Posts

Posted on

Generative AI and Specialized Computing Infrastructure Acquisition Resource Guide now available

Goal: Help agencies buy Generative AI

Artificial Intelligence (AI) is one of the most profound technological shifts in a generation or more. If we learn how to harness its power correctly, AI tools could significantly strengthen how the federal government serves the public.

Seeing AI’s potential – and its risks –  the president signed Executive Order 14110 on Safe, Secure, and Trustworthy Artificial Intelligence (AI EO) on October 30, 2023. 

Since it was signed, there has been a lot of activity around highlighting AI use cases and increasing the AI talent and skills in the federal workforce.

I blogged about the procurement considerations it emphasized and we explored the pivotal role of the chief AI officer

The AI EO also sparked an ongoing effort to guide responsible artificial intelligence development and deployment across the federal government. 

Section 10.1(h) of the AI EO asks GSA to create a resource guide to help the acquisition community procure generative AI solutions and related specialized computing infrastructure.

In this post, I’ll describe our new Generative AI and Specialized Computing Infrastructure Acquisition Resource Guide and highlight some of the specific content.

A Focus on Generative Artificial Intelligence

As many of you know, some of the most popular promising tools in the broader field of artificial intelligence are in the field called generative AI.

Fundamentally, generative AI tools are software. It is starting to show up in our email and word processing programs, the search engines we use every day, and the more sophisticated software that agencies rely on. These tools can be helpful for many agencies trying to automate simple tasks or solve complex problems. We’ve seen agencies using generative AI tools to write summaries of rules, create first drafts of memos, and make more helpful chatbots. And many more uses are spooling up right now including using generative AI tools to write computer code and develop new training scenarios for agency staff.

These generative AI tools are getting better and more agencies are asking their contracting officers to help procure the right solutions. 

At the most basic level, because generative AI tools are software, acquiring them must follow the same acquisition policies and rules as other IT and software purchases. Contracting officers should consider cybersecurity, supply chain risk management, data governance and other standards and guidelines just as they would with other IT procurements.

At the same time, generative AI tools are unique. We are all hearing about the risks of generative AI solutions, some of which we talk about in the guide – from bias in how the systems were trained… to “hallucinations” where a generative AI tool states wrong information that it just made up. 

Contracting officers play a critical role in ensuring commercial generative AI offerings conform with federal and agency guidance, laws and regulations and have the right safeguards and protections while enabling their agencies to get the most out of generative AI projects.

We put together the Generative AI and Specialized Computing Infrastructure Acquisition Resource Guide to help contracting officers and their teams understand how to do just that.  

Practical Tips for the Acquisition Community

Because the field is emerging and the use cases are diverse, it’s impossible to provide guidance that applies to every situation. So the guide offers questions that contracting officers should ask and a process to use when scoping a generative AI acquisition. 

The guide also makes a few specific recommendations of other actions the acquisition workforce should take to procure generative AI solutions effectively. Many generative AI tools may already be available to agency staff in tools they use every day or through government cloud platforms they already have accounts on. And these tools may be available through professional service and system integrator contracts the agencies already have in place. In that way, the fastest acquisition may be no acquisition, or as simple as adding more “credits” to an existing cloud platform account. 

Before embarking on a large scale or complex new acquisition for generative AI tools, see if there is a simpler route. Work with your agency’s chief information officer, chief artificial intelligence officer, and chief information security officer to determine what you already have in place and whether you can just use an existing solution or contract.

Here are a few other recommendations in the guide:

  • Start with Your Agency’s Needs. Rather than starting with solutions and specifications, define the problem that the agency wants generative AI tools to help solve.
  • Scope and Test Solutions. Given the evolving nature of most generative AI tools, it is essential for agencies to use testbeds and sandboxes to try solutions before committing to large scale buys with too many unknowns about product performance.
  • Manage and Protect Data. Generative AI relies on data “inputs” to create content “outputs” so it is critical to know where data is coming from, what are its limitations and how data will be used and protected.
  • Control Costs. Generative AI is very often billed like other Software as a Service so usage costs can really grow quickly if not appropriately monitored and managed.

Acquisition staff also benefit from knowing what procurement actions their agency and others have already taken. You’ll also find a searchable data dashboard to give information about recent AI-related contract actions.

Specialized Computing Infrastructure

The guide also talks about “specialized computing infrastructure” per the AI EO. Specialized computing infrastructure can be thought of as the high-performance computers, powerful chips, software, networks and resources made specifically for building, training, fine-tuning, testing, using and maintaining artificial intelligence applications. Computing infrastructure can be on-premise, cloud based or a combination of both.

