Department of Education,
Federal Student Aid BPA
Cybersecurity and Privacy Support Services (CPSS)

Contract Information

Points of Contact

Heather Conigliaro

Contract Details

Contract Number:

Period of performance:

Department of Education, Federal Student Aid BPA
Cybersecurity and Privacy Support Services (CPSS)


The purpose of this multiple-award Small Business set-aside Blanket Purchase Agreement (BPA) is to provide Cybersecurity and Privacy Support Services (CPSS) for the Department of Education (DoED) Federal Student Aid (FSA) and the DoED Office of the Chief Information Officer (OCIO) to implement cybersecurity policies, protect the organizational information technology enterprise infrastructure, and protect sensitive U.S. citizens’ data from unauthorized access. This BPA was awarded in accordance with the General Services Administration (GSA) Multiple Award Schedule (MAS) Special Item Number (SIN) 54151HACS (formerly SIN 132-45) and the related Information Technology (IT) Professional Services SIN 132-51. The competitive Call Order services procured under this BPA shall provide a fully functional and highly resilient cybersecurity capability, including continuous monitoring, to identify, assess, manage, and mitigate risk through the protection of DoED systems and information. Areas of support include, but are not limited to, Cybersecurity Risk Management and Compliance; Information Systems Security Services; Cybersecurity Operations; Software Capability Operations and Maintenance; Security Architecture Support; Security Engineering; and Continuous Diagnostics and Mitigation. The resulting Call Orders for these services shall be competitively awarded per the requirements stated in this BPA to support DoED’s immediate and future cybersecurity needs.

BPA Ceiling:
The cumulative total of all Call Orders issued during the entire period of performance of the BPA is estimated at $300 million.

Contract Type:
This is a multiple-award BPA in accordance with (IAW) FAR 8.405-3. The contract type for each Call Order placed against the resultant BPA will be determined upon issuance of that competitive Call Order and may be Firm Fixed Price (FFP), Labor Hour (LH), Time and Materials (T&M), or any combination of these three contract types.

Cybersecurity Risk Management and Compliance

The Chief Information Security Officer (CISO) maintains a cybersecurity program based upon the National Institute of Standards and Technology (NIST) Risk Management Framework for complying with and assessing the security posture of all FSA information systems, including partner and other third-party entities. This includes independent verification and validation of the controls tested, tracking to closure of all plans of action and milestones for vulnerabilities, gathering metrics on compliance levels, scorecards, and cybersecurity statistics, and support in managing audit findings. Independent Verification and Validation of findings, vulnerabilities, and mitigations shall support Federal resource assessments. As such, BPA holders awarded Call Orders under this Service Area are precluded from the award of services under Service Area 4.1.3.

Information Systems Security Services

The CISO provides support for FSA Information System Security Officers (ISSOs), who are responsible for the overall cybersecurity administration, health, and hygiene of their respective information systems. The duties of the CPSS contractor may include designation as a primary or alternate ISSO, as deemed necessary by the CISO. Such duties include acting as the primary point of contact for cybersecurity matters; ensuring compliance with current policies; ensuring cyber defenses are in place and operating as designated by the security plan; updating entries in the Departmental tracking system (currently Cyber Security Assessment and Management, CSAM); ensuring completion of data sensitivity worksheets and self-assessments; ensuring boundary information is identified, accurate, and current; coordinating disaster recovery plans and tests; ensuring system-related documentation is accurate and current; ensuring the system maintains a valid Authority to Operate (ATO); ensuring that users are current and maintain proper authorization; reporting and responding to any security incidents; and attending and reporting on ISSO meetings.

Cybersecurity Operations

The CISO is in charge of several teams focused on the day-to-day operation and maintenance of cybersecurity for FSA information systems. The CISO teams are organized around the five core functions described in the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover. FSA employs world-class services and products at its major data center and cloud implementations, as well as strict oversight of third-party contracted servicers. The DoED Security Operations Center (SOC) collaborates with approximately 70 different external contractors/partners at approximately 50 distributed data center sites that support over 200 Federal Information Security Management Act (FISMA) reportable systems. Each external contractor/partner manages a local incident response team (IRT) and/or SOC. The DoED SOC synthesizes data from each of these contractors/partners for oversight monitoring. DoED OCIO requires on-site support for the DoED SOC, and FSA requires on-site support for the FSA SOC, to integrate and monitor the systems and technologies, including the activities related to managing security operations and coordinating incident response with these external partners. BPA holders awarded Call Orders under this Service Area are precluded from the award of services under Service Area 4.1.1.

Software Capability Operations and Maintenance

The DoED and FSA CISOs address some security requirements through the maintenance and evergreening of custom software, applications, and scripts that satisfy specific needs and requirements. These cybersecurity solutions maintain robust protections and features that may fall outside a Commercial Off-The-Shelf (COTS) tool or vendor-standard report. All future technical requirements for software capabilities will adhere to DoED and FSA’s cybersecurity checklist of mandatory requirements.

Security Architecture Support

The CISO is required to maintain the security architecture for systems under Department control. The CISO provides the expertise to review and develop high-level architecture designs and diagrams, as well as the technical security architecture for security-sponsored capabilities. The security architecture support is responsible for ensuring that stakeholder protection needs, and the corresponding system requirements necessary to protect organizational missions, business functions, and individuals’ privacy, are adequately addressed in the enterprise architecture, including reference models, segment architectures, and solution architectures (systems supporting mission and business processes). The security or privacy architect serves as the primary liaison between the enterprise architect and the systems security or privacy engineer, and coordinates with system owners, common control providers, and system security or privacy officers on the allocation of controls. The security architecture function is responsible for the aspects of the enterprise architecture that protect information and information systems from unauthorized system activity or behavior in order to provide confidentiality, integrity, and availability. The privacy architecture function is responsible for the aspects of the enterprise architecture that ensure compliance with privacy requirements and manage the privacy risks to individuals associated with the processing of Personally Identifiable Information (PII).

Security Engineering

The DoED OCIO and FSA Security Engineering team provides full-service engineering and architecture support to design and document ongoing and future initiatives that enhance security monitoring and incident response capability. The support is focused on the implementation, optimization, administration, and integration of security policy, guidelines, hardening standards, security tools, technology, and security design documentation, and on developing innovative solutions to keep the SOC at the cutting edge of technology.

Continuous Diagnostics and Mitigation

The DoED and FSA CISOs maintain a continuous monitoring program consistent with the Federal Government’s deployment of Information Security Continuous Monitoring (ISCM) and the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) Program. The program is at various levels of deployment, with some components fully fielded and others with gaps yet to be addressed. CPSS contractors shall assess current capabilities and mature the Department/FSA CDM levels. The overall program is directed at reducing the agency threat surface, improving situational awareness (especially in Federal space), improving response capabilities, and meeting reporting requirements at the Department and FISMA levels.

Information Resources Program Elements (IRPE)

Contractors supporting this BPA effort shall meet all the requirements of the FSA Information Resources Program Elements (IRPE) Standards of Work. The specific IRPE requirements shall be specified and provided in detail at the Call Order level.