Sources Sought: Cybersecurity Services Program (CSS)

Agency: HEALTH AND HUMAN SERVICES, DEPARTMENT OF
Level of Government: Federal
Category:
  • D - Automatic Data Processing and Telecommunication Services
Opps ID: NBD00159931195811294
Posted Date: Mar 7, 2023
Due Date: Mar 20, 2023
Solicitation No: 75N95023R00028-SBSS
Source: https://sam.gov/opp/547385df51...
Active
Contract Opportunity
Notice ID
75N95023R00028-SBSS
Related Notice
Department/Ind. Agency
HEALTH AND HUMAN SERVICES, DEPARTMENT OF
Sub-tier
NATIONAL INSTITUTES OF HEALTH
Office
NATIONAL INSTITUTES OF HEALTH NIDA

General Information
  • Contract Opportunity Type: Sources Sought (Original)
  • All Dates/Times are: (UTC-05:00) EASTERN STANDARD TIME, NEW YORK, USA
  • Original Published Date: Mar 07, 2023 10:19 am EST
  • Original Response Date: Mar 20, 2023 09:00 am EDT
  • Inactive Policy: 15 days after response date
  • Original Inactive Date:
  • Initiative:
    • None
Classification
  • Original Set Aside:
  • Product Service Code: DJ01 - IT AND TELECOM - SECURITY AND COMPLIANCE SUPPORT SERVICES (LABOR)
  • NAICS Code:
    • 541519 - Other Computer Related Services
  • Place of Performance:
    Bethesda , MD 20892
    USA
Description

This is a Small Business Sources Sought notice. This is NOT a solicitation for proposals, proposal abstracts, or quotations.



The purpose of this notice is to obtain information regarding: (1) the availability and capability of qualified small business sources; (2) whether they are small businesses; HUBZone small businesses; service-disabled, veteran-owned small businesses; 8(a) small businesses; veteran-owned small businesses; woman-owned small businesses; or small disadvantaged businesses; (3) their size classification relative to the North American Industry Classification System (NAICS) code for the proposed acquisition; and (4) availability of domestic sources manufactured in the United States in sufficient and reasonably available commercial quantities and of a satisfactory quality.



Your responses to the information requested will assist the Government in determining the appropriate acquisition method, including whether a set-aside is possible. An organization that is not considered a small business under the applicable NAICS code may submit a response to this notice.



This notice is issued to help determine the availability of qualified companies technically capable of meeting the Government requirement and to determine the method of acquisition. It is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals or quotes. No award will be made as a result of this notice. The Government will NOT be responsible for any costs incurred by the respondents to this notice. This notice is strictly for research and information purposes only.



Background: The mission of NCATS is to catalyze the generation of innovative methods and technologies that will enhance the development, testing, and implementation of diagnostics and therapeutics across a wide range of human diseases and conditions. NCATS is at the forefront of automated biomedical experimentation, replacing hours of time-consuming basic laboratory work with systems and robots capable of conducting experiments with a fraction of the resources. This technology can both cut costs and increase productivity, which acts as a multiplier effect on research efficiency and raw output.



In the administration of these programs, NCATS utilizes many assets, including buildings, facilities, communications equipment, computer systems, employees, contractors, public trust, and information. A loss to any one of these assets could affect the goals or the quality of support necessary from NCATS to its various customers and stakeholders. Additionally, NCATS collects, uses, and stores information that falls into the categories of privacy data, Protected Health Information (PHI), Personally Identifiable Information (PII), proprietary data, procurement data, inter-agency data, and privileged system information. Access to these types of information is subject to the Privacy Act of 1974 (as amended), the Computer Security Act of 1987 (as amended), and the Federal Information Security Management Act (FISMA) of 2002, as well as many important rules, regulations, policies, and guidelines promulgated by HHS, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). As a result, NCATS has a legal and practical responsibility to maintain the confidentiality, integrity, and availability of this information.



