GSA working on corrective action plan following OIG report on ‘noncompliant’ video-conferencing camera purchase
Following scrutiny from both an agency watchdog and Congress for its purchases of Chinese-made video-conference cameras that were susceptible to security vulnerabilities, the General Services Administration said Thursday that it must deliver a corrective action plan to its inspector general’s office by March 25.
In a statement to FedScoop, a GSA spokesperson said the agency has put corrective actions in place and intends to provide the plan to OIG later this month. The spokesperson said the report will include “enhancements to acquisition processing procedures that ensure that compliance with all applicable laws is precisely documented.”
GSA’s Office of the Inspector General released a report in January detailing the agency’s purchase and use of Chinese-manufactured video-conference cameras with “known security vulnerabilities” that were not compliant with the Trade Agreements Act of 1979, or TAA.
At the time of the original report, OIG shared that GSA records indicated that the non-compliant video cameras had not been updated and remained susceptible to vulnerabilities. Out of 210 active cameras, the OIG report noted that 37 had not been updated with the most recent software version, which was from September 2022. Additionally, 29 of the cameras “had not been updated to the June and July 2022 software versions that addressed the prior security vulnerabilities,” the report found.
The GSA spokesperson told FedScoop that as of Friday, the agency “has 172 OWL devices that are approved for use around our environment. All 172 devices have been updated to the latest software version.” The spokesperson added that the GSA has not found any additional security vulnerabilities and that it has a “strong zero trust architecture to prevent cyber threats and bad actors.”
“GSA is confident that the use of the OWL video conference cameras has been and remains secure under our security protocols,” the spokesperson said. “GSA took several measures to assure the ongoing security of these devices, including limiting their connectivity to the internet, discontinuing a subset of the cameras that did not meet our standards and conducting ongoing threat monitoring, patching and maintenance.”
The agency’s Office of Digital Infrastructure Technologies (IDT) “misled a contracting officer with egregiously flawed information” to purchase 150 video cameras as part of a pilot project overseen by the GSA’s Federal Acquisition Services’ Federal Systems Integration and Management Center (FEDSIM), according to the report.
GSA Chief Information Officer David Shive and Deputy Inspector General Robert Erickson testified Thursday before the House Subcommittee on Cybersecurity, Information Technology, and Government Innovation regarding the audit’s findings. Shive said he was unaware of “any evidence suggesting that GSA IT personnel sought to intentionally mislead acquisition.”
“As a result of this audit, GSA has put in place new processes and improved documentation requirements,” Shive said. “The team has strengthened our alternatives of analysis documentation … [allowing] for possible solutions to be adequately analyzed and locked down once the analysis is completed.”
In response to a question from subcommittee Chairwoman Nancy Mace, R-S.C., about possible intentions behind the purchase, Erickson said that the OIG’s report did not find any evidence of ill intent, referring to the purchase as “gross incompetence.”
The OIG recommended four action items for the GSA in its original report, including one to “return, or otherwise dispose of, previously purchased TAA-noncompliant cameras.” The agency partially concurred with that point, stating that a subset of cameras that did not meet GSA standards was discontinued and that it is “confident that the use of the detailed video conference cameras are secure under our current security protocols.”
The headline of this story was updated March 4, 2024, to better characterize the OIG’s findings.