The General Services Administration and the Department of Energy are launching initiatives to address cybersecurity risks, Federal News Network reported Friday.
Larry Hale, director of the information technology security subcategory at GSA’s Federal Acquisition Service, said the agency is taking steps to ensure the security of products agencies procure from acquisition schedules.
“When a manufacturer doesn’t sell directly to the government, they usually have licensed resellers and I would encourage federal agencies to use those licensed resellers to reduce their risk of getting counterfeit or grey market goods,” Hale said. “We actively pursue reports of counterfeit technologies in the products that people buy from GSA. When we find out that vendors are selling counterfeit goods, we take action against them. We take them off the schedule. We shut them down. We involve law enforcement when appropriate.”
He noted that GSA collaborates with the Department of Defense and National Institute of Standards and Technology on supply chain risk management programs.
Emery Csulak, chief information security officer at DOE, said the department is adopting quantified risk management to reduce cyber risks.
“How can we evaluate whether or not a $1 million investment will give me $1 million in reduced risk to do a modernization project or will it give me a $30,000 reduction in risk? You have to be able to have those conversations,” Csulak said at the 930Gov conference. “At Energy, we are looking at how historically we’ve spent a lot of time teaching the CFO or COO about how we talk about IT security, but we’ve barely scratched the surface of teaching security people about how to talk dollars, cents, probabilities and the exposure of that. We are embracing quantified risk management.”