GSA’s New Work Role ID Requirement for the HACS SIN
The GSA Multiple Award Schedule (MAS) allows contractors to sell their products or services to the federal government through specific Special Item Numbers (SINs) that align with their commercial business practices. If your business offers Information Technology (IT) software, products, or professional services, there are multiple SINs that could be applicable to your GSA MAS offer within the IT Category. However, most IT SINs require offerors to follow instructions, prepare supporting documents, and draft technical narratives beyond the standard requirements. For example, to have the Highly Adaptive Cybersecurity Services (HACS) SIN awarded, offerors must submit two supporting technical narratives demonstrating past performance, pass an oral technical evaluation, adhere to National Institute of Standards and Technology (NIST) standards, and more.
Recently, GSA increased the requirements for contract offerors to include the HACS SIN on their contract proposals. In this blog, we will discuss the new Work Role ID requirement, the oral technical evaluation, and other requirements offerors must complete to have the HACS SIN awarded.
New Requirements for the HACS SIN
In December 2024, GSA released MAS Solicitation Refresh #23, which now requires potential contractors proposing the HACS SIN to identify specific Work Role IDs from the National Initiative for Cybersecurity Careers and Studies (NICCS) Workforce Framework for Cybersecurity (NICE Framework) that align with each of their HACS SIN labor categories.
GSA’s goal with this new requirement is likely to ensure that services awarded under this SIN can perform work consistent with cybersecurity standards and the SIN’s description.
What are the NICE Framework and Work Role IDs?
The NICE Framework is considered a lexicon tool to help businesses develop cybersecurity positions using standardized descriptions for cybersecurity tasks and responsibilities that can be applied to multiple industries across public, private, and academic sectors.
GSA includes the following components of the NICE Framework in the IT Category Attachment:
- 7 Work Role Categories: A high-level grouping of common cybersecurity functions.
- 52 Work Roles: A grouping of work for which someone is responsible or accountable. Note: work roles are not synonymous with job titles or occupations.
- More than 2,200 Task, Knowledge, and Skill (TKS) Statements: A set of discrete building blocks that describe the work to be done (in the form of tasks) and what is required to perform that work (through knowledge and skills).
- 11 Competency Areas: Clusters of related knowledge and skill statements that correlate with one’s capability to perform tasks in a particular domain.
From GSA’s list above, our primary focus is on the 52 “Work Roles” and their “Work Role IDs.” Each Work Role has an assigned Work Role ID; offerors will select up to five Work Role IDs to place in the “keywords” column of the Price Proposal Template (PPT) for Work Roles that align with each proposed labor category under the HACS SIN. The specific SIN for HACS is SIN 54151HACS.
How Should Offerors Assign Work Role IDs to their Labor Categories?
As part of your GSA MAS services offer for HACS, you will need to propose labor categories and labor category descriptions to perform work at the task order level. GSA’s NICE Framework Work Role ID requirement increases the scrutiny on cybersecurity labor category descriptions. It is important to make sure you align the correct Work Role IDs with your proposed HACS labor categories. For example, more general administrative roles may not align with any of the Work Roles, eliminating these labor categories from being part of your HACS SIN offerings.
In the IT Category Attachment, GSA includes an Excel document from the NICE Framework site (see link titled “NICE Framework Components v1.0.0”) to help offerors further understand Work Role IDs and their descriptions. The image below from the Excel document shows a brief overview of one of the seven Work Role Categories, called “Design and Development (DD),” with Work Role IDs for each Work Role listed in the third column (e.g., DD-WRL-001, DD-WRL-002, etc.).
If your labor category descriptions already exist, you can search the spreadsheet for keywords or phrases from your current descriptions to find potentially applicable Work Role descriptions.
The brief Work Role description may not provide you with enough detail to assign the Work Role ID to a particular labor category. Thus, you should select a Work Role ID tab of the spreadsheet to view the multiple task, knowledge, and skill (TKS) statements associated with each Work Role ID. The image below provides an example of the “Cybersecurity Architecture” Work Role ID tab (DD-WRL-001) and its corresponding TKS statement descriptions for more information.
Other HACS SIN Requirements for GSA MAS Offerors
We just discussed the newest obstacle to having SIN 54151HACS awarded to your GSA Schedule contract, and now, we will provide a reminder of the other HACS SIN requirements.
Oral Technical Evaluation
As mentioned above, offerors pursuing the HACS SIN in their contract proposal must participate in and complete an oral technical evaluation conducted by GSA’s Technical Evaluation Board. For this evaluation, you can select up to five individuals from your company to answer questions from GSA’s evaluators. Subject matter experts (SMEs) or consultants from outside of your organization are not allowed to participate in the evaluation on your company’s behalf; however, you can use these external resources as part of your preparatory activities.
Overall, the oral technical evaluation has a strict duration of 1 hour and 40 minutes. In this timeframe, your company’s selected representatives will be questioned in-depth on three of the five HACS SIN subcategories contractors can be placed in after award, which include:
- High Value Asset Assessments
- Risk and Vulnerability Assessment
- Penetration Testing
Questions will also be asked about Security Architecture Review (SAR) and Systems Security Engineering (SSE). If you are interested in the Incident Response or Cyber Hunt HACS SIN subcategories, then 10 minutes will be added to the evaluation time for each additional subcategory to answer questions related to these topics.
This evaluation is a pass/fail scenario, and you must pass all areas of the evaluation to have the HACS SIN awarded. GSA recommends reading the oral technical evaluation instructions under SIN 54151HACS in the IT Category Attachment to the MAS Solicitation to help you further prepare for the content and structure of the test.
Compliance with Laws, Standards, and Regulations
Your labor categories offered under the HACS SIN should adhere to specific NIST standards, such as NIST SP 800-207 for Zero Trust Architecture and NIST SP 800-64 for Security Considerations in the System Development Life Cycle, depending on the opportunities you will compete for after contract award.
Additionally, Federal Acquisition Regulation (FAR) Part 52.204-21 and OMB Memorandums may be applicable.
Past Performance
Like most other IT SINs, offerors will need to prepare two technical narratives demonstrating recent past performance of HACS SIN services. While businesses may have experience with cybersecurity services, your narratives and the projects’ statements of work must clearly support HACS SIN services included in the SIN’s description, such as zero trust architecture, virus detection, Risk Management Framework, information assurance, incident response, security services, and/or Security Operations Center (SOC) services.
It is also important to connect project tasks and deliverables to each of the HACS subcategories you would like to be placed in after passing the oral technical evaluation to highlight your company’s capabilities in each area. Since project narratives will be reviewed by cybersecurity or technology SMEs, you should not be afraid to include complex project details and technical terminology in your writing.
Why Should Offerors Attempt to Have SIN 54151HACS Awarded?
Based on the new Work Role ID requirement and additional instructions listed in this blog for SIN 54151HACS, you may be wondering if this SIN is even worth trying to get awarded on your GSA MAS contract. Currently, about 690 contractors have the HACS SIN awarded, so it’s not impossible to pass this SIN’s multiple requirements.
While the change in administration has impacted the federal workforce and some IT initiatives, we can still expect to see a focus on IT spending, such as with Artificial Intelligence (AI) solutions and contracting for cybersecurity services due to the reduced workforce.
As you navigate the complexities associated with HACS requirements, our experienced consultants can help prepare your contract offer for success in the GSA MAS IT space.