Tag Archives: GSA

General Services Administration Readies $300 to $5,000 “Bug Bounty” Program


Photo Credit: Nguyen Hung Vu via Flickr

“FIFTH DOMAIN CYBER”

“The GSA’s bug bounty platform would represent the first use of an ethical hacking program by a civilian agency in the federal government.

Bug bounty programs have been gaining steam in the federal government after the Department of Defense’s successful “Hack the Pentagon” and “Hack the Army” exercises in 2016.

The General Services Administration’s innovation arm, 18F, said the agency was edging closer to standing up its own bug bounty program after tapping a new provider for its reporting platform.

18F officials said in a May 11 blog post that GSA’s Technology Transformation Service had tapped HackerOne to provide its Software-as-a-Service bug-reporting platform.

The San Francisco-based company offers vulnerability coordination and platform services to reward ethical hackers to locate and report network security vulnerabilities.

GSA issued a solicitation for a bug bounty platform in January, calling for a SaaS to “allow TTS to manage and track issues across multiple public web applications, triage services for those reported vulnerabilities, disburse rewards for effective vulnerabilities and explain the reasons behind rejections,” and provide vulnerability, impact and monthly report services.

18F officials said that HackerOne would help set up bounties on “several TTS public-facing web applications” through its platform and will assess validity of the bug submissions.

The SaaS provider will then forward on the reports to active TTS components to correct the issues and the bug hunters will receive payouts running between $300 to $5,000.

Once the platform is in place, officials said TTS would look to extend it to most of its component websites and applications.”

http://fifthdomain.com/2017/05/12/gsa-readies-the-first-civilian-bug-bounty-program-with-new-platform/


Who’s Ripping Off the Government Now? The Government!


“POGO”

“The GSA charges fees to other federal agencies that use GSA programs and contracts.

The General Services Administration (GSA) is making a profit off other federal agencies, and it has used that profit to build a billion-dollar slush fund.

Congress is in the unenviable position of appropriating money that it doesn’t have while the GSA is running a profitable business with a billion-dollar slush fund that was created at the expense of other agencies and taxpayers.

For example, goods and services are offered on GSA Federal Supply Schedules and GSA offers telecommunications services so that federal, state, and local agencies don’t have thousands of individual contracts for the same items. The consolidation of contracts allows the government to buy in bulk and save time and money.

What isn’t talked about in many government circles is the fact that agencies pay a markup to GSA on orders. GSA charges a .75 percent Industrial Funding Fee (IFF) to other agencies to cover GSA’s cost of operating the Schedules program. According to the GSA Inspector General, “[t]he IFF is set at a level that consistently generates net operating revenue in excess of amounts required to recover [Multiple Award Schedule (MAS)] Program costs, make MAS Program investments, and maintain a risk mitigating buffer.” GSA takes the excess revenue generated and stashes most of it away for a rainy day.

While the IFF is set and well-known, I wanted to learn more about other fees or markups that GSA charges for other programs, since GSA has not published a summary of rates and fees since FY 2011. Like the IFF, certain fees appear to be set. The up-charge on using the Networx telecommunications contract is 7 percent. That contract does over a billion dollars in business and was estimated to save taxpayers $670 million in FY 2014. The result is certainly due to buying in bulk and guaranteeing AT&T, CenturyLink, Level 3, Sprint, and Verizon a lot of business, but a 7 percent profit margin seems like the government is cheating itself and taxpayers.

Currently, GSA is charging a markup averaging 16.1 percent on its regional telecommunications programs, according to GSA’s reply to a Project On Government Oversight Freedom of Information Act (FOIA) request. The GSA explained that “it can be presumed that all net operating results for the years in question went into the funding of FAS [Federal Acquisition Service] Investment Reserves.” That slush fund was created by law in the Treasury based on profits generated from GSA business lines rather than on congressional appropriations. “The Fund is available for use by or under the direction and control of the Administrator” of the GSA for agency programs and missions.

