The Cybersecurity Risk Management Program is an integrated organization-wide cyber security risk management (CSRM) program to allow line leaders through senior executives to prioritize risk and make solid risk-based decisions.
This task order will provide the Government with continued subject matter expertise to mature and maintain the cybersecurity risk management program to enable line leaders through senior executives to prioritize risk and make solid risk-based decisions in accordance with NIST guidance to meet FISMA and Executive Order 13800 requirements.
Awardee Name: DELOITTE CONSULTING LLP
Unique Entity ID: CKV2L9GZKJK3
Total Contract Value: $611,391.25
Action Obligation: $611,391.25
Department Name: SOCIAL SECURITY ADMINISTRATION
Funding Office: SSA OFC OF ACQUISITION GRANTS
Number of Bidders: 1
Award ID: 28321325FDX030061
Referenced IDV ID: 47QRAA18D001P
Contract Vehicle: GSA MAS
RFP ID: 28321325Q00000120
Major Program Supported: CYBER SECURITY RISK MANAGEMENT (CSRM) PROGRAM
NAICS: 541611
Award Type: Delivery Order
Start Date: 2025-02-14
Ultimate Completion Date: 2026-02-14
Background
We seek approval of a LSJ to issue a 12-month logical follow-on task order to the following mission-critical cybersecurity risk management program services call order:
Call Order 28321323FA0010092 – Integrated organization-wide cyber security risk management (CSRM) program to allow line leaders through senior executives to prioritize risk and make solid risk-based decisions.
This call order was issued under SAAS Blanket Purchase Agreement number 28321319A0040007 with Deloitte Consulting LLP, which has since expired, for a period of performance from 02/15/2023 through 02/14/2025. We seek approval of a 12-month follow-on task order under Deloitte Consulting’s GSA schedule.
The cybersecurity risk management process is guided by the Federal Information Security Modernization Act (FISMA) of 2014, which along with Executive Order 13800, empowers the Commissioner with the authority and accountability for information security and cyber risk management.
Our integrated organization-wide cyber security risk management (CSRM) program enables line leaders through senior executives to prioritize risk and make solid risk-based decisions. The agency continues to build upon its current foundational CSRM program toward FISMA Level 4 maturity. In FY23 and FY24 the SSA Inspector General (IG) audited SSA and concluded that SSA’s cyber security risk management strategy was insufficient. Additionally, we determined that the scope and maturity of the existing strategy need further development to manage cyber risks comprehensively, prioritize them, and enable informed risk-based decisions at the enterprise level.
An effective CSRM Project Management Office (PMO) function is crucial to SSA’s success in managing its cyber security risk. Cybersecurity risk is spread throughout the agency and is not based solely on system assessments. Unlike point-in-time assessments, cybersecurity threats are constantly changing, and new threat actors appear on a regular basis. Organization-level and mission/business-level cyber risks must also be considered and, along with system-level risks, integrated with the Agency’s Enterprise Risk Management Program.
Cybersecurity risk management is necessary because the alternative is crisis management. Cyber risk data will be better utilized to allocate resources and budget appropriately across a portfolio of cybersecurity risks to the Agency.
At the current time, OIS relies on the contracted assessor expertise to provide expert guidance and execution of a FISMA Level 4 maturity CSRM Program. Under the current call order, the contractor must provide industry knowledge not currently available with the SSA federal workforce.
OIS and OAG are currently working to award new BPAs following multiple award schedule competitive procedures, which will result in competitive call order awards moving forward.