The General Services Administration is testing a voluntary questionnaire for vendors to self-certify the authenticity and security of the IT products and services they sell to government agencies.
GSA put out a request-for-information on the proposed survey to gather feedback with responses due Nov. 10.
It’s an interesting, though familiar, idea, said Joel Krooswyk, federal chief technology officer at GitLab Inc.
“It’s the first time I’ve seen something that looks like a long running industry standard,” he said in an interview. “And I wonder if that’s on purpose for people who have been in product manufacturing or product definition for a long time who are used to getting these kind of questions.”
The mix of 200 yes-or-no and short-answer questions is designed to help the government assess details on hardware design, data protection and other cybersecurity supply chain risk management features. While responses to the RFI may change what the final questionnaire looks like, it’s the latest potential tool in the government’s arsenal to improve security in the federal industrial base.
However, there are some practical concerns with the way it’s looking to harness this input, said Chris Hughes, chief security advisor at Endor Labs and a fellow at CISA.
For one, it risks becoming another form to fill out in an “ecosystem that already faces cumbersome compliance requirements,” Hughes said.
“Now someone at GSA and/or other agencies will have to ingest and make sense of all these [answers] that are going to get returned to them,” he added.
But Krooswyk said vendors may feel inclined to respond to show they are proactive compared to their competitors.
In the RFI, GSA said one additional objective is to potentially reduce industry burden from responding to several government questionnaires.
Since the questionnaire would be voluntary, there’s also a question of whether respondents will self-select among those who are willing, and able, to be transparent on a host of topics.
“Obviously, when there’s contracts and revenue on the line, companies may give favorable answers, or they may not be as forthcoming as they would be if a third party was evaluating them, for example,” said Hughes. “So I think it’s not beneficial in that regard, because it’s going to be self-reported.”
Though with heightened attention to the National Cyber Security Strategy, shifting software liabilities and IT best practices, suppliers looking to do business with government are used to being tested on their claims, Krooswyk said.
“They’re more concerned about that now,” he said. “So I think people will represent themselves.”
And the questionnaire could fill an information gap on aspects of the supply chain that haven’t been as deeply understood, Krooswyk said.
Experts also pointed out that the binary questions could yield some subjective answers, especially if a vendor’s response is somewhere between “yes” and “no.”
One proposed question asks whether vendors follow operational standards or frameworks for IT and cybersecurity. There are at least a handful of NIST and other frameworks that could be acceptable answers, so one vendor may satisfy that by adhering to just one, while another may follow them all.
“Which ones are important? How do I know? ... Are they the same things that are important to GSA? And what does the alignment look like?” Krooswyk said, suggesting that some specificity could help.
Hughes said vulnerability scans or machine-readable artifacts may generally be more effective ways of showing, rather than telling, a product’s capability.
“Self-attestation is a great start because it’s easy, it’s low friction, they can give us the information voluntarily,” said Hughes. “But maybe it’s not as forthcoming or truthful or rigorous as a third-party attestation. But also [that’s] very cumbersome, complex, time consuming and expensive. So it’s a delicate balance.”
As for what’s missing, Hughes said he’d like to see more on open source software, given that many vendors may integrate it into their products and should have rigorous governance of it in place.
Krooswyk said that where the questionnaire asks about a hardware bill of materials, it should also ask for a software bill of materials to get a system-level vantage point.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.