Risk Management Framework (RMF) Services

The Risk Management Framework (RMF) manages cyber security risks by implementing dynamic security controls for federal information systems. Agencies must replace the static Certification and Accreditation (C&A) process with RMF. NIST developed RMF, and it is described within NIST publication SP 800-53 as a required element of FISMA compliance.

Agencies can get RMF services through Blanket Purchase Agreements (BPAs) with 14 industry partners.

Features

Ceiling: $58 million

Period of performance: June 10, 2011 to June 9, 2014

Solicitation number: eBuy RFQ #465145 (QTA-0-10-FK-B-0001)

Aligned with federal cybersecurity guidance and commercial best practices

The RMF BPA is aligned with Federal Information Security Management Act (FISMA) requirements, Office of Management and Budget (OMB) guidance, and commercial best practices including continuous monitoring. Learn more on the National Institute of Standards and Technology (NIST) website.

Available to all government customers

Federal, state, local, and tribal government organizations can use the RMF BPA.

Lower prices

The RMF BPA features lower prices than you can find on IT Schedule 70.

How to order

Follow the six steps below to order. For complete instructions, download the Risk Management Framework Ordering Guide (Word, 1,340k, 11/14/2011).

1. Determine that your work is in scope

Review the BPA modification in the Risk Management Framework Ordering Guide (Word, 1,340k, 11/14/2011) for the full scope of the BPA. During this phase, you must also determine the complexity of your current systems. Use Appendix D and the Complexity Model spreadsheet (also in the ordering guide) to assess your systems.

2. Prepare the statement of work (SOW)

Draft your requirements in accordance with your system assessment. Use the ordering procedures in FAR 8.405-2 for a list of what you must include.

3. Prepare the request for quotations (RFQ)

Follow your agency’s procedures for preparing an RFQ and follow any internal policies for acquiring IT services. Develop and state your evaluation criteria.

All orders must be fixed-price.

4. Issue the request for quotations (RFQ)

Below $3,000. If your order is below the micro-purchase threshold, you may place orders with any BPA holder who can meet your needs. You should try to distribute orders among the BPA holders.

Between $3,000 and $150,000. If your order is between the micro-purchase threshold and the simplified acquisition threshold, provide the RFQ to at least three BPA holders according to FAR 8.405-2. (If you don't, you must document the exception according to FAR 8.405-6.)

Above $150,000. If your order is more than the simplified acquisition threshold, provide the RFQ to all BPA holders who meet your requirements. You must also seek a price reduction.

5. Evaluate responses

Evaluate all responses received using the evaluation criteria you specified in the RFQ. See FAR 8.405-2(d) for more guidance. Select the BPA holder who represents the best value.

6. Award the task order

Award the task order and document who you awarded it to, what was purchased, and the pricing. Include the BPA number, BPA holder's name, and Schedule contract number on all orders.

Document name: Risk Management Framework Ordering Guide (includes templates to help you order RMF services)
Format: Word
Size: 1,340k
Publish date: 11/14/2011

Industry partners

View the websites below for the 14 RMF BPA awardees. More information about each awardee, including points of contact, is available in the Risk Management Framework Ordering Guide (Word, 1,340k, 11/14/2011). These links go to nongovernment commercial websites.
