October is Cybersecurity Awareness Month

Posted by Laura Stanton
on October 6, 2022

Is your agency cyber ready?

October is Cybersecurity Awareness Month and this year’s theme is “See Yourself in Cyber.”
Planning and executing a cybersecurity acquisition is a winding road. It can be daunting without a clear place to start. Federal agencies are challenged with navigating changing threat environments, new policy mandates, and an ever-evolving technology landscape. Acquisition professionals within the federal government have a large role in helping to protect our Nation’s networks and assets but don’t have to take this on alone. GSA offers convenient access to a range of resources to help identify requirements and create a plan, compare contract vehicles, and develop a solicitation to award a contract.

GSA is here to help “See Yourself in Cyber” and get your agency one step closer towards being cyber ready.

Current cybersecurity requirements

Executive Order (EO) 14028: Improving the Nation’s Cybersecurity and associated Office of Management and Budget (OMB) memoranda established critical policy goals federal agencies must follow. These goals include implementation of a Zero Trust Architecture (ZTA) and the adoption of Cybersecurity Supply Chain Risk Management (C-SCRM) practices within Information and Communication Technology (ICT) supply chains. Federal agencies have also been targeted in a number of high-profile cyber attacks resulting in new and evolving program needs to protect their networks from and respond to future attacks.

GSA offers multiple resources to help make sense of these new policies and program drivers and translate them into requirements for a solicitation:

  • GSA’s EO 14028 webpage and the Zero Trust webpage connect users with resources related to recent cybersecurity requirements.
  • GSA subject matter experts (SMEs) offer focused cybersecurity training that discusses many of the policy and technology drivers impacting the Federal cybersecurity marketplace.
  • GSA has multiple videos on cybersecurity on ITC’s YouTube playlist. Topics include use case scenarios for agencies seeking to procure cybersecurity solutions and the journey toward implementing a ZTA.

Buyer’s Guides

GSA offers a wide range of cybersecurity services and solutions. We know it can be difficult to select the right fit for your agency’s requirements. To help demystify this process, GSA developed a number of buyer’s guides that identify which solutions meet your agency’s specific cybersecurity needs:

GSA-offered cybersecurity services and solutions

GSA has several cybersecurity-specific contracting offerings, including:

  • The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) on the Multiple Award Schedule Information Technology (MAS IT), established in collaboration with OMB and the Cybersecurity and Infrastructure Security Agency (CISA), which provides:
    • Proactive and reactive cybersecurity services.
    • A wide range of vendors capable of meeting your agency’s small business and socioeconomic contracting goals.
    • Access to technically evaluated cybersecurity vendors. Vendors must pass an oral-technical evaluation to be able to offer services through the HACS SIN.

If you have questions about whether your requirement fits within the scope of the HACS SIN, GSA SMEs are available to provide free, individualized consultations and scope reviews.

  • The IT Professional Services SIN on MAS IT that offers agencies:
    • Access to pre-vetted IT solution providers.
    • Pre-negotiated prices that can be further discounted.
    • Established terms and conditions at the master contract level that can be customized at the task order level.
    • A diverse pool of vendors to help meet socioeconomic and small business contracting goals.
    • Two cybersecurity-specific subcategories: IT Backup and Security Services, and Information Assurance.
  • The Continuous Diagnostics and Mitigation (CDM) Tools. CISA maintains the CDM Approved Products List (APL), the authoritative catalog for CISA-approved CDM IT products. To purchase products on the APL, agencies can use:

Planning and procurement tools

GSA gives buyers an entire toolbox to guide the process of developing and releasing a solicitation, from market research to procurement.

  • GSA’s Market Research as a Service (MRAS) gives buyers access to rapid, targeted market research for their acquisitions at no cost. MRAS can be used to identify GSA contracts that might fit requirements, get information on vendor pools and market data, or compare and search products offered on GSA Advantage!®.
  • Buyers can also use GSA’s IT Solutions Navigator to identify the right contract vehicles to meet cybersecurity needs. Users can select types of products or services to see a list of best-fit contract vehicles and solutions that meet requirements.
  • On GSA eLibrary, agencies can view vendor pools offered under different contract vehicles, review vendors’ terms and conditions, and view their socioeconomic designations and geographic locations.
  • The IT Security Hallway on the Acquisition Gateway displays multiple resources for government users in one convenient location. Users can access sample statements of work for the HACS SIN and a tool to help calculate Independent Government Cost Estimates (IGCE).
  • Agencies can also use GSA eTools, including GSA eBuy and GSA Advantage!®, to initiate the procurement process and release documents to industry. On GSA eBuy, Requests for Information, Requests for Quote, and Requests for Proposals can be released to holders of the contract vehicle selected. On GSA Advantage!®, buyers can compare products and pricing to make purchases, or view past solicitations as a resource.

