Empowering government operations with cutting-edge IT solutions through IT Professional Services SIN

In today’s digital age, technology plays an essential role in every aspect of our lives, including government operations. But agencies don’t always have the resources or expertise in-house to take advantage of the benefits technology can bring. To help agencies that may be stretching resources and budgets in addition to the workload of their acquisition workforce, GSA provides a wide range of IT services through the IT Professional Services Special Item Number (SIN) on the Multiple Award Schedule (MAS-IT). This SIN enables federal, state, local, and tribal agencies to access a broad range of IT solutions from experienced contractors at competitive rates.

This blog post is part of a series where we’re discussing each of GSA’s key IT Services SINs. Each blog will discuss the benefits for agencies in using the solution, take a look at who is using it, and share an example of how an agency successfully used the SIN to achieve its mission.

A few key benefits to using GSA’s IT Professional Services SIN are listed below:

  1. Experienced industry partners: Access a pool of experienced IT professionals who have worked on government projects. These contractors have the knowledge and expertise required to design and implement complex IT solutions that meet the specific needs of your agency.
  2. Faster procurements: Quickly and easily access IT solutions through the Multiple Award Schedule (MAS). This saves time and resources and enables you to focus on your core mission.
  3. Cost savings: Leverage competitive rates, lower administrative burden, and reduced use of agency resources. Buying IT solutions through SIN is faster and easier, driving costs down when compared to the costs of the open market.

Top agencies

Agencies invested almost $10 billion through the IT Professional Services SIN last year. Here are some of our biggest users:

  • US Customs and Border Protection
  • National Aeronautics and Space Administration
  • General Services Administration
  • Department of Defense (Various Offices)
  • Department of Homeland Security
  • Department of Agriculture
  • Department of the Navy
  • Department of Health and Human Services
  • Department of the Air Force
  • Department of the Interior

Use Case: Small businesses provide low-cost, secure application for agency’s foreign aid program

A federal agency administering aid to foreign countries needed to create an application that could run efficiently and effectively on low-cost tablets. This application also needed to operate in areas where only low-speed internet access was available.

In addition, the application had to be secure and protect personally identifiable information and health data.

The agency released a request for information (RFI) under the IT Professional Services SIN using GSA eBuy. The RFI allowed the agency to survey existing capabilities among the vendors on the SIN to determine what requirements to include in a request for proposal (RFP). The agency used the RFI market research to draft and issue a performance work statement (or PWS) under the IT Professional Services SIN for the Field Employee Support Tablet Initiative project. They received six proposals.

Ultimately, a group of three small businesses using a contractor teaming arrangement (or CTA) received the contract award.

GSA’s IT Professional Services SIN, serving you

GSA’s IT Professional Services SIN provides agencies — at all levels — with access to experienced IT professionals, a faster procurement process, and cost savings. By leveraging the expertise of contractors through the IT Professional Services SIN, agencies can implement IT solutions that meet their specific needs, improve efficiency, and better fulfill their missions.

Follow ITC on LinkedIn and Twitter, and subscribe for blog updates.

Application Security Testing (AST) — reduce your cybersecurity risk

“Improving the Nation’s Cybersecurity” is a top priority across all federal agencies. Constant and fast-paced application innovation is the new norm of today’s digital enterprise. Vulnerabilities are waiting to be exploited by adversaries and their increasingly sophisticated malicious attempts such as the Log4J application exploitation.

The Office of Management and Budget’s (OMB) Memorandum 22-09 specifically charges agencies to operate dedicated Application Security Testing (AST) programs for a stronger and more robust cyber posture. Early and continuous AST minimizes the risk of sensitive data exposure and system compromise. To prevent most application security threats, agencies need a dedicated AST program that implements a variety of tools to continuously assess and address application vulnerabilities throughout the Security Development Life Cycle (SDLC).

The software development lifecycle begins with analysis before moving to design, development, and testing. Next comes deployment and finally, maintenance.

AST tools

Testing requirements and guidance released by OMB, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency will make applications more resistant to security threats and identify security weaknesses and vulnerabilities. Ultimately, the goal is to create a holistic AST program of automated tools and manual testing that continuously examines applications as they are developed and continue through the SDLC. AST methodologies can be categorized into:

  • Automated AST relies on written code/test scripts and tools to test and validate an application. It can be completed in less time than manual testing and covers more test permutations; however, it does require heavy coding and maintenance.
  • Manual testing is executed by human security testers to discover complex bugs for which automated testing cannot detect or to resolve automated testing’s false positives. It requires a substantial level of expertise, effort, and time.

An AST program uses a variety of tools throughout the SDLC, many of which are described in the table below.

A table that highlights AST testing tools, their purpose, proactive or reactive scanning, low false positives, and cost. Static application security testing is used to examine source code for weaknesses. Dynamic application security testing is used to find security vulnerabilities in a running environment. Interactive application security testing analyzes code for vulnerabilities by simulating scenarios in a running environment. Mobile application security testing identifies vulnerabilities in applications used with mobile platforms during or post development. Software composition analysis identifies open-source software in codebase. Manual testing examines all essential features to find more complex and logical vulnerabilities.

