U.S. General Services Administration
Highly Adaptive Cybersecurity Services (HACS) Webinar - June 21, 2017
Terence Rountree – Deputy Director of the Office of IT Security Services (ITSS)
Bradley Cornell – Director of the IT Services Contract Division (IT Schedule 70)
ITSS
● IT Security Category Mission
● Recent Executive Order
● HACS Driver
● Recent Cybersecurity Breaches
IT Schedule 70
● Overview of IT Schedule 70 & HACS
ITSS
● Introduction to the HACS SINs
IT Schedule 70
● Evaluation Factors for HACS SINs
ITSS
● Status of the HACS SINs
● HACS Vendors as of June 14, 2017
IT Schedule 70
● Benefits of IT Schedule 70 HACS SINs
● GSA eTools to assist you
● How to Order from IT Schedule 70
● Ordering Summary - IT Schedule 70 HACS
● Order Documentation Requirements
ITSS
● How to Order
● Resources
● Summary
Contents
The IT Security Category provides cross-category cybersecurity support, supply chain risk management, cyber acquisition assurance support, continuous monitoring support of Information Technology Category (ITC) systems, IT forensics in accordance with government-wide security mandates, and governance functions including Office of Management and Budget (OMB) reporting.
IT Security Category Mission
On May 11th, 2017, the President released an Executive Order entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The Executive Order calls for greater risk management of the federal enterprise and hardening of the Nation’s critical infrastructure. Other initiatives include:
● Supporting risk transparency in the marketplace among critical infrastructure entities
● Enhancing resilience against botnets and other automated, distributed threats
● Assessing incident response capabilities in the event of prolonged power outages
● Securing Defense warfighting capabilities and the industrial base, including supply chain considerations
● Improving the overall cybersecurity of the Nation through:
  ○ Deterrence of and protection against online adversaries
  ○ Brokering of further international cooperation in addressing cyber threats
  ○ Engagement in workforce development to augment domestic knowledge of and skills in cybersecurity
Recent Executive Order
HACS was created in response to government cybersecurity initiatives. These initiatives called on GSA to develop appropriate procurement vehicles that allow departments and agencies to acquire equivalent Incident Response, Penetration Testing, Cyber Hunt, and Risk and Vulnerability Assessment services from leading commercial providers.
HACS Drivers
Cyberattacks have become an ever-increasing threat and cybersecurity spending has sharply increased. Recent significant cybersecurity breaches include:
● WannaCry Ransomware Attack (May 2017)
● Florida Department of Agriculture and Consumer Services Data Breach (May 2017)
● Office of Personnel Management (OPM) background investigation records (June 2015)
● Internal Revenue Service (IRS) 700,000 taxpayer accounts hacked (May 2015)
● Department of Navy reports 130,000 current and former sailor accounts lost (November 2016)
● Yahoo 1 billion accounts hacked (September 2016)
The marked increase in incidents is a major driver behind the development of recent cybersecurity guidelines.
Recent Cybersecurity Breaches
● Largest IT contract vehicle in the government
  ○ Govt-wide solution reduces contract duplication
  ○ Over $15 billion in procurements annually
  ○ Over $7.5 million products and services
  ○ Over 4600 contractors (over 80% are small businesses)
● Potential 20 year Period of Performance (POP) (5yr base + three 5yr options)
● Offers agencies a fast and efficient way to buy
● Open to all Federal agencies and State, Local, Regional, and Tribal agencies via Cooperative Purchasing Program
● Initiatives such as FASt Lane for expedited processing times on vendor offers or modifications to support customer requirements
Overview of IT Schedule 70 & HACS
GSA has established four (4) new Special Item Numbers (SINs) on IT Schedule 70 to offer cybersecurity services. The HACS SINs began offering cybersecurity services to agencies on October 1, 2016. The SINs feature high quality cybersecurity vendors that provide the following services:
● 132-45A: Penetration Testing
● 132-45B: Incident Response
● 132-45C: Cyber Hunt
● 132-45D: Risk and Vulnerability Assessment
The HACS SINs are available exclusively through IT Schedule 70, General Purpose Commercial Information Technology Equipment, Software and Services Solicitation.
Introduction to the HACS SINs
In order for vendors to add the HACS SINs on IT Schedule 70, they must successfully pass the following technical evaluation factors in addition to a price evaluation.
New vendors without an IT Schedule 70 Contract
● Factor 1: Corporate Experience (new vendors)
● Factor 2: Past Performance (new vendors)
● Factor 3: Quality Control (new vendors)
All vendors adding HACS, including those with an IT Schedule 70 contract
● Factor 4: Relevant Project Experience in HACS SINs (all vendors)
● Factor 5: Oral Technical Evaluation for HACS SINs offered (all vendors)
Evaluation Factors for HACS SINs
The new HACS SINs are actively taking applications and evaluating vendors. GSA currently has 58 vendors on the HACS SINs, as of June 14, 2017. This number will increase as vendor offers and modifications are received and vendors pass the evaluation process. GSA’s IT Schedule 70 has a standing solicitation; therefore, evaluations will be conducted on a continuous basis.
