REQUEST FOR INFORMATION (RFI): ATO Cybersecurity Program, Engineering & Technical Services

ID: 698KA8-24-RFI-ATO • Type: Sources Sought

Description

Posted: July 10, 2024, 3:28 p.m. EDT

1. INTRODUCTION

In accordance with Federal Aviation Administration Acquisition Management System (AMS) Policy 3.2.1.2.1, this announcement is to conduct a Market Survey for the purpose of soliciting statements of interest and capabilities from interested vendors. This is not a Screening Information Request (SIR) or Request for Proposal (RFP).

The FAA is not seeking or accepting unsolicited proposals.

This announcement is for information and planning purposes and is not to be construed as a commitment of any type by the Government. The Government will not reimburse any costs incurred by vendors in responding to this notice. Any costs associated with this Market Survey will be the sole responsibility of the vendor.

Since this is a Sources Sought announcement, no evaluation letters and/or results will be issued to the respondents. The information received will not be released, except as required under the Freedom of Information Act (FOIA); proprietary information will be protected if appropriately marked.

At this time, the nature of the competition has not been determined. This Market Survey is intended to seek information from interested vendors of all sizes and types including large businesses. Both large and small businesses are encouraged to respond.

The FAA may request that one, some, all, or none of the respondents to this Market Survey/Sources Sought provide additional information, and vendor participation in any information session is not a promise for future business with the FAA.

2. BACKGROUND

The Federal Aviation Administration (FAA) National Airspace System (NAS) Security and Enterprise Operations (NASEO) (AJW-B) has a requirement to minimize the impact of cyber security events or incidents in support of availability and restoration requirements for Air Traffic Organization (ATO) systems and services. The FAA runs a multi-faceted cybersecurity program to protect the NAS in accordance with the Federal Information Security Management Act (FISMA). The ATO Cybersecurity Group (ACG), a line of business under NAS NASEO within the ATO, is the lead organization for governing, implementing, and managing cybersecurity controls for NAS.

The President has declared that the cyber threat is one of the most serious economic and national security challenges we face as a nation and that America's economic prosperity in the 21st century will depend on cyber security. The ATO Cybersecurity Strategic Plan advances progress toward a NAS mission space in which critical infrastructure remains secure and resilient; where critical and essential services continue to function under a range of cyber conditions; where NAS cyber security capabilities adapt to changing cyber threats and NAS operations withstand or rapidly recover from disruptions. The ever-increasing capability of cyber adversaries demands in-depth institutional knowledge of the critical infrastructure, which must be maintained to ensure resiliency of the mission space.

The ATO Cybersecurity Group (ACG) is responsible for the overall management of the ATO Cybersecurity. Their role is to integrate cybersecurity functions into NAS and ATO operations and provide an enterprise-wide view of cybersecurity risk with cybersecurity strategic planning. ACG secures NAS and ATO operated systems through authorization, continuous monitoring and ensuring compliance. The foundation for ATO Cybersecurity is about understanding and managing the risk in order to protect and enable the operational mission.

3. PURPOSE

The purpose of this market survey is to solicit statements of interest from businesses capable of providing the following services (below) for the ATO Cybersecurity Program, Engineering & Technical Services.

4. DESCRIPTION/SCOPE

The FAA anticipates that the following will be covered as part of the requirements scope:

  • Program Control & Governance
    • Program Management
    • Cybersecurity Policy Management
    • Privacy
    • Data Calls
    • Audits
    • Authorization Management (System Security Officers (SSOs), Cyber Security Assessment and Management (CSAM), Memos)
  • Enterprise Architecture, Design & Solutions
    • Enterprise and System Architecture
    • Cyber Supply Chain Risk Management
    • Cybersecurity Strategic Planning & Analysis
    • Future technology and capability insertion
    • Operating environment definitions
  • Cybersecurity Engineering
    • Cyber engineering requirements development
    • System domain subject matter experts
    • Risk Management Framework
    • Software Development
    • Enterprise Solutions Development
  • Integration, Outreach & Planning
    • Training
    • Workforce Development
    • Cybersecurity outreach and communication
    • Cybersecurity Tabletops (TTX)
    • Operation Risk Management (ORM)

All tasks noted (above) shall be in accordance with the following:

  • ATO Cybersecurity Program, Engineering & Technical Services, Statement of Work (SOW) dated June 25, 2024.

