Posts

Posted on

The Federal Mobility Group: Signals of Progress

In 2019, two distinct working groups comprised of federal telecom professionals merged to form the Federal Mobility Group (FMG). Focused on the four pillars of agency mission enablement, 5G technology, mobility security, and acquisitions, the FMG’s purpose is to:

  • Share information to enable government adoption of secure mobile technologies supporting mission
  • Identify/Address member priorities (gaps/challenge areas)
  • Identify/Address Federal CIO Council and Office of Management and Budget (OMB) priorities

GSA is one of three FMG Chairs, supported by subject-driven working groups. GSA shares its FMG leadership role with the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) and has served the FMG since inception. The FMG’s 2020 agenda focused on supporting agencies’ pandemic related security and mobility challenges as well as delivering research on Mobile Security and 5G.

2020 Recap

Working groups are the engines of the FMG – and while pandemic response was top of mind, the FMG working groups used 2020 to deepen exploration and discovery across many technical areas:

Mobility 101: Interested in how the federal government defines mobility? Need help understanding the existing acquisition options agencies can leverage to procure mobile technology? Watch the acquisition working group’s webinar highlighting available products and services.

5G Use Cases: The 5G & Mobile Network Infrastructure working group collected and edited 11 federal use cases and published their Framework to Conduct 5G Testing, a modular approach to support the diverse needs of government stakeholders. On April 27 and 28, 2021, the FMG will host an interagency workshop based around this framework.

5G Public Policy Guidance: Want to learn more about policies and regulations impacting the adoption of 5G? Read more about the accomplishments and work from the FMG on their site (PIV card required) where you can review the white paper published by the Mobile Network Infrastructure subgroup. Public facing news and deliverables can be found on the FMG page and News section of the Cio.gov site.

Engage, Explore, Educate: In addition to developing resources to support the mobile community, the FMG invites industry partners to share new technologies and discuss recent events and learning, ensuring the team benefits from industry best practices.

5G-Related Federal Initiatives

Looking Forward to 2021

The Federal Mobility Group has set a high bar for its 2021 deliverables. They include:

  • FY 21 & Beyond: FISMA Mobility Metrics Report
  • Integrated Data Collection Mobility Data Reporting/Analysis
  • International Travel Guidance For Mobile Devices
  • Mobile Security Ecosystem Whitepaper

On April 20, 2021 ATARC and the FMG will co-host an event showcasing the work of the team and discussing 5G and Mobile Security in government. Register here.

The Mobility team at GSA supports a growing number of digital tools and resources to position your program and contracting staff for long-term success. If your agency is interested in learning more about our suite of mobility offerings, GSA’s Multiple Award Schedule and Enterprise Infrastructure Solutions (EIS) have everything from Wireless Carrier Services to Mobile Threat Defense to Internet of Things (IoT) solutions.

Get Involved

The FMG includes 200+ federal mobility SMEs and support contractors from 45 agencies and bureaus across the federal and technical spectrum. The group meets bi-weekly to discuss a variety of topics. Membership requires an active .gov or .mil address. To join the team, email wireless@gsa.gov.

Other 5G/Mobility Great Government Through Technology posts:

As always, follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

FY20: Exceptional Work in an Exceptional Year

The Numbers Are In – Biggest Year on Record for GSA ITC!

In Fiscal Year 2020, the Information Technology Category (ITC) recorded more than $30 billion in business volume across its portfolio. For context, this accounts for nearly a third (33%) of the $89 billion total that was spent on IT across all federal agencies in FY20.

