Application Security Testing (AST) — reduce your cybersecurity risk

“Improving the Nation’s Cybersecurity” is a top priority across all federal agencies. Constant and fast-paced application innovation is the new norm of today’s digital enterprise. Vulnerabilities are waiting to be exploited by adversaries, whose malicious attempts are increasingly sophisticated, as with the Log4j application exploitation.

The Office of Management and Budget’s (OMB) Memorandum 22-09 specifically charges agencies to operate dedicated Application Security Testing (AST) programs for a stronger and more robust cyber posture. Early and continuous AST minimizes the risk of sensitive data exposure and system compromise. To prevent most application security threats, agencies need a dedicated AST program that implements a variety of tools to continuously assess and address application vulnerabilities throughout the Software Development Life Cycle (SDLC).

The software development lifecycle begins with analysis before moving to design, development, and testing. Next comes deployment and finally, maintenance.

AST tools

Testing requirements and guidance released by OMB, the National Institute of Standards and Technology, and the Cybersecurity and Infrastructure Security Agency will make applications more resistant to security threats and identify security weaknesses and vulnerabilities. Ultimately, the goal is to create a holistic AST program of automated tools and manual testing that continuously examines applications as they are developed and continue through the SDLC. AST methodologies can be categorized into:

  • Automated AST relies on written code/test scripts and tools to test and validate an application. It can be completed in less time than manual testing and covers more test permutations; however, it does require heavy coding and maintenance.
  • Manual testing is executed by human security testers to discover complex bugs that automated testing cannot detect or to resolve automated testing’s false positives. It requires a substantial level of expertise, effort, and time.

An AST program uses a variety of tools throughout the SDLC, many of which are described in the table below.

The table highlights AST testing tools by purpose, proactive or reactive scanning, low false positives, and cost. The tools and their purposes:

  • Static application security testing is used to examine source code for weaknesses.
  • Dynamic application security testing is used to find security vulnerabilities in a running environment.
  • Interactive application security testing analyzes code for vulnerabilities by simulating scenarios in a running environment.
  • Mobile application security testing identifies vulnerabilities in applications used with mobile platforms during or post development.
  • Software composition analysis identifies open-source software in a codebase.
  • Manual testing examines all essential features to find more complex and logical vulnerabilities.

Top AST threats

According to the Open Web Application Security Project (OWASP), the top three application security threats are broken access control, cryptographic failures, and injection.

A table featuring best practices and AST tool(s) to address broken access control, cryptographic failure, and injection vulnerabilities.

Third-party application security testers

Another component of a dedicated AST program is the use of independent third-party application security testers who specialize in identifying vulnerabilities internal staff may miss. These expert firms have the skills and certifications required to provide high-quality results and ensure applications hold up against real-world cyber attacks.

GSA cybersecurity resources

GSA created the AST Buyer’s Guide to help federal agencies meet AST program requirements, provide Third-Party Application Security Tester selection criteria, and address application security threats. It provides an overview of AST, key considerations when implementing an AST program, and helps identify and procure AST offerings to improve your agency’s application security posture.

To make the acquisition experience easier and more efficient, GSA also provides useful resources like an AST summary sheet, AST statement of work template, and AST informational video. These and many other resources can be found at www.gsa.gov/ast.

GSA cybersecurity support

The GSA IT category team is available to answer questions and provide subject matter expertise related to purchasing AST, cybersecurity, and a full range of IT products and services. Please contact the IT customer service center at 855-ITaid4U/855-482-4348 or itcsc@gsa.gov.

Follow ITC on LinkedIn and Twitter, and subscribe for blog updates.

GSA supports National Strategy to Secure 5G with new acquisition guidance

GSA’s Acquisition Guidance for Procuring 5G Technology supports an ongoing, multi-agency effort to document and share best practices for optimal 5G deployments.

National Strategy

As discussed in past posts, the Federal Government views 5th generation (5G) wireless technology as a future driver of the global economy. It also views the security of 5G information and communications technology and services infrastructure, and the data transmitted and stored on it, as a key national security interest. In addition to protecting data on the network, a trusted, secure supply chain is also paramount. We cannot ensure the security of 5G networks if untrusted equipment or software is allowed to control any part of them.

