SOURCES SOUGHT NOTICE

Document Type:  Sources Sought Notice 
Notice Number:  AMDTC-21-0002
Title:  NIST Cybersecurity and Privacy Support Services (CAPSS)
NAICS Code:  541519 – Other Computer Related Services

Contracting Office Address
National Institute of Standards and Technology (NIST), 
Acquisition Management Division, 
100 Bureau Drive, Mail Stop 1640, 
Gaithersburg, MD, 20899-1640

Sources Sought Notice: AMDTC-21-0002
Project Title:  NIST Cybersecurity and Privacy Support Services (CAPSS)

This is a Sources Sought Notice ONLY.  Requests for copies of a solicitation will not receive a response.  

This Notice is for planning purposes only and is not a Request for Proposal or Request for Quotation or an obligation on the part of the National Institute of Standards and Technology (NIST) for conducting a follow-on acquisition.  NIST does not intend to award a contract on the basis of this Notice, or otherwise pay for the information requested.  No entitlement or payment of direct or indirect costs or charges by NIST will arise as a result of submission of responses to this Notice and NIST’s use of such information.  NIST recognizes that proprietary components, interfaces and equipment may be included; respondents shall clearly mark restricted or proprietary data and present it as an addendum to the non-restricted/non-proprietary information.  In the absence of such identification, NIST will assume to have unlimited rights to all technical data in the information paper.
  
NO SOLICITATION DOCUMENTS EXIST AT THIS TIME.

Background:

The National Institute of Standards and Technology (NIST) is responsible for developing standards and Special Publications, including minimum requirements, that provide adequate information security for all agency operations and assets, but such standards and Special Publications shall not apply to national security systems. With a new and re-energized national emphasis on information security, the NIST Information Technology Laboratory's (ITL) Computer Security Division (CSD) is uniquely positioned to ensure that new technology initiatives are selected, deployed, and operated in a manner that does not increase the risk to organizational missions, individuals, and the Nation.

CSD conducts research and development in cybersecurity management and assurance, cryptography and systems security, identity management, and emerging cybersecurity technologies. CSD plays a vital role in both national and international cybersecurity standard setting. CSD also provides reference specifications in multiple areas, allowing others to leverage the Division's work to increase the security of their systems and products.

NIST is contemplating the issuance of an Indefinite-Delivery, Indefinite-Quantity (IDIQ) type contract to gain technical expertise and consultation in multiple specified areas of cyber and information security and privacy to ensure that the NIST mission can be met to "provide standards, technology, tools, and practices to protect our nation's information and information systems."

NIST expects the requirements of its mission to expand and anticipates the need for support in meeting these requirements. The support needed to ensure a successful mission ranges from internal programmatic support to technical expertise and research consulting in a wide range of cyber and information security areas. It is also anticipated that CSD will need support with outreach efforts of various kinds.

The intended outcome is for NIST to have the ability to ensure that support is available when needed for specific tasks, as they are identified through internal requirement and resource evaluation, so NIST can accomplish its mission, meet higher organizational expectations, and provide cyber and information security mechanisms to reduce the risks to organizations, individuals, and the Nation.

Requirement:

NIST is seeking information on contractors who can provide cybersecurity research, development and implementation support services and subject matter expertise within the specific task areas 1 thru 7 detailed below.  However, in terms of contractor responses to this Sources Sought Notice, please note the level of importance/priority the Government has assigned to each task area.  The “priority level” indicated for each task area is NOT an indication of how likely it is that work/tasks will occur under a given task area.  Rather, the “priority level” indicates the level of interest NIST has in identifying contractors with capabilities to successfully complete work in a given task area.  While NIST is seeking information on contractor capabilities in all task areas, information on contractor capabilities in the “HIGH” priority task areas is of greater focus than on contractor capabilities in the lower priority task areas.  The table below summarizes the priority assigned to each task area, with details on each task area to follow:

