs at the contract level. At the task order level, contractors must comply with all GSA IT Security Policies, all applicable GSA and NIST standards and guidelines, and other government-wide laws and regulations for protection and security of information technology, e.g., Federal Information Security Management Act (FISMA) of 2002.
Cybersecurity has always been a key aspect of GSA’s Network Services Programs, and we’re stepping it up in the Network Services 2020 era. Today, Networx includes baseline standards and security services, such as the Managed Trusted Internet Protocol Service (MTIPS) that currently provides Trusted Internet Connections-compliant managed security services to over 60 agencies.
Tomorrow, NS2020 will enable interoperability and further the migration from legacy technologies to a converged IP environment, ensuring cybersecurity is built in and inherently part of the government’s telecom infrastructure. Programs in the portfolio will specify cybersecurity requirements and include an even broader range of pre-defined, flexible security services.
For the Enterprise Infrastructure Solutions acquisition, we worked closely with DHS and ensured state of the art cybersecurity measures are applied to all applicable services. In addition to provisions to facilitate the implementation of EINSTEIN 3A for all agencies, EIS contains MTIPS, a range of Managed Protection Services, and Intrusion Prevention Services. And cybersecurity considerations appear throughout the NS2020 portfolio. For example, the recently launched Mobility 2.0 initiative will encompass managed mobility, including Mobile Device Management and Mobile Application Management, both critical aspects of mobile security.
ITS is committed to help government as a whole improve cybersecurity. We stand ready to work with agencies to explore ways our IT solutions can help reduce costs, minimize duplications and redundancies, and save money. Our job is to help support you to focus on your missions while maintaining quality and reducing costs.
And remember to follow us on Twitter@GSA_ITS to join the conversation.