HHS - IT Security and Privacy Services (ISPS) - MRAS

The Department of Health and Human Services (HHS), through the General Services Administration (GSA), is conducting market research to support the Center for Consumer Information and Insurance Oversight (CCIIO). This initiative seeks to enhance IT security and privacy services, with a focus on evolving CCIIO's information technology governance and policy development. The goal is to ensure that CCIIO's policy and compliance guidance keeps pace with industry standards, particularly as they relate to IT security and privacy. The Marketplace Innovation and Technology Group (MITG) within CCIIO is responsible for overseeing the technical systems that underpin the agency's operations, including managing governance, compliance, and oversight programs across various state entities.

The work requested involves providing independent technical, analytical, and subject matter support to CCIIO's Information Security and Privacy (CISP) Team. This team oversees numerous systems across federal states, commercial partners, and other mission partners like Enhanced Direct Enrollment (EDE) systems. The Contractor will be expected to help develop a comprehensive Enterprise Risk Management program that goes beyond traditional system security measures. This program should strategically align security policies with privacy procedures while ensuring compliance with evolving regulations.

Key responsibilities include evaluating emerging technologies such as Artificial Intelligence, assessing upcoming policy changes with a focus on privacy implications, and supporting the development of a Business Activity Monitoring (BAM) strategy. This strategy aims at establishing critical business metrics for real-time monitoring of IT systems user activity across multiple federal systems. The Contractor will also provide insights into establishing an Enterprise Risk Management framework at large healthcare organizations by identifying risks, assessing them systematically, and implementing continuous monitoring processes.

Feedback from industry stakeholders is solicited regarding potential ambiguities in the Performance Work Statement (PWS), additional information needed for clarity on requirements or terms, recommended evaluation factors for selecting a contractor offering best value for this program, as well as any technical information desired alongside a potential solicitation. Organizations capable of providing these services are encouraged to submit their capabilities statement along with responses to specific questions concerning their experience in regulatory compliance investigations and their capacity in risk management frameworks.