Veteran Owned Companies Bring Cybersecurity Expertise to Federal Customers

As we celebrate Veterans Day, we want to take a moment to appreciate all of the men and women who contribute to this great nation through their service in our military. America’s veterans are one of our most valued resources. Veterans bring a unique skill set, knowledge, and experience to everything they do; and GSA has been able to tap into their valuable expertise through our Service-Disabled Veteran-Owned Small Business (SDVOSB) contract for IT Services, VETS 2.

GSA’s VETS 2 Governmentwide Acquisition Contract is available to all federal customers. Agencies purchasing IT services through the VETS 2 contract demonstrate how prevalent veterans are in supporting mission-critical IT services needs across the federal landscape. One of the important core capabilities of VETS 2 is Cybersecurity. The SDVOSB firms on the contract have done the work, and 77 percent of the firms have extensive experience in cybersecurity. More than 60 of the VETS 2 industry partners have a secret or top-secret facilities clearance. These companies are well established in the IT industry. The background they bring with their previous military experience has been key to their success.

The IRS, Treasury, DHS, DoD, Army, and Air Force have all tapped into the expertise of our VETS 2 Industry Partners. They have placed task orders on the contract for IT Security and Cybersecurity requirements. Since the inception of the VETS 2 contract in February of 2018, there have been 21 task orders specifically to support IT Security needs within the government. This shows that veterans can provide the specialized knowledge, skills, and abilities that are needed today.

The single largest task order that has been issued on the VETS 2 contract was completed by GSA’s Federal Systems Integration and Management Center (FEDSIM) on behalf of the United States Army Pacific (USARPAC). This task order will help USARPAC in providing a quality-focused process and capability that enables effective sustainment and modernization of critical Command, Control, Communications, Computers (C4), and IT systems. These services include site surveys, engineering, design, procurement, logistics, implementation, operations and maintenance, knowledge management, cybersecurity, and training of new and existing C4 IT systems. This is an excellent example of the broad capabilities available through VETS 2.

2020 has been hugely successful for the VETS 2 contract, with 97 task orders worth more than $1 billion. This contract is only in its third year and is already surpassing expectations. There are 69 industry partners on the contract with a variety of specialized IT services core capabilities. VETS 2 is also a Best-in-Class contract as designated by the Office of Management and Budget. Federal customers using VETS 2 will receive socioeconomic credit toward small business goals as well as credit toward their Spend Under Management goals.

On Veterans Day each year, we reflect on the hard, mission-enabling work our veterans continue to deliver for our government every day, and I couldn’t be more proud of our VETS 2 team and industry partners.

For more information about the industry partners on the contract, check out our VETS 2 website.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Authorization to Operate: Preparing Your Agency’s Information System

To close out National Cybersecurity Awareness Month, here are some steps federal agencies can take to protect their IT systems from cyber attacks and cybersecurity vulnerabilities using the Authorization to Operate (ATO) process.

An ATO demonstrates that a federal agency has gone through a federally approved, detailed process to protect an IT system from incidents such as cyberattacks, security breaches, malware, and phishing attempts. Many federal IT systems are required to obtain an ATO to process government data, and federal regulations recommend that agencies follow the Risk Management Framework (RMF) to become authorized.

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides solutions for all of an agency’s cybersecurity service needs, including RMF. The HACS SIN connects agencies with vendors who have passed oral technical evaluations for cybersecurity services performed within the RMF, and who are ready to assist agencies with the RMF process for a successful authorization.

[Figure: RMF graphic with full step definitions, ATO highlighted]
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

All of the steps, tasks, and activities that precede the “Authorize” step of the RMF help to prepare the information system for the authorizing official’s appraisal. The authorizing official is not a contractor, but a federal employee of whichever agency is seeking ATO.

The HACS SIN connects federal agencies with contractors who can help in each stage of the RMF. Contractors can assist agencies in producing the deliverables associated with each RMF step listed in the chart below.

