OMB, DoD, GSA Announce Data at Rest (DAR) Encryption Contracts
The Office of Management and Budget, U.S. Department of Defense and U.S. General Services Administration awarded 10 contracts for blanket purchase agreements (BPA) to protect sensitive, unclassified data residing on government laptops, other mobile computing devices and removable storage media devices. These BPAs could result in contract values exceeding $79 million.
Awardees are MTM Technologies Inc.; Rocky Mountain Ram LLC; Carahsoft Technology Corp.; Spectrum Systems Inc.; SafeNet Inc.; Hi Tech Services Inc.; Autonomic Resources LLC; GovBuys Inc.; Intelligent Decisions Inc. and Merlin International.
Products are Mobile Armor LLC’s Data Armor; Safeboot NV’s Safeboot Device Encryption; Information Security Corp.’s Secret Agent; SafeNet Inc.’s SafeNet ProtectDrive; Encryption Solutions Inc.’s SkyLOCK At-Rest; SPYRUS Inc.’s Talisman/DS Data Security Suite; WinMagic Inc.’s SecureDoc; CREDANT Technologies Inc.’s CREDANT Mobile Guardian and GuardianEdge Technologies’ GuardianEdge.
The encryption of data-at-rest (DAR) information is now possible through these BPAs, which were successfully competed using DoD’s Enterprise Software Initiative (ESI) and GSA’s government-wide SmartBUY (Software Managed and Acquired on the Right Terms) programs.
DoD ESI and the U.S. Air Force’s 754th Electronic Systems Group at Maxwell-Gunter Air Force Base, Ala., will provide acquisition and contract support for the awards and administer the contracts throughout their five-year contract lives. GSA’s SmartBUY program will provide all acquisition support for civilian agencies, including state and local governments.
“Today’s SmartBUY announcement demonstrates that we remain vigilant in our efforts to strengthen security and improve our efforts to safeguard sensitive and personal information across the board,” said Karen Evans. “The government is accountable to America’s citizens for the privacy and protection of their sensitive information, while at the same time, improving services within the government. This agreement is critical to all levels of government – Federal, state, and local. The DoD-GSA team solved a major data encryption issue and allows our state and local governments to share in the solution while saving substantial taxpayer dollars at all levels. This is a milestone that will help build public trust as we continue to improve security within our Information Technology systems government-wide.” It was Evans’ OMB Memorandum 06-16, Protection of Sensitive Agency Information, in June 2006 that was a key impetus for federal action resulting in the agreements.
Protecting data-at-rest has become increasingly critical in today’s IT environment of highly mobile data and decreasing device size. Personal identity information or sensitive government information stored on devices such as laptops, thumb drives and PDAs is often unaccounted for and unprotected, and can pose a problem if these devices are compromised. In addition to saving taxpayer dollars, this enhances DAR information security and requires vendors to meet stringent technical and information assurance requirements.
Two months after OMB issued its memo, the DoD Data-at-Rest Tiger Team (DARTT) was developed to address technical requirements. The goal was to award multiple BPAs by mid-2007. Eventually, the DARTT evolved into an interagency team comprised of 20 DoD components, 18 federal agencies and NATO.
“This highly successful interagency team defined and agreed upon data-at-rest requirements, which enabled the government to establish these critically important BPAs,” said David Wennergren, DoD’s deputy chief information officer. “It is truly historic in that agencies from across all levels of the government came together to solve a problem and develop an acquisition solution to meet all federal and local government DAR security requirements in an incredibly short time-frame.”
The DARTT conducted an extensive threat/risk analysis and market survey prior to submitting recommendations to DoD military department chief information officers in October 2006. In November 2006, DARTT began the current acquisition process in conjunction with the DoD ESI. GSA SmartBUY and federal agencies joined the DARTT in December 2006 and NATO joined in January 2007, with state and local governments joining in March 2007.
“These first-ever BPAs for data-at-rest encryption are also the first available for state and local government purchases,” said Jim Williams, GSA’s Federal Acquisition Service Commissioner. “The DOD-GSA team has leveraged the incredible buying power of the federal government to help state and local governments with their DAR solutions.”
State and local governments are participating under GSA’s Cooperative Purchasing Program, which allows them to purchase IT products and services from both GSA’s Multiple Award Schedule 70 and Consolidated Schedules that have IT special item numbers. Possible because Section 211 of the E-Government Act of 2002 amended the Federal Property and Administrative Services Act, cooperative purchasing is the means by which state and local governments have this first-time opportunity to join federal customers in purchasing encryption products fully compliant with FIPS 140-2. This federal standard defines national interoperability and security requirements for those governments electing to achieve this level for their networks.
“Protecting sensitive and private information, such as social security numbers and financial information, is an ongoing responsibility that New York State and its agencies are focused on each day,” said Governor Eliot Spitzer. “By working with the federal government to protect this important information we have the ability to add another layer of protection to New York’s cyber security program in an extremely cost-effective way.”
Three categories of software and hardware encryption products are available under the BPAs – full disk encryption (FDE), file encryption (FES), and integrated FDE/FES products. All products use cryptographic modules validated under FIPS 140-2 security requirements, and have met stringent technical and interoperability requirements.
Licenses are transferable within a federal agency and include secondary use rights. All awarded BPA prices are as low as or lower than prices each vendor has available on GSA schedules, with cost avoidance to the government estimated at up to $73 million over the life of the BPAs. Additionally, volume discounts range up to 85%, with volume pricing based on tiers for 10,000, 33,000, and 100,000 users.