NRC awards $2.1M BPA Call to OASIS SYSTEMS, LLC for cybersecurity services through 2027
Contract Overview
Contract Amount: $2,059,623 ($2.1M)
Contractor: Oasis Systems, LLC
Awarding Agency: Nuclear Regulatory Commission
Start Date: 2025-08-25
End Date: 2027-02-19
Contract Duration: 543 days
Daily Burn Rate: $3.8K/day
Competition Type: FULL AND OPEN COMPETITION
Pricing Type: LABOR HOURS
Sector: IT
Official Description: TO ESTABLISH A NEW BPA CALL FOR THE CYBERSECURITY CONTRACT 31310021A0005. THE NEW BPA CALL WILL INCLUDE THE 2026 ROP CYBERSECURITY INSPECTIONS, THE CREATION OF THE FUNDAMENTALS BOOK, AND COMPLETION OF THE VULNERABILITY MANAGEMENT TASK WITH THE OFFICE
Place of Performance
Location: ROCKVILLE, MONTGOMERY County, MARYLAND, 20852
State: Maryland Government Spending
Plain-Language Summary
Nuclear Regulatory Commission obligated $2.1 million to OASIS SYSTEMS, LLC for work described as: TO ESTABLISH A NEW BPA CALL FOR THE CYBERSECURITY CONTRACT 31310021A0005. THE NEW BPA CALL WILL INCLUDE THE 2026 ROP CYBERSECURITY INSPECTIONS, THE CREATION OF THE FUNDAMENTALS BOOK, AND COMPLETION OF THE VULNERABILITY MANAGEMENT TASK WITH THE OFFICE Key points: 1. Contract focuses on cybersecurity inspections, fundamentals book creation, and vulnerability management. 2. OASIS SYSTEMS, LLC, a known entity, will perform the services. 3. The contract duration is approximately 1.5 years, ending in February 2027. 4. Services are categorized under 'Other Computer Related Services'. 5. The award was made under a full and open competition. 6. The contract type is labor hours, indicating payment based on effort expended.
Value Assessment
Rating: fair
The total award amount of $2.1 million for a 1.5-year period for cybersecurity services appears to be within a reasonable range for specialized IT support. However, without specific details on the scope of 'cybersecurity inspections,' 'fundamentals book,' and 'vulnerability management task,' a precise value-for-money assessment is challenging. Benchmarking against similar cybersecurity contracts for government agencies of comparable size and complexity would be necessary for a more definitive evaluation of pricing and value.
Cost Per Unit: N/A
Competition Analysis
Competition Level: full-and-open
The contract was awarded under full and open competition, suggesting that multiple vendors had the opportunity to bid. The specific number of bidders is not provided, but this procurement method generally fosters competitive pricing and allows the government to select the best value offer. The open competition indicates a healthy market for these cybersecurity services.
Taxpayer Impact: Taxpayers benefit from a competitive process that is likely to result in more cost-effective service delivery and a wider pool of qualified contractors.
Public Impact
The Nuclear Regulatory Commission (NRC) will benefit from enhanced cybersecurity capabilities. Services include critical cybersecurity inspections and vulnerability management. The creation of a 'fundamentals book' suggests a focus on knowledge transfer and standardization. The contract supports the NRC's mission to ensure the safe use of nuclear materials.
Waste & Efficiency Indicators
Waste Risk Score: 50 / 10
Warning Flags
- Lack of detailed performance metrics for cybersecurity inspections.
- Potential for scope creep in 'vulnerability management task' without clear deliverables.
- Limited insight into the specific expertise of OASIS SYSTEMS, LLC in these niche cybersecurity areas.
Positive Signals
- Awarded under full and open competition, indicating market availability and potential for competitive pricing.
- Clear contract end date provides budget certainty.
- Focus on cybersecurity aligns with critical government infrastructure protection needs.
Sector Analysis
This contract falls within the broader Information Technology and Professional Services sector, specifically focusing on specialized cybersecurity services. The market for cybersecurity is robust and growing, driven by increasing threats to government and private sector data. The NRC's need for these services is consistent with the general trend of federal agencies investing in cyber defense. Comparable spending benchmarks would likely be found within IT services contracts for agencies with similar regulatory or operational oversight responsibilities.
