Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF JUNE 30, 2021 SAM #7151
SOURCES SOUGHT

D -- Risk Management Framework (RMF) Services

Notice Date
6/28/2021 12:40:45 PM
 
Notice Type
Sources Sought
 
NAICS
541512 — Computer Systems Design Services
 
Contracting Office
DEPT OF COMMERCE NIST GAITHERSBURG MD 20899 USA
 
ZIP Code
20899
 
Solicitation Number
NB1810002101730
 
Response Due
7/6/2021 9:00:00 AM
 
Archive Date
07/07/2021
 
Point of Contact
Monica Brown, Phone: 3019750642
 
E-Mail Address
monica.brown@nist.gov
 
Description
The National Institute of Standards and Technology (NIST) seeks information on commercial vendors that are capable of maintaining and maturing NIST's Risk Management Framework (RMF) and Information Security Continuous Monitoring (ISCM) program, software solution, and technical services, to enable more automation of assessment processes and increased mission/business context, in order to maintain ongoing awareness of information security and privacy in support of organizational risk management decisions. The target audience at NIST includes, but is not limited to, Authorizing Officials, Information System Owners, Information System Security Officers, Operating Unit Security Officers, and Security Control Assessors.

The primary goal of this sources sought notice is to find vendors that are capable of providing the technical services that meet the following requirements.

Implement a risk scoring methodology that meets the following criteria:
- Risk scores are derived from business and technical attributes of systems and components, as well as from assessment results of management, operational, and technical NIST Special Publication 800-53 Revision 5 security and privacy controls.
- Risk scores are provided at the control, component, system, and organizational levels and take into account system-specific and inherited risk.
- Risk scores aid in prioritizing weakness mitigation to the highest-risk areas first.
- Security controls are scored based on Confidentiality, Integrity, and Availability; privacy controls are scored based on Predictability, Manageability, and Disassociability.

The solution meets the following criteria:
- Utilizes Archer product modules and Tableau.
- The integrated solution includes security and privacy control descriptions, automated and manual assessment results, risk scoring, and drill-down reporting capability.
- FIPS 199 impact rating, control responsibility designation, and control tailoring are automated through a risk profiling capability.
- Seamless technical and programmatic integration with DHS CDM.

The integrator meets the following criteria:
- Experience implementing enterprise risk scoring methodologies and solutions for Federal agencies, effective for cybersecurity and privacy assessments and continuous monitoring.
- Experience with the Archer and Tableau tools (the existing vendor tools for NIST's Cyber Risk Scoring (CRS) Solution).
- Experience implementing an enterprise and local inheritance model and integrating business/mission context into risk metrics.
- Experience managing a vulnerability management program using AWARE scoring.
- Deep knowledge of the NIST Risk Management Framework (RMF), the NIST Cybersecurity Framework (CSF), and the Continuous Diagnostics and Mitigation (CDM) program, and of how a risk scoring approach could integrate with these frameworks.
- Experience conducting security and privacy assessments that comply with FISMA, SP 800-37, and SP 800-53 (latest versions).

In addition to the software and services described above, NIST also seeks training for NIST staff on the proposed methodology and the associated software solutions.

After the results of this market research are obtained and analyzed, NIST may conduct a competitive procurement and subsequently award a purchase order or task order. If at least two qualified small businesses are identified during this market research stage, then any resulting competitive procurement would be conducted as a small business set-aside. NIST is seeking responses from all responsible sources, including large, foreign, and small businesses. Small businesses are defined under the associated NAICS code for this effort, 541512, Computer Systems Design Services, as those domestic sources earning $30.0M or less annually. Please include your company's size classification and socio-economic status in any response to this notice.

Instructions to Responders: Interested parties that have the capabilities to meet the Government's basic requirements are requested to email a detailed report describing their ability to meet all requirements to Monica H. Brown at monica.brown@nist.gov no later than the response date of July 5, 2021, 12:00pm for this sources sought notice. The report should include relevant information on your capabilities, including the following:
- Name of the company(ies), their addresses, and a point of contact for the company (name, phone number, fax number and email address) that provides the services for which specifications are provided.
- Indication of whether the company(ies) are small businesses and their socio-economic category(ies).
- Indication of whether the services required are currently on one or more GSA Schedule (i.e. Multiple Award Schedules [MAS]) contracts and, if so, the GSA MAS contract number(s).
- Indication of whether the company(ies) can provide all, or some, of the services.
- Indication of the number of days after receipt of order that is typical for delivery of such services.
- Any other relevant information not listed above which the Government should consider in developing its minimum specifications and finalizing its market research.
 
Web Link
SAM.gov Permalink
(https://beta.sam.gov/opp/a0a157a9b9fa4d179f2ef310e57820ad/view)
 
Place of Performance
Address: Gaithersburg, MD 20899, USA
Zip Code: 20899
Country: USA
 
Record
SN06045209-F 20210630/210628230114 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
