The General Services Administration (GSA) is tasked with helping federal agencies meet their procurement needs. This includes the continual and growing need for identity protection services. While it’s not common for GSA to actively seek contractors to join the GSA Schedules program, fewer than a handful of companies currently provide identity protection solutions through the GSA Schedule Contract. In an effort to expand the pool of companies that provide these services, on May 23, 2019, GSA put out a call for data breach response and identity protection service providers.
Background
In 2015, GSA worked with federal agencies to create the Identity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA). The IPS BPA provides agencies with access to companies that offer identity monitoring and data breach response services, including:
- Address verification reports
- Credit monitoring, credit risk assessments, and consumer credit reports
- Identity theft insurance and identity restoration services
- Recovery services involving suspected or actual breaches of sensitive personally identifiable information
In July of 2016, the Office of Management and Budget established the GSA IPS BPA as a preferred source for federal agencies looking for credit monitoring, breach response, and identity protection services. This means, with a few exceptions, agencies must take additional steps to justify using any other contract vehicle for the purchase of these types of services.
Moving Forward
The IPS BPA is set to expire next year. Instead of recompeting the BPA, GSA Schedule SIN 520-20, Data Breach Response & Identity Protection Services, will serve as a replacement. GSA explained that there were difficulties with pricing under the BPA and that SIN 520-20 would provide greater flexibility to meet agency needs.
According to GSA, from fiscal year 2016 to present, agencies awarded $53 million in IPS-related non-OPM/BPA awards. GSA is looking to direct these future awards through SIN 520-20, as well as future OPM IPS-related awards once the task order expires.
SIN 520-20
SIN 520-20 is a Financial and Business Solutions (FABS) related subcategory under the GSA Professional Services Schedule (PSS). In 2017, GSA redefined SIN 520-20 from “Comprehensive Protection Solutions” to “Data Breach Response & Identity Protection Services”. The redefined SIN reflects an integrated, total solution to provide:
- Identity monitoring and notification of Personally Identifiable Information (PII) and Protected Health Information (PHI)
- Identity theft insurance
- Identity restoration services
- Protection of the confidentiality of PII and PHI
The Challenge for Companies
Companies interested in providing IPS services through the GSA Schedule will have a few significant hurdles to overcome. The Data Breach Response and IPS SIN has unique technical, pricing, and reporting requirements. This is part of the reason so few companies currently offer services under the SIN. The security requirements prevent resellers from qualifying for the SIN.
System Security Plan (SSP)
A company cannot offer IPS services under GSA Schedule SIN 520-20 without submitting a moderate impact level System Security Plan (SSP). During a recent webinar on the IPS SIN, GSA admitted that the SSP was a “fairly onerous requirement, but very important”. The SSP must follow the latest revision of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations. Companies must also be familiar with NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Pricing Requirements
All companies must offer total solution pricing to be considered for SIN 520-20. This can be priced per year, per impacted individual – best for agencies that do not know the number of enrollees affected by the breach. Another option for the total solution pricing is per year, per enrollee, which is best for agencies that do know the number of enrollees impacted by the breach. While not required, companies can also offer pricing for individual components of the IPS total solution and additional services.
Need Help Offering Data Breach & Identity Protection Services Under the GSA Schedule?
Federal Schedules, Inc. has been helping companies obtain and manage their GSA Schedule Contracts since 1986. Whether your company wants to obtain a new GSA Schedule Contract to provide data breach response and identity protection services to federal agencies, or you have an existing GSA Professional Services Schedule and would like to add the IPS SIN 520-20 – we can help! Contact us to discuss.