Skip to main content

GSA Online Marketplaces: Plans to Measure Progress and Monitor Data Protection Efforts Need Further Development

GAO-21-104572 Published: Sep 28, 2021. Publicly Released: Sep 28, 2021.
Jump To:

Fast Facts

The General Services Administration developed an "online marketplace program" to make it easier for agencies to buy commercially available products, e.g., office supplies.

GSA started testing the program since our 2018 report, contracting with 3 online marketplace providers. So far, 13 agencies have signed up as testers.

The marketplace providers can see data about government purchasing and suppliers but aren't allowed to use it for marketing, pricing, or other business purposes. We found GSA's plans to oversee data protection may not fully prevent data misuse.

We recommended improving the plans to monitor providers' use of data, and more.

graphic with a lock in the center representing cybersecurity

Skip to Highlights


What GAO Found

The General Services Administration (GSA) is testing the concept of using online marketplaces where purchase card holders at federal agencies can easily buy commercially available products. In June 2020, GSA awarded contracts to three platform providers in what it calls the commercial platforms program. Through the program, 13 participating federal agencies can purchase products up to the micro-purchase threshold (generally $10,000). The three platforms vary, but all have characteristics that serve the needs of government purchase card holders. See table.

Selected Online Platform Characteristics

Platform characteristic

Amazon Business


Scientific Company L.L.C.

Overstock Government

Tailored commercial site for government platform




Promotes own products




Ability to restrict sale of prohibited products/suppliersa




Ability to designate preferred products/suppliersa




Source: GAO analysis of platform providers' information. | GAO-21-104572

aSuspended or debarred contractors are examples of prohibited suppliers. Preferred products or suppliers include environmentally sustainable products or small businesses.

GSA has established initial metrics for measuring program implementation, but it has not yet created a comprehensive plan with goals or clear time frames for assessing program progress. For example, GSA stated that it will track how sales are distributed across the three platforms, but it has not identified a goal of what percentage of sales across them is appropriate or the time frame to achieve that goal. As the program progresses, GSA can start to change its focus from testing the commercial platforms program concept to measuring progress. Establishing a comprehensive plan that outlines goals and time frames for each metric will better position GSA to measure if the program is being implemented successfully or if the program needs changes before it is ultimately expanded government-wide, as is the current plan.

GSA developed a plan to oversee each platform provider's compliance with requirements to protect government and supplier data. But it did not address some areas of compliance, and some actions within the plan may not effectively prevent unauthorized activity. For example, the data protection requirement prohibits providers from using third-party supplier data for pricing, marketing, or other activities. GSA's monitoring plan states that it will track sales of products supplied by the providers and compare them to products from third-party suppliers. However, this approach does not clearly demonstrate whether a provider violated the data protection requirement. By including specific actions, such as regular reviews of providers' policies in its monitoring plan, GSA will be better positioned to ensure that providers comply with the requirements to protect supplier or government data from unauthorized use.

Why GAO Did This Study

In fiscal year 2018, Congress directed GSA and the Office of Management and Budget to establish and implement a program for agencies to buy products through online marketplaces to, among other things, enhance competition and expedite the procurement process for certain commercial products. It also directed GSA to include in related contracts certain requirements to protect government and supplier data from unauthorized disclosure and use.

A House report accompanying the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 included a provision for GAO to review GSA's ability to monitor providers' compliance with data protection requirements. This report examines GSA's implementation of the commercial platforms program, the extent to which GSA is measuring program progress, and GSA's oversight of platform providers' efforts to protect data from unauthorized disclosure and use.

GAO reviewed GSA's program guidance, and the three commercial platform providers' contracts, policies, and practices. GAO also reviewed GSA's plan for measuring metrics and oversight and interviewed GSA officials and platform representatives about data protection and monitoring policies and practices.


GAO recommends that GSA establish a comprehensive plan with goals and time frames for measuring program implementation and further develop its monitoring plan with specific actions to ensure that platform providers are complying with data protection requirements. GSA agreed with the recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
General Services Administration The Administrator of the General Services Administration (GSA) should ensure the Federal Acquisition Service establish, before the proof of concept ends, a comprehensive plan for how GSA will measure implementation outcomes and progress of the commercial platforms program including, but not limited to, key details such as goals or targets for each metric, time frames to achieve them, and any planned analyses. (Recommendation 1)
Closed – Implemented
GSA agreed with the recommendation. In April 2022, GSA provided us documentation of a three step process they completed from January 2022 to April 2022 to implement this recommendation. The steps included updating performance measures that established specific baselines, objectives, and targets for each metric, and an action plan that included ongoing reviews of these performance measures with executive stakeholders on a quarterly basis.
General Services Administration The Administrator of the General Services Administration (GSA) should ensure the Federal Acquisition Service further develop its monitoring plan to include specific actions GSA will take to monitor each data protection requirement including, for example, regular, ongoing reviews of platform provider data compliance policies. (Recommendation 2)
Closed – Implemented
GSA agreed with the recommendation. In May 2022, GSA updated its monitoring plan to specifically outline all three data protection requirements and include ongoing reviews of platform provider data compliance policies on a quarterly basis.

Full Report

GAO Contacts

Office of Public Affairs


CybersecurityData elementsCompliance oversightE-commerceInformation securityInternal controlsPurchasingProgram implementationProof of conceptGovernment procurement