Earlier this month, the U.S. General Services Administration (GSA) issued a Request for Information (RFI) soliciting feedback from industry on ways to improve the sale of Cybersecurity and Information Assurance (CyberIA) products and services through GSA’s multi-billion dollar Information Technology (IT) Schedule 70. IT Schedule 70 currently features more than a dozen special item numbers (SINs) for cybersecurity products and services.[1] In this RFI, GSA seeks information from vendors and federal agencies as to whether it should consolidate those SINs into one major CyberIA grouping, with a number of categories and subcategories.

The RFI, which was issued just weeks before the Office of Management and Budget (OMB) and the Department of Defense (DoD) announced their own major cybersecurity initiatives, is yet another sign that the federal government is leveraging its substantial buying power to harden government and contractor networks against cyber intrusions. As explained below, GSA’s appeal to industry offers a tremendous opportunity for the private sector to help shape the way commercial CyberIA products and services are bought by and sold to the government.

GSA’s Proposed CyberIA Special Item Number

The RFI announces that GSA is considering adding a consolidated SIN under IT Schedule 70 that is dedicated exclusively to the sale of CyberIA products and services. IT Schedule 70 is one of the largest contract vehicles administered by GSA, with more than $14 billion in FY2014 sales and sales to date of nearly $7 billion in FY2015. As a starting point, GSA has offered the following description of the proposed CyberIA SIN:

Schedule 70 Grouping: Cybersecurity/Information Assurance (CyberIA) products and services

SIN Category: CyberIA SIN

SIN Description:

  • Hardware
  • Software
  • Services

  SIN categories include hardware, software and services associated with:

  • Information Assurance
  • Virus Detection
  • Intrusion Detection and Prevention
  • Network Management
  • Situational Awareness and Incident Response
  • Secure Web Hosting
  • Backup and Security Services
  • Communications Security

According to GSA, the potential benefits of the proposed SIN include:

  • Realigning IT Schedule 70 CyberIA offerings to reflect the market and customer needs.
  • Consolidating CyberIA products and services to help agencies efficiently conduct market research and acquisition planning.
  • Providing IT Schedule 70 vendors the ability to more easily differentiate CyberIA products and services from other IT offerings.
  • Improving CyberIA offerings, sales reporting, and visibility for IT Schedule 70.
  • Offering GSA customers a “high level-vetting” of available CyberIA technologies and industry partners.

GSA’s Request for Industry Feedback

The RFI asks industry to provide feedback in two areas: (1) the draft scope and administration of the proposed CyberIA SIN, and (2) how CyberIA products and services are currently sold on IT Schedule 70, each of which is described in detail below. Together, these inquiries offer industry an opportunity to educate the government about the offerings in the commercial market and to help define the types of CyberIA products and services that may ultimately be eligible for schedule sales. With regard to the scope and administration of the proposed CyberIA SIN, GSA has requested commentary on the topics below.

  • Proposed SIN Scope: GSA has requested comments on the scope of the proposed SIN. One question for industry to consider is whether the proposed SIN will include offerings for Cloud Computing and cyber incident investigation and remediation services, both of which present unique opportunities and challenges for procurement officials and already are subject to substantial (and often disparate) statutory and regulatory requirements.
  • NIST Characteristics: GSA has asked whether all offerings should meet the “essential characteristics” for CyberIA that have been identified by the National Institute of Standards and Technology (NIST). The private sector’s input on this question is especially critical because, as is reflected by the cybersecurity guidance and regulations recently issued by OMB and DoD, NIST has developed multiple standards of security controls for federal information systems and for contractor systems that contain government information, and their application may vary across different federal agencies. For example, it remains unclear how the government intends to apply the various NIST standards to the unique service models offered by Cloud Service Providers, which can be certified as compliant with NIST Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, through the Federal Risk and Authorization Management Program (FedRAMP), but which may now also be subject to the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as a result of OMB’s recent guidance.
  • SIN Categories: GSA also asks whether the proposed SIN categories of (i) Information Assurance, (ii) Virus Detection, (iii) Intrusion Detection and Prevention, (iv) Network Management, (v) Situational Awareness and Incident Response, (vi) Secure Web Hosting, and (vii) Backup and Security Services “address the range of expected CyberIA products and services,” and whether industry has suggestions for additional categories not already found on the GSA schedule.
  • Information about Vendor Pricing, Potential Offerings, and Terms and Conditions: GSA has also asked industry to provide information and ideas about pricing methodologies for CyberIA offerings, the types of CyberIA products and services that are likely to be offered by industry, and the terms and conditions that would apply to schedule-holders under the CyberIA SIN.

In addition to seeking feedback on the proposed CyberIA SIN, GSA has asked for input that will help the agency “develop a deeper understanding” of how CyberIA products and services are currently sold on IT Schedule 70. Specifically, GSA has asked private sector entities to furnish information such as:

  • A brief description of their respective companies, the Primary Service Codes and North American Industry Classification Codes they primarily utilize, and any GSA Schedule or other government-wide GSA contract vehicle(s) that they currently hold.
  • A description of any IT Schedule SINs under which companies currently provide CyberIA products or services, the pricing methodology/pricing escalation for such offerings, whether they have any specialized federal End User License Agreements, and the pricing structure of any CyberIA offerings made under IT Schedule 70.

Importantly, the RFI indicates that any confidential or proprietary information furnished by private entities must be clearly marked “wherever it appears.” GSA has also noted that it may provide this information to contractors providing advisory services, subject to non-disclosure agreements, but that any information marked as confidential will not otherwise “be disclosed to any other party outside the government.” According to GSA, information not clearly marked as confidential “will not be treated as confidential.” Finally, the RFI seeks information from agencies about their buying practices for CyberIA, such as:

  • How agencies typically procure CyberIA offerings, including the contract vehicles and types used; and
  • Whether agencies expect this proposed SIN would improve the transparency and ease of use of acquiring CyberIA offerings through IT Schedule 70.

Responses to the GSA RFI are due by 4 pm EST on September 11, 2015 and should be submitted via email to ciap@gsa.gov and Daniel.Kim@gsa.gov.

[1] See “Cybersecurity” section of “What IT Schedule 70 Offers.”

Susan B. Cassidy