The General Services Administration (GSA) Inspector General (IG) has found that the acquisition agency in 2022 purchased Chinese-manufactured videoconference cameras with known security vulnerabilities.
According to the Jan. 23 report, GSA Office of Digital Infrastructure Technologies (IDT) employees provided “egregiously flawed” information to acquire 150 videoconference cameras that were manufactured in China, and therefore not compliant with the Trade Agreements Act of 1979 (TAA).
GSA IG said it was contacted later in 2022 by a GSA employee who was concerned about the agency’s purchase and use of Chinese-manufactured videoconference cameras. “Our audit objective was to determine whether GSA’s purchase and use of these Chinese-manufactured videoconference cameras were in accordance with federal laws, regulations, and internal guidance,” the report says.
GSA IDT employees “misled a contracting officer with egregiously flawed information to acquire 150 Chinese-made, TAA-noncompliant videoconference cameras,” the report says. “Before completing the purchase, the contracting officer requested information from GSA IDT to justify its request for the TAA-noncompliant cameras, including the existence of TAA-compliant alternatives and the reason for needing this specific brand.”
“In response, GSA IDT provided misleading market research in support of the TAA-noncompliant cameras and failed to disclose that comparable TAA-compliant alternatives were available,” the IG said.
The agency’s watchdog said that the TAA-noncompliant cameras have known security vulnerabilities that need to be addressed with a software update. However, GSA records indicate that some of these TAA-noncompliant cameras have not been updated and remain susceptible to these security vulnerabilities.
The IG made five recommendations to GSA Administrator Robin Carnahan:
- Ensure that GSA no longer purchases TAA-noncompliant cameras if there are TAA-compliant cameras that meet the agency’s requirements;
- Return, or otherwise dispose of, previously purchased TAA-noncompliant cameras;
- Strengthen controls to ensure that TAA-compliant products are prioritized during future procurements; TAA contracting officer determinations are adequately reviewed prior to approval, including any comparisons or market research performed; and head of contracting activity non-availability determinations are obtained prior to procuring TAA-noncompliant products;
- Information technology equipment is being updated in a timely manner to reduce the risk of overlooking identified vulnerabilities; and
- Take appropriate action against the Office of GSA Information Technology and GSA IDT personnel to address the misleading information provided to the contracting officer for the purchase of TAA-noncompliant cameras.
In comments dated Dec. 22, 2023, GSA Chief Information Officer David Shive, Federal Acquisition Service Commissioner Sonny Hashmi – who left the agency last month – and Senior Procurement Executive of the Office of Governmentwide Policy Jeffrey Koses responded to the IG’s recommendations, agreeing with all except recommendation two.
In their comments, the officials stated they are confident that GSA’s current security protocols are sufficient to secure the TAA-noncompliant cameras and affirmed those security protocols included already discontinuing the use of some TAA-noncompliant cameras that do not meet GSA’s standards.
“Due to security and procurement concerns, we reaffirm our recommendation that GSA should return or dispose of these TAA-noncompliant cameras,” the IG said.