GSA offers continued support

GSA support doesn’t stop once you’ve released your solicitation. We are committed to providing support to agencies throughout the entire acquisition lifecycle. If you have questions related to an offeror’s submission, or need to clarify questions from industry, our experienced cybersecurity and contracting SMEs can assist. For SME support, contact the GSA IT Security Subcategory at ITSecurityCM@gsa.gov.

While cybersecurity acquisitions may seem intimidating at first glance, GSA offers plenty of resources to help demystify the process. If you need additional assistance, you can contact the Customer Service Director (CSD) dedicated to your agency and region, or your agency’s National Account Manager (NAM). CSDs and NAMs are a valuable source of information on GSA programs and can connect you with further support or training. To learn more about CSDs and how they can help, watch this video.

Follow ITC on Twitter and LinkedIn, and subscribe for blog updates.


C-SCRM Acquisition Community of Practice (ACoP) Interact Site

Posted by Laura Stanton
on June 30, 2022

Since the launch of the C-SCRM Acquisition Community of Practice (ACoP), GSA and CISA have been co-leading an effort to broaden the level of awareness and develop agency maturity in the areas of acquisitions, supply chain risk management, and cybersecurity across the Federal Government for information communication technology and services (ICTS).

Many federal departments and agencies have limited C-SCRM capabilities, resources, governance, guidance, and training; especially in the acquisition of ICTS. We need governmentwide collaboration with industry and the sharing of ideas, tools, guidance, and best practices for C-SCRM as part of the acquisition of ICTS.

Many don’t see the acquisition workforce as a key component of agencies’ cybersecurity teams. But federal procurement professionals have unique opportunities, through contracting, to ensure the safety and security of the federal government’s ICTS, help strengthen cybersecurity across networks, and prevent incidents like SolarWinds from occurring.

To increase C-SCRM awareness and adoption government-wide, the C-SCRM ACoP launched an online collaborative space for the federal government’s IT community and industry to share best practices, ideas, guidance, tools, and expertise needed to implement C-SCRM requirements. Working together as a community and sharing information will help us improve our cybersecurity posture across all levels of government.

The C-SCRM ACoP has hosted key events such as the C-SCRM Shark Tank event in collaboration with the American Council for Technology – Industry Advisory Council (ACT-IAC) where industry experts showcased innovative C-SCRM solutions to a government panel. The C-SCRM ACoP also plans to conduct a survey of industry to identify C-SCRM challenges and suggest best practices from industry’s perspective.

Additionally, the C-SCRM ACoP hosts monthly sessions open to federal employees and agency support staff. These sessions and events, held in collaboration with CISA, offer opportunities for knowledge sharing and cross collaboration focusing on supply chain risk awareness and advancements in cyber-acquisitions. Subject matter experts are on hand to provide not only information related to cybersecurity and acquisition integrity, but also best practices and lessons learned.

Joining the C-SCRM ACoP helps:

  • Enhance the Federal Government’s cross-agency collaboration
  • Identify agencies’ strengths and capabilities in leading strategic C-SCRM objectives
  • Rapidly disseminate best business practices & outcomes
  • Learn from other agencies

To join the C-SCRM ACoP, email us at C-SCRM_ACoP@gsa.gov.

Visit the C-SCRM ACoP’s Interact site to be part of this collaborative journey.


Reducing Cyber Supply Chain Risks

Posted by Laura Stanton
on November 3, 2021

From reports of large-scale cyber attacks such as SolarWinds to President Biden’s signing of Executive Order 14028, Improving the Nation’s Cybersecurity, cyber supply chain risks have been top of mind for policymakers and federal agencies governmentwide.