Disclaimer: RMF deliverables can vary based on an organization’s cybersecurity needs.

Once an agency has successfully completed the first four steps of the RMF (“Categorize” through “Assess”), an authorizing official will evaluate the system. The authorizing official for the federal agency in question evaluates residual risks identified during the security control assessment, and makes the decision to authorize the system to operate, deny its operation, or ask the agency to address any issues.

When granting an ATO, authorizing officials look for the following checklist of items:

  • Plan of Action and Milestones (POA&M)
  • Authorization Package
  • Final Risk Determination and Risk Acceptance
  • Authorization Decision

The POA&M is one of the most important deliverables produced in the RMF process. It reflects organizational priorities for addressing any remaining weaknesses and deficiencies in an information system and its environment of operation. The Authorization Package includes all key documents including the security plan, security assessment report, and the POA&M. 

Following the RMF steps helps your agency to achieve ATO, but the work does not end after an ATO is issued. Agencies must also continuously monitor their systems to ensure that security controls remain effective over time.

In addition, many federal agencies must reauthorize their information systems every three years by going through the RMF process again. This is where the final step of the RMF, “Monitor Controls,” is important. As part of continuous monitoring, a sample of the applicable security controls is tested annually, periodic vulnerability scanning is performed, and security impact analyses of changes are performed. If an agency continuously monitors its systems over those three years by documenting specific technical changes, environment changes, or changes to the organizational risk management strategy, it may be easier to renew an ATO because any security risks can be mitigated at the time they occur.

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to achieve an ATO, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).


Public Sector 5G Strategy Series – Part 1: Technology

The Wheel Is Turning

If you’ve scrolled through social media or watched live TV lately, you’ve likely seen an ad for 5G. If you find yourself wondering why there is so much conversation about 5G – you are not alone. Is it worth all of this attention?

We think so. 5G is set to revolutionize the world’s telecommunications infrastructure, paving the way for even greater use of autonomous devices and expanding the number of interconnected devices in the Internet of Things (IoT).

In October 2019, GSA held its first public event about 5G, where government and industry experts gave us a compelling look at the rollout of next generation networks, discussed how they’ll support IoT applications, and outlined the steps necessary to secure this new hyperconnected future.

Going forward, we’ll be sharing a series of posts outlining how we expect 5G will drive change across government, and what agencies should do to prepare. 5G means different things to different people, so our “5G for Government” strategy is best visualized as a wheel composed of six core concepts:

  • Technology
  • Standards
  • Security
  • Policy
  • Acquisition
  • Use Cases

This post will look at the evolution of the technology enabling 5G, and more importantly, the types of devices, applications, and services that will soon depend on it.

New Tech, Same Trends

The first cellular telephones hit the market in the mid-1970s and offered wireless voice calling over an analog network. In the early 90s, this first generation cellular technology, using analog telecommunications standards, transitioned to a 2G digital network, allowing both voice and data to travel wirelessly between devices.

3G and 4G gave us mobile internet and streaming video, respectively, leading to the rise of the smartphone and entirely new industries, such as mobile application development and cross-platform analytics.

Remember when you couldn’t open an email attachment on your phone or send a photo—let alone a video—over a wireless network? When did that change?

Most people could not tell you which network generation enabled what feature, only that devices became faster, applications more data dependent, and new services arose as capabilities increased.

The same will be true for 5G, but due to its engineered flexibility and vast capacity for high-speed data transfer, the changes will come sooner and reach far beyond communications.

Why 5G Is Different

Since 5G is still new to the market, what we can say about its current technology is limited. Indeed, many experts will tell you that 5G was designed to support applications and services that are still largely confined to a laboratory setting. For now, when we look at the technology, we can only compare it to what’s currently on the market, but when we do, it becomes apparent that we’re just seeing the tip of the iceberg.