The National Strategy to Secure 5G is our country’s game plan to manage the risks associated with next generation wireless technologies and the new use cases they open up. GSA’s role is to establish acquisition processes and facilitate federal agency adoption of 5G infrastructure with appropriate security safeguards and adherence to national policies. The desired outcome is a resource that helps agencies identify their standards, specify security controls, and catalog other relevant requirements to provide a secure 5G infrastructure.

GSA guidance

Download the PDF at buy.gsa.gov or order physical copies at cmls.gsa.gov.

The subject matter experts behind our Wireless Mobility Solutions contracts applied this directive to the early 5G use cases they were observing at various agencies. We coordinated extensively with the interagency Federal Mobility Group, and we incorporated valuable input from experts in other agencies and industry. The result is our Acquisition Guidance for Procuring 5G Technology, a plain-language white paper that charts the progression of 5G in the public sector, outlines its core standards, explores government use cases, and delves into acquisition strategies that balance flexibility with security requirements. In particular, the Guidance features:

  • Tools and strategies for contracting 5G – A model acquisition process that details how technical staff should go about defining requirements and how contracting staff should use them to structure a solicitation.
  • 5G use cases in government – A living list of 5G use cases and pilot programs applicable to the public sector.
  • Standards for 5G – A detailed accounting of the international and U.S. standards that are used to determine requirements for 5G.
  • General background – A plain language narrative describing the evolution of cellular technology, the capabilities 5G offers, its relevance to the public sector, efforts underway to secure it, and its potential to shape future telecommunications products and services.

The wheel keeps turning

The “5G Wheel” is one model of visualizing the components that enable resilient deployments.

We’ve previously described our “5G for Government” strategy as the understanding of six core concepts: Technology, Standards, Security, Policy, Acquisition, and Use Cases. Use cases are the real-world applications that agencies are pursuing, or want to achieve. Acquisition is the nuts and bolts of getting the solution in place in the most efficient and effective way. Once you understand the technology, know the standards, consider the security aspects, and are up-to-date on governmentwide policies, then it’s time to plan and execute. If you think of this strategy as a circle or wheel, the Use Case is the end of one cycle and the beginning of another. Each rotation strengthens our collective understanding of what makes a 5G deployment secure and successful. The Acquisition Guidance for Procuring 5G Technology is GSA’s first effort to distill this collective knowledge into a usable format to help government technology managers, their contracting offices, and trusted industry partners buy, build, and use secure 5G systems. As a living document, the Guidance will be frequently reviewed to keep pace with changing technology, ensure governmentwide cybersecurity requirements are accurate, and incorporate feedback from stakeholders. Send feedback, questions, and suggestions to wireless@gsa.gov.


GSA plans to grant DOJ, DHS extended period to complete EIS transition

Recently, we made a decision that will enable GSA to give the Department of Justice (DOJ) and Department of Homeland Security (DHS) until May 31, 2026 to complete their transitions to EIS. DOJ and DHS asked for more time to complete their transition, citing multiple factors, including global supply chain disruptions and pandemic challenges. GSA agreed to create the requested extensions so that DOJ and DHS can carry out their transition plans without the risk of serious disruptions to critical services.

A significant decision

Executing these extensions will be a major undertaking for GSA and the contract holders. GSA anticipates there are more than sixty contracts that will need extensions after May 31, 2024. GSA will execute modifications to extend each contract. The justification for these modifications will detail the current status, the delays and obstacles agencies have faced in their transitions, and the timeline in which they expect to have their transitions completed.

GSA is proceeding according to FAR 6.3, which prescribes policies and procedures, and identifies the statutory authorities, for contracting without providing for full and open competition. The specific authority is under FAR 6.302-1, “Only one responsible source and no other supplies or services will satisfy agency requirements.”

No guarantees

The approach we are taking is not without risks. For instance, contractors may not agree to an extension. They can refuse to sign on to extend further and GSA cannot force them to continue providing these services. Further prolonging transition generates risks for agencies, too. The EIS contracts offer benefits to agencies such as cost savings opportunities, avenues for technology modernization, and access to modern cybersecurity capabilities.

GSA supports your transition

GSA remains committed to the successful completion of the EIS Transition program. We conduct weekly updates to the transition inventory to ensure agencies and contractors have the most accurate data at their fingertips. In addition to frequent meetings with individual agencies, we hold monthly EIS Transition Office Hours and Interagency EIS Transition Meetings, both of which serve as forums for agencies to share their knowledge and ask transition-related questions. GSA also meets monthly with the contractors for an all-agency progress check and conducts comprehensive quarterly reviews.

