In the acquisition process for Federal IT, agencies are trying to secure their supply chains in myriad ways, and that includes taking great caution with acquiring refurbished equipment.
Speaking at the 930Gov Conference in D.C. on August 21, a panel of experts from across Federal government spoke about risk management as it relates to cybersecurity, including risks that accompany used gear.
Lawrence Hale, Director of the IT Security Subcategory within the Office of Information Technology Category in the General Services Administration’s (GSA) Federal Acquisition Service, said GSA is being more cautious with refurbished tech and will be removing the Special Item Number for refurbished products from GSA Schedule 70.
“The risk of using refurbished equipment on critical systems – on high-value assets – you know, any agency before making these decisions needs to do a risk management analysis and determine what they are willing to expose themselves to in terms of what provenance of equipment are they going to install in certain systems,” Hale said.
Sana Saleh, a Cybersecurity Adviser at the Department of Homeland Security, expanded on that sentiment when discussing risk management across agencies, and suggested that agencies will have to look at how much risk they are willing to accept.
“Without speaking specifically to zero trust, I’m just going to say sometimes you have to look at … what is the worst outcome you’re willing to tolerate,” Saleh said. “Because even within the same agency, sometimes there are different risk tolerances and different products—they just do not want [those products] on the network at all,” she added.
Saleh offered that agencies can ask “what is the worst that I can deal with?” and then work backwards from that premise.