Post-Quantum Cryptography — What is it and where to start?

We all know cybersecurity is a dynamic field that is constantly evolving to protect people from the malicious use of technology. As we’ll explore in this post, cybersecurity professionals may soon be called to defend against technologies that blur the limits of classical physics.

What we know

Think back to high school physics, old episodes of the TV show “Nova,” or even the latest superhero movies, and you’ll recall the term “quantum” or “quantum mechanics.” Quantum, simply speaking, refers to what goes on at the subatomic level.

For decades, our friends at the National Institute of Standards and Technology (NIST) marshaled the resources of the federal government in applying the principles of quantum mechanics to information processing. They helped shape the field of quantum information science and birth an entirely new class of devices: quantum computers.

Right now, when a computer tries to solve a complex problem it has to check every possible solution one by one. That takes an enormous amount of time and computational power. Here’s where quantum computers shine. Because they operate at the subatomic level, they can actually explore and check multiple solutions simultaneously, drastically reducing the time needed to find the right answer. This means that tasks that would take classical computers years or even centuries to complete could be done by quantum computers in a matter of minutes or hours. It’s mind-boggling!

The problem

Here’s the catch: quantum computers could also break many of the encryption algorithms we currently rely on to protect sensitive data. We rely on encryption to keep information and data transfers safe both in our government work and everyday life – everything from logging into networks and websites to paying with credit cards. Quantum computers put all of that encryption at risk.

In 2022, the National Security Council issued a warning that certain quantum computers could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”

The Office of Management Budget then issued M-23-02 advising agencies how to take the threat seriously. Importantly, OMB said agencies should prepare to protect their data from quantum computers trying to break their encryption. Such stronger data protections became known as Post-Quantum Cryptography (PQC).

So what technologies and services will agencies need to transition to PQC?

Where to start

The first step, per M-23-02, is for agencies to inventory their active cryptographic systems and re-inventory them annually through 2035. That includes looking at all deployed cryptographic systems used for creating and exchanging encryption keys, providing encrypted connections, or creating and validating digital signatures. GSA has multiple acquisition vehicles ready to help you find the right resources to do that.

  • The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) also offers quick access to vendors who have been technically evaluated to do such inventories.
  • If an agency has Enterprise Infrastructure Solutions (EIS) Managed Services awarded, it can tap into those suppliers to conduct these assessments.

The way forward

The experts at NIST are leading the effort to develop algorithms designed to withstand quantum computer attacks. NIST has begun the process of standardizing these algorithms — named CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, and FALCON. This is the final step before making these mathematical tools available so that organizations can integrate them into their encryption infrastructure. NIST also notes that there will be more post-quantum encryption standards to follow.

Some agencies may wish to start testing the PQC algorithms before they are standardized by NIST. Hardware, web browsers, content delivery networks, cloud service providers, devices and endpoints, and enterprise devices that initiate or terminate encrypted traffic all rely on encryption and might be areas to test pre-standardized PQC algorithms.

If your agency is ready to test or explore quantum computing further, GSA has contracts for that too:

Together, we’re on it

Quantum computers are advancing quickly, increasing the need for reliable PQC solutions. GSA works in close collaboration with NIST and the Cybersecurity and Infrastructure Security Agency (CISA) to keep our contracts aligned with the latest technical and security requirements including emerging PQC standards.

Agencies will need to protect their information systems and data from growing threats. The right suppliers can complement an agencies’ IT and information security staff and resources with relevant products, services and solutions to assess cryptographic risks, test safeguards and identify needed investments.

We look forward to working with more agencies to help them prepare for this imminent post-quantum future. We’re planning to host an in-person Quantum Summit at GSA headquarters on April 16, 2024 from 9-12 EST where you can learn more about quantum resilience from Federal practitioners, so save the date! And while we probably won’t be able to help you traverse time and multiverses like a movie superhero, we are ready to help you get your systems prepared for what comes next. Contact us with your needs and we will help guide you to a solution.

Follow ITC on LinkedIn and subscribe for blog updates.

Procurement and the AI EO — Helping federal CAIOs navigate the path ahead

Recently, the White House issued Executive Order 14110 – Safe, Secure, and Trustworthy Artificial Intelligence. It’s the first governmentwide directive encouraging the responsible use of artificial intelligence.

Welcome CAIOs!

For many agencies, implementing EO 14110 means formalizing a new position: the Chief Artificial Intelligence Officer, who will drive the creation of each agency’s AI strategy and establish new governance. CAIOs will be tasked with implementing sophisticated risk management requirements so the projects they oversee comply with all applicable laws, regulations, and policies, including those addressing privacy, confidentiality, copyright, human and civil rights, and civil liberties.

In industry, companies of all shapes and sizes have brought on CAIOs to manage their workflows and augment their organizations’ skill sets. I’m encouraged to see their counterparts arrive in government, including our own at GSA, Zach Whitman.