GSA is committed to helping agencies mitigate cyber supply chain risks. By understanding the threats, agencies are positioned to take defensive action against them.

Ecosystem threats

Government depends on a global supply chain ecosystem: vendors, distribution routes, technologies, laws, and policies. Each piece of this ecosystem works together to design, manufacture, distribute, use, and manage products and services.

However, these supply chains’ ecosystems can expose government organizations and enterprises to financial, governance and cybersecurity risks.

Of these risks, one of the most troubling is that someone will use vulnerabilities in a supply chain to carry out a cyberattack.

A supply chain cyber attack occurs when an attacker uses a trusted outside partner or vendor with access to a system’s data to infiltrate an information system.

Because supply chain attacks are difficult to prevent and can greatly harm any organization, federal agencies must identify, categorize, manage, and mitigate risks within their supply chains.

In its December 2020 report, the Government Accountability Office (GAO) assessed how 23 civilian CFO Act agencies implemented 7 Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) practices.

In their review, the GAO found that many agencies had not implemented the practices according to their evaluation criteria and that no agencies had fully implemented all 7 practices.

What you can do

You can take proactive measures in information and operational technology acquisitions to reduce an organization’s cyber supply chain risks.

  • Evaluate your organizational structure. Set up a collective task force to secure your supply chain and empower this team to hold lower-level suppliers accountable and to have responsibility for overall supply chain security.
  • Identify and empower supply chain leadership. Review and monitor key contracts to verify that prime and subcontractors maintain security practices through the contract lifecycle. Threat intelligence and incident response capabilities must work together.
  • Put data protection and stakeholder communication processes in place. Set requirements for communicating and protecting data, specifically for incidents, breach notifications, and industry or legal reporting requirements.
  • Build trust by sharing threats with your supply chain partners. Prevent communication delays by being transparent about an attack or a potential breach. Transparent leadership and communication create trust. Building that trust requires a commitment to straight talk, the ability to produce results, and the ability to restore trust when trust is lost.

GSA C-SCRM Resources

For the last 10 years, federal guidance and regulations have prioritized SCRM. This priority reflects the increasing threat of vulnerabilities in the nation’s supply chain.

We’re continuing to develop ways to help agencies reduce supply chain risk, like the Vendor Risk Assessment Program and the Cyber Supply Chain Risk Management Acquisition Community of Practice.

Vendor Risk Assessment Program

We are currently developing a program that can identify, assess, and monitor supply chain risks for vendors who do critical work for the federal government. It will audit supply chain risk processes or events and may include on-site assessments.

The following criteria will be monitored:

  • Risk of foreign ownership, control or influence;
  • Cyber risk; and
  • Factors that would affect the company’s vulnerability, such as financial performance.

If the risk assessment identifies supply chain risks, we will work with the vendor on a corrective action.

We take this seriously. Failing to resolve any identified risk may result in government action up to and including contract termination.

Cyber Supply Chain Risk Management Acquisition Community of Practice

In August 2021, we established a C-SCRM Acquisition Community of Practice (ACoP). It includes key acquisition stakeholders from GSA, Cybersecurity and Infrastructure Security Agency (CISA), Office of Management & Budget (OMB), and other federal agencies.

The goal of C-SCRM ACoP is to increase awareness and develop maturity in the areas of cyber-acquisitions and Information Communication Technology and Services (ICTS) supply chain risk management across the federal government.

Many federal departments and agencies need to mature C-SCRM capabilities, guidance, and training. This is particularly true for acquiring ICT hardware and software.

We need governmentwide contract language for getting ICT products that holds vendors accountable for assessing the risk of their supply channels, especially for embedded software.

To learn more about the C-SCRM ACoP or to join, email C-SCRM_ACoP@gsa.gov.

Coordination is key

Agencies must continuously monitor their interconnected IT ecosystem and establish the necessary contract requirements that ensure vendors are doing the same.

Stay up to date on the latest GSA C-SCRM initiative by following us on Twitter @GSA_ITC.


GSA’s Enterprise Infrastructure Solutions Instills Cybersecurity Confidence

Posted by Laura Stanton
on August 2, 2021

On May 12, the White House issued the Executive Order on Improving the Nation’s Cybersecurity. This EO underlines the fundamental problem of how cybersecurity weaknesses leave critical infrastructure open to debilitating attacks. It also outlines what government agencies must do to improve their collective defensive posture, reduce risk, improve visibility and secure their infrastructure.

