Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

GSA Looks for Feedback on Improving Cybersecurity and Resilience

The U.S. General Services Administration (GSA) has issued a request for information (RFI) that it hopes will help make the federal government’s cybersecurity more resilient.

The U.S. General Services Administration (GSA) has issued a request for information (RFI) that it hopes will help make the federal government’s cybersecurity more resilient.

Issued in partnership with a federal cybersecurity interagency working group, the RFI is an important step to improving acquisition cybersecurity policy, implementation, and consistency to better manage risks and security, the agency said.

In February, warning that cyberattacks pose a danger to US security, President Barack Obama signed an executive order designed to improve critical Infrastructure Cybersecurity (Executive Order 13636).

The executive order (PDF) calls for voluntary reporting of threats to US infrastructure, such as power grids, pipelines and water systems.

In accordance with part of the Executive Order, within 120 days, the GSA and the Department of Defense, working with the DHS and the Federal Acquisition Regulation Council, are required to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration and address what steps can be taken to harmonize, and make consistent, existing procurement requirements related to cybersecurity”.

“Collaboration and cooperation allows government to deliver critical services to our federal partners and most importantly, the American people,” said GSA Acting Administrator Dan Tangherlini. “The RFI is an important first step to a public private partnership that will help secure our nation’s infrastructure. Developing these cybersecurity procurement recommendations is a priority for GSA and the interagency working group.”

Overall, the DoD and GSA are looking for input about the feasibility of incorporating cybersecurity standards into federal acquisitions.

Some examples include:

1. What is the most feasible method to incorporate cybersecurity-relevant standards in acquisition planning and contract administration? What are the cost and other resource implications for the federal acquisition system stakeholders?

2. How can the federal acquisition system, given its inherent constraints and the current fiscal realities, best use incentives to increase cybersecurity amongst federal contractors and suppliers at all tiers? How can this be accomplished while minimizing barriers to entry to the federal market?

3. What are the implications of imposing a set of cybersecurity baseline standards and implementing an associated accreditation program?

4. How can cybersecurity be improved using standards in acquisition planning and contract administration?

5. What are the greatest challenges in developing a cross-sector standards-based approach cybersecurity risk analysis and mitigation process for the federal acquisition system?

6. What is the appropriate balance between the effectiveness and feasibility of implementing baseline security requirements for all businesses?

7. How can the government increase cybersecurity in federal acquisitions while minimizing barriers to entry?

8. Are there specific categories of acquisitions to which federal cybersecurity standards should (or should not) apply?

9. Beyond the general duty to protect government information in federal contracts, what greater levels of security should be applied to which categories of federal acquisition or sectors of commerce?

10. How can the Federal government change its acquisition practices to ensure the risk owner (typically the end user) makes the critical decisions about that risk throughout the acquisition lifecycle?

11. How do contract type (e.g., firm fixed price, time and materials, cost-plus, etc.) and source selection method (e.g., lowest price technically acceptable, best value, etc.) affect your organization’s cybersecurity risk definition and assessment in federal acquisitions?

12. How would you recommend the government evaluate the risk from companies, products, or services that do not comply with cybersecurity standards?

Since the issuance of the EO and PPD inFebruary, the GSA said feedback has been collected from hundreds of stakeholder representatives at dozens of forums in industry, academia, and federal, state, and local government, which was taken into consideration as the team finalized the RFI.

Stakeholder input should be submitted on or before June 12, 2013, which will contribute to the final recommendations report to be issued in the early summer. 

More information from the GSA is available here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.