So, to the AI specialists and leaders joining federal agency C-Suites, welcome! We at GSA’s Federal Acquisition Service are excited to help you get the tools you’ll need to accomplish your missions.

The work ahead

The promise of AI is incredible. The latest advancements in Large Language Models and Generative AI take a field that has been building up for more than 50 years to a new level. We can see agencies using AI to speed up workflows, improve how the public interacts with federal information, reveal new insights in our data, and improve how we design and deliver programs.

Over the next few months, CAIOs will work on strategies to drive innovation and manage the risks of AI. According to EO 14110, CAIOs will serve as the senior AI advisors to agency leadership and start weighing in on strategic decisions. You’ll work closely with Chief Information Officers and Chief Information Security Officers to set up the right safeguards for how the AI tools your teams and others within your agencies use will meet cybersecurity standards and best practices. Working together with leaders and staff throughout the organization, you may even prototype solutions that can illustrate the capabilities and risks of AI when delivering on your agency’s mission.

But wait, there’s more! You’ll also compile inventories, evaluate products, influence workforce development, prioritize projects, remove barriers, document use cases, assess performance, implement internal controls, and ensure your agency’s AI efforts comply with a host of existing laws and policies.

Time to prioritize

That is a big to-do list! To succeed, you may need outside resources like AI-centric development environments and hardware; SaaS providers who can provide access to AI modules; and early assistance from AI experts who can create custom AI solutions for specific purposes in your agency. You will also need to implement training for agency staff on how to use AI systems.

Several different GSA acquisition solutions can help CAIOs procure the AI products, services and solutions they need to achieve their missions. Here are a few:

  • GSA offers easy access to AI development tools from Federal Risk and Authorization Management Program (FedRAMP) – approved cloud service providers on the Multiple Award Schedule – IT Category.
  • Our Governmentwide Acquisition Contracts — Alliant 2, 8(a) STARS III, and VETS 2 — help agencies quickly and efficiently bring on IT service providers, some of whom can provide targeted AI services.
  • GSA’s Rapid Review report service scans the Multiple Award Schedule and provides a list of approved vendors that meet particular criteria, including common AI services from coding to training, typically in as little as one day. To get started, visit our Market Research as a Service page and order a Rapid Review.

Above all, remember that we’re here to facilitate the business of connecting you with the right technology solution. Contact us with your needs and we will guide you there.

Know the risks

EO 14110 provides the most comprehensive guidance to date on the necessity for agencies to fully consider the risks from their use of AI.

AI tools will be subject to rigorous assessment, testing, and evaluation before they may be used. After that, according to EO 14110, CAIOs must ensure that their AI systems undergo ongoing monitoring and human review, that emerging risks are identified quickly, that its operators are sufficiently trained, and that the AI functionality is documented in plain language for public awareness.

Importantly, EO 14110 charges CAIOs with ensuring their agency’s AI will advance equity, dignity, and fairness. This will require a mix of thoughtful stakeholder engagement and the sophisticated use of data and analytics to anticipate, assess, and mitigate disparate impacts. That includes being alert to factors that contribute to algorithmic discrimination or bias and proactively removing them.

We’re constantly calibrating the balance between convenience and compliance, which is particularly important when preparing to acquire technologies like AI that are new and evolving. Our contracts require vendors to comply with rules, policies, and regulations — including EO 14110 and the NIST AI Risk Management Framework — to ensure you have a safe, secure, sustainable IT infrastructure.

More to come

In 2020, GSA launched the AI Community of Practice to get practitioners from across government talking and sharing best practices, then set up an AI Center of Excellence to put their knowledge into action. Much of their work helped lay the intellectual infrastructure needed to carry out the governmentwide objectives of EO 14110. GSA itself is named in three:

  1. Develop and issue a framework for prioritizing critical and emerging technologies offerings in the FedRAMP authorization process, starting with generative AI.
  2. Facilitate access to governmentwide acquisition solutions for specified types of AI services and products, such as through the creation of a resource guide or other tools to assist the acquisition workforce.
  3. Support the National AI Talent Surge by accelerating and tracking the hiring of AI and AI-enabling talent across the Federal Government through programs including the Presidential Innovation Fellows and the U.S. Digital Corps.

As you can see, there will be much more to come as the government’s AI strategy goes into action. To quote GSA Administrator Robin Carnahan, “GSA is proud to play key roles in supporting this Executive Order to help ensure the federal government leads the way in the responsible, effective use of AI.”

Follow ITC on LinkedIn and subscribe for blog updates.

What does the future of cybersecurity look like?

As we look ahead, there are several key areas of focus that will undoubtedly shape the virtual battleground. Government agencies who proactively embrace and implement current high priorities in these key areas will be better prepared to navigate the evolving digital threatscape and safeguard their sensitive information and assets. Here are some top drivers we anticipate will impact agencies’ cybersecurity strategy and spending plans.