Small Business Impact
The provided data indicates that this contract was not set aside for small businesses (ss: false, sb: false). Therefore, there are no direct subcontracting implications for small businesses stemming from a set-aside requirement. The prime contractor, OASIS SYSTEMS, LLC, may engage small businesses as subcontractors, but this is not mandated by the contract terms presented.
Oversight & Accountability
Oversight of this BPA Call will likely be managed by the Nuclear Regulatory Commission's contracting and program offices. Accountability measures would be tied to the performance standards outlined in the BPA Call and the labor hours expended. Transparency is facilitated by the contract being awarded under full and open competition, with details typically available through federal procurement databases. Inspector General jurisdiction would apply if any fraud, waste, or abuse is suspected.
Related Government Programs
- Cybersecurity Services
- IT Professional Services
- Information Technology Support
- Contracting Vehicles (BPA)
- Nuclear Regulatory Commission IT Spending
Risk Flags
- Potential for undefined scope in vulnerability management.
- Clarity needed on cybersecurity inspection methodologies and reporting.
- Limited public information on contractor's specific cybersecurity expertise.
Tags
it, cybersecurity, nuclear-regulatory-commission, maryland, bpa-call, labor-hours, full-and-open-competition, professional-services, other-computer-related-services, oasissystemsllc
Frequently Asked Questions
What is this federal contract paying for?
Nuclear Regulatory Commission awarded $2.1 million to OASIS SYSTEMS, LLC. TO ESTABLISH A NEW BPA CALL FOR THE CYBERSECURITY CONTRACT 31310021A0005. THE NEW BPA CALL WILL INCLUDE THE 2026 ROP CYBERSECURITY INSPECTIONS, THE CREATION OF THE FUNDAMENTALS BOOK, AND COMPLETION OF THE VULNERABILITY MANAGEMENT TASK WITH THE OFFICE
Who is the contractor on this award?
The obligated recipient is OASIS SYSTEMS, LLC.
Which agency awarded this contract?
Awarding agency: Nuclear Regulatory Commission (Nuclear Regulatory Commission).
What is the total obligated amount?
The obligated amount is $2.1 million.
What is the period of performance?
Start: 2025-08-25. End: 2027-02-19.
What is the specific track record of OASIS SYSTEMS, LLC in performing cybersecurity inspections and vulnerability management for federal agencies?
Information regarding OASIS SYSTEMS, LLC's specific track record in performing cybersecurity inspections and vulnerability management for federal agencies is not detailed in the provided data. A thorough review would require examining past performance evaluations (e.g., CPARS reports), contract history, and any publicly available case studies or testimonials. Understanding their experience with similar government cybersecurity requirements, particularly within the regulatory domain of the Nuclear Regulatory Commission, would be crucial for assessing their capability and reliability in fulfilling this BPA Call. Without this specific performance data, the assessment remains general.
How does the $2.1 million award compare to similar cybersecurity contracts awarded by the NRC or other federal agencies for comparable services?
A direct comparison of the $2.1 million award for this BPA Call to similar cybersecurity contracts requires access to a broader dataset of federal procurements. Factors such as contract duration (approximately 1.5 years), scope of services (inspections, fundamentals book, vulnerability management), and the specific agency (NRC) are key variables. Generally, cybersecurity services for federal agencies can range significantly in cost depending on complexity and scale. A preliminary assessment suggests the amount is moderate for specialized IT services over this timeframe, but a definitive benchmark would necessitate analyzing contracts with similar North American Industry Classification System (NAICS) codes (like 541519) and service descriptions from agencies of comparable size and mission.
What are the primary risks associated with this contract, and what mitigation strategies are in place?
Primary risks associated with this contract include potential underestimation of the effort required for vulnerability management, challenges in defining and measuring the success of 'cybersecurity inspections,' and the possibility of the 'fundamentals book' not meeting the NRC's specific needs. Another risk could be the contractor's ability to adapt to evolving cybersecurity threats within the contract period. Mitigation strategies are likely embedded within the BPA Call's performance work statement (PWS), requiring clear deliverables, regular progress reporting, and potentially quality assurance surveillance plans (QASPs). The labor hour contract type allows for flexibility but also necessitates close monitoring of hours expended against progress.
How effective is the 'full and open competition' approach in ensuring the NRC receives optimal value for its cybersecurity investments?
