Risk Management Framework (RMF) Services
Government agencies must manage their cybersecurity dynamically at the enterprise level. The Risk Management Framework (RMF) replaces the outdated Certification and Accreditation (C&A) process.
NIST developed the RMF and describes it as a mandated element of FISMA compliance (see the references below). GSA provides RMF services through Blanket Purchase Agreements (BPAs) with pre-competed pricing.
Ceiling: $58 million
Period of performance: June 10, 2011 to June 9, 2014
Solicitation number: eBuy RFQ #465145 (QTA-0-10-FK-B-0001)
Aligned with federal cybersecurity guidance and commercial best practices
The RMF BPA is aligned with Federal Information Security Management Act (FISMA) requirements, Office of Management and Budget (OMB) guidance, and the DHS National Infrastructure Protection Plan. Learn more on the National Institute of Standards and Technology (NIST) website.
Available to all government customers
Federal, state, local, and tribal government organizations can use the RMF BPA.
The RMF BPA features lower prices than you can find on IT Schedule 70.
How to order
1. Determine that your work is in scope
Review the BPA modification in the Risk Management Framework Ordering Guide (Word, 1340KB, Rev. 12/2012) for the full scope of the BPA. During this phase, you must also determine the complexity of your current systems.
Use the RMF Service Request Package (Excel, 39KB). This Excel workbook walks you tab by tab through using the RMF BPA and ensures that you don't miss any critical steps.
Use the Table of Security Deliverables and References (Word, 780KB) to identify which CLIN(s) to include on your solicitation.
2. Prepare the statement of work (SOW)
Draft your requirements in accordance with your system assessment. Use the ordering procedures in FAR 8.405-2 for a list of what you must include.
3. Prepare the request for quotations (RFQ)
Follow your agency’s procedures for preparing an RFQ and follow any internal policies for acquiring IT services. Develop and state your evaluation criteria.
All orders must be fixed-price.
4. Issue the request for quotations (RFQ)
Below $3,000. If your order is below the micro-purchase threshold, you may place orders with any BPA holder who can meet your needs. You should try to distribute orders among the BPA holders.
Between $3,000 and $150,000. If your order is between the micro-purchase threshold and the simplified acquisition threshold, provide the RFQ to at least three BPA holders according to FAR 8.405-2. (If you don't, you must document the exception according to FAR 8.405-6.)
Above $150,000. If your order is more than the simplified acquisition threshold, provide the RFQ to all BPA holders who meet your requirements. You must also seek a price reduction.
5. Evaluate responses
Evaluate all responses received using the evaluation criteria you specified in the RFQ. See FAR 8.405-2(d) for more guidance. Select the BPA holder who represents the best value.
6. Award the task order
Award the task order and document who you awarded it to, what was purchased, and the pricing. Include the BPA number, BPA holder's name, and Schedule contract number on all orders.
View the websites below for the 14 RMF BPA awardees. More information about each awardee, including points of contact, is available in the Risk Management Framework Ordering Guide (Word, 1340KB, Rev. 12/2012). These links go to nongovernment websites.
- Apptis, Inc.
- Booz Allen Hamilton, Inc.
- Deloitte Consulting, LLP
- DSD Laboratories, Inc.
- G&B Solutions, Inc.
- Global Network Systems, Inc.
- Kadix Systems, LLC
- Knowledge Consulting Group, Inc.
- Securicon LLC
- SecureInfo Corporation
- Tantus Technologies, Inc.
- Telos Corporation
- Tetrad Digital Integrity
- Veris Group, LLC
References
- NIST Special Publication 800-37 Revision 1 - Guide for Applying the Risk Management Framework to Federal Information Systems (PDF 250 KB).
- NIST offers online RMF Training.
- DHS Information Systems Security Line of Business (ISSLoB) listing of Risk Management Framework (RMF) Shared Service Centers (SSCs).
- NIST Special Publication 800-53 - Recommended Security Controls for Federal Information Systems and Organizations (PDF 250 KB).