5. LOCATION OF WORK

Support under the contract may be performed on-site at FAA Headquarters (HQ) in Washington, DC, or the Mike Monroney Aeronautical Center (MMAC) in Oklahoma City and/or the William J. Hughes Technical Center in Egg Harbor Township, NJ and vendor facilities to accomplish the tasks.

6. NAICS CODE

The North American Industry Classification System (NAICS) code for this procurement has not yet been finalized, but the predominant effort is 541330 - Engineering Services Except Military and Aerospace Equipment and Military Weapons.

7. SUBMITTAL REQUIREMENTS FOR RFI

Interested sources should respond to this RFI/Market Survey by providing a Capability Statement in accordance with the requirements below:

A. One (1) cover page that includes:

  • name of the vendor/firm/corporation
  • available NAICS, Unique Entity Identifier (UEI), and CAGE code(s)
  • business size and socioeconomic status
  • point of contact (i.e., name, title, telephone, email)

Capabilities Statement should NOT include:

  • Generic sales brochures, videos, and other marketing information materials are not solicited and therefore will not be reviewed.

B. The Capabilities Statement (maximum of 12 pages including a cover sheet) should demonstrate:

  • A company's capabilities to meet the performance objectives and of the customer's requirement (above).
  • A company's ability to provide personnel with security clearance levels of SECRET and/or Top Secret (TS).
  • A company's ability to identify and resource allocate personnel for the requirement. This includes a company's ability to staff, recruit, train and retain personnel.
  • A company's experience with (or a high-level summary) of consistent and timely performance in communications management. Specifically, messaging regarding threats, vulnerabilities, and emerging requirements levied by external
  • Provide a high-level summary of your company's experience complying with the National Institute of Standards and Technology, Special Publication (SP) 800-53 Rev. 5, Security and Privacy Controls for Federal Information Systems and Organizations.
  • A high-level summary from a company about effective solution sets under one (or more) of the following Cyber Security Framework (CSF) categories:
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  • The company's list of capabilities.
  • The company's best practices.
  • The company's list of metrics and/or measures and/or required inputs and/or dependencies and/or outputs for each solution.
  • The company's advances in technology with new or innovative approaches/strategies for solutions.
  • The company's tool sets.
  • The details of the company's socio-economic status.
    • Large Businesses- identify intentions for subcontracting, small business utilization, (and/or) potential mentor-protégé arrangements that may be implemented to meet this requirement. In your estimation what percent of this potential requirement would your company need to subcontract to other companies?
    • Small Businesses- identify interests as a potential prime contractor (or) subcontractor. In your estimation what percent of this potential requirement would your company need to subcontract to other companies?
  • A company's relevant and applicable reference(s) to examples of previous work and/or solution implementations that relate to the FAA's objectives and topics of interest.
  • If applicable, the company's number of Federal Contracts (awards) held as a Prime Contract Holder for Enterprise Cybersecurity Program Services. This includes any contracts with an enterprise management approach, similar to the size, scope, and complexity of the potential FAA ATO Cybersecurity Program requirement.
  • If applicable, a company's experience, as a contractor in managing and staffing System Security Officer support with significant annual growth.
  • If applicable, example(s) of a company's service contract(s) with Cybersecurity Support (i.e., Security Officer Support, and National Institute of Standards and Technology (NIST)).
  • If applicable, provide a high-level summary of a company's experience in developing software which included systems documentation (e.g., administration manuals and software code documentation).
  • If applicable, a description of similar and/or related services currently provided or provided within the past five (5) years of any experience your company has performed.
  • project description (contract or subcontractor number, if applicable)
  • dollar value
  • period of performance (POP)

D. Capabilities Statement Format

  1. Responses should be provided in 12-point font in Microsoft Office or Adobe PDF (portable document file) format.

8. DELIVERY OF SUBMITTALS

Responses must be submitted via email to:

Elizabeth H. Williams

Contracting Officer, AAQ-320

elizabeth.h.williams@faa.gov

The email subject line must state the SAM.gov announcement number followed by the company name. Individual e-mail message size (i.e., email body text plus any attachments) must not exceed 10 MB. If more than one email is required to complete a respondent's submission, then in the email subject header following the company name, state which submission in the sequence is contained in the given email and the total number of email submissions being made by respondent (i.e., Email 1 of 2, Email 3 of 3, etc.)