GSA is actively monitoring, and will continue to monitor, agency progress toward stated EIS deadlines. If you need assistance, have additional data to share on the speed of your transition to EIS, or would like to meet with us, please contact your assigned GSA Solutions Broker.

For more information, visit gsa.gov/eistransition.


FY22 in review, informing the future

At the beginning of every fiscal year, we sit down to develop our targets, and as I look back on the last year I’m very proud to see what we’ve been able to deliver for agencies.

Employee, customer, and industry input is key

Results of the Federal Employee Viewpoint Survey (FEVS), Customer Loyalty Satisfaction Survey (CLS), and the Industry Satisfaction Survey (ISS) are all part of a broader feedback ecosystem that drives our decisions. These three surveys collectively show a top-line level of ITC health and our progress in improving engagement and experience across ITC’s employees, customers, and suppliers.

This feedback is driving many of the decisions we make. At the end of the day, we’re here to serve, and so we look very closely at those survey results. I’m pleased that year over year, ITC customer loyalty and industry satisfaction remained steady, but I’m even more interested in what these surveys tell us about areas where we can improve.

Customers are telling us that ease of acquiring is the strongest driver of your loyalty and that you’d like to see us further improve internal processes, customer service, and communications generally.

Industry, on the other hand, said procurement process and industry expertise were your strongest drivers of satisfaction. You, too, would like to see improved processes and communications.

We hear you both and are working on ways to address these concerns. There’s clearly some overlap here, and this gives us some clear direction.

If you’re a small business that’s new to the government market, it can be daunting. We’re working on solutions to make this all easier. One great example that we’re seeing is from the 8(a) STARS III GWAC where, of the 258 industry partners who have task order awards, 149 received their first GSA contract vehicle task order award through 8(a) STARS III. Brand new to GSA contracting, and they’re already out the gate with orders.

This is great news, and we’re learning what we can from these results.

By the numbers

In every IT subcategory (Hardware, Software, IT Services, Telecom, and IT Security), we exceeded our FY22 targets.

IT Services on the Multiple Award Schedule had a particularly strong year surpassing our target by nearly 29 percent, with a year-over-year positive variance of more than 16 percent.

Mission spend through our IT contracts reached just shy of $34 billion for the first time and surpassed the previous year by nearly 5 percent. Volume over the last 4 years has increased by about $8.5 billion, which is truly remarkable. And most importantly, ITC helped agencies save nearly $2 billion through cost avoidance in the last year alone.

While we celebrate these successes, we’re also looking to the future for what’s next.

Table depicting the FY22 Final dollar spend on each IT Category (IT Hardware, IT Software, IT Services, Telecom Services, IT Security/Shared Services, GWACs, ETS, and HSPD-12, PKI). The total for ITC in FY22 was $33,735,217.

Trends, informing the future

Diversity, equity, inclusion, and accessibility initiatives are particularly important to the Biden-Harris Administration, and a big part of that is helping small businesses succeed in government contracting. I’m happy to report that ITC handily exceeded our small business utilization goals last year for small businesses generally, women-owned, service-disabled, and HUBZone small businesses. Small Disadvantaged Business performance was also very strong. Small businesses have won approximately $8.45 billion in FY22 (up 9.4 percent from $7.7 billion in FY21) through their work on ITC contracts.

We’ve been working hard on ways to make it easier for small businesses to support the government. We’re setting up Polaris, our next small business contract, and so I expect to see this trend of small business utilization continue.

In terms of the market, IT services are in high demand, and I would expect that to continue too. Automated Contact Center Solutions, Health IT, Cloud adoption, Earth Observation, and Highly Adaptive Cybersecurity Services were all particularly strong year over year.

Speaking of cybersecurity, that’s another important topic to watch this year. We’re tracking trends and technologies that can help our customers improve their cybersecurity hygiene and strengthen their cybersecurity posture.

Looking forward, together

As we wrap up FY22 and kick off FY23, I want to thank our customers, industry partners, and ITC staff. It’s because of our close collaboration that we have these successes to celebrate.

Visit our website to learn more about our solutions, or use our IT Solutions Navigator to find the vehicle that’s right for you.


Celebrating our Veterans

In thinking about Veterans Day this year, I want to pay special tribute to America’s Veterans for their service and dedication to this great nation. I’m grateful for the sacrifices they have made to defend our nation. Our Veterans are an example of the strength, courage, and resolve that allows our country to overcome so many of the challenges we face.