GSA developed the following to support HACS:
● HACS Program Management Office (PMO)
● Media Blitz
● HACS Website
● IT Security Interact Community
Status of the HACS SINs
HACS Vendors as of June 14, 2017
IT Schedule 70 HACS SINs Benefits
[Diagram: IT Schedule 70 benefits: Time Savings, Cost Savings, Built-in Value, Selection]
Time Savings
● On-demand contracts for rapid ordering and deployment of services
● Addresses recent cybersecurity guidelines
● Quick and easy access to the right industry partners, allowing customers to make the most use of their valuable time
Benefits of IT Schedule 70 HACS SINs
Cost Savings
● Up-to-date, FAR-compliant acquisition vehicles minimize risks
● Competitive market-based pricing that leverages the buying power of the Federal government, with the ability to achieve further discounts at the order level
● Cybersecurity/Acquisition experts available to assist
● Complimentary on-site and online training
Benefits of IT Schedule 70 HACS SINs
Selection (flexibility and choice)
● Access to a pool of rigorously reviewed cybersecurity vendors
● Alternatives such as Blanket Purchase Agreements (BPAs) and Contractor Team Arrangements (CTAs) that can replace the need for agency indefinite delivery/indefinite quantity contracts
● May set aside orders for small business at Contracting Officer discretion to meet agency socio-economic goals
● Agency contracting offices retain control of their procurements, including requirements development, evaluation, award and administration (full service options also available at GSA)
Benefits of IT Schedule 70 HACS SINs
Built-in Value
● One-stop shop for total solutions – IT Schedule 70 has both HACS/services and products
● A suite of eTools that can be leveraged to identify contractors, maximize competition, and streamline processes such as market research and procurement
● Statement of Work (SOW) reviews
● National IT Customer Service Center and HACS Team to support customer agencies
Benefits of IT Schedule 70 HACS SINs
www.gsaeLibrary.gsa.gov
www.eBuy.gsa.gov
GSA eTools to assist you…
www.ReverseAuctions.gsa.gov
● FAR 8.405 Ordering Procedures for Schedules
○ Procedures for procurements: without a SOW, FAR 8.405-1; with a SOW, FAR 8.405-2 procedures (HACS)
○ Procedures for establishing BPAs in FAR 8.405-3
● Ordering Agencies may add supplemental terms and clauses
○ Ordering activity ensures agency statutory and regulatory requirements are met (For example, add agency supplemental clauses such as DFARS for DoD)
○ Add any order options
How to Order from IT Schedule 70
When ordering services requiring an SOW (FAR 8.405-2)
Ordering Summary - IT Schedule 70 HACS
FAR 8.405-2
Exceeds SAT
• Prepare SOW and establish evaluation criteria
• Receive ≥ 3 quotes (or post RFQ on eBuy meeting fair notice)
• Limited Sources Justification if applicable
• Seek price reduction
• Best value determination
• Overall price reasonableness determination (consider mix of labor and level of effort)
Micro – SAT
• Create SOW and evaluation criteria
• Issue RFQ to ≥ 3 contractors
• Limited Sources Justification if applicable
• Distribute orders among contractors
• Best value determination
Below Micro
• Place order with contractor
• Distribute orders among contractors
Order Documentation Requirements-2
Minimum Documentation Requirements – FAR 8.405-2(f)
Requirement (✓ = required for Services)
● Schedule contracts considered, noting the awardee ✓
● Description of the service purchased ✓
● Price ✓
● The evaluation methodology used in selecting the contractor to receive the order ✓
● The rationale for any tradeoffs in making the selection ✓
● The price reasonableness determination required by paragraph (d) of this FAR subsection ✓
● The rationale for using other than a Firm-Fixed-Price order or a performance-based order ✓
● When an order exceeds the simplified acquisition threshold, the ordering contracting officer must document the file with evidence of compliance with the ordering procedures at 8.405-2(c). ✓
How to Order
Customers can place orders through eBuy and GSA Advantage or issue an RFI or RFQ and allow vendors to respond to their requirements. Federal, State, Local, Regional, and Tribal governments can also purchase cybersecurity services through IT Schedule 70. Learn more about how to order HACS at www.gsa.gov/schedule70.
● Contact the HACS Team at [email protected], or please visit the HACS webpage at www.gsa.gov/hacs or the IT Schedule 70 webpage at www.gsa.gov/schedule70 to learn more.
● Statement of Work (SOW) and Request for Quote (RFQ) Templates are also available at www.gsa.gov/hacs
● For the FASt Lane Program, go to www.gsa.gov/fastlane
● For Vendor Training, go to www.gsa.gov/portal/category/27104
● For Monthly Customer Webinars, go to www.gsa.gov/masnews
● For Training Videos, go to www.gsa.gov/portal/content/210517
● For MAS Desk Reference, go to www.gsa.gov/masdeskreference
● Continuous Learning Modules are available through FAI and DAU
● Experts are available to advise agencies on procurements
Resources
GSA will continue to evaluate and add more vendors to make the HACS SINs even more robust.
The HACS SINs provide a way for our industry partners to more easily differentiate these specific cybersecurity services from other IT offerings.
As GSA partners with OMB to provide new capabilities, agencies are encouraged to buy cybersecurity services through IT Schedule 70.
Agencies can begin to establish Blanket Purchase Agreements (BPAs) and/or place task orders in accordance with Federal Acquisition Regulation (FAR) Subpart 8.4: “Federal Supply Schedules” procedures. Learn more at www.gsa.gov/hacs
Summary
Questions?
U.S. General Services Administration
Thank You