The Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) is available through the Multiple Award Schedule (MAS) Information Technology. HACS provides agencies quicker access to key support services from technically evaluated vendors that will:
Expand your agency's capacity to test high-priority IT systems
The scope of the HACS SIN includes proactive and reactive cybersecurity services. Assessment services needed for systems categorized as High Value Assets (HVA) are also within scope of this SIN. It includes Risk and Vulnerability Assessments (RVA), Security Architecture Review (SAR), and Systems Security Engineering (SSE). Additionally, the scope of the SIN includes services for the seven step Risk Management Framework (RMF), and Security Operations Center (SOC) services.
The seven-step RMF includes preparation, information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. RMF activities may also include Information Security Continuous Monitoring Assessment (ISCMA) which evaluate organization-wide ISCM implementations, and also Federal Incident Response Evaluations (FIREs), which assess an organization’s incident management functions.
SOC services are services such as: 24x7x365 monitoring and analysis, traffic analysis, incident response and coordination, penetration testing, anti-virus management, intrusion detection and prevention, and information sharing.
There are five subcategories under the HACS SIN. Vendors listed within each subcategory in GSA eLibrary have passed a technical evaluation for that specific subcategory:
High Value Asset Assessments – include Risk and Vulnerability Assessment (RVA) which assesses threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. See the section below on RVA for details on those services. Security Architecture Review (SAR) evaluates a subset of the agency’s HVA security posture to determine whether the agency has properly architected its cybersecurity solutions and ensures that agency leadership fully understands the risks inherent in the implemented cybersecurity solution. The SAR process utilizes in-person interviews, documentation reviews, and leading practice evaluations of the HVA environment and supporting systems. SAR provides a holistic analysis of how an HVA’s individual security components integrate and operate, including how data is protected during operations. Systems Security Engineering (SSE) identifies security vulnerabilities and minimizes or contains risks associated with these vulnerabilities spanning the Systems Development Life Cycle. SSE focuses on, but is not limited to the following security areas: perimeter security, network security, endpoint security, application security, physical security, and data security.
Risk and Vulnerability Assessment – assesses threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations. The services offered in the RVA sub-category include Network Mapping, Vulnerability Scanning, Phishing Assessment, Wireless Assessment, Web Application Assessment, Operating System Security Assessment (OSSA), Database Assessment, and Penetration Testing.
Cyber Hunt – activities respond to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats. Cyber Hunts start with the premise that threat actors known to target some organizations in a specific industry or with specific systems are likely to also target other organizations in the same industry or with the same systems.
Incident Response – services help organizations impacted by a cybersecurity compromise determine the extent of the incident, remove the adversary from their systems, and restore their networks to a more secure state.
Penetration Testing – is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.
State and local governments can buy technology via MAS Information Technology through the GSA Cooperative Purchasing Program. To find out if your government entity qualifies, or what fees may apply, refer to the links below:
Statement of Work (SOW) and Request for Quote (RFQ) Templates
The HACS SOW templates below provide example information for a variety of cybersecurity services that can be purchased through the HACS SIN. Sections 3.0 and 4.0 of each template provide typical language for a cybersecurity solicitation, and provide examples of specific activities and deliverables associated with HACS.
Each template aligns with the HACS RFQ Template, and material from any of these SOW examples can be copied and pasted directly into Sections 3.0 and 4.0 of the RFQ template to make your experience easier and more efficient.
Guidance on which vendors qualify to apply for the HACS High Value Asset (HVA) Subcategory is available in the Information Technology Category attachment #7 of the MAS solicitation document found on SAM.gov (search for "HVA" within the document to find specific HVA information). Vendors that require a Self-Attestation form to apply for the HACS HVA Subcategory can find it here - HACS Self-Attestation Form [PDF - 104 KB].
The shortcut to this page is gsa.gov/hacs.
Last Reviewed: 2021-10-27
PER DIEM LOOK-UP
Choose a location
Error, The Per Diem API is not responding. Please try again later.
No results could be found for the location you've entered.
Traveler reimbursement is based on the location of the work activities and not the accommodations, unless lodging is not available at the work activity, then the agency may authorize the rate where lodging is obtained.
Unless otherwise specified, the per diem locality is defined as "all locations within, or entirely surrounded by, the corporate limits of the key city, including independent entities located within those boundaries."
Per diem localities with county definitions shall include"all locations within, or entirely surrounded by, the corporate limits of the key city as well as the boundaries of the listed counties, including independent entities located within the boundaries of the key city and the listed counties (unless otherwise listed separately)."
When a military installation or Government - related facility(whether or not specifically named) is located partially within more than one city or county boundary, the applicable per diem rate for the entire installation or facility is the higher of the rates which apply to the cities and / or counties, even though part(s) of such activities may be located outside the defined per diem locality.