GSA’s Information Technology Category (ITC) tracks cybersecurity trends and is involved in conversations with industry experts on this topic. We incorporate the EO’s technological goals in our contract solutions, like the Enterprise Infrastructure Solutions (EIS) contract.

When it comes to network security, Zero-Trust Architecture (ZTA) is the gold standard. We even published a Zero Trust Architecture Buyer’s Guide to help agencies build toward it. EIS is featured prominently in the guide, because it offers baked-in security “building blocks” to create customizable solutions.

Managed Security Services

The EIS Managed Security Service (MSS) is a comprehensive service that protects an agency’s information technology assets—hardware devices, network, software, and information—from malicious attacks. It includes capabilities such as authentication, anti-virus, anti-malware/spyware, intrusion detection, and security event management. MSS comprises the following sub-services: Trusted Internet Connections Service (TICS), Managed Prevention Service (MPS), Vulnerability Scanning Service (VSS), and Incident Response Service (INRS).

Managed Network Services

The EIS Managed Network Service (MNS) enables an agency to outsource a portion or all of its network planning, design, implementation, maintenance, operations and customer service as a strategic move to improve IT services and lower costs.

Software Defined – Wide Area Network (SD-WAN) Services

SD-WAN services provide significant benefits by giving agencies central security management and visibility, the ability to segment networks where security policies can be tailored per application and data type, and identity-based user access.

Managed Trusted Internet Protocol Services (MTIPS)

MTIPS version 2.2 provides security for all external connections to public Internet, Extranet, and Cloud Service Providers. As agencies look to implement the Cybersecurity and Infrastructure Security Agency (CISA) TIC 3.0 guidance, MTIPS may be complemented with additional EIS services to achieve the updated security capabilities of a TIC 3.0 Traditional TIC solution.

FedRAMP Authorized Software-as-a-Service (SaaS) Tools

SaaS gives an agency access to applications hosted in the cloud. The provider manages the security, availability, and performance of the applications as part of their service. Using SaaS allows an agency to reduce the time, expense, and risk associated with the installation and maintenance of software on agency computers. EIS SaaS meets all federally required security standards for Cloud services.

EIS delivers solutions to agencies that will meet CISA’s latest Trusted Internet Connections (TIC) 3.0 guidance and ZTA requirements which include the Core Zero Trust Logical Components described in the National Institute of Standards and Technology (NIST) Special Publication 800-207. GSA continues to collaborate with CISA to provide guidance to agencies advancing legacy networks towards a zero trust architecture.


In the past decade, the typical federal agency network has evolved from being static with a known perimeter to mobile-friendly with nodes across the country. We are now regularly reminded that security solutions must correspondingly evolve to secure agency data and be able to ensure the safe transport of information to and from cloud applications, data centers, and remote users. If they don’t, the U.S. will continue to be vulnerable to malicious actors all over the world.

The Cybersecurity EO prioritizes “accelerated movement to secure cloud services; centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investment in both technology and personnel to match these modernization goals.” EIS already supports these by supplying SD-WAN services, 5th Generation (5G) telecommunications technology, Internet of Things (IoT) offerings, and Cloud-based security solutions.

Using EIS to buy IT infrastructure ensures a greater degree of consistency in the government’s telecommunications and network infrastructure services. It also consolidates the government’s purchasing power, driving lower prices on products and services that satisfy complex security, flexibility, and visibility needs. EIS solutions offer the foundation needed to adapt to evolving threats and continue accomplishing your mission. The sooner agencies transition, the sooner they can take advantage of the secure solutions available on EIS. Accelerate your transition progress by Taking A.I.M. at EIS.


Zero Trust Architecture: Acquisition and Adoption

Posted by Laura Stanton
on July 15, 2021

What is Zero Trust Architecture (ZTA)?

Zero Trust is not a technology, but an approach to cybersecurity. It assumes all cyber networks and traffic are hostile in nature, and that any implicit trust in users should be eliminated. Now, more than ever, Zero Trust concepts are becoming increasingly important to an agency’s IT security posture as we see an increase in cyber attacks.

