By Michael Hardy
May 12, 2008
An encryption software company on the governmentwide Data-At-Rest
blanket purchase agreement is being accused of using a misleading matrix
in its marketing. The matrix implied that government officials had found
its product was better than its competitors'. However, no agency has
conducted such an assessment.
The company, Mobile Armor, has reportedly pulled the document from its
marketing materials. But questions have been raised about whether
agencies were misled and what contracting officials should do about it.
The contracting officer for the BPA has not indicated whether the
government will take further action against Mobile Armor.
Mobile Armor is one of 10 software companies on the Data-At-Rest BPA, a
joint effort of the Defense Department's Enterprise Software Initiative
and General Services Administrations SmartBuy programs. Soon after the
June 2007 award, companies started marketing their wares, and some
prospective customers began asking Mobile Armor's competitors to explain
their low scores on the competitive matrix.
The matrix showed several encryption software products, most of which
were available through the BPA, ranked on a scale of 0 to 5 in 11
specifications. Mobile Armor's product scored the highest ratings in all
categories on the chart. The chart's source line stated that the
information came from data the companies submitted to the Data At Rest
Tiger Team (DARTT), DOD and GSA. But competitors say they submitted no
information that could have been distilled into such numerical rankings.
Mobile Armor officials declined to comment for this story. However, they
told the BPA contracting officer that a consultant, who no longer works
for the company, created the matrix without the knowledge or approval of
company executives, sources said.
The case comes to light as contractors increasingly are under scrutiny
for ethical lapses. The Environmental Protection Agency abruptly
suspended IBM from all federal contracting for a week in early April
after reports surfaced that company employees obtained protected source
selection information from an EPA employee and used it in contract
The matrix has apparently circulated beyond the circle of government
customers for whom it was originally intended. Pete Morrison, vice
president of sales for Credant's North America operations, said a
commercial customer first brought the matrix to his attention.
"The key features as well as the rankings were a total fabrication,"
Morrison said. "This was not part of the process that the DARTT folks
went through when they awarded the contracts."
The companies vying for a place on the BPA answered a 103-question
questionnaire to establish that they met the minimum requirements for
inclusion, Morrison said. Because it was a BPA, the government made no
effort to sort out the better companies from weaker ones, he said. "If
you met the requirements, you got a contract. Nowhere was there any kind
of scoring or anything like this."
Companies submitted nothing that correlates to numerical scores, agreed
Joseph Belsanti, director of marketing at WinMagic, another of the
Maurice Griffin, the contracting officer overseeing the BPA, declined to
comment in detail. In a brief written statement, he said, "The matrix in
question was not a government document nor did the government direct,
require or provide input to development of the document." The evaluation
materials would be protected as source selection documents, he added.
Observers and competitors now wonder if Mobile Armor's agreement to stop
using the matrix will end the matter.
"Just pulling it down is a little weak," said Andy Solterbeck, chief
technology officer in the commercial security division of SafeNet,
another company on the BPA. "I think more of an active retraction would
be in order."
Solterbeck, like other competitors, said it would be difficult to know
whether his company lost any sales as a result of Mobile Armor's
marketing activities. His chief objection was that the matrix implied
that the data came from an official government source.
If the competitive matrix had been presented as anything other than a
government document, no one would have cared because it would have been
easy to refute, he added.
Belsanti said he doubted WinMagic had lost any sales because of the
matrix. "Our customer base within the federal government is a fairly
loyal one and a fairly educated one," he said. "I have not heard of this
document being detrimental to this success."
Nevertheless, security is primarily about trusting trustworthy people
and partners, Belsanti said. "The [fear, uncertainty and doubt] being
produced by some organizations in the marketplace isn't doing the market
any favors," he said. "If I was a customer in the marketplace, I would
think about who I put my trust in."
GSA officials declined to comment.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com