Accordingly, this past fiscal year proved to be a record year in other categories as well:

  • IT spending through the Multiple Award Schedule accounted for an impressive $18.1 billion of the $30 Billion total, bolstered by its $12.7 Billion in new obligations. In FY20, MAS IT impressively posted 18% annual growth in new obligations.
  • On the Small Business front, ITC accounted for $7.1 Billion in utilization from Government Wide Acquisition Contracts (GWACs), Schedules, and Telecommunications
  • ITC issued a single award via its telecommunications branch to the tune of $2.5 Billion, using the Enterprise Infrastructure Service (EIS) Contract. The award was made on behalf of the Department of Health and Human Services, and over the lifetime of the contract, the agency estimates it will save more than $700 million.
  • ITC accounted for more than $2 billion in savings and cost avoidance to their customers

FY20 Efforts in Review

The 2020 Fiscal Year drove change through every part of our lives. COVID-19 spurred dramatic change in government work culture and led to rapid technological adaptation across all agencies. A good deal of ITC’s increased business volume can be attributed to agencies transitioning to mobile-friendly technology. However, this unprecedented spending is also due to agencies acknowledging that GSA is a solid partner as they make big IT changes and choices about how to invest. We’re out front and focused when it comes to customer service, agile response to emergency needs, and delivery of mission-enabling and emerging technologies.

In 2020, customer agencies turned to GSA’s schedules program, assisted acquisition services and governmentwide acquisition contracts (GWAC) to fulfill pandemic-driven requirements as well as regular demand for products and services. Our success embodies the trust that federal agencies have put in us and our ability to address elements that our customers most care about:

  • Speed of acquisition
  • Assistance with mobile-friendly technology adoption
  • Technical and market expertise
  • Data transparency
  • General customer service

Agencies have turned to and relied on us to ensure their mission continuity and transition to a more untethered workforce.

In FY20, ITC launched the Information Technology Acquisition University (ITAU) to make it easier to learn about GSA’s products, IT solutions available through GWACs, MAS, and more. ITAU is a digital training platform for emerging technologies, their acquisition, GSA-specific contract training and more.

Additionally, ITC enhanced the Cloud Information Center, the GSA-curated federal resource hub for all things cloud, continuing to place valuable cloud computing resources in the hands of agencies.

These resources are ways that GSA is meeting the rise in demand for virtual access to our subject matter experts and more online learning platforms.

Looking Forward

In FY21, GSA is doubling down on emerging technologies as the way of the future. The 8(a) STARS III and Polaris government-wide acquisition vehicles will have Artificial Intelligence offerings (Machine Learning, Robotic Process Automation, Natural Language Processing), edge computing and more. As the Cybersecurity Maturity Model Certification (CMMC) effort ramps up and Supply Chain Risk Management (SCRM) principles are emphasized, GSA will continue to prioritize security as a core tenet of acquisitions.

As my Deputy Assistant Commissioner Keith Nakasone likes to remind me, agencies are coming to GSA to leverage our IT expertise and the buying power of the government. They want to know that the products they’re adding to their IT footprint aren’t jeopardizing their networks. To that end, the CMMC level can be designated as needed at the task order requirement level. Large contracts such as the 2nd Generation Information Technology (2GIT) hardware/software Blanket Purchase Agreements, have SCRM built in as a key operational component. Ultimately, GSA understands it plays a crucial role and has a considerable responsibility for an agency’s IT health.

Going into FY22, ITC will continue to provide the tools needed to successfully modernize while prioritizing cost-efficiency, expediency, and security. Leveraging Best In Class (BIC) contracts is one way. Taking advantage of online resources like ITAU and the CIC is another. Give your agency a reason to acquire with confidence — work with GSA for your next IT acquisition.

As always, follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.
To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

Continuous Monitoring: Keeping Your System Up to Date and Prepared for Cyberattacks

Continuous monitoring of IT systems is an evolving process. It adapts as new technologies and capabilities become available and as organizations are faced with advanced and persistent threats. However, the core strategies of continuous monitoring lay the foundation for safe and secured federal IT systems.

Continuous monitoring helps agencies identify, resolve, and understand key insights regarding certain risks to their information systems. The Risk Management Framework (RMF) process consists of several steps that include preparing a system for authorization, authorizing the system, and continuously monitoring the system until the next authorization process begins. The monitoring step is essential for agencies that want to minimize risks to their security systems.

As mentioned in previous posts, the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) solution is available for agencies in need of cybersecurity services, including RMF. GSA’s HACS solution connects agencies with vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors to assist with continuous monitoring strategies and Security Operations Centers (SOCs) activities.