Changing Devices

Take the smartphone, for instance. Right now, a phone on a 4G network downloads data at approximately 12-36 megabits per second (Mbps). A 5G-enabled phone clocks in at 50 Mbps at minimum. Phones on the fastest commercial networks can reach 1,000 Mbps (1 gigabit per second), and average speeds are expected to exceed 10 Gbps as the technology matures.

How does it reach these speeds? 5G transmitters use higher frequency radio waves, some in or near the millimeter wave band of the electromagnetic spectrum. Bandwidth is much more plentiful there, which greatly increases the capacity and speed of data transfer. Instead of a single cellular antenna, the 5G phone contains multiple receivers, allowing it to process all this data over multiple streams, in parallel. You could liken it to filling a glass of water from the bottom up, and the top down, at the same time. 

Smaller, More Flexible Networks

Like their predecessors, 5G networks are digital cellular networks, in which the service area covered by providers is divided into a mosaic of small geographical areas called cells. While conventional cell phone towers are hundreds of feet tall, millimeter wave antennas are only a few inches long. Though an individual antenna may only cover a small area, multiple antennas can work together as phased arrays to beam data straight to the user. This technique, known as beamforming, is one of many ways that 5G networks can be optimized to improve performance while serving huge numbers of devices.

Open To Innovation

Small but mighty, 5G networks could be used to provide general home and office internet connections. A technique called network slicing could be used to segment a larger 5G network into highly customizable “slices,” managed and operated independent of the infrastructure owner, tailored to unique business needs. When used in conjunction with software-defined wide area networking (SD-WAN), 5G could replace outdated cable connections in government offices, campuses, and military bases.

Edge computing is another exciting concept made practical by 5G. This technique involves creating a cloud-based IT service environment at the edge of the cell, leveraging its unique properties and raw power to move computational workloads physically closer to the user. Theoretically, sophisticated edge computing could eliminate the need for physical hard drives and bulky device components, as the actual computing would occur in the cloud and beam compiled data directly to a screen or user interface. Battery sizes would shrink, ushering in new opportunities for wearable and drone technology.

Hypercharged wireless internet and robust cloud computing are just the start. The high data rate and low latency of 5G are envisioned as opening up many new applications in the near future. The use of data-heavy virtual and augmented reality applications in healthcare and research is one promising example. Another is 5G’s facilitation of fast machine-to-machine interactions in the coming Internet of Things. For example, computers in vehicles would use 5G to communicate continuously with each other, with sensors on the road, and with real-time, artificial intelligence-generated directions. This is the kind of “smart grid” cities will have to deploy to support self-driving cars. Over time, communication capabilities and computing power will combine and extend across networks and devices, and information and computing power will be instantaneously available. This will encourage a wave of innovation in applications, services and functions built to run on the new infrastructure.

Lightning speed, expanded capacity, and massive connectivity are the defining characteristics of current 5G networks and enabled devices. These conditions are ideal for emerging technologies to take root.  

More than that, 5G is widely expected to be a defining stage in the global evolution of IT in general, affecting almost all parts of industry and society. In subsequent posts, we’ll take a look at the standards on which it will all be built and explore the security considerations around its deployment. 


Cybersecurity Best Practices During the COVID-19 Pandemic

The unprecedented and extraordinary efforts by businesses and Federal agencies to keep employees and customers safe during the COVID-19 pandemic have also inadvertently opened the door to cyberattacks.

Large-scale transitions to work-from-home technologies, heightened activity on many public-facing networks, and greater use of online services have presented new openings for cyber attackers to exploit. As people around the world shelter in place, they turn to online platforms to chat with friends, shop, work, and go to school. That transition to virtual life puts a large strain on cybersecurity controls.

Federal agencies face new daily challenges in assuring the security of networks. In the midst of the current global pandemic that imperative is even greater — they must protect their institutions while ensuring that daily tasks go on uninterrupted. The Office of Management and Budget (OMB) recommends that agencies “make risk-based decisions as appropriate to meet mission needs” during the COVID-19 pandemic.

