FDA to award CDRH SBOM Validation and Reporting contract to PFS

Notice ID: FDA_252025
DEPARTMENT OF HEALTH AND HUMAN SERVICES, FOOD AND DRUG ADMINISTRATION

Original Set Aside: Service-Disabled Veteran-Owned Small Business (SDVOSB) Sole Source

This notice is not a request for competitive proposals. However, any party that believes it can meet this requirement as stated herein may submit a written capability statement that clearly supports and demonstrates their ability to perform the requirement.

Capability statements must be received by the response date and time of this notice. Submissions will be reviewed to determine if they can meet the requirement. A determination by the Government to compete this proposed contract based upon responses to this notice is solely within the discretion of the Government.

It is anticipated that an award will be issued to Prometheus Federal Services LLC within approximately ten (10) days after the date of this notice unless the Government determines that any other organization has the capability to meet this requirement.

Response Date: May 9, 2025, by 3:00 PM EST. Please email responses to Hilda Aryeh – hilda.aryeh@fda.hhs.gov.

BACKGROUND
The Food and Drug Administration (FDA) is responsible for protecting the public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, our nation’s food supply, cosmetics, and products that emit radiation. The FDA is also responsible for advancing the public health by helping to speed innovations that make medicines and foods more effective, safer, and more affordable, and helping the public get the accurate, science-based information they need to use medicines and foods to improve their health.

The mission of the Center for Devices and Radiological Health (CDRH) is to protect and promote the public health. CDRH assures that patients and providers have timely and continued access to safe, effective, and high-quality medical devices and safe radiation-emitting products. We provide consumers, patients, their caregivers, and providers with understandable and accessible science-based information about the products we oversee. We facilitate medical device innovation by advancing regulatory science, providing industry with predictable, consistent, transparent, and efficient regulatory pathways, and assuring consumer confidence in devices marketed in the U.S.

Section 3305 of the Food and Drug Omnibus Reform Act of 2022 (“FDORA”), enacted on December 29, 2022, added section 524B “Ensuring Cybersecurity of Medical Devices” to the Federal Food, Drug, and Cosmetic Act (FD&C Act). Under section 524B(a) of the FD&C Act, a person who submits a 510(k), PMA, PDP, De Novo, or HDE for a device that meets the definition of a cyber device, as defined under section 524B(c) of the FD&C Act, is required to submit information to ensure that cyber devices meet the cybersecurity requirements under section 524B(b) of the FD&C Act, and to submit an associated Software Bill of Materials (SBOM) under section 524B(c) of the FD&C Act. For devices that are not cyber devices but that nonetheless may be exposed to cyber risk, FDA recommends that SBOMs be included as part of their premarket submissions to help demonstrate a reasonable assurance of safety and effectiveness. An SBOM is a nested inventory that lists all of the software components (components, packages and libraries) that are part of a medical device (when applicable).

SBOMs are typically provided in a machine-readable format, and will be part of premarket submissions (510(k), premarket approval application (PMA), Product Development Protocol (PDP), De Novo, and Humanitarian Device Exemption (HDE)) for review. It will be imperative for the reviewers to have a way to easily determine if the software components associated with the device present risks that could impact the device’s safety, effectiveness, or cybersecurity, including whether the components have any known vulnerabilities.

Known vulnerabilities, risks, and exploitations are different than more typical anomalies or defects in devices in that they are largely unseen, and they can “appear” at any point in time based on the technology that is being used, including technology that may be added as the device is modified or maintained. The product can work perfectly throughout clinical trials and thereafter, but then tremendous adverse effects can be introduced with the exploitation of a single vulnerability all at once. This could potentially impact all users of the device at once and cause multitudes of adverse events in a very short period of time.

OBJECTIVE
The Medical Device Cybersecurity Team (Cybersecurity Team) within the Food and Drug Administration’s (FDA) Center for Devices and Radiological Health (CDRH) is seeking a contractor to develop (and/or provide) and maintain a process which supports data analysis and reporting, and provide detailed cybersecurity vulnerability, risk, and exploitation information to inform reviewers and the Cybersecurity team of potential issues within devices that contain or otherwise leverage software, hardware, or firmware.

SCOPE
This project will augment and maintain a process and reporting product within the FDA CDRH system that is used by reviewers of devices that contain or leverage software, as well as other staff members. It will integrate and work with externally acquired data assets and provide informative and easy to understand reports that detail any and all concerning factors with individual software components and packages underlying the medical device.

This system is provisioned to ingest data from outside sources as well as the SBOM itself, load said data to a common, yet protected, datastore, and create comparisons between the two. In addition to this, the system also generates reports for reviewers and staff that are clear, yet comprehensive, to help facilitate the review process as well as post-market surveillance. These reports will need to be maintained, augmented and potentially added to.

Data on known vulnerabilities, risks, and exploitations are available through multiple sources, and are updated on a timely basis (typically daily) with the latest issues and concerns that have been identified. These data are integrated into the solution, allowing for the ability to consider risks across the total product lifecycle, and will need to be maintained and augmented as needed.

The work required can be broken down into the following components:

  • Vulnerability data ingestion and harmonization

  • SBOM data ingestion

  • SBOM and vulnerability data comparisons

  • Report generation

  • Operations and Maintenance of the System:

  • Troubleshoot issue reports;

    • Remediate bugs;

    • Routine updates and minor enhancements.
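The four technical components above (vulnerability ingestion and harmonization, SBOM ingestion, comparison, report generation) fit together as shown in this added example, which is not part of the notice and not the contractor's solution. It assumes a CycloneDX-style JSON SBOM and a constructed vulnerability feed whose identifiers are placeholders, not real CVEs.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (not from any real submission).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "OpenSSL", "version": "1.1.1k", "type": "library"},
        {"name": "zlib", "version": "1.2.11", "type": "library"},
        {"name": "sqlite", "version": "3.39.0", "type": "library"},
    ],
})

# Constructed vulnerability feed; IDs are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "VULN-EXAMPLE-1", "product": "openssl", "introduced": "1.1.1",
     "fixed": "1.1.1l", "severity": "HIGH", "exploited": True},
    {"id": "VULN-EXAMPLE-2", "product": "zlib", "introduced": "1.2.0",
     "fixed": "1.2.12", "severity": "MEDIUM", "exploited": False},
    {"id": "VULN-EXAMPLE-3", "product": "sqlite", "introduced": "3.40.0",
     "fixed": "3.40.1", "severity": "LOW", "exploited": False},
]

def version_key(v):
    """Split '1.1.1k' into comparable parts; ints sort before letter suffixes."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-zA-Z]+", v))

def harmonize(name):
    """Normalize product names so feed and SBOM spellings match (OpenSSL vs openssl)."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def load_sbom(sbom_json):
    """SBOM ingestion: return (harmonized name, version, display name) per component."""
    bom = json.loads(sbom_json)
    return [(harmonize(c["name"]), c["version"], c["name"]) for c in bom.get("components", [])]

def match(components, feed):
    """Comparison: a component is affected if introduced <= version < fixed."""
    findings = []
    for key, version, display in components:
        vk = version_key(version)
        for v in feed:
            if harmonize(v["product"]) == key and version_key(v["introduced"]) <= vk < version_key(v["fixed"]):
                findings.append({"component": display, "version": version, "id": v["id"],
                                 "severity": v["severity"], "exploited": v["exploited"], "fixed_in": v["fixed"]})
    return findings

def report(findings):
    """Report generation: known-exploited issues first, then by severity."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    lines = []
    for f in sorted(findings, key=lambda f: (not f["exploited"], order[f["severity"]])):
        flag = " [KNOWN EXPLOITED]" if f["exploited"] else ""
        lines.append(f"{f['severity']:<8} {f['component']} {f['version']} -> {f['id']} (fixed in {f['fixed_in']}){flag}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(match(load_sbom(SBOM_JSON), VULN_FEED)))
```

The sqlite entry is deliberately below the feed's introduced version, so the report shows only the two affected components; a real deployment would refresh the feed daily as the notice describes.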

This requirement is expected to be a Firm Fixed Price contract.

PERIOD OF PERFORMANCE
The period of performance for this order is a 5-month base period and two 12-month option periods. The anticipated dates of performance are:

  • Base Period: 09/01/2025 – 02/24/2026

  • Option Period: 02/24/2026 – 02/23/2027

  • Option Period: 02/24/2027 – 02/23/2028
