Statement of David Shive, Chief Information Officer, U.S. General Services Administration before the Subcommittee on Cybersecurity, Information Technology, and Government Innovation Committee on Oversight and Accountability
Good afternoon, Chair Mace, Ranking Member Connolly, and members of the subcommittee. My name is David Shive, and I am the Chief Information Officer at the U.S. General Services Administration (GSA). Thank you for the opportunity to come before you to discuss GSA’s purchase and secure use of our video conference equipment. I appreciate the opportunity to testify before you, alongside the Inspector General (IG) at GSA.
I want to thank the Office of Inspector General (OIG) for their evaluation and review of this matter. We appreciate their partnership and have already taken action to ensure we continuously improve and strengthen the management and controls of IT purchases within GSA.
Background and Market Research
GSA relies on a connected workforce, operating all across the country to meet the mission of the agency. Video conferencing equipment allows for seamless interaction, productive collaboration, and an enhanced user experience.
In February 2022, in light of increasing office presence with the return to facilities, employees provided feedback that indicated new requirements for video conferencing and thus new equipment was needed to support our workforce. The existing video conferencing solution was obsolete and initial input from employees during the scoping phase of the pilot suggested that a portable camera with a 360 degree view capability might address the shortcomings of the legacy video conferencing solutions. A joint pilot program between the Office of GSA IT (GSA IT) and several other offices sought to evaluate products that would improve collaboration and the user experience with modern telecommunications and video conferencing infrastructure and equipment. The team engaged in discussions with various conference room technology vendors to better understand their offerings, and the GSA IT conducted market research to identify portable and cost-effective solutions. Five products were initially identified as leading solutions with similar functionality for further evaluation. GSA’s decision to pilot teleconference equipment from Owl Labs was based in part on its unique capabilities of 360 degree view and portability. It also required no installation, was compact and easy to relocate and store, and was one of the least expensive among the options that were evaluated.
GSA accepts and acknowledges that there were gaps in its documentation of its requirements and market research for the video conferencing solutions in question, as identified in the IG’s report. In particular, we should have done a better job documenting our requirements, including the need for a camera with a 360 degree field of view that allows participants to easily track who is speaking. However, I am unaware of any evidence suggesting that GSA IT personnel sought to intentionally mislead acquisition officials.
As a result of this audit, GSA has put in place new processes and improved documentation requirements to prevent a similar situation from occurring. The team has strengthened our Alternatives of Analysis (AoA) documentation and process that uses requirements to objectively rate solutions. The improved documentation allows for the solutions identified to be adequately analyzed and locked down once the analysis is completed. GSA IT has also partnered with acquisition experts that focus primarily on market research to bolster any GSA IT future market research efforts.
We also acknowledge that our IT professionals who work regularly with procurements need a strong acquisition foundation. Procurement training courses, with respect to Buy American Act (BAA) and Trade Agreements Act (TAA) training, are required for personnel involved in such actions.
GSA complied with Acquisition and Procurement Requirements
GSA fully supports the purchase and use of American made products and is committed to complying with all acquisition statutes, including the BAA and TAA.
GSA was in full compliance with BAA for both the first and second procurement of OWL cameras. The TAA did not apply to either of these acquisitions because neither equaled or exceeded the threshold of $183,000.¹ Instead, the Buy American Act (BAA) applied, and GSA fully complied with the BAA.
The value of an acquisition is a determining factor in the applicability of any of our trade agreements including the World Trade Organization Government Procurement Agreement (WTO GPA) trade agreement. To be clear, the applicability of BAA vs TAA is mutually exclusive, and the determination by the contracting officer of which statute to apply in any given acquisition is dictated by the dollar value of the acquisition. Neither a contracting officer nor any other authority has discretion to decide which statute to apply. Rather, the dollar value of the acquisition governs which requirements must be satisfied. The WTO trade agreement applies to acquisitions equal to or exceeding $183,000, on an acquisition by acquisition basis, when procuring the same or similar items. It is not aggregated across multiple acquisitions. GSA’s requirements did not reach the threshold to invoke TAA.
Foreign acquisition rules are complicated. Having recognized the importance of ensuring BAA compliance, in 2018 GSA raised approval levels to the Head of the Contracting Activity. As part of its corrective action plan, GSA is updating its TAA policy to ensure similar levels of approval as it requires for BAA. This will help ensure that GSA continues to correctly apply both BAA and TAA.
GSA OWL Device Deployment remains secure
GSA’s deployment of OWL cameras in its environment was done in a manner that was secure, and that remains true today. In line with our security protocols, GSA voluntarily removed older OWLs from use that the vendor indicated would no longer be supported.
For the remaining OWL devices, our security assessment determined that the Cybersecurity Supply Chain Risk Management (C-SCRM) risks were Low, resulting in approval for use of the OWL Devices with the following mitigations in place:
- Limited connection to the Guest wireless network ONLY to support monthly software updates with no connection ability to the GSA production network.
- Hardening Guide that provides guidance on how to secure the OWLs
- Patching and Maintenance to maintain ongoing security posture.
- Prohibited usage of Cloud SaaS features including Whiteboard and Command Center functionality.
- Security threat monitoring and alerting to the Infrastructure Team.
OWLs can be deployed in various configurations; GSA chose to intentionally configure them for use in a more limited manner in order to reduce any potential vulnerabilities. GSA also performed Operational Technology (OT) and security testing of the OWL Devices following GSA’s Building Monitoring and Control (BMC) Systems Security Assessment Process as documented in GSA IT Security Procedural Guide 16-76. The process is used for evaluating the IT security risk posture of BMC solutions proposed for use within GSA-owned facilities.
GSA is confident that the use of the OWL video conference cameras is secure under our current security protocols. While these choices made the devices inherently more secure, they did create other challenges, as mentioned by the OIG, requiring users to complete manual software updates rather than receiving automatic software updates by being continuously connected to the internet. While our protocols were robust, GSA recognizes the need to continuously improve our management and controls of these devices.
GSA has since strengthened how we manage the devices and software updating protocols so that going forward we can effectively locate and ensure timely updates of the devices that might be needed. We have put formal processes in place to improve the management controls and accountability of the OWLs. Specifically, we have developed an OWL Device User Agreement that improves the responsibility and accountability related to timely patching of software updates. In addition, we have formalized the standard operating procedures (SOPs) for the management of the devices with processes and actions in place if policies are not adhered to. The current inventory of OWLs are all fully patched with respect to security updates.
Conclusion
Thank you for the opportunity to appear before you today. GSA is committed to delivering the best value in government services while promoting economic opportunities and access to services for all Americans, while ensuring the security of our technology environment and prudently utilizing taxpayer money. With respect to this audit, GSA appreciates the IG’s recommendations to improve our internal processes, but is confident that it did not violate the Trade Agreements Act, has consistently maintained robust mitigations to reduce security risks, and at no time intentionally misled acquisition officials. We believe that the actions taken so far as a result of our internal reviews, along with implementing the recommendations made by the OIG to strengthen our processes, will keep us on the path to continuously improve the security posture and IT purchases for GSA.
¹ The threshold of $183,000 applied to calendar years 2022 and 2023. The current threshold is $174,000. See https://www.federalregister.gov/documents/2023/12/08/2023-27024/procurement-thresholds-for-implementation-of-the-trade-agreements-act-of-1979.