This column was originally published on Roger Waldron’s blog at The Coalition for Government Procurement and was republished here with permission from the author.
As promised last week, this blog addresses the recent hearing before the House Committee on Oversight and Reform entitled “Making IT a Priority for The Federal Government.” Recall that the hearing included testimony around the General Services Administration’s implementation of Section 846, the e-commerce provision. During the course of the hearing, GSA stated that customer agencies will bear the ultimate responsibility for compliance, meaning that neither GSA nor e-Marketplace platform providers have responsibility for the integrity of products offered to agencies.
Although that testimony is accurate, it does not tell the whole story. Specifically, it fails to recognize that the GSA’s e-Marketplace approach makes every single transaction under that program a unique risk decision for the buyer (i.e., buyer beware). The lack of accountability by GSA and GSA’s e-marketplace providers comes at a time of rising concerns regarding counterfeit products, IP theft, and cyber and supply chain security.
Section 846 questions arose in the hearing against a backdrop of other IT issues GSA is facing, and, although the members raised insightful e-commerce questions, the hearing did not cover all aspects of the program. For the benefit of stakeholders, the following chart identifies some of the key issues associated with GSA’s e-Marketplace effort and how that effort fares in comparison with the GSA existing schedules program:
|Issue|GSA e-Marketplace|GSA Schedules|
|---|---|---|
|Low prices (See the Coalition’s and the Naval Post Graduate School’s studies.)|No|Yes|
|Requirement to list country of origin on product listings (See page 5 of the revised SOO and page 6 of the original SOO.)|No|Yes|
|Requirement to offer only products that comply with TAA (See page 19 of GSA’s Phase II Market Research Report.)|No|Yes|
|Requirements for a letter of supply to ensure supply chain risk protection and prevent counterfeit products (See Section IV (D) of the consolidated MAS Solicitation.)|No|Yes|
|Requirement to offer protections for AbilityOne by blocking and subbing ETS products (See page 4 of the revised SOO and page 5 of the original SOO.)|No|Yes|
|Opportunities to compete requirements for aggregated purchases by issuing RFQs (See page 17 of the Coalition’s e-Commerce report.)|No|Yes|
|Requirements to comply with EPEAT and other “Green Procurement” clauses (See page 12 of the draft solicitation and page 12 of the final solicitation.)|No|Yes|
Although pricing available through GSA’s e-marketplace was discussed briefly during the hearing, a critical fact never came up: Multiple studies have demonstrated that, product for product, GSA’s existing online schedules prices are lower, a lot lower, than commercial e-commerce platform prices. Further, in response to a question regarding how GSA’s e-Marketplace effectively will comply with Executive Order 13904, “Ensuring Safe and Lawful E-Commerce for United States Consumers, Businesses, Government Supply Chains, and Intellectual Property Rights Holders,” GSA stated that platform purchase data will be utilized, along with … automation to where when [sic] there has been identified providers of these products that are counterfeit or barred or removed, that the platform will be able to utilize that information to prevent them from being available to customers.
This approach, however, is flawed. First, it is reactive and, thus, puts the government at substantial risk because it relies on purchase data identified and reviewed after insecure or counterfeit products have been purchased and utilized. By way of example, from a forensic standpoint, it certainly is useful to identify a particular product as the cyber risk vector through which secret government information was exfiltrated. Few would argue, however, that, from the standpoint of protecting the government, the superior course of action would be to prevent that product from ever being purchased and installed in a government network in the first place. Second, the approach effectively assumes that few risky products will be purchased. In reality, many risky products could enter the government and cause great harm before data is analyzed and, if they even are found, are retrieved.
As the chart above shows, GSA’s e-Marketplace is an acquisition program grounded in the avoidance of law. As we have said, the central feature of GSA’s e-Marketplace approach is the limitation of purchases to those below the Micro Purchase Threshold (MPT), which permits agencies to avoid following the Trade Agreements Act (TAA), Buy American Act (BAA), and various Socioeconomic Laws. GSA has said that agencies already make open market purchases below the MPT, and its program merely aggregates information about their purchases to inform buying decisions and implement controls. This point, however, does not recognize that small, individual agency buys are not being made under the auspices of a multi-year, multi-billion-dollar program. GSA’s proposed transformation of the MPT process into a government-wide e-marketplace program institutionalizes avoidance of the law and undercuts government-wide programs, like the GSA schedules, NASA SEWP, and National Institutes of Health CIO-CS.
This approach cannot meet the fundamental mission requirements of customer agencies. The supply chain of an agency like DoD, with significant obligations to safeguard the security of the nation, does not have the luxury to tolerate counterfeit products or, worse, cyber risk products through which national defense is undermined and national secrets are put at risk.
It is not sufficient to respond to e-Marketplace program compliance concerns by asserting that individual buyers have the responsibility for compliance. The Schedules program, by design, requires products to comply with the TAA and provide country of origin information, and it does so at prices consistently found to be lower than those of commercial e-commerce platforms. GSA validates contractors for compliance with these and other mandatory requirements, and customer agency surveys indicate that agencies value this assurance. Thus, agency purchasers using the schedules start from a position of reasonable reliance on product integrity, security, and value. The same simply cannot be said of GSA’s commercial e-Marketplace program.
For all its efforts to socialize the e-Marketplace, GSA has left these and other concerns unaddressed. In the meantime, Congress and the Trump administration have acted to address the increased concern about the integrity of the government’s supply chain. Given the ongoing e-Marketplace procurement, there is still time to address the integrity of the market by making e-commerce platform providers contractually responsible for the integrity of products that traverse their platforms, and by holding GSA accountable for enforcing that requirement. This critical action is needed to safeguard government systems and protect secure information. The Coalition for Government Procurement remains steadfast in its commitment to support such action.