I have spent time with Veterans and Service Disabled Veteran Owned Small Business (SDVOSB) owners and know their desire to serve continues after they leave active service. I am proud that GSA is committed to working with this community.

GSA working with Veterans

GSA is dedicated to tapping into that strength, courage, and resolve by bringing the SDVOSB community to the federal IT market.

There were more than 800 SDVOSBs across the entire government-wide IT category last year that reported sales. ITC is represented by 357 of those industry partners through our Multiple Award Schedule – IT (MAS-IT) contract and the Veterans Technology Services 2 (VETS 2) and 8(a) STARS III IT services Governmentwide Acquisition Contracts (GWAC). Through these acquisition vehicles, SDVOSBs won more than $1.46 billion of the IT market last year.

Through GSA contract vehicles like VETS 2, service-disabled veterans continue to serve our nation by providing innovative IT solutions in support of agency missions and the military. VETS 2 is currently the government’s only GWAC set aside exclusively for SDVOSBs.

The VETS 2 option period is coming up next year and we have every intention of exercising that option for those SDVOSBs meeting the terms and conditions of the contract. This will provide federal agencies with continued use of this socio-economic small business, best-in-class solution for their long-term IT service project needs, with the performance of task orders extending out through 2033.

SDVOSBs bringing real mission impact

While I can’t call out individual SDVOSBs, I do want to offer a couple of examples of their great work:

  • One of our customer agencies recently awarded a $248 million order through VETS 2 to provide IT Support Services for their digital infrastructure services center. Through these IT support services, the SDVOSB will fill the agency’s need for maintaining legacy operations and to innovate, at an accelerated pace, to meet the customer’s requirements into the future.
  • Another recent innovative task order award for $166 million was for enterprise services integration and modernization. The scope of the task order is to provide a quality-focused process and capability that enables effective sustainment and modernization of command, control, communication, computers, and information technology systems. The task order will modernize military headquarters to include operations centers, planning rooms, and conference rooms, utilizing innovative technologies such as video walls, audio processors, and multi-classification video teleconference systems.

Veterans, key to the future

Our commitment doesn’t stop with VETS 2 and MAS-IT. GSA’s next small business and socio-economic small business GWAC, Polaris, will have an SDVOSB pool. Polaris is designed to assist agencies in acquiring customized IT services and IT services-based solutions while expanding opportunities for SDVOSB firms. Stay tuned to our Small Business Community of Practice Interact page for updates.

These contracts drive progress on important public policy objectives, including the President’s Executive Order 13985 On Advancing Racial Equity and Support for Underserved Communities Through the Federal Government as we work to improve diversity, equity, inclusion, and accessibility.

I’m grateful for the meaningful partnership we have with our Service Disabled Veteran Owned Small Businesses and for their continued hard work and dedication to helping agencies achieve their missions every day. I’m really excited for what the future holds.

Visit our website to learn more about VETS 2, MAS-IT, and Polaris or use our IT Solutions Navigator to find the vehicle that’s right for you.


20 years of E-Government

This year marks the 20th anniversary of the enactment of the eGov Act, and I was recently asked in an interview what I felt had changed the most in the federal technology market and what had stayed the same. It was an interesting conversation, and so I’d like to share my thoughts with you.

Changing times, evolving technology

In 2002 your work revolved around your office building and your desk. Most everyone in government was tied to their office because of the technology at the time — desktop computers and desk phones.

Now think back to when you got your first Blackberry. I think it was 2004/5 for me. All of a sudden you could access your email on the go and connect to your headset wirelessly through Bluetooth.

Then of course the iPhone came in 2007 and has since changed everything. So, while I still have a desk at GSA’s central office, I haven’t had a desk phone in almost a decade or a desktop computer in two decades — today, I work from a laptop and a mobile phone.

In terms of the federal technology market, we are once again seeing two big technological trends that are radically transforming how we all operate: the shift to telework and cloud adoption.

Cloud adoption and telework

The pandemic hammered home the value of flexibility and collaboration. GSA invested in an efficient mobile workforce long before COVID hit, and that investment paid off. Our teams adapted quickly to full-time telework, enabling us to rapidly turn around and help other agencies do the same.

