Post-Quantum Cryptography — What is it and where to start?

We all know cybersecurity is a dynamic field that is constantly evolving to protect people from the malicious use of technology. As we’ll explore in this post, cybersecurity professionals may soon be called to defend against technologies that blur the limits of classical physics.

What we know

Think back to high school physics, old episodes of the TV show “Nova,” or even the latest superhero movies, and you’ll recall the term “quantum” or “quantum mechanics.” Quantum, simply speaking, refers to what goes on at the subatomic level.

For decades, our friends at the National Institute of Standards and Technology (NIST) marshaled the resources of the federal government in applying the principles of quantum mechanics to information processing. They helped shape the field of quantum information science and birth an entirely new class of devices: quantum computers.

Right now, when a computer tries to solve a complex problem it has to check every possible solution one by one. That takes an enormous amount of time and computational power. Here’s where quantum computers shine. Because they operate at the subatomic level, they can actually explore and check multiple solutions simultaneously, drastically reducing the time needed to find the right answer. This means that tasks that would take classical computers years or even centuries to complete could be done by quantum computers in a matter of minutes or hours. It’s mind-boggling!

The problem

Here’s the catch: quantum computers could also break many of the encryption algorithms we currently rely on to protect sensitive data. We rely on encryption to keep information and data transfers safe both in our government work and everyday life – everything from logging into networks and websites to paying with credit cards. Quantum computers put all of that encryption at risk.

In 2022, the National Security Council issued a warning that certain quantum computers could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”

The Office of Management Budget then issued M-23-02 advising agencies how to take the threat seriously. Importantly, OMB said agencies should prepare to protect their data from quantum computers trying to break their encryption. Such stronger data protections became known as Post-Quantum Cryptography (PQC).

So what technologies and services will agencies need to transition to PQC?

Where to start

The first step, per M-23-02, is for agencies to inventory their active cryptographic systems and re-inventory them annually through 2035. That includes looking at all deployed cryptographic systems used for creating and exchanging encryption keys, providing encrypted connections, or creating and validating digital signatures. GSA has multiple acquisition vehicles ready to help you find the right resources to do that.

  • The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) also offers quick access to vendors who have been technically evaluated to do such inventories.
  • If an agency has Enterprise Infrastructure Solutions (EIS) Managed Services awarded, it can tap into those suppliers to conduct these assessments.

The way forward

The experts at NIST are leading the effort to develop algorithms designed to withstand quantum computer attacks. NIST has begun the process of standardizing these algorithms — named CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, and FALCON. This is the final step before making these mathematical tools available so that organizations can integrate them into their encryption infrastructure. NIST also notes that there will be more post-quantum encryption standards to follow.

Some agencies may wish to start testing the PQC algorithms before they are standardized by NIST. Hardware, web browsers, content delivery networks, cloud service providers, devices and endpoints, and enterprise devices that initiate or terminate encrypted traffic all rely on encryption and might be areas to test pre-standardized PQC algorithms.

If your agency is ready to test or explore quantum computing further, GSA has contracts for that too:

Together, we’re on it

Quantum computers are advancing quickly, increasing the need for reliable PQC solutions. GSA works in close collaboration with NIST and the Cybersecurity and Infrastructure Security Agency (CISA) to keep our contracts aligned with the latest technical and security requirements including emerging PQC standards.

Agencies will need to protect their information systems and data from growing threats. The right suppliers can complement an agencies’ IT and information security staff and resources with relevant products, services and solutions to assess cryptographic risks, test safeguards and identify needed investments.

We look forward to working with more agencies to help them prepare for this imminent post-quantum future. We’re planning to host an in-person Quantum Summit at GSA headquarters on April 16, 2024 from 9-12 EST where you can learn more about quantum resilience from Federal practitioners, so save the date! And while we probably won’t be able to help you traverse time and multiverses like a movie superhero, we are ready to help you get your systems prepared for what comes next. Contact us with your needs and we will help guide you to a solution.

Follow ITC on LinkedIn and subscribe for blog updates.

What does the future of cybersecurity look like?

As we look ahead, there are several key areas of focus that will undoubtedly shape the virtual battleground. Government agencies who proactively embrace and implement current high priorities in these key areas will be better prepared to navigate the evolving digital threatscape and safeguard their sensitive information and assets. Here are some top drivers we anticipate will impact agencies’ cybersecurity strategy and spending plans.