While most agencies will likely access generative AI tools through the cloud, some agencies may need to build some light specialized computing infrastructure to support their specific requirements.

This is the start.

The biggest challenge to producing any sort of guidance around a technology is anticipating and accommodating change. To do it, we organized a working group, gathered input from a wide array of acquisition specialists and technical experts, and collaborated with our IT Vendor Management Office to inform and support faster, smarter IT buying decisions across the federal community. We welcome your feedback at genai@gsa.gov.

Generative AI technology will continue to evolve. The risks and benefits will shift over time. Agencies will experiment with generative AI tools. And contracting officers will play a critical role by working closely with program and IT staff to find, source and acquire the right generative AI solutions for agencies’ needs. We hope the Generative AI and Specialized Computing Infrastructure Acquisition Resource Guide helps the acquisition community enable their agencies to start to responsibly harness the power of this promising technology and better serve the American people.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

Without you, we can’t make IT happen!

March marks National Procurement Month, a period to honor procurement professionals and the acquisition workforce across industry and government. Professionals like you who give your all to serve the public interest and make things happen.

Whether it’s making the most of emerging technologies like artificial intelligence or securing contracts to improve an agency’s cloud solutions and emergency mobile services, procurement professionals have tangible effects on the American public.

I want to take a moment to acknowledge the acquisition professionals across all levels of government and industry that work with GSA to deliver Best-in-Class service.

Key to successful organizations

Government acquisition professionals are out there every day doing the hard work of evaluating requirements to determine what’s possible, what’s working, and what could be improved. From reviewing offers and making awards, to monitoring the contract progress with a focus on transparency and accountability, you continue to make a difference and ensure taxpayer dollars are spent responsibly.

Team acquisition

Acquisition is a team sport, and as we continue to build IT acquisition vehicles, we recognize how important it is to be engaged and transparent with our agency and industry partners and to embrace innovative acquisition solutions, while learning from stakeholder feedback and expert procurement professionals in the IT field. Each group is instrumental to the success of our mission.

Evolving and improving

New technologies are rapidly changing and improving how we do procurement. Promising new tools such as Robotic Process Automation (RPA), machine learning, and AI are set to further streamline procurement processes and improve supply chain visibility. Credit for much of procurement’s quick tech evolution over the last couple of years can also go to members of the acquisition workforce: Data analysts, chief information officers, and emerging tech subject matter experts who have developed, found, tested and deployed IT solutions that make procurement more efficient and less risky, expanding our ability to directly impact the bottom line and drive successful outcomes for agencies.

Buy, sell — Be part of the procurement picture

Without YOU, we can’t make IT happen! Thank you for your unwavering dedication.
Do you want to continue your professional development as an IT procurement professional? Learn more at GSA’s Information Technology Acquisition University https://gsa.gov/itau or sign up for a training session and earn CLPs at https://gsa.gov/events.

Are you ready to be part of the vendors who support the American public? Find out how to work with GSA and become a vendor at the Vendor Support Center https://vsc.gsa.gov/vsc/.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

Post-Quantum Cryptography — What is it and where to start?

We all know cybersecurity is a dynamic field that is constantly evolving to protect people from the malicious use of technology. As we’ll explore in this post, cybersecurity professionals may soon be called to defend against technologies that blur the limits of classical physics.

What we know

Think back to high school physics, old episodes of the TV show “Nova,” or even the latest superhero movies, and you’ll recall the term “quantum” or “quantum mechanics.” Quantum, simply speaking, refers to what goes on at the subatomic level.

For decades, our friends at the National Institute of Standards and Technology (NIST) marshaled the resources of the federal government in applying the principles of quantum mechanics to information processing. They helped shape the field of quantum information science and birth an entirely new class of devices: quantum computers.

Right now, when a computer tries to solve a complex problem it has to check every possible solution one by one. That takes an enormous amount of time and computational power. Here’s where quantum computers shine. Because they operate at the subatomic level, they can actually explore and check multiple solutions simultaneously, drastically reducing the time needed to find the right answer. This means that tasks that would take classical computers years or even centuries to complete could be done by quantum computers in a matter of minutes or hours. It’s mind-boggling!

The problem

Here’s the catch: quantum computers could also break many of the encryption algorithms we currently rely on to protect sensitive data. We rely on encryption to keep information and data transfers safe both in our government work and everyday life – everything from logging into networks and websites to paying with credit cards. Quantum computers put all of that encryption at risk.

In 2022, the National Security Council issued a warning that certain quantum computers could “jeopardize civilian and military communications, undermine supervisory and control systems for critical infrastructure, and defeat security protocols for most Internet-based financial transactions.”