Zero Trust Architecture (ZTA)

ZTA has been at the forefront of government guidance in recent years. Now that agencies have had time to plan for their ZTA requirements, implementing strategies should commence. ZTA provides agencies with the foundation to build a strong security posture that evolves with the ever-changing technological environment of dynamic and accelerating threats.

Cybersecurity Supply Chain Risk Management (C-SCRM)

The growing interconnectedness of systems, services, and products makes management and mitigation of supply chain risks even more important. Effective C-SCRM should be a fundamental component in cybersecurity strategy. Having C-SCRM as an essential element in procurement helps to ensure the resilience, security, and continuity of operations for organizations, government agencies, and critical infrastructure.

Post-Quantum Cryptography (PQC)

PQC is an emerging field within the cyber realm that is gaining increased relevance due to the potential threat quantum computers pose to traditional encryption methods. PQC involves the development of new cryptographic algorithms resistant to quantum computer attacks to ensure the security of digital communications and sensitive information. Agencies should begin to plan for future quantum resistant methods by inventorying their systems and engaging with vendors on how they are addressing quantum-readiness.

Some challenges agencies may face include:

  • The ability to identify PQ-vulnerable systems.
  • The ability to identify and implement appropriate PQC algorithms.
  • The high cost and complexity of implementation.
  • A gap in a trained and certified workforce to implement and maintain PCQ algorithms.

Artificial Intelligence (AI)

The rapid emergence and adoption of generative AI tools has created new challenges, especially for data security. As AI becomes more prevalent in our modern technology, agencies will need to assess the associated risks and develop strategies to mitigate vulnerabilities.

GSA and other agencies are working to support the new Executive Order to help ensure that AI systems are safe, secure, and trustworthy.

Follow ITC on LinkedIn and subscribe for blog updates.

Application Security Testing (AST) — reduce your cybersecurity risk

“Improving the Nation’s Cybersecurity” is a top priority across all federal agencies. Constant and fast-paced application innovation is the new norm of today’s digital enterprise. Vulnerabilities are waiting to be exploited by adversaries and their increasingly sophisticated malicious attempts such as the Log4J application exploitation.

The Office of Management and Budget’s (OMB) Memorandum 22-09 specifically charges agencies to operate dedicated Application Security Testing (AST) programs for a stronger and more robust cyber posture. Early and continuous AST minimizes the risk of sensitive data exposure and system compromise. To prevent most application security threats, agencies need a dedicated AST program that implements a variety of tools to continuously assess and address application vulnerabilities throughout the Security Development Life Cycle (SDLC).

The software development lifecycle begins with analysis before moving to design, development, and testing. Next comes deployment and finally, maintenance.

AST tools

Testing requirements and guidance released by OMB, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency will make applications more resistant to security threats and identify security weaknesses and vulnerabilities. Ultimately, the goal is to create a holistic AST program of automated tools and manual testing that continuously examines applications as they are developed and continue through the SDLC. AST methodologies can be categorized into:

  • Automated AST relies on written code/test scripts and tools to test and validate an application. It can be completed in less time than manual testing and covers more test permutations; however, it does require heavy coding and maintenance.
  • Manual testing is executed by human security testers to discover complex bugs for which automated testing cannot detect or to resolve automated testing’s false positives. It requires a substantial level of expertise, effort, and time.

An AST program uses a variety of tools throughout the SDLC, many of which are described in the table below.

A table that highlights AST testing tools, their purpose, proactive or reactive scanning, low false positives, and cost. Static application security testing is used to examine source code for weaknesses. Dynamic application security testing is used to find security vulnerabilities in a running environment. Interactive application security testing analyzes code for vulnerabilities by simulating scenarios in a running environment. Mobile application security testing identifies vulnerabilities in applications used with mobile platforms during or post development. Software composition analysis identifies open-source software in codebase. Manual testing examines all essential features to find more complex and logical vulnerabilities.

Top AST threats

According to the Open Web Application Security Project (OWASP), the top three application security threats are broken access control, cryptographic failures, and injection.

A table featuring best practices and AST tool(s) to address broken access control, cryptographic failure, and inject vulnerabilities.

Third-party application security testers

Another component of a dedicated AST program is the use of independent third-party application security testers who specialize in identifying vulnerabilities internal staff may miss. These expert firms have the skills and certifications required to provide high-quality results and ensure applications hold up against real-world cyber attacks.

GSA cybersecurity resources

GSA created the AST Buyer’s Guide to help federal agencies meet AST program requirements, provide Third-Party Application Security Tester selection criteria, and address application security threats. It provides an overview of AST, key considerations when implementing an AST program, and helps identify and procure AST offerings to improve your agency’s application security posture.

To make the acquisition experience easier and more efficient, GSA also provides useful resources like an AST summary sheet, AST statement of work template, and AST informational video. These and many other resources can be found at www.gsa.gov/ast.

