C-SCRM Acquisition Community of Practice (ACoP) Interact Site

Posted by Laura Stanton
on June 30, 2022
Cyber-Supply Chain Risk Management (C-SCRM) Whole of Government logo.

Since the launch of the C-SCRM Acquisition Community of Practice (ACoP), GSA and CISA have been co-leading an effort to broaden the level of awareness and develop agency maturity in the areas of acquisitions, supply chain risk management, and cybersecurity across the Federal Government for information communication technology and services (ICTS).

Many federal departments and agencies have limited C-SCRM capabilities, resources, governance, guidance, and training; especially in the acquisition of ICTS. We need governmentwide collaboration with industry and the sharing of ideas, tools, guidance, and best practices for C-SCRM as part of the acquisition of ICTS.

Many don’t see the acquisition workforce as a key component of agencies’ cybersecurity teams. But federal procurement professionals have unique opportunities, through contracting, to ensure the safety and security of the federal government’s ICTS, help strengthen cybersecurity across networks, and prevent incidents like Solarwinds from occurring.

To increase C-SCRM awareness and adoption government-wide, the C-SCRM ACoP launched an online collaborative space for the federal government’s IT community and industry to share best practices, ideas, guidance, tools, and expertise needed to implement C-SCRM requirements. Working together as a community and sharing information will help us improve our cybersecurity posture across all levels of government.

The C-SCRM ACoP has hosted key events such as the C-SCRM Shark Tank event in collaboration with the American Council for Technology – Industry Advisory Council (ACT-IAC) where industry experts showcased innovative C-SCRM solutions to a government panel. The C-SCRM ACoP also plans to conduct a survey of industry to identify C-SCRM challenges and suggest best practices from industry’s perspective.

Additionally, the C-SCRM ACoP hosts monthly sessions open to federal employees and agency support staff. These sessions and events, held in collaboration with CISA, offer opportunities for knowledge sharing and cross collaboration focusing on supply chain risk awareness and advancements in cyber-acquisitions. Subject matter experts are ‘on hand’ not only providing information related to cybersecurity and acquisition integrity, but also best practices and lessons learned. 

Joining the C-SCRM ACoP helps:

  • Enhance the Federal Government’s cross-agency collaboration
  • Identify agencies’ strengths and capabilities in leading strategic C-SCRM objectives
  • Rapidly disseminate best business practices & outcomes
  • Learn from other agencies

To join the C-SCRM ACoP, email us at C-SCRM_ACoP@gsa.gov.

Visit the C-SCRM ACoP’s Interact site to be part of this collaborative journey. Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

Continue Reading...

Marking the One-Year Anniversary of Executive Order 14028 “Improving the Nation’s Cybersecurity”

Posted by Laura Stanton
on June 6, 2022

May 2022 marked one year since President Biden signed Executive Order (EO) 14028 – “Improving the Nation’s Cybersecurity.” It directs sweeping changes to cybersecurity requirements and calls on federal agencies to address key issues critical to building a more resilient cybersecurity posture. The EO also requires federal agencies to take steps to implement a Zero Trust Architecture (ZTA) model to modernize and strengthen cybersecurity standards and detection.

Since May 12, 2021, the Office of Management and Budget (OMB) issued additional guidance to support the mission of “Improving the Nation’s Cybersecurity.”

Timeline of Key Policy and Guidance Associated with the EO beginning on May 12, 2021 when the EO was signed through January 26, 2022.
Figure 1: Timeline of Key Policy and Guidance Associated with the EO

The associated OMB memos outline the steps required for agencies to better protect federal information systems, making them more secure and resilient. The requirements include implementation of:

  • Strict security controls on critical software,
  • Mature event detection and analysis capabilities, and
  • Endpoint data collection within networks to detect and hunt cyber threats.

Federal agencies also have new ways to obtain funding for the cybersecurity products and services needed to implement the EO’s requirements. Bolstering cybersecurity defenses is one of the Technology Modernization Fund (TMF)’s focus areas, and it’s funded three projects to support ZTA implementation. The President’s FY23 Budget request includes increased funding for federal agencies as they implement the EO’s priorities and a ZTA strategy. The request is the largest such increase in over 12 years.

Resources to help meet the EO requirements

There is no single technology, product, or service that can achieve the goals of implementing ZTA. Each agency’s journey and solution will be unique, and GSA’s Federal Acquisition Service (FAS) is here to help.

