GSA Celebrates American Veterans

This Veterans Day, I’m contemplating GSA’s long history of working with service-disabled, veteran-owned small businesses (SDVOSB). I’m proud of the work they do every day to help agencies across the federal government achieve their mission.

Our Governmentwide Acquisition Contracts (GWACs) like VETS 2 demonstrate our ongoing commitment to our Veteran community – and I want to make sure I communicate clearly that we believe VETS 2 will continue its success and have a strong future as part of GSA’s suite of IT contract solutions for many years to come. We’re taking the necessary steps to execute the option period and doing all that we can to cement VETS 2’s future.

VETS 2: the right IT solutions, right now

In just 3 ½ years, VETS 2 has an estimated $1.87 billion value from 145 task order awards.

VETS 2 gives agency customers access to a wide variety of customized IT services and solutions. It also helps agencies receive SDVOSB credit toward their Small Business Procurement Scorecard and Best-in-Class (BIC) Tier 3 credit toward Spend Under Management goals.

The highly qualified companies on VETS 2 can complete almost any IT service requirement including agile software development, artificial intelligence (AI), cloud computing, and other emerging technologies.

SDVOSB pool on Polaris

In addition to our ongoing support for VETS 2, GSA is broadening opportunities for Veterans to work with the federal government. We recently announced a new contract pool for SDVOSB firms on Polaris, a new next-generation GWAC.

Polaris will bring more innovation to the small business community, federal agencies, and the acquisition workforce. This innovation will lead to substantial benefits for small businesses, improved technology for federal agencies, and greater flexibility for acquisition professionals across government.

Polaris will have 4 pools: small business, women-owned small business (WOSB), SDVOSB and businesses located in HUBZones. These pools will be awarded in phases to help our customers deliver on their missions and meet their socio-economic goals.

Our first priority is to release the request for proposals (RFP) for the small business and WOSB pools in January 2022. The small business pool will be awarded first, later in the year. The HUBZone and SDVOSB RFPs and awards will follow.

Subscribe to our Small Business Community of Interest on GSA Interact to keep up to date.

Veterans help government through two GSA GWACs

We’re committed to the SDVOSB community. Together, VETS 2 and Polaris will deliver on our commitment to SDVOSBs. They’ll continue to deliver value for our customers well into the future and help ensure there will be no gap in access to SDVOSB contract offerings.

Find out more about VETS 2 and discover customer training opportunities at www.gsa.gov/vets2. Please send any questions to vets2@gsa.gov.

Additional information about Polaris can be found at www.gsa.gov/polaris. Please send any questions to polaris@gsa.gov.

Reducing Cyber Supply Chain Risks

From reports of large-scale cyber attacks such as SolarWinds to President Biden’s signing of Executive Order 14028, Improving the Nation’s Cybersecurity, cyber supply chain risks have been top of mind for policymakers and federal agencies governmentwide.

GSA is committed to helping agencies mitigate cyber supply chain risks. By understanding the threats, agencies are positioned to take defensive action against them.

Ecosystem threats

Government depends on a global supply chain ecosystem: vendors, distribution routes, technologies, laws, and policies. Each piece of this ecosystem works together to design, manufacture, distribute, use, and manage products and services.

However, these supply chain ecosystems can expose government organizations and enterprises to financial, governance and cybersecurity risks.

Of these risks, one of the most troubling is that someone will use vulnerabilities in a supply chain to carry out a cyberattack.

A supply chain cyber attack occurs when an attacker uses a trusted outside partner or vendor with access to a system’s data to infiltrate an information system.

Because supply chain attacks are difficult to prevent and can greatly harm any organization, federal agencies must identify, categorize, manage, and mitigate risks within their supply chains.

In its December 2020 report, the Government Accountability Office (GAO) assessed how 23 civilian CFO Act agencies implemented 7 Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) practices.

In their review, the GAO found that many agencies had not implemented the practices according to their evaluation criteria and that no agencies had fully implemented all 7 practices.

What you can do

You can take proactive measures in information and operational technology acquisitions to reduce an organization’s cyber supply chain risks.

  • Evaluate your organizational structure. Set up a collective task force to secure your supply chain and empower this team to hold lower-level suppliers accountable and to have responsibility for overall supply chain security.
  • Identify and empower supply chain leadership. Review and monitor key contracts to verify that prime and subcontractors maintain security practices through the contract lifecycle. Threat intelligence and incident response capabilities must work together.
  • Put data protection and stakeholder communication processes in place. Set requirements for communicating and protecting data, specifically for incidents, breach notifications, and industry or legal reporting requirements.
  • Build trust by sharing threats with your supply chain partners. Prevent communication delays by being transparent about an attack or a potential breach. Transparent leadership and communication create trust. Building that trust requires a commitment to straight talk, the ability to produce results, and the ability to restore trust when trust is lost.

GSA C-SCRM Resources

For the last 10 years, federal guidance and regulations have prioritized SCRM. This priority reflects the increasing threat of vulnerabilities in the nation’s supply chain.

We’re continuing to develop ways to help agencies reduce supply chain risk, like the Vendor Risk Assessment Program and the Cyber Supply Chain Risk Management Acquisition Community of Practice.

Vendor Risk Assessment Program

We are currently developing a program that can identify, assess, and monitor supply chain risks for vendors who do critical work for the federal government. It will audit supply chain risk processes or events and may include on-site assessments.

The following criteria will be monitored:

  • Risk of foreign ownership, control or influence;
  • Cyber risk; and
  • Factors that would affect the company’s vulnerability, such as financial performance.

If the risk assessment identifies supply chain risks, we will work with the vendor on a corrective action.

We take this seriously. Failing to resolve any identified risk may result in government action up to and including contract termination.

Cyber Supply Chain Risk Management Acquisition Community of Practice

In August 2021, we established a C-SCRM Acquisition Community of Practice (ACoP). It includes key acquisition stakeholders from GSA, Cybersecurity and Infrastructure Security Agency (CISA), Office of Management & Budget (OMB), and other federal agencies.

The goal of C-SCRM ACoP is to increase awareness and develop maturity in the areas of cyber-acquisitions and Information Communication Technology and Services (ICTS) supply chain risk management across the federal government.

Many federal departments and agencies need to mature C-SCRM capabilities, guidance, and training. This is particularly true for acquiring ICT hardware and software.

We need governmentwide contract language for getting ICT products that holds vendors accountable for assessing the risk of their supply channels, especially for embedded software.

To learn more about the C-SCRM ACoP or to join, email C-SCRM_ACoP@gsa.gov.

Coordination is key

Agencies must continuously monitor their interconnected IT ecosystem and establish the necessary contract requirements that ensure vendors are doing the same.

Stay up to date on the latest GSA C-SCRM initiative by following us on Twitter @GSA_ITC.