Any proprietary or confidential information contained in the market survey submissions must be appropriately marked.

All submissions in response to this announcement must be submitted by email to the address above by 5:00 PM EDT on July 17, 2024. Submissions prior to the requested submission date are encouraged and will be accepted. Telephone calls or paper submissions will not be accepted. Submission of electronic files on digital data storage media (i.e., Blu-ray, DVD or CD; flash drives) will NOT be accepted.

Comments and questions on the Market Survey are not considered part of the response submission. The FAA will not provide feedback on any of the submitted materials.

For questions, requests for additional information, etc. regarding this market survey, contact Elizabeth H. Williams at the email address listed above.

Posted: July 3, 2024, 1:05 p.m. EDT
Posted: June 25, 2024, 12:44 p.m. EDT
Background
The Federal Aviation Administration (FAA) is conducting a Market Survey for the purpose of soliciting statements of interest and capabilities from interested vendors. The announcement is not a Screening Information Request (SIR) or Request for Proposal (RFP). The nature of the competition has not been determined at this time.

Work Details
The FAA has a requirement to minimize the impact of cyber security events or incidents in support of availability and restoration requirements for Air Traffic Organization (ATO) systems and services. The ATO Cybersecurity Group (ACG) is responsible for governing, implementing, and managing cybersecurity controls for NAS. The market survey aims to solicit statements of interest from businesses capable of providing services such as program management, cybersecurity policy management, enterprise architecture, design & solutions, cybersecurity engineering, integration, outreach & planning, and workforce development for the ATO Cybersecurity Program.

Period of Performance
The period of performance for the contract will be in accordance with the ATO Cybersecurity Program, Engineering & Technical Services Statement of Work (SOW) dated June 25, 2024.

Place of Performance
Support under the contract may be performed on-site at FAA Headquarters (HQ) in Washington, DC, or the Mike Monroney Aeronautical Center (MMAC) in Oklahoma City and/or the William J. Hughes Technical Center in Egg Harbor Township, NJ and vendor facilities to accomplish the tasks.

Overview

Response Deadline
July 23, 2024, 5:00 p.m. EDT (original: July 10, 2024, 5:00 p.m. EDT) Past Due
Posted
June 25, 2024, 12:44 p.m. EDT (updated: July 10, 2024, 3:28 p.m. EDT)
Set Aside
None
PSC
None
Place of Performance
Washington, DC United States
Source
SAM

Current SBA Size Standard
$25.5 Million
Pricing
Likely Time & Materials
Est. Level of Competition
Low
Est. Value Range
Experimental
$5,000,000 - $20,000,000 (AI estimate)
Odds of Award
12%
On 6/25/24 FAA Headquarters issued Sources Sought 698KA8-24-RFI-ATO for REQUEST FOR INFORMATION (RFI): ATO Cybersecurity Program, Engineering & Technical Services due 7/23/24. The opportunity was issued full & open with NAICS 541330.
Primary Contact
Name
Elizabeth H. Williams
Phone
(202) 267-1155

Additional Details

Source Agency Hierarchy
TRANSPORTATION, DEPARTMENT OF > FEDERAL AVIATION ADMINISTRATION > 693KA8 SYSTEM OPERATIONS CONTRACTS
FPDS Organization Code
6920-693KA8
Source Organization Code
500000118
Last Updated
Aug. 10, 2024
Last Updated By
elizabeth.h.williams@faa.gov
Archive Date
Aug. 10, 2024