U.S. General Services Administration Highly Adaptive Cybersecurity Services (HACS) Webinar - June 21, 2017 Terence Rountree – Deputy Director of the Office of IT Security Services (ITSS) Bradley Cornell – Director of the IT Services Contract Division (IT Schedule 70)


Contents

ITSS
● IT Security Category Mission
● Recent Executive Order
● HACS Driver
● Recent Cybersecurity Breaches

IT Schedule 70
● Overview of IT Schedule 70 & HACS

ITSS
● Introduction to the HACS SINs

IT Schedule 70
● Evaluation Factors for HACS SINs

ITSS
● Status of the HACS SINs
● HACS Vendors as of June 14, 2017

IT Schedule 70
● Benefits of IT Schedule 70 HACS SINs
● GSA eTools to assist you
● How to Order from IT Schedule 70
● Ordering Summary - IT Schedule 70 HACS
● Order Documentation Requirements

ITSS
● How to Order
● Resources
● Summary

IT Security Category Mission

The IT Security Category provides cross-category cybersecurity support, supply chain risk management, cyber acquisition assurance support, continuous monitoring support of Information Technology Category (ITC) systems, IT forensics in accordance with government-wide security mandates, and governance functions including Office of Management and Budget (OMB) reporting.

Recent Executive Order

On May 11th, 2017, the President released an Executive Order entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The Executive Order calls for greater risk management of the federal enterprise and hardening of the Nation’s critical infrastructure. Other initiatives include:

● Supporting risk transparency in the marketplace among critical infrastructure entities

● Enhancing resilience against botnets and other automated, distributed threats

● Assessing incident response capabilities in the event of prolonged power outages

● Securing Defense warfighting capabilities and the industrial base, including supply chain considerations

● Improving the overall cybersecurity of the Nation through:
  ○ Deterrence of and protection against online adversaries
  ○ Brokering of further international cooperation in addressing cyber threats
  ○ Engagement in workforce development to augment domestic knowledge of and skills in cybersecurity

HACS Drivers

HACS was created in response to government cybersecurity initiatives. These initiatives called on GSA to develop appropriate procurement vehicles that allow departments and agencies to acquire equivalent Incident Response, Penetration Testing, Cyber Hunt, and Risk and Vulnerability Assessment services from leading commercial providers.

Recent Cybersecurity Breaches

Cyberattacks have become an ever-increasing threat and cybersecurity spending has sharply increased. Recent significant cybersecurity breaches include:

● WannaCry Ransomware Attack (May 2017)

● Florida Department of Agriculture and Consumer Services Data Breach (May 2017)

● Office of Personnel Management (OPM) background investigation records (June 2015)

● Internal Revenue Service (IRS) 700,000 taxpayer accounts hacked (May 2015)

● Department of Navy reports 130,000 current and former sailor accounts lost (November 2016)

● Yahoo 1 billion accounts hacked (September 2016)

The marked increase in incidents is a major driver behind the development of recent cybersecurity guidelines.

Overview of IT Schedule 70 & HACS

● Largest IT contract vehicle in the government
  ○ Govt-wide solution reduces contract duplication
  ○ Over $15 billion in procurements annually
  ○ Over $7.5 million products and services
  ○ Over 4600 contractors (over 80% are small businesses)

● Potential 20 year Period of Performance (POP) (5yr base + three 5yr options)

● Offers agencies a fast and efficient way to buy

● Open to all Federal agencies and State, Local, Regional, and Tribal agencies via Cooperative Purchasing Program

● Initiatives such as FASt Lane for expedited processing times on vendor offers or modifications to support customer requirements

Introduction to the HACS SINs

GSA has established four (4) new Special Item Numbers (SINs) on IT Schedule 70 to offer cybersecurity services. The HACS SINs began offering cybersecurity services to agencies on October 1, 2016. The SINs feature high quality cybersecurity vendors that provide the following services:

● 132-45A: Penetration Testing
● 132-45B: Incident Response
● 132-45C: Cyber Hunt
● 132-45D: Risk and Vulnerability Assessment

The HACS SINs are available exclusively through IT Schedule 70, General Purpose Commercial Information Technology Equipment, Software and Services Solicitation.

Evaluation Factors for HACS SINs

In order for vendors to add the HACS SINs on IT Schedule 70, they must successfully pass the following technical evaluation factors in addition to a price evaluation.

New vendors without an IT Schedule 70 Contract

● Factor 1: Corporate Experience (new vendors)

● Factor 2: Past Performance (new vendors)

● Factor 3: Quality Control (new vendors)

All vendors adding HACS including those with an IT Schedule 70 contract

● Factor 4: Relevant Project Experience in HACS SINs (all vendors)

● Factor 5: Oral Technical Evaluation for HACS SINs offered (all vendors)

Status of the HACS SINs

The new HACS SINs are actively taking applications and evaluating vendors. GSA currently has 58 vendors on the HACS SINs, as of June 14, 2017. This number will increase as vendor offers and modifications are received and vendors pass the evaluation process. GSA’s IT Schedule 70 has a standing solicitation; therefore, evaluations will be conducted on a continuous basis.

