CDC Managed Service Provider (MSP) 2.0

Sources Sought Notice / Request for Information (RFI)

This RFI is issued by the Centers for Disease Control (CDC) to conduct market research for Cloud Managed Services Provider Support. The CDC is seeking to determine the availability and technical capability of small businesses (and potentially large businesses) to provide these services. The results will inform the acquisition strategy for consolidating on-premise private cloud hosting services and public cloud-based hosting services under a single, unified managed services operating model.

Respondents are requested to provide information on:

• Organizational Details: Name, address, CAGE code, UEI, size, ownership, contact information.

• Contract Vehicles: Experience with specific government-wide contract vehicles (e.g., NIH CIO-SP3, NASA SEWP V, GSA vehicles).

• Managed Service Provider (MSP) Experience: Developing, implementing, and supporting scalable managed services across on-premise private and public multi-cloud environments. Experience in consolidating such services.

• 24x7 Support & Operations: Ability to staff and deliver round-the-clock monitoring, incident response, and operational support.

• Security Management: Experience with vulnerability management, POAM lifecycle, and federal security frameworks (FISMA, FedRAMP, TIC, Zero Trust).

• Service Delivery: Experience supporting specific services including Cloud Platforms (Azure/AWS), operating systems, SQL databases, application hosting, colocation, server virtualization, storage management, CDN/security services, and web hosting.

• ITSM & Program Management: Experience with IT Service Management (ITSM) aligned with ITIL, governance, quality assurance, continuous improvement, and automated workflows.

• Contract Recommendations: Suggestions on solicitation document structure (PWS/SOO), CLIN structures, contract vehicles, cost models, and potential for service area segmentation to enhance competition and small business participation.

• Submission Deadline: July 2, 2026.

• Submission Method: Email to al00@cdc.gov in Microsoft Word or Adobe PDF format.

• Page Limit: 10 pages or less, including appendices.

• Note: This is not a request for proposals. Submission is voluntary, and the government assumes no financial responsibility for costs incurred. No feedback or evaluations will be provided on submissions.

• The CDC is specifically assessing the availability of qualified small business concerns and socioeconomic small businesses.

• The goal is to evaluate whether the requirement can be structured to maximize competition and small business participation, potentially through set-asides or reserved awards.

• The applicable NAICS code is 518210.

• CDC intends to issue an order using one of the HHS Mandatory-Use Contract Vehicles.

• Respondents may submit analogous experience if they do not have exact matches for all stated attributes.

Statement of Work (SOW) / Performance Work Statement (PWS)

To provide comprehensive cloud hosting, infrastructure, platform, database, operational, transition, and disaster recovery services for the Centers for Disease Control and Prevention (CDC) Office of the Chief Information Officer (OCIO).

• Program Management and Governance: Project planning, reporting, risk management, performance management, stakeholder engagement, and continuous service improvement.
• Infrastructure, Hardware, and Software Services: Procurement, installation, operation, maintenance, security, and refresh of infrastructure components (servers, storage, virtualization, OS, management tools) for on-premises, private, and public cloud environments. Includes lifecycle management, patching, vulnerability remediation, and CMDB maintenance.
• Cloud Operations and Platform Services: End-to-end cloud operations (24x7x365) for private, public, hybrid, and on-premises environments. Services include cloud brokerage, provisioning, monitoring, automation, storage, backup/recovery, networking, security, IAM, middleware administration, incident/problem/change management, and capacity planning.
• Software, Middleware, and Platform Administration: Installation, configuration, monitoring, patching, upgrades, performance tuning, and security administration for software platforms, middleware, and supporting applications.
• Database Services: Comprehensive database administration across all environments, supporting various relational and non-relational technologies. Includes installation, configuration, security, monitoring, performance optimization, backup/recovery, and disaster recovery support.
• Customer Engagement and Service Intake: Facilitating intake, requirements gathering, solution design, migration planning, and service onboarding for CDC customers.
• Transition Services: Support for Transition-In, Transition-Out, and workload/system transitions, including planning, knowledge transfer, documentation, migration, testing, and operational readiness.
• Disaster Recovery and Business Continuity: Planning, implementation, testing, and execution of DR capabilities across all environments to meet defined RTOs and RPOs.