GSA cybersecurity support

The GSA IT category team is available to answer questions and provide subject matter expertise related to purchasing AST, cybersecurity, and a full range of IT products and services. Please contact the IT customer service center at 855-ITaid4U/855-482-4348 or itcsc@gsa.gov.

Follow ITC on LinkedIn and Twitter, and subscribe for blog updates.

Celebrating our Veterans

In thinking about Veterans Day this year, I want to pay special tribute to America’s Veterans for their service and dedication to this great nation. I’m grateful for the sacrifices they have made to defend our nation. Our Veterans are an example of the strength, courage, and resolve that allows our country to overcome so many of the challenges we face.

I have spent time with Veterans and Service Disabled Veteran Owned Small Business (SDVOSB) owners and know their desire to serve continues after they leave active service. I am proud that GSA is committed to working with this community.

GSA working with Veterans

GSA is dedicated to tapping into that strength, courage, and resolve by bringing the SDVOSB community to the federal IT market.

There were more than 800 SDVOSBs across the entire government-wide IT category last year that reported sales. ITC is represented by 357 of those industry partners through our Multiple Award Schedule – IT (MAS-IT) contract and the Veterans Technology Services 2 (VETS 2) and 8(a) STARS III IT services Governmentwide Acquisition Contracts (GWAC). Through these acquisition vehicles, SDVOSBs won more than $1.46 billion of the IT market last year.

Through GSA contract vehicles like VETS 2, service-disabled veterans continue to serve our nation by providing innovative IT solutions in support of agency missions and the military. VETS 2 is currently the government’s only GWAC set aside exclusively for SDVOSBs.

The VETS 2 option period is coming up next year and we have every intention of exercising that option for those SDVOSBs meeting the terms and conditions of the contract. This will provide federal agencies with continued use of this socio-economic small business, best-in-class solution for their long-term IT service project needs, with the performance of task orders extending out through 2033.

SDVOSBs bringing real mission impact

While I can’t call out individual SDVOSBs, I do want to offer a couple of examples of their great work:

  • One of our customer agencies recently awarded a $248 million order through VETS 2 to provide IT Support Services for their digital infrastructure services center. Through these IT support services, the SDVOSB will fill the agency’s need for maintaining legacy operations and to innovate, at an accelerated pace, to meet the customer’s requirements into the future.
  • Another recent innovative task order award for $166 million was for enterprise services integration and modernization. The scope of the task order is to provide a quality-focused process and capability that enables effective sustainment and modernization of command, control, communication, computers, and information technology systems. The task order will modernize military headquarters to include operations centers, planning rooms, and conference rooms, utilizing innovative technologies such as video walls, audio processors, and multi-classification video teleconference systems.

Veterans, key to the future

Our commitment doesn’t stop with VETS 2 and MAS-IT. GSA’s next small business and socio-economic small business GWAC, Polaris, will have an SDVOSB pool. Polaris is designed to assist agencies in acquiring customized IT services and IT services-based solutions while expanding opportunities for SDVOSB firms. Stay tuned to our Small Business Community of Practice Interact page for updates.

These contracts drive progress on important public policy objectives, including the President’s Executive Order 13985 On Advancing Racial Equity and Support for Underserved Communities Through the Federal Government as we work to improve diversity, equity, inclusion, and accessibility.

I’m grateful for the meaningful partnership we have with our Service Disabled Veteran Owned Small Businesses and for their continued hard work and dedication to helping agencies achieve their missions every day. I’m really excited for what the future holds.

Visit our website to learn more about VETS 2, MAS-IT, and Polaris or use our IT Solutions Navigator to find the vehicle that’s right for you.

Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

October is Cybersecurity Awareness Month

Blue promotional image with laptop, desktop, and mobile device clipart on the right side of the image. White text on the left reads "Is your agency cyber ready? GSA can help."

Is your agency cyber ready?

October is Cybersecurity Awareness Month and this year’s theme is “See Yourself in Cyber.”
Planning and executing a cybersecurity acquisition is a winding road. It can be daunting without a clear place to start. Federal agencies are challenged with navigating changing threat environments, new policy mandates, and an ever-evolving technology landscape. Acquisition professionals within the federal government have a large role in helping to protect our Nation’s networks and assets but don’t have to take this on alone. GSA offers convenient access to a range of resources to help identify requirements and create a plan, compare contract vehicles, and develop a solicitation to award a contract.

GSA is here to help “See Yourself in Cyber” and get your agency one step closer towards being cyber ready.

Current cybersecurity requirements

Executive Order (EO) 14028: Improving the Nation’s Cybersecurity and associated Office of Management and Budget (OMB) memoranda established critical policy goals federal agencies must follow. These goals include implementation of a Zero Trust Architecture (ZTA) and the adoption of Cybersecurity Supply Chain Risk Management (C-SCRM) practices within Information and Communication Technology (ICT) supply chains. Federal agencies have also been targeted in a number of high-profile cyber attacks resulting in new and evolving program needs to protect their networks from and respond to future attacks.

