GSA preps security pacts

The General Services Administration's Office of Information Security last week released a request for quotations on a $250 million security services contract to help agencies protect their critical computer systems.

The blanket purchase agreement is the basis for Program Safeguard, an OIS effort to protect the federal critical infrastructure against cyberattacks. It will serve as a vehicle for information security services that agencies need to comply with Presidential Decision Directive 63, issued in May 1998. PDD 63 outlines requirements for agencies to protect the nation's most important computer systems from cyber- and physical attacks.

In October, GSA partnered with Booz-Allen & Hamilton Inc. to provide consulting services for agencies to develop plans, required by the presidential directive, that spell out how agencies will protect systems. The new BPA takes the next step to provide services to fulfill the plans, said Tom Burke, assistant commissioner of OIS.

The BPA covers six areas: critical infrastructure asset identification; vulnerability assessment and threat identification; critical infrastructure protection readiness and contingency planning; physical infrastructure protection; information systems security and information assurance; and emergency preparedness training, exercises and simulation.

"These are the things that [agencies] need to do in the next few months to meet the presidential decision directive," Burke said.

Vendors already offer critical infrastructure protection services to agencies, including through GSA's Federal Supply Service schedule, on which the BPA is based. But it could take an agency time to find the right solution among all the IT contracts.

"While those services are all available on many contracts in the government environment, we thought this was a way to bring them forward and highlight them," Burke said.

The Commerce Department contracted with Booz-Allen to help identify the department's minimum essential infrastructure and vulnerabilities. However, many more steps, such as contingency planning and how to protect the systems, need to be taken before the agency has adequately protected its critical infrastructure, said Lisa Westerback, director of the Office of Information Planning and Review at Commerce. "What GSA is proposing will be very helpful for that," she said.

The RFQ went out to 11 vendors, and GSA will award contracts as the vendors respond, making the services available to agencies as quickly as possible. "It is in our interest and the customer's interest to get these things evaluated and awarded quickly," Burke said. His office is working with GSA's IT Solutions Development Center in Region 9 to evaluate proposals and manage the contract.

Vendors that received the request include Booz-Allen, Sytex Inc., Computer Sciences Corp., Litton/PRC Inc., SRA International Inc., GTE Government Systems Corp., Kajax Engineering Inc., Science Applications International Corp., KPMG LLP, Collins Consulting Group and Leads Corp.

Vendors declined to comment on the contract or could not be reached.

The BPA expires Sept. 30, 2000, and can be extended if agencies are still installing programs, but by that time Burke hopes to have a multiple-award indefinite-delivery, indefinite-quantity contract in place. Once GSA develops the IDIQ, a transition plan will be developed, and GSA expects many of the same vendors to be on that contract as on the BPA.

In the past, critics contend, contracts like Program Safeguard have not been successful. Although agencies talked about the need for security, when it came time to spend money on it, they did very little. "There is an enormous gap between potential and real demand," said Warren Suss, president of consulting firm Warren H. Suss Associates.

The major factor behind this contract's success will be the new awareness brought on by PDD 63 and whether the directive is followed up with budgeted funds for information security from the president and Congress, Suss said.