The General Services Administration’s (GSA) move to let contractors use GSA-managed IT systems may have improved IT security, but an Office of Inspector General (OIG) report released last week found that the move violated Federal competition requirements.
The report centers on the GSA Leasing Support Services (GLS) contracts, which engage real estate brokers to provide market surveys, site visits, and lease negotiations for the Public Buildings Service (PBS). As part of the five-year contract award in 2015, GSA required bidders to have systems that complied with “all GSA and Federal IT security standards, policies, and reporting requirements.” GSA also emphasized that bidders must have FISMA-compliant systems by the start of the contract in early 2016.
However, in 2017, GSA recommended the six vendors on the GLS contracts use the agency’s Virtual Desktop Interface (VDI), allowing direct access to GSA’s network and reducing the need for contractors to have compliant systems. The report also found that GSA provided two smaller contractors access to GSA Google accounts for file storage, as they couldn’t offer compliant systems by the start of the contract.
“In providing GSA Google and VDI accounts to GLS contractors, PBS significantly changed the GLS requirements from the solicitation in two key areas – performance costs and level of effort,” the report states.
OIG estimated that the move eliminated 19 of 25 security requirements included in the original contract, and reduced the need for an estimated $500,000 to $1 million in administrative start-up costs. These impacts were deemed to alter the scope of competition, substantially alter the IT security requirements after the contract’s award, and violate Federal competition rules.
The report also noted that GSA was delayed in updating the contract to reflect the change. Without the contract modifications, there was confusion around IT security requirements for more than a year, with contractors continuing to use their own systems while not providing security deliverables, limiting GSA’s assurance of secure data.
The report recommends working with GSA IT to ensure that requirements for upcoming GLS contracts reflect the current situation, and looking for other contracts where the use of VDI and GSA Google accounts may require updated contract security requirements and guidance. The Public Buildings Service agreed with both recommendations.