The General Services Administration (GSA) issued a Request for Information (RFI) on May 22 seeking stakeholders’ feedback regarding how it could enhance its four Highly Adaptive Cybersecurity Services (HACS) Special Item Numbers (SINs) to ensure their viability as a cybersecurity service solution. Specifically, the RFI solicits input regarding the current state of the SINs, including recommended adjustments to its offering of services and concerns related to GSA evaluation or contracting processes. GSA is particularly interested in hearing from non-HACS awardees regarding why they chose not to pursue a HACS award.
By way of background, GSA, at the direction of the Office of Management and Budget (OMB), established four HACS SINs on IT Schedule 70 in October 2016: Penetration Testing, Incident Response, Cyber Hunt and Risk, and Vulnerability Assessment. GSA developed these SINs to improve customer procurement of cybersecurity services, provide greater insight into cybersecurity purchases, enable agencies to leverage the benefits of cybersecurity, improve IT flexibility and responsiveness, and minimize cost.
Currently, challenges associated with SIN duplication appear to be undermining the effectiveness of the HACS SINs as a cybersecurity services solution. According to GSA’s Schedule Sales Query (SSQ) tool, sales under the four HACS SINs totaled a little more than $4 million during Fiscal Year (FY) 2017. By way of comparison, sales under the IT Schedule 70, “Information Technology Professional Services” SIN totaled more than $7 billion for the same time period. Accordingly, it might be argued that the scope of services offered under the HACS SINs may have expanded to include service offerings that already are available to customers under other Schedule 70 SINs, and thus, not needed as a channel for purchasing/selling. Something else, however, may be at play here.
Specifically, the current structure of the HACS SINs does not appear to reflect how HACS are offered in the commercial market. Agencies and other customers often acquire cybersecurity services as a part of a total solution, not as separate standalone services. For example, a contractor may offer a bundled package of IT services to meet an agency’s need to include HACS, at times providing both reactive and remediation services as a part of routine operations and maintenance of an IT system. These circumstances could explain the wide difference in customer/vendor choice between the HACS SINs and the IT Schedule 70, Information Technology Professional Services SIN.
For this reason, the Coalition commends GSA for its efforts to modernize the HACS SINs based on stakeholder input from customer agencies and industry. As we have said in the past, challenges associated with contract duplication adds administrative burden and cost for both government and industry without a clear indication of commensurate value for customers. Here, the HACS SINs appear to be inconsistent with commercial best practices, where cybersecurity services are integrated into the solution. Based on the foregoing, GSA has an opportunity to realign the HACS SINs in a manner that is consistent with commercial best practices and avoids possible instances of duplication. The Coalition will be submitting comments in response to the RFI on June 23, which will expand upon the above discussion, and we look forward to working with GSA in its efforts.
 The SINs are a reflection of the direction provided by OMB as part of its cybersecurity management initiatives provided in its October 2015 memorandum. Specifically, the memorandum directed GSA, in coordination with OMB and the Department of Homeland Security (DHS), to research and identify contract vehicle options for incident response services.