The 'full and open competition' approach is generally considered the most effective method for the government to achieve optimal value in its investments. By allowing all responsible sources to submit offers, it fosters a competitive environment that drives down prices and encourages innovation. For the NRC's cybersecurity needs, this approach likely resulted in multiple qualified vendors vying for the contract, leading to a more competitive bid landscape. This process increases the likelihood that the NRC selected a contractor offering the best balance of technical capability, past performance, and price, thereby maximizing the value of the $2.1 million investment.
What are the historical spending patterns of the NRC on cybersecurity services, and how does this award fit within that trend?
Historical spending patterns of the NRC on cybersecurity services are not provided in the current data. To analyze this, one would need to examine the NRC's budget allocations and contract awards for IT and cybersecurity over several fiscal years. This $2.1 million BPA Call represents a specific investment for a defined period (mid-2025 to early 2027). Understanding if this amount is consistent with, higher than, or lower than previous spending on similar services would provide context. Trends might indicate an increasing focus on cybersecurity, a shift in service providers, or a response to specific security directives or identified vulnerabilities.
What are the specific deliverables and performance metrics associated with the 'cybersecurity inspections' and 'vulnerability management task' under this BPA Call?
The provided data does not specify the exact deliverables or performance metrics for the 'cybersecurity inspections' and 'vulnerability management task.' A comprehensive understanding would require reviewing the full Performance Work Statement (PWS) or Statement of Objectives (SOO) associated with this BPA Call. Typically, cybersecurity inspections might involve detailed assessments against specific frameworks (e.g., NIST), producing reports with findings and recommendations. Vulnerability management tasks usually involve identifying, assessing, prioritizing, and remediating vulnerabilities, often tracked through metrics like the number of vulnerabilities identified, severity levels, and time-to-remediate. The effectiveness of these services hinges on clearly defined and measurable outcomes.
Industry Classification
NAICS: Professional, Scientific, and Technical Services › Computer Systems Design and Related Services › Other Computer Related Services
Product/Service Code: IT AND TELECOM - INFORMATION TECHNOLOGY AND TELECOMMUNICATIONS › IT AND TELECOM - SECURITY AND COMPLIANCE
Competition & Pricing
Extent Competed: FULL AND OPEN COMPETITION
Solicitation Procedures: SUBJECT TO MULTIPLE AWARD FAIR OPPORTUNITY
Pricing Type: LABOR HOURS (Z)
Evaluated Preference: NONE
Contractor Details
Address: 1400 CRYSTAL DR STE 200, ARLINGTON, VA, 22202
Business Categories: Category Business, Limited Liability Corporation, Not Designated a Small Business, Special Designations, U.S.-Owned Business
Financial Breakdown
Contract Ceiling: $3,569,061
Exercised Options: $3,569,061
Current Obligation: $2,059,623
Actual Outlays: $19,926
Contract Characteristics
Commercial Item: COMMERCIAL PRODUCTS/SERVICES PROCEDURES NOT USED
Parent Contract
Parent Award PIID: 31310021A0005
IDV Type: BPA
Timeline
Start Date: 2025-08-25
Current End Date: 2027-02-19
Potential End Date: 2027-02-19 00:00:00
Last Modified: 2026-03-31
More Contracts from Oasis Systems, LLC
- Technical Management & Advisory Services (tmas 2) 96TH CTG — $349.0M (Department of Defense)
- ,Ct::igf Procurement of Engineering, Professional, and Adminisntrative Support Services (epas — $242.0M (Department of Defense)
- Advisory and Assistance Services (A&AS) — $233.5M (Department of Defense)
- Scat 1 Engineering Professional and Administrative Support Services (epass) for AIR Force Life Cycle Management Center Fighters and Advanced Aircraft Directorate F15 Division (aflcmc/Waq) — $223.7M (Department of Defense)
- FOR Acquisition of Engineering, Professional & Administrative Support Services (epass) in Support of HB Directorate — $182.9M (Department of Defense)
Other Nuclear Regulatory Commission Contracts
- (information Technology Infrastructure Support Services (itiss)) — $208.2M (NTT Data Services Federal Government, LLC)
- Infrastructure Services and Support Contract — $157.8M (CACI NSS, LLC)
- Glinda Sncc BPA Call — $128.2M (Teksynap Corporation)
- Information Technology Infrastructure Support Services (itiss) — $100.7M (NTT Data Services Federal Government, LLC)
- Integrated Source Management Portfolio — $82.3M (Leidos, Inc.)