Loren Data's SAM Daily™

SAMDAILY.US - ISSUE OF OCTOBER 09, 2022 SAM #7618
SPECIAL NOTICE

R -- CMS' Supply Chain Risk Management (SCRM) Program - Logical Follow-on

Notice Date
10/7/2022 1:28:41 PM
 
Notice Type
Justification
 
NAICS
541614 — Process, Physical Distribution, and Logistics Consulting Services
 
Contracting Office
OFC OF ACQUISITION AND GRANTS MGMT BALTIMORE MD 21244 USA
 
ZIP Code
21244
 
Solicitation Number
RFQ221166
 
Archive Date
11/06/2022
 
Point of Contact
Jennifer Davis, Phone: 4107862460, Deborah S. Lester
 
E-Mail Address
jennifer.davis@cms.hhs.gov, deborah.lester@cms.hhs.gov
 
Award Number
GS-00F-0014X
 
Award Date
09/26/2022
 
Description
This acquisition was conducted under the authority of the Multiple-Award Schedule Program in accordance with FAR 8.405-6(c). Within the Information Security and Privacy Group (ISPG), the Division of Strategic Information (DSI), also referred to as the "Program Executive Office" (PEO), is responsible for the establishment and management of the Centers for Medicare & Medicaid's (aka "CMS" or "agency") Supply Chain Risk Management Program (SCRM). This program was established in 2018 as one of the Chief Operating Officer's (COO) top priorities, further supported by the Executive Orders (14017 & 14028) and federal acts or regulations (Federal Acquisition Supply Chain Security Act (FASCSA) & NIST 800-53, etc.), which mandate that departments establish and maintain a supply chain risk management program for their respective agencies. FASCSA, enacted under 41 U.S.C. 4713, established the Federal Acquisition Security Council (FASC), an executive branch interagency council aimed at addressing and collaborating amongst the senior levels of the Federal Government, to provide direction, policies and recommendations for agencies to establish and manage their supply chains, both the infrastructure and risks, to include providing insights or information to decision makers prior to finalizing an acquisition that would pose a supply chain risk to the agency/entity. CMS's SCRM program would continuously monitor agency acquisitions throughout the contract life-cycle to include enterprise-wide systems, hardware and software packages or development. In addition, SCRM also monitors the professional support services provided to the agency, while identifying risk tolerances through a constructed risk matrix, in order to protect the confidentiality and integrity of CMS information, people and functionalities.
Since being directed through FASCSA and Executive Order (EO) 14017, America's Supply Chains, which states: "The United States needs resilient, diverse, and secure supply chains to ensure our economic prosperity and national security," the Department of Health and Human Services (HHS) Secretary directed CMS to carry forth development and execution of a SCRM program. Since being notified, CMS has contracted for support with the development of a fully robust and scalable SCRM program to meet all of the requirements, to include Cyber Supply Chain Risk Management (C-SCRM), which encompasses cybersecurity, Software Bill of Materials (SBOMs), and application reviews prior to obtaining an Authorization to Operate (ATO) and rolling out the program on a network. To date, the PEO is developing and meeting minimal functionality requirements; however, the foundational building blocks are still evolving. Transitioning to another contractor, and/or severing ties with the current contractor, prior to reaching full program functionality would be destructive to the program's upward trajectory experienced over the past few years.
This program is currently in the middle of a growth sprint that will include enhanced Supplier Risk Assessments (SRAs), improving the tracking of documents for planned acquisitions, and editing/revising the preliminary policies and procedures which discuss the methodology and cadence of ways in which CMS will vet and ensure the oversight and protection of over $500 billion of working capital funds used annually to support the American beneficiary through medical services and support. In addition to the fiscal responsibility SCRM plays within CMS, the agency must also ensure proper protections are taken to secure information that is collected, used and stored, which falls in one, or many, of the categories of: national security, public health, privacy data, Protected Health Information (PHI), Personally Identifiable Information (PII), proprietary data, procurement data, inter-agency data, or privileged system information. This program and the protections provided are enhancements enacted in response to multiple audits, exterior agency findings, and Executive Orders. The incumbent contractor has assisted CMS with the creation of the foundational PEO documentation, policies, practices, and plans to address the mandated initiative through EOs and NIST reports. Additionally, the SCRM program must be able to address the findings uncovered within an OMB audit/inquiry, Office of Chief Financial Officer (OCFO) audit, GAO report addressing the Department's SCRM program, and FISMA audits within HHS and the OPDIVs (which included CMS). The incumbent contractor has also been communicating and building both internal and external relationships with stakeholders on behalf of CMS and the SCRM program for the past 3 years; these relationships and requisite knowledge are not quickly transferred, duplicated, or matured with a new contractor. The 3 years of constant connection, communication and dedication of the incumbent has led CMS to where the program is today.
If this program were to lose the incumbent before the program is at a point of transition, CMS would lose a preponderance of all the institutional knowledge, specific to the documentation, processes, and intrinsic knowledge. In addition, the relationships that have been built in the development/establishment of SCRM within CMS would be difficult to replicate. Without the continued use of the incumbent's expertise, there is a major risk to the integrity of the SCRM program's processes and policies that have been developed; the risk could jeopardize the security and privacy of millions of Medicare or Medicaid beneficiary and Marketplace consumer-level data points, trillions of dollars of appropriated funding, as well as open the agency up to a potential external threat that goes undetected. To minimize these identified risks, the incumbent contractor needs to continue working with the program office for the next year, at which point the PEO is expected to have reached a point where a contract transition would not degrade the performance of the program and would be ready to be transitioned to a contractor for ongoing maintenance. It is the full intent of DSI/ISPG that the SCRM program rapidly develops over the next year, to a point that consideration of competing the maintenance/ancillary analytical support, which will be required for the foreseeable future, would be an option. The program, while still in an infancy stage, should be able to assume greater tasks and capabilities over the next year, allowing CMS to confidently say the program has reached initial operational capability. The period of performance for services will be September 26, 2022 – September 25, 2023.
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/bdc06dd1589b4cffb9fb902ebe177f85/view)
 
Place of Performance
Address: Baltimore, MD, USA
Country: USA
 
Record
SN06489446-F 20221009/221007230113 (samdaily.us)
 