On June 8th, the General Services Administration (GSA) issued a Request for Information (RFI) for a “Proposed Special Item Number (SIN) on IT Schedule 70: Highly Adaptive Cybersecurity Services (HACS).” The scope of the proposed SIN included proactive cyber services (e.g., network mapping, vulnerability scanning, penetration testing, phishing assessment, web application assessment, and wireless assessment) and post-incident/post-assessment remediation services.
The goal is to:
Support initiatives to improve customer procurement of Cybersecurity services and enable agencies to take full advantage of Cybersecurity benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost.
On Tuesday, GSA held the first-ever conversation on the Cybersecurity National Action Plan (CNAP), a collaborative workshop for government and industry. As part of the dialogue, GSA discussed the future addition of the HACS SIN to IT Schedule 70. GSA highlighted the RFI and encouraged industry feedback. The Coalition will be submitting comments in response to the RFI and hopes to engage with GSA on this critical effort. The current due date for comments is June 21st. Given the significance of the potential new SIN, the Coalition has requested an extension of the due date to ensure all stakeholders have sufficient time to draft effective, responsive comments for GSA’s consideration.
The proposed SIN is part of the Office of Management and Budget’s (OMB) cybersecurity management initiatives. On October 30, 2015, OMB issued Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. The memorandum set forth a series of five management objectives designed to improve cybersecurity across the federal government. Among the goals is the development of strategies/a process for rapid deployment of emerging technologies. Another management goal directs GSA, in coordination with OMB and the Department of Homeland Security (DHS), to research and identify contract vehicle options for incident response services.
Given OMB’s directive to GSA, the focus on adding HACS to IT Schedule 70, rather than creating a new standalone contract vehicle, is a positive step. A significant benefit of this approach is fostering access to the commercial market through IT Schedule 70’s continuous open seasons that allow for the submission of proposals and modification for new cyber technologies every working day of the year. The Coalition looks forward to working with GSA to ensure an efficient, effective implementation of the HACS SIN that reduces administrative processes and avoids unnecessary duplication and/or confusion across IT Schedule 70.
The Coalition’s comments in response to the RFI will address a number of measures to enhance the flexibility of IT Schedule 70’s ability to provide for the “rapid deployment of emerging technologies” from the commercial market. Here are three recommendations that, if adopted, would reduce barriers to entry, increase value, and promote innovation through IT Schedule 70.
- Eliminate the Price Reduction Clause (PRC). The PRC increases contract administration costs for government and industry at a time when pricing is driven by competition at the task order level. The PRC also creates barriers to entry for new products and services. Our members consistently indicate that they are unable to add new technologies, products, and services to IT Schedule 70 due to the compliance risk associated with the PRC. Eliminating the PRC will save government and industry time and money, while fostering increased access to emerging cyber technologies.
- Incorporate Other Direct Costs (ODCs). Incorporating ODCs into IT Schedule 70 will enhance access to commercial cyber solutions. ODCs will allow customer agencies and contractors to compete for and perform comprehensive cyber solutions. FAR Part 12 and the corresponding commercial item clauses clearly authorize ODCs, and as the largest commercial item IT contract in government, GSA has an opportunity to move the entire market forward in providing the latest commercial solutions for cybersecurity.
- Return to the standard commercial item order of precedence language for commercial software licenses (i.e., the Commercial Supplier Agreement (CSA)). The current language in IT Schedule 70 essentially subordinates commercial contract terms and conditions to government-unique terms and conditions. This approach is inconsistent with the Federal Acquisition Streamlining Act of 1994 (FASA) and its implementing regulations, which call for the utilization of commercial items and terms to the maximum extent practicable. The current IT Schedule 70 order of precedence increases barriers to entry for commercial technologies, stifles innovation, and increases administrative costs and risks for IT Schedule 70. Realigning the order of precedence consistent with FASA and FAR Part 12 will increase access to emerging cyber technologies.
Coalition members stand ready to work with GSA on IT Schedule 70 to ensure it serves as the government’s strategic platform for rapid access to emerging commercial cyber technologies.