After agencies obtain Authorization to Operate (ATO), they move into the continuous monitoring step of the RMF process. Though continuous monitoring strategies can vary by agency, usual tasks include near real-time risk management and ongoing authorization based on the system environment of operation. This step’s dynamic processes determine if a system’s security controls continue to be effective over time.

Risk Management Framework (RMF) image
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

RMF services are available through GSA’s HACS SIN. A Statement of Work (SOW) for the RMF process can be found on the HACS website and includes example language for procuring services for the Monitor Step. The SOW outlines several subtasks that make up the continuous monitoring phase of RMF.

Roles and Responsibilities within the Continuous Monitoring Strategy

As part of the continuous monitoring process, the agency will oversee information system and environment changes. This process involves determining the security impact of proposed or actual changes to the information system and its environment of operation.

Security Control Assessments

An Information Owner (IO), Security Control Assessor (SCA), Information System Security Officer (ISSO), and Information System Security Engineer (ISSE) will be responsible for ongoing security control assessments. The IO is an inherently governmental position; however, contractors can provide support for the other roles in most situations. In these assessments, personnel examine the technical, management, and operational security controls within an information system. This practice ensures that a system is in accordance with the agency’s monitoring strategy.

Risk Determination

The Chief Information Security Officer (CISO) performs ongoing risk determination and acceptance as a part of continuous monitoring. This task consists of reviewing the reported security status of the information system (including the effectiveness of security controls employed within, and inherited by, the system) on an ongoing basis. The CISO aims to determine whether the risk to the agency’s system remains acceptable. If a risk is not acceptable, remediation will take place. This CISO is in an inherently governmental position; however, contractors can provide subject matter expertise and recommendations for risk determinations.

Ongoing Remediation

The IO and ISSO take part in ongoing remediation actions throughout the continuous monitoring process. Along with the Information System Owner (ISO) and the Common Control Provider (CCP), these personnel conduct remediation actions based on the results of ongoing monitoring activities, the assessment of risk, and outstanding items in the Plan of Action and Milestones.

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to monitor its systems, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

GSA’s VETS 2 GWAC Celebrates 3rd Year Anniversary

February 23, 2021 marks the third anniversary for GSA’s VETS 2 Governmentwide Acquisition Contract (GWAC). Customers from across the federal government have used VETS 2 for a wide variety of IT Services while also receiving Service-Disabled, Veteran-Owned Small Business (SDVOSB) credit toward their Small Business Procurement Scorecard, as well as Best-in-Class (BIC) Tier 3 credit toward Spend Under Management goals. I’m pleased to report that in just three years, VETS 2 has more than 100 task order awards with a total estimated value at approximately $1.1 billion.

VETS 2 provides access to 69 highly qualified companies capable of completing virtually any IT service requirement, including agile software development, artificial intelligence, cloud computing, and other emerging technologies. Customers have used VETS 2 for a wide range of mission-critical requirements, including a web conferencing solution at GSA, a cybersecurity support project for the Office of the Secretary of Defense, and an IT service desk for the US Air Force, to name a few. With strategic partners like the Department of Homeland Security (DHS) and Treasury identifying GSA Best-in-Class GWACs as preferred sources for IT requirements, the future is bright for VETS 2.

I couldn’t be more proud of the VETS 2 program team and our small business industry partners – the work they do makes a real difference. With an initial period of performance through February 22, 2023, and a five-year option until February 22, 2028, VETS 2 has a lot of runway to help your agency achieve its mission.

For more information on specific task orders on VETS 2, visit the Governmentwide Acquisition Contract Dashboards page. Additional information about the contract and training opportunities can be found at the VETS 2 page. Please send questions about VETS 2 to vets2@gsa.gov.

As always, follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

EIS Endgame – The Next Phase of the Government’s Transition Off Expiring Telecommunications Contracts

“Often, greater risk is involved in postponement than in making a wrong decision.”

Harry Hopf, a business consultant of the early 20th century, said these words, and many project management gurus probably have them hanging decoratively on their (now home) office walls.

This quote sums up our advice to agencies as we approach the next milestone guiding the governmentwide transition off GSA’s expiring Networx, Washington Interagency Telecommunications System 3 (WITS3), and Local Service Agreement contracts. In this post, we will explore why the transition should be at the top of everyone’s mind and what to expect from GSA as we close it out.