Zero Trust Architecture (ZTA)

ZTA has been at the forefront of government guidance in recent years. Now that agencies have had time to plan for their ZTA requirements, implementing strategies should commence. ZTA provides agencies with the foundation to build a strong security posture that evolves with the ever-changing technological environment of dynamic and accelerating threats.

Cybersecurity Supply Chain Risk Management (C-SCRM)

The growing interconnectedness of systems, services, and products makes management and mitigation of supply chain risks even more important. Effective C-SCRM should be a fundamental component in cybersecurity strategy. Having C-SCRM as an essential element in procurement helps to ensure the resilience, security, and continuity of operations for organizations, government agencies, and critical infrastructure.

Post-Quantum Cryptography (PQC)

PQC is an emerging field within the cyber realm that is gaining increased relevance due to the potential threat quantum computers pose to traditional encryption methods. PQC involves the development of new cryptographic algorithms resistant to quantum computer attacks to ensure the security of digital communications and sensitive information. Agencies should begin to plan for future quantum resistant methods by inventorying their systems and engaging with vendors on how they are addressing quantum-readiness.

Some challenges agencies may face include:

  • The ability to identify PQ-vulnerable systems.
  • The ability to identify and implement appropriate PQC algorithms.
  • The high cost and complexity of implementation.
  • A gap in a trained and certified workforce to implement and maintain PCQ algorithms.

Artificial Intelligence (AI)

The rapid emergence and adoption of generative AI tools has created new challenges, especially for data security. As AI becomes more prevalent in our modern technology, agencies will need to assess the associated risks and develop strategies to mitigate vulnerabilities.

GSA and other agencies are working to support the new Executive Order to help ensure that AI systems are safe, secure, and trustworthy.

Follow ITC on LinkedIn and subscribe for blog updates.

Find cybersecurity solutions in IT Services GWACs

In a post earlier this month, I talked about the Cybersecurity Battle Ground with various Administration strategies, executive orders, and some of the resources that we’ve developed to help you navigate this guidance. If you haven’t read that post yet, I suggest you check it out.

Today, I thought I’d talk about some of the acquisition contracts that we’ve developed to help you get on-the-ground support with your cybersecurity efforts.

MAS and beyond

When you think cybersecurity, and you think GSA, the Multiple Award Schedule (MAS) for Information Technology (IT) probably comes to mind. We have a lot of great cybersecurity solutions there, including the Highly Adaptive Cybersecurity Solutions (HACS) Special Item Number (SIN), a variety of Continuous Diagnostics and Mitigation (CDM) tools, and Zero Trust Architecture (ZTA) solutions.

True, MAS-IT is a great place to cover your cybersecurity needs, but it’s not the only place. Depending on your overall acquisition goals, GSA’s Governmentwide Acquisition Contracts (GWACs) are a great path as well. These IT Services-first contracts are considered by the Office of Management and Budget to be Best-in-Class and have a host of capabilities to meet cybersecurity needs; from ZTA to IPv6, to insider threat detection and mitigation services.

I thought it would be interesting to analyze the data in our GWAC Dashboard to see what I could find by simply pulling the data by contract and searching for ‘Cyber’*. This is definitely not a comprehensive review of our cybersecurity offerings on the GWACs, but this gives a great sense of the work that’s happening.

* This can be done by going to the “DATA Feed” tab, clicking on the “Choose a format to download” icon at the bottom right, and selecting “Crosstab.” This will result in an Excel file with more information than can be easily displayed in the web dashboard.

8(a) STARS III

Federal agencies have leveraged the 8(a) STARS III GWAC, for example, to protect against cyber threats. 8(a) STARS III industry partners have supported America’s government by creating cyber risk assessments, performing enterprise penetration testing, and establishing security assessment reports. 8(a) STARS III has 23 task orders with an estimated value of more than $141.8 million for cyber-related activities. The Department of Treasury and the Department of Homeland Security are among the biggest users of 8(a) STARS III for cybersecurity services.

VETS 2

The VETS 2 GWAC is another great example. This Service-Disabled Veteran-Owned Small Business GWAC currently has more than $118 million in estimated value from 10 task orders ranging from IT Security Risk Management Framework (RMF) and Assessment and Authorization (A&A) Services to cybersecurity architecture and engineering services. Some of VETS 2’s biggest cybersecurity customers are the Department of Treasury, the Department of Homeland Security, and the Army.