It is important now for agency leaders to focus on supporting technologies and capabilities that are absolutely essential to their organizations’ operations. Priority actions — and relevant technologies — may include testing already existing security plans, continuously monitoring security systems, and maintaining access security. GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides Federal agencies with rapid access to cybersecurity vendors who can assist with the following priority actions and more.

Best practices

Testing and having incident response plans in place are helpful for any agency. If an agency has plans such as incident response, disaster recovery, or continuity, it is important to test those plans and assess any risks as soon as possible. GSA’s HACS SIN provides rapid access to vendors evaluated for incident response services.

Chief Information Security Officers (CISOs) should continue to monitor their systems closely in order to identify cybersecurity events and incidents as soon as they may appear. Focus areas include monitoring networks for new strains of malware, monitoring collaboration tools such as Google Drive or Dropbox, and monitoring personnel activity. CISOs can also monitor their systems by using Intrusion Detection Systems or their preferred live network monitoring software. The HACS SIN is an efficient way to access these capabilities.

Access management in a remote work environment is another essential focus area during the COVID-19 pandemic. Though cybersecurity is essential, so is the physical safety of the American people. Agencies are encouraging teleworking whenever possible to adhere to the Government’s social distancing guidelines, and cybersecurity experts are needed to help make telework safe and secure for employees.

With many — if not all — of an agency’s employees working from home, click-through rates for phishing emails may increase when employees no longer work closely enough with coworkers to ask them in person about suspicious activity. Remote work can also require agencies to enable offsite access to critical and/or confidential information, which can increase the risk of a cyber attack. Employees can mitigate this risk by adhering to their agency’s access control policy and utilizing secure connections (such as Two-Factor Authentication (2FA) and/or VPN) when accessing Government networks containing sensitive information.

The COVID-19 pandemic is first and foremost a human challenge, with heads of agencies and employees all juggling professional duties with personal and family responsibilities. The risk of cyberattacks will be elevated, but by focusing now on cyber activities — testing response plans, monitoring security systems, and maintaining personnel security — agencies can successfully maintain their security.

GSA is here to help connect Federal agencies with vendors that provide necessary cybersecurity services during this time through the HACS SIN solution. For more information, visit the HACS Homepage. To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.


Incident Response: Protecting Your Agency Before and After a Cyberattack

As cyberattacks increase in size and frequency, it is important for every agency to protect its network from incidents that can jeopardize the confidentiality, integrity, or availability of an information system. The Office of Management and Budget and the Department of Homeland Security determined that 74 percent of federal agencies participating in their 2018 assessment had cybersecurity programs that were either at risk or high risk.

While an agency can take proactive measures to prevent cyberattacks, an incident may still occur. When a cyberattack or other damaging incident occurs in an agency’s network, reactive measures such as incident response must be taken to preserve the integrity of the information system.

Incident response is the methodology an organization uses to respond to and manage a cyberattack. A data breach or cyberattack can wreak havoc and potentially affect employee security, intellectual property, and agency time and resources. Incident response protocol aims to reduce this damage and recover as quickly as possible.

Incident response protects organizations against four common types of incidents:

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) offers incident response services to help organizations with compromised systems. These services help to determine the extent of the incident, remove the adversary from systems, and restore networks to a more secure state.

HACS incident response services can also be used to proactively plan for future attacks. Preparing and maintaining an incident response plan helps agencies handle cybersecurity events and minimizes the impact of potential threats while strengthening an agency’s defenses against any future incidents.

Below is an example of an incident response plan:

Incident Response Step | Action Taken
Preparation | Create an asset list and system baseline.
Detection and Analysis | Analyze events to determine whether they constitute an incident.
Containment, Eradication, and Recovery | Prevent further damage from an incident, and determine the cause of an incident so that the system can be returned to the previously known neutral state. Restore compromised system to operational status.
Post-Incident Activity | Provide final report of the incident identifying current procedures for efficacy and whether those procedures were followed properly.

