Got Hacks? Get HACS!
Highly Adaptive Cybersecurity Services offer rapid-response solutions.
The government toolbox is not entirely bare when it comes to solutions and services that agencies can use to improve cybersecurity. The National Institute of Technologies and Standards (NIST) has provided detailed guidance on agency security for some time, and the General Services Administration (GSA) recently launched its security-specific procurement program.
Highly Adaptive Cybersecurity Services (HACS), introduced in 2016, is a set of Special Item Numbers (SINs) that agency buyers can access through the GSA’s IT Schedule 70, a long-term contract that has become a “must have” for vendors selling IT products and services to the federal government, states and local entities.
In this case, the HACS SINs provide agencies quick access to pre-vetted support services, allowing them to test for vulnerabilities, rapidly address those that are found and, hopefully, stop attacks before they compromise government networks and systems.
“The HACS SINs allow agencies direct access to a pool of vendors ready to provide services needed to meet Cybersecurity National Action Plan (CNAP) requirements, and proactively protect their IT services,” a GSA spokesperson says. “The SINs also allow agencies to quickly solicit support from vendors when a data security breach has occurred.”
CNAP was formally unveiled as an Obama Administration initiative, in February 2016, to establish a long-term strategy for improving cybersecurity awareness and protections throughout government. A companion Cybersecurity Strategy and Implementation Plan (CSIP) was launched as a result of the government’s 2015 30-day Cybersecurity Sprint. CSIP seeks to identify and prioritize high-value assets; prepare for, respond to and recover from cyberattacks; and ensure deployment of the best technology in pursuit of those goals.
Specifically, the HACS SINs are:
- 132-45A Penetration Testing that mimics real-world attacks to identify ways that attackers might circumvent security features.
- 132-45B Incident Response are services that help agencies affected by a cybersecurity attack to determine the extent of the incident, to remove attackers from systems and restore networks to a more secure state.
- 132-45C Cyber Hunt activities anticipate and prepare for potential attacks by identifying cyberthreats to industries outside of government whose IT systems are similar to those used by government agencies.
- 132-45D Risk and Vulnerability Assessment provide services such as network mapping, vulnerability scanning, phishing assessment and penetration testing.
It took a while for agency users to become knowledgeable about the SINs, but in fiscal year 2018 there’s been a “strong increase” in the number of solicitations that include them, the GSA spokesperson says. Agencies have indicated that they like having cyber-specific SINs available to them. Some have inquired with the GSA about incorporating them into their RFPs. To date, the HACS SIN 132-45D has generated the most inquiries, the GSA said.
Looking to improve the program, the GSA recently launched a HACS Modernization initiative. At an RFI and stakeholder event, in June 2018, a majority of vendors favored combining the current four SINs into one, the GSA spokesperson says.