There are a number of contract vehicles available to federal agencies looking for cybersecurity tools but few that offer services like penetration testing and phishing assessments. The General Services Administration wants to build just such a contract and is asking agencies and industry how such a vehicle should be structured.

RFI: Cybersecurity Services Contract Vehicle

GSA issued a request for information on April 11 to "gain an enhanced understanding of what agencies' needs are, what solutions currently exist and what role GSA can play in improving the ability of agencies to procure the suite of cybersecurity services."

Those services include:

  • Network mapping: Identify assets on an agreed upon IP address space or network range(s).
  • Vulnerability scanning: Identify vulnerabilities associated with agency systems that are potentially exploitable by attackers.
  • Penetration testing: Evaluate the security of the customer’s IT assets by attempting to gain access to the computer system, application or network contrary to the intended technical controls.
  • Phishing assessments: Evaluate the level of awareness of the agency workforce with regard to attempts to acquire sensitive information in an unauthorized manner. Phishing assessments can include scanning, testing or both and can be conducted as a one-time event or as part of a larger campaign to be conducted over several months.
  • Wireless assessments: Wireless access point (WAP) detection, penetration testing or both, performed onsite at the customer facility.
  • Web application assessments: Scan and/or test outward facing web applications.
  • Operating system assessments: Assess configuration of select host operating systems against standardized configuration baselines.
  • Database assessments: Assess configuration of selected databases against configuration baselines in order to identify potential misconfiguration and/or database vulnerabilities.
  • Proactive adversary hunt: Identify the presence of a previously unknown adversary or compromise on a target system or network.
  • Incident response: Help organizations impacted by a cybersecurity compromise determine the extent of the incident, remove the adversary from their systems and restore their networks to a more secure state.
  • Reactive adversary hunt: Provide the same general capability as proactive hunts but use information and threat intelligence specifically focused on the proximate incident to identify undiscovered attacks.
  • Security engineering services, including post-incident or post-assessment remediation: Provide agencies with technical assistance in implementing necessary security controls, system updates or architectural improvements to address the findings of a proactive assessment or resolve vulnerabilities identified by a cybersecurity compromise.

GSA is asking industry to reply to six questions that will help procurement officials refine the scope and better understand the range of products available in each of the 12 service areas.

Responses to the RFI will inform the creation of a contract vehicle for "both proactive and reactive cybersecurity services," according to Shon Lyublanovits, acting director of Strategic Solutions and Security Services. "Providing federal agencies better access to private sector talent that can identify threats, address vulnerabilities and assist in recovery from malicious cyber events is a key component of helping the entire federal government improve its cyber posture."

Comments are due by 5 p.m. on April 20 and should be emailed to ciap@gsa.gov using the associated response template.

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