Services must be secure, scalable, resilient, and highly available, complying with Federal and CDC requirements (FISMA, FedRAMP, NIST, cybersecurity policies). Performance will be measured against established service levels and operational requirements.

Not specified in this document.

• Compliance with FISMA, FedRAMP, NIST, and CDC cybersecurity and governance policies.
• 24x7x365 operations for cloud services.
• Maintenance of accurate CMDB records.
• Development and maintenance of DR/BCP procedures meeting defined RTOs and RPOs.
• Support for modernization and continuous improvement of CDC's enterprise hosting and cloud environments.

Sources Sought Notice / Request for Information (RFI)

This RFI is issued by the Centers for Disease Control (CDC) to conduct market research for Cloud Managed Services Provider (MSP) Support. The CDC is seeking to determine the availability and technical capability of small businesses (including specific subsets) and potentially large businesses to provide these services. The results will inform the acquisition method. The applicable NAICS code is 518210.

The CDC is contemplating consolidating support services for on-premise private cloud hosting and public cloud hosting under a single, unified managed services operating model. This consolidation aims to:

• Standardize operations roles, processes, and automation.
• Reduce operational costs and duplication.
• Increase service quality and operational efficiency.
• Improve governance and lifecycle management.
• Create an acquisition strategy leveraging economies of scope and scale.
• Develop a clearly defined CLIN structure and cost model for chargebacks.

Respondents are asked to provide capability statements addressing:

• Overall experience in developing, implementing, and supporting scalable managed services across on-premise private and public multi-cloud environments.
• Experience in consolidating managed services support and operations.
• Ability to perform the full requirement as a prime contractor, or identify areas for subcontracting.
• Experience with cloud-agnostic services, reference architectures, workload portability, and hybrid multi-cloud services.
• Approach to managing risks associated with service consolidation.
• Experience supporting federal product owners for IT services.
• Ability to staff and deliver 24x7x365 support and operations.
• Experience in security management, including vulnerability detection, remediation, and federal security frameworks (FISMA, FedRAMP, TIC, Zero Trust).
• Direct support experience in specific services (Cloud Platforms, OS support, SQL DBA, application hosting, colocation, virtualization, storage, CDN, web hosting).
• Experience developing and implementing enterprise ITSM programs aligned with ITIL.
• Program management experience in governance, quality assurance, and continuous improvement.
• Experience with automated workflows, AI-integrated service catalogs, and CMDB capabilities.
• Experience integrating Asset Management with federal information systems.
• Experience in developing and implementing/integrating Event and Incident Management.

No solicitation exists at this time. This is a market research effort. The CDC intends to issue an order using one of the HHS Mandatory-Use Contract Vehicles per HHS Acquisition Alert 2025-01.

• Interested parties should submit responses via email to al00@cdc.gov by June 29, 2026.
• Responses should be in Microsoft Word or Adobe PDF format.
• Responses are limited to 10 pages or less.
• Respondents need not answer every subpart; analogous experience is acceptable.
• The government will not provide feedback or evaluations on submissions.

This RFI specifically seeks to assess the availability and capability of small businesses (Small Disadvantaged Businesses, Certified 8(a), Service-Disabled Veteran-Owned Small Businesses, HUBZone Small Businesses, Woman-Owned Small Businesses) and large businesses. The CDC will evaluate whether small business set-aside approaches are feasible and assess opportunities for partial set-asides or reserved awards.

Respondents are also requested to provide contract recommendations regarding solicitation document structure (PWS or SOO), Task Areas, CLIN structures, and contract mechanisms to drive innovation. They should also describe sample cost scenarios for hybrid environments and identify if services can be broken into logical service towers to increase competition or small business participation. If a respondent is not a small business, they should identify subcontracting opportunities for small businesses.