Alaska Aerospace Corporation is seeking proposals from qualified vendors to provide Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance services. The selected vendor will assist our organization in achieving and maintaining CMMC Level 2 certification to meet Department of Defense (DoD) contractual obligations for handling Controlled Unclassified Information (CUI). This RFP outlines the scope of services, deliverables, and evaluation criteria for vendor selection.
Proposals must be received no later than 5pm prevailing Alaska Standard Time on 1 July 2025 as indicated by postmark or email timestamp and late proposals will not be considered. All interested bidders must register with the Procuring Contracting Officer prior to bid submittal. Unregistered bids will not be accepted.
All questions must be in writing and directed to the procurement officer. The interested party must confirm telephone conversations in writing.
Two types of questions generally arise. One may be answered by directing the questioner to a specific section of the RFP. These questions may be answered over the telephone. Other questions may be more complex and may require a written amendment to the RFP. The procurement officer will make that decision.
Proposals shall be submitted via email. If submitting a proposal via email, the technical proposal and cost proposal must be saved as separate PDF documents and emailed to brandin.bignall.ctr@akaerospace.com as separate, clearly labeled attachments, such as Vendor A Technical Proposal.pdf and Vendor A Cost Proposal.pdf . The email must contain the RFP number in the subject line.
PROCUREMENT OFFICER: Brandin B. Bignall
email ADDRESS: Brandin.Bignall.ctr@akaerospace.com
Background
The Alaska Aerospace Corporation (AAC) is seeking proposals from qualified vendors to provide Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance services. The goal of this contract is to assist AAC in achieving and maintaining CMMC Level 2 certification to meet Department of Defense (DoD) contractual obligations for handling Controlled Unclassified Information (CUI).
The Pacific Spaceport Complex – Alaska, owned by AAC, serves as a low-cost access point to space and requires compliance with CMMC Level 2 due to its operations involving CUI.
Work Details
The contractor will provide comprehensive CMMC Level 2 compliance services, including:
1. Gap Assessment: Conduct an assessment of current cybersecurity practices against CMMC Level 2 requirements based on NIST SP 800-171 controls.
2. Remediation Planning: Develop a remediation plan addressing identified gaps with prioritized recommendations and cost estimates.
3. Implementation Support: Assist in implementing the 110 NIST SP 800-171 controls and associated Level 2 practices, including technical configurations and policy development.
4. System Security Plan (SSP) and Plan of Action and Milestones (POA&M): Develop or update the SSP for compliance documentation and create a POA&M for tracking remediation progress.
5. Pre-Assessment Preparation: Prepare AAC for a CMMC Level 2 assessment by a Certified Third-Party Assessment Organization (C3PAO), including mock audits and evidence collection.
6. Ongoing Compliance Support: Provide guidance on maintaining CMMC Level 2 compliance post-certification, including monitoring and updates to controls.
Period of Performance
The contract will commence approximately on August 1, 2025, and will last for approximately three years until June 2028.
Place of Performance
The work will be performed at the Pacific Spaceport Complex – Alaska, with the contractor providing its own workspace unless otherwise arranged with AAC.
Bidder Requirements
Offerors must hold a valid Alaska business license prior to the award of the contract. Subcontractors may be used but must be disclosed in the proposal, including their qualifications and licensing status.
