
FDA Cybersecurity Risk Management and Compliance Services

DEPARTMENT OF HEALTH AND HUMAN SERVICES SS-75F40126Q00036
Response Deadline: Feb 4, 2026 (deadline passed)
Days Remaining: 0 (closed)
Set-Aside: Full & Open
Notice Type: Sources Sought

Contract Opportunity Analysis

The U.S. Food and Drug Administration (FDA) is seeking qualified small businesses, specifically SBA certified 8(a) vendors, to provide Cybersecurity Risk Management and Compliance Services as part of a market research initiative. The primary objective is to enhance the FDA's cybersecurity posture and ensure compliance with federal mandates, including FISMA and Executive Order 14028, by addressing evolving threats to its extensive IT infrastructure. The scope of services includes security authorization support, policy development, Enterprise Governance Risk and Compliance (eGRC) support, and cybersecurity risk management documentation, with the potential for various task order types such as Firm Fixed Price and Labor Hour. Interested parties must submit their responses by February 4, 2026, at 2:00 PM ET, detailing their qualifications and experience, and can contact Michelle Dacanay at michelle.dacanay@fda.hhs.gov for further information.

Solicitation Documents

2 Files
SS_75F40126Q00036 Attachment Draft SOW.pdf
PDF, 824 KB, Jan 6, 2026
AI Summary
The FDA is seeking cybersecurity risk management services through a Blanket Purchase Agreement (BPA) to enhance its cybersecurity posture and comply with federal mandates. The services will address evolving threats to the FDA's extensive IT infrastructure, which includes 111 FISMA-reportable systems and various cloud environments. Key objectives include improving security controls, strengthening information security against threats, expanding awareness and collaboration, mitigating IT enterprise weaknesses, and developing IT security policies. The scope covers technical and management services, and subscriptions/licenses. Task areas include security authorization support, policy and data call support, Enterprise Governance Risk and Compliance (eGRC) support, cybersecurity risk management documentation, and transition services. The contract type allows for Firm Fixed Price, Labor Hour, or Time and Material task orders. Personnel must be adequately trained and certified, with specific requirements for Program Managers and Technical Writers. The place of performance is primarily the Washington, D.C. metropolitan area, with remote work options available. The contractor must adhere to stringent security and privacy requirements, including safeguarding sensitive information, mandatory training, incident response protocols, and compliance with federal regulations such as FISMA, NIST, and the Privacy Act.
SS_75F40126Q00036 Cybersecurity Compliance.pdf
PDF, 292 KB, Jan 6, 2026
AI Summary
The U.S. Food and Drug Administration (FDA) has issued a Sources Sought Notice (SS-75F40126Q00036) for Cybersecurity Risk Management and Compliance Services. This notice is for market research to identify small businesses, specifically SBA certified 8(a) vendors, under GSA Multiple Award Schedule (MAS) categories 54151S and 54151HACS. The FDA seeks professional services to enhance its cybersecurity posture, aligning with federal mandates like FISMA and EO 14028. The scope includes ongoing security authorization, LMS support, security policy, eGRC support, risk management documentation, and transition services. Responses, due by February 4, 2026, at 2:00 PM ET, should detail contact information, socio-economic status, GSA contract numbers, and experience in security authorizations, FedRAMP, and audit activities.

Project Timeline

Original Solicitation Posted: Jan 6, 2026
Response Deadline: Feb 4, 2026
Archive Date: Feb 19, 2026

Agency Information

Department: DEPARTMENT OF HEALTH AND HUMAN SERVICES
Sub-Tier: FOOD AND DRUG ADMINISTRATION
Office: FDA OFFICE OF ACQ GRANT SVCS

Point of Contact

Name: Michelle Dacanay

Place of Performance

St James, Maryland, UNITED STATES