Priority Level    Task Areas
HIGH    #1, #3, and #4
MODERATE    #7
LOW    #2, #5, and #6

1.    PRIORITY: HIGH — Provide technical inputs into, and support the development of, Standards, Guidelines, NIST Interagency Reports (NISTIRs), Models, Measures, Derived Test Requirements (DTRs), and Standard Reference Material(s). Specifics in each Task Order (TO). Input(s) shall be technically correct, relevant to subject matter, and appropriate to designated audience (i.e., Federal Government and Industry). Formats shall follow NIST CSD, ITL, and Washington Editorial Review Board (WERB) requirements. Topic areas may include, but are not limited to:

a.    Cyber-physical systems, public safety communications, health information technology, electronic voting, critical infrastructure, and Federal agency cybersecurity practices
b.    Cyber supply chain risk management
c.    Cybersecurity awareness, training, education, and workforce development
d.    Cryptographic research and techniques for emerging applications
e.    Validation programs (for example, cryptographic modules, security content automation protocols)
f.    Identity, access, and privilege management
g.    Cloud computing and virtualization
h.    Mobile security
i.    Network and internet security
j.    Advanced security testing, measurement, and reference data (for example, security content automation, incident handling, vulnerability management, and information sharing)
k.    Technical security metrics (for example, roots of trust, combinatorial testing, attack graphs)
l.    Organizational and system risk assessment and management
m.    Software and application development, and application modeling
n.    Privacy engineering and risk management
o.    Cybersecurity and privacy in Health Information Technology (HIT) issues
p.    Machine Learning and Artificial Intelligence (ML/AI) cybersecurity, privacy, and trustworthiness issues (for example, bias within AI)

2.    PRIORITY: LOW — Software development, application development, and application modeling support. Specifics in each TO. Provide software development, application development and application modeling support. Design, develop, test, and deploy software, applications, Web applications, and/or multi-tier solutions in order to meet specific business needs in accordance with supplied requirements. Provide data modeling, data schema design, database design, data transformation and data loading services. This may include creation and/or maintenance of web-enabled data presentation and input applications to support specific business needs. Service may also include the need for identification and authentication mechanisms to control access to applications. Provide business process modeling of current work processes to identify opportunities for resource savings and automation efforts. The following are examples of development work to be conducted: (Specifics in each TO)

a.    Computer Security Resource Center content management system implementation and workflow development
b.    National Vulnerability Database (NVD) data query, analysis, visualization, and subscription tool development, as well as developing AI capabilities for analysis
c.    Automation and workflow development for US Government Configuration Baseline (USGCB) and National Checklist Program (NCP) data
d.    Security Content Automation Protocol (SCAP) Automated testing and reference implementations
e.    Generation of STIX-expressed indicators from cyber forensic analysis tools
f.    Generation of SCAP-expressed content from automated indicators
g.    Policy Machine demonstrations and reference implementations
h.    Proof of concept of various PIV and derived credential implementations and associated validation tools
i.    Crypto Validation Program (CVP) automated testing system and reference algorithm software development
j.    Creation and management of public collaboration sites for numerous projects

3.    PRIORITY: HIGH — Research work to be conducted in the following areas. Specifics in each TO.

a.    Cyber-physical systems, public safety communications, health information technology, electronic voting, critical infrastructure, and Federal agency cybersecurity practices
b.    Cyber supply chain risk management
c.    Cybersecurity awareness, training, education, and workforce development
d.    Cryptographic research and techniques for emerging applications
e.    Validation programs (for example, cryptographic modules, security content automation protocols)
f.    Identity, access, and privilege management
g.    Cloud computing and virtualization
h.    Mobile security
i.    Network and internet security
j.    Advanced security testing, measurement, and reference data (for example, security content automation, incident handling, vulnerability management, and information sharing)
k.    Technical security metrics (for example, roots of trust, combinatorial testing, attack graphs)
l.    Organizational and system risk assessment and management
m.    Software and application development, and application modeling
n.    Privacy engineering and risk management
o.    Cybersecurity and privacy in Health Information Technology (HIT) issues
p.    Machine Learning and Artificial Intelligence (ML/AI) cybersecurity, privacy, and trustworthiness issues (for example, bias within AI)