The FAS Office of IT Category (ITC) has resources to help agencies, vendors, and acquisition professionals continue to work towards a mature ZTA and meet the Administration’s requirements.

Over the past year, GSA’s ITC has:

  • Participated in governmentwide working groups on Cybersecurity Supply Chain Risk Management (C-SCRM) and ZTA. To ensure GSA’s offerings are capable of delivering the products and services that support implementation of the EO’s requirements, subject matter experts (SMEs) participated in working groups led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST).
  • Educated the acquisition workforce on EO 14028. GSA SMEs conducted multiple trainings and speaking engagements for IT and acquisition professionals on ZTA, C-SCRM, and the EO requirements. If your agency would like to schedule a session with GSA SMEs, reach out to the GSA National Account Manager dedicated to your agency.
  • Incorporated C-SCRM practices into GSA contract vehicles. To assist agencies with EO requirements to mitigate cyber risks in the Government’s IT supply chain, GSA continues to pursue efforts to ensure alignment with EO guidance.
  • Developed informational webpages and Buyer’s Guides to aid agencies navigating the EO requirements.

Other ways GSA can help

Whether your agency is small or large, GSA has solutions that can be tailored to your cybersecurity needs. In addition to the Buyer’s Guides, GSA offers multiple online tools to assist in planning a cybersecurity acquisition. 

  • IT Security Acquisition Planning Package (APP) provides common resources agencies can use to plan a cybersecurity acquisition, including:
    • Overviews of GSA IT Security offerings,
    • IT Security Statement of Work (SOW) and Request for Quote (RFQ) templates, and
    • GSA’s Market Research As a Service (MRAS) tool to identify potential vendor pools and suggested contract vehicles. 
  • GSA developed Buy.GSA.gov, which can help you:
    • Plan – Determine the documents you need, and find vendors and contracts. 
    • Develop Documents – Find sample documents and templates.
    • Research – Find products, services, and pricing data.
    • Purchase – Review buying methods and request submissions for quotations.
  • GSA, in partnership with the Federal Chief Information Officers Council, is developing a series of ZTA Playbooks to help agencies move from the conceptual planning phase to actual implementation of a zero trust security model. Agencies can expect a “base playbook,” followed by playbooks dedicated to the pillars of a mature ZTA.
  • GSA has Customer Service Directors specifically assigned to your agency by location. You can also find the National Account Manager dedicated to your agency. 
  • For cybersecurity SME support, contact the IT Security Subcategory at ITSecurityCM@gsa.gov.

What’s next

As the Federal government improves its efforts to better protect Federal information systems, expect additional OMB guidance and updates to the Federal Acquisition Regulation (FAR), driving the need for modification of contract language. GSA will keep you informed, communicating with you the major developments.

Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

Continue Reading...

Reducing Cyber Supply Chain Risks

Posted by Laura Stanton
on November 3, 2021

From reports of large-scale cyber attacks such as Solarwinds to President Biden’s signing of Executive Order 14028, Improving the Nation’s Cybersecurity, cyber supply chain risks have been top of mind for policymakers and federal agencies governmentwide.

GSA is committed to helping agencies mitigate cyber supply chain risks. By understanding the threats, agencies are positioned to take defensive action against them.

Ecosystem threats

Government depends on a global supply chain ecosystem: vendors, distribution routes, technologies, laws, and policies. Each piece of this ecosystem works together to design, manufacture, distribute, use, and manage products and services.

However, these supply chains’ ecosystems can expose government organizations and enterprises to financial, governance and cybersecurity risks.

Of these risks, one of the most troubling is that someone will use vulnerabilities in a supply chain to carry out a cyberattack.

A supply chain cyber attack occurs when an attacker uses a trusted outside partner or vendor with access to a system’s data to infiltrate an information system.

Because supply chain attacks are difficult to prevent and can greatly harm any organization, federal agencies must identify, categorize, manage, and mitigate risks within their supply chains.

In its December 2020 report, the Government Accountability Office (GAO) assessed how 23 civilian CFO Act agencies’ implemented 7 Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) practices.

In their review, the GAO found that many agencies had not implemented the practices according to their evaluation criteria and that no agencies had fully implemented all 7 practices.

What you can do

You can take proactive information and operational technology acquisitions measures to reduce an organization’s cyber supply chain risks.

