The Food and Drug Administration's Center for Devices and Radiological Health (CDRH) is seeking a sole-source contract with MedCrypt for a unique data subscription service. This service will provide critical information on known vulnerabilities in software components used in medical devices, assisting in the development of an automated Software Bill of Materials (SBOM) analysis solution. The objective is to create a comprehensive resource that allows for the timely identification and evaluation of vulnerabilities, risks, and exploitations across the product lifecycle. CDRH aims to integrate this data into their existing systems to promote safer medical device usage, in line with new cybersecurity requirements established under the Food and Drug Omnibus Reform Act of 2022. The document emphasizes the singular qualifications of MedCrypt in managing the necessary alias data for effective comparison with vulnerability information, making their service essential for CDRH’s cybersecurity efforts. The acquisition is justified under the FAR due to the lack of available alternatives with the required capabilities. Proper procurement procedures, including market research and cost analysis, are in place to ensure fairness and compliance.
The FDA's Center for Devices and Radiological Health (CDRH) has issued a Request for Proposal (RFP) aimed at enhancing cybersecurity for medical devices. The objective is to develop a process for data analysis regarding known vulnerabilities, risks, and potential exploits in devices utilizing software, hardware, or firmware. To achieve this, the CDRH seeks a data provider who can supply a continuously updated dataset of vulnerabilities, complemented by a comparator file that standardizes software component identifiers for accurate analysis against received Software Bills of Materials (SBOMs).
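The matching process the RFP describes (a continuously updated vulnerability dataset plus a comparator file that maps the many identifiers SBOMs use for one component onto a canonical name) can be illustrated with a small matcher. The following Python is an added example, not code from CDRH, the FDA, or MedCrypt; the alias table, the vulnerability records, the advisory ids and the CycloneDX-like SBOM are all constructed placeholders, and the half-open version-range convention is an assumption of this example rather than a format the RFP specifies.

```python
"""Illustrative SBOM-vs-vulnerability matcher (added example, not CDRH's
or MedCrypt's code). Every table below is constructed for this example."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed comparator/alias table: the many identifiers SBOMs use for the
# same software component, mapped to one canonical key. In the service the
# RFP describes this is curated alias data; here it is hand-written.
ALIAS_TABLE: Dict[str, str] = {
    "openssl": "pkg:generic/openssl",
    "OpenSSL Project:OpenSSL": "pkg:generic/openssl",
    "cpe:2.3:a:openssl:openssl": "pkg:generic/openssl",
    "zlib": "pkg:generic/zlib",
    "libz": "pkg:generic/zlib",
}

# Constructed vulnerability dataset keyed by canonical component. Ranges are
# half-open: affected if introduced <= version < fixed. Advisory ids are
# placeholders, not real identifiers.
VULN_DATASET: Dict[str, List[dict]] = {
    "pkg:generic/openssl": [
        {"advisory": "ADV-PLACEHOLDER-1", "introduced": "1.1.0", "fixed": "1.1.2"},
    ],
    "pkg:generic/zlib": [
        {"advisory": "ADV-PLACEHOLDER-2", "introduced": "1.2.0", "fixed": "1.2.12"},
    ],
}

# Constructed SBOM in a CycloneDX-like shape: a list of name/version components.
SAMPLE_SBOM: dict = {
    "components": [
        {"name": "OpenSSL Project:OpenSSL", "version": "1.1.1"},
        {"name": "libz", "version": "1.2.13"},
        {"name": "mystery-lib", "version": "0.1"},
    ]
}


def parse_version(text: str) -> Version:
    """Turn a dotted numeric version into a comparable tuple of ints.
    Non-numeric parts are rejected so comparisons never silently mis-order."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(p) for p in parts)


def canonicalize(name: str, aliases: Dict[str, str]) -> Optional[str]:
    """Resolve an SBOM component name through the alias table.
    Exact match first, then a case-insensitive match; None if unknown."""
    if name in aliases:
        return aliases[name]
    lowered = name.lower()
    for alias, canonical in aliases.items():
        if alias.lower() == lowered:
            return canonical
    return None


def is_affected(version: Version, record: dict) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    return parse_version(record["introduced"]) <= version < parse_version(record["fixed"])


def analyze_sbom(sbom: dict, aliases: Dict[str, str],
                 dataset: Dict[str, List[dict]]) -> dict:
    """Match every SBOM component against the dataset via the alias table.

    Returns the matched advisories and, separately, the components the alias
    table could not resolve: those are the gaps a comparator file must close,
    because an unresolved name is an unassessed component, not a clean one."""
    matches: List[dict] = []
    unresolved: List[str] = []
    for component in sbom.get("components", []):
        canonical = canonicalize(component["name"], aliases)
        if canonical is None:
            unresolved.append(component["name"])
            continue
        version = parse_version(component["version"])
        for record in dataset.get(canonical, []):
            if is_affected(version, record):
                matches.append({
                    "component": component["name"],
                    "canonical": canonical,
                    "version": component["version"],
                    "advisory": record["advisory"],
                })
    return {"matches": matches, "unresolved": unresolved}


if __name__ == "__main__":
    report = analyze_sbom(SAMPLE_SBOM, ALIAS_TABLE, VULN_DATASET)
    for m in report["matches"]:
        print(f"AFFECTED  {m['component']} {m['version']} -> {m['advisory']}")
    for name in report["unresolved"]:
        print(f"UNKNOWN   {name} (no alias entry; comparator file needs updating)")
```

The point the example makes is the one the RFP's comparator file exists for: the OpenSSL component only matches because its vendor-style name resolves to the same canonical key the dataset is indexed by, and the component with no alias entry is reported as unresolved rather than quietly passing as unaffected.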
The project involves several tasks, including a kickoff meeting, dataset integration, automated data delivery, and anonymized analysis requests. Deliverables include test and final datasets, encrypted data submissions, and meeting summaries, all to be formatted according to specified standards. The contract type is Firm Fixed Price with a performance period of one year, with the potential for four subsequent option years. Services may be performed off-site or on the FDA premises. The RFP emphasizes the critical need for cybersecurity in medical devices, aligning with recent legislative mandates ensuring the safety and efficacy of healthcare technologies.