GSA Federal Acquisition Service
Search:
For general questions, contact:
FAS National Customer Service Ctr
Phone: 1-800-488-3111
E-mail: ncsccustomer.service@gsa.gov

Professional Services
Identity Protection Services
MAS Multiple Award Schedule - Available offerings include commercial goods and services organized by 12 Large Categories, corresponding Subcategories, and SINs.

MAS Category list:

Download Contractors (Excel)
Professional Services - Identity Protection Services
Category Description
541990IPS Data Breach Response and Identity Protection - Data Breach Response and Identity Protection Services (IPS) include an integrated, total solution to provide identity monitoring and notification of Personally Identifiable Information (PII) and Protected Health Information (PHI); identity theft insurance; identity restoration services; and protection (safeguarding) the confidentiality of PII and PHI. Additional requirements specifically for Identity Protection Services are found in the notes section referenced below.

NOTE 1: Additional Proposal Instructions related to Identity Protection Services (IPS) are found in IPS Requirements Document 1B.

NOTE 2: Any firm offering Identity Protection Services will be required to provide a System Security Plan (SSP) in accordance with the template found in IPS Requirement Document 1C. The firm will also be required to submit a Firm Fixed Price as outlined in IPS Pricing Document 2, unless otherwise defined at the Task Order level (e.g. per product redeemed per the agreed-upon coverage period (month, year, etc.) ) covering ALL services cited in Section I of IPS Requirements Document 1A. If defined otherwise at the Task Order level, it must still be able to be mapped to the awarded Schedule contract pricing. Firms are encouraged to provide separate line item pricing for key services within this total solution SIN that the firm believes could be ordered independently (e.g., credit monitoring, restoration, etc). This will allow the Ordering Agency to obtain only those services needed depending on level of breach. See IPS Pricing Document 2 for pricing tables.

NOTE 3: Services provided shall be performed in accordance with applicable Federal laws and policies, including the Identity Theft and Assumption Deterrence Act of 1998, as amended by Public Law 105-318, 112 Statute 3007 (Oct. 30, 1998), and implemented by 18 U.S.C. 1028. Firms are required to adhere to all applicable Office of Management and Budget (OMB) policies including OMB Circular A-130, Managing Federal Information as a Strategic Resource, and any updates to OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information.

NOTE 4: The Agency Ordering Guide for Identity Protection Services can be found at https://www.gsa.gov/buying-selling/products-services/professional-services/buy-services/identity-protection-services-ips
541990RISK Risk Assessment and Mitigation Services - Services include: breach mitigation and analysis/forensic services, the deployment of financial risk assessment and mitigation strategies and techniques; improvement of capabilities through the reduction, identification, and mitigation of risks; detailed risk statements, risk explanations and mitigation recommendations; design and development of new business applications, processes, and procedures in response to risk assessments; and ensuring compliance with governance and regulatory requirements. Under this SIN, firms can also assist the Ordering Agency with preventive measures in protecting Personally Identifiable Information (PII) and Protected Health Information (PHI) through the evaluation of threats and vulnerabilities to PII and PHI type of information; training of Government personnel on how to prevent data breaches and identity theft; vulnerability assessments; privacy impact and policy assessments; review and creation of privacy and safeguarding policies; prioritization of threats; maintenance and demonstration of compliance; and evaluation and analysis of internal controls critical to the detection and elimination of weaknesses to the protection of PII and PHI type of information.