In 2012, the GSA IG stated that in 2009 the agency’s profit-based enterprise created a slush fund that had “reserves totaling $687.5 million.” According to GSA’s most recent financial statements, that slush fund now exceeds $1.1 billion (p. 36). The GSA pointed out in its FOIA reply to POGO that it had returned “small sums … to Treasury.” GSA’s financials support that statement, showing that the agency had returned $6 million and $11 million that were in excess of GSA’s operating needs to the U.S. Treasury in 2013 and 2014 respectively. Simply stated, GSA is pitching in a mere 2 percent of its rainy day fund to taxpayers while it is sitting on a billion dollars.

At least the GSA is now telling other agencies that it is ripping them off to fund other GSA programs, which, according to the GSA IG, wasn’t always the case.

The IFF reimburses FAS for the costs of operating the Federal Supply Schedules Program. FAS recoups its operating costs from ordering activities as set forth in 40 U.S.C. 321: Acquisition Services Fund. Net operating revenues generated by the IFF are also applied to fund initiatives benefitting other authorized FAS programs, in accordance with 40 U.S.C. 321.

My interest in telecommunication contracts dates back to when the suspension of MCI/Worldcom was lifted only days before the next contract was up for bid. At that time, I was informed by GSA sources that the government needed MCI to compete for that contract to help obtain a good deal for taxpayers.

Certainly, we support GSA recouping the costs of operating government-wide buying systems and buying in bulk, which are both in the interest of taxpayers. Our main concern is that GSA is collecting millions of dollars each year from other agencies that pay for GSA to stay in business and there is little if any oversight of GSA’s overall spending. Other concerns have been raised about pricing and competition and whether agencies are getting good deals when using the Schedules.

Additionally, I have concerns about the plethora of wireless contracts that exist, whether they are being used effectively, and the rangy markup that GSA is charging.

My concerns led me to question GSA in February 2014 about its wireless contract, which was estimated to save taxpayers $300 million over five years. GSA gave me the run-around, so I submitted the FOIA request in April 2014 for information about the wireless contract as well as other contracts and fees that GSA is collecting from other federal agencies. After a lot of foot dragging and an initial effort to close my request, I’m now getting piecemeal responses, as inadequate as they may be. Stay tuned for more information and analysis as GSA sends me additional information.

GSA, which isn’t alone in charging fees to other agencies when they assist in buying goods and services, needs to reconsider the fees and markups that it charges or return the excess funds to the general treasury. Sitting on a billion-dollar taxpayer-funded slush fund isn’t the way the government should operate. As POGO urged over 5 years ago, there is a perverse incentive for GSA to run programs that funnel funds into its budget, and Congress should step in. Congress is in the unenviable position of appropriating money that it doesn’t have while the GSA is running a profitable business with a billion-dollar slush fund that was created at the expense of other agencies and taxpayers.”

By: Scott H. Amey, J.D.
General Counsel, POGO


http://www.pogo.org/blog/2015/10/government-ripping-off-government.html

GOVERNMENT AGILE TECHNOLOGY PROGRAM STEPS UP TO ITS ACQUISITION GAME


Image: 18F GSA.Gov

“GSA”

“18F is a team of top-notch designers, developers, and product specialists inside the General Services Administration, headquartered at 18 and F streets in Washington, D.C. 18 F Newsletter.”

“WASHINGTON TECHNOLOGY”

“They have approached the acquisition creatively, simplified the process for all and, perhaps most importantly, focused on outcomes rather than process.

When GSA’s “18F” team was stood up, many of us were concerned about their seeming indifference to the acquisition system. The ability to purvey their capabilities to agency components without having to go through the often tedious acquisition process was, in fact, one of their key selling points.

Like procurement challenges and contests, 18F was, in part, designed to skirt the vagaries of federal acquisition. Hence, they displayed no real interest in mapping their own experiences against the acquisition process so that we might use those lessons to improve the broader system.

For many of us, this insularity was a source of contention and the foundation of some of our early concerns and criticism.

But that was then. 18F is now in the acquisition business, as the core customer of GSA’s current “agile technology” BPA procurement.

In other words, they are one of the few organizations in government actually putting into action many of the recommendations that have formed the core of reform proposals from the Professional Services Council and others for a long time.

