CMS awards $31.5M contract to MITRE for IT security and privacy transformation
Contract Overview
Contract Amount: $31,528,751 ($31.5M)
Contractor: The MITRE Corporation
Awarding Agency: Department of Health and Human Services
Start Date: 2019-09-18
End Date: 2024-09-25
Contract Duration: 1,834 days
Daily Burn Rate: $17.2K/day
Competition Type: FULL AND OPEN COMPETITION
Pricing Type: COST PLUS FIXED FEE
Sector: IT
Official Description: THE CONTRACTOR IS REQUIRED TO PROVIDE IT AND PROFESSIONAL SERVICES TO PROVIDE ISPG SUPPORT TO TRANSFORM THE CMS SECURITY AND PRIVACY POSTURE INCLUDING BOTH COMPLIANCE TO FEDERAL MANDATES AND SITUATIONAL AWARENESS METRICS FROM CONTINUOUS MONITORING AN
Place of Performance
Location: WINDSOR MILL, BALTIMORE County, MARYLAND, 21244
State: Maryland Government Spending
Plain-Language Summary
Department of Health and Human Services obligated $31.5 million to THE MITRE CORPORATION for work described as: THE CONTRACTOR IS REQUIRED TO PROVIDE IT AND PROFESSIONAL SERVICES TO PROVIDE ISPG SUPPORT TO TRANSFORM THE CMS SECURITY AND PRIVACY POSTURE INCLUDING BOTH COMPLIANCE TO FEDERAL MANDATES AND SITUATIONAL AWARENESS METRICS FROM CONTINUOUS MONITORING AN
Key points:
1. Contract focuses on enhancing compliance with federal mandates and improving situational awareness through continuous monitoring.
2. The contractor, MITRE, is a non-profit research and development organization with extensive government contracting experience.
3. The contract type is Cost Plus Fixed Fee, which can incentivize cost control but requires careful oversight.
4. Performance period spans over five years, indicating a long-term need for these critical security services.
5. The contract is a delivery order under a larger indefinite-delivery/indefinite-quantity (IDIQ) vehicle, suggesting potential for future task orders.
6. The scope includes transforming the security and privacy posture of CMS, a significant undertaking for a major health agency.
Value Assessment
Rating: good
The contract value of $31.5 million over five years for comprehensive IT security and privacy services appears reasonable given the scope and the specialized nature of the work. Benchmarking against similar large-scale IT security transformation contracts is challenging without more specific service details, but MITRE's status as a federally funded research and development center (FFRDC) often implies a focus on mission-critical, complex challenges rather than purely commercial service provision. The Cost Plus Fixed Fee (CPFF) structure requires diligent monitoring to ensure costs remain aligned with the fixed fee and the overall value delivered.
Cost Per Unit: N/A
Competition Analysis
Competition Level: full-and-open
This contract was awarded under full and open competition, indicating that multiple qualified vendors had the opportunity to bid. The specific competition dynamics for this delivery order are not detailed, but the fact that it was competed openly suggests a healthy market for these specialized IT security services. The presence of multiple bidders typically leads to better price discovery and potentially more competitive pricing for the government.
Taxpayer Impact: Full and open competition generally benefits taxpayers by ensuring that the government receives the best possible value through a competitive bidding process, driving down costs and encouraging innovation among contractors.
Public Impact
Beneficiaries include Medicare and Medicaid beneficiaries who rely on the secure and private handling of their health information. Services delivered will enhance the security and privacy posture of the Centers for Medicare and Medicaid Services (CMS). The geographic impact is national, as CMS operates nationwide, and its IT systems support all states and territories. Workforce implications include the potential for specialized IT security professionals to be engaged in this critical government function.
Waste & Efficiency Indicators
Waste Risk Score: 50 / 10
Warning Flags
- Cost Plus Fixed Fee contracts require robust oversight to manage costs effectively and ensure the fixed fee remains appropriate.
- The long performance period necessitates ongoing evaluation of contractor performance and alignment with evolving security needs.
- The complexity of transforming a large agency's security posture presents inherent risks that need continuous mitigation.
Positive Signals
- Award to MITRE, a reputable non-profit R&D organization, suggests a focus on technical expertise and mission accomplishment.
- Full and open competition indicates a robust market and potential for competitive pricing.
- The contract addresses critical federal mandates for security and privacy, aligning with national priorities.
Sector Analysis
The IT services sector, particularly within government contracting, is highly competitive and specialized. This contract falls within the broader category of professional, scientific, and technical services, with a specific focus on cybersecurity and IT infrastructure. The market for such services is substantial, driven by increasing cyber threats and stringent federal compliance requirements. Comparable spending benchmarks are difficult to pinpoint without granular detail, but large federal agencies like CMS invest billions annually in IT modernization and security.