Part of the reason we were able to move so quickly was because we had embraced cloud computing early by investing in modern network architecture using GSA’s Networx contract.

That’s the second driver of modern government, the flexibilities afforded by the wide-scale adoption of commercial cloud services, which link the physical world to our virtual environments.

Think about the interview that inspired this blog post and how that content reaches its government audience. Twenty years ago, we’d record the interview, and the audio would play on a regional radio station. That’s the only way the audience would experience it.

Now, you can use a desktop, laptop, tablet, or mobile phone (or a landline), not just to listen, but to participate. You can chat or post a question, and get a response in real-time. We have captioners (or AI/bots) who listen, transcribe, and produce a running transcript, and even video interpreters who can translate the conversation into American Sign Language.

The cloud-based software-as-a-service we use takes all these inputs and outputs raw data, which is stored and accessed securely within a FedRAMP-authorized environment. All that data is logged and analyzed in real-time while a host of systems operate in the background to defend against malicious actors.

Finally, it all gets encrypted and exits the platform, travels through the open Internet, and crosses the threshold back into a given federal network through Trusted Internet Connections. There are many types of “federal networks” ranging from a wired wide area network at an agency’s headquarters to someone’s home Wi-Fi, accessed through a Virtual Private Network and managed by a trusted vendor.

You may still catch that interview on the radio, but you can also experience it anytime from any device.

Every one of these services must be procured correctly, and that’s what GSA’s contracts ultimately provide.

Shared services — effective and efficient

When done right, a complex resource like what I described above isn’t limited to one department, rather it’s a service that becomes easily available to every employee of the agency — a shared service.

The benefits of such an acquisition are enjoyed across the entire enterprise, and that might be the most exciting change — that government agencies are starting to plan and buy IT more as a single enterprise than a loose collection of disparate parts.

This is federal category management in action. Internally, we’ve restructured our program units to better support enterprise offerings like managed services.

What once was called our office of Telecommunications Services is now Enterprise Technology Solutions because customers increasingly want secure, simple, and flexible capabilities that run on top of traditional networks.

Shared services have both stayed the same and evolved. I have two of the original e-Gov services in my portfolio with USAccess and the Federal Public Key Infrastructure program. Agencies still rely on these offerings every day, and they go a long way to reducing duplication of effort.

GSA, here to help

Of course that’s only the first part of the question. What hasn’t changed is the hard work and dedication of public servants and industry partners working hand in hand to ensure each agency fulfills its mission.

Visit our website to learn more or use our IT Solutions Navigator to find the vehicle that’s right for you.


October is Cybersecurity Awareness Month


Is your agency cyber ready?

October is Cybersecurity Awareness Month and this year’s theme is “See Yourself in Cyber.”

Planning and executing a cybersecurity acquisition is a winding road. It can be daunting without a clear place to start. Federal agencies are challenged with navigating changing threat environments, new policy mandates, and an ever-evolving technology landscape. Acquisition professionals within the federal government have a large role in helping to protect our Nation’s networks and assets but don’t have to take this on alone. GSA offers convenient access to a range of resources to help identify requirements and create a plan, compare contract vehicles, and develop a solicitation to award a contract.

GSA is here to help “See Yourself in Cyber” and get your agency one step closer towards being cyber ready.

Current cybersecurity requirements

Executive Order (EO) 14028: Improving the Nation’s Cybersecurity and associated Office of Management and Budget (OMB) memoranda established critical policy goals federal agencies must follow. These goals include implementation of a Zero Trust Architecture (ZTA) and the adoption of Cybersecurity Supply Chain Risk Management (C-SCRM) practices within Information and Communication Technology (ICT) supply chains. Federal agencies have also been targeted in a number of high-profile cyber attacks resulting in new and evolving program needs to protect their networks from and respond to future attacks.

GSA offers multiple resources to help make sense of these new policies and program drivers and translate them into requirements for a solicitation:

  • GSA’s EO 14028 webpage and the Zero Trust webpage connect users with resources related to recent cybersecurity requirements.
  • GSA subject matter experts (SMEs) offer focused cybersecurity training that discusses many of the policy and technology drivers impacting the Federal cybersecurity marketplace.
  • GSA has multiple videos on cybersecurity on ITC’s YouTube playlist. Topics include use case scenarios for agencies seeking to procure cybersecurity solutions and the journey toward implementing a ZTA.

