RFI for Cybersecurity Supply Chain Risk Management (C- SCRM) Program

Background
The USDA is conducting market research to identify potential sources with expertise in establishing a comprehensive Cybersecurity Supply Chain Risk Management (C-SCRM) Program. The goal is to ensure compliance with federal regulations and mitigate risks associated with compromised devices on the USDA network.

This RFI aims to gather information on industry capabilities for providing supply chain risk information through due diligence research based on publicly and commercially available unclassified data. C-SCRM involves identifying, assessing, and mitigating risks throughout the lifecycle of ICT products and services.

Work Details
The contractor will assist USDA in developing a firm set of requirements for a C-SCRM program by understanding industry standards and practices. The tasks include:
1. Providing due diligence research on companies involved in delivering products and services to USDA across all supply chain tiers.
2. Assessing compliance with C-SCRM laws, regulations, standards, policies, and reporting requirements.
3. Defining necessary people, processes, and technology for effective C-SCRM management.
4. Enabling visibility into global multi-tier supply chains and identifying ICT C-SCRM risks in products (hardware, software, firmware).
5. Evaluating capabilities that mitigate supply chain risks presented by ICT-based services.
6. Providing a capability statement addressing knowledge and experience related to federal regulations, automated processes for risk assessments, scalability of solutions, consistency in approaches, information-sharing mechanisms, alignment with best practices, and successful implementation of foundational SCRM practices as identified by the GAO.

Place of Performance
The anticipated place of performance is TBD; work could possibly be done remotely.