CMS awards $16.3M contract for security and privacy officer support to ASSYST INC

Contract Overview

Contract Amount: $16,309,528 ($16.3M)

Contractor: Assyst Inc.

Awarding Agency: Department of Health and Human Services

Start Date: 2024-01-19

End Date: 2027-02-13

Contract Duration: 1,121 days

Daily Burn Rate: $14.5K/day

Competition Type: FULL AND OPEN COMPETITION

Number of Offers Received: 4

Pricing Type: FIRM FIXED PRICE

Sector: Other

Official Description: CMS SECURITY & PRIVACY OFFICER SUPPORT SERVICES (CSPOSS)

Place of Performance

Location: STERLING, LOUDOUN County, VIRGINIA, 20166

State: Virginia Government Spending

Plain-Language Summary

Department of Health and Human Services obligated $16.3 million to ASSYST INC. for work described as: CMS SECURITY & PRIVACY OFFICER SUPPORT SERVICES (CSPOSS) Key points: 1. Contract awarded through full and open competition, suggesting a competitive bidding process. 2. The contract is a delivery order under a larger contract, indicating a phased approach to service delivery. 3. The firm-fixed-price contract type helps manage cost certainty for the government. 4. The duration of the contract is over three years, suggesting a need for sustained support. 5. The North American Industry Classification System (NAICS) code 541519 points to specialized computer-related services. 6. The contract is not set aside for small businesses, implying larger firms were likely participants. 7. The contract is for support services, focusing on the operational needs of the agency.

Value Assessment

Rating: good

The contract value of $16.3 million over approximately three years for security and privacy officer support appears reasonable given the specialized nature of the services. Benchmarking against similar contracts for IT security and privacy support within federal agencies would provide a more precise value-for-money assessment. The firm-fixed-price structure is generally favorable for cost control. However, without specific performance metrics or detailed service breakdowns, a definitive assessment of exceptional value is difficult.

Cost Per Unit: N/A

Competition Analysis

Competition Level: full-and-open

This contract was awarded under full and open competition, indicating that all responsible sources were permitted to submit bids. The presence of four bidders suggests a healthy level of competition for this requirement. A competitive process generally leads to better price discovery and potentially more innovative solutions as contractors vie for the award.

Taxpayer Impact: Full and open competition is beneficial for taxpayers as it drives down prices through market forces and ensures the government receives the best value for its investment.

Public Impact

The Centers for Medicare and Medicaid Services (CMS) will benefit from enhanced security and privacy officer support. Services delivered will likely include policy development, risk management, and compliance monitoring for sensitive health data. The geographic impact is primarily within CMS operations, likely supporting federal employees and contractors. Workforce implications include the potential for specialized IT security and privacy professionals to be engaged through the contractor.

Waste & Efficiency Indicators

Waste Risk Score: 50 / 10

Warning Flags

• Potential for vendor lock-in if services are highly specialized and difficult to transition.
• Reliance on a single contractor for critical security and privacy functions could pose a risk if performance degrades.
• Ensuring continuous alignment with evolving cybersecurity threats and regulatory landscapes requires proactive contract management.

Positive Signals

• Awarded through full and open competition, indicating a competitive market for these services.
• Firm-fixed-price contract type provides cost certainty for the government.
• Longer contract duration allows for stability and continuity in critical security and privacy functions.
• The contractor, ASSYST INC., likely possesses relevant expertise in IT security and privacy support.

Sector Analysis

This contract falls within the broader IT services sector, specifically focusing on cybersecurity and data privacy. The market for these services is substantial and growing, driven by increasing digital transformation and heightened regulatory scrutiny. Comparable spending benchmarks for similar security and privacy support services within federal agencies can vary widely based on scope and duration, but a contract of this value suggests a significant operational requirement.

Small Business Impact

This contract was not awarded as a small business set-aside, and the data does not indicate any specific subcontracting requirements for small businesses. This suggests that the primary awardee is likely a larger entity, and opportunities for small businesses would depend on ASSYST INC.'s subcontracting strategy. Without explicit set-aside provisions, the direct impact on the small business ecosystem for this specific award is likely limited.