Enterprise Infrastructure Solutions timeline with milestone dates.

Time Is Running Out

By September 30, 2022, 100% of agencies’ telecom inventory must be off the expiring contracts and moved to GSA’s Enterprise Infrastructure Solutions (EIS) program.

The transition, at this point in time, presents an opportunity for your agency to take control of its own destiny. Agencies have seen upwards of 30% savings over current costs and will benefit as they transition their services. They don’t have to worry about exponential cost increases or operational disruptions due to services left on expired contracts. They are free to implement their modernization plans, confident that the technologies and services they plan to introduce are secure and in-scope.

GSA Positions Agencies for a Successful Transition

Some agencies are still in the process of contractor selection. We understand that pandemic mission priorities have taken precedence and want to reaffirm our availability to support agency transitions. If your agency is struggling with the acquisition phase, GSA is here to help! Key services include:

  • An inventory of complete services that need to be transitioned, including custom reports for your agency
  • Technical, acquisition, and ordering assistance, plus automated tools to directly assist agencies with expediting EIS task orders
  • GSA in-scope reviews of agency solicitations
  • Regular outreach to agencies’ Integrated Transition Teams to monitor transition progress and provide guidance

Disconnect Before You’re Disconnected

March 31, 2021 is the next major transition milestone, when 50% of legacy services must be disconnected. At the current rate, the government is not on track to meet the September 30, 2022 milestone for completion. Reliance on expiring contracts risks disruption of critical services delivered to the public.

We made that fact plain in a January 27 letter to all our agency partners and outlined remedies for any agency in jeopardy of missing the milestone dates. In particular, we want agencies to be aware that as of October 1, 2021, GSA will no longer accept or process any exception requests for its expiring contracts.

This is all part of GSA’s plan for the Closeout of Transition to EIS, which details the phased approach we will employ to complete the disconnection of services from the expiring contracts. The objective is to get agencies to transition themselves, with our support, and avoid unilateral disconnection. For those left with services on expired contracts, there will be no viable way to reinstate them. GSA will be unable to help.

Act Now

If your agency needs help with its transition, please contact the IT Customer Service Center at 855-482-4348, or send an email to ITCSC@gsa.gov. We encourage you to reach broadly across the CXO community in your agency. Include Chief Information, Acquisition, and Financial Officers in conversations on transition, financials, and risk.

For more resources on this topic, visit our EIS Transition page. Here you’ll find the GSA Transition Handbook, the GSA Project Plan for Closeout of Transition, the Transition Progress Tracking Report, and much more.

As always, follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

Can Your Network Adapt to Current and Future Demands? With SD-WAN, It Can!

How adaptable is your network?

Think back on how your organization worked through the early months of the COVID-19 pandemic, and you’ll have your answer.

Having a Modernized Infrastructure Paid Off

Agencies with modernized services such as Ethernet-based networks and software-based IP phones were able to operate with minimal disruption as their workforce shifted to full time telework. They took advantage of scalable bandwidth to quickly meet increased network requirements without the need for physical or onsite changes. This agility is one of the many advantages of modern infrastructure and cloud deployed applications. IP Voice users similarly kept making calls regardless of their physical location, and those with Unified Communications leveraged capabilities such as chat, conferencing, collaboration tools and presence applications to keep their workforce on mission.

SD-WAN Integrates and Orchestrates Your Network

IT leaders are actively seeking to implement a new networking technology called Software Defined – Wide Area Network (SD-WAN). SD-WAN can securely connect your headquarters, data centers, branch offices, and remote workers with numerous cloud-based services. SD-WAN can enable Trusted Internet Connection (TIC) use cases, segment users and applications, and play a role in Zero Trust Network architectures.

SD-WAN Is Now a Managed Service Under EIS

We recently added SD-WAN to our Enterprise Infrastructure Solutions (EIS) contract. SD-WAN is ideal for improving network performance since it increases visibility and control enterprise-wide. It saves money and increases performance by allowing the use of different types of internet connections such as broadband internet, 4G/5G wireless internet or high-availability Direct Internet Access based on availability and need. It can even be incorporated with existing Multiprotocol Label Switching (MPLS) circuits for critical applications.