  • Evaluate your organizational structure. Set up a collective task force to secure your supply chain and empower this team to hold lower-level suppliers accountable and to have responsibility for overall supply chain security.
  • Identify and empower supply chain leadership. Review and monitor key contracts to verify that prime and subcontractors maintain security practices through the contract lifecycle. Threat intelligence and incident response capabilities must work together.
  • Put data protection and stakeholder communication processes in place. Set requirements for communicating and protecting data, specifically for incidents, breach notifications, and industry or legal reporting requirements.
  • Build trust by sharing threats with your supply chain partners. Prevent communication delays by being transparent about an attack or a potential breach. Transparent leadership and communication creates trust. Building that trust requires a commitment to straight talk, the ability to produce results, and the ability to restore trust when trust is lost.

GSA C-SCRM Resources

For the last 10 years, federal guidance and regulations have prioritized SCRM. This priority reflects the increasing threat of vulnerabilities in the nation’s supply chain.

We’re continuing to develop ways to help agencies reduce supply chain risk, like the Vendor Risk Assessment Program and the Cyber Supply Chain Risk Management Acquisition Community of Practice.

Vendor Risk Assessment Program

We are currently developing a program that can identify, assess, and monitor supply chain risks for vendors who do critical work for the federal government. It will audit supply chain risk processes or events and may include on-site assessments.

The following criteria will be monitored:

  • Risk of foreign ownership, control or influence;
  • Cyber risk; and
  • Factors that would affect the company’s vulnerability, such as financial performance.

If the risk assessment identifies supply chain risks, we will work with the vendor on a corrective action.

We take this seriously. Failing to resolve any identified risk may result in government action up to and including contract termination.

Cyber Supply Chain Risk Management Acquisition Community of Practice

In August 2021, we established a C-SCRM Acquisition Community of Practice (ACoP). It includes key acquisition stakeholders from GSA, Cybersecurity and Infrastructure Security Agency (CISA), Office of Management & Budget (OMB), and other federal agencies.

The goal of C-SCRM ACoP is to increase awareness and develop maturity in the areas of cyber-acquisitions and Information Communication Technology and Services (ICTS) supply chain risk management across the federal government.

Many federal departments and agencies need to mature C-SCRM capabilities, guidance, and training. This is particularly true for acquiring ICT hardware and software.

We need governmentwide contract language for getting ICT products that holds vendors accountable for assessing the risk of their supply channels, especially for embedded software.

To learn more about the C-SCRM ACoP or to join, email C-SCRM_ACoP@gsa.gov.

Coordination is key

Agencies must continuously monitor their interconnected IT ecosystem and establish the necessary contract requirements that ensure vendors are doing the same.

Stay up to date on the latest GSA C-SCRM initiative by following us on Twitter @GSA_ITC.

Continue Reading...

GSA’s Enterprise Infrastructure Solutions Instills Cybersecurity Confidence

Posted by Laura Stanton
on August 2, 2021

On May 12, the White House issued the Executive Order on Improving the Nation’s Cybersecurity. This EO underlines the fundamental problem of how cybersecurity weaknesses leave critical infrastructure open to debilitating attacks. It also outlines what government agencies must do to improve their collective defensive posture, reduce risk, improve visibility and secure their infrastructure.

GSA’s Information Technology Category (ITC) tracks cybersecurity trends and is involved in conversations with industry experts on this topic. We incorporate the EO’s technological goals in our contract solutions, like Enterprise Infrastructure Solutions Contract, or EIS.

When it comes to network security, Zero-Trust Architecture (ZTA) is the gold standard. We even published a Zero Trust Architecture Buyer’s Guide to help agencies build toward it. EIS is featured prominently in the guide, because it offers baked-in security “building blocks” to create customizable solutions.

Managed Security Services

The EIS Managed Security Service (MSS) is a comprehensive service that protects an agency’s information technology assets—hardware devices, network, software, and information—from malicious attacks. It includes capabilities such as authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management. MSS comprises the following sub-services: Trusted Internet Connections Service (TICS), Managed Prevention Service (MPS), Vulnerability Scanning Service (VSS), and Incident Response Service (INRS).

Managed Network Services

The EIS Managed Network Service (MNS) enables an agency to outsource a portion or all of its network planning, design, implementation, maintenance, operations and customer service as a strategic move to improve IT services and lower costs.

Software Defined – Wide Area Network (SD-WAN) Services

SD-WAN services provide significant benefits by giving agencies central security management and visibility, the ability to segment networks where security policies can be tailored per application and data type, and identity-based user access.