Zero Trust Architecture (ZTA) is a cybersecurity strategy that employs narrow and dynamic network defenses where every action and use of resources is questioned, and where users are given the minimum levels of access to information needed to do their jobs.

To fully implement ZTA, organizations need to focus on the integration and implementation of a range of tactics and technologies. We can no longer rely on the concept of “trust, but verify”. Instead, agencies must verify, re-verify, and continue re-verifying with added layers of cybersecurity to establish true ZTA.

Why is ZTA important now?

Recent sophisticated cyber attacks and the shift to remote/virtual work environments highlight the importance of focusing on cybersecurity. The recent Sunburst and Colonial Pipeline cyber attacks exposed vulnerabilities in government and private sector computer systems. These attacks are a stark reminder that a weakness anywhere is a weakness everywhere. Furthermore, as organizations move to a mix of cloud-based, on-premises, and hybrid network models, traditional perimeter-focused network defenses can no longer protect an organization’s information communication technology assets. To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, government agencies must move quickly to modernize their cybersecurity capabilities and accelerate towards the adoption of ZTA.

In 2020, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture was released to provide agencies with guidance and detailed recommendations to improve their security posture using the core principles of ZTA. More recently, Executive Order 14028 “Improving the Nation’s Cybersecurity” requires all Federal agencies to develop a plan to implement ZTA in an effort to modernize and strengthen cybersecurity standards and detection.

What can agencies do to embrace ZTA?

Although there is no single end-to-end, comprehensive Zero Trust network solution, movement towards a Zero Trust security posture does not require agencies to rip and replace existing cybersecurity tools, hardware, or software products. Rather, agencies can make incremental steps to “re-tool” existing products to adhere to Zero Trust principles and supplement with GSA-offered products, services, and solutions to achieve ZTA.

GSA created a Zero Trust Architecture Buyer’s Guide for acquisition, network architect, and cybersecurity professionals who are seeking to implement ZTA. The guide is a roadmap to ZTA and provides helpful concepts and best practices. Zero Trust security models currently range between five and seven pillars. For the purposes of facilitating an acquisition-based perspective, GSA chose to represent a combination of eight unique pillars that agencies should consider when implementing a robust and efficient Zero Trust security model.

Zero Trust Architecture Pillars: User, Device, Network, Infrastructure, Application, Data, Visibility and Analytics, Orchestration and Automation

Getting to Zero Trust is a journey. Moving to ZTA will take time, and agencies will be at different starting points as they implement a Zero Trust strategy. When evaluating a ZTA solution, agencies should consider how well the product or service addresses these eight pillars and to what extent.

Zero Trust Pillars

| Pillar | Description |
| --- | --- |
| User | Involves focus on user identification, authentication, and access control policies which verify user attempts connecting to the network using dynamic and contextual data analysis. |
| Device | Performs “system of record” validation of user-controlled and autonomous devices to determine acceptable cybersecurity posture and trustworthiness. |
| Network | Isolates sensitive resources from being accessed by unauthorized people or things by dynamically defining network access, deploying micro-segmentation techniques, and controlling network flows while encrypting end-to-end traffic. |
| Infrastructure | Ensures systems and services within a workload are protected against unintended and unauthorized access, and potential vulnerabilities. |
| Application | Integrates user, device, and data components to secure access at the application layer. Security wraps each workload and compute container to prevent data collection, unauthorized access or tampering with sensitive applications and services. |
| Data | Involves focus on securing and enforcing access to data based on the data’s categorization and classification to isolate the data from everyone except those that need access. |
| Visibility and Analytics | Provides insight into user and system behavior analytics by observing real-time communications between all Zero Trust components. |
| Orchestration and Automation | Automates security and network operational processes across the ZTA by orchestrating functions between similar and disparate security systems and applications. |

How can GSA help?

There are many elements of a Zero Trust solution that crosscut and incorporate GSA contract offerings. The information provided in the Zero Trust Architecture Buyer’s Guide can help agencies mature their Zero Trust implementation plans.

There are multiple GSA resources that support Zero Trust efforts, like the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) which provides access to vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors.

The Continuous Diagnostics and Mitigation (CDM) Tools SIN provides access to cybersecurity products included on the Department of Homeland Security Cybersecurity & Infrastructure Security Agency’s Approved Products List. Agencies can use these and other comprehensive GSA solutions to support the design and deployment of architectures that follow the tenets of Zero Trust.