Oversight & Accountability

Oversight for this contract would typically be managed by the contracting officer and the program office within CMS responsible for security and privacy. Accountability measures are inherent in the firm-fixed-price contract, requiring the contractor to deliver specified services. Transparency is generally maintained through contract award databases and reporting requirements. Inspector General jurisdiction would apply if any fraud, waste, or abuse is suspected.

Related Government Programs

• CMS IT Modernization
• Federal Cybersecurity Initiatives
• Health Insurance Portability and Accountability Act (HIPAA) Compliance
• Data Privacy Regulations Support

Risk Flags

• Potential for scope creep if requirements are not clearly defined.
• Contractor performance risk.
• Dependency on key personnel.
• Evolving cybersecurity threats and regulatory landscape.

Tags

it-services, cybersecurity, data-privacy, hhs, cms, firm-fixed-price, full-and-open-competition, delivery-order, professional-services, virginia, it-support

Frequently Asked Questions

What is this federal contract paying for?

Department of Health and Human Services awarded $16.3 million to ASSYST INC.. CMS SECURITY & PRIVACY OFFICER SUPPORT SERVICES (CSPOSS)

Who is the contractor on this award?

The obligated recipient is ASSYST INC..

Which agency awarded this contract?

Awarding agency: Department of Health and Human Services (Centers for Medicare and Medicaid Services).

What is the total obligated amount?

The obligated amount is $16.3 million.

What is the period of performance?

Start: 2024-01-19. End: 2027-02-13.

What is the track record of ASSYST INC. in performing similar federal contracts, particularly in cybersecurity and privacy support?

ASSYST INC. has a history of performing federal IT services. A detailed review of their past performance on contracts with agencies like HHS, or specifically CMS, would be necessary to assess their capabilities in security and privacy officer support. This would involve examining past contract performance evaluations (e.g., CPARS), any past performance issues, and the scale and complexity of services previously delivered. Understanding their experience with firm-fixed-price contracts and adherence to delivery schedules is also crucial for evaluating their reliability in fulfilling this new award.

How does the awarded value of $16.3 million compare to the market rates for similar security and privacy officer support services?

Benchmarking the $16.3 million contract value requires comparing it against similar services provided to other federal agencies or large private sector organizations. Factors such as the number of personnel, specific skill sets required (e.g., CISSP, CISM certifications), scope of responsibilities (policy development, incident response, risk assessments), and contract duration (approximately three years) are critical. Without access to detailed service level agreements and market research data used by CMS, a precise comparison is challenging. However, for specialized IT security and privacy roles, this value suggests a significant and ongoing need for expert support.

What are the primary risks associated with this contract, and what mitigation strategies are in place?

Key risks include potential performance deficiencies by the contractor, changes in regulatory requirements impacting the scope of services, and the potential for security breaches if privacy support is inadequate. Mitigation strategies likely involve robust contract surveillance by CMS, clearly defined performance standards and deliverables, regular status meetings, and contingency plans for service disruptions. The firm-fixed-price nature of the contract incentivizes ASSYST INC. to meet performance expectations to ensure profitability. Furthermore, the competitive award process suggests a baseline level of contractor capability.

How effective is the firm-fixed-price contract type in ensuring value for money for these security and privacy support services?

The firm-fixed-price (FFP) contract type is generally considered effective for services where the scope of work is well-defined and unlikely to change significantly. For security and privacy officer support, FFP provides cost certainty to CMS, as the contractor assumes the risk of cost overruns. This structure incentivizes the contractor to perform efficiently and effectively to maximize profit. However, if unforeseen complexities arise or the regulatory landscape shifts dramatically, the FFP structure might limit flexibility, potentially requiring contract modifications. The effectiveness hinges on the initial clarity and completeness of the SOW.

What is the historical spending pattern for security and privacy officer support services at CMS or similar agencies?