GSA offers multiple resources to help make sense of these new policies and program drivers and translate them into requirements for a solicitation:

  • GSA’s EO 14028 webpage and the Zero Trust webpage connect users with resources related to recent cybersecurity requirements.
  • GSA subject matter experts (SMEs) offer focused cybersecurity training that discuss many of the policy and technology drivers impacting the Federal cybersecurity marketplace.
  • GSA has multiple videos on cybersecurity on ITC’s YouTube playlist. Topics include use case scenarios for agencies seeking to procure cybersecurity solutions and the journey toward implementing a ZTA.

Buyer’s Guides

GSA offers a wide range of cybersecurity services and solutions. We know it can be difficult to select the right fit for your agency’s requirements. To help demystify this process, GSA developed a number of buyer’s guides that identify which solutions meet your agency’s specific cybersecurity needs:

GSA-offered cybersecurity services and solutions

GSA has several cybersecurity-specific contracting offerings, including:

  • The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) on the Multiple Award Schedule Information Technology (MAS IT), established in collaboration with OMB and the Cybersecurity and Infrastructure Security Agency (CISA), which provides:
    • Proactive and reactive cybersecurity services.
    • A wide range of vendors capable of meeting your agency’s small business and socioeconomic contracting goals.
    • Access to technically evaluated cybersecurity vendors. Vendors must pass an oral-technical evaluation to be able to offer services through the HACS SIN.

If you have questions about whether your requirement fits within the scope of the HACS SIN, GSA SMEs are available to provide free and individualized consultations, and scope reviews.

  • The IT Professional Services SIN on MAS IT that offers agencies:
    • Access to pre-vetted IT solution providers.
    • Pre-negotiated prices that can be further discounted.
    • Established terms and conditions at the master contract level that can be customized at the task order level.
    • A diverse pool of vendors to help meet socioeconomic and small business contracting goals.
    • Two cybersecurity-specific subcategories: IT Backup and Security Services, and Information Assurance.
  • The Continuous Diagnostics and Mitigation (CDM) Tools. CISA maintains the CDM Approved Products List (APL), the authoritative catalog for CISA-approved CDM IT products. To purchase products on the APL, agencies can use:

Planning and procurement tools

GSA gives buyers an entire toolbox to guide the process of developing and releasing a solicitation, from market research to procurement.

  • GSA’s Market Research as a Service (MRAS) gives buyers access to rapid, targeted market research for their acquisitions at no cost. MRAS can be used to identify GSA contracts that might fit requirements, get information on vendor pools and market data, or compare and search products offered on GSAAdvantage!®.
  • Buyers can also use GSA’s IT Solutions Navigator to identify the right contract vehicles to meet cybersecurity needs. Users can select types of products or services to see a list of best-fit contract vehicles and solutions that meet requirements.
  • On GSA eLibrary, agencies can view vendor pools offered under different contract vehicles, review vendors’ terms and conditions, and view their socioeconomic designations and geographic locations.
  • The IT Security Hallway on the Acquisition Gateway displays multiple resources for government users in one convenient location. Users can access sample statements of work for the HACS SIN and a tool to help calculate Independent Government Cost Estimates (IGCE).
  • Agencies can also use GSA eTools, including GSA eBuy and GSA Advantage!® to initiate the procurement process and release documents to industry. On GSA eBuy, Requests for Information, Requests for Quote, and Requests for Proposals can be released to holders of the contract vehicle selected. On GSAAdvantage!® buyers can compare products and pricing to make purchases or view past solicitations released as a resource.

GSA offers continued support

GSA support doesn’t stop once you’ve released your solicitation. We are committed to providing support to agencies throughout the entire acquisition lifecycle. If you have questions related to an offeror’s submission, or need to clarify questions from industry, our experienced cybersecurity and contracting SMEs can assist. For SME support, contact the GSA IT Security Subcategory at ITSecurityCM@gsa.gov.

While cybersecurity acquisitions may seem intimidating at first glance, GSA offers plenty of resources to help demystify the process. If you need additional assistance, you can contact the Customer Service Director (CSD) dedicated to your agency and region, or your agency’s National Account Manager (NAM). CSDs and NAMs are a valuable source of information on GSA programs and can connect you with further support or training. To learn more about CSDs and how they can help, watch this video.

Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

C-SCRM Acquisition Community of Practice (ACoP) Interact Site

Cyber-Supply Chain Risk Management (C-SCRM) Whole of Government logo.

Since the launch of the C-SCRM Acquisition Community of Practice (ACoP), GSA and CISA have been co-leading an effort to broaden the level of awareness and develop agency maturity in the areas of acquisitions, supply chain risk management, and cybersecurity across the Federal Government for information communication technology and services (ICTS).

