On August 17, 2016, the General Services Administration (GSA) released the long-awaited draft solicitation for a government-wide cybersecurity acquisition vehicle. With the solicitation, GSA has created new IT Schedule 70 special item numbers (SINs) for “Highly Adaptive Cybersecurity Services” (HACS). The idea behind the HACS SINs is for agencies to have a single vehicle (the IT Schedule 70 contract) to purchase cybersecurity products and services. Its development is an outgrowth of the President’s Cybersecurity National Action Plan and the Office of Management and Budget’s Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government.
GSA is requiring that all current IT Schedule 70 vendors that offer services within the scope of the HACS SINs migrate those services to the new HACS SINs. Written narratives describing vendor capabilities will need to be submitted to GSA, and GSA will conduct oral interviews to confirm capabilities. GSA has indicated that it plans to begin vendor evaluations on September 1, 2016. Offerors will be given a rating of either Acceptable/Pass or Unacceptable/Fail. Agencies can begin ordering from the new SINs as of October 1, 2016.
Release of the solicitation follows an RFI process, during which GSA sought information about the types of cyber products and services that agencies need as well as input from vendors regarding any concerns about the development of the HACS SINs.
The four new HACS SINs encompass proactive, reactive and remedial cybersecurity services. They are:
|132- 45A||Penetration Testing||security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network|
|132- 45B||Incident Response||help organizations impacted by a cybersecurity compromise determine the extent of the incident, remove the adversary from their systems, and restore their networks to a more secure state|
|132- 45C||Cyber Hunt||responses to crisis or urgent situations within the pertinent domain to mitigate immediate and potential threats. Cyber Hunt activities start with the premise that threat actors known to target some organizations in a specific industry, or specific systems, are likely to also target other organizations in the same industry or with the same systems. Use information and threat intelligence specifically focused on the proximate incident to identify undiscovered attacks; investigates and analyzes all relevant response activities|
|132- 45D||Risk and Vulnerability Assessment (RVA)||assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations; RVA services include but are not limited to: Network Mapping, Vulnerability Scanning, Phishing Assessment, Wireless Assessment, Web Application Assessment, Operating System Security Assessment (OSSA), and Database Assessment.|
GSA anticipates that the HACS SINs will provide benefits to agencies and vendors alike by centralizing and facilitating the purchase and sale of cybersecurity products and services. Among the additional anticipated benefits are:
- aligning of IT Schedule 70 cybersecurity offerings to meet customer needs;
- consolidating of cybersecurity product and service offerings for ease of customer use and better acquisition planning;
- providing agencies with a means to compare and differentiate vendor offerings;
- giving GSA greater visibility into cybersecurity purchases through Federal Supply Schedule sales reporting; and
- offering agencies high-level vetting of contractors whose services are offered on the HACS SINs to provide higher quality and certainty.
Notably, the labor categories and prices stated under the HACS SIN will apply only to that SIN and not to other Schedule 70 offerings. Hardware and software purchases will be out of scope for HACS and covered by other Schedule 70 SINs.
Vendors with HACS SINs on their Schedule 70 contract will be required to comply with FAR 52.204-21 concerning the basic safeguarding of contractor information systems that process, store, or transmit federal contract information. Compliance with several identified National Institute of Standards and Technology (NIST) IT security standards also will be required.
Solicitation terms and conditions require that the contractor describe each HACS offered in a way that mirrors the manner by which the contractor sells to commercial customers. Pricing shall also be in accordance with the contractor’s customary commercial practices.
It remains to be seen whether the HACS SINs will become a widely used mechanism for federal cybersecurity service purchases. However, consolidation of service offerings on Schedule IT 70 makes a lot of sense, and could be a boon to those contractors with HACS SINs.
Please contact us if you need assistance with the consolidation process or with general questions about the HACS SINs.