Department of Defense (DoD) Privacy Information Management System (DPIMS)

Sources Sought Notice

This notice is issued by the Defense Information Systems Agency (DISA) to determine the availability and technical capability of small businesses to provide sustainment services for the Department of Defense (DoD) Privacy Information Management System (DPIMS). DPIMS is an enterprise-wide platform consolidating breach reporting, enhancing efficiency, compliance, and analytics across DoD components. It is a Commercial-off-the-Shelf (COTS) SaaS solution hosted in an Azure GovCloud IL5 environment, accessible via NIPRNet.

The contractor will be responsible for project management, operations and maintenance (24/7/365), configuration management, tiered help desk support (Tier II/III), and cybersecurity services for the DPIMS platform. Key capabilities required include:

• Operations and Maintenance: Daily system monitoring, database administration, performance tuning, patching, uptime management, backups, and routine maintenance for a cloud-hosted custom application.

• Cyber Security and ATO Maintenance: Continuous Authority to Operate (ATO) maintenance, vulnerability management (ACAS, IAVMs), eMASS artifact maintenance, secure NIPR connectivity, data protection, interoperability with DoD systems, access controls, monitoring, and incident response.

• Tiered Technical Support: Providing Tier II and Tier III help desk support for DPIMS users, incident management, and SOP development.

• Configuration and Release Management: Formal release process for application changes (patches, fixes, enhancements), including testing, deployment, and documentation.

• Period of Performance: One 12-month base period and four 12-month option years, plus a potential 6-month extension under FAR clause 52.217-8.

• Place of Performance: Contractor's site and DISA Headquarters at Ft. Meade, MD. CONUS travel may be required.

• This is a Sources Sought Notice for market research; it is not a Request for Proposal (RFP).

• Interested businesses should submit a capabilities statement (max five pages) addressing the required capabilities and special requirements.

• Submission Deadline: Not explicitly stated in the provided text, but responses should be emailed to Korrina Taitano and Sebrina Lewis.

• DISA is specifically seeking information from small businesses (including SDB, 8(a), SDVOSB, HUBZone, WOSB).

• NAICS Code: 541512 (Size Standard: $34,000,000).

• Responses must demonstrate ability to comply with FAR clause 52.219-14, Limitations on Subcontracting.

• Information on joint ventures or partnering is requested.

• Special Requirements: Company must have a final security facility clearance. Personnel must be US Citizens and able to obtain a Secret clearance.

• The current contract for portions of this requirement is with Diversified Technical Services, Inc. (Small Business) under GSA MAS, with a PoP of 24 Sep 2021 – 23 Sep 2026.

• Responses are voluntary and do not commit the government to any award. No funds are available to pay for response preparation.

Performance Work Statement (PWS)

This PWS outlines the requirements for the sustainment of the Department of Defense (DOD) Privacy Information Management System (DPIMS). DPIMS is the enterprise-level case management system for breach reporting across all DOD entities, aiming to standardize reporting, improve efficiency, and streamline operations related to data breaches.

The contractor will be responsible for the following tasks:

• Task 1 – Project Management: Providing project management, supervision, technical writing, and documentation support.
• Task 2 - Change and Release Management: Managing requirements, performing testing services, and maintaining the configured COTS solution.
• Task 3 - Tiered Support: Offering comprehensive help desk support (Tier I, II, and III) for the DPIMS application, including incident resolution, user account management, and system administration.
• Task 4 – Operations, Maintenance and Sustainment: Ensuring system availability, RMF compliance, production/development/testing support, hosting environment maintenance, and managing upgrades.
• Task 5 – Cyber Security: Preparing certification and accreditation documentation, managing security posture, and complying with government security policies and RMF.

The scope includes supporting a COTS solution hosted in a DoD-approved cloud environment (Microsoft Azure Government IL5) and may require surge support not exceeding 10% of the contractor's total proposed cost/price.

Performance will be measured against Acceptable Quality Levels (AQLs) for each task, focusing on on-time delivery of documents and materials, ticket response and closure times, system availability, and security compliance. Specific metrics include >97% on-time document delivery for Project Management and >90% of system tickets closed within 2 business hours for Help Desk Tier II.

• Period of Performance: One 12-month base period and four 12-month option years, with a potential 6-month extension under FAR 52.217-8.

• Place of Performance: Primarily remote locations approved by the contractor. Classified work will be performed at cleared facilities. DISA Headquarters is located at Ft. Meade, MD.

• Security: Personnel require at least an Interim Secret clearance for most tasks, with access to NIPRNet and SIPRNet. The company must possess a Secret Facility Clearance.

• Certifications: Compliance with CMMC Level 3 is required.

• Data Rights: Unlimited Data Rights are required for all deliverables.

• Reporting: Regular reports include Monthly Status Reports (MSR), Program Management Reviews (PMR), System Status Reports, and After Action Reports for incidents.

• Travel: CONUS travel may be required and must be approved in advance by the COR.