For one thing, the solicitation itself is only 15 pages. By any measure, that is remarkably concise. Compare it to the solicitation for support following the Office of Personnel Management data breach, which is 60 pages long, or many others, for even more basic needs, that can run 100 pages or more.

Their ability to be so concise was, in large part, driven by an extensive industry outreach effort, including rapid responses to most any questions that were raised. As a result, they could issue a solicitation that was focused and clear and for which the background had already been effectively laid.

Second, they took a “show me” rather than “tell me” approach, relying on the actual delivery of a working software prototype rather than a lengthy narrative. To enable this, they provided all offerors with extensive data guidelines and information and turned them loose. The narratives were limited to just 750 words. Here too, while not the first to do so, they are among the very few to take this approach.

Think about it.

A clearly defined and articulated requirement, open communications with industry, a working prototype, and a lot less prose to accomplish it all. What’s not to like?

Third, 18F enabled companies to take greater advantage of technology in proposal development than we generally see. Simple things like a compliance checklist on a Google form allows the vendors to electronically fill out all the relevant information rather than the two-step process of a paper submission. Or the electronic spreadsheet of evaluation factors the offerors fill out with the requisite evidence that they meet those factors, rather than requiring the government evaluator to go through the proposal looking for how and where it meets the criteria. This is a great idea that could be used widely in solicitations to speed up evaluations, and it aligns nicely with recommendations PSC made in 2014.

Admittedly, this particular procurement is not terribly complex and thus not all of its characteristics will be easily replicated in all cases.

In addition, offerors were required to use open source and post their solutions on a public version control website like Github. This raised some concerns even on this procurement and may be more controversial for those procurements involving more complex solutions in which the offerors are independently making significant advance investments.

Indeed, the protection of company intellectual property in federal procurement in this “new” and open tech era is an area ripe for far more extensive discussion. But that is beside the point for now.

I have been openly critical of 18F since its inception and still believe a lot must be done to rationalize its role and how it relates to other entities inside and outside of government. But in this acquisition foray, they have nonetheless demonstrated innovative and creative techniques well worth taking note of.

Their initial concept of operations may have created an overly insular environment with no intent to effect or improve the broad acquisition process. But to their credit, they are doing just that.”

18F steps up its acquisition game

At GSA Auctions – A Black Hawk Helicopter – All Your Own


UH-60A BLACK HAWK, S/N: 85-24441 Sale-Lot Number: 91QSCI15272603 – Huntsville, AL

“THE D BRIEF”

“For the low, low price of $200k (though the bidding may rise at any point in the next 13 days, 3 hours and 59 minutes), you can have a Black Hawk helicopter all your own! Start here, at GSA Auctions.”


“Aircraft, 1 each: Sikorsky UH-60A Black Hawk Medium Lift Utility Helicopter: S/N: 85-24441. Please see “Additional Documents” for more item description. The condition of the property is “as is” condition. Physical inspection of the records and aircraft strongly recommended. All sales are final and no warranty is implied or applied. Aircraft may not be in compliance with applicable FAA requirements. Buyer is responsible for completing the End Use Certificate and bringing the aircraft into compliance with 14 CFR Chapter 1, or other applicable standards, by obtaining all necessary FAA inspections or modifications. The removal time frame will be extended so that the “End Use Certificate” DLA form can be completed by the winning bidder and must be approved by the Department of Defense before the aircraft shall be released to the winning bidder. The “End Use Certificate” form is attached below. **Note: If the reserve price is not met, the aircraft may be offered to high bidder at the discretion of the government. W81YUF52090003

THE CONDITION OF THE PROPERTY IS NOT WARRANTED.”

http://gsaauctions.gov/gsaauctions/aucitdsc/?sl=91QSCI15272603

US Gov. Bid Solicitation: “Host and Protect in Excess of 21.5 Million Records”


Image: gdb.voanews dot com

“WASHINGTON POST”

“The government plans to award a sweeping five-year contract in August to a private company to monitor the hacked security clearance data of 21.5 million people for identity theft — and ensure that the records are protected from further intrusions.

