Letters

IRS’ closed doors
Federal Computer Week’s story “New (fiscal) year resolution: Get your IT budget fit” [Feb. 13] faithfully quoted Internal Revenue Service press releases on why the agency wanted to close 68 walk-in assistance centers for taxpayers. However, issuing a press release does not change the facts.

The proposal to eliminate taxpayers’ ability to obtain personal face-to-face tax help was a serious executive miscalculation that exposed just how out of touch IRS leaders are with the ground zero of tax administration. Taxpayers would have saved no money. Zero. Instead the funds used to assist folks in complying with complex tax laws would have been redirected to controversial pet projects, such as allowing private firms to collect federal income taxes.

Once the scheme was exposed to public scrutiny, embarrassed IRS executives were sent back to the drawing board.
Mike Peacher
National Vice President
District 4
National Treasury
Employees Union

Aronie’s bull’s-eye
Jonathan Aronie hit a bull’s-eye on possible solutions for the General Services Administration’s current malady [“Keep GSA schedules humming,” March 20].

He suggests assigning individuals to key leadership and management positions who have the knowledge of and passion for the schedules program, and who understand the program’s origins and its purpose as a special and unique contracting tool.

As Aronie points out, GSA already has such folks onboard and exhorts: “Let’s put these people in the game.”

Not only should we take those folks off the bench and put them in the game, we should provide them with sage advice from past leaders and heroes of the schedules program.

I suggest that FCW sponsor a blue-ribbon committee to come up with recommendations to invigorate the program. My vote for committee members would include the legendary four horsemen of the Federal Supply Service: Frank Pugliese, former commissioner; Bill Gormley, former assistant commissioner; Ed O’Hare, former chief information officer; and Roy Chisholm, former procurement director. Those individuals left their mark on GSA and the federal procurement community. They brought recognition to the phrase Federal Supply Schedules.
Nick Economou
President
FSL Procurement and Contracts Consulting

More on the Common Criteria
I just read your article “GAO: Common Criteria is not common enough” [April 3].

The Government Accountability Office’s auditors are correct that the process takes too long and its effectiveness is not well-understood, but the article has some inaccuracies. For one, small vendors do not need a subsidy. They do not care what it costs to do a Common Criteria evaluation as long as it is a dealmaker and they will make a profit on the venture.

Even though the Defense Department requires a Common Criteria evaluation, a small vendor often starts the process and a competitor wins the award without an evaluation. DOD does not enforce DOD 8500.1. I just received an e-mail from an officer asking me what I knew about a vendor claiming to be in the Common Criteria evaluation process.My reply was that the claim is false.

Any vendor can close a deal before an evaluation begins as long as they have a contract to get into a c e r t i f i e d C o m m o n Criteria Testing Laboratory, and that costs zero dollars. If customers require an evaluation, small vendors will gladly pay for one if the guaranteed revenue exceeds the evaluation cost.

Because the Common Criteria process evaluates information assurance, it has been difficult to identify appropriate metrics.We compare a vendor’s design specifications against their security claims for the product. Then we test the product against the vendor’s design specifications at the end of the evaluation process.

We evaluate whether external interfaces are tested, and then we evaluate to see if all errors and effects are tested by the vendor. But people want to hear how many viruses we found.We determine if the vendor can accurately build a version of the product and ship the appropriate installation and guidance instructions with it. But people want to hear if the product can protect against phishing. I guess it is good that the information technology security industry has entertainment value.

Once a product is evaluated against the Common Criteria, all agencies can recognize it. Unfortunately, many agencies have their own evaluation processes. But that is not a failure of the National Information Assurance Partnership or the Common Criteria. A center of excellence will not solve this problem.

I am tired of meaningless statements by well-selected sources that add nothing and, worse, confuse the reader. Progress only can be made if we start with accurate information. GAO auditors spent time at Science Applications International Corp. on two separate occasions and have communicated with us several times after the questionand- answer period. Their questions were to the point, and they took copious notes, so I assume that someone at GAO understands the Common Criteria process.

I am disappointed that you apparently did not question your sources or seek corroborating sources, as one might expect an investigative reporter to do.
Robert Williamson
AVP
Common Criteria Testing Laboratory
Science Applications International Corp.