Managed Trusted Internet Protocol Services (MTIPS)

MTIPS version 2.2 provides security for all external connections to public Internet, Extranet, and Cloud Service Providers. As agencies look to implement the Cybersecurity and Infrastructure Security Agency (CISA) TIC 3.0 guidance, MTIPS may be complemented with additional EIS services to achieve the updated security capabilities of a TIC 3.0 Traditional TIC solution.

FedRAMP Authorized Software-as-a-Service (SaaS) Tools

SaaS gives an agency access to applications hosted in the cloud. The provider manages the security, availability, and performance of the applications as part of their service. Using SaaS allows an agency to reduce the time, expense, and risk associated with the installation and maintenance of software on agency computers. EIS SaaS meets all federally required security standards for Cloud services.

EIS delivers solutions to agencies that will meet CISA’s latest Trusted Internet Connections (TIC) 3.0 guidance and ZTA requirements which include the Core Zero Trust Logical Components described in the National Institute of Standards and Technology (NIST) Special Publication 800-207. GSA continues to collaborate with CISA to provide guidance to agencies advancing legacy networks towards a zero trust architecture.


In the past decade, the typical federal agency network has evolved from being static with a known perimeter to mobile-friendly with nodes across the country. We are now regularly reminded that security solutions must correspondingly evolve to secure agency data and be able to ensure the safe transport of information to and from cloud applications, data centers, and remote users. If they don’t, the U.S. will continue to be vulnerable to malicious actors all over the world.

The Cybersecurity EO prioritizes “accelerated movement to secure cloud services; centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investment in both technology and personnel to match these modernization goals.” EIS already supports these by supplying SD-WAN services, 5th Generation (5G) telecommunications technology, Internet of Things (IoT) offerings, and Cloud-based security solutions.

Using EIS to buy IT infrastructure ensures a greater degree of consistency in the government’s telecommunications and network infrastructure services. It also consolidates the government’s purchasing power, driving lower prices on products and services that to satisfy complex security, flexibility, and visibility needs. EIS solutions offer the foundation needed to adapt to evolving threats and continue accomplishing your mission. The sooner agencies transition, the sooner they can take advantage of the secure solutions available on EIS. Accelerate your transition progress by Taking A.I.M. at EIS.

Continue Reading...

Taking A.I.M. at EIS

Posted by Laura Stanton
on July 20, 2021

Enterprise Infrastructure Solutions (EIS) transition

The transition to Enterprise Infrastructure Solutions (EIS) is one critical path for agencies to evolve to more modernized and secure IT infrastructures and away from legacy technologies that are vulnerable to security risks — a high priority for this Administration. With the President’s Executive Order on Improving the Nation’s Cybersecurity, it’s important to remember that the transition to EIS is not about shutting down expiring contracts; it’s ultimately about the safety, security, and sustainability of the federal government’s IT infrastructure.

The most recent EIS transition milestone came and went on March 31, when agencies were expected to have disconnected at least 50 percent of their services from the expiring Networx, Washington Interagency Telecommunications System (WITS) 3, and Local Service contracts.

While the data illustrates agencies are making progress, with 55% of the federal government’s inventory remaining to be disconnected, there is still much work to be done. Therefore, we urge our agency partners to take A.I.M. at EIS:

  • Assess their status and accelerate their progress
  • Disconnect & transition their Inventory
  • Mitigate risk to ensure mission operations continue

Assessing status and accelerating progress

Less than two years remain before the Networx, WITS 3, and Local Service contracts expire on May 31, 2023. Though the September 30, 2022 deadline for 100% disconnect from expiring contracts is a little over 15 months away, we want to remind agencies that a lack of transition progress could result in service disconnection much sooner. Please assess your progress against several important dates that are outlined in the revised Project Plan for Closeout of Transition and accelerate actions accordingly:

