The document serves as a justification for the Food and Drug Administration's (FDA) request for a sole-source contract with Dark Sky Technology, focusing on the acquisition of proprietary data to enhance medical device cybersecurity. Specifically, the FDA's Center for Devices and Radiological Health (CDRH) intends to obtain a subscription for a dataset that aids in the automation of Software Bill of Materials (SBOM) analysis, crucial for identifying and mitigating vulnerabilities in medical devices that utilize software. The contract will allow for ongoing integration of real-time data regarding software vulnerabilities, enabling the CDRH to efficiently assess and address cybersecurity risks associated with medical devices.
The justification outlines the agency's need for unique data that is not available from other sources, demonstrating that Dark Sky Technology possesses specific intellectual property essential for meeting these requirements. The document acknowledges efforts made to solicit competitive offers, but concludes that no suitable alternatives can fulfill the agency's specific needs. Furthermore, it emphasizes the criticality of the requested data in safeguarding public health while adhering to recent legislative mandates on medical device cybersecurity. Ultimately, this acquisition is framed as an urgent necessity to maintain the safety and efficacy of medical devices in a rapidly evolving technological landscape.
The FDA's Center for Devices and Radiological Health (CDRH) has issued a Request for Proposal (RFP) aimed at enhancing the cybersecurity of medical devices, particularly those involving software. The initiative is driven by the need to identify and mitigate vulnerabilities present in software components of these devices, a responsibility underscored by the Food and Drug Omnibus Reform Act of 2022. The objective is to acquire a timely data subscription service for reporting known vulnerabilities, allowing for integration with CDRH's automated Software Bill of Materials analysis solution.
The RFP outlines several tasks for the contractor, including the initial kickoff meeting, dataset tailoring, integration, and automated encryption of data for continuous evaluation of cybersecurity risks. Key deliverables will include a final dataset of known vulnerabilities, delivered daily, and protocols for secure data management. The contract is structured on a firm-fixed-price basis, with a performance period of up to five years, and encourages remote work due to ongoing flexibility post-COVID-19. This project is a crucial step in ensuring the safety and efficacy of medical devices amidst growing cybersecurity concerns.