Alliant 2

Alliant 2 data shows a similar story. There, we find 25 task orders for a total estimated value of $2.2 billion. These task orders relate to Federal Public Key Infrastructure (FPKI) support services to cybersecurity – supply chain risk management (C-SCRM) support services and beyond.

Again, these are just task orders with the term ‘cyber’ in the description field. Even more come through when we add the term ‘IT security’.

The right cybersecurity solutions

As we continue to observe Cybersecurity Awareness Month, I wanted to bring attention to the ‘where’ of conveniently getting the cybersecurity solutions agencies need to protect their systems as agencies move to create a safer and more secure digital future.

Visit our website to learn more about cybersecurity or use our IT Solutions Navigator to find the vehicle that’s right for you.

Follow ITC on LinkedIn and subscribe for blog updates.

The Cybersecurity Battleground

Reflecting on the past, envisioning the future

This month marks the 20th anniversary of Cybersecurity Awareness Month, as well as the beginning of a new government fiscal year. I’d like to take this milestone opportunity to delve into some recent notable cybersecurity events, the broader implications for government agencies, and my vision as GSA continues to play a pivotal role in positioning agencies to create a safer and more secure digital future.

The 2023 Verizon Data Breach Investigations Report shows external actors were responsible for 83% of breaches. Continued cyber breaches, such as Volt Typhoon and the MOVEit application exploit not only cause disruption and pose a serious threat to our national security, but lay the groundwork for more sophisticated cyber attacks. Hackers will leverage any flaw in the cyber environment to gain access to sensitive information. Our adversaries are not resting, and neither can we.

In March 2023, the White House released an updated National Cybersecurity Strategy with ongoing initiatives aimed at enhancing the nation’s cybersecurity capabilities and comprehensive approach. It aligns numerous strategic objectives under five pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

The White House later published its National Cybersecurity Strategy Implementation Plan which includes specific guidance for agencies as they implement the strategy’s requirements and key objectives.

The Department of Defense completed its Cyber Strategy in May 2023. The strategy underscores the ongoing advancement of Zero Trust Architecture (ZTA) and the technological solutions and services to fortify critical infrastructure, ensuring vital systems and assets are safeguarded. In August 2023, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Strategic Plan that aligns with the National Cybersecurity Strategy and lays out how agencies can fulfill their cybersecurity mission over the next three years. As plans are implemented, GSA is prepared to incorporate updated frameworks and standards into our solutions to meet agencies’ needs and requirements.

As we move forward into the new fiscal year, the Office of Management and Budget (OMB) continues to emphasize cybersecurity priorities for civilian agencies to consider when developing FY24 and FY25 budget requests. These include continued implementation of ZTA, investment in Cybersecurity Supply Chain Risk Management (C-SCRM) practices, and most recently Post-Quantum Cryptography (PQC). Details can be found in the OMB Memorandum M-22-16, M-23-18, and the Quantum-Readiness: Migration to Post-Quantum Cryptography fact sheet. Additionally, OMB outlined Research and Development Priorities for the FY25 budget which include addressing cybersecurity risks through resilient architectures. As the cybersecurity landscape is in a constant state of evolution, adapting to new guidance is imperative to Improving the Nation’s Cybersecurity.

How GSA supports agencies

GSA recognizes that every agency has unique needs, but the overarching goals remain. That is why GSA works diligently to support the modernization of security to enhance cyber resilience, protect important information, and maintain systems access and function.

To help agencies meet their goals, GSA developed a suite of resources on cybersecurity topics, such as ZTA and C-SCRM. Buyer’s guides and informational videos are available to help identify which solutions best fit agency IT security needs. In addition, our acquisition templates make procuring the products and services that modernize security and strengthen cyber resilience easy and efficient. Find the guides and more at www.gsa.gov/itsecurity.

Our commitment

At GSA we understand collaboration with other agencies, and our industry partners, is crucial for addressing the evolving and global nature of cybersecurity threats. We are committed to continue our efforts to provide comprehensive and impactful government-centric cybersecurity solutions that address the need for modernization today and protect assets from the cyber threats of tomorrow.

Stay up to date

We are available to agencies throughout the entire acquisition lifecycle. The GSA IT Category team offers subject matter expertise and is available to answer questions related to purchasing a full range of IT products and services. Please contact the IT Customer Service Center at 855-ITaid4U/855-482-4348 or itcsc@gsa.gov.

Follow ITC on LinkedIn and subscribe for blog updates.

