Federal Shared Services Provider Needs a System to ID Bots in Its Data Center

ipopba/istockphoto

One of the four central financial service providers wants to use more robotic process automation in its data centers but needs to be able to track those bots—and any potential malicious bots creeping in, as well.

As the Enterprise Services Center—one of the four financial shared services providers offering accounting services to programs across the federal government—employs more robotic process automation, the center is looking for ways to ensure malicious and wayward bots are not mucking up its systems.

ESC offers financial and accounting services to other federal agencies for a fee, along with the Administrative Resource Center, or ARC, managed by the Treasury Department’s Fiscal Service; the Interior Business Center, managed by the Interior Department; and the National Finance Center, managed by the Agriculture Department. ESC is run by the Transportation Department, under the Federal Aviation Administration.

“ESC Financial Services is implementing RPA to automate repetitive, manual, time-consuming, rule-based tasks to establish fully automated end-to-end processes,” according to a request for information published Monday. “RPA unattended automations provides an opportunity to increase financial services operational efficiencies and compliance by leveraging RPA in key business areas.”

But unleashing a swarm of unattended bots without an inventory or means of tracking them would be chaos, not to mention opening the way for bad actors to insert their own bots, officials said in a statement of objectives.

“Currently ESC does not have software to detect and identify information for a robotic process within the ESC Data Center environment,” according to the SOO, which asks for feedback about commercial-off-the-shelf options for monitoring bots within a system. “Operational, security and risk management leaders must ensure accountability for bot actions, avoid abuse from breaks in segregation of duties, protect log integrity and enable secure RPA development to prevent unplanned business exposures.”

The SOO notes security is often an afterthought when it comes to RPA, particularly when the bots are being created by “citizen developers,” which it defines as “a person with minimal IT experience, empowered to build an application, or bot, traditionally created by IT professionals, using drag and drop type tools.”

By installing a monitoring system for bots deployed in the ESC data center, IT officials can add a layer of security at the enterprise level, mitigating some of the risks posed by amateur developers.

The monitoring system will also enable security officials to spot unauthorized bots that could be evidence of malicious activity by outside hackers or insiders.

“The solution will include installation, validation testing, and training for users and administrators sufficient to satisfy a wide range of administrators and users,” the RFI states. “Training will include sufficient depth for operational competence, application configuration in the environment, software maintenance for patching and upgrades.”

The SOO notes ESC systems run “on a mixture of Linux and Windows Server environments.”

The contract is expected to run for a base one-year period, with an optional six-month extension.

Responses to the RFI are due April 15.