U.S. General Services Administration
Contact us
Call: 855-482-4348
Hours for live chat and calls:
Sun 8 p.m. - Fri 8:30 p.m. CST
Email: ITCSC@gsa.gov
Highly Adaptive Cybersecurity Services
About HACS
MAS Solicitation: IT Services - SIN 54151HACS
NAICS: Products, IT Security, IT Professional Services, IT Consulting
PSC: IT Outsourcing
Vendor list (eLibrary)
Eligible users: Federal, state, local, and tribal governments
With Highly Adaptive Cybersecurity Services, or HACS, your agency can:
- Expand capacity to test high-priority IT systems.
- Quickly order and implement services from technically evaluated vendors.
- Stop adversaries before they impact networks and rapidly address potential vulnerabilities.
HACS also supports government-wide priorities like Application Security Testing and Zero Trust Architecture.
The scope of HACS includes proactive and reactive cybersecurity services. HACS vendors are categorized under five subgroups for market research purposes. Check a contractor's GSA price list to verify and confirm availability of awarded products and services.
HACS subgroups
HVA assessments include Risk and Vulnerability Assessment (RVA) which: assesses threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.
Security Architecture Review evaluates a subset of the agency’s HVA security posture to determine whether the agency has properly architected its cybersecurity solutions and ensures that agency leadership fully understands the risks inherent in the implemented cybersecurity solution.
Some vendors may require a HACS self-attestation form [PDF - 103 KB] to apply for the HACS High Value Assessments subcategory.
Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network
RVA assesses threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. includes network mapping, vulnerability scanning, phishing assessment, wireless assessment, web application assessment, Operating System Security Assessment (OSSA), database assessment, and penetration testing.
Incident response includes services that help organizations impacted by a cybersecurity compromise determine the extent of the incident, remove the adversary from their systems, and restore their networks to a more secure state.
Cyber hunt includes activities that respond to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats. Cyber hunts start with the premise that threat actors known to target some organizations in a specific industry or with specific systems are likely to also target other organizations in the same industry or with the same systems.
Subgroups are provided for market research purposes only; check a contractor’s GSA price list to verify and confirm availability of awarded products and services.
How do I buy HACS?
Agencies can order through eBuy and GSA Advantage and issue an RFI or RFQ to vendors using Special Item Number 54151HACS.
Combine SINs to meet your requirements or try a blanket purchase agreement to easily fill recurring needs. You can also set aside the requirement for one or more socio-economic categories including but not limited to small businesses, veteran-owned businesses, and women-owned businesses.
Need support or subject matter expertise? Reach our team at ITSecurityCM@gsa.gov.
- HACS buying guide [DOCX - 79 KB] to help you along your way
- Assisted Acquisition Services for cradle to grave support
- Cooperative Purchasing for state, local, and tribal governments
- Market Research as a Service to help you research options
HACS templates provide typical language for a cybersecurity solicitation, and material from these examples can be copied and pasted directly into sections 3.0 and 4.0 of the RFQ template.
How do I sell HACS?
MAS contract holder
Submit a modification to add a SIN in the eOffer/eMod portal.
Without an existing MAS contract
Follow the MAS Roadmap guidance for preparing and sending an offer.
- Vendors must pass an oral technical evaluation before they can be awarded the HACS SIN. Here’s what to expect [PDF - 88 KB] at an oral technical evaluation; the oral technical evaluation questions are not provided before the evaluation.
- Once you’re awarded the HACS SIN, follow the instructions for selecting SIN subgroups [PDF - 52 KB] to add awarded subgroups to your eBuy profile.
- Our FASt Lane and Startup Springboard vendor onboarding programs can get you selling on Schedules even faster.
Need help? Contact the Vendor Support Center.
What’s new with HACS?
Join our IT security Interact community for news and updates for agencies and industry.
Related resources
- Cybersecurity Terms and Definitions for Acquisition [PDF - 91 KB]
- Homeland Security Presidential Directive 12 (HSPD-12)
- Federal Risk and Authorization Management Program (FedRAMP)
- NIST Security Content Automation Protocol (SCAP) Validated Products
- Common Criteria Validated Products
- National Information Assurance Partnership (NIAP)
ITC on Twitter
ITC on LinkedIn
ITC Blog