Another benefit of the HACS SIN is that the vendors included under the incident response subcategory have passed a technical evaluation and can provide individualized incident response plans. If an agency already has an incident response plan, vendors can evaluate the plan and provide services that adapt to that individualized plan. Vendors use qualified resources to minimize the impact of cyber-attacks and avoid future incidents. Incident response services can also augment agency resources during a large scale incident.

For more information on incident response and how GSA’s HACS SIN can provide your agency with incident response services, please visit the HACS Homepage.

To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.


GSA’s Federal Acquisition Service Training Conference: Register to Attend or Exhibit

Attend the most comprehensive federally sponsored training event for acquisition professionals – FAST 2020.

The GSA-hosted Federal Acquisition Service Training (FAST) Conference 2020 is a multi-day, national training conference for the federal acquisition workforce, industry partners, and customer agencies. FAST 2020 will be in Atlanta at the Georgia World Congress Center. GSA is offering comprehensive training led by renowned procurement experts free of charge to all federal acquisition professionals.

FAST 2020 will also offer industry the opportunity to network with large and small businesses within the same industry and develop teaming arrangements to win future business. Agency partners will be able to conduct market research with industry partners on-site!

Attend the FAST 2020 Training Conference to help you better meet your agency mission. Network with fellow acquisition professionals and learn from them. Earn up to 20 CLP credits, collaborate with your peers, and see the latest industry solutions in the exhibit hall. ITC is offering over 30 thought-provoking classes so you can learn IT procurement from every angle.

Upcoming training tracks:

  • Advanced Techniques in Acquisition
  • Being Brilliant at the Basics for Feds
  • Being Brilliant at the Basics for Industry Partners
  • IT Modernization Emerging Technologies and Innovation
  • Leveraging the Power of the Internet eTools
  • What’s Next in Acquisition

Add FAST 2020 to your Individual Development Plans (IDPs) to begin the travel and conference participation approval process within your agency. To help you, we’ve created a sample justification letter [doc] to attend the FAST conference.

Register now for the FAST 2020 conference in Atlanta, Ga., April 14-16. I hope to see you there!


Attend GSA’s Federal Acquisition Service Training Conference

We pride ourselves on the close relationships that we’ve built with industry. These partnerships enable us to help agencies across the government achieve mission success.

Industry’s solutions and expertise are critical in helping government fuel IT modernization and transformation.

These close relationships don’t come easily, though. Both GSA and industry have to put in the time and effort to get to know each other. This helps us better understand industry’s latest solutions — enabling us to better represent them to the agencies who need them.

That’s why GSA’s Federal Acquisition Service is holding FAST 2020. FAST 2020 will bring together thousands of experts — both government and industry — in one place, allowing unparalleled collaboration. We encourage our industry partners to register today!

Why You Should Attend

Participating industry partners will be able to:

  • Benefit from accessing the most comprehensive federally sponsored training event for contract management, procurement, and acquisition professionals in the nation.
  • Directly engage with 3,000+ federal contracting professionals as well as senior policy and program leaders under one roof, saving travel and time away.
  • Master the latest government e-tools and processes, and learn from the experts.
  • Meet face-to-face with master contracting officers.
  • Network with large and small businesses in similar industries and develop teaming arrangements to win future business.
  • Showcase company offerings, live, on the show floor.
  • Gather more and better market intelligence to advance your company’s competitive advantage.

Small businesses will benefit in additional ways:

  • Meet multiple contracting officers in one setting.
  • Save money: participating in one large event is more efficient than many smaller events.

Two Ways to Participate

Industry can participate in FAST 2020 in two main ways:

Participant – Industry has an entire dedicated training track. We are planning other activities (such as industry matchmaking sessions) to benefit and strengthen our industry partner relationships. Find detailed information about Industry-focused training sessions under the Training Sessions tab on our conference registration site.

Industry Exhibitor – The FAST 2020 Exhibit Show Floor is 270,000 square feet and will be organized into 10 Category Communities.

