PSS Refresh 28: More than Meets the Eye

The General Services Administration’s (GSA) Federal Acquisition Service (FAS) is planning to release Refresh 28 of the 00CORP Professional Services Schedule (PSS) in Mid-November 2017. This update will implement a variety of changes to the scope of Special Item Numbers (SINs) 520-16, 520-17, and 520-20. It will also delete SINs 520-18 and 520-19 in order to redefine Data Breach Response and Identity Protection Services under PSS. These changes help to embrace the transition seen in data breach response and help create a proactive solution for identity protection.

There are many benefits that accompany the planned changes to the PSS. Redefining the scope of SIN 520-20 allows the industry to provide a total solution for data breach response and identity protection services under a single SIN. Firms now have the ability to offer all or part of the services listed in the new SIN description. Additionally, Refresh #28 and the associated mass modification will also make participation in the Transactional Data Reporting Pilot voluntary.

Here are some important changes made in the new refresh:

SIN 520-16: Business Information Services (BIS) has been redefined:

• Added “Security freeze (lock credit file)” to the existing SIN description.
• Removed “(excluding voice communication)” from the existing SIN description.
• Removed the following Special SIN Requirement: If proposing bond ratings, managed fund ratings, or institutional ratings, the offeror shall be accepted by the Securities and Exchange Commission as Nationally Recognized Statistical Rating Organizations (NRSRO).

SIN 520-17: Risk Assessment and Mitigation Services has been redefined:

• The scope has been revised to support ordering agencies seeking proactive prevention of identity theft.
• Support may include:
  • Mitigation and forensic services;
  • Evaluation of threats and vulnerabilities to Personally Identifiable Information (PII) and Protected Health Information (PHI);
  • Training of government personnel on how to prevent data breaches and identity theft;
  • Vulnerability assessments;
  • Privacy impact and policy assessments;
  • Review and creation of privacy and safeguarding policies;
  • Prioritization of threats;
  • Maintenance and demonstration of compliance;
  • And the evaluation and analysis of internal controls critical to the detection and elimination of weaknesses to the protection of PII and PHI.

SINs 520-18 and 520-19 have been deleted:

• The scope of SIN 520-18 was embedded into SIN 520-17.
• The scope of SIN 520-19 was embedded into SIN 520-20.

SIN 520-20: Data Breach Response and Identity Protection Services (IPS) has been redefined:

• SIN 520-20 has been redefined in its entirety to provide an integrated, total solution for identity monitoring services that includes notification of PII and PHI, identity theft insurance and identity restoration services, and protection (safeguarding) of confidential PII and PHI.

There are also new solicitation attachments containing additional instructions relevant to SIN 520-20:

• IPS Requirement Document 1A -Industry definitions, task order level reporting requirements, etc.
• IPS Requirement Document 1B -Additional proposal instructions related to SIN 520-20
• IPS Pricing Document 2-mandatory pricing structure template for SIN 520-20
• IPS Requirement Document 1C-template to use to fill out the mandatory system security plan for SIN 520-20

Additionally, to be considered for the awarding of SIN 520-20, the contractor is required to provide pricing for a total solution covering all services described in Section I of IPS Requirements Document 1A. GSA is looking for all-inclusive services to combat data breaches and SIN 520-20 is meant to be a total solution to this 21^st - century issue of security.

What other questions do you have about the PSS refresh? Contact info@winvale.com and we’d be happy to help!