October is Cybersecurity Awareness Month

Blue promotional image with laptop, desktop, and mobile device clipart on the right side of the image. White text on the left reads "Is your agency cyber ready? GSA can help."

Is your agency cyber ready?

October is Cybersecurity Awareness Month and this year’s theme is “See Yourself in Cyber.”
Planning and executing a cybersecurity acquisition is a winding road. It can be daunting without a clear place to start. Federal agencies are challenged with navigating changing threat environments, new policy mandates, and an ever-evolving technology landscape. Acquisition professionals within the federal government have a large role in helping to protect our Nation’s networks and assets but don’t have to take this on alone. GSA offers convenient access to a range of resources to help identify requirements and create a plan, compare contract vehicles, and develop a solicitation to award a contract.

GSA is here to help “See Yourself in Cyber” and get your agency one step closer towards being cyber ready.

Current cybersecurity requirements

Executive Order (EO) 14028: Improving the Nation’s Cybersecurity and associated Office of Management and Budget (OMB) memoranda established critical policy goals federal agencies must follow. These goals include implementation of a Zero Trust Architecture (ZTA) and the adoption of Cybersecurity Supply Chain Risk Management (C-SCRM) practices within Information and Communication Technology (ICT) supply chains. Federal agencies have also been targeted in a number of high-profile cyber attacks resulting in new and evolving program needs to protect their networks from and respond to future attacks.

GSA offers multiple resources to help make sense of these new policies and program drivers and translate them into requirements for a solicitation:

  • GSA’s EO 14028 webpage and the Zero Trust webpage connect users with resources related to recent cybersecurity requirements.
  • GSA subject matter experts (SMEs) offer focused cybersecurity training that discuss many of the policy and technology drivers impacting the Federal cybersecurity marketplace.
  • GSA has multiple videos on cybersecurity on ITC’s YouTube playlist. Topics include use case scenarios for agencies seeking to procure cybersecurity solutions and the journey toward implementing a ZTA.

Buyer’s Guides

GSA offers a wide range of cybersecurity services and solutions. We know it can be difficult to select the right fit for your agency’s requirements. To help demystify this process, GSA developed a number of buyer’s guides that identify which solutions meet your agency’s specific cybersecurity needs:

GSA-offered cybersecurity services and solutions

GSA has several cybersecurity-specific contracting offerings, including:

  • The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) on the Multiple Award Schedule Information Technology (MAS IT), established in collaboration with OMB and the Cybersecurity and Infrastructure Security Agency (CISA), which provides:
    • Proactive and reactive cybersecurity services.
    • A wide range of vendors capable of meeting your agency’s small business and socioeconomic contracting goals.
    • Access to technically evaluated cybersecurity vendors. Vendors must pass an oral-technical evaluation to be able to offer services through the HACS SIN.

If you have questions about whether your requirement fits within the scope of the HACS SIN, GSA SMEs are available to provide free and individualized consultations, and scope reviews.

  • The IT Professional Services SIN on MAS IT that offers agencies:
    • Access to pre-vetted IT solution providers.
    • Pre-negotiated prices that can be further discounted.
    • Established terms and conditions at the master contract level that can be customized at the task order level.
    • A diverse pool of vendors to help meet socioeconomic and small business contracting goals.
    • Two cybersecurity-specific subcategories: IT Backup and Security Services, and Information Assurance.
  • The Continuous Diagnostics and Mitigation (CDM) Tools. CISA maintains the CDM Approved Products List (APL), the authoritative catalog for CISA-approved CDM IT products. To purchase products on the APL, agencies can use:

Planning and procurement tools

GSA gives buyers an entire toolbox to guide the process of developing and releasing a solicitation, from market research to procurement.

  • GSA’s Market Research as a Service (MRAS) gives buyers access to rapid, targeted market research for their acquisitions at no cost. MRAS can be used to identify GSA contracts that might fit requirements, get information on vendor pools and market data, or compare and search products offered on GSAAdvantage!®.
  • Buyers can also use GSA’s IT Solutions Navigator to identify the right contract vehicles to meet cybersecurity needs. Users can select types of products or services to see a list of best-fit contract vehicles and solutions that meet requirements.
  • On GSA eLibrary, agencies can view vendor pools offered under different contract vehicles, review vendors’ terms and conditions, and view their socioeconomic designations and geographic locations.
  • The IT Security Hallway on the Acquisition Gateway displays multiple resources for government users in one convenient location. Users can access sample statements of work for the HACS SIN and a tool to help calculate Independent Government Cost Estimates (IGCE).
  • Agencies can also use GSA eTools, including GSA eBuy and GSA Advantage!® to initiate the procurement process and release documents to industry. On GSA eBuy, Requests for Information, Requests for Quote, and Requests for Proposals can be released to holders of the contract vehicle selected. On GSAAdvantage!® buyers can compare products and pricing to make purchases or view past solicitations released as a resource.