The winning bidder will be asked to monitor financial and health information of the breach victims — contractors and federal employees and their families — for fraudulent activity; set up call centers to answer questions; train government employees how to prevent other hacks and restore stolen identities.

And the contractor must be on constant alert for further risks to the hacked background investigation files, among the most sensitive data in the government, according to a 55-page solicitation the General Services Administration issued last week.

GSA has asked potential bidders if they have the capacity to host such a large trove of data: “In light of these requirements, does your company have the ability to host and protect in excess of 21.5 million records?”

GSA wrote in a letter accompanying the solicitation, “… We are launching an aggressive procurement cycle and activities to respond to recent data breaches.” Officials from GSA and the Defense Department, which will oversee the contract, convened a handful of companies that specialize in data breaches and identity theft protection on a conference call to go over details.

[OPM director resigns under pressure]

The government expects to award the contract by Aug. 14.

The new contract, which will go to a single contractor or a team, will last five years, although the solicitation does not say how long credit monitoring and identity theft protection will last. The Office of Personnel Management has promised at least three years.

The contract will be far more expansive than the $21 million OPM awarded in June to Winvale Group and its partner, CSID, to respond to an earlier hack of personnel records of 4.2 million active and former federal workers. Together, the breaches — believed to have been carried out by the Chinese government — exposed the personal data of more than 22 million people, including Social Security numbers, performance evaluations, and names of family members and friends who were listed as references on millions of applications for security clearances.

[US won’t publicly name China in employee breaches]

CSID was widely criticized for poor customer service during the first few weeks it notified federal employees that their data was at risk. The company says its service has improved. It plans to bid on the new contract, where it will compete to serve a population more than five times as big as its earlier contract.

That population includes current and former federal government employees and contractors, their spouses, children and roommates and anyone else who provided the government with Social Security numbers for background investigations.

In its solicitation, the government requires that the contractor’s staff respond to calls for information within 30 minutes. It also asks potential bidders if they will be capable of signing up millions of people for identity theft protection.

Can your company “meet a surge requirement to effectively support in excess of 21.5 million individuals where the demand for services entitlements could exceed 20 percent?” the government asked.”

http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/23/government-asks-bidders-on-hack-contract-can-your-company-host-and-protect-in-excess-of-21-5-million-records/?wpisrc=nl_headlines&wpmm=1

General Services Administration Adding New Special Items for Cybersecurity and Health IT

“FEDERAL TIMES”

“The General Services Administration is now looking to create two more SINs [Special Item Numbers] for targeted technologies, namely health IT and cyber security.

The Office of Integrated Technology Services (ITS) plans to issue a request for information in the next two weeks asking agencies and industry to comment on what needs to be included.

More: Schedule 70 refresh includes new cloud SIN

A cybersecurity-specific SIN is also in the works, with an RFI expected before the end of the year, Carty said at the June 2 Federal IT Acquisition Summit hosted by 1105 Media. “For health IT, we’re looking at things like interoperability and what actually makes health IT for both federal and civil health care,” Carty said, noting the sector hit $6 billion in 2014, up 14 percent over the prior year. “We’re looking to create a SIN for health IT so we have a central focal point where other agencies can go to get those needs. Currently it’s available because we offer IT services but we wanted one place where that can be offered.”

More: 65 contracts awarded on CIO-CS health IT GWAC

Carty encouraged all interested persons to comment once the RFI is out. “The question is what determines health IT?” said Angela Bumbrey, IT Schedule 70 Business Programs and Analysis branch chief. “We had to look to see if we already had those services existing on the current schedules. Some of them are but it’s not like they have a flashing neon sign saying ‘health IT.'”

Having an established SIN should simplify the process and aggregate all those options into a single place, making it easier for agencies to compare costs and capabilities. Bumbrey noted both proposed SINs are in their infancy stages but that the process is moving along.”

Video: GSA solutions for cybersecurity

http://www.federaltimes.com/story/government/acquisition/gsa-gwac/2015/06/03/schedule-70-health-it-cyber/28411893/

Pentagon’s Real Estate Inventory Incomplete, Incorrect and Inconsistent


FOB Leatherneck

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“The Department of Defense has no idea what’s going on in more than half the properties it owns and it has no plans to figure that information out, according to a new report from the Government Accountability Office.