SD-WAN Features and Ordering At-a-Glance

Our team created four new use cases for SD-WAN, Ethernet, IP Voice and Traditional TIC to show key info as a handy reference. These single-page infographics highlight the technologies we see driving modernization, the business value those technologies can offer you, and our implementation recommendations. We also offer supporting documents such as in-depth savings analyses, service guides, and whitepapers.

Software Defined - Wide Area Network graphic
SD-WAN Modernization Use Case pictured above. Download the PDF version.

In a GSA analysis of SD-WAN, medium-sized agencies can achieve a cost avoidance of 42%. Our SD-WAN Overview and Ordering Guide lays out everything you need to evaluate SD-WAN and acquire it on EIS. How’s your network able to support the ever-expanding use of cloud services? Utilize the numerous GSA resources to assist your organization to modernize with SD-WAN.

For additional information on what IT modernization could look like for your agency, please contact your designated GSA representative or call 855-482-4348.

Visit the Enterprise Infrastructure Solutions page to learn more and use our IT Solutions Navigator to find the vehicle that’s right for you.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

Polaris: Women Owned Small Businesses, Get SBA Certified

On December 31, 2020, GSA released the Draft Request For Proposal (RFP) for comment for our next generation small business GWAC, Polaris. With the creation of Polaris, GSA will build on the success of the now-expired Alliant Small Business GWAC by providing additional opportunities for small businesses, including but not limited to, HUBZone and woman-owned small business (WOSB) firms. We couldn’t be more proud of our team for putting this together, and we’re looking forward to your feedback.

WOSBs are Key Contributors

As we indicated in the draft RFP, GSA is considering socioeconomic pools to include WOSBs to maximize competition within the Information Technology Category. It’s very important to GSA that WOSBs are included in our contracts as they are key contributors to the government marketplace. It’s vital that the government have access to a robust pool of SBA certified WOSBs to ensure access to as broad of an industrial base as possible.

GSA is encouraging WOSBs to respond to the draft RFP to help ensure the following:

  1. there is a sufficient pool of WOSBs that are SBA certified
  2. to meet the annual federal goal of 5 percent of all federal contract dollars spent being awarded to WOSBs
  3. to help increase competition in the IT emerging technologies and innovations space.

You’re a WOSB, Why Get Involved?

In FY20, the federal government invested more than $87 billion in IT, with approximately $47 billion allocated to IT services. Federal agencies awarded $15.6 billion in IT services to small businesses, with more than $5 billion awarded through IT Category contracts. Every day, small businesses are making a huge impact in helping agencies achieve their missions.

SBA WOSB Certification

As of July 15, 2020, The U.S. Small Business Administration (SBA) implemented Congress’ changes to the WOSB Federal Contracting Program, as outlined in the 2015 National Defense Authorization Act (NDAA).

We’re encouraging WOSBs to work with the SBA, which implements and administers the WOSB Federal Contracting Program, in order to understand and navigate the certification process to ensure the right certifications are in place.

  • Before firms can compete for WOSB Federal Contracting Program set-aside (including Polaris) contracts, they must apply for certification through the new process on beta.certify.sba.gov
  • For more information about the new application process, please review the following fact sheet.
  • Additionally, beta.Certify Knowledge Base is a valuable resource for firms to get started learning about this new platform with how-to videos, user guides.

WOSBs, Helping Light the Way

We couldn’t be more excited about the future of our small business GWAC program and Polaris is going to help light the way. To be truly successful, we need your help in getting WOSBs certified.

To follow the Polaris conversation subscribe to the GSA Interact page: Small Business GWAC Community of Interest. Also, please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

Working Untethered: Enable Your Mission with GSA Best-In-Class Mobility Solutions

In the 1990s, the Department of Defense adopted the term “untethered” to describe an emerging military doctrine made possible by advances in wireless communications technology. Untethered operations meant they could be launched anytime, anywhere, thanks to systems that were flexible, secure, cost-effective, and —above all— attainable.