GSA offers continued support

GSA support doesn’t stop once you’ve released your solicitation. We are committed to providing support to agencies throughout the entire acquisition lifecycle. If you have questions related to an offeror’s submission, or need to clarify questions from industry, our experienced cybersecurity and contracting SMEs can assist. For SME support, contact the GSA IT Security Subcategory at ITSecurityCM@gsa.gov.

While cybersecurity acquisitions may seem intimidating at first glance, GSA offers plenty of resources to help demystify the process. If you need additional assistance, you can contact the Customer Service Director (CSD) dedicated to your agency and region, or your agency’s National Account Manager (NAM). CSDs and NAMs are a valuable source of information on GSA programs and can connect you with further support or training. To learn more about CSDs and how they can help, watch this video.

Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

C-SCRM Acquisition Community of Practice (ACoP) Interact Site

Cyber-Supply Chain Risk Management (C-SCRM) Whole of Government logo.

Since the launch of the C-SCRM Acquisition Community of Practice (ACoP), GSA and CISA have been co-leading an effort to broaden the level of awareness and develop agency maturity in the areas of acquisitions, supply chain risk management, and cybersecurity across the Federal Government for information communication technology and services (ICTS).

Many federal departments and agencies have limited C-SCRM capabilities, resources, governance, guidance, and training; especially in the acquisition of ICTS. We need governmentwide collaboration with industry and the sharing of ideas, tools, guidance, and best practices for C-SCRM as part of the acquisition of ICTS.

Many don’t see the acquisition workforce as a key component of agencies’ cybersecurity teams. But federal procurement professionals have unique opportunities, through contracting, to ensure the safety and security of the federal government’s ICTS, help strengthen cybersecurity across networks, and prevent incidents like Solarwinds from occurring.

To increase C-SCRM awareness and adoption government-wide, the C-SCRM ACoP launched an online collaborative space for the federal government’s IT community and industry to share best practices, ideas, guidance, tools, and expertise needed to implement C-SCRM requirements. Working together as a community and sharing information will help us improve our cybersecurity posture across all levels of government.

The C-SCRM ACoP has hosted key events such as the C-SCRM Shark Tank event in collaboration with the American Council for Technology – Industry Advisory Council (ACT-IAC) where industry experts showcased innovative C-SCRM solutions to a government panel. The C-SCRM ACoP also plans to conduct a survey of industry to identify C-SCRM challenges and suggest best practices from industry’s perspective.

Additionally, the C-SCRM ACoP hosts monthly sessions open to federal employees and agency support staff. These sessions and events, held in collaboration with CISA, offer opportunities for knowledge sharing and cross collaboration focusing on supply chain risk awareness and advancements in cyber-acquisitions. Subject matter experts are ‘on hand’ not only providing information related to cybersecurity and acquisition integrity, but also best practices and lessons learned. 

Joining the C-SCRM ACoP helps:

  • Enhance the Federal Government’s cross-agency collaboration
  • Identify agencies’ strengths and capabilities in leading strategic C-SCRM objectives
  • Rapidly disseminate best business practices & outcomes
  • Learn from other agencies

To join the C-SCRM ACoP, email us at C-SCRM_ACoP@gsa.gov.

Visit the C-SCRM ACoP’s Interact site to be part of this collaborative journey. Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

Reducing Cyber Supply Chain Risks

From reports of large-scale cyber attacks such as Solarwinds to President Biden’s signing of Executive Order 14028, Improving the Nation’s Cybersecurity, cyber supply chain risks have been top of mind for policymakers and federal agencies governmentwide.

GSA is committed to helping agencies mitigate cyber supply chain risks. By understanding the threats, agencies are positioned to take defensive action against them.

Ecosystem threats

Government depends on a global supply chain ecosystem: vendors, distribution routes, technologies, laws, and policies. Each piece of this ecosystem works together to design, manufacture, distribute, use, and manage products and services.

However, these supply chains’ ecosystems can expose government organizations and enterprises to financial, governance and cybersecurity risks.