GSA developed the following to support HACS:

● HACS Program Management Office (PMO)
● Media Blitz
● HACS Website
● IT Security Interact Community

HACS Vendors as of June 14, 2017

IT Schedule 70 HACS SINs Benefits

[Diagram labels: IT Schedule 70; Time Savings; Cost Savings; Built-in Value; Selection]

Benefits of IT Schedule 70 HACS SINs

Time Savings

● On-demand contracts for rapid ordering and deployment of services

● Addresses recent cybersecurity guidelines

● Quick and easy access to the right industry partners, allowing customers to make the most use of their valuable time

Cost Savings

● Up-to-date, FAR-compliant acquisition vehicles minimize risks

● Competitive market-based pricing that leverages the buying power of the Federal government, with the ability to achieve further discounts at the order level

● Cybersecurity/Acquisition experts available to assist

● Complimentary on-site and online training

Selection (flexibility and choice)

● Access to a pool of rigorously reviewed cybersecurity vendors

● Alternatives such as Blanket Purchase Agreements (BPAs) and Contractor Team Arrangements (CTAs) that can replace the need for agency indefinite delivery/indefinite quantity contracts

● May set-aside orders for small business at Contracting Officer discretion to meet agency socio-economic goals

● Agency contracting offices retain control of their procurements, including requirements development, evaluation, award and administration (full service options also available at GSA)

Built-in Value

● One-stop shop for total solutions – IT Schedule 70 has both HACS/services and products

● A suite of eTools that can be leveraged to identify contractors, maximize competition, and streamline processes such as market research and procurement

● Statement of Work (SOW) reviews

● National IT Customer Service Center and HACS Team to support customer agencies

GSA eTools to assist you…

www.gsaeLibrary.gsa.gov

www.eBuy.gsa.gov

www.ReverseAuctions.gsa.gov

How to Order from IT Schedule 70

● FAR 8.405 Ordering Procedures for Schedules

  ○ Procedures for procurements: without a SOW FAR 8.405-1; with a SOW FAR 8.405-2 procedures (HACS)

  ○ Procedures for establishing BPAs in FAR 8.405-3

● Ordering Agencies may add supplemental terms and clauses

  ○ Ordering activity ensures agency statutory and regulatory requirements are met (For example, add agency supplemental clauses such as DFARS for DoD)

  ○ Add any order options

Ordering Summary - IT Schedule 70 HACS

When ordering services requiring an SOW (FAR 8.405-2)

Exceeds SAT
• Prepare SOW and establish evaluation criteria
• Receive ≥ 3 quotes (or post RFQ on eBuy meeting fair notice)
• Limited Sources Justification if applicable
• Seek price reduction
• Best value determination
• Overall price reasonableness determination (consider mix of labor and level of effort)

Micro – SAT
• Create SOW and evaluation criteria
• Issue RFQ to ≥ 3 contractors
• Limited Sources Justification if applicable
• Distribute orders among contractors
• Best value determination

Below Micro
• Place order with contractor
• Distribute orders among contractors

Order Documentation Requirements-2

Minimum Documentation Requirements – FAR 8.405-2(f)

Services

Schedule contracts considered, noting the awardee ✓

Description of the service purchased ✓

Price ✓

The evaluation methodology used in selecting the contractor to receive the order

The rationale for any tradeoffs in making the selection ✓

The price reasonableness determination required by paragraph (d) of this FAR subsection

The rationale for using other than a Firm-Fixed-Price order or a performance-based order

When an order exceeds the simplified acquisition threshold, the ordering contracting officer must document the file with evidence of compliance with the ordering procedures at 8.405-2(c).

How to Order

Customers can place orders through eBuy and GSA Advantage or issue an RFI or RFQ and allow vendors to respond to their requirements. Federal, State, Local, Regional, and Tribal governments can also purchase cybersecurity services through IT Schedule 70. Learn more about how to order HACS at www.gsa.gov/schedule70 .

Resources

● Contact the HACS Team at [email protected], or please visit the HACS webpage at www.gsa.gov/hacs or the IT Schedule 70 webpage at www.gsa.gov/schedule70 to learn more.

● Statement of Work (SOW) and Request for Quote (RFQ) Templates are also available at www.gsa.gov/hacs

● For the FASt Lane Program, go to www.gsa.gov/fastlane
● For Vendor Training, go to www.gsa.gov/portal/category/27104
● For Monthly Customer Webinars, go to www.gsa.gov/masnews
● For Training Videos, go to www.gsa.gov/portal/content/210517
● For MAS Desk Reference, go to www.gsa.gov/masdeskreference
● Continuous Learning Modules are available through FAI and DAU
● Experts are available to advise agencies on procurements

Summary

GSA will continue to evaluate and add more vendors to make the HACS SINs even more robust.

The HACS SINs provide a way for our industry partners to more easily differentiate these specific cybersecurity services from other IT offerings.

As GSA partners with OMB to provide new capabilities, agencies are encouraged to buy cybersecurity services through IT Schedule 70.

Agencies can begin to establish Blanket Purchase Agreements (BPAs) and/or place task orders in accordance with Federal Acquisition Regulation (FAR) Subpart 8.4: “Federal Supply Schedules” procedures. Learn more at www.gsa.gov/hacs

Questions?

U.S. General Services Administration

Thank You