Join us May 13th at 1:00 pm EDT for a live webinar led by GSA’s IT Acquisition experts as we explore:
Benefits in shifting from a compliance model to the cybersecurity maturity model
Adopting a supply chain risk evaluation approach in government contracting
Easy to understand acquisition planning packages (e.g., playbooks, checklists, templates)
The 3-hour session features an overview of requirements and evaluation factors used in developing the 2nd Generation Information Technology (2GIT) blanket purchase agreement; and a quick look into the GSA’s IT Solutions Navigator connecting buyers with resources, tools, and decision support for IT procurements.
This is the third session in GSA’s 2021 monthly Federal Acquisition Service Training (FAST) Conference series. Each session is worth up to 3 Continuous Learning Points. You can find the full lineup of events here.
The last months have been a whirlwind of activity for the new government-wide Information Technology Vendor Management Office (ITVMO). We not only chartered the ITVMO, but have started working with several partner agencies and IT acquisition experts from across government to identify existing resources that can assist agencies with their buying decisions. The ITVMO brings together the most critical players in the federal IT acquisition landscape to solve challenges agencies and vendors face when buying and selling IT products and solutions.
Launched in October 2020, the ITVMO is a government-wide effort to amplify the benefits of managing vendor engagement in the IT Category to make IT acquisitions faster and more cost effective. The ITVMO serves as a trusted independent advisor and advocate to help agencies buy common IT goods and services. As a one-stop shop, the ITVMO will leverage government-wide IT procurement data, conduct market research, and develop shared agency acquisition knowledge to support agencies’ buying decisions.
There are many programs and initiatives across government that are interested in improving how government buys IT. The ITVMO is unique in that it is a collaborative effort amongst partners in Category Management (CM) with the most critical IT acquisition Best in Class (BIC) contract vehicles and associated programs including:
The General Services Administration (GSA);
The National Aeronautics and Space Administration (NASA);
The National Institutes of Health (NIH);
The Department of Defense (DOD);
The White House Office of Management and Budget (OMB) Office of Federal Procurement Policy (OFPP).
Through this collaboration, the ITVMO will advance the goals of IT Category Management (CM) to improve how the government buys common IT goods and services and enable the government to act more as a single entity by sharing best practices and acquisition intelligence as well as eliminating the unnecessary duplication and redundancy that exists between federal agencies.
What’s Happening & What’s Next
One of the central drivers of CM is to mature federal IT acquisitions so that the government acts more like a single buyer rather than many independent agencies. By creating a space where some of the biggest and most impactful federal IT acquisitions programs and initiatives can collaborate and solve shared problems, establishing the ITVMO is a major step toward that goal.
The ITVMO is chartered and led by an Executive Steering Committee (ESC) comprised of several agencies including those with the largest IT BIC vehicles. The ESC determines the strategic direction and project priorities for the ITVMO to solve problems for agencies and vendors alike.
To identify shared challenges and opportunities throughout government, the ITVMO surveyed hundreds of IT and acquisition experts, including the Chief Information Officers Council (CIOC) and the Chief Acquisition Officers Council (CAOC), as well as several communities of practice. The ITVMO team also conducted listening sessions with industry groups. The data and feedback gathered from across government are driving the challenges the ITVMO seeks to address in the near future.
The ITVMO’s primary customers are the programs and offices responsible for making buying decisions at each agency, and the vendor community. On January 27th, the ITVMO hosted an Open House for agencies to provide an overview of the ITVMO’s mission and services, and to answer any questions from the community. More information about the ITVMO Open House, including a video recording of the event, is available to government employees.
Based on customer feedback, the ITVMO is working on several products and services that will be made available to agencies in the near future, including:
Continuing a Small Business Webinar Series, developed in partnership with the IT Government-wide Category and the American Council for Technology and Industry Advisory Council (ACT-IAC) Small Business Alliance, so agencies and vendors can learn how GSA’s Federal Acquisition Service Multiple Award Schedule (MAS) Program lets agencies more easily procure IT products and services from small businesses.
Vendor Profiles that provide agencies with pricing information, specific vendors’ terms and conditions, and best practices for negotiating with that vendor.
Deep Vendor Intelligence crowdsourced from IT acquisition experts from across the federal government participating in integrated project teams (IPTs).
A Technology Life Cycle Assessment to provide agencies with insights into buying emerging technology and updating existing systems and services to meet evolving needs.
A deep dive and review of current Cost Avoidance Methodologies used by IT BIC acquisitions vehicles. The ITVMO is working closely with GSA’s IT Category to provide recommendations on how to improve the accuracy and reliability of cost avoidance methodologies and the underlying contract data.
If any of the above interest you, we would love to connect with you. Please feel free to reach out to the ITVMO inbox at email@example.com.
The ITVMO recently launched the first of several IPTs made up of the federal government’s foremost experts in working and negotiating with specific IT vendors. The IPTs will produce recommendations and strategies that can be shared and leveraged throughout government.
On May 12, 2021, the ITVMO will also host an Industry Day intended for our industry and vendor partners to learn about the mission of the ITVMO and the best way to collaborate with the ITVMO and federal IT acquisition staff.
Finally, the ITVMO will soon launch our website to share the ITVMO’s latest updates and activities, post relevant templates and resources, and direct users to the relevant information to meet their IT acquisition needs.
The Numbers Are In – Biggest Year on Record for GSA ITC!
In Fiscal Year 2020, the Information Technology Category (ITC) recorded more than $30 billion in business volume across its portfolio. For context, this accounts for nearly a third (33%) of the $89 billion total that was spent on IT across all federal agencies in FY20.
Accordingly, this past fiscal year proved to be a record year in other categories as well:
IT spending through the Multiple Award Schedule (MAS) accounted for an impressive $18.1 billion of the $30 billion total, bolstered by $12.7 billion in new obligations. In FY20, MAS IT posted 18% annual growth in new obligations.
On the small business front, ITC accounted for $7.1 billion in utilization from Government-wide Acquisition Contracts (GWACs), Schedules, and Telecommunications.
ITC’s telecommunications branch issued a single award worth $2.5 billion under the Enterprise Infrastructure Solutions (EIS) contract. The award was made on behalf of the Department of Health and Human Services, which estimates it will save more than $700 million over the lifetime of the contract.
ITC accounted for more than $2 billion in savings and cost avoidance for its customers.
FY20 Efforts in Review
The 2020 Fiscal Year drove change through every part of our lives. COVID-19 spurred dramatic change in government work culture and led to rapid technological adaptation across all agencies. A good deal of ITC’s increased business volume can be attributed to agencies transitioning to mobile-friendly technology. However, this unprecedented spending is also due to agencies acknowledging that GSA is a solid partner as they make big IT changes and choices about how to invest. We’re out front and focused when it comes to customer service, agile response to emergency needs, and delivery of mission-enabling and emerging technologies.
In 2020, customer agencies turned to GSA’s schedules program, assisted acquisition services and governmentwide acquisition contracts (GWAC) to fulfill pandemic-driven requirements as well as regular demand for products and services. Our success embodies the trust that federal agencies have put in us and our ability to address elements that our customers most care about:
Speed of acquisition
Assistance with mobile-friendly technology adoption
Technical and market expertise
General customer service
Agencies have turned to and relied on us to ensure their mission continuity and transition to a more untethered workforce.
In FY20, ITC launched the Information Technology Acquisition University (ITAU) to make it easier to learn about GSA’s products, IT solutions available through GWACs, MAS, and more. ITAU is a digital training platform for emerging technologies, their acquisition, GSA-specific contract training and more.
Additionally, ITC enhanced the Cloud Information Center, the GSA-curated federal resource hub for all things cloud, continuing to place valuable cloud computing resources in the hands of agencies.
These resources are ways that GSA is meeting the rise in demand for virtual access to our subject matter experts and more online learning platforms.
In FY21, GSA is doubling down on emerging technologies as the way of the future. The 8(a) STARS III and Polaris government-wide acquisition vehicles will have Artificial Intelligence offerings (Machine Learning, Robotic Process Automation, Natural Language Processing), edge computing and more. As the Cybersecurity Maturity Model Certification (CMMC) effort ramps up and Supply Chain Risk Management (SCRM) principles are emphasized, GSA will continue to prioritize security as a core tenet of acquisitions.
As my Deputy Assistant Commissioner Keith Nakasone likes to remind me, agencies are coming to GSA to leverage our IT expertise and the buying power of the government. They want to know that the products they’re adding to their IT footprint aren’t jeopardizing their networks. To that end, the CMMC level can be designated as needed at the task order requirement level. Large contracts such as the 2nd Generation Information Technology (2GIT) hardware/software Blanket Purchase Agreements, have SCRM built in as a key operational component. Ultimately, GSA understands it plays a crucial role and has a considerable responsibility for an agency’s IT health.
Going into FY22, ITC will continue to provide the tools needed to successfully modernize while prioritizing cost-efficiency, expediency, and security. Leveraging Best In Class (BIC) contracts is one way. Taking advantage of online resources like ITAU and the CIC is another. Give your agency a reason to acquire with confidence — work with GSA for your next IT acquisition.
As always, follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT. To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.
Continuous monitoring of IT systems is an evolving process. It adapts as new technologies and capabilities become available and as organizations face advanced and persistent threats. However, the core strategies of continuous monitoring lay the foundation for safe and secure federal IT systems.
Continuous monitoring helps agencies identify, resolve, and understand key risks to their information systems. The Risk Management Framework (RMF) process consists of several steps that include preparing a system for authorization, authorizing the system, and continuously monitoring the system until the next authorization process begins. The monitoring step is essential for agencies that want to minimize risks to their information systems.
As mentioned in previous posts, the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) solution is available for agencies in need of cybersecurity services, including RMF. GSA’s HACS solution connects agencies with vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors to assist with continuous monitoring strategies and Security Operations Centers (SOCs) activities.
After agencies obtain Authorization to Operate (ATO), they move into the continuous monitoring step of the RMF process. Though continuous monitoring strategies can vary by agency, usual tasks include near real-time risk management and ongoing authorization based on the system environment of operation. This step’s dynamic processes determine if a system’s security controls continue to be effective over time.
RMF services are available through GSA’s HACS SIN. A Statement of Work (SOW) for the RMF process can be found on the HACS website and includes example language for procuring services for the Monitor Step. The SOW outlines several subtasks that make up the continuous monitoring phase of RMF.
Roles and Responsibilities within the Continuous Monitoring Strategy
As part of the continuous monitoring process, the agency will oversee information system and environment changes. This process involves determining the security impact of proposed or actual changes to the information system and its environment of operation.
The Chief Information Security Officer (CISO) performs ongoing risk determination and acceptance as part of continuous monitoring. This task consists of reviewing the reported security status of the information system (including the effectiveness of security controls employed within, and inherited by, the system) on an ongoing basis to determine whether the risk to the agency’s system remains acceptable. If the risk is not acceptable, remediation takes place. The CISO role is inherently governmental; however, contractors can provide subject matter expertise and recommendations to inform risk determinations.
The Information Owner (IO) and Information System Security Officer (ISSO) take part in ongoing remediation actions throughout the continuous monitoring process. Along with the Information System Owner (ISO) and the Common Control Provider (CCP), these personnel conduct remediation actions based on the results of ongoing monitoring activities, the assessment of risk, and outstanding items in the Plan of Action and Milestones (POA&M).
For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to monitor its systems, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).
Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.
On December 31, 2020, GSA released the Draft Request For Proposal (RFP) for comment for our next generation small business GWAC, Polaris. With the creation of Polaris, GSA will build on the success of the now-expired Alliant Small Business GWAC by providing additional opportunities for small businesses, including but not limited to, HUBZone and woman-owned small business (WOSB) firms. We couldn’t be more proud of our team for putting this together, and we’re looking forward to your feedback.
WOSBs are Key Contributors
As we indicated in the draft RFP, GSA is considering socioeconomic pools to include WOSBs to maximize competition within the Information Technology Category. It’s very important to GSA that WOSBs are included in our contracts as they are key contributors to the government marketplace. It’s vital that the government have access to a robust pool of SBA certified WOSBs to ensure access to as broad of an industrial base as possible.
GSA is encouraging WOSBs to respond to the draft RFP to help ensure the following:
there is a sufficient pool of SBA-certified WOSBs;
the annual federal goal of awarding 5 percent of all federal contract dollars to WOSBs is met;
competition in the IT emerging technologies and innovations space increases.
You’re a WOSB, Why Get Involved?
In FY20, the federal government invested more than $87 billion in IT, with approximately $47 billion allocated to IT services. Federal agencies awarded $15.6 billion in IT services to small businesses, with more than $5 billion awarded through IT Category contracts. Every day, small businesses are making a huge impact in helping agencies achieve their missions.
SBA WOSB Certification
As of July 15, 2020, the U.S. Small Business Administration (SBA) implemented the changes Congress made to the WOSB Federal Contracting Program in the 2015 National Defense Authorization Act (NDAA).
We’re encouraging WOSBs to work with the SBA, which implements and administers the WOSB Federal Contracting Program, in order to understand and navigate the certification process to ensure the right certifications are in place.
Before firms can compete for WOSB Federal Contracting Program set-aside contracts (including Polaris), they must apply for certification through the new process on beta.certify.sba.gov.
For more information about the new application process, please review the following fact sheet.
Additionally, the beta.Certify Knowledge Base is a valuable resource for firms getting started with the new platform, with how-to videos and user guides.
WOSBs, Helping Light the Way
We couldn’t be more excited about the future of our small business GWAC program and Polaris is going to help light the way. To be truly successful, we need your help in getting WOSBs certified.
As we celebrate Veterans Day, we want to take a moment to appreciate all of the men and women who contribute to this great nation through their service in our military. America’s veterans are one of our most valued resources. Veterans bring a unique skill set, knowledge, and experience to everything they do; and GSA has been able to tap into their valuable expertise through our Service-Disabled Veteran-Owned Small Business (SDVOSB) contract for IT Services, VETS 2.
GSA’s VETS 2 Governmentwide Acquisition Contract is available to all federal customers. Agencies purchasing IT services through the VETS 2 contract demonstrate how prevalent veterans are in supporting mission-critical IT services needs across the federal landscape. One of the important core capabilities of VETS 2 is cybersecurity. The SDVOSB firms on the contract have done the work, and 77 percent of the firms have extensive experience in cybersecurity. More than 60 of the VETS 2 industry partners hold a secret or top-secret facility clearance. These companies are well established in the IT industry, and the background they bring from their military experience has been key to their success.
The IRS, Treasury, DHS, DoD, Army, and Air Force have all tapped into the expertise of our VETS 2 Industry Partners. They have placed task orders on the contract for IT Security and Cybersecurity requirements. Since the inception of the VETS 2 contract in February of 2018, there have been 21 task orders specifically to support IT Security needs within the government. This shows that veterans can provide the specialized knowledge, skills, and abilities that are needed today.
The single largest task order that has been issued on the VETS 2 contract was completed by GSA’s Federal Systems Integration and Management Center (FEDSIM) on behalf of the United States Army Pacific (USARPAC). This task order will help USARPAC in providing a quality-focused process and capability that enables effective sustainment and modernization of critical Command, Control, Communications, Computers (C4), and IT systems. These services include site surveys, engineering, design, procurement, logistics, implementation, operations and maintenance, knowledge management, cybersecurity, and training of new and existing C4 IT systems. This is an excellent example of the broad capabilities available through VETS 2.
2020 has been hugely successful for the VETS 2 contract, with 97 task orders worth more than $1 billion. This contract is only in its third year and is already surpassing expectations. There are 69 industry partners on the contract with a variety of specialized IT services core capabilities. VETS 2 is also a Best-in-Class contract as designated by the Office of Management and Budget. Federal customers using VETS 2 will receive socioeconomic credit toward small business goals as well as credit toward their Spend Under Management goals.
On Veterans Day each year, we reflect on the hard, mission-enabling work our veterans continue to deliver for our government every day, and I couldn’t be more proud of our VETS 2 team and industry partners.
For more information about the industry partners on the contract, check out our VETS 2 website.
Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.
To close out National Cybersecurity Awareness Month, here are some steps federal agencies can take to protect their IT systems from cyber attacks and cybersecurity vulnerabilities using the Authorization to Operate (ATO) process.
An ATO demonstrates that a federal agency has gone through a federally approved, detailed process to protect an IT system from incidents such as cyberattacks, security breaches, malware, and phishing attempts. Many federal IT systems are required to obtain an ATO to process government data and federal regulations recommend that agencies follow the Risk Management Framework (RMF) to become authorized.
GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides solutions for all of an agency’s cybersecurity service needs, including RMF. The HACS SIN connects agencies with vendors who have passed oral technical evaluations for cybersecurity services performed within the RMF, and who are ready to assist agencies with the RMF process for a successful authorization.
All of the steps, tasks, and activities that precede the “Authorize” step of the RMF help to prepare the information system for the authorizing official’s appraisal. The authorizing official is not a contractor, but a federal employee of whichever agency is seeking ATO.
The HACS SIN connects federal agencies with contractors who can help in each stage of the RMF. Contractors can assist agencies in producing the deliverables associated with each RMF step listed in the chart below.
Once an agency has successfully completed the first four steps of the RMF (“Categorize” through “Assess”), an authorizing official will evaluate the system. The authorizing official for the federal agency in question evaluates residual risks identified during the security control assessment, and makes the decision to authorize the system to operate, deny its operation, or ask the agency to address any issues.
When granting an ATO, authorizing officials look for the following checklist of items:
Plan of Action and Milestones (POA&M)
Final Risk Determination and Risk Acceptance
The POA&M is one of the most important deliverables produced in the RMF process. It reflects organizational priorities for addressing any remaining weaknesses and deficiencies in an information system and its environment of operation. The Authorization Package includes all key documents including the security plan, security assessment report, and the POA&M.
Following the RMF steps helps your agency to achieve ATO, but the work does not end after an ATO is issued. Agencies must also continuously monitor their systems to ensure that security controls remain effective over time.
In addition, many federal agencies must reauthorize their information systems every three years by going through the RMF process again. This is where the final step of the RMF, “Monitor Controls,” is important. As part of continuous monitoring, a sample of the applicable security controls is tested annually, periodic vulnerability scanning is performed, and a security impact analysis is performed for each change. If an agency continuously monitors its systems over those three years, documenting specific technical changes, environment changes, or changes to the organizational risk management strategy, renewing the ATO can be easier because security risks are mitigated at the time they occur.
If you’ve scrolled through social media or watched live TV lately, you’ve likely seen an ad for 5G. If you find yourself wondering why there is so much conversation about 5G –you are not alone. Is it worth all of this attention?
We think so. 5G is set to revolutionize the world’s telecommunications infrastructure, paving the way for even greater use of autonomous devices and expanding the number of interconnected devices in the Internet of Things (IoT).
In October 2019, GSA held its first public event about 5G, where government and industry experts gave us a compelling look at the rollout of next generation networks, discussed how they’ll support IoT applications, and outlined the steps necessary to secure this new hyperconnected future.
Going forward, we’ll be sharing a series of posts outlining how we expect 5G will drive change across government, and what agencies should do to prepare. 5G means different things to different people, so our “5G for Government” strategy is best visualized as a wheel composed of six core concepts:
This post will look at the evolution of the technology enabling 5G, and more importantly, the types of devices, applications, and services that will soon depend on it.
New Tech, Same Trends
The first cellular telephones hit the market in the mid-1970s and offered wireless voice calling over an analog network. In the early 90s, this first generation cellular technology, using analog telecommunications standards, transitioned to a 2G digital network, allowing both voice and data to travel wirelessly between devices.
3G and 4G gave us mobile internet and streaming video, respectively, leading to the rise of the smartphone and entirely new industries, such as mobile application development and cross-platform analytics.
Remember when you couldn’t open an email attachment on your phone or send a photo—let alone a video—over a wireless network? When did that change?
Most people could not tell you which network generation enabled what feature, only that devices became faster, applications more data dependent, and new services arose as capabilities increased.
The same will be true for 5G, but due to its engineered flexibility and vast capacity for high-speed data transfer, the changes will come sooner and reach far beyond communications.
Why 5G Is Different
Since 5G is still new to the market, what we can say about its current technology is limited. Indeed, many experts will tell you that 5G was designed to support applications and services that are still largely confined to a laboratory setting. For now, when we look at the technology, we can only compare it to what’s currently on the market, but when we do, it becomes apparent that we’re just seeing the tip of the iceberg.
Take the smartphone, for instance. Right now, a phone on a 4G network downloads data at approximately 12-36 megabits per second (Mbps). A 5G-enabled phone clocks in at 50 Mbps at minimum. Phones on the fastest commercial networks can reach 1,000 Mbps (1 gigabit per second), and peak speeds are expected to exceed 10 Gbps as the technology matures.
How does it reach these speeds? 5G transmitters use higher-frequency radio waves, some in or near the millimeter-wave band of the electromagnetic spectrum. Bandwidth is much more plentiful there, which greatly increases the capacity and speed of data transfer. Instead of a single cellular antenna, a 5G phone contains multiple antennas, allowing it to send and receive this data over multiple streams in parallel. You could liken it to filling a glass of water from the bottom up and the top down at the same time.
Smaller, More Flexible Networks
Like their predecessors, 5G networks are digital cellular networks, in which the service area covered by providers is divided into a mosaic of small geographical areas called cells. While conventional cell phone towers are hundreds of feet tall, millimeter wave antennas are only a few inches long. Though an individual antenna may only cover a small area, multiple antennas can work together as phased arrays to beam data straight to the user. This technique, known as beamforming, is one of many ways that 5G networks can be optimized to improve performance while it serves huge numbers of devices.
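The beamforming described above, as an added illustration that is not from GSA’s post or any vendor’s code: a small Python model of a uniform linear phased array. It assumes isotropic elements at half-wavelength spacing and free-space propagation (assumptions of the model, not statements from the page), and shows the per-element phase progression that steers the main lobe and how the lobe narrows as elements are added, which is why a cluster of small millimeter-wave antennas can direct energy at one user rather than flooding the whole cell.

```python
"""Phased-array beamforming: a uniform linear array steers its main lobe by
applying a linear phase progression across its elements.  Constructed
illustration, not GSA code; assumes isotropic elements and free-space
propagation, with all distances expressed in wavelengths."""
import cmath
import math


def steering_phases(n_elements, spacing_wavelengths, steer_deg):
    """Phase shift (radians) applied to each element so that the contributions
    add in phase toward steer_deg.  Element n sits n * spacing from the first
    element; the shift cancels the path-length difference in that direction."""
    k = 2 * math.pi  # wavenumber, since distances are already in wavelengths
    sin_s = math.sin(math.radians(steer_deg))
    return [-k * spacing_wavelengths * n * sin_s for n in range(n_elements)]


def array_factor(n_elements, spacing_wavelengths, steer_deg, theta_deg):
    """Normalized magnitude (0..1) of the combined signal in direction theta_deg
    when the array is steered to steer_deg.  1.0 means every element adds
    coherently; the power gain there is n_elements squared relative to a
    single element driven at the same level."""
    phases = steering_phases(n_elements, spacing_wavelengths, steer_deg)
    sin_t = math.sin(math.radians(theta_deg))
    total = 0j
    for n, phase in enumerate(phases):
        geometric = 2 * math.pi * spacing_wavelengths * n * sin_t
        total += cmath.exp(1j * (geometric + phase))
    return abs(total) / n_elements


def main_lobe_width_deg(n_elements, spacing_wavelengths, steer_deg, step=0.1):
    """Approximate -3 dB beamwidth (degrees), found by walking outward from the
    steering angle until the array factor drops below 1/sqrt(2)."""
    threshold = 1 / math.sqrt(2)

    def inside(theta):
        return array_factor(n_elements, spacing_wavelengths, steer_deg, theta) >= threshold

    lo = hi = steer_deg
    while lo - step >= -90 and inside(lo - step):
        lo -= step
    while hi + step <= 90 and inside(hi + step):
        hi += step
    return hi - lo


if __name__ == "__main__":
    # Half-wavelength spacing avoids grating lobes (extra copies of the main lobe).
    spacing = 0.5
    for n in (4, 8, 16):
        width = main_lobe_width_deg(n, spacing, 30.0)
        off_axis = array_factor(n, spacing, 30.0, -30.0)
        print(f"{n:2d} elements: -3 dB beamwidth {width:5.1f} deg, "
              f"level 60 deg off-axis {off_axis:.3f}")
```

Running the script prints the beamwidth for 4, 8 and 16 elements steered to 30 degrees; doubling the element count roughly halves the lobe width, and the level 60 degrees away from the steered direction falls to a null for these particular parameters. The model ignores element patterns, mutual coupling and multipath, all of which a real base station has to handle, but the steering mechanism is the same.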
Open To Innovation
Small but mighty, 5G networks could be used to provide general home and office internet connections. A technique called network slicing could be used to segment a larger 5G network into highly customizable “slices,” managed and operated independent of the infrastructure owner, tailored to unique business needs. When used in conjunction with software-defined wide area networking (SD-WAN), 5G could replace outdated cable connections in government offices, campuses, and military bases.
Edge computing is another exciting concept made practical by 5G. This technique involves creating a cloud-based IT service environment at the edge of the cell, leveraging its unique properties and raw power to move computational workloads physically closer to the user. Theoretically, sophisticated edge computing could eliminate the need for physical hard drives and bulky device components, as the actual computing would occur in the cloud and beam compiled data directly to a screen or user interface. Battery sizes would shrink, ushering in new opportunities for wearable and drone technology.
Hypercharged wireless internet and robust cloud computing are just the start. The high data rate and low latency of 5G are envisioned as opening up many new applications in the near future. The use of data-heavy virtual and augmented reality applications in healthcare and research is one promising example. Another is 5G’s facilitation of fast machine-to-machine interactions in the coming Internet of Things. For example, computers in vehicles would use 5G to continuously communicate with each other, with sensors on the road, and with real-time, artificial-intelligence-generated directions. This is the kind of “smart grid” cities will have to deploy to support self-driving cars. Over time, communication capabilities and computing power will combine and extend across networks and devices, and information and computing power will be instantaneously available. This will encourage a wave of innovation in applications, services, and functions built to run on the new infrastructure.
Lightning speed, expanded capacity, and massive connectivity are the defining characteristics of current 5G networks and enabled devices. These conditions are ideal for emerging technologies to take root.
More than that, 5G is widely expected to be a defining stage in the global evolution of IT in general, affecting almost all parts of industry and society. In subsequent posts, we’ll take a look at the standards on which it will all be built and explore the security considerations around its deployment.
Until then, please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.
The unprecedented and extraordinary efforts by businesses and Federal agencies to keep employees and customers safe during the COVID-19 pandemic have also inadvertently opened the door to cyberattacks.
Large-scale transitions to work-from-home technologies, heightened activity on many public-facing networks, and greater use of online services have presented new openings for cyber attackers to exploit. As people around the world shelter in place, they turn to online platforms to chat with friends, shop, work, and go to school. That transition to virtual life puts a large strain on cybersecurity controls.
Federal agencies face new daily challenges in assuring the security of networks. In the midst of the current global pandemic that imperative is even greater — they must protect their institutions while ensuring that daily tasks go on uninterrupted. The Office of Management and Budget (OMB) recommends that agencies “make risk-based decisions as appropriate to meet mission needs” during the COVID-19 pandemic.
It is important now for agency leaders to focus on supporting technologies and capabilities that are absolutely essential to their organizations’ operations. Priority actions — and relevant technologies — may include testing already existing security plans, continuously monitoring security systems, and maintaining access security. GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides Federal agencies with rapid access to cybersecurity vendors who can assist with the following priority actions and more.
Having incident response plans in place, and testing them, helps any agency. If an agency already has incident response, disaster recovery, or continuity plans, it should test those plans and assess any risks as soon as possible. GSA’s HACS SIN provides rapid access to vendors evaluated for incident response services.
Chief Information Security Officers (CISOs) should continue to monitor their systems closely in order to identify cybersecurity events and incidents as soon as they appear. Focus areas include monitoring networks for new strains of malware, monitoring file-sharing and collaboration tools such as Google Drive or Dropbox, and monitoring personnel activity. CISOs can also monitor their systems by using intrusion detection systems or their preferred live network monitoring software. The HACS SIN is an efficient way to access these capabilities.
Access management in a remote work environment is another essential focus area during the COVID-19 pandemic. Though cybersecurity is essential, so is the physical safety of the American people. Agencies are encouraging teleworking whenever possible to adhere to the Government’s social distancing guidelines, and cybersecurity experts are needed to help make telework safe and secure for employees.
With many — if not all — of an agency’s employees working from home, click-through rates for phishing emails may increase when employees no longer work closely enough with coworkers to ask them in person about suspicious activity. Remote work can also require agencies to enable offsite access to critical and/or confidential information, which can increase the risk of a cyberattack. Employees can mitigate this risk by adhering to their agency’s access control policy and by using the required protections, such as two-factor authentication (2FA) and a VPN, when accessing Government networks containing sensitive information.
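As an added example (not from the original post), the following script shows the kind of check a CISO’s monitoring could run over authentication logs to enforce the access policy described above. It assumes a VPN address pool, a set of resources tagged as sensitive, and a constructed sample log; all of these are illustrative and would come from the agency’s own VPN configuration and asset inventory in practice. It flags any access to a sensitive resource that is either off the VPN or lacks two-factor authentication.

```python
"""Added example: access-policy check over constructed remote-access events.

Assumed rule: access to a resource tagged sensitive must arrive from the agency
VPN pool AND from a session that completed two-factor authentication.
"""
import ipaddress
import json

# Assumed VPN address pool (constructed for the example).
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")

# Resources tagged sensitive under the assumed access control policy.
SENSITIVE = {"hr-records", "case-files"}

# Constructed authentication/access log, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2020-04-06T13:02:11Z","user":"jdoe","src":"10.8.12.4","mfa":true,"resource":"hr-records"}
{"ts":"2020-04-06T13:05:40Z","user":"asmith","src":"203.0.113.77","mfa":true,"resource":"hr-records"}
{"ts":"2020-04-06T13:07:02Z","user":"bwong","src":"10.8.3.9","mfa":false,"resource":"case-files"}
{"ts":"2020-04-06T13:09:55Z","user":"bwong","src":"10.8.3.9","mfa":false,"resource":"public-site"}
{"ts":"2020-04-06T13:11:13Z","user":"jdoe","src":"198.51.100.5","mfa":false,"resource":"case-files"}
""".strip()


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(event):
    """Return the policy violations for one event (empty list if compliant).

    Non-sensitive resources are out of scope for the rule, so they never violate it.
    A missing "mfa" field is treated as no 2FA (fail closed).
    """
    if event["resource"] not in SENSITIVE:
        return []
    problems = []
    if ipaddress.ip_address(event["src"]) not in VPN_POOL:
        problems.append("off-VPN")
    if not event.get("mfa", False):
        problems.append("no-2FA")
    return problems


def find_violations(text):
    """Return (timestamp, user, resource, problems) for every non-compliant event."""
    violations = []
    for ev in parse_events(text):
        problems = check_event(ev)
        if problems:
            violations.append((ev["ts"], ev["user"], ev["resource"], problems))
    return violations


def repeat_offenders(violations):
    """Users with more than one violation, the ones worth a follow-up call."""
    counts = {}
    for _, user, _, _ in violations:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n > 1)


if __name__ == "__main__":
    found = find_violations(SAMPLE_LOG)
    for ts, user, resource, problems in found:
        print(f"{ts} {user} -> {resource}: {', '.join(problems)}")
    print("repeat offenders:", repeat_offenders(found))
```

On the constructed log this reports three violations: one sensitive access from outside the VPN pool, one over the VPN but without 2FA, and one that fails both checks. The access to the public site without 2FA is not reported because the assumed policy only covers sensitive resources.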
The COVID-19 pandemic is first and foremost a human challenge, with heads of agencies and employees all juggling professional duties with personal and family responsibilities. The risk of cyberattacks will be elevated, but by focusing now on cyber activities — testing response plans, monitoring security systems, and maintaining access security — agencies can successfully maintain their security.
GSA is here to help connect Federal agencies with vendors that provide necessary cybersecurity services during this time through the HACS SIN solution. For more information, visit the HACS Homepage. To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.
As cyberattacks increase in size and frequency, it is important for every agency to protect its network from incidents that can jeopardize the confidentiality, integrity, or availability of an information system. The Office of Management and Budget and the Department of Homeland Security determined that 74 percent of federal agencies participating in their 2018 assessment had cybersecurity programs that were either at risk or high risk.
While an agency can take proactive measures to prevent cyberattacks, an incident may still occur. When a cyberattack or other damaging incident occurs in an agency’s network, reactive measures such as incident response must be taken to preserve the integrity of the information system.
Incident response is the methodology an organization uses to respond to and manage a cyberattack. A data breach or cyberattack can wreak havoc and potentially affect employee security, intellectual property, and agency time and resources. Incident response protocol aims to reduce this damage and recover as quickly as possible.
Incident response protects organizations against four common types of incidents:
GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) offers incident response services to help organizations with compromised systems. These services help to determine the extent of the incident, remove the adversary from systems, and restore networks to a more secure state.
HACS incident response services can also be used to proactively plan for future attacks. Preparing and maintaining an incident response plan helps agencies handle cybersecurity events, minimizes the impact of potential threats, and strengthens an agency’s defenses against future incidents.
Below is an example of an incident response plan, following the four phases of NIST SP 800-61:
Preparation: Create an asset list and system baseline.
Detection and Analysis: Analyze events to determine whether they constitute an incident.
Containment, Eradication, and Recovery: Prevent further damage from the incident, and determine its cause so that the system can be returned to the previously known good state. Restore the compromised system to operational status.
Post-Incident Activity: Provide a final report of the incident that evaluates current procedures for efficacy and whether those procedures were followed properly.
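As an added example (not the page’s own tooling or a HACS vendor’s), the script below carries one host through all four phases of the plan above: a baseline captured during Preparation, a later snapshot compared against it for Detection and Analysis, a Containment/Eradication/Recovery step that removes what the baseline does not know and restores what it does, and a Post-Incident report. The host name, file contents, listening services, and the severity rule are constructed for illustration; an agency would replace them with its own asset inventory.

```python
"""Added example: a minimal baseline-and-diff run through the four plan phases."""
import copy
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Preparation: asset list and known-good baseline, recorded before any incident.
# Constructed for the example.
BASELINE = {
    "host": "app-server-01",
    "services": {"22/tcp": "sshd", "443/tcp": "nginx"},
    "files": {
        "/etc/passwd": sha256(b"root:x:0:0:root:/root:/bin/bash\n"),
        "/usr/sbin/sshd": sha256(b"sshd-build-1"),
    },
    "admins": {"alice", "bob"},
}

# A later snapshot of the same host, constructed to contain three deviations:
# a new listener, a modified /etc/passwd, and a new administrative account.
SNAPSHOT = {
    "host": "app-server-01",
    "services": {"22/tcp": "sshd", "443/tcp": "nginx", "4444/tcp": "nc"},
    "files": {
        "/etc/passwd": sha256(b"root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n"),
        "/usr/sbin/sshd": sha256(b"sshd-build-1"),
    },
    "admins": {"alice", "bob", "svc"},
}


@dataclass(frozen=True)
class Event:
    kind: str      # new_listener | file_changed | new_admin
    detail: str
    severity: str  # "high" or "low"


def detect(baseline, snapshot):
    """Detection: every deviation from the baseline becomes an event."""
    events = []
    for port, proc in sorted(snapshot["services"].items()):
        if port not in baseline["services"]:
            events.append(Event("new_listener", f"{proc} on {port}", "high"))
    for path, digest in sorted(snapshot["files"].items()):
        if baseline["files"].get(path) != digest:   # changed, or not in baseline at all
            events.append(Event("file_changed", path, "high"))
    for user in sorted(snapshot["admins"] - baseline["admins"]):
        events.append(Event("new_admin", user, "high"))
    return events


def is_incident(events):
    """Analysis: assumed rule, one high-severity event or any two events is an incident."""
    return any(e.severity == "high" for e in events) or len(events) >= 2


def contain_and_recover(baseline, snapshot, events):
    """Containment/eradication/recovery: drop what the baseline does not know,
    restore what it does. Returns the recovered state and the actions taken."""
    state = copy.deepcopy(snapshot)
    actions = []
    for e in events:
        if e.kind == "new_listener":
            port = e.detail.split(" on ")[1]
            del state["services"][port]
            actions.append(f"killed listener {e.detail}; blocked {port} at host firewall")
        elif e.kind == "file_changed":
            if e.detail in baseline["files"]:
                state["files"][e.detail] = baseline["files"][e.detail]
                actions.append(f"restored {e.detail} from baseline")
            else:
                del state["files"][e.detail]
                actions.append(f"removed unknown file {e.detail}")
        elif e.kind == "new_admin":
            state["admins"].discard(e.detail)
            actions.append(f"disabled account {e.detail}")
    return state, actions


def post_incident_report(baseline, events, actions, recovered):
    """Post-Incident Activity: final report answering what a reviewer asks first."""
    return {
        "host": baseline["host"],
        "incident": is_incident(events),
        "events": [f"{e.kind}: {e.detail}" for e in events],
        "actions": actions,
        "restored_to_baseline": recovered == baseline,
    }


def run_plan(baseline=BASELINE, snapshot=SNAPSHOT):
    events = detect(baseline, snapshot)
    if is_incident(events):
        recovered, actions = contain_and_recover(baseline, snapshot, events)
    else:
        recovered, actions = snapshot, []
    return post_incident_report(baseline, events, actions, recovered)


if __name__ == "__main__":
    import json
    print(json.dumps(run_plan(), indent=2))
```

The report’s restored_to_baseline field is the check the final phase exists for: if the recovered state does not match the baseline, either the baseline was incomplete (a Preparation gap) or a containment step was skipped (a procedure not followed), and the report should say which.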
Another benefit of the HACS SIN is that the vendors included under the incident response subcategory have passed a technical evaluation and can provide individualized incident response plans. If an agency already has an incident response plan, vendors can evaluate the plan and provide services that adapt to that individualized plan. Vendors use qualified resources to minimize the impact of cyberattacks and avoid future incidents. Incident response services can also augment agency resources during a large-scale incident.
For more information on incident response and how GSA’s HACS SIN can provide your agency with incident response services, please visit the HACS Homepage.
To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.