Of these risks, one of the most troubling is that someone will use vulnerabilities in a supply chain to carry out a cyberattack.

A supply chain cyber attack occurs when an attacker uses a trusted outside partner or vendor with access to a system’s data to infiltrate an information system.

Because supply chain attacks are difficult to prevent and can greatly harm any organization, federal agencies must identify, categorize, manage, and mitigate risks within their supply chains.

In its December 2020 report, the Government Accountability Office (GAO) assessed how 23 civilian CFO Act agencies’ implemented 7 Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) practices.

In their review, the GAO found that many agencies had not implemented the practices according to their evaluation criteria and that no agencies had fully implemented all 7 practices.

What you can do

You can take proactive information and operational technology acquisitions measures to reduce an organization’s cyber supply chain risks.

  • Evaluate your organizational structure. Set up a collective task force to secure your supply chain and empower this team to hold lower-level suppliers accountable and to have responsibility for overall supply chain security.
  • Identify and empower supply chain leadership. Review and monitor key contracts to verify that prime and subcontractors maintain security practices through the contract lifecycle. Threat intelligence and incident response capabilities must work together.
  • Put data protection and stakeholder communication processes in place. Set requirements for communicating and protecting data, specifically for incidents, breach notifications, and industry or legal reporting requirements.
  • Build trust by sharing threats with your supply chain partners. Prevent communication delays by being transparent about an attack or a potential breach. Transparent leadership and communication creates trust. Building that trust requires a commitment to straight talk, the ability to produce results, and the ability to restore trust when trust is lost.

GSA C-SCRM Resources

For the last 10 years, federal guidance and regulations have prioritized SCRM. This priority reflects the increasing threat of vulnerabilities in the nation’s supply chain.

We’re continuing to develop ways to help agencies reduce supply chain risk, like the Vendor Risk Assessment Program and the Cyber Supply Chain Risk Management Acquisition Community of Practice.

Vendor Risk Assessment Program

We are currently developing a program that can identify, assess, and monitor supply chain risks for vendors who do critical work for the federal government. It will audit supply chain risk processes or events and may include on-site assessments.

The following criteria will be monitored:

  • Risk of foreign ownership, control or influence;
  • Cyber risk; and
  • Factors that would affect the company’s vulnerability, such as financial performance.

If the risk assessment identifies supply chain risks, we will work with the vendor on a corrective action.

We take this seriously. Failing to resolve any identified risk may result in government action up to and including contract termination.

Cyber Supply Chain Risk Management Acquisition Community of Practice

In August 2021, we established a C-SCRM Acquisition Community of Practice (ACoP). It includes key acquisition stakeholders from GSA, Cybersecurity and Infrastructure Security Agency (CISA), Office of Management & Budget (OMB), and other federal agencies.

The goal of C-SCRM ACoP is to increase awareness and develop maturity in the areas of cyber-acquisitions and Information Communication Technology and Services (ICTS) supply chain risk management across the federal government.

Many federal departments and agencies need to mature C-SCRM capabilities, guidance, and training. This is particularly true for acquiring ICT hardware and software.

We need governmentwide contract language for getting ICT products that holds vendors accountable for assessing the risk of their supply channels, especially for embedded software.

To learn more about the C-SCRM ACoP or to join, email C-SCRM_ACoP@gsa.gov.

Coordination is key

Agencies must continuously monitor their interconnected IT ecosystem and establish the necessary contract requirements that ensure vendors are doing the same.

Stay up to date on the latest GSA C-SCRM initiative by following us on Twitter @GSA_ITC.

GSA’s Enterprise Infrastructure Solutions Instills Cybersecurity Confidence

On May 12, the White House issued the Executive Order on Improving the Nation’s Cybersecurity. This EO underlines the fundamental problem of how cybersecurity weaknesses leave critical infrastructure open to debilitating attacks. It also outlines what government agencies must do to improve their collective defensive posture, reduce risk, improve visibility and secure their infrastructure.

GSA’s Information Technology Category (ITC) tracks cybersecurity trends and is involved in conversations with industry experts on this topic. We incorporate the EO’s technological goals in our contract solutions, like Enterprise Infrastructure Solutions Contract, or EIS.

When it comes to network security, Zero-Trust Architecture (ZTA) is the gold standard. We even published a Zero Trust Architecture Buyer’s Guide to help agencies build toward it. EIS is featured prominently in the guide, because it offers baked-in security “building blocks” to create customizable solutions.

