Authorization to Operate: Preparing Your Agency’s Information System

To close out National Cybersecurity Awareness Month, here are some steps federal agencies can take to protect their IT systems from cyber attacks and cybersecurity vulnerabilities using the Authorization to Operate (ATO) process.

An ATO demonstrates that a federal agency has gone through a federally approved, detailed process to protect an IT system from incidents such as cyberattacks, security breaches, malware, and phishing attempts. Many federal IT systems are required to obtain an ATO to process government data, and federal regulations recommend that agencies follow the Risk Management Framework (RMF) to become authorized.

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides solutions for all of an agency’s cybersecurity service needs, including RMF. The HACS SIN connects agencies with vendors who have passed oral technical evaluations for cybersecurity services performed within the RMF, and who are ready to assist agencies with the RMF process for a successful authorization.

[Figure: RMF steps graphic with the “Authorize” step highlighted]
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

All of the steps, tasks, and activities that precede the “Authorize” step of the RMF help to prepare the information system for the authorizing official’s appraisal. The authorizing official is not a contractor, but a federal employee of whichever agency is seeking an ATO.

The HACS SIN connects federal agencies with contractors who can help in each stage of the RMF. Contractors can assist agencies in producing the deliverables associated with each RMF step listed in the chart below.

Disclaimer: RMF deliverables can vary based on an organization’s cybersecurity needs.

Once an agency has successfully completed the first four steps of the RMF (“Categorize” through “Assess”), an authorizing official will evaluate the system. The authorizing official for the federal agency in question evaluates residual risks identified during the security control assessment, and makes the decision to authorize the system to operate, deny its operation, or ask the agency to address any issues.

When granting an ATO, authorizing officials look for the following checklist of items:

  • Plan of Action and Milestones (POA&M)
  • Authorization Package
  • Final Risk Determination and Risk Acceptance
  • Authorization Decision

The POA&M is one of the most important deliverables produced in the RMF process. It reflects organizational priorities for addressing any remaining weaknesses and deficiencies in an information system and its environment of operation. The Authorization Package includes all key documents, including the security plan, the security assessment report, and the POA&M.

Following the RMF steps helps your agency to achieve ATO, but the work does not end after an ATO is issued. Agencies must also continuously monitor their systems to ensure that security controls remain effective over time.

In addition, many federal agencies must reauthorize their information systems every three years by going through the RMF process again. This is where the final step of the RMF, “Monitor Controls,” is important. As part of continuous monitoring, a sample of the applicable security controls is tested annually, periodic vulnerability scanning is performed, and a security impact analysis of changes is performed. If an agency continuously monitors its systems over those three years by documenting specific technical changes, environment changes, or changes to the organizational risk management strategy, it may be easier to renew an ATO because any security risks can be mitigated at the time they occur.

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to achieve an ATO, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

Polaris: GSA’s Next-Generation Small Business GWAC

As an organization, GSA places a lot of importance on guiding IT service providers in forming relationships and doing business with the federal government. GSA is also here to assist agencies as they navigate the marketplace of emerging and transformative IT solutions that will help them achieve their missions and perform efficiently.

With that in mind, we’re naming our next-generation Governmentwide Acquisition Contract (GWAC) “Polaris,” and we’re developing it with these important attributes as our guides.

Polaris is also known as “The Guiding Star” in the night sky. This GWAC represents another step forward for the next generation of IT services-based solutions from GSA. Polaris will not only guide small businesses through the federal market, it will also help GSA customer agencies through the acquisition of IT service-based solutions, and give GSA a chance to improve our offerings and set the agency on a solid course for the future.

On August 27, GSA hosted “Your Voice Matters: Help Shape GSA’s Next Small Business GWAC Industry Forum.” During the event, attendees heard firsthand about our vision for providing opportunities for small businesses – including underrepresented socio-economic categories – and state-of-the-art IT solutions for federal agencies through next-generation GWACs.

Teamwork makes the dream work

GSA recognizes the value of collaborating with our industry partners, customers, and other stakeholders. The only way to improve the quality and availability of IT services in the marketplace is to know exactly how agencies and industry partners feel about current products and processes, as well as opportunities for innovation. For that reason, we solicited feedback from industry partners prior to and during the industry forum. At that time, we also vowed to keep the conversation going.