Top AST threats

According to the Open Web Application Security Project (OWASP), the top three application security threats are broken access control, cryptographic failures, and injection.

A table featuring best practices and AST tool(s) to address broken access control, cryptographic failure, and inject vulnerabilities.

Third-party application security testers

Another component of a dedicated AST program is the use of independent third-party application security testers who specialize in identifying vulnerabilities internal staff may miss. These expert firms have the skills and certifications required to provide high-quality results and ensure applications hold up against real-world cyber attacks.

GSA cybersecurity resources

GSA created the AST Buyer’s Guide to help federal agencies meet AST program requirements, provide Third-Party Application Security Tester selection criteria, and address application security threats. It provides an overview of AST, key considerations when implementing an AST program, and helps identify and procure AST offerings to improve your agency’s application security posture.

To make the acquisition experience easier and more efficient, GSA also provides useful resources like an AST summary sheet, AST statement of work template, and AST informational video. These and many other resources can be found at www.gsa.gov/ast.

GSA cybersecurity support

The GSA IT category team is available to answer questions and provide subject matter expertise related to purchasing AST, cybersecurity, and a full range of IT products and services. Please contact the IT customer service center at 855-ITaid4U/855-482-4348 or itcsc@gsa.gov.

Follow ITC on LinkedIn and Twitter, and subscribe for blog updates.

GSA supports National Strategy to Secure 5G with new acquisition guidance

GSA’s Acquisition Guidance for Procuring 5G Technology supports an ongoing, multi-agency effort to document and share best practices for optimal 5G deployments.

National Strategy

As discussed in past posts, the Federal Government views 5th generation (5G) wireless technology as a future driver of the global economy. It also views the security of 5G information and communications technology and services infrastructure, and the data transmitted and stored on it, as a key national security interest. In addition to protecting data on the network, a trusted, secure supply chain is also paramount. We cannot ensure the security of 5G networks if untrusted equipment or software is allowed to control any part of them.

The National Strategy to Secure 5G is our country’s game plan to manage the risks associated with next generation wireless technologies and the new use cases they open up. GSA’s role is to establish acquisition processes and facilitate federal agency adoption of 5G infrastructure with appropriate security safeguards and adherence to national policies. The desired outcome is a resource that helps agencies identify their standards, specify security controls, and catalog other relevant requirements to provide a secure 5G infrastructure.

GSA guidance

Screenshot of the front page of the "GSA Acquisition Guidance for Procuring 5G Technology" with a white and navy background. There is a colorful technology graphic at the bottom right of the screen.
Download the PDF at buy.gsa.gov or order physical copies at cmls.gsa.gov.

The subject matter experts behind our Wireless Mobility Solutions contracts applied this directive to the early 5G use cases they were observing at various agencies. We coordinated extensively with the interagency Federal Mobility Group, and we incorporated valuable input from experts in other agencies and industry. The result is our Acquisition Guidance for Procuring 5G Technology, a plain-language white paper that charts the progression of 5G in the public sector, outlines its core standards, explores government use cases, and delves into acquisition strategies that balance flexibility with security requirements. In particular, the Guidance features:

  • Tools and strategies for contracting 5G – A model acquisition process that details how technical staff should go about defining requirements and how contracting staff should use them to structure a solicitation.
  • 5G use cases in government – A living list of 5G use cases and pilot programs applicable to the public sector;
  • Standards for 5G – A detailed accounting of the international and U.S. standards that are used to determine requirements for 5G;
  • General background – A plain language narrative describing the evolution of cellular technology, the capabilities 5G offers, its relevance to the public sector, efforts underway to secure it, and its potential to shape future telecommunications products and services.

The wheel keeps turning

A six-sided "5G Wheel" in shades of purple depicting what the GSA Acquisition Guidance for Procuring 5G Technology features: Technology, Standard, Security, Policy, Acquisition, and Use Case.
The “5G Wheel” is one model of visualizing the components that enable resilient deployments.

We’ve previously described our “5G for Government” strategy as the understanding of six core concepts: Technology, Standards, Security, Policy, Acquisition, and Use Cases. Use cases are the real-world applications that agencies are pursuing, or want to achieve. Acquisition is the nuts and bolts of getting the solution in place in the most efficient and effective way. Once you understand the technology, know the standards, consider the security aspects, and are up-to-date on governmentwide policies, then it’s time to plan and execute. If you think of this strategy as a circle or wheel, the Use Case is the end of one cycle and the beginning of another. Each rotation strengthens our collective understanding of what makes a 5G deployment secure and successful. The Acquisition Guidance for Procuring 5G Technology is GSA’s first effort to distill this collective knowledge into a usable format to help government technology managers, their contracting offices, and trusted industry partners buy, build, and use secure 5G systems. As a living document, the Guidance will be frequently reviewed to keep pace with changing technology, ensure governmentwide cybersecurity requirements are accurate, and incorporate feedback from stakeholders. Send feedback, questions, and suggestions to wireless@gsa.gov.

Follow ITC on LinkedIn and Twitter, and subscribe for blog updates.