U.S. General Services Administration
Chat or call
Hours for live chat and calls:
Sun 8 p.m. to Fri 8:30 p.m. Central time
Highly Adaptive Cybersecurity Services
Features and benefits
Highly Adaptive Cybersecurity Services - Special Item Number 54151HACS can help your agency
- Test high-priority IT systems.
- Quickly order and implement services from technically-evaluated vendors.
- Stop adversaries before they impact networks.
- Rapidly address potential vulnerabilities.
HACS includes proactive and reactive cybersecurity services and supports governmentwide priorities like Application Security Testing and Zero Trust Architecture.
News, events, and training
Join our IT security Interact community for news and updates for agencies and industry.
Buy on MAS
Eligible agencies: Federal, state, local, tribal
MAS Solicitation: IT Services SIN 54151HACS
NAICS: 541519 — Other Computer Related Services
PSC: DJ01 — IT and Telecom — Security and Compliance Support Services (Labor)
Vendor list: eLibrary
Eligible agencies can order on Multiple Award Schedule by issuing an RFI or RFQ to vendors through eBuy and GSA Advantage.
State, local, territorial, and tribal governments may be able to purchase through Cooperative Purchasing and Disaster Purchasing programs.
- HACS buying guide [PDF - 196 KB]
- eLibrary for solicitations, terms, socio-economic status
- Guidance and tools for MAS buyers
- Market Research as a Service tool
- Assisted Acquisition Services for cradle to grave buying support
- All available offerings on MAS
You can combine SINs to meet your requirements, and may have the option to set-aside the requirement for one or more socio-economic categories. Use eLibrary’s HACS contractor page to filter vendors by set-aside; select your specified socio-economic designation (such as SBA Certified 8(a) Firm) and search. Specify set-asides and any other qualified requirements (like scope and mandatory knowledge) in the solicitation.
Blanket Purchase Agreements are a great option for recurring needs and can help your agency meet strategic sourcing, compliance requirements, and socio-economic goals. You can establish a blanket purchase agreement with MAS contractors using the authority and instructions under FAR 8.405-3.
Contact ITSecurityCM@gsa.gov for a free scope review against SIN 54151HACS.
HACS vendors
HACS vendors are categorized under five subgroups for market research purposes:
You can specify a subgroup or subgroups by inserting this language into your RFQ: “This Request for Quotation seeks contractors holding the Highly Adaptive Cybersecurity Services Special Item Number and the contractor must be categorized in the following HACS subgroup (or subgroups) [insert subgroup or subgroup].”
Always check a contractor’s GSA price list to verify and confirm availability of awarded products and services. Offerors are responsible for keeping their awarded subgroups up-to-date in eLibrary.
HACS templates
These example templates provide typical language and can be copied and pasted directly into sections 3.0 and 4.0 of the RFQ template:
Sell on MAS
Current contract holders can submit a modification to add a SIN in the eOffer/eMod portal,
If you’re new to MAS, follow the MAS Roadmap guidance for preparing and sending an offer.
Oral-technical evaluation
Vendors who were awarded all four of the legacy HACS SINs (132-45) may require a HACS self-attestation to apply for the HACS High Value Asset Assessments subgroup.
All vendors must pass an oral-technical evaluation before they can be awarded the HACS SIN:
- Evaluation questions are not provided before the evaluation but we recommend that you (the offeror) review the MAS Solicitation IT Category Attachment.
- When submitting your offer or mod, you’ll need to name up to five key personnel (and their roles in your company) to field questions during your evaluation. Consultants are not allowed to participate.
- A GSA MAS Contracting Officer must request the oral-technical evaluations for SIN 54151HACS from the HACS Program Management Office. The HACS PMO will contact you to coordinate a date for the oral-technical evaluation once the request is received. GSA reserves the right to reschedule this date at the convenience of the Government; the offeror may also reschedule with reasonable notice.
- You’ll have 1 hour and 40 minutes for the base oral-technical evaluation consisting of questions related to High Value Asset Assessments, Risk and Vulnerability Assessment, and Penetration Testing. You’ll have 10 minutes for each additional subgroup (Incident Response and/or Cyber Hunt) if you decide to to add those subgroups to your base evaluation.
- You’ll be evaluated by our Technical Evaluation Board of GSA IT Specialists. Within two business days after the evaluation, the board will send their results to the GSA CO, and the CO will send results to the offeror within one week.
You may not be subject to HACS oral-technical evaluation if:
- Your company was previously awarded all of the legacy SINS 132-45A Penetration Testing, 132-45B Incident Response, 132-45C, Cyber Hunt, 132-45D Risk and Vulnerability Assessment, and;
- You provide a HACS self-attestation acknowledging your ability to perform Security Architecture Review and Systems Security Engineering services in their entirety.
Once you’re awarded the HACS SIN, follow the instructions for selecting SIN subgroups [PDF - 52 KB] to add awarded subgroups to your eBuy profile.
Need help? Contact the Vendor Support Center.
Related resources
- Cybersecurity Terms and Definitions for Acquisition [PDF - 862 KB]
- Homeland Security Presidential Directive 12
- Federal Risk and Authorization Management Program
- NIST Security Content Automation Protocol Validated Products
- Common Criteria Certified Products
- National Information Assurance Partnership