Analyzing historical spending patterns for similar services at CMS or comparable agencies (like other HHS divisions or agencies managing large datasets) would provide context for the $16.3 million award. This would involve examining prior contracts for security and privacy support, their values, durations, and the number of bidders. Understanding trends in spending—whether increasing, decreasing, or stable—can indicate the agency's evolving priorities and resource allocation for these critical functions. It also helps in assessing whether this award represents a continuation, expansion, or reduction of previous support levels.

What are the implications of awarding this contract under 'full and open competition' versus a sole-source or limited competition approach?

Awarding under 'full and open competition' implies that CMS actively sought bids from all qualified sources, fostering a competitive environment. This typically leads to better pricing and a wider range of potential solutions compared to sole-source or limited competition. The presence of four bidders suggests that the market has multiple capable providers for these specialized services. This approach maximizes the opportunity for taxpayers to receive the best value and ensures that the chosen contractor is demonstrably the most advantageous based on price and technical merit, rather than being selected due to limited options or specific pre-existing relationships.

Industry Classification

NAICS: Professional, Scientific, and Technical Services › Computer Systems Design and Related Services › Other Computer Related Services

Product/Service Code: IT AND TELECOM - INFORMATION TECHNOLOGY AND TELECOMMUNICATIONS › IT AND TELECOM - SECURITY AND COMPLIANCE

Competition & Pricing

Extent Competed: FULL AND OPEN COMPETITION

Solicitation Procedures: SUBJECT TO MULTIPLE AWARD FAIR OPPORTUNITY

Offers Received: 4

Pricing Type: FIRM FIXED PRICE (J)

Evaluated Preference: NONE

Contractor Details

Address: 22866 SHAW RD, STERLING, VA, 20166

Business Categories: Category Business, Corporate Entity Not Tax Exempt, Minority Owned Business, Small Business, Special Designations, Indian (Subcontinent) American Owned Business, U.S.-Owned Business

Financial Breakdown

Contract Ceiling: $37,044,025

Exercised Options: $16,309,528

Current Obligation: $16,309,528

Actual Outlays: $11,020,165

Contract Characteristics

Commercial Item: COMMERCIAL PRODUCTS/SERVICES

Cost or Pricing Data: NO

Parent Contract

Parent Award PIID: 47QTCA19D00HL

IDV Type: FSS

Timeline

Start Date: 2024-01-19

Current End Date: 2027-02-13

Potential End Date: 2029-02-13 00:00:00

Last Modified: 2026-03-04

More Contracts from Assyst Inc.

• Edgar Systems Engineering Igf::ot::igf for Other Functions — $49.0M (Securities and Exchange Commission)
• Enterprise Cybersecurity Program Support — $32.0M (Department of Health and Human Services)
• Cyber Risk Management (CRM) — $30.1M (Department of Health and Human Services)
• Configuration Management Services — $21.6M (Department of State)
• Enterprise Applications - Assyst, Inc. - Work Order 1-Eeoc - Base Year (date of Award to 12 Months) - Remainder: Pending Availability of Funds — $7.2M (Equal Employment Opportunity Commission)

View all Assyst Inc. federal contracts →

Other Department of Health and Human Services Contracts

• Contact Center Operations (CCO) — $5.5B (Maximus Federal Services, Inc.)
• TAS::75 0849::TAS Oper of Govt R&D Goco Facilities — $4.8B (Leidos Biomedical Research Inc)
• THE Purpose of This Contract IS to Provide the Full Complement of Services Necessary to Care for UC in ORR Custody Including Facilities Set-Up, Maintenance, and Support Internal and Perimeter (IF Applicable) Security, Direct Care and Supervision Inc — $3.5B (Rapid Deployment Inc)
• Contact Center Operations — $2.6B (Maximus Federal Services, Inc.)
• Federal Contract — $2.4B (Leidos Biomedical Research Inc)

View all Department of Health and Human Services contracts →

Explore Related Government Spending