SPECIAL NOTICE
D -- Support for Information Security Program Information Security Awareness Office, Office of the Chief Information Officer, National Institutes of Health
- Notice Date
- 3/22/2017
- Notice Type
- Special Notice
- NAICS
- 541519
— Other Computer Related Services
- Contracting Office
- Department of Health and Human Services, National Institutes of Health, National Library of Medicine, 6707 Democracy Blvd., Suite 105, Bethesda, Maryland, 20894, United States
- ZIP Code
- 20894
- Solicitation Number
- NLM17-2017-KDM
- Archive Date
- 3/25/2017
- Point of Contact
- Karen Miller, Phone: 301-827-6403, Daniel Hartinger, Phone: 301-827-6394
- E-Mail Address
-
kr33v@nih.gov, dan.hartinger@nih.gov
- Small Business Set-Aside
- Total Small Business
- Description
- This is a sole source notice prepared in accordance with the format at Federal Acquisition Regulation (FAR) Subpart 6.3, Other Than Full and Open Competition; specifically, at FAR 6.302-1(b)(1)(i), When there is a reasonable basis to conclude that the agency's minimum needs can only be satisfied by unique supplies or services available from only one source or only one supplier with unique capabilities. This notice incorporates provisions and clauses in effect in the March 2005 FAR Revision, including all FAR Circulars issued as of the date of this synopsis. It is the intent of the National Library of Medicine to negotiate on behalf of the Office of the Chief Information Officer (OCIO), National Institutes of Health (NIH), on a sole source basis with CETECH to acquire professional services for a 14-day extension (03-26-17 through 04-09-17) to provide continued support to the NIH Information Security Program. CETECH is currently providing the professional services to support the NIH Information Security Program under Contract No. HHSN276201100018C, which was initially awarded under the procedures of FAR Part 15, Contracting by Negotiating procedures as a competitive total small business set-aside. [Note: On September 13, 2013, Triumph Enterprises, Inc., (i.e., Triumph) acquired CETECH, including its staff assigned under Contract No. HHSN276201100018C.] CETECH has provided professional services to support the NIH Information Security Program since 1999. The contracting actions are summarized as follows:
1. Contract No. N01-LM-9-3509; Title: IT Security, IT Management, and Budget Analysis for the NIH; Prime Contractor: CETECH; Period of Performance: 04-01-99 through 03-31-02
2. Contract No. N01-LM-2-3503; Title: IT Security, IT Management, and Budget Analysis for the NIH; Prime Contractor: CETECH; Period of Performance: 04-01-02 through 06-30-05
3. Contract No. HHSN276201100128U (N01-LM-5-3508); Title: IT Security, IT Management, and Budget Analysis for the NIH; Prime Contractor: CETECH; Period of Performance: 07-01-05 through 09-30-11
4. Contract No. HHSN276201100018C; Title: NIH Information Security Program Support; Prime Contractor: CETECH; Period of Performance: 09-26-11 through 03-25-17
The NIH CIO has a continuous need for the services being provided by CETECH to apply information security, privacy, and risk management measures to safeguard the NIH staff, patients, research, grants and financial data, computers, networks, and other IT resources that are vital to the daily functioning and mission of the NIH. The interim award is required for the OCIO to comply with the Federal Information Security Modernization Act of 2014 (FISMA 2014), widely accepted information security best practices, and many other laws, policies, standards, mandates and initiatives as put forth by the U.S. Congress and implemented by the Department of Health and Human Services (HHS), the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), the National Institutes of Standards and Technology (NIST), the General Accounting Office (GAO), and the White House. The NIH Information Security Program provides information security and privacy incident response, security operations support, security policy and oversight, program and project management, security awareness and training, and other information security services to the NIH Institutes/Centers (ICs).
From the first award in 1999, CETECH has been an integral part of the NIH Information Security Program. The NIH Information Security Program, under the direction of the NIH Chief Information Security Officer (CISO), is currently involved in many NIH-level cybersecurity activities mandated by FISMA, OMB, HHS, the NIH Information Technology Management Committee (ITMC), and NIH senior management.
As the NIH Information Security Program's responsibilities have increased, CETECH's responsibilities have also increased and its staff acquired the highly specialized knowledge, skills, and abilities to perform varied cybersecurity tasks including vulnerability scanning, wireless network scanning, intrusion detection, web page scanning, incident response, computer forensics, database administration, computer programming, real-time intrusion detection, training, security log review and analysis, and compliance monitoring using the unique combination of tools and processes used in the NIH environment. The CETECH staff also routinely communicate with IC security staff, NIH network engineers, and security staff in HHS and its Operating Divisions (OpDivs) as security events dictate. When, what, to whom, and how to communicate in the complex NIH and HHS environments are also part of CETECH's acquired unique skills. The NIH network is a highly complex operation containing several hundred network segments which permit communication between an IC's intramural and extramural operations, between ICs, between the NIH and other OpDivs and HHS, and between the NIH and the outside world. The NIH network connections are not duplicated in any other public or private network. Knowledge of the NIH and HHS IT environment is a critical component of the NIH Information Security Program, since a cybersecurity threat such as a computer virus, if left unchecked, could affect all of the NIH and then spread to another HHS OpDiv. When security threats arise, decisions must be made quickly to isolate the affected devices and minimize the risk to the NIH.