The Office of Management Budget then issued M-23-02 advising agencies how to take the threat seriously. Importantly, OMB said agencies should prepare to protect their data from quantum computers trying to break their encryption. Such stronger data protections became known as Post-Quantum Cryptography (PQC).

So what technologies and services will agencies need to transition to PQC?

Where to start

The first step, per M-23-02, is for agencies to inventory their active cryptographic systems and re-inventory them annually through 2035. That includes looking at all deployed cryptographic systems used for creating and exchanging encryption keys, providing encrypted connections, or creating and validating digital signatures. GSA has multiple acquisition vehicles ready to help you find the right resources to do that.

  • The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) also offers quick access to vendors who have been technically evaluated to do such inventories.
  • If an agency has Enterprise Infrastructure Solutions (EIS) Managed Services awarded, it can tap into those suppliers to conduct these assessments.

The way forward

The experts at NIST are leading the effort to develop algorithms designed to withstand quantum computer attacks. NIST has begun the process of standardizing these algorithms — named CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+, and FALCON. This is the final step before making these mathematical tools available so that organizations can integrate them into their encryption infrastructure. NIST also notes that there will be more post-quantum encryption standards to follow.

Some agencies may wish to start testing the PQC algorithms before they are standardized by NIST. Hardware, web browsers, content delivery networks, cloud service providers, devices and endpoints, and enterprise devices that initiate or terminate encrypted traffic all rely on encryption and might be areas to test pre-standardized PQC algorithms.

If your agency is ready to test or explore quantum computing further, GSA has contracts for that too:

Together, we’re on it

Quantum computers are advancing quickly, increasing the need for reliable PQC solutions. GSA works in close collaboration with NIST and the Cybersecurity and Infrastructure Security Agency (CISA) to keep our contracts aligned with the latest technical and security requirements including emerging PQC standards.

Agencies will need to protect their information systems and data from growing threats. The right suppliers can complement an agencies’ IT and information security staff and resources with relevant products, services and solutions to assess cryptographic risks, test safeguards and identify needed investments.

We look forward to working with more agencies to help them prepare for this imminent post-quantum future. We’re planning to host an in-person Quantum Summit at GSA headquarters on April 16, 2024 from 9-12 EST where you can learn more about quantum resilience from Federal practitioners, so save the date! And while we probably won’t be able to help you traverse time and multiverses like a movie superhero, we are ready to help you get your systems prepared for what comes next. Contact us with your needs and we will help guide you to a solution.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

Procurement and the AI EO — Helping federal CAIOs navigate the path ahead

Recently, the White House issued Executive Order 14110 – Safe, Secure, and Trustworthy Artificial Intelligence. It’s the first governmentwide directive encouraging the responsible use of artificial intelligence.

Welcome CAIOs!

For many agencies, implementing EO 14110 means formalizing a new position: the Chief Artificial Intelligence Officer, who will drive the creation of each agency’s AI strategy and establish new governance. CAIOs will be tasked with implementing sophisticated risk management requirements so the projects they oversee comply with all applicable laws, regulations, and policies, including those addressing privacy, confidentiality, copyright, human and civil rights, and civil liberties.

In industry, companies of all shapes and sizes have brought on CAIOs to manage their workflows and augment their organizations’ skill sets. I’m encouraged to see their counterparts arrive in government, including our own at GSA, Zach Whitman.

So, to the AI specialists and leaders joining federal agency C-Suites, welcome! We at GSA’s Federal Acquisition Service are excited to help you get the tools you’ll need to accomplish your missions.

The work ahead

The promise of AI is incredible. The latest advancements in Large Language Models and Generative AI take a field that has been building up for more than 50 years to a new level. We can see agencies using AI to speed up workflows, improve how the public interacts with federal information, reveal new insights in our data, and improve how we design and deliver programs.

Over the next few months, CAIOs will work on strategies to drive innovation and manage the risks of AI. According to EO 14110, CAIOs will serve as the senior AI advisors to agency leadership and start weighing in on strategic decisions. You’ll work closely with Chief Information Officers and Chief Information Security Officers to set up the right safeguards for how the AI tools your teams and others within your agencies use will meet cybersecurity standards and best practices. Working together with leaders and staff throughout the organization, you may even prototype solutions that can illustrate the capabilities and risks of AI when delivering on your agency’s mission.

But wait, there’s more! You’ll also compile inventories, evaluate products, influence workforce development, prioritize projects, remove barriers, document use cases, assess performance, implement internal controls, and ensure your agency’s AI efforts comply with a host of existing laws and policies.

