Phone: (202) 296-5505 Email:

New Call-to-action

 Back to all posts

GSA's Highly Adaptive Cybersecurity Services (HACS) SIN Blog Feature
Patrick Morgans

By: Patrick Morgans on April 14th, 2021

Print/Save as PDF

GSA's Highly Adaptive Cybersecurity Services (HACS) SIN

GSA Schedule | Technology | 4 Min Read

The U.S. federal government has become increasingly connected in the digital age. This affords great opportunities but also requires a significant investment in cybersecurity. Every organization has information that it needs to keep private, but the federal government has especially sensitive data that needs to be heavily guarded.

A single leak could cause rampant issues from identity theft to leakage of confidential information. To keep information secure in our constantly changing digital world, the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) was created under the Multiple Award Schedule (MAS) Program

If this sounds like a solution you can provide as a current or prospective GSA Schedule contractor, now is the time to learn more about the HACS SIN and consider adding it to your contract in order to benefit from this expanding field.

What is the Highly Adaptive Cybersecurity Services (HACS) SIN?

The HACS SIN gives government agencies quicker access to pre-vetted cybersecurity services to support network protection. The HACS SIN is available through the Multiple Award Schedule (MAS) Information Technology Large Category F

The services offered through this SIN involve protecting information, detecting any cybersecurity breaches or incidents, responding to any cybersecurity problems, and remedying any problems that emerge.

The HACS SIN covers various fields including:

  • Risk Management Framework (RMF) services
  • Information assurance
  • Virus detection
  • Network management
  • Situational awareness and incident response
  • Secure web hosting
  • Backup and security services
  • Security operations center services

If your company is capable of providing the federal government services that can test agency IT systems, quickly remedy vulnerabilities in federal systems, and prevent threats from breaching government networks, then you should consider the benefits of including this SIN on your GSA Schedule.

HACS SIN Subcategories

There are five specific subcategories that contractors are listed under when they have been awarded the HACS SIN. These subcategories are:

  1. High Value Asset Assessments
  2. Risk and Vulnerability Assessments
  3. Cyber Hunt
  4. Incident Response
  5. Penetration Testing.

The latter four subcategories were originally separate SINs, but now they coexist as separate subcategories under one SIN. This subcategorization allows contractors to receive the most relevant Requests for Proposals (RFPs) and Requests for Quotes (RFQs) in GSA eBuy.

High Value Asset Assessments

The High Value Asset Assessments subcategory covers Security Architecture Review, Risk and Vulnerability Assessment, and Systems Security Engineering.

Risk and Vulnerability Assessment

The Risk and Vulnerability Assessment subcategory covers Network Mapping, Vulnerability Scanning, Phishing Assessment, Wireless Assessment, Web Application Assessment, Operating System Security Assessment (OSSA), Database Assessment, and Penetration Testing.

Cyber Hunt

The Cyber Hunt subcategory covers services involving response to cybersecurity crises or incidents, including mapping current and potential threats.

Incident Response

The Incident Response subcategory includes services designed to help organizations that have been compromised assess damage, remove any offending threats from their systems and networks, and make the network secure again.

Penetration Testing

The Penetration Testing subcategory involves services by which experts impersonate attackers in order to find vulnerabilities in an organization’s networks and security systems.

Adding the Highly Adaptive Cybersecurity Services (HACS) SIN to Your GSA Schedule

For GSA contractors who wish to add the HACS SIN to their Schedule, there are special requirements that you should keep in mind.

To propose or add the HACS SIN, you need to remember that only IT professional services or labor categories can be offered under this Special Item Number. That means that there cannot be any products offered through this SIN.

You must also provide descriptions of two past projects, either completed within the past two years or ongoing with at least one year of work on the project. These descriptions must relate how the past project is related to work that would be performed under the HACS SIN. You want to point out the applicability of the past projects to the subcategories you are proposing.

Offerors of the HACS SIN must also comply with certain National Institute of Standards and Technology (NIST) requirements, and these can vary on the task order level.

The HACS SIN Oral Technical Evaluation

GSA contractors who wish to offer services under the HACS SIN must participate in an oral technical evaluation conducted by a Technical Evaluation Board (TEB). This often worries prospective contractors, but with an experienced team or help from a GSA consultant and some preparation, it is not necessarily something you need to fear.

The oral technical evaluation tests whether you can perform the services you would like to offer in each of the HACS SIN’s subcategories. You must pass this evaluation to be awarded the HACS SIN, and it is graded on a pass/fail basis.

Up to five of your employees can be present at the oral technical evaluation. You will want to check the current standards since these may be done virtually now. The base exam consists of questions regarding High Value Asset Assessments, Risk and Vulnerability Assessments and Penetration Testing. If you want the Cyber Hunt or Incident Response subcategories as well, you will be asked additional questions about in the subcategory(ies) that you select.

The base evaluation lasts an hour and forty minutes with ten minutes extra allotted for each additional subcategory selected. Any contractor who does not pass this evaluation can retry at least six months after the date of the initial test.

The oral technical evaluation includes scenario based as well as general question. The evaluation changes periodically, but you can learn more about what to generally expect in our blog about the HACS SIN oral technical evaluation.

Need Help Adding the HACS SIN to Your GSA Schedule?

Government agencies know that they can expect quality services at competitive but fair prices when they purchase through a GSA Schedule, and the HACS SIN is no different. If you find yourself interested in adding this SIN to your GSA Schedule or acquiring a GSA Schedule, please reach out to Winvale, and our experienced team of consultants will help you expand your presence in the government’s growing cybersecurity sphere.

New call-to-action


About Patrick Morgans

Patrick Morgans is a Lead Consultant for Winvale. He is a native of Fredericksburg, Virginia and earned his Bachelor's of Arts in Government from the University of Virginia.