Due to its extensive experience in monitoring the NIH IT environment, and detecting security threats, CETECH is the only source possessing the unique combination of knowledge, skills, ability and experience to quickly and correctly recommend and implement solutions to protect the NIH biomedical, patient, and administrative data and systems during the 14-day period of March 26, 2017 through April 9, 2017. An incorrect decision could cause an unacceptable disruption to the NIH computer-to-computer communications and NIH business. Only CETECH has the unique combination of required knowledge and skills with all the security toolsets and the NIH IT environment to successfully perform all of the security requirements during the 14-day contract's period of performance. The NIH CISO has a substantial information security incident tracking, communication, and reporting requirement. To ease the incident communication, tracking and reporting burden, CETECH staff designed, implemented, and currently maintains an NIH Incident Response Team (IRT) tracking portal and database, which are used to capture required NIH data and meet reporting requirements. The portal and database meet specifications set by the NIH CISO, by HHS, and by the United States Computer Emergency Readiness Team (US-CERT). CETECH is the only contractor with the knowledge and experience required of the NIH IRT portal and database to successfully perform all the work requirements during the 14-day bridge (interim) contract's period of performance until a follow-on competitive contract can be awarded. The CETECH staff has acquired highly specialized expertise that would be lost and would need to be re-acquired at additional government expense should the contractor not continue its support of the NIH Information Security Program during the 14-day bridge of services specified above. 
Even worse, critical security infrastructure and organizational support would be delayed and NIH would not be able to meet its obligations to protect the NIH mission and operations, as well as its obligations to HHS and its OpDivs. Instead of implementing the new required cybersecurity initiatives, the NIH Information Security Program would effectively lose ground and capabilities when continued support from the contractor is most critical. The NIH CIO is in the process of re-competing the requirements to support the NIH Information Security Program. It is recognized that to provide for full and open competition under a re-competition, the NIH CIO will need to develop and implement a complex Transfer task under which CETECH will be required to perform an orderly transition to another contractor. It is not in the Government's best interest to transfer the unique skills and knowledge acquired by CETECH since 1999 to another vendor for the interim period of performance. The transfer of knowledge itself will take at least three months, and the new vendor will not have sufficient time to onboard the required staff and acquire the NIH-specific knowledge to be able to properly transfer that knowledge to yet another vendor within three months when the re-compete contract solicitation is issued. As part of the acquisition process, the NIH has changed its strategy for security services to account for the growth of the program and to account for the increased Federal emphasis on performance-based approaches and firm fixed price contracts. This change in strategy requires the NIH Information Security Program to think differently about how requirements are developed and communicated to the contracting community; about how the contract will be managed and administered; and about measures to adequately incentivize the selected contractor to meet our performance objectives. 
The NIH Information Security Program has grown four-fold since 1999 in value and complexity and now must comply with numerous Office of Management and Budget (OMB)-mandated security requirements that did not exist prior to the Office of Personnel Management (OPM) security breach. The theft of OPM privacy information on millions of Federal employees and contractors created a threat to U.S. national security that will last for decades and cost billions of dollars to monitor. The new OMB requirements, initiatives, and policies that deal with increasingly sophisticated, broad-reaching threats from an ever-expanding collection of sources have set into motion many changes in the NIH Information Security Program. The NIH Information Security Program's performance expectations are vastly different today than they were in 1999, yet despite the added risks and complexity in today's cybersecurity environment, the NIH is committed to the small business community and supports the innovation and responsiveness a small business can offer. The NIH plans to partner with a small business with its follow-on security contract as it looks to the future of cybersecurity for the biomedical sciences. This notice is not a Request for Proposals (RFP), nor is an RFP available. However, all responsive sources may submit a capabilities statement in a timely manner that will be considered by the Government.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/OAM/NLM17-2017-KDM/listing.html)
- Place of Performance
- Address: National Library of Medicine, Office of Acquisitions, Two Democracy, Room 105, 6707 Democracy Boulevard, MSC 5488, Bethesda, Maryland, 20892-5488, United States
- Zip Code: 20892-5488
- Record
- SN04444224-W 20170324/170322235059-2c883cf01675cfaae5f50774924c1404 (fbodaily.com)