The U.S. government’s objectives for improving cybersecurity are taking shape in updated contracting procedures, contracts and projected increases in spending. Several recent developments have underscored the federal commitment to bolstering the protection of IT resources.
On the contracting front, the General Services Administration has asked vendors to respond by Wednesday to a research survey on what it should do to expedite federal acquisition of cybersecurity products and services. The quick-turnaround survey was released earlier this month.
Information from the survey will be used to develop contracting vehicles to help federal agencies “procure both proactive and reactive cybersecurity services, such as penetration testing, incident response and security engineering to include post-incident or post-assessment remediation,” said Shon Lyublanovits, acting director of the Federal Acquisition Service for Strategic Solutions and Security Services. FAS is a unit of GSA.
Vendors Asked for Input
“Providing federal agencies better access to private sector talent that can identify threats, address vulnerabilities and assist in recovery from malicious cyber events is a key component of helping the entire federal government improve its cyber posture,” she said.
GSA posed nearly 20 survey questions to vendors, including the following:
- How do private sector entities contract for cybersecurity products and services?
- What are the advantages or disadvantages of how the government currently purchases cybersecurity products and services?
- What contracting type and pricing methodology structures are currently offered, or should be offered, for the government to purchase proposed cybersecurity services?
The GSA reference for the survey document is Cybersecurity Services, Solicitation No. QTA00DF16DPI0002.
“We are encouraged that GSA is soliciting industry best practices in advance of putting into place contracts for buying cybersecurity services,” said David Wennergren, executive vice president of operations and technology at the Professional Services Council.
“Cybersecurity is a national imperative, and it is crucial that federal agencies address long-standing requirements, like using their PIV cards for cryptographic logon, finishing their Trusted Internet Connection/Einstein monitoring work, patching software, and retiring legacy systems and infrastructure that are no longer secure or effective,” he said.
“Simultaneously, agencies must embrace additional cybersecurity priorities, to include continuous monitoring, mobile device management, managed security services, proactive assessments and trusted computing from untrusted devices. Taken together, these actions will help to ensure that cybersecurity is baked into IT solutions rather than trying to bolt on security measures after the fact,” he said.
Funds Still Rolling Out
While contracting procedures certainly could be improved, federal agencies still are utilizing existing acquisition vehicles for cybersecurity capabilities — often at hefty levels of investment.
For example, the U.S. Department of Homeland Security has set a deadline of May 13 for vendors to respond to a request for proposals on a cybersecurity contract with a potential value of US$395 million. The request was issued this month, but interested providers have had ample time to prepare for the final version as DHS released a preliminary draft last year. DHS also conducted information sessions for vendors.
The contract involves support services for the DHS Security Operations Center. The single-award, indefinite-delivery, indefinite-quantity contract covers a broad range of services for monitoring, intrusion detection and protective services. Tasks will involve wide area networks, Trusted Internet Connections, policy enforcement points, security devices, servers and workstation needs.
Also, the U.S. Defense Department has selected vendors for a $5 billion vehicle known as the Cyber Security and Information Systems Technical Area Tasks contract managed by the Defense Technical Information Center, or DTIC. The contract covers the full spectrum of IT capabilities, with an emphasis on cybersecurity, including research and development projects.
Contractors chosen for the work have been publicizing their participation since the DTIC revealed the selections late last year. Several have highlighted the cybersecurity elements of the program.
Booz Allen Hamilton was “honored to be a central component of this program, which will serve as an invaluable boost to the federal government’s cybersecurity research and development efforts,” said Robin Portman, executive vice president of Booz Allen Hamilton.
“Our team encompasses truly world-class cybersecurity analysis and management capabilities and looks forward to serving a lead role in improving the nation’s cyberdefenses,” she noted.
To date, the DTIC has not assigned any specific tasks to the selected vendors, according to Jennifer Heddings, contract office representative.
“Right now we are preparing the task packages, and we expect to issue various task orders during the current fiscal year,” she told the E-Commerce Times.
Pressure on OMB
Sen. Tom Carper, D-Del., has asked the Office of Management and Budget to respond by May 8 to his concerns that federal agencies are not taking advantage of innovative cybersecurity offerings, particularly from small businesses and startups.
“From what I understand, however, flaws in the federal acquisition process can limit the tools agency network defenders can obtain,” he noted in a letter to OMB Director Shaun Donovan.
“Our discussions made it clear that, because the techniques our adversaries use against us online are always evolving, deploying innovative products and services is critical to staying ahead of the threats we face online,” Carper said, referring to a meeting he attended with small businesses.
The companies pointed out that private sector financial institutions, power companies, retailers and others “are able to quickly reap the benefits of the many new and innovative cyberdefense products put on the market each year,” he said.
“It was not clear to them that federal agencies are similarly able to rapidly acquire new and innovative cybersecurity solutions,” Carper added.
“What are agencies doing to acquire innovative cybersolutions developed by startups and other companies that have not traditionally done business with the government? How successful have agencies been in doing so? Are any agencies piloting innovative procurement processes for rapid acquisition of cybersecurity tools? What action has OMB taken, or is planning to take, to guide agencies in the rapid procurement of new and emerging cybersecurity tools?” Carper asked.
In another initiative, GSA’s FASt Lane procurement system has benefitted cybersecurity vendors. The program was started last fall and is designed to speed up the process in which vendors qualify to participate in the GSA information technology procurement program known as “Schedule 70.”
“FASt Lane is a game changer. In the past it took an average of 110 days to get on Schedule 70. In our first pilot, we were able to cut that down to 45 days,” said Kay Ely, deputy assistant commissioner at FAS. “Over the past several months, we’ve used this process to bring on more than 40 new companies at an average time of only 29 days.”
While the schedule covers the full range of IT offerings — and not just cybersecurity — several cybersecurity vendors have recently qualified for the program. One is Kryptowire, a DHS contractor.
The company will provide mobile app vetting for Android and iOS apps and mobile app archiving across 10 product lines, which will let the government analyze the security and privacy of its own apps as well as third-party apps used in the workplace, according to the department.
Another FASt Lane beneficiary is SynchroCyber, which obtained Schedule 70 status earlier this year. The company provides digital identity, credentialing and access management solutions.
“GSA was very accommodating and the process worked out well,” said company CEO James Burke.
“Our first step was to gain the status of a small-business HUBZone company. We were then a subcontractor to a prime vendor on a federal contract. In the future, the agency wanted to deal with us directly and assisted us in the FASt Lane program,” he told the E-Commerce Times.
These latest developments come against the background of President Obama’s Cybersecurity National Action Program, which was launched earlier this year.