FDA Cybersecurity Risk Management and Compliance Services

Statement of Work (SOW) / Performance Work Statement (PWS)

This Statement of Work (SOW) outlines the objectives, constraints, technical requirements, and task areas for the U.S. Food and Drug Administration (FDA) Cybersecurity, Counterintelligence, and Insider Threat Program's Risk Management mission. The goal is to improve the FDA's cybersecurity posture and ensure compliance with federal laws and mandates.

• The scope encompasses technical and management services and subscriptions/licenses to support the FDA Cybersecurity, Counterintelligence, and Insider Threat Program's objectives.

• Key task areas include: Security Authorization Support, Security Policy and Data Call Support, Enterprise Governance Risk and Compliance (eGRC) Support Services, Cybersecurity Risk Management Documentation Services, and Transition In or Out Services.

• Services involve supporting security authorization processes, developing policies, managing eGRC tools (like RSA Archer), creating documentation, and facilitating transitions.

• Compliance with federal laws and mandates (e.g., FISMA, NIST SP 800-37, 800-53).

• Implementation of security controls to maintain confidentiality, integrity, and availability of FDA data.

• Support for ongoing authorization processes and audit responses.

• Timely reporting and response to security incidents and breaches.

• Most work is expected to be performed in the Washington, DC Metropolitan area, with potential travel to other FDA offices.

• A remote workforce program is supported if it meets specific criteria.

• Adherence to cybersecurity and privacy requirements, including FedRAMP.

• Mandatory training for all contractor staff on cybersecurity awareness, privacy, and records management.

• Compliance with specific security requirements for IT equipment, cloud environments, and data transport.

• Personnel must obtain background investigations commensurate with position sensitivity designations (Tier 2/2S).

• Compliance with Homeland Security Presidential Directive (HSPD)-12.

• Adherence to Section 508 accessibility standards for electronic and information technology.

Sources Sought Notice

This notice is issued by the U.S. Food and Drug Administration (FDA) for market research purposes to identify potential vendors capable of providing Cybersecurity Risk Management and Compliance Services. The FDA is specifically seeking to identify SMALL BUSINESSES, particularly SBA certified 8(a) vendors, within GSA Multiple Award Schedule (MAS) categories 54151S (Information Technology Professional Services) and 54151HACS (Highly Adaptive Cybersecurity Services).

The FDA is looking for capabilities in:

• Developing and providing system security authorization packages in accordance with FISMA 2014, HHS, OMB, NIST SP 800 series guidance, and NIST FIPS.
• Ensuring compliance with DHS High Value Asset Control Overlay for High Value Assets.
• Specific objectives include:
  • Ongoing security authorization services
  • Learning Management System (LMS) support for mandatory training
  • Security Policy and Data Call Support
  • Enterprise Governance Risk and Compliance (eGRC) Support Services
  • Cybersecurity Risk Management Documentation Services
  • Transition In or Out Services

A solicitation is NOT currently available. The government is not obligated to award a contract based on this notice and will not pay for any information received.

• Response Due Date/Time: February 4, 2026, by 2:00 PM ET.
• Submission Email: michelle.dacanay@fda.hhs.gov
• Format: Capability statements tailored to the requested information, not exceeding 10 pages.
• Content: Must include contact information, company structure, SAM registration, GSA contract numbers, proposed NAICS and GSA Schedule, publicly posted pricing, and detailed responses to specific questions regarding experience in cybersecurity risk management, FISMA, ongoing authorization, FedRAMP, AI, DHS tools, auditing, and subcontracting.
• Evaluation: Responses will be reviewed confidentially by FDA personnel to determine if small business sources capable of satisfying the agency's requirements exist. No individual feedback will be provided.

This sources sought is specifically targeting SMALL BUSINESSES, particularly SBA certified 8(a) vendors. Companies must be registered in SAM.gov.

• This is a Sources Sought Only, not an RFQ or RFP.
• Responses are voluntary and at no cost to the government.
• Proprietary, classified, or sensitive information should not be included.
• The FDA reserves the right to use non-proprietary technical information in future solicitations.