The General Services Administration’s plans to develop a new way for agencies to buy cybersecurity services off the IT schedule contracts are raising eyebrows across the vendor community.
The concerns are twofold: the potentially large amount of money agencies will spend (the White House requested $19 billion for cybersecurity in fiscal 2017), and the question of whether creating a new special item number (SIN) makes sense at all, given that these services are constantly changing and improving and it is unclear how GSA will keep up with those evolutions.
“Some might argue that the current requirements of the SIN are actually government-unique given the references to the four Office of Management and Budget memos and 16 National Institute of Standards and Technology documents! But, at the same time, the government does want to get everyone performing to the current standards and putting this kind of detail into the SIN requirements makes it contractually binding,” said Steve Charles, ImmixGroup co-founder. “It all seems good now, but GSA never seems to be able to keep things current so I think we should demand that they define the process whereby we all will know how to help keep everything current.”
Charles said GSA needs to establish a transparent and clear link in the contract to these standards and remain committed to pushing contract modifications whenever the government updates its cyber requirements.
Charles and a host of other vendors are giving GSA feedback on the SIN through a request for information the agency released on June 13. This was the second RFI GSA has issued over the last year as it tried to decide how to create the SIN.
Responses are due June 21. The RFI kicks off a busy summer for GSA, which under the Cybersecurity National Action Plan must create this new, faster acquisition approach by Sept. 30.
The cyber SIN initially will address three main services:
Proactive services, which include everything from network mapping to vulnerability scanning to penetration testing to phishing assessments to wireless assessments and Web application assessments.
Reactive services, which include incident response and reactive hunt.
Remediation services, which include security engineering services such as post-incident and post-assessment remediation.
GSA said at its industry day it would have the business case for the SIN ready by July 21 and have the final version ready for industry in August, giving them a month before opening it up for bids by Sept. 12.
Charles said GSA needs to provide a process to make sure any changes to both the standards as well as the commercial technologies are reviewed and kept current.
“At a minimum, a contractor or offeror should be able to appeal to someone with responsibility for all of this to propose language and scope definition changes beyond the level of an individual contracting officer,” he said. “This is a good example of where there needs to be a tighter linkage between the schedules program contracting officers and the general management of GSA. If modification requirements to keep the contract current are not baked into the contract itself, no one can be held responsible. The result is buyers and sellers going around the very vehicle they are supposed to use.”
While it’s unclear how GSA will ensure the SIN includes the most cutting-edge technologies, one industry source said that what is even more concerning after reading the RFI is the question of how the services will differ from what is currently available.
“Having its own SIN under IT-70 would be cleaner,” the source said. “If there is intent that services could be procured and implemented quickly, you still have the clearance/public trust/reciprocity issues. If however, typical acquisition, e.g. 3/5 year terms, then maybe it’s not an immediate issue. I believe that some agencies would like ‘quick’ incident response, remediation and forensic support. Where vendors could get in and get out, like a cyber SWAT service.”
GSA tried something that, at least on the surface, looks similar back in 2009.
In the aftermath of the first public major cyber breach the government suffered — the loss of a laptop containing the data of 26 million veterans in 2006 — the White House reacted with a host of cyber efforts over the next three years. One of those was having GSA put in place an enterprise software license deal for situational awareness and incident response (SAIR) services.
GSA’s press release at the time sounds very similar to the recent RFI. The blanket purchase agreement under the SmartBuy program covered “security solutions” including “baseline configuration management, network mapping/path discovery and vulnerability management.”
Lloyd McCoy, the DoD manager for market intelligence at the ImmixGroup, said that while these services may already exist on the schedule now, having a SIN will make them easier for customer agencies to find and acquire because there will be a narrower pool of prequalified companies.
McCoy said that for vendors performing these services in any way, it makes sense to respond to the RFI and get on GSA’s radar.
“GSA made it clear at the industry day that the SIN will be pretty robust,” McCoy said. “There shouldn’t be a lot of hurdles to get under SINs. If the company already performs, say penetration testing, I don’t anticipate much in the way of added effort to get on the SIN.”
This is good news, because more recently GSA has been more likely to create a new blanket purchase agreement or other contract vehicle, requiring vendors to jump through a whole new set of hoops to earn an award, instead of improving the schedule contract.
But at the same time, GSA has a short time frame to figure out many of these other challenges that come with creating a more flexible path to buying cybersecurity services.