Managed Security Services

The EIS Managed Security Service (MSS) is a comprehensive service that protects an agency’s information technology assets—hardware devices, network, software, and information—from malicious attacks. It includes capabilities such as authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management. MSS comprises the following sub-services: Trusted Internet Connections Service (TICS), Managed Prevention Service (MPS), Vulnerability Scanning Service (VSS), and Incident Response Service (INRS).

Managed Network Services

The EIS Managed Network Service (MNS) enables an agency to outsource a portion or all of its network planning, design, implementation, maintenance, operations and customer service as a strategic move to improve IT services and lower costs.

Software Defined – Wide Area Network (SD-WAN) Services

SD-WAN services provide significant benefits by giving agencies central security management and visibility, the ability to segment networks where security policies can be tailored per application and data type, and identity-based user access.

Managed Trusted Internet Protocol Services (MTIPS)

MTIPS version 2.2 provides security for all external connections to public Internet, Extranet, and Cloud Service Providers. As agencies look to implement the Cybersecurity and Infrastructure Security Agency (CISA) TIC 3.0 guidance, MTIPS may be complemented with additional EIS services to achieve the updated security capabilities of a TIC 3.0 Traditional TIC solution.

FedRAMP Authorized Software-as-a-Service (SaaS) Tools

SaaS gives an agency access to applications hosted in the cloud. The provider manages the security, availability, and performance of the applications as part of their service. Using SaaS allows an agency to reduce the time, expense, and risk associated with the installation and maintenance of software on agency computers. EIS SaaS meets all federally required security standards for Cloud services.

EIS delivers solutions to agencies that will meet CISA’s latest Trusted Internet Connections (TIC) 3.0 guidance and ZTA requirements which include the Core Zero Trust Logical Components described in the National Institute of Standards and Technology (NIST) Special Publication 800-207. GSA continues to collaborate with CISA to provide guidance to agencies advancing legacy networks towards a zero trust architecture.


In the past decade, the typical federal agency network has evolved from being static with a known perimeter to mobile-friendly with nodes across the country. We are now regularly reminded that security solutions must correspondingly evolve to secure agency data and be able to ensure the safe transport of information to and from cloud applications, data centers, and remote users. If they don’t, the U.S. will continue to be vulnerable to malicious actors all over the world.

The Cybersecurity EO prioritizes “accelerated movement to secure cloud services; centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investment in both technology and personnel to match these modernization goals.” EIS already supports these by supplying SD-WAN services, 5th Generation (5G) telecommunications technology, Internet of Things (IoT) offerings, and Cloud-based security solutions.

Using EIS to buy IT infrastructure ensures a greater degree of consistency in the government’s telecommunications and network infrastructure services. It also consolidates the government’s purchasing power, driving lower prices on products and services that to satisfy complex security, flexibility, and visibility needs. EIS solutions offer the foundation needed to adapt to evolving threats and continue accomplishing your mission. The sooner agencies transition, the sooner they can take advantage of the secure solutions available on EIS. Accelerate your transition progress by Taking A.I.M. at EIS.

Zero Trust Architecture: Acquisition and Adoption

What is Zero Trust Architecture (ZTA)?

Zero Trust is not a technology, but an approach to cybersecurity. It assumes all cyber networks and traffic are hostile in nature, and that any implicit trust in users should be eliminated. Now, more than ever, Zero Trust concepts are becoming increasingly important to an agency’s IT security posture as we see an increase in cyber attacks.

Zero Trust Architecture (ZTA) is a cybersecurity strategy that employs narrow and dynamic network defenses where every action, and use of resources is questioned, and where users are given the minimum levels of access to information needed to do their jobs.

To fully implement ZTA, organizations need to focus on the integration and implementation of a range of tactics and technologies. We can no longer rely on the concept of “trust, but verify”. Instead, agencies must verify, re-verify, and continue re-verifying with added layers of cybersecurity to establish true ZTA.

Why is ZTA important now?

Recent sophisticated cyber attacks and the shift to remote/virtual work environments highlight the importance of focusing on cybersecurity. The recent Sunburst and Colonial Pipeline cyber attacks exposed vulnerabilities in government and private sector computer systems. These attacks are a stark reminder that a weakness anywhere is a weakness everywhere. Furthermore, as organizations move to a mix of cloud-based, on-premises, and hybrid network models, traditional perimeter-focused network defenses can no longer protect an organization’s information communication technology assets. To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, government agencies must move quickly to modernize their cybersecurity capabilities and accelerate towards the adoption of ZTA.

