High Value Asset (HVA) Assessment Requirement for the HACS SIN


The pandemic has fast-tracked our world’s transition into the digital space. Although greater connectivity has solved many problems, it opens up others, primarily cybersecurity. Cybersecurity is of paramount importance for the U.S. Government, and to help protect its information network, GSA created the Highly Adaptive Cybersecurity Services Special Item Number (HACS SIN).


The HACS SIN (54151HACS) is one of the SINs available through the GSA Multiple Award Schedule (MAS) Information Technology Large Category F, and provides government customers with cybersecurity solutions from pre-vetted contractors at reasonable prices. Its scope covers five subcategories:

  • High Value Asset (HVA) Assessments
  • Risk and Vulnerability Assessments
  • Cyber Hunt
  • Incident Response
  • Penetration Testing

What is the High Value Asset (HVA) Assessment?

A High Value Asset (HVA) is any information system that is crucial to keeping an organisation running. Such systems are generally targets of cyber-attacks, which can cause catastrophic damage. Identifying a system’s technical weak spots is the key to protecting it, and so the Cybersecurity and Infrastructure Security Agency (CISA) developed the HVA Assessment to vet potential cybersecurity vendors who want to sell to the government via a GSA Schedule contract.

What does the High Value Asset (HVA) Assessment involve?

Any GSA Schedule contractor that wants to qualify as a cybersecurity assessor for the government must pass the HVA Assessment. 

The first three steps are preparation for the HVA Assessment course:

  1. Orientation: everyone involved must attend this orientation where CISA explains the assessment process and qualification requirements.
  2. Registration: candidates register for the HVA Assessment course. 
  3. Evaluation: participants must pass an online evaluation exam a few weeks before the course begins, to demonstrate that they have adequate prior knowledge of cybersecurity. Potential HACS SIN operators must also take an Operator Skills Assessment.

Once the preliminary steps are completed, candidates move on to the HVA Assessment course.

What happens in the HVA Assessment course?

The HVA Assessment course duration, activities and exam vary based on the type of assessment: 

  1. Security Architecture Review
  2. Risk and Vulnerability Assessment
  3. Systems Security Engineering

The course is delivered online by instructors, and candidates’ knowledge is tested with a comprehensive exam at the end, known as a ‘capstone’. 

What happens after you pass the HVA exam?

After passing the HVA capstone exam, the candidate must perform an initial assessment and write a detailed report that meets CISA’s strict requirements. If CISA approves the report, the candidate will be deemed a qualified assessor. If not, they will have to complete activities that address the areas where the candidate is lacking knowledge before submitting another report.

What happens after completing the HVA Assessment?

The process doesn’t end there: as the digital world is constantly changing, assessors have to requalify every three years to demonstrate up-to-date cybersecurity knowledge. Refresher activities are sometimes organised by CISA if major changes occur during the three-year period.

Want to know more about your HACS SIN?

If you are interested in a HACS SIN, get in touch with one of Price Reporter’s consultants today.
