Cybersecurity Concerns at GSA Procurement Website
In response to specific security concerns, GSA has temporarily shut down its eOffer website, which lets companies respond via the internet to Requests for Proposals for computer products and services. Security flaws associated with the website had the potential to allow unauthorized persons to view and modify information submitted by vendors.
An article in The New York Times discussing the issue did not cite any instances of compromised bids associated with the eOffer website. A senior GSA official stated that they believed "the problem was brought to the agency's attention before it became a hazard to other users." The article also quotes a GSA spokeswoman as explaining that the agency "had begun an 'intensive search' to identify 'possible irregularities within the electronic tools G.S.A. provides to its customers.'"
One security consultant traced the problem to the eOffer website "'making it difficult to get in in the first place, by forcing you to get a client certificate for your browser,' a mechanism for establishing the user's identity...."
An official with the consulting company that detected the security flaw explained that because "each offer's electronic first page yielded the given company's business identifier, it was possible to paste that identifier into the eOffer sign-in page and adopt the identity of any company. All that was necessary was to have a valid security certificate for the eOffer system masquerade as any other company using the system." The official described the problem as "very common."
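The flaw described above comes down to a sign-in step that checks that a certificate is valid but takes the company identity from a form field. The following sketch is an added illustration, not code from the eOffer system or from the article; the fingerprints, business identifiers and function names are all constructed for the example. It shows the flawed pattern beside one that binds the identifier to the certificate, plus a review of past sessions for mismatches.

```python
from dataclasses import dataclass

# Constructed enrollment table: certificate fingerprint -> business identifier
# the certificate was issued to (hypothetical values).
CERT_OWNER = {"fp-aaaa": "BIZ-1001", "fp-bbbb": "BIZ-2002"}

class AccessDenied(Exception):
    """Raised when a sign-in attempt must be refused."""

@dataclass(frozen=True)
class Session:
    business_id: str
    cert_fingerprint: str

def sign_in_flawed(cert_fp: str, claimed_id: str) -> Session:
    # Flawed: any enrolled certificate passes, and the session identity is
    # taken from the identifier typed into the sign-in form.
    if cert_fp not in CERT_OWNER:
        raise AccessDenied("unknown certificate")
    return Session(claimed_id, cert_fp)

def sign_in_bound(cert_fp: str, claimed_id: str) -> Session:
    # Corrected: identity comes from the certificate; the form field is only
    # compared against it and a mismatch is refused.
    owner = CERT_OWNER.get(cert_fp)
    if owner is None:
        raise AccessDenied("unknown certificate")
    if claimed_id != owner:
        raise AccessDenied("identifier does not match certificate")
    return Session(owner, cert_fp)

def mismatched_sessions(sessions):
    # Review of past sign-ins: sessions whose business identifier differs
    # from the owner of the certificate that opened them.
    return [s for s in sessions
            if CERT_OWNER.get(s.cert_fingerprint) != s.business_id]

if __name__ == "__main__":
    # Constructed history produced by the flawed handler.
    history = [sign_in_flawed("fp-aaaa", "BIZ-1001"),
               sign_in_flawed("fp-aaaa", "BIZ-2002")]
    print(mismatched_sessions(history))
    try:
        sign_in_bound("fp-aaaa", "BIZ-2002")
    except AccessDenied as exc:
        print("refused:", exc)
```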
Although it appears that no harm has been done, the eOffer site is a case study in why all agencies should carefully review, and exercise heightened vigilance over, their cybersecurity practices, including those related to the issuance of certificates.