Time to prioritize

That is a big to-do list! To succeed, you may need outside resources like AI-centric development environments and hardware; SaaS providers who can provide access to AI modules; and early assistance from AI experts who can create custom AI solutions for specific purposes in your agency. You will also need to implement training for agency staff on how to use AI systems.

Several different GSA acquisition solutions can help CAIOs procure the AI products, services and solutions they need to achieve their missions. Here are a few:

  • GSA offers easy access to AI development tools from Federal Risk and Authorization Management Program (FedRAMP) – approved cloud service providers on the Multiple Award Schedule – IT Category.
  • Our Governmentwide Acquisition Contracts — Alliant 2, 8(a) STARS III, and VETS 2 — help agencies quickly and efficiently bring on IT service providers, some of whom can provide targeted AI services.
  • GSA’s Rapid Review report service scans the Multiple Award Schedule and provides a list of approved vendors that meet particular criteria, including common AI services from coding to training, typically in as little as one day. To get started, visit our Market Research as a Service page and order a Rapid Review.

Above all, remember that we’re here to facilitate the business of connecting you with the right technology solution. Contact us with your needs and we will guide you there.

Know the risks

EO 14110 provides the most comprehensive guidance to date on the necessity for agencies to fully consider the risks from their use of AI.

AI tools will be subject to rigorous assessment, testing, and evaluation before they may be used. After that, according to EO 14110, CAIOs must ensure that their AI systems undergo ongoing monitoring and human review, that emerging risks are identified quickly, that its operators are sufficiently trained, and that the AI functionality is documented in plain language for public awareness.

Importantly, EO 14110 charges CAIOs with ensuring their agency’s AI will advance equity, dignity, and fairness. This will require a mix of thoughtful stakeholder engagement and the sophisticated use of data and analytics to anticipate, assess, and mitigate disparate impacts. That includes being alert to factors that contribute to algorithmic discrimination or bias and proactively removing them.

We’re constantly calibrating the balance between convenience and compliance, which is particularly important when preparing to acquire technologies like AI that are new and evolving. Our contracts require vendors to comply with rules, policies, and regulations — including EO 14110 and the NIST AI Risk Management Framework — to ensure you have a safe, secure, sustainable IT infrastructure.

More to come

In 2020, GSA launched the AI Community of Practice to get practitioners from across government talking and sharing best practices, then set up an AI Center of Excellence to put their knowledge into action. Much of their work helped lay the intellectual infrastructure needed to carry out the governmentwide objectives of EO 14110. GSA itself is named in three:

  1. Develop and issue a framework for prioritizing critical and emerging technologies offerings in the FedRAMP authorization process, starting with generative AI.
  2. Facilitate access to governmentwide acquisition solutions for specified types of AI services and products, such as through the creation of a resource guide or other tools to assist the acquisition workforce.
  3. Support the National AI Talent Surge by accelerating and tracking the hiring of AI and AI-enabling talent across the Federal Government through programs including the Presidential Innovation Fellows and the U.S. Digital Corps.

As you can see, there will be much more to come as the government’s AI strategy goes into action. To quote GSA Administrator Robin Carnahan, “GSA is proud to play key roles in supporting this Executive Order to help ensure the federal government leads the way in the responsible, effective use of AI.”

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

Acknowledging our Veterans, their contributions to the IT Category

In celebration of Veterans Day, I want to thank our Veterans for their service and dedication. I’m grateful for the sacrifices they have made for us. Our Veterans exemplify the qualities that enable our country to overcome the greatest obstacles.

GSA partnering with Veterans

GSA is dedicated to supporting Service-Disabled Veteran-Owned Small Businesses (SDVOSBs) in the federal IT market. ITC currently has hundreds of highly skilled SDVOSBs between our Multiple Award Schedule – IT (MAS-IT) and the Veterans Technology Services 2 (VETS 2) and 8(a) STARS III IT services Governmentwide Acquisition Contracts (GWAC).

While SDVOSBs have many opportunities to participate in the IT marketplace, VETS 2 is currently the government’s only GWAC set aside exclusively for SDVOSBs.

I’m happy to say that the VETS 2 option was exercised earlier this year in February 2023. In total, 45 industry partners received their option. This will provide federal agencies with continued use of this best-in-class solution for their long-term IT service project needs, with the performance of task orders extending out through 2033. As of August 2023, VETS 2 has had more than 200 task order awards with over $1.4 billion in Obligated Sales and a Total Estimated Sales of over $3B.

The VETS 2 team has been hard at work training government agencies on the use of VETS 2, with more than 3,000 customers trained so far. If you’re interested, visit www.gsa.gov/events for a list of upcoming training opportunities.