Small Business Impact
This contract does not appear to have a small business set-aside component, as it was awarded under full and open competition. However, the prime contractor, The MITRE Corporation, is a non-profit organization that often collaborates with and may subcontract to small businesses for specialized support. The impact on the small business ecosystem would depend on whether MITRE engages small businesses as subcontractors for specific tasks within this contract.
Oversight & Accountability
Oversight for this contract will likely be managed by the contracting officers and program managers within CMS and the Department of Health and Human Services. The Cost Plus Fixed Fee structure necessitates close monitoring of expenditures against the approved cost base and the fixed fee. Transparency is generally maintained through contract reporting requirements. Inspector General jurisdiction would apply to any allegations of fraud, waste, or abuse related to the contract.
Related Government Programs
- CMS IT Modernization
- Federal Cybersecurity Initiatives
- Health Insurance Portability and Accountability Act (HIPAA) Compliance
- Continuous Diagnostics and Mitigation (CDM) Program
- IT Professional Services
Risk Flags
- Potential for cost overruns due to CPFF structure
- Risk of evolving cyber threats outpacing contract scope
- Complexity of integrating new security measures into legacy systems
- Need for sustained high-level contractor performance over five years
Tags
it-services, cybersecurity, health-it, hhs, cms, cost-plus-fixed-fee, full-and-open-competition, delivery-order, maryland, professional-scientific-technical-services, federal-mandates, privacy-protection
Frequently Asked Questions
What is this federal contract paying for?
Department of Health and Human Services awarded $31.5 million to THE MITRE CORPORATION. THE CONTRACTOR IS REQUIRED TO PROVIDE IT AND PROFESSIONAL SERVICES TO PROVIDE ISPG SUPPORT TO TRANSFORM THE CMS SECURITY AND PRIVACY POSTURE INCLUDING BOTH COMPLIANCE TO FEDERAL MANDATES AND SITUATIONAL AWARENESS METRICS FROM CONTINUOUS MONITORING AN
Who is the contractor on this award?
The obligated recipient is THE MITRE CORPORATION.
Which agency awarded this contract?
Awarding agency: Department of Health and Human Services (Centers for Medicare and Medicaid Services).
What is the total obligated amount?
The obligated amount is $31.5 million.
What is the period of performance?
Start: 2019-09-18. End: 2024-09-25.
What is The MITRE Corporation's track record with the federal government, particularly within HHS and CMS?
The MITRE Corporation has a long and extensive history of working with the federal government, operating as a Federally Funded Research and Development Center (FFRDC). They are known for tackling complex national challenges across various domains, including defense, cybersecurity, healthcare, and aviation. Within the Department of Health and Human Services (HHS) and specifically the Centers for Medicare and Medicaid Services (CMS), MITRE has been involved in numerous projects related to health IT, data analytics, cybersecurity, and policy analysis. Their work often involves providing objective research, analysis, and technical guidance to government agencies. This specific contract for IT security and privacy transformation aligns with MITRE's core competencies and their established role in supporting critical government missions. Their non-profit status and FFRDC designation often position them as a trusted advisor for complex, mission-oriented technical challenges.
How does the Cost Plus Fixed Fee (CPFF) contract structure compare to other contract types for similar IT security services?
The Cost Plus Fixed Fee (CPFF) contract structure is one of several options for procuring complex services like IT security transformation. In a CPFF contract, the government reimburses the contractor for all allowable costs incurred, plus a predetermined fixed fee representing profit. This structure can be advantageous when the scope of work is not precisely defined at the outset or is expected to evolve, as it allows for flexibility. However, it places a significant burden on the government to meticulously monitor costs to ensure they are reasonable and allocable. Compared to Firm-Fixed-Price (FFP) contracts, CPFF offers less cost certainty for the government but can encourage contractors to take on riskier, more innovative projects. Compared to Cost-Plus-Incentive-Fee (CPIF) contracts, CPFF does not directly incentivize cost savings beyond the initial agreement on allowable costs and the fixed fee. For IT security, where requirements can change rapidly, CPFF can be suitable, but it demands robust oversight mechanisms to prevent cost overruns and ensure value for money.
What are the primary risks associated with a five-year IT security transformation contract for a large agency like CMS?
A five-year IT security transformation contract for a large agency like CMS carries several inherent risks. Firstly, the rapidly evolving threat landscape in cybersecurity means that the security solutions and strategies implemented early in the contract could become outdated or insufficient by the end of the term. This necessitates built-in flexibility and continuous adaptation, which can be challenging to manage. Secondly, the complexity of integrating new security measures into existing legacy systems within a vast organization like CMS poses significant technical and operational risks, potentially leading to disruptions or unintended vulnerabilities. Thirdly, there's a risk of scope creep, where the initial objectives expand over time, potentially increasing costs and delaying timelines if not managed effectively. Fourthly, maintaining consistent and high-quality performance from the contractor over a long period requires diligent contract management and performance monitoring. Finally, personnel turnover within both the contractor's team and the government oversight team can lead to knowledge gaps and inconsistencies in execution.
