by Dave Alexander, Lincoln Strategies, LLC
GSA Schedule 70 will soon have a new SIN dedicated to cybersecurity products and services. The new SIN probably will be called “Highly Adaptive Cybersecurity Services” (HACS).
Is your firm interested in providing cybersecurity products and services to U.S. federal agencies and departments? If so, it might make sense to obtain a GSA Schedule 70 contract. This article provides an overview of these contracts and describes how GSA will adjust how Schedule 70 accommodates cybersecurity products and services. In particular, a new GSA cybersecurity SIN—“Highly Adaptive Cybersecurity Services” (HACS)—is in the works.
Overview of GSA Schedule Contracts
The General Services Administration (GSA) awards task order contracts to commercial firms for a vast array of products and services. Each contract has a long period of performance (a 5-year Base Period and 3 successive Option Periods of 5 years apiece). For professional services, each contract specifies labor categories and fixed hourly rates.
Any federal government agency or department can issue a task order to a commercial firm that holds a GSA Schedule contract. There is no cap on the size of any individual task order, nor are there cumulative limits.
GSA groups these contracts into related sets of services and products. Each such grouping is referred to as a “Schedule.” For example, GSA Schedule 03FAC has a scope of services that covers services and products related to Facilities Maintenance and Management (e.g., elevator maintenance services; energy efficiency services).
For the most part, each GSA Schedule has a unique Statement of Work. There are some exceptions; for example, the scope of the Professional Services Schedule (PSS) has some degree of overlap with a few of the other Schedules. This issue is discussed in more detail in another article.
With a few exceptions, firms can submit proposals for GSA Schedule contracts at any time. The solicitations for each Schedule are “evergreen,” and there are no particular deadlines for submitting proposals. There is no limit on the number of contracts that GSA can issue.
What is GSA Schedule 70?
GSA Schedule 70 covers Information Technology products and services. Among federal agencies and departments, it is a very popular acquisition route; more than $14.5 billion per year flows through Schedule 70 contracts.
As is the case for all GSA Schedules, each part of GSA Schedule 70’s scope of services is called a “Special Item Number” (yes, a “SIN”). For example, the portion of the scope of services that covers most IT professional services is SIN 132-51. More than $6.9 billion in services per year are delivered under this SIN. A few other examples of SINs include 132-8 (PCs, accessories, and many other types of hardware) and 132-32 (which covers term software licenses).
Cybersecurity Services under GSA Schedule 70
Many firms provide cybersecurity professional services under their GSA Schedule 70 contracts, primarily through SIN 132-51. The statement of work for this SIN is succinct (the main part of the SOW consists of all of 33 words) and exceedingly broad: certainly broad enough to cover a wide range of cybersecurity tasks. Based on my experience with a variety of clients, it is relatively easy for firms to propose cybersecurity services under this SIN.
Several other SINs within Schedule 70 encompass information security related products and services. For example one SIN addresses electronic credentialing services (SIN 132-60A), and another addresses hardware tokens for encrypted interfaces with information systems (SIN 132-60D).
A GSA Cybersecurity SIN in Schedule 70?
GSA has announced that it intends to add a new SIN to GSA Schedule 70, focusing on cybersecurity. One of the names that GSA is considering for this potential new SIN is “Highly Adaptive Cybersecurity Services” (HACS), with an apparent nod to those of us who enjoy a bit of wordplay.
Indications are that the new SIN will specify in great detail a wide range of cybersecurity professional services (e.g., network mapping; vulnerability scanning; penetration testing) and products. In addition, the new GSA cybersecurity SIN probably would have special proposal instructions associated with it. For example, it is possible that in order to qualify for this SIN, a firm would have to demonstrate special credentials and, possibly, perform acceptably on “capture the flag” tests.
This article will be updated as developments merit.
The author of this article, Dave Alexander, the Principal of Lincoln Strategies, LLC, has helped many firms obtain GSA Schedule 70 contracts and other types of GSA and non-GSA contracts. He can be reached at (978) 369-1140, or dave.alexander@LincolnStrategies.com.