SDVOSBs bringing real mission impact

Last year at this time, I shared several examples of the great work of our Veteran partners and I’m happy to bring fresh ones this year:

  • One of the DoD agencies recently awarded a $404 million order through VETS 2 to provide Enterprise IT Support Service for their Combat Capabilities Development Command Aviation and Missile Center (AvMC). Through these IT support services, the SDVOSB will fill the agency’s need to provide the personnel, services, and supplies necessary to enable the full lifecycle of IT support requirements across AvMC.
  • Another DoD agency also awarded a $24M task order award for extensive cybersecurity services. Our VETS 2 industry partners provided the defense agency with a service that is essential to protecting our nation’s security. Cybersecurity has become a fundamental IT service needed to keep our country safe and secure and VETS 2 can deliver these mission-critical national security services.

Veterans, looking to the future

Our commitment doesn’t stop with our existing contracts. Our next small business GWAC, Polaris, will have an SDVOSB pool as well. Polaris is being designed to assist agencies in acquiring customized IT services and IT services-based solutions while expanding opportunities for SDVOSB firms. Stay tuned to our Small Business Community of Practice Interact page for updates.

I’m grateful for the meaningful partnership we have with our SDVOSBs and for their continued hard work and dedication to helping agencies achieve their missions every day. I’m really excited for what the future holds.

Visit our website to learn more about VETS 2, MAS-IT, and Polaris or use our IT Solutions Navigator to find the vehicle that’s right for you.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

Fed tech for emergency preparedness: The GSA schedule and public safety

Preparing your agency to respond to an emergency is not limited to hurricane or wildfire season. From ensuring continuity of operations to how citizens and employees receive critical communications; emergency preparedness is a continuous effort and an integral part of being agile, disaster-ready, and capable of carrying out essential duties in various emergency situations.

What’s in your emergency preparedness toolkit?

Wireless technology is an important part of the federal government’s emergency preparedness strategy. Knowing what technology is available, how and when to integrate it into your telecommunications plan, and how to best leverage the capabilities of the vendor community is a key responsibility of every telecommunications program manager. GSA can help.

GSA’s Best-in-Class Wireless Mobility Solutions Program gives agencies an integral piece for their emergency preparedness toolkits.

Federal, state, local and tribal agencies can access wireless mobility solutions like cell phone services, Wireless Priority Service, special capabilities for first responders, enterprise mobility and satellite communications (SATCOM), and deployable cell towers and infrastructure.

Buying through GSA helps you connect with the best provider for your agency, and incorporate the capabilities to best serve your agency and citizens.

Along with Best-in-Class solutions and competitive vendor offerings, outstanding technical support is available from GSA through sdintake@gsa.gov.

Don’t fly the COOP; GSA has a Wireless Mobility Solution

Continuity of Operations planning (COOP) is another aspect of emergency preparedness and a fundamental responsibility of public and private entities. COOP is a federal initiative to ensure agencies are able to continue the performance of essential functions under a broad range of circumstances. Today’s changing threat environment increases the need for continuity capabilities and plans at all levels of government.

GSA’s Wireless Mobility Solutions team is focused on readiness for communications and information systems, and they can help agencies shape and improve their COOP strategy with cost-effective and secure offerings.

Whether you’re looking for new solutions or updating your existing emergency preparedness plans, GSA’s Wireless Mobility Solutions team is ready to assist.

Ready to learn more?

Attend GSA’s Wireless Mobility Solutions webinar “Wireless Solutions for Emergency Preparedness,” Nov. 6, 2-3 p.m. ET.

This webinar is for government staff who manage IT, agency mobility programs, purchase or manage mobility, or have a role in emergency preparedness or public safety. Learn more about trustworthy wireless solutions that support emergency preparedness and public safety, and can help your agency build mission resilience.

Topics will include:

  • Solutions to help ensure your agency is better prepared for an emergency;
  • How 5G will impact emergency preparedness and how you can plan for it; and,
  • Agency considerations for wireless technology for public safety and mission resilience.

Speakers from AT&T, T-Mobile and Verizon will discuss some of the important issues facing public safety today, what technologies can better enable emergency preparedness, and what agencies should be doing right now to be better prepared.

Sign up today!

Also, visit our website to learn more about Wireless Mobility Solutions for your agency, or use our IT Solutions Navigator to find the vehicle that’s right for you.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

What does the future of cybersecurity look like?

As we look ahead, there are several key areas of focus that will undoubtedly shape the virtual battleground. Government agencies who proactively embrace and implement current high priorities in these key areas will be better prepared to navigate the evolving digital threatscape and safeguard their sensitive information and assets. Here are some top drivers we anticipate will impact agencies’ cybersecurity strategy and spending plans.