In 2020, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture was released to provide agencies with guidance and detailed recommendations to improve their security posture using the core principles of ZTA. More recently, Executive Order 14028 “Improving the Nation’s Cybersecurity” requires all Federal agencies to develop a plan to implement ZTA in an effort to modernize and strengthen cybersecurity standards and detection.

What can agencies do to embrace ZTA?

Although there is no single end-to-end, comprehensive Zero Trust network solution, movement towards a Zero Trust security posture does not require agencies to rip and replace existing cybersecurity tools, hardware, or software products. Rather, agencies can make incremental steps to “re-tool” existing products to adhere to Zero Trust principles and supplement with GSA-offered products, services, and solutions to achieve ZTA.

GSA created a Zero Trust Architecture Buyer’s Guide for acquisition, network architect, and cybersecurity professionals who are seeking to implement ZTA. The guide is a roadmap to ZTA and provides helpful concepts and best practices. Zero Trust security models currently range between five and seven pillars. For the purposes of facilitating an acquisition-based perspective, GSA chose to represent a combination of eight unique pillars that agencies should consider when implementing a robust and efficient Zero Trust security model.

Zero Trust Architecture Pillars-User, Device, Network, Infrastructure, Application, Data, Visibility and Analytics, Orchestration and Automation

Getting to Zero Trust is a journey. Moving to ZTA will take time, and agencies will be at different starting points as they implement a Zero Trust strategy. When evaluating a ZTA solution, agencies should consider how well the product or service addresses these eight pillars and to what extent.

Zero Trust Pillars

PillarDescription
UserInvolves focus on user identification, authentication, and access control policies which verify user attempts connecting to the network using dynamic and contextual data analysis.
DevicePerforms “system of record” validation of user-controlled and autonomous devices to determine acceptable cybersecurity posture and trustworthiness.
NetworkIsolates sensitive resources from being accessed by unauthorized people or things by dynamically defining network access, deploying micro-segmentation techniques, and control network flows while encrypting end-to-end traffic.
InfrastructureEnsures systems and services within a workload are protected against unintended and unauthorized access, and potential vulnerabilities.
ApplicationIntegrates user, device, and data components to secure access at the application layer. Security wraps each workload and compute container to prevent data collection, unauthorized access or tampering with sensitive applications and services.
DataInvolves focus on securing and enforcing access to data based on the data’s categorization and classification to isolate the data from everyone except those that need access.
Visibility and AnalyticsProvides insight into user and system behavior analytics by observing real-time communications between all Zero Trust components.
Orchestration and AutomationAutomates security and network operational processes across the ZTA by orchestrating functions between similar and disparate security systems and applications.
Zero Trust Pillars

How can GSA help?

There are many elements of a Zero Trust solution that crosscut and incorporate GSA contract offerings. The information provided in the Zero Trust Architecture Buyer’s Guide can help agencies mature their Zero Trust implementation plans.

There are multiple GSA resources that support Zero Trust efforts, like the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) which provides access to vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors.

The Continuous Diagnostics and Mitigation (CDM) Tools SIN provides access to cybersecurity products included on the Department of Homeland Security Cybersecurity & Infrastructure Security Agency’s Approved Products List. Agencies can use these and other comprehensive GSA solutions to support the design and deployment of architectures that follow the tenets of Zero Trust.

FAST 2021: Incorporating IT Security into Acquisitions

Join us May 13th at 1:00 pm EDT for a live webinar led by GSA’s IT Acquisition experts as we explore:

  • Benefits in shifting from a compliance model to the cybersecurity maturity model
  • Adopting a supply chain risk evaluation approach in government contracting
  • Easy to understand acquisition planning packages (e.g., playbooks, checklists, templates)

The 3-hour session features an overview of requirements and evaluation factors used in developing the 2nd Generation Information Technology (2GIT) blanket purchase agreement; and a quick look into the GSA’s IT Solutions Navigator connecting buyers with resources, tools, and decision support for IT procurements.

This is the third session in GSA’s 2021 monthly Federal Acquisition Service Training (FAST) Conference series. Each session is worth up to 3 Continuous Learning Points. You can find the full lineup of events here.

Registration is open and free for agency and industry partners. Reserve your virtual seat today – we look forward to seeing you there!

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.