As GSA, we’ve set aside two huge spaces (50 ft x 50 ft) for us:

  • We’ll use the first as our main GSA booth, where we’ll host a small training theater, with kiosks dedicated to each of the 10 federal categories.
  • We’ll use the second space to host our GSA e-lab, where conference participants can get hands-on experience with our suite of e-tools!

Industry exhibit space sales will be on a first-come, first-served basis. Sign up now to exhibit at FAST 2020.

Join Us

FAST 2020 is going to be big. It’s our first conference since 2011 in San Diego. I hope that you’ll join me in Atlanta, GA, April 14-16.

I look forward to meeting those of you I haven’t yet met and catching up with old friends.

To learn more about FAST 2020 visit www.gsa.gov/FAST.

Register here today!


GSA, Customers, and Vendors Meet in Texas for 2019 ITC Acquisition Summit

This August, we brought nearly 300 representatives from government and industry together for our 2019 IT Acquisition Summit. Collaborative events like this are critical to our success in supporting agency missions across government.

We met in Fort Worth, home of GSA’s Greater Southwest Region 7, which spans Texas, Louisiana, Arkansas, Oklahoma and New Mexico. We used a human-centered design approach to generate open communication and collaboration between GSA and our industry partners. Learning through use-cases and sharing information helps us better understand the challenges and constraints both government and industry have.

The summit was held in coordination with the Advanced Technology Academic Research Center (ATARC) and moderated by its president, Tom Suder. During the first day, attendees heard from various GSA and industry representatives on popular topics such as cybersecurity, mobility, 5G, emerging tech, and IT modernization. 

Dennis Shingleton, member of the City Council and mayor pro tempore, opened the summit with a boisterous Texas-style welcome.

I moderated the kick-off session with panelists Bill Zielinski, Assistant Commissioner of the IT Category; Anahita Reilly, Chief Customer Officer of the Office of Customer Experience; and Dominic Sale, Assistant Commissioner of the Office of Operations for Technology Transformation Services. They discussed GSA’s approach to IT modernization, category management, and shared services.

An afternoon panel from the Mobility Services Category Team discussed the 5G rollout, how it will shape public-sector adoption of Internet of Things applications, and its implications for supply chain security. Allen Hill, director of the Office of Telecommunications, opened the session, and Sam Navarro, program manager of the Enterprise Mobility Program, moderated the panel. Representatives from AT&T, Verizon, MetTel, and T-Mobile discussed the state of mobile technology and how consumers of 5G determine the new ways they will use the technology.

Our summit concluded with opportunities to attend one-on-one sessions with GSA acquisition professionals and an interactive use-case workshop.

We plan on hosting the IT Acquisition Summit again in 2020 — slated for Washington, D.C. The open communication and collaboration in a focused setting foster the type of game-changing ideas we need to continue enhancing IT acquisition for the whole of government.


*Photographs above by James Wronski, Carahsoft

GSA Leading the Way for 5G

In July, we gave you a first look at the possibilities of 5th generation wireless technology (5G) in the public sector.

Commercially, 5G devices will deliver voice, video, and data to consumers with unparalleled efficiency for broadband mobility. Providers will upgrade their networks, manufacturers will develop new types of devices, and industry will market products and services around connectivity and mobility.

For the government, a 5G future is more complex since we’ll be tasked with making these technologies useful for everyone. That’s why we’re publishing a white paper on 5G — watch for that after our 5G Technology Customer Event on Oct. 3.

What’s Next for Government 5G

As new technology comes to market, we work with agencies and industry to pair the right wireless solutions to mission needs — focusing on wireless solutions security and cost efficiency.