  • June 30, 2021 – Agencies that are not transitioning to EIS will have services disconnected. On this date, agencies for whom GSA has provided a report for a price-only fair opportunity decision, but have yet to award the task order, will also be disconnected.
  • August 31, 2021 – Agencies that have not awarded any EIS task orders for their solicitations will be disconnected.
  • September 30, 2021 – Agencies that have not awarded EIS task orders for all their solicitations will be disconnected.
  • October 1, 2021 – GSA will no longer accept or process any exception requests for the expiring contracts (Networx, WITS 3, and Local Service Agreements). All new services should be ordered from the EIS contracts or other viable contracts.
Enterprise Infrastructure Solutions Transition Timeline with remaining milestone dates and upcoming Closeout Phases for 2021 June 30, 2021. Agencies that are not transitioning to EIS will have services disconnected. On this date, agencies for whom GSA has provided a report for a price-only fair opportunity decision, but have yet to award the task order, will also be disconnected .  August 31, 2021. Agencies that have not awarded any EIS task orders for their solicitations will be disconnected. September 30, 2021. Agencies that have not awarded EIS task orders for all their solicitations will be disconnected. October 1, 2021. GSA will no longer accept or process any exception requests for the expiring contracts (Networx, WITS 3, and Local Service Agreements). All new services should be ordered from the EIS contracts or other viable contracts.
Enterprise Infrastructure Solutions Transition Timeline with remaining milestone dates and upcoming closeout phases for 2021

The next major milestone for EIS transition is on March 31, 2022, which calls for 90% of services disconnected from expiring contracts. With less than 12 months to go, we urge agencies to accelerate progress, so as not to fall further behind.

Inventory: enhanced focus on disconnecting and transitioning inventory to EIS

Government-wide, we are behind the EIS curve. 11 of 17 large agencies and 15 of 25 medium-size agencies have yet to disconnect even 50 percent of their services as of March 31, 2021. Ultimately, missing transition milestones and continued reliance on expiring contracts risks disruption of critical services delivered to the public.

Mitigating risk to ensure mission operations continue

The more agencies fall behind the established milestones, the greater the risk to their mission. This not only leaves less time for transition-related activities ahead of the September 2022 milestone, but it will also increase the potential that agencies may be “stuck” waiting for disconnect and transition services to be rendered. In particular, agencies that delay their EIS contractor selection for replacement services may find themselves “in line” behind those that have already chosen a contractor and made transition progress. This further slows progress for disconnecting services from the expiring contracts and connecting new services.

The extended contracts expire on May 31, 2023 and there will be no extensions. We invite our agency partners to ask themselves “Will we complete transition on time?”. If your agency will not complete transition on time, contingency planning must start now.

The time for EIS transition action is now. Regardless if your agency is in the acquisition or implementation phase, know that GSA wants to actively support agency transitions. If your agency is struggling, GSA can provide services such as:

  • An inventory of complete services that need to be transitioned, including custom reports for your agency
  • Technical, acquisition, and ordering assistance, plus automated tools to directly assist agencies with expediting EIS task orders
  • GSA in-scope reviews of agency solicitations
  • Regular outreach to agencies’ Integrated Transition Teams to monitor transition progress and provide guidance

If your agency needs help with transition, please contact the IT Customer Service Center at 855-482-4348, or send an email to ITCSC@gsa.gov. We encourage you to reach out to your agency leadership. Include Chief Information, Acquisition, and Financial Officers in conversations on EIS transition, financials, and risk.

Continue Reading...

Zero Trust Architecture: Acquisition and Adoption

Posted by Laura Stanton
on July 15, 2021

What is Zero Trust Architecture (ZTA)?

Zero Trust is not a technology, but an approach to cybersecurity. It assumes all cyber networks and traffic are hostile in nature, and that any implicit trust in users should be eliminated. Now, more than ever, Zero Trust concepts are becoming increasingly important to an agency’s IT security posture as we see an increase in cyber attacks.

Zero Trust Architecture (ZTA) is a cybersecurity strategy that employs narrow and dynamic network defenses where every action, and use of resources is questioned, and where users are given the minimum levels of access to information needed to do their jobs.

To fully implement ZTA, organizations need to focus on the integration and implementation of a range of tactics and technologies. We can no longer rely on the concept of “trust, but verify”. Instead, agencies must verify, re-verify, and continue re-verifying with added layers of cybersecurity to establish true ZTA.

Why is ZTA important now?

Recent sophisticated cyber attacks and the shift to remote/virtual work environments highlight the importance of focusing on cybersecurity. The recent Sunburst and Colonial Pipeline cyber attacks exposed vulnerabilities in government and private sector computer systems. These attacks are a stark reminder that a weakness anywhere is a weakness everywhere. Furthermore, as organizations move to a mix of cloud-based, on-premises, and hybrid network models, traditional perimeter-focused network defenses can no longer protect an organization’s information communication technology assets. To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, government agencies must move quickly to modernize their cybersecurity capabilities and accelerate towards the adoption of ZTA.