Many federal departments and agencies have limited C-SCRM capabilities, resources, governance, guidance, and training; especially in the acquisition of ICTS. We need governmentwide collaboration with industry and the sharing of ideas, tools, guidance, and best practices for C-SCRM as part of the acquisition of ICTS.

Many don’t see the acquisition workforce as a key component of agencies’ cybersecurity teams. But federal procurement professionals have unique opportunities, through contracting, to ensure the safety and security of the federal government’s ICTS, help strengthen cybersecurity across networks, and prevent incidents like Solarwinds from occurring.

To increase C-SCRM awareness and adoption government-wide, the C-SCRM ACoP launched an online collaborative space for the federal government’s IT community and industry to share best practices, ideas, guidance, tools, and expertise needed to implement C-SCRM requirements. Working together as a community and sharing information will help us improve our cybersecurity posture across all levels of government.

The C-SCRM ACoP has hosted key events such as the C-SCRM Shark Tank event in collaboration with the American Council for Technology – Industry Advisory Council (ACT-IAC) where industry experts showcased innovative C-SCRM solutions to a government panel. The C-SCRM ACoP also plans to conduct a survey of industry to identify C-SCRM challenges and suggest best practices from industry’s perspective.

Additionally, the C-SCRM ACoP hosts monthly sessions open to federal employees and agency support staff. These sessions and events, held in collaboration with CISA, offer opportunities for knowledge sharing and cross collaboration focusing on supply chain risk awareness and advancements in cyber-acquisitions. Subject matter experts are ‘on hand’ not only providing information related to cybersecurity and acquisition integrity, but also best practices and lessons learned. 

Joining the C-SCRM ACoP helps:

  • Enhance the Federal Government’s cross-agency collaboration
  • Identify agencies’ strengths and capabilities in leading strategic C-SCRM objectives
  • Rapidly disseminate best business practices & outcomes
  • Learn from other agencies

To join the C-SCRM ACoP, email us at C-SCRM_ACoP@gsa.gov.

Visit the C-SCRM ACoP’s Interact site to be part of this collaborative journey. Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

Marking the One-Year Anniversary of Executive Order 14028 “Improving the Nation’s Cybersecurity”

May 2022 marked one year since President Biden signed Executive Order (EO) 14028 – “Improving the Nation’s Cybersecurity.” It directs sweeping changes to cybersecurity requirements and calls on federal agencies to address key issues critical to building a more resilient cybersecurity posture. The EO also requires federal agencies to take steps to implement a Zero Trust Architecture (ZTA) model to modernize and strengthen cybersecurity standards and detection.

Since May 12, 2021, the Office of Management and Budget (OMB) issued additional guidance to support the mission of “Improving the Nation’s Cybersecurity.”

Timeline of Key Policy and Guidance Associated with the EO beginning on May 12, 2021 when the EO was signed through January 26, 2022.
Figure 1: Timeline of Key Policy and Guidance Associated with the EO

The associated OMB memos outline the steps required for agencies to better protect federal information systems, making them more secure and resilient. The requirements include implementation of:

  • Strict security controls on critical software,
  • Mature event detection and analysis capabilities, and
  • Endpoint data collection within networks to detect and hunt cyber threats.

Federal agencies also have new ways to obtain funding for the cybersecurity products and services needed to implement the EO’s requirements. Bolstering cybersecurity defenses is one of the Technology Modernization Fund (TMF)’s focus areas, and it’s funded three projects to support ZTA implementation. The President’s FY23 Budget request includes increased funding for federal agencies as they implement the EO’s priorities and a ZTA strategy. The request is the largest such increase in over 12 years.

Resources to help meet the EO requirements

There is no single technology, product, or service that can achieve the goals of implementing ZTA. Each agency’s journey and solution will be unique, and GSA’s Federal Acquisition Service (FAS) is here to help.

The FAS Office of IT Category (ITC) has resources to help agencies, vendors, and acquisition professionals continue to work towards a mature ZTA and meet the Administration’s requirements.

Over the past year, GSA’s ITC has:

  • Participated in governmentwide working groups on Cybersecurity Supply Chain Risk Management (C-SCRM) and ZTA. To ensure GSA’s offerings are capable of delivering the products and services that support implementation of the EO’s requirements, subject matter experts (SMEs) participated in working groups led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
  • Educated the acquisition workforce on EO 14028. GSA SMEs conducted multiple trainings and speaking engagements for IT and acquisition professionals on ZTA, C-SCRM, and the EO requirements. If your agency would like to schedule a session with GSA SMEs, reach out to the GSA National Account Manager dedicated to your agency.
  • Incorporated C-SCRM practices into GSA contract vehicles. To assist agencies with EO requirements to mitigate cyber risks in the Government’s IT supply chain, GSA continues to pursue efforts to ensure alignment with EO guidance.
  • Developed informational webpages and Buyer’s Guides to aid agencies navigating the EO requirements.