To facilitate that dialogue, we launched the SB GWAC Community of Interest (COI). The COI is a webpage that allows for an exchange of thoughts on topics related to all of GSA’s small business GWACs. This input will be taken into consideration as we develop a plan forward. Additionally, engagement with agency and industry partners will continue through additional market research.

Broadening the Industrial Base

Pricing Strategy: GSA is considering new strategies to increase our pool of qualified small businesses that serve federal agencies. One of the most ambitious approaches involves the potential employment of Section 876 of the Fiscal Year 2019 National Defense Authorization Act in the next-generation vehicle, through FAS’s “Enhancing Competition at the Order Level” initiative under the Federal Marketplace Strategy. Section 876 gives GSA authority to award contracts to qualifying offerors without considering prices for services acquired on an hourly rate basis.

Because this would shift the focus to pricing competition at the task order level, it is important that we continue our efforts to increase competition in the marketplace by creating opportunities for qualified small businesses.

On-ramps: Open season on-ramps would allow the industrial base to expand as technology changes and the market evolves, and would improve competition at the task order level. This would be a great benefit to federal agencies. On-ramping could give agencies continuous access to top-performing industry partners that offer the latest advancements in technology. On-ramping will also give vendors the opportunity to be considered for the GWAC after the initial award period.

Additionally, small businesses with fresh ideas could have the opportunity to participate in the federal IT services marketplace. This approach could also improve overall federal government efficiency and might potentially help close the age-old government/private sector technology gap.

Opportunity Expansion: GSA’s small business GWACs have supported agencies in meeting their small business goals for more than two decades. We want to build on this success by looking at small businesses without socio-economic status as well as options to increase opportunities for HUBZone and woman-owned small businesses. GSA is also eager to engage with industry about the possibilities of providing lifecycle opportunities on GSA contract vehicles for small businesses as they grow and mature.

Embracing Technology to Maximize Efficiency: Polaris aims to provide customers with streamlined access to emerging technology providers, including those offering artificial intelligence, automated technologies (like robotic process automation), blockchain, 5G implementation (including edge computing), cybersecurity, and cloud.

Efforts to Ease the Process

In hopes of optimizing performance, GSA is improving existing business practices. Recent industry feedback has made it clear that we must work even harder to ease the strain that prospective future GWAC holders experience while trying to partner with us. For that reason, we are working on improvements to the proposal submission and evaluation processes. We’re currently exploring the use of an online proposal submission tool to expedite the award process. We’re also looking at an evaluation strategy that aligns with customer requirements, while using objective evaluation criteria to the maximum extent possible. Additionally, as a result of positive feedback received on the self-scoring approach used on VETS 2 and Alliant 2, a similar strategy for the new vehicle is being considered.

Power in Knowing

GSA’s Office of Small and Disadvantaged Business Utilization (OSDBU) has long been a valued resource to the small business community. We recognize that small businesses fuel the nation’s economy and sincerely welcome our responsibility to provide the support the community needs and expects. As with past GWAC launches, GSA is equipped to help prospective GWAC partners familiarize themselves with the process. GSA’s OSDBU team helps small businesses better position themselves for available opportunities by providing training and resources. This includes free virtual training on creating a federal marketing plan, and identifying federal customers through the Federal Procurement Data System (FPDS). For more information, regional OSDBU contacts can be accessed by visiting GSA’s small business support page.

We plan to host regular engagement events to keep all stakeholders up-to-date on the path to the new Polaris solicitation and award. Details about our future engagements will be made available on the COI web page.

What’s the Timeline?

We are in the very early stages of the process and are looking forward to continuing dialogue with our industry partners and agency customers. We’re working to release a request for information this month and we’re hopeful that we’ll be able to get a draft request for proposals out within the next few months.

We are enthusiastic that our new, next-generation small business GWAC has the potential to not only increase the industrial base and pool of qualified vendors, but also vastly increase the quality and diversity of IT services available to federal agency customers.

Interested parties should join the COI.