Agencies now can take advantage of a new blanket purchase agreement for cybersecurity services.
The General Services Administration and the Homeland Security Department awarded 14 vendors a place on the risk management framework or certification and accreditation BPA under the SmartBuy enterprise software licensing program.
“This BPA was developed in support of the Information Security Line of Business, which is under DHS but incorporates a number of agencies concerned with information security,” said Lawrence Hale, director of GSA’s Center for Strategic Solutions and Security Services in the Federal Acquisition Service. “They came together and came to GSA to get help with standardizing the acquisition process around certification and accreditation services. We worked hard to make sure we met the needs of a broad range of federal customers and developed the tiers of services that we think are the full gamut of C&A.”
The BPA covers several functional areas agencies need in order to complete their system C&As and receive an authority to operate (ATO), including testing, development of a system security plan and preparation of the documents needed for the ATO.
Vendors can provide all of the services or just one or a few, Hale said.
According to GSA and DHS, the BPA also provides other benefits. It promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes. It encourages the use of automation to give senior leaders the information they need to make cost-effective, risk-based decisions about the organizational information systems supporting their core missions and business functions. And it integrates information security into the enterprise architecture and the system development life cycle.
DHS and GSA also say the BPA helps link risk management processes at the information system level to those at the organization level through a risk executive function, and that it establishes responsibility and accountability for security controls deployed within organizational information systems and for controls those systems inherit (i.e., common controls).
“In developing the BPA, we worked with the National Institute of Standards and Technology to define tiers of service and included the latest version of NIST’s special publications that support C&A,” he said. “The benefits, we believe, are both standardization of the processes and standardized pricing, and because of that we do believe there will be significant savings, because everyone competed in this, competed both on pricing and technical capabilities.”
Hale added the BPA is open for business now. He expects GSA and DHS to award similar cybersecurity vehicles for situational awareness in the coming months. The services likely will include endpoint protection platform, Web application, firewall, security information and event management and data flow analysis tools.
GSA and DHS’s award comes as agencies move away from doing C&As alone and toward continuous monitoring. Hale said the Federal Information Security Management Act still requires a C&A for each major system; continuous monitoring begins after the system receives an authority to operate.
The C&A BPA becomes the fourth vehicle under SmartBuy for cybersecurity services. GSA also has awarded contracts for antivirus, data-at-rest, and situational awareness and incident response tier-one services.