Schedule 70 SIN 132-53 shows the robust capabilities we bring to the government market:

  • Wireless Carrier Services
  • End Point infrastructure
  • Mobility as a Service (MaaS), a.k.a. Device as a Service (DaaS)
  • Enterprise Mobility Management (EMM)
  • Mobility Backend as a Service (MBaaS)
  • Telecommunications Expense Management System (TEMS)
  • Mobile Application Vetting
  • Mobile Threat Protection
  • Mobile and Identity Management
  • Internet of Things (IoT)

10/3 GSA 5G Event

To learn more about the possibilities of 5G, join us on Oct. 3 at the GSA 5G Government Symposium. We’ll cover:

  • how 5G can help agencies meet their mission,
  • the challenges facing government as we implement this new technology, and
  • how 5G will integrate into today’s networks.

View the agenda. Join us online or in person.

Stay Tuned to 5G

For our next 5G post, we’ll explore how unlicensed and lightly licensed spectrum could affect campus networks.


New OMB Policy Puts Identity Management in Perspective

Identity, Credentialing, and Access Management (ICAM) is the set of security disciplines that allows agencies to manage, monitor, and secure access to protected resources. These resources may be electronic such as files or computer systems, or physical resources such as server rooms and buildings. 

In May of this year, the Office of Management and Budget (OMB) released an updated policy on Identity, Credentialing, and Access Management (ICAM). The policy provides ICAM guidance for the federal government and outlines specific responsibilities for federal agencies.

As one of the agencies that leads governmentwide ICAM efforts, GSA is committed to ensuring the federal government’s long-term viability, security, responsiveness, and efficiency. To do so, we have specific responsibilities regarding the ICAM acquisition solutions we make available to agencies.

ICAM Policy

This ICAM policy comes at a crucial time. The discussion around defining identity is evolving rapidly. Identity is now more than just a person; it is a unique representation of a subject and can include devices like cell phones, tablets, TVs, or any network-connected item. Ensuring the right people (or devices) have the right credentials and access is paramount.

OMB’s ICAM policy gives the federal government direction by first clarifying what it considers to be identity. The policy further defines what it means to:

  • manage those identities, 
  • provide credentials to not only government employees and contractors but the public as well, and 
  • allow access to the right information systems and physical access to buildings. 

Agency-Level Responsibility

ICAM is now an agency-level responsibility. Agencies’ approach to ICAM should consider governance, architecture, and acquisition. The ICAM policy lays out agency responsibilities to meet policy outcomes accordingly. 

What must agencies do? Here’s a high-level list:

  • Develop an agency-wide ICAM office, which may require more resources. 
  • Assess current ICAM capabilities, identify gaps for new capabilities, and develop plans to transition obsolete capabilities.
  • Use acquisition vehicles such as Best-In-Class, Tier 2, or federal shared services to procure new capabilities.

Also, the ICAM policy specifies responsibilities for agencies that lead governmentwide efforts in identity management. GSA, along with the National Institute of Standards and Technology (NIST), Office of Personnel Management (OPM), and Department of Homeland Security (DHS), will update the ICAM guidance and develop ICAM roadmaps. The other agencies’ responsibilities are described within the policy.

GSA is specifically tasked with ensuring all current ICAM solutions and shared services are immediately available for agencies to use to begin meeting policy requirements.

Also, GSA will ensure ICAM acquisition solutions comply with this OMB ICAM policy as well as other relevant laws, standards, and guidance.

GSA’s ICAM Solutions

Agencies can visit GSA’s eLibrary to see the current ICAM SINs available on IT Schedule 70, which include the PKI Shared Service Provider (SSP) Program (132-61), HSPD-12 (132-62), and PKI Professional Services (132-60f).

Another important ICAM solution is the USAccess Program. GSA’s USAccess program provides federal government agencies with identity credential solutions. This shared service provides an efficient, economical and secure infrastructure to support agencies’ credentialing needs. Currently, the program supports over 600,000 users and continues to add more users.

The Department of Veterans Affairs is the most recent large federal agency to choose USAccess for its identity credentialing solution. When fully operational, this will bring over 500,000 additional cardholders onto the USAccess system.
