03.03.17

Daines, Duckworth Highlight GSA Cybersecurity Deficiency in Operations

U.S. SENATE —U.S. Senator Steve Daines (R-MT) and Tammy Duckworth (D-IL) today wrote to the General Services Administration (GSA) highlighting the clear deficiency in GSA’s operations regarding foreign-owned buildings. 

In a letter to GSA Acting Administrator Timothy Horne, the Senators expressed concern with GSA’s practice of leasing high-security space from foreign owners and the cybersecurity risks created by conducting high-security operations in foreign-owned buildings. Daines also requested a response by March 31, 2017 as to how GSA will address these issues.

“Federal agencies are among the top targets for cyber criminals, with many agencies experiencing thousands of attempted attacks daily,” Daines and Duckworth wrote. “Agencies must have the information necessary to assess and address the risks to their high-security facilities, including cybersecurity vulnerabilities that exist in foreign-owned buildings.” 

A recent GAO report revealed that GSA is leasing high-security space from foreign owners to at least 26 federal agencies including the Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA). These agencies often store sensitive data on site and use the space for classified operations.

Further, over half of the tenants GAO interviewed for the report were unaware that the space they occupy is in a foreign-owned building. The report outlined the cybersecurity risks associated with operating in foreign-owned space. GAO ultimately concluded that there are inadequate processes and procedures in place to identify foreign-owned buildings and to notify tenants of such ownership.  

Daines’ and Duckworth’s letter is available for download HERE and below: 

Dear Administrator Horne:

            We write to request information regarding General Services Administration’s (GSA) policies and procedures governing the leasing of high security space from foreign owners. GAO recently released a report that revealed GSA is leasing high-security space from foreign owners in 20 buildings.[1] Federal agencies that occupy these buildings may not even be aware that they are occupying a foreign building. Yet, in some cases the space is used for classified operations and to store sensitive data. GAO determined that the space in question is owned by companies based in countries such as Canada, China, Israel, Japan, and South Korea. Further, the report revealed that GSA lacks complete information regarding foreign-owned leased space including beneficial owner information (which GAO defined as the person who ultimately owns and controls a company).

            The report noted that leasing space in foreign-owned buildings can present security risks including unauthorized cyber access. GAO ultimately concluded that GSA’s incomplete information and lack of policies and procedures regarding foreign ownership of high-security leased space may undermine facility security and leave facilities vulnerable to security breaches including cyber intrusions.

            Federal agencies are among the top targets for cyber criminals, with many agencies experiencing thousands of attempted attacks daily. Agencies must have the information necessary to assess and address the risks to their high-security facilities, including cybersecurity vulnerabilities that exist in foreign-owned buildings.

Given the highly sensitive information that is often stored at high-security leased sites, we are concerned with the lack of policies and procedures concerning the ownership of these sites. In an effort to better understand potential reforms to remedy this issue, we respectfully request the following information: 


1. In addition to existing requirements such as the System for Award Management’s collection of information regarding immediate and highest level ownership, as well as the collection of Tax Identification and DUNS numbers, what efforts has GSA made to ensure a complete account of foreign owned high-security leased space?

2. GSA is not required to consider beneficial ownership information and therefore does not know the identity of the beneficial owners of the buildings it leases. Will GSA implement new procedures to determine beneficial ownership before leasing high-security space? If so, through what procedures? Would GSA require additional authority to request this information from foreign owners leasing high-security space?


3. How will GSA notify tenants that their leased space is foreign owned? What policies and procedures does GSA plan to implement to provide tenants occupying foreign-owned space with the information necessary to perform facility risk assessments?              

            We request you provide this information no later than March 31, 2017. Thank you for your assistance.

###