The General Services Administration (GSA) is creating a voluntary questionnaire to gather pertinent cybersecurity supply chain risk management (C-SCRM) information from vendors.
The questionnaire – developed by the Federal Acquisition Service’s Office of the IT Category – aims to ensure that the government can abide by the guidance to implement supply chain security practices when purchasing information and communications technology products and services.
GSA is seeking feedback from the vendor community regarding the questionnaire. Responses to the request for information (RFI) are due on Nov. 10.
The draft questionnaire contains a mix of nearly 200 yes-or-no and short-answer questions regarding C-SCRM.
According to GSA’s RFI, the information gathered from the voluntary questionnaire will enable agencies to evaluate and characterize the level of threat to the integrity, trustworthiness, and authenticity of the product, service, or supplier.
The draft questionnaire includes simple yes-or-no questions like “Do you have a documented SCRM plan and policy?” and more complicated short-answer questions like “What mechanisms are in place to ensure your policies are enforced within your supply chain?”
The agency’s RFI includes more than 10 questions, seeking feedback from the vendor community on topics such as whether the forthcoming questionnaire will reduce the burden of answering multiple C-SCRM questionnaires across the Federal government; what level of effort, including financial, the voluntary questionnaire will take; and whether the questionnaire would disadvantage small businesses.