Other ways GSA can help

Whether your agency is small or large, GSA has solutions that can be tailored to your cybersecurity needs. In addition to the Buyer’s Guides, GSA offers multiple online tools to assist in planning a cybersecurity acquisition. 

  • IT Security Acquisition Planning Package (APP) provides common resources agencies can use to plan a cybersecurity acquisition, including:
    • Overviews of GSA IT Security offerings,
    • IT Security Statement of Work (SOW) and Request for Quote (RFQ) templates, and
    • GSA’s Market Research As a Service (MRAS) tool to identify potential vendor pools and suggested contract vehicles. 
  • GSA developed Buy.GSA.gov, which can help you:
    • Plan – Determine the documents you need, and find vendors and contracts. 
    • Develop Documents – Find sample documents and templates.
    • Research – Find products, services, and pricing data.
    • Purchase – Review buying methods and request submissions for quotations.
  • GSA, in partnership with the Federal Chief Information Officers Council, is developing a series of ZTA Playbooks to help agencies move from the conceptual planning phase to actual implementation of a zero trust security model. Agencies can expect a “base playbook,” followed by playbooks dedicated to the pillars of a mature ZTA.
  • GSA has Customer Service Directors specifically assigned to your agency by location. You can also find the National Account Manager dedicated to your agency. 
  • For cybersecurity SME support, contact the IT Security Subcategory at ITSecurityCM@gsa.gov.

What’s next

As the Federal government improves its efforts to better protect Federal information systems, expect additional OMB guidance and updates to the Federal Acquisition Regulation (FAR), driving the need for modification of contract language. GSA will keep you informed, communicating with you the major developments.

Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

Reducing Cyber Supply Chain Risks

From reports of large-scale cyber attacks such as Solarwinds to President Biden’s signing of Executive Order 14028, Improving the Nation’s Cybersecurity, cyber supply chain risks have been top of mind for policymakers and federal agencies governmentwide.

GSA is committed to helping agencies mitigate cyber supply chain risks. By understanding the threats, agencies are positioned to take defensive action against them.

Ecosystem threats

Government depends on a global supply chain ecosystem: vendors, distribution routes, technologies, laws, and policies. Each piece of this ecosystem works together to design, manufacture, distribute, use, and manage products and services.

However, these supply chains’ ecosystems can expose government organizations and enterprises to financial, governance and cybersecurity risks.

Of these risks, one of the most troubling is that someone will use vulnerabilities in a supply chain to carry out a cyberattack.

A supply chain cyber attack occurs when an attacker uses a trusted outside partner or vendor with access to a system’s data to infiltrate an information system.

Because supply chain attacks are difficult to prevent and can greatly harm any organization, federal agencies must identify, categorize, manage, and mitigate risks within their supply chains.

In its December 2020 report, the Government Accountability Office (GAO) assessed how 23 civilian CFO Act agencies’ implemented 7 Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) practices.

In their review, the GAO found that many agencies had not implemented the practices according to their evaluation criteria and that no agencies had fully implemented all 7 practices.

What you can do

You can take proactive information and operational technology acquisitions measures to reduce an organization’s cyber supply chain risks.

  • Evaluate your organizational structure. Set up a collective task force to secure your supply chain and empower this team to hold lower-level suppliers accountable and to have responsibility for overall supply chain security.
  • Identify and empower supply chain leadership. Review and monitor key contracts to verify that prime and subcontractors maintain security practices through the contract lifecycle. Threat intelligence and incident response capabilities must work together.
  • Put data protection and stakeholder communication processes in place. Set requirements for communicating and protecting data, specifically for incidents, breach notifications, and industry or legal reporting requirements.
  • Build trust by sharing threats with your supply chain partners. Prevent communication delays by being transparent about an attack or a potential breach. Transparent leadership and communication creates trust. Building that trust requires a commitment to straight talk, the ability to produce results, and the ability to restore trust when trust is lost.

GSA C-SCRM Resources

For the last 10 years, federal guidance and regulations have prioritized SCRM. This priority reflects the increasing threat of vulnerabilities in the nation’s supply chain.

We’re continuing to develop ways to help agencies reduce supply chain risk, like the Vendor Risk Assessment Program and the Cyber Supply Chain Risk Management Acquisition Community of Practice.

Vendor Risk Assessment Program

We are currently developing a program that can identify, assess, and monitor supply chain risks for vendors who do critical work for the federal government. It will audit supply chain risk processes or events and may include on-site assessments.

The following criteria will be monitored:

  • Risk of foreign ownership, control or influence;
  • Cyber risk; and
  • Factors that would affect the company’s vulnerability, such as financial performance.

If the risk assessment identifies supply chain risks, we will work with the vendor on a corrective action.

We take this seriously. Failing to resolve any identified risk may result in government action up to and including contract termination.

