Did the federal acquisition website called FAITAS suffer a cyber incident? Are thousands of contracting officers and contracting officer representatives’ (COR) data at risk?
The government isn’t offering any details of what’s going on, so I pulled out my reporter’s notebook (pun intended) and started to do some digging.
Insight by Booz Allen Hamilton: Technology experts explore cyber engineering in government in this free webinar.
Let’s look at what we know for sure and you, the reader, can decide whether there is something more than meets the eye.
Fact 1: The Federal Acquisition Institute Training Application System (FAITAS) has been down for “unscheduled maintenance” only for civilian agencies for more than a month.
So if you have a .gov email address, you are out of luck.
But if you have a .mil email address, all is well and you can use the site to get training.
Fact 2: There is no timetable for FAITAS to come back online for civilian agencies. In the frequently asked questions on the FAITAS website, GSA seems to insinuate that the site will be down through February as it states, “If you are maintaining a certification and your continuous learning period is NOT due to expire before the end of February 2018, your request may not be processed, as priority will be granted to users with certifications whose CL Periods are ending within this timeframe.”
Fact 3: The Army, which runs the site governmentwide, and the General Services Administration, which runs the Federal Acquisition Institute (FAI), are not saying much about what’s going on.
An Army Cyber Command spokesman offered this comment:
“Some Army Web services are currently not available due to maintenance and implementation of security upgrades. We are working as quickly as possible to complete the required upgrades and restore website access. Apart from that, I can’t offer greater specificity or detail.”
A GSA spokeswoman offered me a similar statement:
“The Federal Acquisition Institute Training Application System (FAITAS) is currently unavailable from the public domain; however the system remains open through the .mil network. The Federal Acquisition Institute is posting updates on FAITAS to FAI.gov and GSA has put several temporary solutions in place to ensure critical tasks can proceed until access to FAITAS is fully restored. Acquisition professionals should work through their agency career manager to address any critical needs.”
Fact 4: Civilian agency contracting officers and CORs are not necessarily feeling the impact of FAITAS being down, but the longer it’s down, the more people the outage will impact. Acquisition workers use FAITAS to sign up for training courses so they can keep their certifications and warrants up-to-date.
As one government acquisition professional told me, “The civilian government acquisition community is paralyzed from taking advantage of what FAITAS offers: Getting certifications, renewing certifications and the whole professionalization of the acquisition community is on hold. They are trying to do work around, but really FAITAS is the single source to get that done.”
The source, who requested anonymity because they didn’t get permission to talk to the media, said the work arounds GSA is offering include taking free classes at the Treasury Acquisition Institute or other government and private sector sources aren’t always at the level that more advanced acquisition workers need.
“You have to take so many hours to renew certification before the end of the expiration date of your certification. I think it’s around 40 hours,” he said. “So you need to take several different acquisition courses to make sure you are up to speed. If you don’t make sure the certifications are still viable, you lose it.”
For this acquisition professional, that is only part of the problem.
And then this brings us to the circumstantial part of the discussion.
The inferred evidence of what’s going with FAITAS easily leads us down the path of this being a cyber incident.
The lack of specific communication from the Army and GSA insinuate that there is something more going on than just “unscheduled maintenance” and “upgrades,” especially since FAITAS has been down for more than a month. IT experts say replacing hardware or upgrading software shouldn’t take this long, and if it was a technology problem, not a cyber problem, then why wouldn’t the Army and GSA be more forthcoming?
“Unplanned maintenance suggests they are hiding the truth — was it a critical security vulnerability that had to be fixed? Say so, but it takes a month to fix it? If it was a serious security breach, say so and tell us if Personally Identifiable Information was stolen, and, if so, what, how much and what are you going to do about it?” said the government acquisition worker. “Why is it taking so long to get it fixed? Why is there no target date for availability? Could some hacker have stolen the profiles of certified contracting professionals and use that for illegal purposes by acting, for example, as a contracting officer and gain access to other sensitive information? One can imagine lots of dangerous scenarios, beyond delayed training and certifications. It’s a Wizard of Oz moment when you’re not supposed to look at that man behind the screen. The silence about this is deafening and surprising it is being tolerated.”
And remember, federal law and policy requires agencies to report to the Office of Management and Budget and Congress all major cyber incidents within seven days of it being discovered. Emails to the House Oversight and Government Reform Committee and the Senate Homeland Security and Governmental Affairs Committee asking about FAITAS were not returned. Other sources say OMB was not aware of any major cyber incidents at FAI.
At the same time, multiple sources in and out of government say FAITAS suffered some sort of cyber problem. Let me clear here, no one knows if it was a hack or just a critical vulnerability that the IT folks found and needed to close immediately. Sources say GSA and the Army are being “extremely tight lipped” about what’s really going on.
Even internal emails obtained by Federal News Radio do not offer any further insights, just the “unscheduled maintenance” rationale or that it’s a “systemwide outage.”
One cyber expert who is not familiar with FAITAS specifically, but is an government cyber expert more generally, said one theory is the site was hit by a distributed denial of service (DDOS) or other type of attack and the Army is whitelisting .mil address because they have an IP range for DoD and can confirm where visitors are coming from. But they are less certain about where the civilian agency employees are coming from because they don’t those IP addresses to whitelist.
Another cyber expert surmised if the FAITAS front end is just a common user interface and the back-end systems are split into two—one for the Defense Department and one for the civilian agencies. If the civilian side had a cyber vulnerability that the Army is working to close, but not the .mil side could be a reason why DoD acquisition workers are unaffected by these problems.
The vendor that runs FAITAS, ASM Research, which is an Accenture subsidiary, referred all questions to GSA.
So that’s everything we know about FAITAS. All signs point to the fact the site is dealing with something more than “unscheduled maintenance.” If it was a cyber incident, the tens of thousands of contracting officer and contracting officer representatives deserve to know what happened and what is GSA and the Army doing to protect their data.
If the problem actually just a hardware or software problem, then the Army and GSA need to be more forthcoming and explain what’s going on.
If there is one thing agencies struggle to learn, getting ahead of the story is always better than being behind it.