Welcome Login

For current information from GSA about COVID19 please click HERE

You are here

IT Security: GSA's Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN)

In collaboration with the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), GSA developed IT Schedule 70’s HACS SIN 132-45 to make it easier for agencies to procure quality cybersecurity services. The HACS SIN is designed to provide government organizations with access to cybersecurity vendors and to help organizations meet IT security requirements outlined in:

  • OMB Memorandum 19-03, “Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program”
  • OMB Memorandum 17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information”
  • The CISO Handbook, published on https://cio.gov

The scope of the HACS SIN includes proactive and reactive cybersecurity services. Assessment services needed for systems categorized as High Value Assets (HVA) are also within scope of this SIN. It includes Risk and Vulnerability Assessments (RVA), Security Architecture Review (SAR), and Systems Security Engineering (SSE). Additionally, the scope of the SIN includes services for the seven step Risk Management Framework (RMF), and Security Operations Center (SOC) services.

  • The seven-step RMF includes preparation; information security categorization; control selection; implementation; assessment; system and common control authorizations; and continuous monitoring. RMF activities may also include Information Security Continuous Monitoring Assessment (ISCMA) which evaluate organization-wide ISCM implementations, and also Federal Incident Response Evaluations (FIREs), which assess an organization’s incident management functions.  
  • SOC services are services such as: 24x7x365 monitoring and analysis, traffic analysis, incident response and coordination, penetration testing, anti-virus management, intrusion detection and prevention, and information sharing.

There are five subcategories under the HACS SIN. Vendors listed within each subcategory in GSA eLibrary have passed a technical evaluation for that specific subcategory:

  • High Value Asset Assessments - include Risk and Vulnerability Assessment (RVA) which assesses threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. See the section below on RVA for details on those services. Security Architecture Review (SAR) evaluates a subset of the agency’s HVA security posture to determine whether the agency has properly architected its cybersecurity solutions and ensures that agency leadership fully understands the risks inherent in the implemented cybersecurity solution. The SAR process utilizes in-person interviews, documentation reviews, and leading practice evaluations of the HVA environment and supporting systems. SAR provides a holistic analysis of how an HVA’s individual security components integrate and operate, including how data is protected during operations. Systems Security Engineering (SSE) identifies security vulnerabilities and minimizes or contains risks associated with these vulnerabilities spanning the Systems Development Life Cycle. SSE focuses on, but is not limited to the following security areas: perimeter security, network security, endpoint security, application security, physical security, and data security.
  •  Risk and Vulnerability Assessment - assesses threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. The services offered in the RVA subcategory include Network Mapping, Vulnerability Scanning, Phishing Assessment, Wireless Assessment, Web Application Assessment, Operating System Security Assessment (OSSA), Database Assessment, and Penetration Testing.
  • Cyber Hunt - activities respond to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats. Cyber Hunts start with the premise that threat actors known to target some organizations in a specific industry or with specific systems are likely to also target other organizations in the same industry or with the same systems.
  • Incident Response - services help organizations impacted by a cybersecurity compromise determine the extent of the incident, remove the adversary from their systems, and restore their networks to a more secure state.
  • Penetration Testing - is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.

Purchases can be made through GSA Advantage!® or eBuy system, by issuing a Request for Quote (RFQ) against SIN 132-45  and allowing HACS vendors to respond to your requirements. An RFQ may be posted to GSA’s eBuy, an electronic RFQ system that is part of the suite of tools which complement GSA Advantage!. eBuy allows ordering activities to post an RFQ, obtain quotes, and issue orders. In general, the process below should be followed to order HACS services.

When multiple requirements are needed, ordering activities should only select SIN 132-45 when submitting the RFQ on eBuy, and writing within the solicitation document that vendors may utilize other SINs to create a complete solution. This will ensure the responding vendors are limited to those on the HACS SIN and have passed a technical evaluation.

State and local governments may also order from IT Schedule 70, which has cooperative purchasing (www.gsa.gov/stateandlocal and https://www.gsa.gov/portal/content/202285). Agencies should also comply with their organization's respective acquisition rules.

Benefits of Using the HACS SIN

  • The SIN is available through IT Schedule 70, a well-managed Tier-2 Spend Under Management (SUM) vehicle, the use of which aligns with the President’s Management Agenda and OMB Memorandum 19-13 "Category Management: Making Smarter Use of Common Contract Solutions and practices".
  • This SIN allows agencies to easily identify high-quality cybersecurity vendors with various socioeconomic categories.
  • The SIN also enables rapid ordering and deployment of services using IT Schedule 70’s streamlined ordering procedures that reduce procurement lead times by 25 to 50 percent compared to open market ordering, which is less efficient and can carry additional risks.
  • Our Ordering Guide attached below can help procurement officials rapidly solicit services from the HACS SIN.
  • Helpful acquisition documents, such as Statement of Work (SOW) templates, are available on the Acquisition Gateway and GSA’s IT Security website at https://gsa.gov/itsecurity.
  • Cybersecurity and acquisition subject-matter experts are available to help with HACS procurements.


Attachment TitleSizeType
File HACS Ordering Procedure78.11 KBDOCX

Views: 1368

The purpose of this community is to provide a place where customers and industry partners can engage and discuss Cybersecurity related topics.... More

Visit the HACS SIN website to find high quality cybersecurity services to meet your needs:

  1. High Value Asset (HVA) Assessments
  2. Risk and Vulnerability Assessment (RVA)
  3. Cyber Hunt
  4. Incident Response
  5. Penetration Testing
  • candice's picture
  • tammy.kreiser@cydaptiv.com's picture
  • vbalani's picture