GSA seeks help to ‘get across the finish line’ modernizing cybersecurity, adopting zero trust
The General Service Administration has made important strides adopting a zero-trust cybersecurity model and “raising the bar” modernizing its security, CIO David Shive recently told FedScoop. But now the agency needs help from industry to “help us get across the finish line,” he said.
GSA recently issued a solicitation for cybersecurity support services that is meant to help the agency take those final steps in modernizing the way it delivers cyber services internally, Shive told FedScoop on a recent episode of the Daily Scoop Podcast.
“We’ve developed some maturity with cyber here at GSA, and we’re looking for partners that can demonstrate mature cyber operations in their past and help us lean pretty far forward with the use of cyber and protecting the business interests of GSA,” Shive said. While the solicitation wasn’t publicly available, a GSA spokesperson pointed FedScoop to a listing on the agency’s Acquisition Hallway forecasting the opportunity.
Explaining the scope of the contract solicitation, Shive said it’s quite broad and that GSA “looks to deliver a unified, defensible cybersecurity boundary with a focus on operational excellence.” However, because the solicitation is still open for bidding, Shive said he had to refrain from commenting on it too extensively to provide a “fair and equitable acquisition experience for anybody who might like to do work with us.”
“They have to be able to demonstrate that they can drive down risks, strengthen resilience within the enterprise, and maintain effective and compliant programs to facilitate innovation,” he said, highlighting that innovation is “kind of one of the hallmarks here at GSA. And so they need to be able to deploy and defend in that attitude of innovation that’s present here at GSA.”
Shive continued listing out what types of services the contract seeks: “Zero trust architectures, security delivery via product versus services orientation, infrastructure and security as code, security operations … true enterprise security visibility, security automation and augmentation — we’ve been doing that for a long time here at GSA. They need to be able to help us run our security operations center and incident response centers, be able to do cyber threat intelligence … be able to do cyber threat hunting. And then because we’ve been doing DevSecOps here at GSA for a long time, using agile for a long time, they need to fit seamlessly into that because they’re the ‘Sec’ in DevSecOps.”
And, finally, as GSA continues its journey to zero trust, it’s placing more emphasis on “the application security layer,” Shive said, and it will need a partner who can support that.
That shift to zero trust has presented GSA with an opportunity to pivot in the way it thinks about cybersecurity, the CIO said.
“That pivot is we’ve evolved from that traditional perimeter-based, compliance-oriented model to a zero-trust architecture that considers resources and accesses as fundamentally untrusted,” Shive said. “Instead of verifying devices at the perimeter, we verify everything and anything attempting to access anything within GSA. And we do that continually. This represents one of the key changes from the traditional model that we’ve been operating against. We’re pretty far along and are seeing the results that we hoped for.”
Now, Shive said, the agency just needs a good partner from industry to help finish that journey.