Buyer’s Guides

GSA offers a wide range of cybersecurity services and solutions. We know it can be difficult to select the right fit for your agency’s requirements. To help demystify this process, GSA developed a number of buyer’s guides that identify which solutions meet your agency’s specific cybersecurity needs:

GSA-offered cybersecurity services and solutions

GSA has several cybersecurity-specific contracting offerings, including:

  • The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) on the Multiple Award Schedule Information Technology (MAS IT), established in collaboration with OMB and the Cybersecurity and Infrastructure Security Agency (CISA), which provides:
    • Proactive and reactive cybersecurity services.
    • A wide range of vendors capable of meeting your agency’s small business and socioeconomic contracting goals.
    • Access to technically evaluated cybersecurity vendors. Vendors must pass an oral-technical evaluation to be able to offer services through the HACS SIN.

If you have questions about whether your requirement fits within the scope of the HACS SIN, GSA SMEs are available to provide free and individualized consultations, and scope reviews.

  • The IT Professional Services SIN on MAS IT that offers agencies:
    • Access to pre-vetted IT solution providers.
    • Pre-negotiated prices that can be further discounted.
    • Established terms and conditions at the master contract level that can be customized at the task order level.
    • A diverse pool of vendors to help meet socioeconomic and small business contracting goals.
    • Two cybersecurity-specific subcategories: IT Backup and Security Services, and Information Assurance.
  • The Continuous Diagnostics and Mitigation (CDM) Tools. CISA maintains the CDM Approved Products List (APL), the authoritative catalog for CISA-approved CDM IT products. To purchase products on the APL, agencies can use:

Planning and procurement tools

GSA gives buyers an entire toolbox to guide the process of developing and releasing a solicitation, from market research to procurement.

  • GSA’s Market Research as a Service (MRAS) gives buyers access to rapid, targeted market research for their acquisitions at no cost. MRAS can be used to identify GSA contracts that might fit requirements, get information on vendor pools and market data, or compare and search products offered on GSA Advantage!®.
  • Buyers can also use GSA’s IT Solutions Navigator to identify the right contract vehicles to meet cybersecurity needs. Users can select types of products or services to see a list of best-fit contract vehicles and solutions that meet requirements.
  • On GSA eLibrary, agencies can view vendor pools offered under different contract vehicles, review vendors’ terms and conditions, and view their socioeconomic designations and geographic locations.
  • The IT Security Hallway on the Acquisition Gateway displays multiple resources for government users in one convenient location. Users can access sample statements of work for the HACS SIN and a tool to help calculate Independent Government Cost Estimates (IGCE).
  • Agencies can also use GSA eTools, including GSA eBuy and GSA Advantage!®, to initiate the procurement process and release documents to industry. On GSA eBuy, Requests for Information, Requests for Quote, and Requests for Proposals can be released to holders of the contract vehicle selected. On GSA Advantage!®, buyers can compare products and pricing to make purchases or view past solicitations released as a resource.

GSA offers continued support

GSA support doesn’t stop once you’ve released your solicitation. We are committed to providing support to agencies throughout the entire acquisition lifecycle. If you have questions related to an offeror’s submission, or need to clarify questions from industry, our experienced cybersecurity and contracting SMEs can assist. For SME support, contact the GSA IT Security Subcategory at ITSecurityCM@gsa.gov.

While cybersecurity acquisitions may seem intimidating at first glance, GSA offers plenty of resources to help demystify the process. If you need additional assistance, you can contact the Customer Service Director (CSD) dedicated to your agency and region, or your agency’s National Account Manager (NAM). CSDs and NAMs are a valuable source of information on GSA programs and can connect you with further support or training. To learn more about CSDs and how they can help, watch this video.

Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.

Efficiency, security at the heart of ITC’s hardware solutions: governmentwide strategic solutions (GSS) blanket purchase agreement

The IT requirements of government agencies are always shifting, as is the IT acquisition landscape itself. The pandemic amplified the need for desktops and laptops so that agencies can continue carrying out missions during emergencies that keep folks away from a physical workplace. To meet this ongoing need, the Information Technology Category (ITC) established the governmentwide strategic solutions (GSS) BPAs in 2015.

As a Best-in-Class solution that offers desktop and laptop computers with standard configurations that can then be customized to meet customer requirements, the GSS BPAs are another example of how ITC hardware and software solutions are practical and cost-competitive for agencies.