In 2020, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture was released to provide agencies with guidance and detailed recommendations to improve their security posture using the core principles of ZTA. More recently, Executive Order 14028 “Improving the Nation’s Cybersecurity” requires all Federal agencies to develop a plan to implement ZTA in an effort to modernize and strengthen cybersecurity standards and detection.

What can agencies do to embrace ZTA?

Although there is no single end-to-end, comprehensive Zero Trust network solution, movement towards a Zero Trust security posture does not require agencies to rip and replace existing cybersecurity tools, hardware, or software products. Rather, agencies can make incremental steps to “re-tool” existing products to adhere to Zero Trust principles and supplement with GSA-offered products, services, and solutions to achieve ZTA.

GSA created a Zero Trust Architecture Buyer’s Guide for acquisition, network architect, and cybersecurity professionals who are seeking to implement ZTA. The guide is a roadmap to ZTA and provides helpful concepts and best practices. Zero Trust security models currently range between five and seven pillars. For the purposes of facilitating an acquisition-based perspective, GSA chose to represent a combination of eight unique pillars that agencies should consider when implementing a robust and efficient Zero Trust security model.

Zero Trust Architecture Pillars-User, Device, Network, Infrastructure, Application, Data, Visibility and Analytics, Orchestration and Automation

Getting to Zero Trust is a journey. Moving to ZTA will take time, and agencies will be at different starting points as they implement a Zero Trust strategy. When evaluating a ZTA solution, agencies should consider how well the product or service addresses these eight pillars and to what extent.

Zero Trust Pillars

PillarDescription
UserInvolves focus on user identification, authentication, and access control policies which verify user attempts connecting to the network using dynamic and contextual data analysis.
DevicePerforms “system of record” validation of user-controlled and autonomous devices to determine acceptable cybersecurity posture and trustworthiness.
NetworkIsolates sensitive resources from being accessed by unauthorized people or things by dynamically defining network access, deploying micro-segmentation techniques, and control network flows while encrypting end-to-end traffic.
InfrastructureEnsures systems and services within a workload are protected against unintended and unauthorized access, and potential vulnerabilities.
ApplicationIntegrates user, device, and data components to secure access at the application layer. Security wraps each workload and compute container to prevent data collection, unauthorized access or tampering with sensitive applications and services.
DataInvolves focus on securing and enforcing access to data based on the data’s categorization and classification to isolate the data from everyone except those that need access.
Visibility and AnalyticsProvides insight into user and system behavior analytics by observing real-time communications between all Zero Trust components.
Orchestration and AutomationAutomates security and network operational processes across the ZTA by orchestrating functions between similar and disparate security systems and applications.
Zero Trust Pillars

How can GSA help?

There are many elements of a Zero Trust solution that crosscut and incorporate GSA contract offerings. The information provided in the Zero Trust Architecture Buyer’s Guide can help agencies mature their Zero Trust implementation plans.

There are multiple GSA resources that support Zero Trust efforts, like the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) which provides access to vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors.

The Continuous Diagnostics and Mitigation (CDM) Tools SIN provides access to cybersecurity products included on the Department of Homeland Security Cybersecurity & Infrastructure Security Agency’s Approved Products List. Agencies can use these and other comprehensive GSA solutions to support the design and deployment of architectures that follow the tenets of Zero Trust.

Continue Reading...

Think Cloud, Think GSA

Posted by Laura Stanton
on July 12, 2021
Think Cloud, Think GSA FAST 2021 promo image - event July 15

We know you use cloud computing for more than just migration and storage. Some agencies need a trusted consultant to plan long-term strategy. Others are ready to build their own applications and deploy next-generation technology. GSA cloud experts want to alleviate your acquisition pain and answer your questions directly. To that end, the Information Technology Category and 3 other GSA offices are offering a guided tour of GSA’s cloud portfolio at our “Think Cloud, Think GSA” event from 1-3 PM Eastern on Thursday, July 15.

Our cloud experts will:

  • Answer your cloud technical and acquisition questions
  • Explore GSA cloud products and services offered by multiple GSA offices
  • Explain the buying options available to help agencies move through their cloud adoption journey.

Here are a few session teasers:

The Technology Transformation Services’ (TTS) Cloud Center of Excellence helps your agency innovate with embedded, on hand expertise. Understand how the Cloud Center of Excellence empowers agencies to undertake IT modernization and how their acquisition, security and technology teams are used as an engine of organizational change.

The Information Technology Category’s (ITC) Cloud Acquisition Team gives those agencies that know what cloud products and services they want the information needed to acquire them. Hear about the Cloud Information Center, the pre-competed Multiple Award Schedule Cloud SIN, and more.

