Cybersecurity Compliance Services Support

Background
The FEMA Office of the Chief Information Security Officer (OCISO), Compliance Division maintains FEMA’s compliance posture in accordance with Federal Information Security Modernization Act (FISMA) and facilitates a continuous monitoring Authority to Operate (ATO) process that provides security authorization services support to all FEMA systems. The purpose of this effort is to ensure the confidentiality, integrity, and availability systems, networks and data are at an acceptable level of risk throughout the system development life cycle by acquiring and providing Information System Security Officers (ISSOs), Security Analysts, Program Manager, and other cyber resources determined in the future to fulfill cyber security requirements for FEMA’s Enterprise systems.

Work Details
FEMA is looking for a contractor to provide project management and cyber security compliance support services to the agency’s IT system owners and key stakeholders throughout the systems development lifecycle (SDLC) to include classified and unclassified systems. The Contractor shall incorporate security engineering and business best security practices into its management of all services, releases, and projects. The Contractor’s overall approach for integrating the two shall be described in the Service Management Plan (SMP).
The Contractor’s adherence to this SMP process shall be reviewed at Contract and Call Order Contractor Performance Reports (CPRs) and shall be incorporated into 90 Day Action Plans and Integrated Master Schedules (IMSs). The content of the SMP shall be ISO/IEC 20000-2:2019, National Institute of Standards and Technology (NIST) Cybersecurity Framework, NIST Risk Management Framework (RMF), and Department of Homeland Security (DHS) 4300 Series.

Place of Performance
The contract work may be performed within the continental United States (CONUS) and outside the continental United States (OCONUS), including various locations such as FEMA Headquarters, Regional Offices, Distribution Centers, Disaster Emergency Communications facilities, Government Owned and Contractor Operated (GOCO) facilities.