FAST 2021: Incorporating IT Security into Acquisitions

Posted by Laura Stanton
on May 6, 2021

Join us May 13th at 1:00 pm EDT for a live webinar led by GSA’s IT Acquisition experts as we explore:

  • Benefits in shifting from a compliance model to the cybersecurity maturity model
  • Adopting a supply chain risk evaluation approach in government contracting
  • Easy to understand acquisition planning packages (e.g., playbooks, checklists, templates)

The 3-hour session features an overview of requirements and evaluation factors used in developing the 2nd Generation Information Technology (2GIT) blanket purchase agreement; and a quick look into the GSA’s IT Solutions Navigator connecting buyers with resources, tools, and decision support for IT procurements.

This is the third session in GSA’s 2021 monthly Federal Acquisition Service Training (FAST) Conference series. Each session is worth up to 3 Continuous Learning Points. You can find the full lineup of events here.

Registration is open and free for agency and industry partners. Reserve your virtual seat today – we look forward to seeing you there!

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.


Continuous Monitoring: Keeping Your System Up to Date and Prepared for Cyberattacks

Posted by Laura Stanton
on March 10, 2021

Continuous monitoring of IT systems is an evolving process. It adapts as new technologies and capabilities become available and as organizations are faced with advanced and persistent threats. However, the core strategies of continuous monitoring lay the foundation for safe and secured federal IT systems.

Continuous monitoring helps agencies identify, resolve, and understand key insights regarding certain risks to their information systems. The Risk Management Framework (RMF) process consists of several steps that include preparing a system for authorization, authorizing the system, and continuously monitoring the system until the next authorization process begins. The monitoring step is essential for agencies that want to minimize risks to their security systems.

As mentioned in previous posts, the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) solution is available for agencies in need of cybersecurity services, including RMF. GSA’s HACS solution connects agencies with vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors to assist with continuous monitoring strategies and Security Operations Centers (SOCs) activities.

After agencies obtain Authorization to Operate (ATO), they move into the continuous monitoring step of the RMF process. Though continuous monitoring strategies can vary by agency, usual tasks include near real-time risk management and ongoing authorization based on the system environment of operation. This step’s dynamic processes determine if a system’s security controls continue to be effective over time.

Risk Management Framework (RMF) image
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

RMF services are available through GSA’s HACS SIN. A Statement of Work (SOW) for the RMF process can be found on the HACS website and includes example language for procuring services for the Monitor Step. The SOW outlines several subtasks that make up the continuous monitoring phase of RMF.

Roles and Responsibilities within the Continuous Monitoring Strategy

As part of the continuous monitoring process, the agency will oversee information system and environment changes. This process involves determining the security impact of proposed or actual changes to the information system and its environment of operation.

Security Control Assessments

An Information Owner (IO), Security Control Assessor (SCA), Information System Security Officer (ISSO), and Information System Security Engineer (ISSE) will be responsible for ongoing security control assessments. The IO is an inherently governmental position; however, contractors can provide support for the other roles in most situations. In these assessments, personnel examine the technical, management, and operational security controls within an information system. This practice ensures that a system is in accordance with the agency’s monitoring strategy.

Risk Determination

The Chief Information Security Officer (CISO) performs ongoing risk determination and acceptance as a part of continuous monitoring. This task consists of reviewing the reported security status of the information system (including the effectiveness of security controls employed within, and inherited by, the system) on an ongoing basis. The CISO aims to determine whether the risk to the agency’s system remains acceptable. If a risk is not acceptable, remediation will take place. The CISO is an inherently governmental position; however, contractors can provide subject matter expertise and recommendations for risk determinations.

Ongoing Remediation

The IO and ISSO take part in ongoing remediation actions throughout the continuous monitoring process. Along with the Information System Owner (ISO) and the Common Control Provider (CCP), these personnel conduct remediation actions based on the results of ongoing monitoring activities, the assessment of risk, and outstanding items in the Plan of Action and Milestones.

