Earlier this month, the U.S. General Services Administration (GSA) issued a Request for Information (RFI) soliciting feedback from industry on ways to improve the sale of Cybersecurity and Information Assurance (CyberIA) products and services through GSA’s multi-billion dollar Information Technology (IT) Schedule 70. IT Schedule 70 currently features more than a dozen special item numbers (SINs) for cybersecurity products and services.[1] In this RFI, GSA seeks information from vendors and federal agencies as to whether it should consolidate those SINs into one major CyberIA grouping, with a number of categories and subcategories.

The RFI, which was issued just weeks before the Office of Management and Budget (OMB) and the Department of Defense (DoD) announced their own major cybersecurity initiatives, is yet another sign that the federal government is leveraging its substantial buying power to harden government and contractor networks against cyber intrusions. As explained below, GSA’s appeal to industry offers a tremendous opportunity for the private sector to help shape the way commercial CyberIA products and services are bought by and sold to the government.

GSA’s Proposed CyberIA Special Item Number

The RFI announces that GSA is considering adding a consolidated SIN under IT Schedule 70 that is dedicated exclusively to the sale of CyberIA products and services. IT Schedule 70 is one of the largest contract vehicles administered by GSA, with more than $14 billion in FY2014 sales and sales to date of nearly $7 billion in FY2015. As a starting point, GSA has offered the following description of the proposed CyberIA SIN:

Schedule 70 Grouping SIN Category Cybersecurity/Information Assurance (CyberIA) products and services SIN Description
CyberIA SIN ●    Hardware

●     Software

●     Services

SIN categories include hardware, software and services associated with:

●   Information Assurance

●   Virus Detection

●   Intrusion Detection and Prevention

●   Network Management

●   Situational Awareness and Incident Response

●   Secure Web Hosting

●   Backup and Security Services

●   Communications Security

According to GSA, the potential benefits of the proposed SIN include:

  • Realigning IT Schedule 70 CyberIA offerings to reflect the market and customer needs.
  • Consolidating CyberIA products and services to help agencies efficiently conduct market research and acquisition planning.
  • Providing IT Schedule 70 vendors the ability to more easily differentiate CyberIA products and services from other IT offerings.
  • Improving CyberIA offerings, sales reporting, and visibility for IT Schedule 70.
  • Offering GSA customers a “high level-vetting” of available CyberIA technologies and industry partners.

GSA’s Request for Industry Feedback

The RFI asks industry to provide feedback in two areas: (1) the draft scope and administration of the proposed CyberIA SIN, and (2) how CyberIA products and services are currently sold on IT Schedule 70, each of which is described in detail below. Together, these inquiries offer industry an opportunity to educate the government about the offerings in the commercial market and to help define the types of CyberIA products and services that may ultimately be eligible for schedules sales. With regard to the scope and administration of the proposed CyberIA SIN, GSA has requested commentary on the topics below.

  • Proposed SIN Scope: GSA has requested comments on the scope of the proposed SIN. One question for industry to consider is whether the proposed SIN will include offerings for Cloud Computing and cyber incident investigation and remediation services, both of which present unique opportunities and challenges for procurement officials and already are subject to substantial (and often disparate) statutory and regulatory requirements.
  • NIST Characteristics: GSA has asked whether all offerings should meet the “essential characteristics” for CyberIA that have been identified by the National Institute for Standards and Technology (NIST). The private sector’s input on this question is especially critical because, as is reflected by the cybersecurity guidance and regulations recently issued by OMB and DoD, NIST has developed multiple standards of security controls for federal information systems and contractor systems that contain government information and their application may vary across different federal agencies. For example, it remains unclear how the government intends to apply the various NIST standards to the unique service models offered by Cloud Service Providers, which can be certified as compliant with NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, through the Federal Risk Authorization Management Program (FedRamp), but which may now also be subject to the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a result of OMB’s recent guidance.
  • SIN Categories: GSA also asks whether the proposed SIN categories of (i) Information Assurance, (ii) Virus Detection, (iii) Intrusion Detection and Prevention, (iv) Network Management, (v) Situational Awareness and Incident Response, (vi) Secure Web Hosting, and (vii) Backup and Security Services “address the range of expected CyberIA products and services,” and whether industry has suggestions for additional categories not already found on the GSA schedule.
  • Information about Vendor Pricing, Potential Offerings, and Terms and Conditions: GSA has also asked industry to provide information and ideas about pricing methodologies for CyberIA offerings, the types of CyberIA products and services that are likely to offered by industry, and the terms and conditions that would apply to schedule-holders under the CyberIA SIN.

In addition to seeking feedback on the proposed CyberIA SIN, GSA has asked for input that will help the agency “develop a deeper understanding” of how CyberIA products and services are currently sold on IT Schedule 70. Specifically, GSA has asked private sector entities to furnish the information such as:

  • A brief description of their respective companies, the Primary Service Codes and North American Industry Classification Codes they primarily utilize, and any GSA Schedule or other government-wide GSA contract vehicle(s) that they currently hold.
  • A description of any IT Schedule SINs under which companies currently provides CyberIA products or services, the pricing methodology/pricing escalation for such offerings, whether they have any specialized federal End User License Agreements, and the pricing structure of any CyberIA offerings made under IT Schedule 70.

Importantly, the RFI indicates that any confidential or proprietary information furnished by private entities must be clearly marked “wherever it appears.” GSA has also noted that it may provide this information to contractors providing advisory services, subject to non-disclosure agreements, but that any information marked as confidential will not otherwise “be disclosed to any other party outside the government.” According to GSA, information not clearly marked as confidential “will not be treated as confidential.” Finally, the RFI seeks information from agencies about their buying practices for CyberIA, such as:

  • How agencies typically procure CyberIA offerings, including the contract vehicles and types used; and
  • Whether agencies expect this proposed SIN would improve the transparency and ease of use of acquiring CyberIA offerings through IT Schedule 70.

Responses to the GSA RFI are due by 4 pm EST on September 11, 2015 and should be submitted via email to ciap@gsa.gov and Daniel.Kim@gsa.gov.

[1] See “Cybersecurity” section of “What IT Schedule 70 Offers.”