The DoD’s massive collection of military real estate holdings worldwide includes more than half a million facilities located on more than 5,000 sites valued at about $828 billion. Many of these properties hold important purposes, but an alarming number (about half) are underutilized or completely abandoned. Even worse, the department is terrible at tracking which ones are which.

“Since 1997, [GAO has] designated the Department of Defense’s (DOD) Support Infrastructure Management as a high-risk area, in part due to the challenges DOD faces in reducing excess and obsolete infrastructure,” the report says. The most recent audit is the latest in a string of reports (1997, 2011, 2013) that reveal little to no progress is being made.

Officially, the department’s real estate information is tracked by the Office of the Secretary of Defense using software called the Real Property Assets Database. But in reality, GAO found that more than half of the facilities lack utilization data, and that much of the utilization that does exist is incorrect.

The Pentagon and Congress were aware of the issue even before the GAO report was released. According to Pentagon estimates, the military has more than 20 percent excess infrastructure across the United States—facilities and bases that are sitting unused or unoccupied at a cost of at least $2 billion per year. The Project On Government Oversight, along with a coalition of organizations from across the ideological spectrum, supported an amendment offered by Rep. Patrick Murphy (D-Florida) to this year’s defense spending bill that would prevent the Pentagon from using funds on facilities that are not being utilized and are sitting unused. A final vote on the spending bill is still pending.

“Taxpayers cannot continue paying for unused and underused buildings, especially while the nation is at record debt levels,” Murphy said. “Federal agencies as a whole must do a better job at managing their facilities. I was pleased to see bipartisan support for my common-sense amendment to root out this wasteful spending.”

The recently released GAO report is the result of a GAO audit mandated by the National Defense Authorization Act for Fiscal Year 2014. Auditors visited 11 sites at random from the four branches of the military and compared their findings to the Pentagon’s software.

At the Army’s site, officials showed off software that checks for inconsistencies with the Pentagon property database. For the randomly selected site that the auditors planned to visit, the Army software found 45,000 discrepancies with the DoD’s information. Not to say that the Army’s system is that much more trustworthy—their records indicated that facilities had been reviewed in various years including 0013, 0201, 1776, 2201 and 3013.

The other visits didn’t go much better. Auditors found large, multi-building complexes listed as single structures, buildings that had been demolished but were listed as still in existence, and abandoned structures that were listed as in use.

Unfortunately, the Pentagon’s atrocious property record keeping is far from unique within the federal government. In 2013, GAO released a similarly discouraging investigation into the General Services Administration’s system for keeping track of federal buildings, the Federal Real Property Profile. Auditors discovered that 23 of the 26 federal buildings they visited had inaccurate information about utilization, condition, annual operating costs, and value. Among the 26, 19 had incorrect utilization information, such as a USDA site that has been abandoned since 2009 but was listed as in use both that year and 2010.

All types of errors are problematic, but inaccurate utilization data particularly leads to inordinate and unnecessary government waste. Federal agencies are paying to maintain buildings that could have been sold or leased by the government years ago for thousands or even millions of dollars each.

Old Post Office

The Old Post Office located in Washington, D.C. was identified as an underutilized federal property by the GSA and is being leased to the Trump Organization for the next 60 years.

Thankfully, GSA has made a concentrated effort to offload excess federal properties. According to Federal Times, the agency has identified 14,000 properties that the government no longer needs that cost about $190 million a year to maintain. In perhaps its most high profile project, GSA is leasing the Old Post Office building, located in the Federal Triangle area of Washington, D.C., to the Trump Organization for 60 years to transform it into an upscale hotel. Renovations began in July on the underused building, which previously cost the government $6 million a year in upkeep.

GSA reports that since 2012, property sales have brought in $139 million. The Pentagon needs to follow the lead of GSA and implement a better system to identify underused or abandoned buildings and subsequently sell or lease those facilities.”

Images from Flickr users Wyn Van Devanter and the U.S. Corps of Engineers Europe District.