4.    PRIORITY: HIGH — Support development and implementation of processes and mechanisms to enable effective outreach and communications with collaborators and stakeholders across the cybersecurity landscape, including industry, academia, standards organizations, and governments. Specifics in each TO. Processes and mechanisms may include, but are not limited to:

a.    Planning and supporting workshops, conferences, webinars, and meetings;
b.    Facilitating discussions and consensus-making;
c.    Supporting use of communications tools including social media and innovative publishing methods;
d.    Creating and/or managing a web environment and web content;
e.    Testing web usability and efficacy;
f.    Preparing lessons learned from previous outreach work;
g.    Developing use cases and tools to enable implementation of the privacy risk management framework; and
h.    Supporting the preparation, analysis, and adjudication of Requests for Information and other public comment responses.

5.    PRIORITY: LOW — Program operations and analysis work to be conducted in the following areas. Specifics in each TO.

a.    National Vulnerability Database (NVD) analysis
b.    Cryptographic Algorithm Program (CAP) analysis
c.    Cryptographic Module Validation Program (CMVP) analysis
d.    Security Content Automation Program (SCAP) Validation support to labs and vendors
e.    Cryptographic Validation Program (CVP) support to labs and vendors

6.    PRIORITY: LOW — Reports and project tracking meeting external requirements. Specifics in each TO. Provide programmatic support in Project Management, creation of project reports, project resource tracking, project and program requests for resources, and support in the creation of required documentation with specific formatting and graphic support requirements.

7.    PRIORITY: MODERATE — Recommendations on standards activities that reflect NIST and DOC strategic positions, and interaction with Standards Development Organizations. Specifics in each TO. Provide technical expertise and consultation to support CSD in the identification, selection, constraining, and/or harmonization of Standards in existence and/or on the progression of standards under development by national, international, and other Standards Development Organizations (SDOs). Provide technical expertise and assistance in creating technically correct input relevant to the subject matter of the Standard under development in an SDO and provide administrative support where required.

Interested parties shall describe the capabilities of their organization as it relates to the provision of subject matter expertise and support services in the areas identified above, while considering the level of importance/priority assigned by the Government to each task area.  This level of importance/priority should NOT be misconstrued for how likely it is work will be required/awarded in these task areas.

NIST is seeking responses from all small business concerns. The small business size standard associated with the NAICS code for this effort, 541519, is $30.0 Million. Please include your organization’s size classification and socio-economic status in any response to this notice.  

After results of this market research are obtained and analyzed, NIST may conduct a competitive procurement and subsequently award a contract.  Companies that can provide such services are requested to email a written response describing their abilities to hingpan.wong@nist.gov and keith.bubar@nist.gov no later than the response date for this sources sought notice. 

The following information is requested to be provided as part of the response to this sources sought notice: 
1.    Name, Address, DUNS number, CAGE code, and point of contact information of your company.
2.    Any information on the company’s small business certifications, if applicable.
3.    Description of your company’s capabilities as they relate to the services described in this notice. 
4.    A description of your company’s previous experience providing the services described in this notice.
5.    Indication of whether the services described in this notice are currently offered via your company’s GSA Federal Supply Schedule (FSS) contracts, Government-wide Acquisition Contracts (GWACs), or other existing Government-wide contract vehicles; and, if so, the contract number(s) for those vehicles. 
6.    Any other relevant information that is not listed above which the Government should consider in finalizing its market research.

Responses are limited to a total of twelve (12) pages. The responses must be in MS Word format or PDF format.  Pages shall be 8½-inch x 11-inch, using Calibri 11 Point Font.  Each page shall have adequate margins on each side (at least one inch) of the page. Header/footer information (which does not include any information to be analyzed) may be included in the 1" margin space.