Watchdog dings Public Buildings Service for bumpy cloud shift
A move of federal lease broker data to a cloud service snarled contracts, according to an oversight report.
Efforts by the General Services Administration to protect data gathered by its building lease support services providers got tangled in internal contracting rules, according to an inspector general report.
In 2017, data on building rental rates and federal tenants collected by GSA lease support brokers for GSA's Public Building Services was transferred to the agency's virtual desktop interface accounts that are used with GSA Google accounts, the GSA IG said in a report issued March 22.
GSA IT, which is information security manager for the lease support brokers, made the move because it saw some of the six contractors struggling with security requirements. Contractor support services include market surveys, site visits, document preparation and lease negotiations. The shifts were made after the contracts were awarded.
About half of the federal workforce is housed in leased buildings. At the end of fiscal year 2017, the Public Buildings Service had 187.6 million rentable square feet under lease nationwide, with a total annual rental of space expense of $5.5 billion.
A hotline complaint in May 2017, according to the report, alleged GSA changed the IT security requirements of the lease support contracts without putting out corresponding contract modifications. The contracts, the report said, contain "extensive IT security requirements" aimed at guarding vital data such as government market surveys on rental rates, data about federal employees as well as the floor plans for federal offices in the buildings.
After GSA awarded the contract, the report said the agency gave contractors an option to use GSA-managed systems to access and store the leasing data. That offer, said the GSA IG, "materially transferred" the contractors' security responsibilities to GSA and changed the scope of the competition for such contracts in contravention with federal acquisition rules. The IG also said the agency also didn't issue contract modifications on the security changes for almost a year, leaving contractors' security requirements unclear.
The GSA IG recommended the Public Buildings Service commissioner coordinate with GSA IT on security requirements for lease support contractors.
The IG also recommended that other contracts that use GSA internal cloud systems to host data spell out data security responsibilities.
In a March 8 letter to the GSA IG's property and finance office, Public Buildings Service Commissioner Daniel Mathews concurred with both recommendations. However, he also asked the GSA IG for advice and guidance on the huge job of reviewing current lease contracts, saying such a review could have "significant resourcing implications."