Out of necessity, the federal workforce is now working untethered. Sometimes, that makes us feel isolated, but we know the productivity tools we are putting in place today will shape how agencies can effectively carry out their missions tomorrow. Now is the time to equip the mobile workforce with the right mix of products and services, so teams can continue to work untethered while still staying connected.

Untethered Doesn’t Mean You’re On Your Own

GSA’s Wireless Mobility Solutions Program keeps your workforce connected and anchored; it provides everything you need to support your agency’s wireless needs. Our Best-in-Class (BIC) contract includes wireless carriers and resellers, telecommunications expense management, mobile device management, mobile security, and more.

The Wireless Mobility Solutions Special Item Number (Wireless SIN) on the Multiple Award Schedule is the path that makes it possible.

Everything Where You Need It

The Wireless SIN is a seasoned contract that is continuously evolving to keep pace with commercial offerings and best practices. Because it’s Best-in-Class, agencies will have access to category management data they can leverage to save time and resources.

Building on the successes of the FSSI Wireless BPA program, we’ve expanded the Wireless SIN to create a one-stop-shop that includes 11 subcategories.

  1. Wireless Carrier Services
  2. Mobile Hardware/Infrastructure
  3. Mobility-as-a-Service (MaaS)
  4. Enterprise Mobility Management (EMM)
  5. Mobile Backend-as-a-Service (MBaaS)
  6. Telecom Expense Management Services (TEMS)
  7. Mobile Application Vetting
  8. Mobile Threat Protection (MTP)
  9. Mobile Identity Management
  10. Internet of Things (IoT)
  11. Other/Mobile Services

Tested and Proven

The COVID-19 pandemic has highlighted the importance of streamlined acquisition. A public health agency was able to use our program and quickly gain access to more than 7,000 first responder-capable wireless devices to better support their efforts across the country.

A Contract with a Community

Improving customer experience is a driving force behind every ITC offering. In addition to managing a Best-in-Class contract, the Wireless Mobility team at GSA supports a growing number of digital tools and resources to position your program and contracting staff for long-term success, including:

Our Wireless Mobility team also plays a key role in the ongoing efforts of the Federal Mobility Group (FMG), an interagency community of practice focused on 5G adoption, Internet of Things (IoT) applications, artificial intelligence, security concerns and policy regulations. Through the FMG, our community is engaged in continuous learning and collaboration. Everyone is untethered, but no one is alone.

Untether Today

If you have comments, questions, or want to join the FMG, contact our Wireless Mobility team at wireless@gsa.gov

GSA’s MAS IT Category continually works to deliver enterprise mobility solutions to achieve value, cost savings, and balance between functionality, security, and management for its customers. Take advantage of the BIC Wireless Mobility Solutions SIN and more by visiting our IT Solutions Navigator to find the vehicle that’s right for you.

As always, follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

Veteran Owned Companies Bring Cybersecurity Expertise to Federal Customers

As we celebrate Veterans Day, we want to take a moment to appreciate all of the men and women who contribute to this great nation through their service in our military. America’s veterans are one of our most valued resources. Veterans bring a unique skill set, knowledge, and experience to everything they do; and GSA has been able to tap into their valuable expertise through our Service-Disabled Veteran-Owned Small Business (SDVOSB) contract for IT Services, VETS 2.

GSA’s VETS 2 Governmentwide Acquisition Contract is available to all federal customers. Agencies purchasing IT services through the VETS 2 contract demonstrate how prevalent veterans are in supporting mission-critical IT services needs across the federal landscape. One of the important core capabilities of VETS 2 is Cybersecurity. The SDVOSB firms on the contract have done the work, and 77 percent of the firms have extensive experience in cybersecurity. More than 60 of the VETS 2 industry partners have a secret or top-secret facilities clearance. These companies are well established in the IT industry. The background they bring with their previous military experience has been key to their success.

The IRS, Treasury, DHS, DoD, Army, and Air Force have all tapped into the expertise of our VETS 2 Industry Partners. They have placed task orders on the contract for IT Security and Cybersecurity requirements. Since the inception of the VETS 2 contract in February of 2018, there have been 21 task orders specifically to support IT Security needs within the government. This shows that veterans can provide the specialized knowledge, skills, and abilities that are needed today.