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to monitor its systems, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Veteran Owned Companies Bring Cybersecurity Expertise to Federal Customers

Posted by Laura Stanton
on November 12, 2020

As we celebrate Veterans Day, we want to take a moment to appreciate all of the men and women who contribute to this great nation through their service in our military. America’s veterans are one of our most valued resources. Veterans bring a unique skill set, knowledge, and experience to everything they do; and GSA has been able to tap into their valuable expertise through our Service-Disabled Veteran-Owned Small Business (SDVOSB) contract for IT Services, VETS 2.

GSA’s VETS 2 Governmentwide Acquisition Contract is available to all federal customers. Agencies purchasing IT services through the VETS 2 contract demonstrate how prevalent veterans are in supporting mission-critical IT services needs across the federal landscape. One of the important core capabilities of VETS 2 is Cybersecurity. The SDVOSB firms on the contract have done the work, and 77 percent of the firms have extensive experience in cybersecurity. More than 60 of the VETS 2 industry partners have a secret or top-secret facilities clearance. These companies are well established in the IT industry. The background they bring with their previous military experience has been key to their success.

The IRS, Treasury, DHS, DoD, Army, and Air Force have all tapped into the expertise of our VETS 2 Industry Partners. They have placed task orders on the contract for IT Security and Cybersecurity requirements. Since the inception of the VETS 2 contract in February of 2018, there have been 21 task orders specifically to support IT Security needs within the government. This shows that veterans can provide the specialized knowledge, skills, and abilities that are needed today.

The single largest task order that has been issued on the VETS 2 contract was completed by GSA’s Federal Systems Integration and Management Center (FEDSIM) on behalf of the United States Army Pacific (USARPAC). This task order will help USARPAC in providing a quality-focused process and capability that enables effective sustainment and modernization of critical Command, Control, Communications, Computers (C4), and IT systems. These services include site surveys, engineering, design, procurement, logistics, implementation, operations and maintenance, knowledge management, cybersecurity, and training of new and existing C4 IT systems. This is an excellent example of the broad capabilities available through VETS 2.

2020 has been hugely successful for the VETS 2 contract, with 97 task orders worth more than $1 billion. This contract is only in its third year and is already surpassing expectations. There are 69 industry partners on the contract with a variety of specialized IT services core capabilities. VETS 2 is also a Best-in-Class contract as designated by the Office of Management and Budget. Federal customers using VETS 2 will receive socioeconomic credit toward small business goals as well as credit toward their Spend Under Management goals.

On Veterans Day each year, we reflect on the hard, mission-enabling work our veterans continue to deliver for our government every day, and I couldn’t be more proud of our VETS 2 team and industry partners.

For more information about the industry partners on the contract, check out our VETS 2 website.

Authorization to Operate: Preparing Your Agency’s Information System

Posted by Laura Stanton
on October 30, 2020

To close out National Cybersecurity Awareness Month, here are some steps federal agencies can take to protect their IT systems from cyber attacks and cybersecurity vulnerabilities using the Authorization to Operate (ATO) process.

An ATO demonstrates that a federal agency has gone through a federally approved, detailed process to protect an IT system from incidents such as cyberattacks, security breaches, malware, and phishing attempts. Many federal IT systems are required to obtain an ATO to process government data, and federal regulations recommend that agencies follow the Risk Management Framework (RMF) to become authorized.

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides solutions for all of an agency’s cybersecurity service needs, including RMF. The HACS SIN connects agencies with vendors who have passed oral technical evaluations for cybersecurity services performed within the RMF, and who are ready to assist agencies with the RMF process for a successful authorization.

Risk Management Framework (RMF) image with ATO highlight
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

All of the steps, tasks, and activities that precede the “Authorize” step of the RMF help to prepare the information system for the authorizing official’s appraisal. The authorizing official is not a contractor, but a federal employee of whichever agency is seeking ATO.

The HACS SIN connects federal agencies with contractors who can help in each stage of the RMF. Contractors can assist agencies in producing the deliverables associated with each RMF step listed in the chart below.

Disclaimer: RMF deliverables can vary based on an organization’s cybersecurity needs.

Once an agency has successfully completed the first four steps of the RMF (“Categorize” through “Assess”), an authorizing official will evaluate the system. The authorizing official for the federal agency in question evaluates residual risks identified during the security control assessment, and makes the decision to authorize the system to operate, deny its operation, or ask the agency to address any issues.