Governmentwide strategic solutions (GSS) BPAs

The GSS BPAs allow all government agencies to simply “click and buy” pre-configured laptops, desktops, tablets, and monitors. They furnish option upgrades and services with a faster, more-efficient business model that provides cost savings for the government as well as next-generation technology customer-service capabilities. With a streamlined buying process for federal, state, local, and tribal governments, no additional competition or brand name justification is required. If an agency needs an end user device, this is the program to get it.

The GSS BPAs are recompeted annually to incorporate customer feedback and new products. This ensures:

  • The latest technology is available.
  • Technology configurations align with agency needs.
  • More consistent and competitive pricing.
  • Better terms and conditions.

Our Workstation Category Team works closely with agency and industry stakeholders to evaluate and refresh GSS standard configurations every nine months, helping the government aggregate demand and use its consolidated buying power.

On September 3, 2022, ITC awarded 4 categories for its Version 8 GSS BPAs for Dell, HP, Lenovo and Microsoft. The BPAs will have a performance period of 5 years, and products are available through GSA Advantage!® under GSS for IT products. To mitigate security risks, each of the awardees maintains a vetted supply chain risk management (SCRM) plan in compliance with the NIST standard. As of Version 8, all machines now have a RAM minimum of 16GB, and all performance machines boast a minimum of 32GB.

GSS BPAs by the numbers

Did you know that the largest purchasing customer off of the GSS BPA realized a bulk discount of 50 percent of the Schedule price? Check out some other GSS BPA statistics below to see how it measures up:

  • Agencies executing large-quantity purchases through GSA’s GSS program in FY22 have an average savings per unit of 38 percent off the base price.
  • The GSS Program has 29 vendors (23 of which are small businesses).
  • The U.S. Special Operations Command is the GSS BPAs’ top user with over $238 million of orders since FY18.
  • Over 1,300 total transactions have been conducted this year.
  • From FY20 to FY21, GSS program sales increased 36.4 percent, recognition of the value many agencies see in the program.

[Figure: A bar graph depicting GSS Program Sales from FY16 through FY21. The graph indicates a steady increase in total value in millions each FY.]

As the end of the fiscal year nears, check out the GSS BPAs as an easy-to-use, compliant and efficient purchasing option for your hardware needs. These BPAs are available via the GSA AdvantageSelect buying platform. Use eBuy to get quotes for your GSS desktop and laptop products.

To read more on how to buy, check out the ITC GSS buying guide. For more details on ordering, visit the GSS information page. Visit gsa.gov/gssdesktoplaptop to learn more about these solutions or use our IT Solutions Navigator to find the vehicle that’s right for you.


Efficiency, security at the heart of ITC’s hardware solutions: 2nd generation IT (2GIT) blanket purchase agreement

In Fiscal Year 2022, ITC has continued making GSA’s hardware and software solutions easy to use, cost-effective, compliant, and convenient for agencies. Two of ITC’s blanket purchase agreements (BPAs), the 2nd generation IT (2GIT) BPAs and governmentwide strategic solutions (GSS) BPAs, have raised the bar, addressing the current risk climate by:

  • incorporating supply chain risk management (SCRM) principles,
  • improving product availability, and
  • increasing customer training.

Whether you are looking for pre-competed commercial hardware, software, or ancillary services, ITC strives to deliver an efficient buying experience to get mission-enabling technology to you.

The 2GIT blanket purchase agreements

The 2GIT BPAs provide access to commercial off-the-shelf (COTS) hardware and software products and services. With almost 5 million products offered, they are available governmentwide, including to State, Tribal, and Local governments through GSA’s cooperative purchasing program.

SCRM is a foundational part of the 2GIT program, which employs groundbreaking SCRM best practices by performing active post-award compliance management in addition to 2GIT’s pre-award requirements. 

With cybercrime (data breaches, ransomware attacks, etc.) threats on the rise, 2GIT’s SCRM requirement addresses vulnerabilities associated with IT products cycling through the vendor’s order and delivery processes. To date, the continuous monitoring and direct engagement with our 2GIT BPA team leads and distribution partner awardees has resulted in key process improvements through verification and validation.

2GIT also benefits from another line of defense in our ongoing efforts to reduce supply chain risk: the Verified Products Portal (VPP). This portal is designed to freely host authoritative product content, including standardized manufacturer names, part numbers, specifications and more for wholesalers and authorized distributors. By doing so,

  • Buyers have accurate product descriptions.
  • Only authorized distributors and resellers are listed.
  • Industry products are marketed with authoritative and current information.

