Addressing cyber risks of e-commerce


This column was originally published on Roger Waldron’s blog at The Coalition for Government Procurement and was republished here with permission from the author.

As cyber and supply chain issues continue to evolve, perhaps now more so than ever before, the success of the federal procurement system is contingent upon the government’s ability to secure and defend the nation’s digital information infrastructure. Accordingly, this week’s blog examines the ever-increasing importance of understanding how the commercial sector addresses cyber and supply chain security challenges that are inherent to commercial e-Commerce platforms and, therefore, should be addressed by the General Services Administration (GSA) in its March 2019 Phase II report.

In December, the GSA hosted a Federal Marketplace Industry Day to discuss its ongoing implementation efforts related to Section 846 of the 2018 National Defense Authorization Act (NDAA). Notably, during the event, there was considerable discussion regarding how GSA is considering and addressing cyber and supply chain concerns as part of its implementation efforts.

Specifically, GSA stated that: “In the development of the latest RFI, there were a number of factors that we believe reduces risk…One is the dollar value. The proof of concept is limited to orders below the Micro Purchase Threshold…Dollar values of the transactions…our thought is that it increases as the dollar value goes up.”

As the Coalition noted in a prior blog, its members remain concerned that, as currently set forth, GSA’s approach for the Section 846 pilot would establish a channel to the government market that competes directly with existing programs — like the GSA Schedules — without accepting the standard compliance and other government-unique requirements. Specifically, this approach will establish dual procurement systems for commercial items:

  • Procurement System 1: Where compliance with government unique requirements, like the Trade Agreements Act (TAA), is mandated.
  • Procurement System 2: Where products, including IT, from countries that are not TAA-designated, like China, are available for purchase.

Under these circumstances, limiting purchases made through this new, seemingly non-compliant, procurement system to dollar values below the micro-purchase threshold will not enhance the government’s ability to secure its supply chain or mitigate other cyber-related risks. In the absence of specific requirements or restrictions, such as limitations on the types or categories of products available for purchase through this new channel, GSA’s current approach will, in fact, increase the government’s cyber and supply chain risks by incentivizing the purchase of non-compliant, and potentially compromised, solutions.

At this time, it does not appear that GSA is considering any additional requirements or restrictions for the Section 846 pilot.

Indeed, during the Industry Day, the agency stated that: “We heard this morning some comments about how supply chain is likely to be a major focus of the next several years. We think it’s early to be making decisions. We don’t think this is the moment when we should be establishing a buy and don’t buy list across government.”

For stakeholders, this decision is confusing, as it runs counter to the requirements set forth under Section 846. Indeed, pursuant to paragraph (c)(2) of the statute, Congress required GSA to include in its Phase II report, “an assessment of the products or product categories that are suitable for purchase on the commercial e-Commerce portals.”

Congress also instructed GSA to include an assessment of the necessary precautions that would need to be implemented to assure national security and cybersecurity.

Cyber and supply chain issues present a unique challenge for the Federal procurement community. Moving forward, the Coalition looks forward to seeing GSA address these cyber and supply chain concerns in its March 2019 report. As always, the Coalition stands ready to assist the agency in assuring a best value procurement solution that protects the strength and security of the nation’s digital information infrastructure.

Pursuant to Section 846 of the 2018 NDAA, GSA is responsible for establishing and managing the e-Commerce portal program described under the statute. In March 2018, GSA, in consultation with the Office of Management and Budget (OMB), issued the Section 846 implementation plan, “Procurement Through Commercial E-Commerce Portals.”

The implementation plan is the end product of Phase I of GSA’s Section 846 implementation efforts, which focused on information gathering and analysis. Currently, GSA is in Phase II of Section 846 implementation, which is focused on market research that will support the agency’s Phase III efforts to develop and implement e-Commerce procurement guidance.

GSA’s Phase II report is expected to be released in March 2019.

Roger Waldron is the president of the Coalition for Government Procurement, and host of Off the Shelf on Federal News Network.