Under the NCATS Cybersecurity Services Program (CSS) and supported by the NIH Office of the Chief Information Officer (OCIO) staff, the NCATS CIO is responsible for applying prudent and effective information security, privacy and risk management measures. This will safeguard the NCATS staff, patients, research, grants and financial data, computers, networks, and other IT resources that are vital to the daily functioning and mission of NCATS. Under this program, the NCATS CIO seeks to comply with the Federal Information Security Modernization Act of 2014 (FISMA 2014), widely accepted information security best practices, and many other laws, policies, standards, mandates and initiatives as put forth by the U.S. Congress and implemented by the Department of Health and Human Services (HHS), the Department of Homeland Security (DHS), OMB, NIST, the General Accounting Office (GAO), and the White House. Also, under this program, the NCATS CIO provides information security and privacy incident response, security operations support, security policy and oversight, program and project management, security awareness and training, and other cyber and information security services to the NCATS programs and affiliates.



Though automated systems reduce the need for human labor, the systems and labs are not entirely self-sufficient. This contract seeks to augment the workforce responsible for the day-to-day operation of robotics and systems, as well as the infrastructure necessary to achieve top quality results.



Purpose and Objectives: The purpose of this requirement is to provide the National Center for Advancing Translational Sciences (NCATS) Information Technology Resources Branch (ITRB) Cybersecurity Services (CSS) Division with day-to-day support services. The contractor will provide full-time support through a small cadre of individuals under a fixed-price task order. The individuals working under this contract are expected to have deep individual cybersecurity expertise. Discrete tasks (for example, completion of an authorization to operate (ATO) package) will be performed through fixed-price or time-and-materials task orders structured to meet those needs (e.g. for a period of weeks or months, part-time, on-site/off-site, by subcontract, joint venture, etc.). The contractor will provide advice to the CSS division chief regarding the most advantageous and cost-effective approaches to accomplish the tasks in this Statement of Work (SOW). These support services will primarily consist of direct support to the CSS Division on a fixed-price basis, with the first task order to provide for full-time level of effort that will address the contract management and program management tasks described below. Additional task orders may be issued on a fixed-price level of effort, fixed price completion, time-and-materials, or labor hours basis. The first task order will be awarded concurrently with the award of the parent IDIQ, and will provide for full-time support that will address the contract management and program management tasks.



Project requirements:



The complete description of each of the project requirements is provided in the attached Draft Statement of Work.




  • Experience and Functional Responsibility



Capable of providing direct support to the chief of the CSS Division of ITRB in the execution of the tasks executed by the ISPG and NCIC. The contractor performing the services is expected to have deep individual cybersecurity expertise, with full-time support provided through a small cadre of individuals.




  • Information Security and Privacy Policy Support



Capable of providing information security and privacy support to NCATS employees and contractors to apply to specific business needs, technical situations and policy requirements.




  • Information Security and Privacy Technical Services



Capable of providing overall subject matter expertise to the Information Security Assessment and Authorization (A&A) program. Provide specific guidance and technical expertise in the form of standards, policies, procedures, and oversight for the NCATS A&A program as well as providing expertise in specific security or security-related engineering and privacy topics




  • Information Security and Privacy Training Services



Capable of developing and maintaining a comprehensive information security and privacy awareness and training program.




  • Audit Management and Support



Capable of providing audit management support for involvement in the development and maintenance of an Audit and Risk Management program and to provide support




  • Security Operations Support



Capable of providing comprehensive operational cyber security situational awareness and response readiness by performing cybersecurity monitoring and advanced analytics and to provide support




  • Security Engineering



Capable of providing security engineering which implements, optimizes, and administers innovative security solutions that reduce IC risk by providing increased visibility and response readiness across the enterprise




  • Penetration Testing



Capable of providing penetration testing services by coordinating and conducting all Agency penetration testing on systems operated by and on behalf of NCATS. Document a test plan and methodology and utilize a variety of NCATS approved tools to conduct vulnerability assessments and penetration tests for all NCATS FedRAMP cloud and on-prem systems.




  • Forensics, Malware Analysis, and Advanced Hunting



Capable of providing forensics and malware analysis for network, system and media digital forensics, advanced threat hunting, and malware analysis capabilities in a hybrid cloud environment. Utilize industry standard techniques, tools and procedures, to perform network and media digital forensics, incident response, malware analysis, advanced threat hunting across the Enterprise.




  • Compliance Monitoring



Capable of providing information security compliance monitoring activities to promote ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions and to address assessment and analysis of security control effectiveness




  • Incident Management



Capable of providing incident management services which includes a variety of critical functions related to situational awareness, incident and vulnerability management, coordination, collaboration, and security oversight for the Enterprise. The service ensures that each of the individual incident response teams and associated stakeholders are provided with timely relevant information to allow for the most effective response activities possible.




