The Missile Defense Agency (MDA) intends to issue a solicitation to procure cybersecurity compliance and risk management services to support MDA and the Office of Chief Information Officer, according to a pre-solicitation notice.
The notice, published Feb. 22, said this cybersecurity compliance and risk management requirement includes conducting “numerous cybersecurity test and risk assessment services across all MDA information systems,” their connections and associated test events.
MDA said the cyber support requirement will be solicited as a Women-Owned Small Business set-aside using source selection procedures in federal acquisition regulations.
This acquisition will be classified as Other Computer Related Services and the Small Business Size Standard will be $30 million. MDA expects to award a single cost-plus-fixed-fee contract for a base period of three years with one three-year option and one six-month extension option.
Places of performance will largely include Fort Belvoir, Va.; Huntsville, Ala.; and Colorado Springs, Colo.
The requirement includes the development, implementation, sustainment and execution of Agency Risk Management Framework (RMF) functions and processes, including cybersecurity controls validation, software assurance, cybersecurity risk assessment and cybersecurity training, and providing fee-for-service management and event scheduling support.
The notice said the cybersecurity controls validation includes performing technical and non-technical evaluations on information systems authorized or to be authorized by the MDA Authorizing Official, internal and external MDA information systems connections and classified sites connecting to MDA information systems. Software assurance requirements cover assessing internal and external Commercial-Off-The-Shelf (COTS) and Government-Off-The-Shelf (GOTS) software code analysis and results and risk assessment reports for all major software builds of the Operational Capacity Baseline of the missile defense system (MDS).
The notice said cybersecurity risk assessment entails the RMF control and system-level assessments of all major hardware and software updates of the Operational Capacity Baseline of the MDS; all MDA flight and ground test event architectures; information systems authorized or to be authorized by the MDA Authorizing Official; internal and external MDA information systems connections; classified sites connecting to MDA information systems; and cybersecurity test results from test evaluations.
The cybersecurity training requirement includes organizing and developing curriculum for Agency-level cybersecurity workforce training, education, and leadership development as well as providing management support in tracking Agency-wide cybersecurity certifications and training requirements.
The notice said MDA expects to post the final solicitation at the Procurement Integrated Enterprise Environment (PIEE) solicitation module about 45 days from the date of this notice. The solicitation will close 30 days after posting.