This document outlines the Defense Health Agency (DHA) Cyber Logistics cybersecurity Risk Management Framework (RMF) requirements for vendors. Vendors must comply with RMF requirements, including system security, assessment timeframes, and obtaining an Authority to Operate (ATO). This involves submitting vulnerability assessment reports (Nessus scans), adhering to Security Technical Implementation Guides (STIGs), and maintaining equipment with patches and updates for at least six years or until the equipment's end-of-life date, whichever is longer. Pricing for cybersecurity lifecycle elements, including the initial ATO and post-warranty maintenance, must be included in quotes. Failure to meet the requirements may result in contract termination. Vendors are required to provide a point of contact for cybersecurity and subject matter experts for assessments. Specific timelines are provided for vendor and government actions throughout the RMF process.
The bid notice does not explicitly state a general delivery deadline for all products or services. However, it mentions that for all equipment requiring a full independent verification and validation (IVV) test, the vendor shall not make any delivery and shall not receive payment until the program management office (PMO) has completed a self-assessment and the IVV has been scheduled. Delivery may take place prior to this milestone only if written permission is provided by the contracting officer. For equipment requiring an assess only certification, delivery and payment are contingent on the PMO completing a self-assessment and the system being submitted for an assess only ATO/APL. The vendor must receive written confirmation from the PMO or contracting officer that the system has been submitted and that the vendor may proceed with delivery. Delivery may take place prior to this milestone only if written permission is provided by the contracting officer. The vendor shall remit all requested technical documents to the requester no later than one hundred and thirty (130) days from the date of order.
The bid notice states that for all equipment requiring a full independent verification and validation (IVV) test, the vendor shall not receive payment for the system until the program management office (PMO) has completed a self-assessment and the IVV has been scheduled. Similarly, for equipment requiring an assess only certification, the vendor shall not receive payment for the system until the PMO has completed a self-assessment and the system has been submitted for an assess only ATO/APL. The vendor must receive written confirmation from the PMO or contracting officer that the system has been submitted for an assess only ATO/APL and that the vendor may proceed with delivery before payment is processed. The bid notice does not specify other general payment terms.
The bid notice states that vendors shall be responsible for providing cybersecurity maintenance support for six (6) years, or until the end of life date of the equipment identified by the vendor, whichever is longer. Furthermore, pursuant to subsequent warranty period and service maintenance agreements (SMAs), the vendor shall, after the issuance of an ATO or APL approval, ensure that the vendor's device or system maintains its ATO or operating system platform and patches/updates for six (6) years or as long as the vendor commercially supports the equipment/product, whichever is longer. Maintaining the RMF ATO or APL approval shall be included as part of the vendor's warranty period.
The bid notice mentions that the option pricing for RMF only maintenance shall at a minimum be used in the evaluation/selection of vendors. However, it does not explicitly detail the overall award criterion.
The bid notice requires vendors to comply with the National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) evaluation. Vendors must provide a fully credentialed Nessus scan with the RFO submission and monthly Nessus scans thereafter. The vendor device or system shall pass prevalidation technical screening vulnerability scans utilizing Nessus, Security Content Automation Protocol (SCAP) scans, and Security Technical Implementation Guide (STIG) checklists within 6 months of contract award. Specific criteria for these scans include no unmitigated very high or high severity Category I (CAT I) vulnerabilities and no unmitigated moderate severity Category II (CAT II) vulnerabilities from the Nessus scans and STIGs. The vendor shall also provide all sections of the Medical Device Equipment Risk Assessment (MDERA) questionnaire and a vulnerability assessment report from a Nessus scanner.
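The prevalidation criterion above (no unmitigated CAT I or CAT II findings from Nessus and STIG results) is a mechanical gate that a vendor's cybersecurity point of contact can run before submission. The script below is an added example, not code from the bid notice, DHA, Tenable or DISA. It parses constructed fragments of a Nessus v2 report and a STIG checklist (.ckl), applies the DISA category mapping (high = CAT I, medium = CAT II, low = CAT III), and treats Nessus severities 4 and 3 as CAT I and 2 as CAT II; that Nessus-to-category mapping, the `mitigated_ids` list standing in for documented mitigations, and the decision to count `Not_Reviewed` STIG items as open are assumptions made for the example.

```python
"""Prevalidation scan gate (added example; assumptions noted in comments)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of a Nessus v2 report fragment (not real scan output).
NESSUS_SAMPLE = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="10.0.0.5">
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
            pluginID="100001" pluginName="Constructed critical finding"/>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
            pluginID="100002" pluginName="Constructed medium finding"/>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
            pluginID="100003" pluginName="Informational plugin"/>
</ReportHost></Report></NessusClientData_v2>"""

# Constructed sample of a STIG checklist (.ckl) fragment.
CKL_SAMPLE = """<CHECKLIST><STIGS><iSTIG>
<VULN>
 <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
 <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
 <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Constructed CAT I rule</ATTRIBUTE_DATA></STIG_DATA>
 <STATUS>Open</STATUS>
</VULN>
<VULN>
 <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
 <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
 <STATUS>NotAFinding</STATUS>
</VULN>
<VULN>
 <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000003</ATTRIBUTE_DATA></STIG_DATA>
 <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
 <STATUS>Open</STATUS>
</VULN>
</iSTIG></STIGS></CHECKLIST>"""

# Assumed mapping of Nessus numeric severity to DISA categories
# (4/3 = very high/high -> CAT I, 2 = moderate -> CAT II, 1 -> CAT III, 0 = info).
NESSUS_TO_CAT = {"4": 1, "3": 1, "2": 2, "1": 3}
# Standard DISA severity-to-category mapping used in checklists.
STIG_TO_CAT = {"high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    source: str      # "nessus" or "stig"
    finding_id: str  # Nessus pluginID or STIG Vuln_Num
    category: int    # 1 = CAT I, 2 = CAT II, 3 = CAT III
    title: str


def parse_nessus(xml_text: str) -> list:
    """Return one Finding per ReportItem with a vulnerability severity (> 0)."""
    out = []
    for item in ET.fromstring(xml_text).iter("ReportItem"):
        cat = NESSUS_TO_CAT.get(item.get("severity", "0"))
        if cat is None:          # informational plugins are not findings
            continue
        out.append(Finding("nessus", item.get("pluginID", "?"), cat,
                           item.get("pluginName", "")))
    return out


def parse_ckl(xml_text: str) -> list:
    """Return one Finding per VULN whose status is Open (or not yet reviewed)."""
    out = []
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        attrs = {sd.findtext("VULN_ATTRIBUTE", ""): sd.findtext("ATTRIBUTE_DATA", "")
                 for sd in vuln.findall("STIG_DATA")}
        # Assumption: unreviewed items are treated as open until someone closes them.
        if vuln.findtext("STATUS", "") not in ("Open", "Not_Reviewed"):
            continue
        cat = STIG_TO_CAT.get(attrs.get("Severity", "").lower())
        if cat is None:
            continue
        out.append(Finding("stig", attrs.get("Vuln_Num", "?"), cat,
                           attrs.get("Rule_Title", "")))
    return out


def evaluate(findings: list, mitigated_ids: set) -> dict:
    """Apply the gate: any unmitigated CAT I or CAT II finding blocks submission."""
    blocking = [f for f in findings
                if f.category in (1, 2) and f.finding_id not in mitigated_ids]
    return {"pass": not blocking, "blocking": blocking}


if __name__ == "__main__":
    all_findings = parse_nessus(NESSUS_SAMPLE) + parse_ckl(CKL_SAMPLE)
    # Constructed set of finding IDs with an accepted, documented mitigation.
    result = evaluate(all_findings, {"100002"})
    print("PASS" if result["pass"] else "FAIL")
    for f in result["blocking"]:
        print(f"  blocking: {f.source} {f.finding_id} CAT {f.category} {f.title}")
```

Running it against the constructed samples reports FAIL with the critical Nessus plugin and the open CAT I STIG rule listed; the CAT III item is carried in the findings list but never blocks, which matches the requirement's wording that only CAT I and CAT II findings must be mitigated before prevalidation.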
The bid notice states that failure to meet the requirements may result in termination of the delivery order for cause, in accordance with Federal Acquisition Regulation (FAR) ****(m).