Notice ID: DOIDFBO240050
Solicitation #: 140D0424Q0778
The Department of the Interior (DOI), Interior Business Center (IBC), Acquisition Services Directorate (AQD), Division II, Branch II, in support of a requirement for the Health Resources and Services Administration (HRSA), an operating division within the Department of Health and Human Services (HHS).
This Limited-Sources Justification (LSJ) is for a follow-on requirement to award a firm fixed-price (FFP) limited-source task order (TO) to Deloitte & Touche Limited Liability Partnership (LLP) under its General Services Administration (GSA) Schedule GS-00F029DA to provide Information Technology (IT) Support Services.
a. This requirement is for IT services to develop a Zero Trust program governance, data governance, policy framework and compliance support to implement Zero Trust IT cybersecurity requirements required by Executive Order (EO) 14028 to improve the nation’s cybersecurity. In response to EO 14028, issued in May 2021, the Cybersecurity and Infrastructure Security Agency (CISA) established the Zero Trust Maturity Model (ZTMM), a roadmap that agencies can reference as they transition towards Zero Trust Architecture (ZTA). The ZTMM represents a gradient of implementation across five distinct pillars, in which advancements can be made over time toward optimization. The pillars include Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar includes general details regarding the following cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance. Governance is associated with the enforcement of an agency’s cybersecurity policies, procedures, and processes, within and across pillars, to manage an agency’s enterprise and mitigate security risks in support of Zero Trust principles and fulfillment of the Federal EO 14028 requirement. The Contractor must perform the following overall tasks (see Statement of Work for more details/requirements applicable to these tasks):
i. Contract Management
ii. Project/Program Management and Implementation
iii. Logistic Services for Office of Planning, Analysis and Evaluation
iv. Development of a HRSA Data Governance Policy Guidance Document
v. HRSA Compliance with Zero Trust Policy Pillar Mandates
vi. Assist with the establishment of Cross-HRSA Standards/Language for Data Use Agreements
vii. Creation of a Standardized HRSA Data Dictionary
viii. Development and Implementation of an Action Plan for Data Quality Improvement Processes at HRSA.
ix. Usage of the Developed Action Plan for Data Quality Improvement Processes at HRSA to Implement Data Quality Enhancements.
x. Assist with the establishment of a Zero Trust Program Office
b. The Independent Government Estimate is for a two-year period of performance (POP). The two-year POP will be fully funded with no-year funds.
In September 2022, a TO (75R60222F80155) was awarded to Deloitte & Touche LLP and issued under its GSA Schedule GS-00F-029DA to provide IT support services to the HRSA to perform a ZTRA, evaluate existing capabilities, perform gap analysis, develop a roadmap to include potential product needs, policy/standard operating procedures (SOP), and a migration plan needed to transition to a compliant ZTA. This current requirement is needed to perform the follow-on work to develop data governance and policy needed to execute the migration plan that was developed under the previous GSA TO for the transition and implementation of ZTA.
HRSA also shares IT infrastructure with the National Institutes of Health (NIH) that is managed by the NIH Center for Information Technology (CIT), thus NIH CIT acts as an NIH and HRSA service provider. Both agencies share a common environment in the form of a single Microsoft 365 tenant and Active Directory (AD) forest holding both NIH and HRSA accounts, data, credential and device management. The desired outcome of the Zero Trust assessment and follow-on activities cannot be achieved without the extensive and deep knowledge of how those configurations and network operations are managed and maintained today in the environment operated by NIH. Given the closely coupled global configurations of the HRSA and NIH Microsoft 365 environment, alignment with a ZTA for HRSA is highly dependent upon the direct involvement of NIH and one of their current contractors (Deloitte), tools and platform ecosystem. NIH currently has a contract with Deloitte to perform AD re-architecture and the knowledge gained from performing this work will drive some of the data policies and framework needed for this requirement. Consequently, the work for this current requirement is not only follow-on work from the previous TO but is also highly dependent and integrated with work that Deloitte is currently performing under the separate contract.
The previous GSA TO period of performance was from 9/30/2022 to 5/29/2023; thus Deloitte has already spent several months performing the requisite ZTA gap analysis and has developed a migration plan for HRSA. Deloitte’s previous migration plan, developed using the CISA ZTMM together with its existing in-depth knowledge of and technical expertise in the HRSA/NIH shared IT infrastructure, will ensure the development of effective cybersecurity data governance, policy, procedures and processes for the successful implementation of the highest level of protection for HRSA’s data assets.
Having another Contractor perform the new work is anticipated to double the cost, since the new Contractor will need to devote time and effort to acquiring the IT infrastructure knowledge and expertise of the intricate NIH and HRSA shared IT environment. Time and effort will also need to be spent on assessing, analyzing and understanding the work and migration plan that was previously developed by Deloitte. Additional costs are further anticipated as a new Contractor will also need to spend time working in close collaboration and constant communication with Deloitte, NIH and HRSA on the IT infrastructure nuances arising from the on-going work under the separate contract. Having a new Contractor will also result in the management of a multivendor IT ecosystem, which will cost HRSA and NIH more in Government time spent.
The previous work and on-going work performed by Deloitte will provide them with even greater technical experience and deep understanding of HRSA and NIH shared IT infrastructure which is crucial for effectively designing governance and compliance policies, procedures, and controls under this requirement to ensure IT infrastructure meets ZTA. If this justification is not approved, HRSA and NIH may run the risk of having inefficient data policies, security measures and protocols and fail to meet Zero Trust capabilities. This in turn will leave IT infrastructure vulnerable to unauthorized system access, cyber threats, and data breaches resulting in costly system downtime.
Based on the above facts, it is logical and reasonable to have Deloitte perform the subsequent/follow-on new work as it will minimize cost, maximize productivity, and increase efficiency that will ensure the development of effective data policy and governance for a successful Zero Trust transition and implementation.
It is also in the best interest of the Government for Deloitte to develop Zero Trust data governance, policies and procedures based on the gap analysis report and migration plan that it developed on the previous TO. Doing so will make Deloitte fully responsible for delivering a data governance policy and procedures that are consistent and practical with the previously developed Zero Trust gap analysis and migration plan. Having Deloitte perform the work on the previous project and the follow-on project will make it overall responsible and accountable for the operations and maintenance phase of this entire project.
Since the issuance of the EO in May 2021, HRSA has made it a priority to fully comply with ZTA. It is crucial for this requirement to be initiated as soon as possible and for it to follow on from the previous work, to ensure the new work is efficiently and effectively completed within a two-year POP and simultaneously with the on-going work integrated with this requirement. The IT environment is constantly and rapidly evolving, and even minor delays can compromise IT security.
Additionally, the Zero Trust program governance, data governance, policy framework and compliance support that will be provided through this requirement will also benefit both HRSA and NIH due to their shared IT infrastructure. NIH has approximately 25 Institutes and Centers that will benefit from the services of this requirement.
There are no subsequent acquisitions anticipated for this requirement since the intent of this requirement is to provide HRSA with an enterprise-level data governance policy and procedures that the organization and its IT system owners can follow to fully transition and implement ZTA capabilities and remain compliant with Zero Trust program requirements.