The Technology Transformation Services’ (TTS) Cloud.gov supports government agencies in getting to the cloud quickly, securely, and in a compliant manner. Three Cloud.gov experts will cover how their Platform-as-a-Service offering fits any step of a customer’s journey to the cloud, and how they are just a simple InterAgency Agreement away.

The Assisted Acquisition Services’ (AAS) FedSIM office works with mature organizations that have complex acquisition needs. Hear from the director Chris Hamm on how this white glove services span acquisition, financial, and project management for the full acquisition life cycle.

Think Cloud, Think GSA event promo image

Sonny Hashmi, GSA Federal Acquisition Service Commissioner, will give an opening keynote about how cloud policy and technology has progressed over the past decade. Sam Navarro, Director of the Customer Strategic Solutions Division, will act as Master of Ceremonies.

This event is open to government and industry. Participants are eligible to earn 2 Continuous Learning Points (CLPs). Registration is free and open to all.

Register and reserve your virtual seat today.

Continue Reading...

VETS 2 Provides IT Services Core Capabilities

Posted by Laura Stanton
on June 28, 2021

GSA’s Veteran Technology Services 2 (VETS 2) Governmentwide Acquisition Contract (GWAC) for IT Services provides critical IT solutions with comprehensive core capabilities to meet diverse agency IT requirements, including new and emerging technologies.

We recently conducted a survey of our 69 highly qualified VETS 2 industry partners to better understand their core capabilities and to highlight their strengths. This survey provides great insights into how VETS can help agencies — and we wanted to share.

We received responses from 97 percent of VETS 2 contractors and we’ve depicted those results below in graph format. Here are some highlights:

The top four types of IT Services they provide are:

  • IT Operations and Maintenance
  • Software Development
  • Information and Communications Technology
  • IT Security

VETS 2 contractors have successfully performed a variety of IT services for the government, the top five areas of past performance include:

  • IT Service Desk
  • Cyber Security
  • Agile Software Development
  • Cloud Computing
  • CyberOps

I also want to point out that 90 percent of VETS 2 industry partners hold a secret or top secret security clearance and 84 percent have an audited and approved cost accounting system. This means that no matter what your IT requirements are, our VETS 2 industry partners are well positioned to help.

VETS 2 is recognized by the Office of Management and Budget as Best-in-Class and is the only GWAC set-aside exclusively for Service-Disabled, Veteran-Owned Small Businesses. It’s the ideal vehicle to meet your IT mission needs.

Curious if VETS 2 is right for you? We’re happy to review your scope of work (SOW). This is a free, no obligation service and we’ll provide a written opinion within 5-7 business days. Request a SOW review here.

Visit our website to learn more about VETS 2.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Continue Reading...

FAST 2021: Incorporating IT Security into Acquisitions

Posted by Laura Stanton
on May 6, 2021

Join us May 13th at 1:00 pm EDT for a live webinar led by GSA’s IT Acquisition experts as we explore:

  • Benefits in shifting from a compliance model to the cybersecurity maturity model
  • Adopting a supply chain risk evaluation approach in government contracting
  • Easy to understand acquisition planning packages (e.g., playbooks, checklists, templates)

The 3-hour session features an overview of requirements and evaluation factors used in developing the 2nd Generation Information Technology (2GIT) blanket purchase agreement; and a quick look into the GSA’s IT Solutions Navigator connecting buyers with resources, tools, and decision support for IT procurements.

This is the third session in GSA’s 2021 monthly Federal Acquisition Service Training (FAST) Conference series. Each session is worth up to 3 Continuous Learning Points. You can find the full lineup of events here.

Registration is open and free for agency and industry partners. Reserve your virtual seat today – we look forward to seeing you there!

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Continue Reading...

Introducing the IT Vendor Management Office: a new government-wide collaborative effort to solve the toughest challenges in federal IT acquisitions

Posted by Vera Ashworth
on April 27, 2021

The last months have been a whirlwind of activity for the new government-wide Information Technology Vendor Management Office (ITVMO). We not only chartered the ITVMO, but have started working with several partner agencies and IT acquisition experts from across government to identify existing resources that can assist agencies with their buying decisions. The ITVMO brings together the most critical players in the federal IT acquisition landscape to solve challenges agencies and vendors face when buying and selling IT products and solutions.