  • Cyber Threat Intelligence and Information Sharing



The Threat Management Program ensures an optimal Agency security posture by identifying ongoing, immediate, and emerging threats to the organization, including threat actors, attack vectors, and breach scenarios. The vendor shall be capable of providing proactive threat management that informs stakeholders, improves situational awareness, highlights high-risk configuration vulnerabilities, facilitates rapid response, supplies relevant security material, and helps quantify organizational security risk.




  • Secure Application Development Service



Capable of providing software assurance and best practices in the system development life-cycle (SDLC) of an agile application development environment that incorporates NIST 800-64 and 800-53 r4 security controls required for Federal IT systems.





Anticipated period of performance: This is expected to be a one-year contract with two option years.



Other important considerations: It is incredibly important for respondents to recognize that the government is looking for a comprehensive security strategy that accounts for the complexity and diversity of the entire NCATS scientific and IT portfolio, not simply a piecemeal approach on a case-by-case basis.



Capability statement /information sought.



Companies that believe they possess the capabilities to provide the required services should submit documentation of their ability to meet each of the project requirements to the Contracting Officer. The capability statement must specifically address each of the project requirements separately, as per the ATTACHED DRAFT STATEMENT OF WORK, as well as the ATTACHED TECHNICAL CAPABILITIES QUESTIONNAIRE. Additionally, the capability statement should include 1) the total number of employees, 2) the professional qualifications of personnel as it relates to the requirements outlined, 3) any contractor GSA Schedule contracts and/or other government-wide acquisition contracts (GWACs), such as NITAAC, by which all the requirements may be met, if applicable, and 4) any other information considered relevant to this program. Capability statements must also include the Company Name, Unique Entity ID from SAM.gov, Physical Address, and Point of Contact Information. The response must include the respondents’ technical and administrative points of contact, including names, titles, addresses, telephone and fax numbers, and e-mail addresses.



Interested companies are required to identify their type of business, applicable North American Industry Classification System (NAICS) Code, and size standards in accordance with the Small Business Administration. The government requests that no proprietary or confidential business data be submitted in a response to this notice. However, responses that indicate the information therein is proprietary will be properly safeguarded for Government use only. Capability statements must include the name and telephone number of a point of contact having authority and knowledge to discuss responses with Government representatives. Capability statements in response to this market survey that do not provide sufficient information for evaluation will be considered non-responsive. When submitting this information, please reference the solicitation notice number.



One (1) copy of the response is required and must be in Microsoft Word or Adobe PDF format using 11-point or 12-point font, 8-1/2” x 11” paper size, with 1” top, bottom, left and right margins, and with single or double spacing.



The information submitted must be in an outline format that addresses each of the elements of the project requirement and in the capability statement /information sought paragraphs stated herein. A cover page and an executive summary may be included but are not required.



The response is limited to ten (10) pages. The 10-page limit does not include the cover page, executive summary, or references, if requested.



All responses to this notice must be submitted electronically to the Contract Specialist and Contracting Officer. Facsimile responses are NOT accepted.



The response must be submitted to the Contract Specialist, Renato Gomes, at e-mail address renato.gomes@nih.gov



The response must be received on or before March 20, 2023, 9am, Eastern Time.





“Disclaimer and Important Notes: This notice does not obligate the Government to award a contract or otherwise pay for the information provided in response. The Government reserves the right to use information provided by respondents for any purpose deemed necessary and legally appropriate. Any organization responding to this notice should ensure that its response is complete and sufficiently detailed to allow the Government to determine the organization’s qualifications to perform the work.



Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or provide feedback to respondents with respect to any information submitted. After a review of the responses received, a presolicitation synopsis and solicitation may be published in www.sam.gov. However, responses to this notice will not be considered adequate responses to a solicitation.



Confidentiality: No proprietary, classified, confidential, or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s).”


Attachments/Links
Contact Information
Contracting Office Address
  • c/o 3WFN MSC 6012 301 N Stonestreet Ave
  • Bethesda , MD 20892
  • USA
Primary Point of Contact
Secondary Point of Contact
History
  • Mar 07, 2023 10:19 am EST: Sources Sought (Original)