Zero Trust Architecture (ZTA)

ZTA has been at the forefront of government guidance in recent years. Now that agencies have had time to plan for their ZTA requirements, implementing strategies should commence. ZTA provides agencies with the foundation to build a strong security posture that evolves with the ever-changing technological environment of dynamic and accelerating threats.

Cybersecurity Supply Chain Risk Management (C-SCRM)

The growing interconnectedness of systems, services, and products makes management and mitigation of supply chain risks even more important. Effective C-SCRM should be a fundamental component in cybersecurity strategy. Having C-SCRM as an essential element in procurement helps to ensure the resilience, security, and continuity of operations for organizations, government agencies, and critical infrastructure.

Post-Quantum Cryptography (PQC)

PQC is an emerging field within the cyber realm that is gaining increased relevance due to the potential threat quantum computers pose to traditional encryption methods. PQC involves the development of new cryptographic algorithms resistant to quantum computer attacks to ensure the security of digital communications and sensitive information. Agencies should begin to plan for future quantum resistant methods by inventorying their systems and engaging with vendors on how they are addressing quantum-readiness.

Some challenges agencies may face include:

  • The ability to identify PQ-vulnerable systems.
  • The ability to identify and implement appropriate PQC algorithms.
  • The high cost and complexity of implementation.
  • A gap in a trained and certified workforce to implement and maintain PCQ algorithms.

Artificial Intelligence (AI)

The rapid emergence and adoption of generative AI tools has created new challenges, especially for data security. As AI becomes more prevalent in our modern technology, agencies will need to assess the associated risks and develop strategies to mitigate vulnerabilities.

GSA and other agencies are working to support the new Executive Order to help ensure that AI systems are safe, secure, and trustworthy.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

Find cybersecurity solutions in IT Services GWACs

In a post earlier this month, I talked about the Cybersecurity Battle Ground with various Administration strategies, executive orders, and some of the resources that we’ve developed to help you navigate this guidance. If you haven’t read that post yet, I suggest you check it out.

Today, I thought I’d talk about some of the acquisition contracts that we’ve developed to help you get on-the-ground support with your cybersecurity efforts.

MAS and beyond

When you think cybersecurity, and you think GSA, the Multiple Award Schedule (MAS) for Information Technology (IT) probably comes to mind. We have a lot of great cybersecurity solutions there, including the Highly Adaptive Cybersecurity Solutions (HACS) Special Item Number (SIN), a variety of Continuous Diagnostics and Mitigation (CDM) tools, and Zero Trust Architecture (ZTA) solutions.

True, MAS-IT is a great place to cover your cybersecurity needs, but it’s not the only place. Depending on your overall acquisition goals, GSA’s Governmentwide Acquisition Contracts (GWACs) are a great path as well. These IT Services-first contracts are considered by the Office of Management and Budget to be Best-in-Class and have a host of capabilities to meet cybersecurity needs; from ZTA to IPv6, to insider threat detection and mitigation services.

I thought it would be interesting to analyze the data in our GWAC Dashboard to see what I could find by simply pulling the data by contract and searching for ‘Cyber’*. This is definitely not a comprehensive review of our cybersecurity offerings on the GWACs, but this gives a great sense of the work that’s happening.

* This can be done by going to the “DATA Feed” tab, clicking on the “Choose a format to download” icon at the bottom right, and selecting “Crosstab.” This will result in an Excel file with more information than can be easily displayed in the web dashboard.

8(a) STARS III

Federal agencies have leveraged the 8(a) STARS III GWAC, for example, to protect against cyber threats. 8(a) STARS III industry partners have supported America’s government by creating cyber risk assessments, performing enterprise penetration testing, and establishing security assessment reports. 8(a) STARS III has 23 task orders with an estimated value of more than $141.8 million for cyber-related activities. The Department of Treasury and the Department of Homeland Security are among the biggest users of 8(a) STARS III for cybersecurity services.

VETS 2

The VETS 2 GWAC is another great example. This Service-Disabled Veteran-Owned Small Business GWAC currently has more than $118 million in estimated value from 10 task orders ranging from IT Security Risk Management Framework (RMF) and Assessment and Authorization (A&A) Services to cybersecurity architecture and engineering services. Some of VETS 2’s biggest cybersecurity customers are the Department of Treasury, the Department of Homeland Security, and the Army.

Alliant 2

Alliant 2 data shows a similar story. There, we find 25 task orders for a total estimated value of $2.2 billion. These task orders relate to Federal Public Key Infrastructure (FPKI) support services to cybersecurity – supply chain risk management (C-SCRM) support services and beyond.

