GSA Online Marketplaces: Plans to Measure Progress and Monitor Data Protection Efforts Need Further Development

What GAO Found

The General Services Administration (GSA) is testing the concept of using online marketplaces where purchase card holders at federal agencies can easily buy commercially available products. In June 2020, GSA awarded contracts to three platform providers in what it calls the commercial platforms program. Through the program, 13 participating federal agencies can purchase products up to the micro-purchase threshold (generally $10,000). The three platforms vary, but all have characteristics that serve the needs of government purchase card holders. See table.

Selected Online Platform Characteristics

^{Source: GAO analysis of platform providers' information. | GAO-21-104572}

^aSuspended or debarred contractors are examples of prohibited suppliers. Preferred products or suppliers include environmentally sustainable products or small businesses.

GSA has established initial metrics for measuring program implementation, but it has not yet created a comprehensive plan with goals or clear time frames for assessing program progress. For example, GSA stated that it will track how sales are distributed across the three platforms, but it has not identified a goal of what percentage of sales across them is appropriate or the time frame to achieve that goal. As the program progresses, GSA can start to change its focus from testing the commercial platforms program concept to measuring progress. Establishing a comprehensive plan that outlines goals and time frames for each metric will better position GSA to measure if the program is being implemented successfully or if the program needs changes before it is ultimately expanded government-wide, as is the current plan.

GSA developed a plan to oversee each platform provider's compliance with requirements to protect government and supplier data. But it did not address some areas of compliance, and some actions within the plan may not effectively prevent unauthorized activity. For example, the data protection requirement prohibits providers from using third-party supplier data for pricing, marketing, or other activities. GSA's monitoring plan states that it will track sales of products supplied by the providers and compare them to products from third-party suppliers. However, this approach does not clearly demonstrate whether a provider violated the data protection requirement. By including specific actions, such as regular reviews of providers' policies in its monitoring plan, GSA will be better positioned to ensure that providers comply with the requirements to protect supplier or government data from unauthorized use.

Why GAO Did This Study

In fiscal year 2018, Congress directed GSA and the Office of Management and Budget to establish and implement a program for agencies to buy products through online marketplaces to, among other things, enhance competition and expedite the procurement process for certain commercial products. It also directed GSA to include in related contracts certain requirements to protect government and supplier data from unauthorized disclosure and use.

A House report accompanying the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 included a provision for GAO to review GSA's ability to monitor providers' compliance with data protection requirements. This report examines GSA's implementation of the commercial platforms program, the extent to which GSA is measuring program progress, and GSA's oversight of platform providers' efforts to protect data from unauthorized disclosure and use.

GAO reviewed GSA's program guidance, and the three commercial platform providers' contracts, policies, and practices. GAO also reviewed GSA's plan for measuring metrics and oversight and interviewed GSA officials and platform representatives about data protection and monitoring policies and practices.