If you’re looking to buy cybersecurity services for your agency, just remember: cybersecurity is a SIN now. The General Services Administration’s Federal Acquisition Service just created the Highly Adaptive Cybersecurity Services Special Item Number (HACSSIN) to add more cyber services to GSA’s Schedule 70.
Bill Zielinski, deputy assistant commissioner for FAS’ IT category management, told the Federal Drive with Tom Temin that HACSSIN puts in place assistance for penetration testing, risk and vulnerability assessments that matches the National Institute of Standards and Technology’s cyber framework while meeting the requirements of the Homeland Security Department.
In addition, he said that FEDSIM is moving DHS’ Continuous Diagnostics and Mitigation to its own SIN as well, and partnering with Enterprise Integrated Services to start building in the kinds of protection DHS requires so that systems will start out compliant with EINSTEIN, a system of protections designed and implemented across the government, rather than having to be modified or upgraded.
But this could leave agencies with some confusion when it comes to product selection.
“One thing we always recommend is — [agencies] have plenty of places to go to, but part of that CDM program which DHS leads and manages is DHS will work directly with the agencies in reviewing what they currently have within their IT enterprise, then helping them come to some conclusions about where they have gaps, where they may have vulnerabilities, and helping them connect to those goods, products and services,” Zielinski said.
Zielinski said many agencies have been looking into automating the CDM processes, and GSA is working with both DHS and OMB to help achieve this.
“What they are looking for is ‘how do we get to the point where there’s not as much manual intervention in both the monitoring as well as the reacting to events that may occur from a cybersecurity perspective?’” he said. “So the product lines themselves are evolving and we continue to bring on products that give a much greater level of automation.”
One of the new things that’s becoming automated is software license vulnerabilities. Using this service, agencies can make decisions in advance about what software will be allowed. The tools will monitor the system to detect when new software is being installed and act accordingly.
This kind of continuous monitoring is also applied to network traffic. The network traffic flows through trusted internet connections, and those endpoints are continuously monitored to understand what sorts of traffic are passing through. This information can also be used to track patterns and alert the agency’s security operations center and DHS when changes happen.
And it’s the aggregation of this kind of information that allows DHS to track larger trends and patterns to see what’s going on governmentwide.
“It’s all part of a larger, broader cybersecurity program that agencies implement,” Zielinski said. “EINSTEIN itself is not necessarily a specific product or a specific software, but it is the sets of products and the sets of tools that are placed to monitor the network traffic.”
Essentially, he said, the products and services on the two new cybersecurity SINs could be used in concert to become what DHS would consider EINSTEIN.
“In particular, when we talk about enterprise infrastructure solutions, that’s where the monitoring of the networks and those products in there for the trusted internet connection really are core to the EINSTEIN program,” Zielinski said. “What we’re trying to do is bake those all in, so that when an agency does procure those services, when they obtain those services for the network, they’re getting that all baked in from the beginning, so they are EINSTEIN-ready, if you will, at the point in time that they procure those services through EIS.”
He said there has been discussion about whether it would be easier to simply bring the entire government together on a single network. But that won’t happen anytime soon, so right now the focus is on making sure each agency has standardized protections.
And that will be easier once the HACSSIN is fully implemented. Zielinski said GSA put out a request for information on March 27 seeking input from industry, and the plan is to be fully up and running by late spring.