Again, these are just task orders with the term ‘cyber’ in the description field. Even more come through when we add the term ‘IT security’.

The right cybersecurity solutions

As we continue to observe Cybersecurity Awareness Month, I wanted to bring attention to the ‘where’ of conveniently getting the cybersecurity solutions agencies need to protect their systems as agencies move to create a safer and more secure digital future.

Visit our website to learn more about cybersecurity or use our IT Solutions Navigator to find the vehicle that’s right for you.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

The Cybersecurity Battleground

Reflecting on the past, envisioning the future

This month marks the 20th anniversary of Cybersecurity Awareness Month, as well as the beginning of a new government fiscal year. I’d like to take this milestone opportunity to delve into some recent notable cybersecurity events, the broader implications for government agencies, and my vision as GSA continues to play a pivotal role in positioning agencies to create a safer and more secure digital future.

The 2023 Verizon Data Breach Investigations Report shows external actors were responsible for 83% of breaches. Continued cyber breaches, such as Volt Typhoon and the MOVEit application exploit not only cause disruption and pose a serious threat to our national security, but lay the groundwork for more sophisticated cyber attacks. Hackers will leverage any flaw in the cyber environment to gain access to sensitive information. Our adversaries are not resting, and neither can we.

In March 2023, the White House released an updated National Cybersecurity Strategy with ongoing initiatives aimed at enhancing the nation’s cybersecurity capabilities and comprehensive approach. It aligns numerous strategic objectives under five pillars:

  1. Defend Critical Infrastructure
  2. Disrupt and Dismantle Threat Actors
  3. Shape Market Forces to Drive Security and Resilience
  4. Invest in a Resilient Future
  5. Forge International Partnerships to Pursue Shared Goals

The White House later published its National Cybersecurity Strategy Implementation Plan which includes specific guidance for agencies as they implement the strategy’s requirements and key objectives.

The Department of Defense completed its Cyber Strategy in May 2023. The strategy underscores the ongoing advancement of Zero Trust Architecture (ZTA) and the technological solutions and services to fortify critical infrastructure, ensuring vital systems and assets are safeguarded. In August 2023, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Strategic Plan that aligns with the National Cybersecurity Strategy and lays out how agencies can fulfill their cybersecurity mission over the next three years. As plans are implemented, GSA is prepared to incorporate updated frameworks and standards into our solutions to meet agencies’ needs and requirements.

As we move forward into the new fiscal year, the Office of Management and Budget (OMB) continues to emphasize cybersecurity priorities for civilian agencies to consider when developing FY24 and FY25 budget requests. These include continued implementation of ZTA, investment in Cybersecurity Supply Chain Risk Management (C-SCRM) practices, and most recently Post-Quantum Cryptography (PQC). Details can be found in the OMB Memorandum M-22-16, M-23-18, and the Quantum-Readiness: Migration to Post-Quantum Cryptography fact sheet. Additionally, OMB outlined Research and Development Priorities for the FY25 budget which include addressing cybersecurity risks through resilient architectures. As the cybersecurity landscape is in a constant state of evolution, adapting to new guidance is imperative to Improving the Nation’s Cybersecurity.

How GSA supports agencies

GSA recognizes that every agency has unique needs, but the overarching goals remain. That is why GSA works diligently to support the modernization of security to enhance cyber resilience, protect important information, and maintain systems access and function.

To help agencies meet their goals, GSA developed a suite of resources on cybersecurity topics, such as ZTA and C-SCRM. Buyer’s guides and informational videos are available to help identify which solutions best fit agency IT security needs. In addition, our acquisition templates make procuring the products and services that modernize security and strengthen cyber resilience easy and efficient. Find the guides and more at www.gsa.gov/itsecurity.

Our commitment

At GSA we understand collaboration with other agencies, and our industry partners, is crucial for addressing the evolving and global nature of cybersecurity threats. We are committed to continue our efforts to provide comprehensive and impactful government-centric cybersecurity solutions that address the need for modernization today and protect assets from the cyber threats of tomorrow.

Stay up to date

We are available to agencies throughout the entire acquisition lifecycle. The GSA IT Category team offers subject matter expertise and is available to answer questions related to purchasing a full range of IT products and services. Please contact the IT Customer Service Center at 855-ITaid4U/855-482-4348 or itcsc@gsa.gov.

Follow ITC on LinkedIn and subscribe for blog updates.

