Senator Susan Collins (R-ME), Chairman of the Homeland Security and Governmental Affairs Committee and Ranking Member Joe Lieberman (D-Conn.), have sent the following letter to David Bibb, Acting Administrator of the General Services Administration to seek further information on reports of a significant security flaw on the GSA’s website for government contractors.
January 31, 2006
The Honorable David L. Bibb
Acting Administrator
General Services Administration
1800 F Street, N.W.
Washington, D.C. 20405
Dear Mr. Bibb:
We are writing to express concern and to seek additional information about recent reports describing a serious security flaw in a GSA website for government contractors called eOffer. This web-based application enables vendors to prepare and submit offers and contract modifications electronically. The security flaw apparently enabled any contractor that used the eOffer system to gain unauthorized access to other contractors’ submissions and to conduct corporate espionage or tamper with other companies’ bids. One independent computer security consultant attributed the security flaw to a series of bad decisions by the designers of the eOffer site. (See the article entitled “Web Site of Agency is Called Insecure,” The New York Times, January 12, 2006, page C1.)

We are also concerned that the flaw was discovered by a user of eOffer, rather than through a government audit, and that GSA was slow to respond when informed of the security flaw. In a statement, GSA has acknowledged that the integrity of eOffer had been compromised, but said that GSA has shut the site down and is taking corrective action. GSA also said that it believes the problem came to the agency’s attention before it caused harm to other users. The basis for that assessment is unclear, as the web site had been in operation for more than 18 months before the flaw was discovered. Because contractors enter bid and proposal information onto the web site, any disclosure may have violated the Procurement Integrity Act. But even assuming that no individual user of eOffer was injured by the disclosure of sensitive material, this incident raises troubling questions about GSA’s information technology security program that may contribute to the reluctance of private-sector entities to entrust sensitive information to federal agencies generally.
E-Government initiatives in procurement and many other areas can only realize their potential for improved efficiency and customer service if companies are convinced that when they submit confidential data electronically, it will be safe from disclosure or tampering. Our homeland security efforts depend on critical infrastructure facilities sharing highly sensitive information with government agencies that use the information to counter terrorist and other threats, and to reduce vulnerabilities. Insofar as this incident at GSA will contribute to companies’ resistance to sharing information with other agencies for fear that the government cannot secure it, the nation’s security efforts may suffer.

To help set the record straight about how this security lapse occurred, and about GSA’s efforts to prevent a recurrence, we request that you promptly provide written answers to the following questions:

1. News reports indicate that the security flaw was brought to the attention of the GSA’s Inspector General by a user of eOffer on December 22, 2005, but that the system was not taken offline until the afternoon of January 11. Why did it take so long, after the flaw was reported, for the agency to test the system and take it offline? Do you believe that this 20-day delay was appropriate, or should eOffer have been taken offline more promptly?

2. eOffer has been in use since May 2004, yet GSA has stated that it believes the problem at eOffer was brought to the agency’s attention before it injured other users. On what basis did GSA come to this belief? Is there more that GSA can do to confirm whether or not any eOffer data was disclosed or changed in a manner that might harm any user of the system? If so, what does GSA plan to do about this, and when will this inquiry be completed?

3. What is GSA doing to identify possible security flaws in other electronic tools that GSA provides to its vendors and customers, and when will this inquiry be completed?

4. In a statement, GSA said that it has a rigorous certification and accreditation process to ensure that management, operational, and technical controls are adequately implemented in its information systems. Moreover, the Federal Information Security Management Act of 2002 (FISMA) establishes a process intended to continuously improve the level of agency information security. Among other things, each agency must develop and implement an information security program and conduct an annual independent review of the information security program by the agency’s inspector general. Yet these processes, as applied at GSA, failed to prevent a serious security flaw from being incorporated into the design of eOffer. How did this happen? Were the certification and accreditation process and FISMA procedures appropriately established and implemented at GSA? Do you believe that GSA should make changes to minimize the chances of this happening again in the future?

Thank you very much for your assistance. We look forward to receiving the requested information from you at your earliest convenience.

Sincerely,

Susan M. Collins
Chairman

Joseph I. Lieberman
Ranking Member