Since its pilot, the VPP has removed over 75,000 unauthorized products on GSA Advantage!® by working with industry.

2GIT by the numbers

  • 43 agencies have ordered off of the 2GIT BPAs, taking advantage of the more than 50 small business partners from different socioeconomic categories.
  • More than $127 million in sales have gone to small businesses, constituting more than 74 percent of total sales.
  • Over 59,000 2GIT transactions have been conducted on GSA Advantage!®, demonstrating our easy online ordering process.
  • ITC has conducted complimentary on-site and virtual customer support and training sessions on a global scale, including all Pacific and European Air Force units, reaching over 800 customers. These sessions are tailored to address unique aspects of the program, market research best practices, and how to procure through GSA eCommerce acquisition tools.

You can order 2GIT products through GSA Advantage!®, eBuy and Air Force Advantage!®. Agencies can submit requests for quote (RFQs) directly to 2GIT vendors on the eBuy portal under the BPA section. Only authorized 2GIT vendors can view and respond to RFQs posted there.

As we approach the end of another fiscal year, we encourage you to check out 2GIT as a straightforward purchasing option that helps meet your procurement needs and goals.
Visit gsa.gov/2git to learn more or use our IT Solutions Navigator to find the vehicle that’s right for you.


Last Chance: Signing Deadline Approaches for Expiring Telecom Contracts Continuity of Service MOU

In January, GSA decided it will invoke the Continuity of Service (CoS) clauses for expiring enterprise network and telecommunications contracts. This will allow agencies an additional year to either complete their transition to Enterprise Infrastructure Solutions (EIS) or find another solution to prevent interruption of services.

Transition has been slow for many federal agencies. As of June 30, 2022, only 94 percent of the planned task orders for transition have been awarded. Also, 5.3 million of the nine million legacy services governmentwide are still in use. These services range from telephone lines to high bandwidth secure internet access.

We urge agencies to push toward completing 100 percent disconnection of services by September 30, 2022, and to assess their risk of not completing transition by May 30, 2023. Those who need more time to transition must sign a Memorandum of Understanding (MOU) to be authorized to use the CoS period from June 1, 2023 to May 31, 2024.

Sign the MOU by September 30th

If an agency does not sign the MOU by September 30, 2022, GSA will remove the agency from the Networks Authorized User List (NAUL) for the expiring contracts. The contractors will begin the disconnect process as early as November 2022 and complete it no later than May 2023.

Agencies that want to take advantage of the CoS period can do so only under these conditions:

  • Agencies must sign a Memorandum of Understanding (MOU) with GSA by September 30, 2022: GSA has sent a copy of the MOU to all potentially impacted agencies. The MOU must be signed by the agency head, or their designee with delegated authority. If an agency’s transition team has not received a copy of the MOU, please contact GSA at eistcc.ta@gsa.gov.
  • On May 31, 2024 (the end of the 12-month CoS period), any services remaining active on the expiring contracts will be disconnected, according to the terms and conditions of their respective contracts. Services cannot be reinstated on those contracts.

If an agency will not complete transition before the CoS period ends, the agency must:

  • Identify the services that will be cut off when the CoS period ends;
  • Develop a contingency plan to maintain operation of those services on another contractual arrangement; and
  • Implement that contingency plan so when the contracts expire and the services are disconnected, the agency’s mission is not interrupted or otherwise negatively affected.

GSA Resources

If your agency is mid-transition, weigh the pros and cons of signing the MOU and make a risk-based decision appropriate for your agency.

GSA remains available to help you assess your transition risk and understand your acquisition options. We are holding monthly EIS Transition Office Hours and monthly Interagency EIS Transition Meetings, both of which act as a forum for agencies to share best practices and lessons learned and ask transition-related questions. For an invitation to these open forums, please email benjamin.todd@gsa.gov.

The legacy telecommunications contracts are expiring very soon. Do not delay in transitioning services and, if needed, signing the CoS MOU and conducting contingency planning.

GSA is and will continue to actively monitor agency progress toward stated EIS deadlines. If you need assistance, have additional data to share on the speed of your transition to EIS, or would like to meet with us, please contact your assigned GSA Solutions Broker.

For more information, visit gsa.gov/eistransition.