Posted on

2023 EIS Transition Update

Last December I blogged about GSA’s decision to pursue extensions of the Networx, Washington Interagency Telecommunications System (WITS) 3 and Local Service contracts on behalf of a few agencies who needed more time to complete their transition to Enterprise Infrastructure Solutions (EIS). Much has transpired since that last blog post, and I wanted to give an update.

As of April 2023, 123 of 222 agencies had successfully transitioned off of the legacy telecommunications contracts. Transitioned agencies have realized some truly great benefits such as:

  • Divested from legacy services no longer supported by contractors
  • Adopted Trusted Internet Connection 3.0 architectures
  • Achieved lower overall cost
  • Increased cyber resilience.

Agencies that require an extension beyond May 31, 2024 must sign a Memorandum of Understanding (MOU) with GSA, provide GSA with details supporting further contract extensions, and start comprehensive quarterly executive transition updates with GSA. As of June 26, 2023, eight agencies have requested extensions to May 31, 2026. Some need additional weeks and some need additional months to complete their transition.

New Executive Leadership for Enterprise Technology Solutions

On February 16, 2023, Jake Marcellus became the Executive Director for Enterprise Technology Solutions (ETS). Jake leads a subcategory that includes Enterprise Telecommunications, Mobility and Satellite Communications (SATCOM) services. Jake came to us from GSA IT and has extensive experience leading telecommunications efforts within the Department of Defense.

I have asked Jake, as lead executive for EIS, to place his initial focus on improving the customer agency EIS transition experience and outcomes. His team developed a system to use disconnect data to identify the most significant transition risks and make the appropriate executive engagements with agencies.

They’re engaging agencies, assisting with problem identification, consulting on technical solutions and facilitating requests for 2026 extensions. In addition to meeting with agency Chief Information Office (CIO) staff, Jake is also meeting with executives of our EIS contractors.

The Continuity of Service Period and beyond

GSA continues to manage the EIS transition by supporting agency requirements and the contractors’ performance toward meeting the key completion dates.

  • May 31st 2024 – Continuity of Service (CoS) ends for those agencies that signed MOUs with GSA for the June 1, 2023 through May 31, 2024 CoS periods.
  • May 31st 2026 – The end of service for those agencies authorized to use extended CoS beyond May 31, 2024.

The terms and conditions of the legacy telecommunications contracts allow only those organizations specified in the Networks Authorized User List (NAUL) to obtain services under these contracts. GSA continues to update the NAUL to remove those agencies which are no longer authorized to use the contracts and will order contractors to disconnect services to such agencies. Unless an agency is working with GSA to use the extended CoS to May 31, 2026, the NAUL will be updated to remove the agency and its services will be disconnected on or before May 31, 2024. Agencies should continue to work aggressively with their contractors to transition prior to May 31, 2024. If an agency requires days, weeks or months beyond May 2024, it should contact their Solutions Broker on the GSA team to explore options.

Working together to achieve successful outcomes

Successful EIS transitions are a team effort. While GSA manages the transition as a governmentwide program, the agencies and their contractors–for both the legacy contracts and EIS–must work very closely to ensure the agencies’ requirements and those of their task orders are successfully met. This requires close oversight by the Ordering Contracting Officers for those task orders and the project managers, in collaboration with experts in networking, security, finance and operations that form the agencies’ transition teams. These teams monitor the contractors’ activities, identify risks and issues, and develop solutions with the contractors in compliance with the task orders and with an eye toward completing transition by the deadline.

Below are some of the lessons learned that enabled the successful completion of agency transitions.

  1. Know your existing inventory and requirements
    It is foundational that a transition is properly scoped in regards to physical locations and required telecom services. This step will ensure full accountability on what needs to be transitioned, what will not be transitioned and account for new requirements.
  2. Create a transition strategy
    A transition strategy includes what will be transitioned and the discrete considerations for unique mission needs and environment. Transitions in urban and rural areas have distinct challenges.
  3. Develop a plan and schedule
    Provide an overview of required actions and a detailed schedule of activities.
  4. Get stakeholder buy-in
    A successful transition requires acute coordination between engineering, program management, government contracting staff and the associated contractors.
  5. Monitor and Control
    This phase requires the agency work with both their EIS and legacy contractors to ensure that services are both transitioned and disconnected. Transition progress should be actively monitored to spot potential obstacles and implement corrective actions.
  6. Leverage the GSA team
    GSA has assigned solutions brokers for all agencies. Solutions brokers are a single point of contact for assistance with EIS, Networx, WITS3 and all transition activities. GSA’s ETS Executive Director is available for the agency executive engagement.

Visit our website to learn more about EIS or use our IT Solutions Navigator to find the vehicle that’s right for you.

Follow ITC on LinkedIn and Twitter, and subscribe for blog updates.