Notice of Intent to Sole Source - Cybersecurity Risk Management and Assessment (CRMA)

Pursuant to Federal Acquisition Regulation (FAR) 6.302-1, the National Geospatial-Intelligence Agency (NGA), Office of Contract Services (OCS), plans to award a sole source modification for a three-month extension to Deloitte Consulting LLC, 1919 N. Lynn Street, Suite 800, Arlington, Virginia 22209 in support of the Cybersecurity Risk Management and Assessment (CRMA) Task Order (HM0476-18-F-0215).

Deloitte Consulting LLC is the only responsible source to provide CRMA support services within the required timeframe without unacceptable delays in fulfilling the Agency’s mission critical cybersecurity requirements. This action will allow NGA/OCS the opportunity to complete the competitive award of a new contract that is currently in progress and ensure sufficient transition. The three-month extension will be effective 18 February 2023 through 17 May 2023.

The NGA/CIO-T requires cybersecurity services to protect and defend against network cyber-attacks. Cybersecurity services must provide information assurance measures that protect and defend information and information systems (IS) by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

The current contractor, Deloitte Consulting LLC has the operational capability in place to provide for continuous cybersecurity support services to NGA’s Office of the Chief Information Officer (CIO) and Information Technology Services Directorate (CIO-T). CIO-T’s mission is to safeguard the NGA mission through collaborative, forward-leaning, and risk-balanced solutions, by providing cybersecurity assessment and authorization, risk management, blue team and information system security automation and optimization services to ensure trust in GEOINT services and data. NGA has defined and implemented a Risk Management Framework (RMF) based on National Institute of Standards and Technology (NIST) standards and Intelligence Community Directives (ICDs), carried out by the CRMA contract. RMF processes, tasks, and documentation provide the framework upon which NGA manages risks throughout the information system lifecycle. Assessment and Authorization (A&A) activities, performed using the RMF, are critical to provide NGA authorizing officials with accurate, sufficient, and timely information by which they can make risk-related decisions. Blue Team assessment services are required to identify vulnerabilities and security gaps in support of A&A and other agency cybersecurity functions. Finally, an Information System Security Automation and Optimization (ISSA&O) service provides technical solutions for meeting cybersecurity requirements and produces security architectures, designs, solutions, and configuration recommendations.

Award to any other source would require a competitive acquisition and award, transition and start-up time that would result in unacceptable delays in fulfilling ongoing critical agency requirements. Further, this extension will avoid a break in cybersecurity service supporting NGA’s mission critical risk management operations that protect and defend against network cyber-attacks, and, thereby, provide continuity of cybersecurity support services under the CRMA Task Order.

This Notice of Intent is being published in accordance with FAR 5.2 requiring the dissemination of information on proposed contract actions. This synopsis is a notice of intent to issue award using other than full and open competition and should not be construed as a request for competitive proposals. The determination of the Government not to open subject requirement to full and open competition was made in accordance with (IAW) 10 U.S.C.2304(c)(1) and 6.302-1(a)(2)(iii)(B) - Unacceptable delays in fulfilling the agency's requirements. A competitive follow-on solicitation for this requirement was released in November 2021 and an award is anticipated in Second Quarter (Q2) FY2023.

Interested parties may express their interest and provide a capabilities statement to the requirement no later than (NLT) Wednesday, 1 February 2023 at 12:00 p.m. Eastern Standard Time (EST), which shall be considered by the agency. A determination not to compete this proposed contract based on this notice is within the discretion of the Government.

The Government will issue a Justification and Approval (J&A) to support the need for a sole source award. An approved J&A will be posted at the Governmentwide Point of Entry (GPE) (http://www.SAM.gov) within 14 days after award of the modification.