Launched in October 2020, the ITVMO is a government-wide effort to amplify the benefits of managing vendor engagement in the IT Category to make IT acquisitions faster and more cost effective. The ITVMO serves as a trusted independent advisor and advocate to help agencies buy common IT goods and services. As a one-stop shop, the ITVMO will leverage government-wide IT procurement data, conduct market research, and develop shared agency acquisition knowledge to support agencies’ buying decisions.

There are many programs and initiatives across government that are interested in improving how government buys IT. The ITVMO is unique in that it is a collaborative effort amongst partners in Category Management (CM) with the most critical IT acquisition Best in Class (BIC) contract vehicles and associated programs including:

  • The General Services Administration (GSA);
  • The National Aeronautics and Space Administration (NASA);
  • The National Institutes of Health (NIH);
  • The Department of Defense (DOD);
  • The White House Office of Management and Budget (OMB) Office of Federal Procurement Policy (OFPP).

Through this collaboration, the ITVMO will advance the goals of IT Category Management (CM) to improve how the government buys common IT goods and services and enable the government to act more as a single entity by sharing best practices and acquisition intelligence as well as eliminating the unnecessary duplication and redundancy that exists between federal agencies.

What’s Happening & What’s Next

One of the central drivers of CM is to mature federal IT acquisitions so that the government acts more like a single buyer rather than many independent agencies. By creating a space where some of the biggest and most impactful federal IT acquisitions programs and initiatives can collaborate and solve shared problems, establishing the ITVMO is a major step toward that goal.

The ITVMO is chartered and led by an Executive Steering Committee (ESC) comprised of several agencies including those with the largest IT BIC vehicles. The ESC determines the strategic direction and project priorities for the ITVMO to solve problems for agencies and vendors alike.

To identify shared challenges and opportunities throughout government, the ITVMO surveyed hundreds of IT and acquisition experts including the Chief Information Officers Council (CIOC) and the Chief Acquisition Officers Council (CAOC) as well as several communities of practices. The ITVMO team also conducted listening sessions with industry groups. The data and feedback gathered from across government is driving the challenges the ITVMO seeks to address in the near future.

ITVMO Customer Segments

The ITVMO’s primary customers are the programs and offices responsible for making buying decisions at each agency, and the vendor community. On January 27th, the ITVMO hosted an Open House for agencies to provide an overview of the ITVMO’s mission and services, and to answer any questions from the community. More information about the ITVMO Open House, including a video recording of the event, is available to government employees.

Based on customer feedback, the ITVMO is working on several products and services that will be made available to agencies in the near future, including:

  • Continuing a Small Business Webinar Series developed in partnership with the IT Government-wide Category and the American Council for Technology and Industry Advisory Council Small Business Alliance so agencies and vendors can learn how GSA’s Federal Acquisition Service Multiple Award Schedules Program will allow agencies to more easily procure IT products and services from small businesses.
  • Vendor Profiles that provide agencies with pricing information, specific vendors’ terms and conditions, and best practices for negotiating with that vendor.
  • Deep Vendor Intelligence crowdsourced from IT acquisition experts from across the federal government participating in integrated project teams (IPTs).
  • A Technology Life Cycle Assessment to provide agencies with insights into buying emerging technology and updating existing systems and services to meet evolving needs.
  • A deep dive and review of current Cost Avoidance Methodologies used by IT BIC acquisitions vehicles. The ITVMO is working closely with GSA’s IT Category to provide recommendations on how to improve the accuracy and reliability of cost avoidance methodologies and the underlying contract data.

If any of the above interest you, we would love to connect with you. Please feel free to reach out to the ITVMO inbox at itvmo@gsa.gov.

Coming Soon…

The ITVMO recently launched the first of several IPTs made up of the federal government’s foremost experts in working and negotiating with specific IT vendors. The IPTs will produce recommendations and strategies that can be shared and leveraged throughout government.

ITVMO - Integrated Project Teams

On May 12, 2021, The ITVMO will also host an Industry Day intended for our industry and vendor partners to learn about the mission of the ITVMO and the best way to collaborate with the ITVMO and federal IT acquisitions staff.

Finally, the ITVMO will soon launch our website to share the ITVMO’s latest updates and activities, post relevant templates and resources, and direct users to the relevant information to meet their IT acquisition needs.

Additional insight can be found on our ITVMO MAX page, and you can sign up for our newsletter. If you have any questions or general inquiries, please feel free to reach out to us at the ITVMO inbox at itvmo@gsa.gov.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Continue Reading...