Cybersecurity is officially a SIN. Or rather, a series of them.
As of Oct. 1, certain cybersecurity services fall under dedicated Special Item Numbers (SINs) on the General Services Administration’s IT Schedule 70. The new SINs cover penetration testing, incident response, cyber hunt, and risk and vulnerability assessments.
The Cybersecurity National Action Plan called on GSA to establish these services, and after several months of market research and input from industry and the Homeland Security Department, GSA created the SINs.
“What we really wanted to do was to hone down and say ‘how can we make it, number one, easier for agencies to find and buy specifically what they need in these areas? And then secondly, let’s really look at what it means for a company to be able to provide these kinds of services and what the qualifications processes look like,’” Mary Davie, GSA’s assistant commissioner for integrated technology services, told the Federal Drive with Tom Temin.
The solution to the first problem, Davie said, is to vet the qualifications of each company offering these services and gather the vetted companies in a single place, so that agencies know due diligence has already been done and can easily run a competition to choose a provider.
Davie said that GSA used its industry day, Interact website and a series of webinars to drum up interest in the SINs, and wound up with more than 200 companies actively seeking more information about applying and qualifying, some from outside Schedule 70.
As for the qualification process, multiple offices within GSA — including the Office of Governmentwide Policy, the Technology Transformation Service and the GSA CIO cyber office — collaborated with DHS to determine just what would be required from these companies.
“That was all posted publicly on the Interact website,” Davie said. “Basically, the answers to the test are available to companies so they know where they would need to stand in order to qualify.”
This, in part, allowed GSA to qualify vendors much more quickly than under FedRAMP, the government’s authorization process for cloud services.
“The FedRAMP process is based on a whole bunch of controls that need to be evaluated,” Davie said.
The other factor that contributed to the speed with which GSA was able to qualify vendors was the use of an oral evaluation process rather than taking written proposals.
“GSA has used oral extensively,” Davie said. “Other agencies do as well. What we find is that it’s much better, especially in a situation like this, to have a dialogue. And to really allow the companies to understand what it is the government’s asking for, what we think we need, and then to allow them to tell us how they can meet those requirements with those capabilities they have. The dialogue goes very quickly.”
Davie said the dialogue with the first company evaluated, which applied to all four SINs, took a little more than an hour. That’s much easier, she said, than going back and forth comparing sheets of paper.
GSA worked especially closely with DHS’ Continuous Diagnostics and Mitigation (CDM) program, which provides tools that help agencies identify, prioritize and address cybersecurity risks. GSA wanted to avoid duplicating CDM, Davie said, and instead focused on developing a complementary program that supports CDM’s efforts.
“Agencies need to ensure that blocking penetration in the first place is step one,” Davie said. “If they do get penetrated, they need to look at step two, and see what’s available.”
Some legal experts are concerned that vendors will leave themselves open to investigation and litigation by selling under these SINs, given that in cybersecurity a breach is generally treated as a matter of when, not if. For example, if a company provides penetration testing and the network is later penetrated, is the company liable?
Davie said companies can negotiate different terms and conditions up front. Clear definitions of requirements, outcomes, and plans to handle situations that do arise will help companies avoid those issues in the future.