Federal agencies need a standardized way to talk with industry about the risk factors involved in IT projects, according to the General Services Administration.

GSA asked companies to offer insight on the indicators that should be assessed when determining whether a vendor can supply secure products and services, issuing a request for information on Dec. 12.

Agencies have guidance on risk management from the National Institute on Science and Technology (NIST) and federal programs like the Federal Risk and Authorization Management Program (FedRAMP). However, it is not incumbent on private companies to use these frameworks when describing their security standards, often leading to a disconnect.

Through the RFI, GSA is looking to standardize the conversation about risk and develop a set of factors agencies can use to ensure a company can deliver on security requirements.

"Federal agencies are concerned about risks in products, services and solutions they buy. These concerns extend to all purchased items that connect in any way to a government information system," GSA wrote. "The concerns also extend through all companies directly involved in delivery of products, services and solutions to the government, and through all tiers of the supply chain."

Specific concerns include:

■ Information Security (confidentiality, integrity, availability);

■ Financial and Managerial Controls;

■ Foreign Ownership and Influence;

■ Counterfeiting;

■ Tampering;

■ Insertion of Malicious Software;

■ Insider Threats; and

■ Manufacturing and Development Practices.

While procurement officers should be looking for the lowest price on products and services, the RFI notes poor security and data integrity will cost more in the long term.

"When the government purchases products, services or solutions from contractors with inadequate integrity, security, resilience and quality in their deliverables or operations, the risks created persist throughout the lifespan of the item purchased and often result in increased costs to the government and contractors," GSA stated.

GSA will be looking at the indicators that should be included in a company risk assessment, as well as technology that will allow agencies to share pertinent information.

Interested parties have until Feb. 16 to respond.
