On August 17, 2016, the General Services Administration (GSA) released the long-awaited draft solicitation for a government-wide cybersecurity acquisition vehicle. With the solicitation, GSA has created new IT Schedule 70 special item numbers (SINs) for "Highly Adaptive Cybersecurity Services" (HACS). The idea behind the HACS SINs is for agencies to have a single vehicle (the IT Schedule 70 contract) to purchase cybersecurity products and services. Its development is an outgrowth of the President's Cybersecurity National Action Plan and the Office of Management and Budget's Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government.
GSA is requiring that all current IT Schedule 70 vendors that offer services within the scope of the HACS SINs migrate those services to the new HACS SINs. Written narratives describing vendor capabilities will need to be submitted to GSA, and GSA will conduct oral interviews to confirm capabilities. GSA has indicated that it plans to begin vendor evaluations on September 1, 2016. Offerors will be given a rating of either Acceptable/Pass or Unacceptable/Fail. Agencies can begin ordering from the new SINs as of October 1, 2016.
Release of the solicitation follows an RFI process, during which GSA sought information about the types of cyber products and services that agencies need as well as input from vendors regarding any concerns about the development of the HACS SINs.
The four new HACS SINs encompass proactive, reactive and remedial cybersecurity services. They are:
GSA anticipates that the HACS SINs will provide benefits to agencies and vendors alike by centralizing and facilitating the purchase and sale of cybersecurity products and services. Among the additional anticipated benefits are:
- aligning of IT Schedule 70 cybersecurity offerings to meet customer needs;
- consolidating of cybersecurity product and service offerings for ease of customer use and better acquisition planning;
- providing agencies with a means to compare and differentiate vendor offerings;
- giving GSA greater visibility into cybersecurity purchases through Federal Supply Schedule sales reporting;1 and
- offering agencies high-level vetting of contractors whose services are offered on the HACS SINs to provide higher quality and certainty.
Notably, the labor categories and prices stated under the HACS SIN will apply only to that SIN and not to other Schedule 70 offerings. Hardware and software purchases will be out of scope for HACS and covered by other Schedule 70 SINs.
Vendors with HACS SINs on their Schedule 70 contract will be required to comply with FAR 52.204-21 concerning the basic safeguarding of contractor information systems that process, store, or transmit federal contract information. Compliance with several identified National Institute of Standards and Technology (NIST) IT security standards also will be required.
Solicitation terms and conditions require that the contractor describe each HACS offered in a way that mirrors the manner by which the contractor sells to commercial customers. Pricing shall also be in accordance with the contractor's customary commercial practices.
It remains to be seen whether the HACS SINs will become a widely used mechanism for federal cybersecurity service purchases. However, consolidation of service offerings on Schedule IT 70 makes a lot of sense, and could be a boon to those contractors with HACS SINs.
Please contact us if you need assistance with the consolidation process or with general questions about the HACS SINs.
1 For information about recent changes to Federal Supply Schedule sales reporting relating to the new Transactional Data rules see here.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved