Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF NOVEMBER 22, 2023 SAM #8030
SOURCES SOUGHT

R -- Request for Information (RFI) - Program Management Office Support for Zero Trust Implementation

Notice Date
11/20/2023 9:07:39 AM
 
Notice Type
Sources Sought
 
NAICS
541512 — Computer Systems Design Services
 
Contracting Office
PROGRAM SUPPORT CENTER ACQ MGMT SVC ROCKVILLE MD 20857 USA
 
ZIP Code
20857
 
Solicitation Number
OS316725
 
Response Due
12/6/2023 9:00:00 AM
 
Archive Date
12/21/2023
 
Point of Contact
Jennifer Browning
 
E-Mail Address
jennifer.browning@hhs.gov
 
Description
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF CHIEF INFORMATION OFFICER
REQUEST FOR INFORMATION
Program Management Office Support for Zero Trust Implementation

THIS IS A REQUEST FOR INFORMATION (RFI) ONLY. This RFI is issued solely for market research, planning, and information purposes, in accordance with Federal Acquisition Regulation (FAR) Part 10, and is not to be construed as a commitment by the Government to issue a subsequent solicitation (Request for Proposal or Request for Quote). This RFI does not commit the Government to contract for any supply or service. Further, the Government will not accept unsolicited proposals in response to this RFI. Participants in this market research are advised that the Government will not pay for any costs incurred in response to this RFI. All costs associated with responding to this RFI will be solely at the interested party's expense. Responses to this RFI will be used to identify potential sources, vehicles and set asides for specific small business classifications. Not responding to this RFI does not preclude participation in any future solicitation, if any is issued. This is a market research tool being used to determine the availability of existing vendors that can provide the services described in this RFI.

The anticipated North American Industry Classification System (NAICS) code for this requirement is 541512, "Computer Systems Design Services." The Product Service Code (PSC) is R499, "Support - Professional: Other." If a contractor believes a more appropriate NAICS applies to this requirement as detailed herein, include the feedback in your response.

INTRODUCTION

The Department of Health and Human Services (HHS) Office of the Chief Information Officer (OCIO) is conducting market research for Program Management Office (PMO) support services for the department wide Zero Trust Architecture (ZTA) implementation.

BACKGROUND/PROGRAM DESCRIPTION

HHS is the U.S. government's principal agency for protecting the health of all Americans and providing essential human services. The mission of HHS is to enhance the health and well-being of Americans by providing effective health and human services and by fostering sound, sustained advances in the sciences, underlying medicine, public health, and social services. HHS accomplishes its mission through programs and initiatives that cover a wide spectrum of activities, serving Americans at every stage of life. Twelve (12) Operating Divisions (OpDivs), including nine (9) agencies in the U.S. Public Health Service (PHS) and three (3) human services agencies, administer HHS' programs. Some HHS components function with a high degree of autonomy due to delegated authorities from the HHS Chief Information Officer (CIO); these functions are typically focused on information technology and cybersecurity capabilities as articulated by the Federal Information Security Modernization Act (FISMA) of 2014.

OCIO is responsible for the strategic direction and management of significant HHS Information Technology (IT) programs and policy activities. OCIO supports the development and implementation of an enterprise Information Technology (IT) across HHS. Within OCIO, the Office of Information Security (OIS) leads IT security initiatives to protect and secure information assets to the OpDivs and Staff Divisions (StaffDivs). OIS manages and enhances the overall cybersecurity and privacy risk posture and resilience of HHS and its partners in the healthcare and public health (HPH) sector.

HHS is currently working on a department wide ZTA implementation in response to Executive Order (EO) 14028, Improving the Nation's Cybersecurity, and Office of Management and Budget (OMB) M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. EO 14028 initiated the Government-wide effort to ensure that baseline security practices are in place, to migrate the Federal Government to a ZTA, and to realize the security benefits of cloud-based infrastructure while mitigating associated risks. As stated in EO 14028, the term "Zero Trust Architecture" means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. A transition to a "zero trust" approach to security provides a defensible architecture for this new environment. Furthermore, OMB M-22-09 set forth a Federal Zero Trust Strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 to reinforce the Government's defenses against increasingly sophisticated and persistent threat campaigns.

HHS has developed the Department Zero Trust Strategy Implementation Plan. While a few OpDivs within HHS have Zero Trust Maturity (ZTM) plans in place, HHS is just beginning to align resources to a department wide Zero Trust Strategy. Many of the skills and technologies required under ZTA already exist in HHS, but putting all the components together requires HHS to significantly upgrade governance and Information Technology (IT) management, and more deeply integrate teams and technologies. Furthermore, achieving these goals in a cost-effective manner challenges the financial governance structures that exist, since HHS component agencies and sometimes programs are independently funded. HHS expects that strategy, governance, and resources alignment over time will drive the consolidation of control points, data planes and supporting capabilities so that modernization efforts will envelop and eventually retire legacy technologies, and new services can be on-boarded.

OCIO OIS is gathering information around establishing and maintaining Program Management Office (PMO) support to assist with the implementation of the department wide ZTA initiative.

TASK SCOPE AND OBJECTIVES

OCIO OIS is conducting market research on the establishment and maintenance of PMO support to assist with the implementation of the department wide ZTA initiative. The capabilities of interest are:

Identify existing Zero Trust capabilities and gaps in each OpDiv: Engage with each OpDiv to review documentation and key artifacts to recognize current zero trust status and implementation plans. Develop use cases to conduct assessments against CISA's ZTMM version 2 within each OpDiv. Conduct assessments, document results, and propose solutions to mitigate gaps. Communicate and share results with Government stakeholders.

Develop and maintain a ZTM scorecard: Develop ZTM score rating based on CISA's ZTMM version 2. Assign ZTM scores to each OpDiv based on result of assessments. Develop a process for monthly or quarterly updates of ZTM scores to measure OpDivs' progress against implementing zero trust capabilities.

Establish an enterprise ZTA roadmap: Collaborate with HHS to develop an enterprise road map. Align Zero Trust goals of each OpDiv with the department wide goals. Identify possible technical solutions that can be offered at the enterprise level based on individual OpDiv assessments. Draft a high-level implementation plan and suggest recommended technologies that can be used at the enterprise level. Develop a risk register to identify and track program risks.

Provide a secure test and data environment to enable the testing of multiple products to support ZTA that HHS is exploring for use in proofs of concept: Develop and implement a methodology for iteratively assessing new tools and technologies to enable zero trust capabilities. Coordinate with Government the development of a list of tools for testing. Develop use cases. Create pilot demonstrations. Document pilots' results and provide recommendations showing what additional capabilities are achieved and what shortcomings are eliminated.

Establish reporting mechanisms for financial activities to provide monthly reports to OMB: Develop a process to collect information from OpDivs on execution of funds to implement zero trust capabilities. Gather monthly data and submit reports.

Improve budget investments for each OpDiv: Use results of zero trust assessments to develop report to prioritize budget investments. Identify cost-saving opportunities.

Provide Security Strategic Design Innovation (SDI) support: Assist with industry & vendor engagement. Provide support with reviews and translation of White House, OMB, CISA directives, as well as NIST guidance and Gartner/Forrester/ATARC/AFCEA (industry), and Federal peer agency recommendations. Assist HHS with proceeding through the process of identifying the best solutions for fulfilling Zero Trust objectives and gaps in ZT architecture: Identification, Rationalization, Evaluation, Testing. Provide project management support. Provide program management support.

Provide engagement and tracking support at the Department level: Assist with cybersecurity solutions and services spending tracking. Assist with cybersecurity solutions and services budget formulation. Provide Technology Innovation and Product Sessions (TIPS) and HHS Tech Exchange management and scheduling support.

The Contractor capability would include providing subject matter expertise to implement, administer, manage, mature, and monitor operational activities to perform the objectives described above effectively and efficiently. Interested Vendors are requested to submit a detailed response on their ability to deliver/perform all of the capabilities listed above. If the potential source is not currently capable of meeting all or a portion of the above requirements but is planning to have these service capabilities in the future, the vendor can provide information on the future capabilities of their business.

RESPONDING TO THIS RFI

Sources able to satisfy all aspects of the above requirements are invited to submit information describing their capabilities. Please limit submissions to a maximum of 12 pages, inclusive of the cover page. Responses should be submitted in Times New Roman, size 12 font, with single spacing. Responses must include the following:

Cover Page (maximum 1 page) to include:
- Title
- Company name and address
- Brief overview of company history
- Affiliate information, parent company, joint venture partners, and potential teaming partners
- Year the firm was established and number of employees
- Point of contact (name, title, phone number, and e-mail address)
- Business type, North American Industry Classification System (NAICS) code(s) and company size (other than small, small business, Service-Disabled Veteran Owned Small Business (SDVOSB), etc.)
- Location
- Mailing address
- Website address
- List of existing Federal contractual vehicles to support this requirement (i.e., STARS III, Alliant 2, GSA MAS)

Provide a summary of your capability to meet the Task Scope and Objectives described above and address the following in your response:
- Provide a summary of your technical capability to meet the requirements under Task Scope and Objectives section.
- What ZTA and Cyber Security contracts/task orders do you have currently or have participated in the past three years in Government agencies/departments?
- What performance monitoring and reporting tools do you currently have experience with and how would you propose to use them to ensure successful execution of this contract?
- Do you have secure test and data environment for evaluation of new technologies?
- Have you developed a ZT scorecard for another agency? What elements or information are needed to implement a department wide ZT scorecard?

Provide information on corporate experience or expertise in providing ZT implementation support services. Provide a maximum of three (3) contracts your company has performed for similar services within the last 3 years:
- Name of Agency
- Contract Name
- Contract Number
- Total Awarded Amount (Contract Value with Options)
- Period of Performance
- Description of Work Performed
- Percentage of Work Performed
- Prime or subcontractor

Additional comments: Any other relevant information that is not listed above which the Government should consider in finalizing its market research.

SUBMISSION INSTRUCTIONS

All responses shall be submitted via email to Jennifer.Browning@psc.hhs.gov no later than December 6, 2023, at 12:00 PM Eastern Time (EST), and must include the information requested above. Responses should be submitted in either Microsoft Word or Adobe PDF format. Late responses will not be accepted. This is strictly market research, and the Government will not entertain any questions. Respondents will not be notified of the results of the evaluation. We appreciate your interest and thank you in advance for responding to the RFI.

Proprietary information, if any, should be minimized and MUST BE CLEARLY MARKED. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personnel reviewing RFI responses will have signed nondisclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described in 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/0039bd4f6a2647b5947b57d37d69d0cf/view)
 
Place of Performance
Address: Washington, DC, USA
Country: USA
 
Record
SN06890802-F 20231122/231120230053 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
