U.S. General Services Administration
Chat or call
Hours for live chat and calls:
Sun 8 p.m. to Fri 8:30 p.m. Central time
Cybersecurity framework
Supporting your agency’s CSF
Your agency can leverage our GSA contract vehicles to implement your approach to the National Institute of Standards and Technology Cybersecurity Framework. Use the framework to:
- describe your current cybersecurity posture.
- describe a target end state for cybersecurity.
- identify and prioritize opportunities for improvement.
- assess your progress towards the target state.
The CSF organizes practices into five concurrent and continuous functions, which provide a high-level strategic view of an organization’s management of cybersecurity risk. The functions include individual categories and subcategories, which are discrete business outcomes an organization can achieve.
| Function | Purpose | Categories |
|---|---|---|
| Identify | Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. | Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management |
| Protect | Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. | Identity Management, Authentication and Access Control, Awareness & Training, Data Security, Info Protection and Procedures, Maintenance, Protective Technology |
| Detect | Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. | Anomalies and Events, Security Continuous Monitoring, Detection Process |
| Respond | Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. | Response Planning, Communications, Analysis, Mitigation, Improvements |
| Recover | Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. | Recovery Planning, Improvements, Communications |
CSF product and service providers
Multiple Award Schedule
You can use our MAS Special Item Numbers to find specialized commercial products, services, and solutions.
- Our Highly Adaptive Cybersecurity Services and IT Professional Services SINs offer a range of services covering the cybersecurity lifecycle, from proactively assessing an information system’s risks and vulnerabilities to carrying out security monitoring, response, and recovery activities in a security operations center.
- Agencies can also use the Risk Assessment and Mitigation Services SIN to procure risk assessment and breach mitigation and forensic services. This SIN can also be used to implement measures to protect sensitive data, including Personally Identifiable Information and Protected Health Information. It can also be used to procure compliance and governance support, including data breach prevention training.
- Through the Identity, Credential, and Access Management SIN, agencies can purchase products and services to manage and authenticate user identities when accessing applications and information systems on your networks.
- GSA’s Best-in-Class IT Hardware and Software SINs allow agencies to purchase necessary cybersecurity products to improve your security posture and practices. These SINs also offer access to products listed on the Continuous Diagnostics and Mitigation Approved Product List. Products on the CDM APL are reviewed and approved by CISA to support the objectives of the CDM program.
- The BIC Wireless Mobility Solutions SIN provides a range of services to secure mobile devices, mobile applications, Internet of Things, and other mobile services deployed by agencies.
Governmentwide Acquisition Contracts
You can use GWACs to buy total IT solutions more efficiently and economically. We offer multiple GWACs that offer access to pools of vendors:
- Alliant 2 for access to vendors other than small businesses.
- 8(a) STARS III for access to 8(a) certified vendors.
- VETS 2 for access to Service-Disabled Veteran Owned Small Businesses.
Enterprise Infrastructure Solutions
You can use EIS for comprehensive IT, telecommunications, and infrastructure solutions. Through EIS’s Managed Security Service, agencies can access network monitoring, vulnerability scanning, and incident response capabilities. EIS also supports Trusted Internet Connections and Managed Trusted Internet Protocol Services.
Resources
- The NIST Framework for Improving Critical Infrastructure Cybersecurity organizes cybersecurity activities and practices into a common taxonomy.
- Zero Trust Architecture [PDF - 1 MB], Department of Defense Zero Trust Architecture [PDF - 1 MB], Application Security Testing, and Advanced Persistent Threat Buyer’s Guides identify key principles to consider when implementing cybersecurity programs and procuring relevant GSA solutions.
- GSA’s Cybersecurity Supply Chain Risk Management Guide [PDF - 1 MB]offers considerations and resources for acquiring products and services to establish a C-SCRM program that identifies cyber risks within IT supply chains.
- GSA’s IT Solutions Navigator and Market Research As a Service tools can be used to find contract vehicles that align best with agencies’ needs and capable vendor pools to meet their requirements.