How does this contract contribute to CMS's overall mission and the broader goals of federal IT security?
This contract directly supports CMS's core mission of administering the Medicare, Medicaid, and Children's Health Insurance Program (CHIP) by ensuring the security and privacy of sensitive beneficiary data. Protecting this information is paramount to maintaining public trust and ensuring the integrity of these vital healthcare programs. By transforming CMS's security and privacy posture, the contract aims to enhance compliance with federal mandates like HIPAA and FISMA, thereby reducing the risk of data breaches and cyberattacks. On a broader federal level, this initiative contributes to the government's overarching cybersecurity strategy, which prioritizes safeguarding critical infrastructure and sensitive information. Successful implementation will serve as a model for other federal agencies facing similar challenges in modernizing their IT security frameworks and adapting to emerging threats.
What historical spending patterns exist for IT security services at CMS or similar large federal health agencies?
Historical spending on IT security services at CMS and similar large federal health agencies has been substantial and generally increasing year over year. Agencies like CMS manage vast amounts of highly sensitive personal health information (PHI), making robust cybersecurity a non-negotiable priority. Spending typically covers a range of activities, including network security, data encryption, identity and access management, vulnerability assessments, security operations centers (SOCs), incident response, and compliance monitoring. Federal budgets reflect a growing recognition of cyber threats, with significant allocations directed towards modernizing security infrastructure, adopting advanced threat detection technologies, and ensuring compliance with evolving regulations. While specific historical figures for CMS's IT security spending require detailed budget analysis, it is safe to assume it represents a significant portion of their overall IT budget, likely in the tens to hundreds of millions of dollars annually, reflecting the scale of operations and the criticality of data protection.
Industry Classification
NAICS: Professional, Scientific, and Technical Services › Other Professional, Scientific, and Technical Services › All Other Professional, Scientific, and Technical Services
Product/Service Code: SUPPORT SVCS (PROF, ADMIN, MGMT) › PROFESSIONAL SERVICES
Competition & Pricing
Extent Competed: FULL AND OPEN COMPETITION
Solicitation Procedures: NEGOTIATED PROPOSAL/QUOTE
Solicitation ID: HHSM5002017RFP0020
Pricing Type: COST PLUS FIXED FEE (U)
Evaluated Preference: NONE
Contractor Details
Address: 7515 COLSHIRE DR, MC LEAN, VA, 22102
Business Categories: Category Business, Corporate Entity Tax Exempt, Nonprofit Organization, Not Designated a Small Business, Special Designations, U.S.-Owned Business
Financial Breakdown
Contract Ceiling: $31,528,751
Exercised Options: $31,528,751
Current Obligation: $31,528,751
Actual Outlays: $16,233,629
Subaward Activity
Number of Subawards: 3
Total Subaward Amount: $1,066,288
Contract Characteristics
Commercial Item: COMMERCIAL PRODUCTS/SERVICES PROCEDURES NOT USED
Cost or Pricing Data: NO
Parent Contract
Parent Award PIID: 75FCMC18D0047
IDV Type: IDC
Timeline
Start Date: 2019-09-18
Current End Date: 2024-09-25
Potential End Date: 2024-09-25
Last Modified: 2024-04-09
More Contracts from The MITRE Corporation
- Center for Advanced Aviation Development (CAASD) FFRDC MITRE — $1.7B (Department of Transportation)
- FY25 Task Order 7 - to Provide Systems Engineering Research and Development Services for the Department of Defense (DOD) and Other Federal Government Agencies — $753.9M (Department of Defense)
- FY24 Task Order 6 - Initial Funding and Updating PWS & DD254 — $735.3M (Department of Defense)
- CAASD Must Provide Essential Engineering, Research, and Analysis Capabilities to Support the FAA in the Performance of Its Mission Through a Systems Approach That Addresses All Dimensions (e.g., Political, Operational, Economic, Technical) Required to — $700.5M (Department of Transportation)
- Initial Modification on Task Order 5 NSEC, FFRDC to Incrementally Fund, Update PWS & DD254 — $687.3M (Department of Defense)
Other Department of Health and Human Services Contracts
- Contact Center Operations (CCO) — $5.5B (Maximus Federal Services, Inc.)
- TAS::75 0849::TAS Oper of Govt R&D GOCO Facilities — $4.8B (Leidos Biomedical Research Inc)
- The Purpose of This Contract Is to Provide the Full Complement of Services Necessary to Care for UC in ORR Custody Including Facilities Set-Up, Maintenance, and Support Internal and Perimeter (If Applicable) Security, Direct Care and Supervision Inc — $3.5B (Rapid Deployment Inc)
- Contact Center Operations — $2.6B (Maximus Federal Services, Inc.)
- Federal Contract — $2.4B (Leidos Biomedical Research Inc)