
Instructions on the Use of General Services Administration (GSA) Blanket Purchase Agreements (BPAs) for Independent Risk Analysis Services

April 20, 2009

To: Heads of Contracting Activity (HCAs)
OPDIV Chief Information Security Officers (CISOs)
OPDIV Chief Information Officers (CIOs)
From: Nancy J. Gunderson, Acting HHS Senior Procurement Executive
Michael W. Carleton, HHS Chief Information Officer
Subject: Instructions on the Use of General Services Administration (GSA) Blanket Purchase Agreements (BPAs) for Independent Risk Analysis Services
Effective: Immediately

 

HHS is responsible for managing the information it stores, processes, and transmits in support of its business functions, in accordance with federal laws and regulations. Some information or data types, such as personally identifiable information (PII), require additional protection due to their sensitivity. The risk associated with PII misuse, unauthorized disclosure or data breach depends upon the sensitivity level of the information.

OPDIV/STAFFDIV Chief Information Security Officers (CISOs) report all suspected or confirmed data breaches to the HHS Information Security and Privacy Program within the Office of the Chief Information Officer (OCIO), which in turn notifies members of the HHS PII Breach Response Team (BRT). If the BRT determines that a PII breach has occurred, it must assess the risk level associated with the breach and tailor the Department's response accordingly.

This memorandum is to advise you that assistance is available for such risk assessments. GSA has established government-wide Blanket Purchase Agreements (BPAs) for independent risk analysis services, including verification and validation of in-house risk assessments. Attached is information regarding those BPAs.

If the BRT determines that a PII breach has occurred and that in-house resources are not available to conduct an adequate risk assessment, then the BRT Chair (i.e., HHS CIO), in concert with the OPDIV/STAFFDIV CISO and cognizant contracting officer, must review the pricing and other terms and conditions of the GSA BPAs (in addition to any other independent risk analysis services that they may consider in their market research).

Further, if during acquisition planning a collaborative decision is made to acquire independent risk analysis services other than through the GSA BPAs, HHS shall send a notice to GSA, with a copy to OMB's E-Government Administrator, explaining how the proposed contract offers the best value to the Government. The notice shall also identify the pricing and other terms and conditions of the proposed award; briefly describe the services needed; and justify why the services are needed from this vehicle rather than from one of the GSA BPAs.

In addition, the notice shall be prepared by the HHS BRT Chair, in consultation with the HHS Chief Acquisition Officer (or designee) and submitted at least 10 days prior to making an award (except in the event of unusual and compelling urgency, in which case the notice shall be provided as soon as practicable).

Authorities:

  1. OMB Memorandum (M-07-16), Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007, located at http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf
  2. OMB Memorandum (M-08-10), Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA), dated February 4, 2008 located at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-10.pdf
  3. Policy for Responding to Breaches of Personally Identifiable Information (PII), dated November 17, 2008, HHS-OCIO-2008-001.003, located at http://www.hhs.gov/ocio/policy/20080001.003.html
  4. Personally Identifiable Information (PII) Breach Response Team (BRT) Charter, dated November 17, 2008, HHS-OCIO-2008-0001.003C, located at http://www.hhs.gov/ocio/policyI20080001.003c.html
  5. Federal Acquisition Regulation (FAR) 8.405-2, Ordering procedures for services requiring a Statement of Work, and FAR 8.405-3, Blanket Purchase Agreements (BPAs), located at http://www.acquisition.gov/far/reissue/FARvol1ForPaperOnly.pdf

Attachment:

Independent Risk Analysis Services Blanket Purchase Agreement Information

Government Points of Contact

U.S. General Services Administration

Crystal Plaza 4, 2200 Crystal Drive, 7th Floor

Arlington, VA 22202

 

BPA Contracting Officer

Houston Taylor

E-mail: bouston.taylor@gsa.gov

 

Alternate:

Dennis Harrison

E-mail: dennis.harrison@gsa.gov

 

BPA Holders

Identity Theft Guard Solutions, LLC

BPA #: GS-23F-IRAOI

MAS Contract#: GS-23F-0037T

Date of Award: 01-Oct-07

Address: 8625 SW Cascade Avenue, Suite 310

Beaverton, OR 97008

POC: Eric Landry; eric.landry@identitysafeguards.com

Tel: 800.298.7558 Fax: 800.298.8457

 

SRA International Inc.

BPA#: GS-23F-IRA02

MAS Contract#: GS-23F-0037T

Date of Award: 01-Oct-07

Address: 4300 Fair Lakes Court

Fairfax, VA 22033

POC: George Shalhoub, Sr. Contracts Administrator

Tel: 703-284-5000

Fax: 703-284-5001

