Every acquisition program should include language in its Request for Proposal (RFP) that addresses Cybersecurity requirements for a contractor. These requirements, and what is expected of offerors in terms of compliance and performance, should be clearly and unambiguously articulated to potential offerors. Below is a sample/explanation of Cybersecurity RFP content that was obtained from the Defense Acquisition Guidebook (DAG).
Main Request for Proposal (RFP) Sections
Statement of Objective (SOO)
The SOO is where specific Cybersecurity requirements, functions, and tasks should be communicated to the offerors. This may include identification of Cybersecurity roles to be performed, specific IA controls to be satisfied, and specific IA performance criteria (e.g., availability requirements). This section must clearly communicate what needs to be done with regard to Cybersecurity.
Contract Data Requirements List (CDRL)
In this section, identify any Cybersecurity-related data products that the potential contractor must produce. This may include reports, Cybersecurity artifacts, or other Cybersecurity documentation.
Section M: Evaluation Factors for Award
This section contains the evaluation factors and significant sub-factors by which offers will be evaluated and the relative importance that the Government places on these evaluation factors and sub-factors. Cybersecurity is just one of numerous factors that may be assessed for the purposes of making a contract award decision. It may be a major contributing factor in a best value determination, or it may be a minimum qualification for an award based primarily on cost or price.
The extent to which Cybersecurity considerations impact the award factors is a direct function of how clearly the potential loss or damage that a Cybersecurity failure could inflict on a system, organization, or mission capability is communicated and understood. For this reason, a Cybersecurity professional should be tasked to assess the Cybersecurity requirements and risks and to advise the contracting officer accordingly. As appropriate, a Cybersecurity professional should develop Cybersecurity-related evaluation factors and participate in the negotiation of the relative weightings of these factors. Correspondingly, a Cybersecurity professional should also be part of the source selection evaluation board to ensure that the Cybersecurity aspects of offerors' proposals are assessed for technical and functional appropriateness, adequacy, and compliance with requirements.
Section H: Special Contract Requirements (Sample Language) [1]
It is DoD policy that Cybersecurity requirements shall be identified and included in the design, acquisition, installation, operation, upgrade or replacement of all DoD information systems. This includes systems and processes developed within the Defense Acquisition System; systems and processes developed at private expense; outsourced business processes supported by private sector information systems; and outsourced information technologies. Information technology services provided under this contract must comply with statutory and regulatory Cybersecurity policy. (See Cybersecurity Policy Requirements below)
Each proposal, or proposed task order under this contract, will be screened for compliance with applicable Cybersecurity statutes, policies, and procedures. Specific requirements will be stated in the performance work statement/statement of objectives.
This special contract provision shall be updated by reference for any changes to source documents. Any new laws or policies applicable to Cybersecurity subsequent to issuance of this contract will be incorporated into the basic contract unilaterally without equitable adjustment to the basic contract. Any equitable adjustment shall be assessed by individual task orders that may be affected by the change as applicable.
Cybersecurity Policy Requirements
The cybersecurity service contractor will, or may, have to comply with the following main DoD Cybersecurity policies. A complete list can be found in the Defense Acquisition Guidebook: [1]
- Title 40/Clinger-Cohen Act
- DoD Instruction 8500.01 Cybersecurity – 14 Mar 2014
- DoD Directive 8570.1 “Information Assurance Training, Certification, and Workforce Management” – 23 April 2007
- DoD Instruction 8580.1 “Information Assurance in the Defense Acquisition System”
- DoD Instruction 8510.01 Risk Management Framework (RMF) for DoD Information Technology (IT) – 12 Mar 2014
- CJCS Instruction 6510.01E “Information Assurance (IA) and Computer Network Defense (CND)”
- CJCS Instruction 6212.01 “Interoperability and Supportability of IT and National Security Systems”
AcqLinks and References:
Updated: 7/23/2021