The single largest task order that has been issued on the VETS 2 contract was completed by GSA’s Federal Systems Integration and Management Center (FEDSIM) on behalf of the United States Army Pacific (USARPAC). This task order will help USARPAC in providing a quality-focused process and capability that enables effective sustainment and modernization of critical Command, Control, Communications, Computers (C4), and IT systems. These services include site surveys, engineering, design, procurement, logistics, implementation, operations and maintenance, knowledge management, cybersecurity, and training of new and existing C4 IT systems. This is an excellent example of the broad capabilities available through VETS 2.

2020 has been hugely successful for the VETS 2 contract, with 97 task orders worth more than $1 billion. This contract is only in its third year and is already surpassing expectations. There are 69 industry partners on the contract with a variety of specialized IT services core capabilities. VETS 2 is also a Best-in-Class contract as designated by the Office of Management and Budget. Federal customers using VETS 2 will receive socioeconomic credit toward small business goals as well as credit toward their
Spend Under Management goals.

On Veteran’s Day each year, we reflect on the hard, mission-enabling work our veterans continue to deliver for our government every day, and I couldn’t be more proud of our VETS 2 team and industry partners.

For more information about the industry partners on the contract, check out our VETS 2 website.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Posted on

Authorization to Operate: Preparing Your Agency’s Information System

To close out National Cybersecurity Awareness Month, here are some steps federal agencies can take to protect their IT systems from cyber attacks and cybersecurity vulnerabilities using the Authorization to Operate (ATO) process.

An ATO demonstrates that a federal agency has gone through a federally approved, detailed process to protect an IT system from incidents such as cyberattacks, security breaches, malware, and phishing attempts. Many federal IT systems are required to obtain an ATO to process government data and federal regulations recommend that agencies follow the Risk Management Framework (RMF) to become authorized.

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides solutions for all of an agency’s cybersecurity service needs, including RMF. The HACS SIN connects agencies with vendors who have passed oral technical evaluations for cybersecurity services performed within the RMF, and who are ready to assist agencies with the RMF process for a successful authorization.

RMF Graphic full definitions ATO highlight (3)
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

All of the steps, tasks, and activities that precede the “Authorize” step of the RMF help to prepare the information system for the authorizing official’s appraisal. The authorizing official is not a contractor, but a federal employee of whichever agency is seeking ATO.

The HACS SIN connects federal agencies with contractors who can help in each stage of the RMF. Contractors can assist agencies in producing the deliverables associated with each RMF step listed in the chart below.

Disclaimer: RMF deliverables can vary based on an organization’s cybersecurity needs.

Once an agency has successfully completed the first four steps of the RMF (“Categorize” through “Assess”), an authorizing official will evaluate the system. The authorizing official for the federal agency in question evaluates residual risks identified during the security control assessment, and makes the decision to authorize the system to operate, deny its operation, or ask the agency to address any issues.

When granting an ATO, authorizing officials look for the following checklist of items:

  • Plan of Action and Milestones (POA&M)
  • Authorization Package
  • Final Risk Determination and Risk Acceptance
  • Authorization Decision

The POA&M is one of the most important deliverables produced in the RMF process. It reflects organizational priorities for addressing any remaining weaknesses and deficiencies in an information system and its environment of operation. The Authorization Package includes all key documents including the security plan, security assessment report, and the POA&M. 

Following the RMF steps helps your agency to achieve ATO, but the work does not end after an ATO is issued. Agencies must also continuously monitor their systems to ensure that security controls remain effective over time.

In addition, many federal agencies must reauthorize their information systems every three years by going through the RMF process again. This is where the final step of the RMF, “Monitor Controls,” is important. As part of continuous monitoring, a sample of the applicable security controls are tested annually, periodic vulnerability scanning is performed, and security impact analysis of changes are performed. If an agency continuously monitors its systems over those three years by documenting specific technical changes, environment changes, or changes to the organizational risk management strategy, it may be easier to renew an ATO because any security risks can  be mitigated at the time they occur. 

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to achieve an ATO, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.