When granting an ATO, authorizing officials look for the following checklist of items:

  • Plan of Action and Milestones (POA&M)
  • Authorization Package
  • Final Risk Determination and Risk Acceptance
  • Authorization Decision

The POA&M is one of the most important deliverables produced in the RMF process. It reflects organizational priorities for addressing any remaining weaknesses and deficiencies in an information system and its environment of operation. The Authorization Package includes all key documents including the security plan, security assessment report, and the POA&M. 

Following the RMF steps helps your agency to achieve ATO, but the work does not end after an ATO is issued. Agencies must also continuously monitor their systems to ensure that security controls remain effective over time.

In addition, many federal agencies must reauthorize their information systems every three years by going through the RMF process again. This is where the final step of the RMF, “Monitor Controls,” is important. As part of continuous monitoring, a sample of the applicable security controls is tested annually, periodic vulnerability scanning is performed, and security impact analyses of changes are performed. If an agency continuously monitors its systems over those three years by documenting specific technical changes, environment changes, or changes to the organizational risk management strategy, it may be easier to renew an ATO because any security risks can be mitigated at the time they occur.

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to achieve an ATO, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Cybersecurity Best Practices During the COVID-19 Pandemic

Posted by Bill Zielinski
on June 2, 2020

The unprecedented and extraordinary efforts by businesses and Federal agencies to keep employees and customers safe during the COVID-19 pandemic have also inadvertently opened the door to cyberattacks.

Large-scale transitions to work-from-home technologies, heightened activity on many public-facing networks, and greater use of online services have presented new openings for cyber attackers to exploit. As people around the world shelter in place, they turn to online platforms to chat with friends, shop, work, and go to school. That transition to virtual life puts a large strain on cybersecurity controls.

Federal agencies face new daily challenges in assuring the security of networks. In the midst of the current global pandemic that imperative is even greater — they must protect their institutions while ensuring that daily tasks go on uninterrupted. The Office of Management and Budget (OMB) recommends that agencies “make risk-based decisions as appropriate to meet mission needs” during the COVID-19 pandemic.

It is important now for agency leaders to focus on supporting technologies and capabilities that are absolutely essential to their organizations’ operations. Priority actions — and relevant technologies — may include testing already existing security plans, continuously monitoring security systems, and maintaining access security. GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides Federal agencies with rapid access to cybersecurity vendors who can assist with the following priority actions and more.

Best practices

Having incident response plans in place and testing them is helpful for any agency. If an agency has plans such as incident response, disaster recovery, or continuity, it is important to test those plans and assess any risks as soon as possible. GSA’s HACS SIN provides rapid access to vendors evaluated for incident response services.

Chief Information Security Officers (CISOs) should continue to monitor their systems closely in order to identify cybersecurity events and incidents as soon as they may appear. Focus areas include monitoring networks for new strains of malware, monitoring collaboration tools such as Google Drive or Dropbox, and monitoring personnel activity. CISOs can also monitor their systems by using Intrusion Detection Systems or their preferred live network monitoring software. The HACS SIN is an efficient way to access these capabilities.

Access management in a remote work environment is another essential focus area during the COVID-19 pandemic. Though cybersecurity is essential, so is the physical safety of the American people. Agencies are encouraging teleworking whenever possible to adhere to the Government’s social distancing guidelines, and cybersecurity experts are needed to help make telework safe and secure for employees.

With many — if not all — of an agency’s employees working from home, click-through rates for phishing emails may increase when employees no longer work closely enough with coworkers to ask them in person about suspicious activity. Remote work can also require agencies to enable offsite access to critical and/or confidential information, which can increase the risk of a cyber attack. Employees can mitigate this risk by adhering to their agency’s access control policy and utilizing secure connections (such as Two-Factor Authentication (2FA) and/or VPN) when accessing Government networks containing sensitive information.

The COVID-19 pandemic is first and foremost a human challenge, with heads of agencies and employees all juggling professional duties with personal and family responsibilities. The risk of cyberattacks will be elevated, but by focusing now on cyber activities — testing response plans, monitoring security systems, and maintaining personnel security — agencies can successfully maintain their security.

GSA is here to help connect Federal agencies with vendors that provide necessary cybersecurity services during this time through the HACS SIN solution. For more information, visit the HACS Homepage. To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.
