The U.S. government plans to initiate an updated contracting vehicle for the acquisition of cybersecurity information technologies for federal agencies this month. The purpose of the program is to make it easier and more efficient for federal agencies to obtain cyberprotection services.
Specifically, the General Services Administration will include cybertechnology providers on a major listing of approved federal contractors known as “Schedule 70.”
The stakes are significant for vendors offering cyber-related capabilities to the federal government. The Obama administration earlier this year proposed the addition of US$6 billion to the fiscal 2017 budget for cybersecurity investments, bringing the total cyberbudget for that year to $19 billion. The proposal was linked to the Administration’s Cybersecurity National Action Plan, or CNAP, launched earlier this year.
GSA will add four new Highly Adaptive Cyber Security activities to the IT Schedule 70 contracting vehicle, according to the procurement plan, with special item numbers (SINs) assigned for acquisition purposes.
The IT Schedule 70 is the largest, most widely used acquisition vehicle in the federal government. The vehicle is an indefinite delivery, indefinite quantity (IDIQ) multiple award schedule, providing direct access to products, services and solutions from more than 4,700 certified vendors.
“In support of the Administration’s CNAP activities, these new SINs will provide government agencies with quicker and more reliable access to key, pre-vetted support services that will expand agencies’ capacity to test their high-priority IT systems, rapidly address potential vulnerabilities, and stop adversaries before they impact our networks,” said GSA Administrator Denise Turner Roth.
Vendors Must Qualify
GSA last month began vetting potential vendors. Vendors already on the Schedule 70 roster must requalify, and other vendors will be eligible for the roster after meeting GSA requirements.
It has been difficult for federal agencies to find a marketplace offering streamlined cybersecurity services that are both trusted and reliable, GSA said.
The four cyber-related SINs will be available exclusively through the update of the Schedule 70 program.
“While GSA does have other acquisition vehicles — such as government-wide acquisition contracts and the one acquisition solution for integrated services — that include the cyber special item numbers within scope, the four cyber specialties are uniquely dedicated to the services and include additional evaluation criteria,” GSA said.
GSA described the four special areas as follows:
- Penetration Testing: Security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system or network
- Incident Response Services: Services that help organizations impacted by a cybersecurity compromise determine the extent of the incident, remove the adversary from their systems, and restore their networks to a more secure state
- Cyber Hunt Activities: Responses to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats
- Risk and Vulnerability Assessments: Assessments of threats and vulnerabilities to determine deviations from acceptable configurations, or enterprise or local policies; to gauge levels of risk; and to develop or recommend appropriate mitigation countermeasures
The administration expressed strong support for the GSA initiative.
The Office of Management and Budget will “work closely with agencies to encourage them to buy cybersecurity services through IT Schedule 70, and OMB will partner with GSA to provide new capabilities and add more vendors as these SINs evolve and grow more robust in their offerings,” said Federal Chief Information Officer Tony Scott.
GSA has partnered closely with the Department of Homeland Security to ensure that cybercapabilities provide a high level of service to agencies, and that companies providing the services will be vetted rigorously to ensure strong performance.
GSA could not estimate a potential market value for vendors because the initiative is a general program rather than a project-specific contract, but it indicated that it will be an important IT acquisition resource.
“Currently, the President’s Cybersecurity National Action Plan does not provide a specific breakdown of how funds will be budgeted and allocated for federal cybersecurity investments,” GSA said in a statement provided to the E-Commerce Times by spokesperson Cara Battaglini.
“However, we do realize there is an urgent and compelling need for HACS services from our customer agencies, which will lead to a significant amount of government spending through the Schedule 70 program,” GSA added.
“Cybersecurity-related procurements on the GSA Schedule 70 since 2012 have averaged over $730 million,” noted Ashley Marculescu, a consultant at Winvale.
“The CNAP program is calling for a 35 percent increase in fiscal 2017 versus 2016 for spending on resources for cybersecurity. Given the current 5,000-plus Schedule 70 contractors, and the new companies these special item numbers will attract, Winvale is projecting cybersecurity-related contracts on the GSA Schedule 70 to be in the range of $1 billion,” she told the E-Commerce Times.
The revised Schedule 70, with the inclusion of the four cyberspecialties, will be advantageous to government agencies and vendors, according to Marculescu.
“The main goal of the GSA in adding these types of acquisition resources is to try to make the agencies’ procurement process as efficient as possible,” she said. “We have seen that GSA is consistently trying to make the schedule program a preferred contract vehicle by adding new special item numbers relevant to the federal government’s needs.”
A cybersecurity subgroup for Schedule 70 will improve federal agencies’ ability to identify vendors and compare offerings and prices under the specific services, she noted.
Additionally, federal agencies will have access to a pool of vetted and highly qualified cybersecurity vendors with proven past performance to complete the services required. Federal agencies also will be able to execute rapid ordering and deployment services to meet urgent needs, Marculescu said.
Vendors Should Benefit
GSA will provide subject matter experts to help agencies fulfill their cybersecurity needs and requirements. The agency also will provide a quick-start ordering guide to help federal managers rapidly acquire services from the selected cybersecurity items. GSA further will provide agencies with sample acquisition documents, including statements of work.
Industry partners will have enhanced ability to market the cyberservices via the Schedule 70 process, GSA said.
“GSA has introduced these items as a result of market research and consumer demand, so vendors offering cybersecurity services will now have a designated acquisition category that will make accessing government contract opportunities for cybersecurity easier,” said Marculescu.
The procurement cycle for those vendors will be shorter, because the price, as well as the terms and conditions, will have been certified as fair and reasonable by GSA, she explained.
“Also, this will be one of the first federal supply schedules to have a formally identified cybersecurity category, so schedule holders will have a competitive advantage based on federal acquisition requirements,” Marculescu pointed out.