Cyber Supply Chain Risk Management Acquisition Community of Practice

In August 2021, we established a C-SCRM Acquisition Community of Practice (ACoP). It includes key acquisition stakeholders from GSA, Cybersecurity and Infrastructure Security Agency (CISA), Office of Management & Budget (OMB), and other federal agencies.

The goal of C-SCRM ACoP is to increase awareness and develop maturity in the areas of cyber-acquisitions and Information Communication Technology and Services (ICTS) supply chain risk management across the federal government.

Many federal departments and agencies need to mature C-SCRM capabilities, guidance, and training. This is particularly true for acquiring ICT hardware and software.

We need governmentwide contract language for getting ICT products that holds vendors accountable for assessing the risk of their supply channels, especially for embedded software.

To learn more about the C-SCRM ACoP or to join, email C-SCRM_ACoP@gsa.gov.

Coordination is key

Agencies must continuously monitor their interconnected IT ecosystem and establish the necessary contract requirements that ensure vendors are doing the same.

Stay up to date on the latest GSA C-SCRM initiative by following us on Twitter @GSA_ITC.

GSA’s Enterprise Infrastructure Solutions Instills Cybersecurity Confidence

On May 12, the White House issued the Executive Order on Improving the Nation’s Cybersecurity. This EO underlines the fundamental problem of how cybersecurity weaknesses leave critical infrastructure open to debilitating attacks. It also outlines what government agencies must do to improve their collective defensive posture, reduce risk, improve visibility and secure their infrastructure.

GSA’s Information Technology Category (ITC) tracks cybersecurity trends and is involved in conversations with industry experts on this topic. We incorporate the EO’s technological goals in our contract solutions, like Enterprise Infrastructure Solutions Contract, or EIS.

When it comes to network security, Zero-Trust Architecture (ZTA) is the gold standard. We even published a Zero Trust Architecture Buyer’s Guide to help agencies build toward it. EIS is featured prominently in the guide, because it offers baked-in security “building blocks” to create customizable solutions.

Managed Security Services

The EIS Managed Security Service (MSS) is a comprehensive service that protects an agency’s information technology assets—hardware devices, network, software, and information—from malicious attacks. It includes capabilities such as authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management. MSS comprises the following sub-services: Trusted Internet Connections Service (TICS), Managed Prevention Service (MPS), Vulnerability Scanning Service (VSS), and Incident Response Service (INRS).

Managed Network Services

The EIS Managed Network Service (MNS) enables an agency to outsource a portion or all of its network planning, design, implementation, maintenance, operations and customer service as a strategic move to improve IT services and lower costs.

Software Defined – Wide Area Network (SD-WAN) Services

SD-WAN services provide significant benefits by giving agencies central security management and visibility, the ability to segment networks where security policies can be tailored per application and data type, and identity-based user access.

Managed Trusted Internet Protocol Services (MTIPS)

MTIPS version 2.2 provides security for all external connections to public Internet, Extranet, and Cloud Service Providers. As agencies look to implement the Cybersecurity and Infrastructure Security Agency (CISA) TIC 3.0 guidance, MTIPS may be complemented with additional EIS services to achieve the updated security capabilities of a TIC 3.0 Traditional TIC solution.

FedRAMP Authorized Software-as-a-Service (SaaS) Tools

SaaS gives an agency access to applications hosted in the cloud. The provider manages the security, availability, and performance of the applications as part of their service. Using SaaS allows an agency to reduce the time, expense, and risk associated with the installation and maintenance of software on agency computers. EIS SaaS meets all federally required security standards for Cloud services.

EIS delivers solutions to agencies that will meet CISA’s latest Trusted Internet Connections (TIC) 3.0 guidance and ZTA requirements which include the Core Zero Trust Logical Components described in the National Institute of Standards and Technology (NIST) Special Publication 800-207. GSA continues to collaborate with CISA to provide guidance to agencies advancing legacy networks towards a zero trust architecture.


In the past decade, the typical federal agency network has evolved from being static with a known perimeter to mobile-friendly with nodes across the country. We are now regularly reminded that security solutions must correspondingly evolve to secure agency data and be able to ensure the safe transport of information to and from cloud applications, data centers, and remote users. If they don’t, the U.S. will continue to be vulnerable to malicious actors all over the world.

The Cybersecurity EO prioritizes “accelerated movement to secure cloud services; centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investment in both technology and personnel to match these modernization goals.” EIS already supports these by supplying SD-WAN services, 5th Generation (5G) telecommunications technology, Internet of Things (IoT) offerings, and Cloud-based security solutions.

Using EIS to buy IT infrastructure ensures a greater degree of consistency in the government’s telecommunications and network infrastructure services. It also consolidates the government’s purchasing power, driving lower prices on products and services that to satisfy complex security, flexibility, and visibility needs. EIS solutions offer the foundation needed to adapt to evolving threats and continue accomplishing your mission. The sooner agencies transition, the sooner they can take advantage of the secure solutions available on EIS. Accelerate your transition progress by Taking A.I.M. at EIS.