CMS awarded $26.8M to MITRE Corporation for IT security program support, utilizing full and open competition
Contract Overview
Contract Amount: $26,820,954 ($26.8M)
Contractor: The MITRE Corporation
Awarding Agency: Department of Health and Human Services
Start Date: 2013-06-01
End Date: 2018-05-19
Contract Duration: 1,813 days
Daily Burn Rate: $14.8K/day
Competition Type: FULL AND OPEN COMPETITION
Pricing Type: COST PLUS FIXED FEE
Sector: IT
Official Description: IGF::CL::IGF EISG AND CMS BUSINESS UNITS REQUIRE THE ASSISTANCE OF AN FFRDC TO TECHNICALLY DESIGN, STRATEGICALLY ALIGN, AND EFFECTIVELY EXECUTE THEIR INFORMATION SECURITY PROGRAM TO IMPLEMENT, EVALUATE, AND REPORT ON THE USE OF SECURITY CONTROLS TO PROTECT SENSITIVE INFORMATION ACROSS ALL OF CMS'S INFORMATION SYSTEMS.
Place of Performance
Location: WINDSOR MILL, BALTIMORE County, MARYLAND, 21244
State: Maryland
Plain-Language Summary
Department of Health and Human Services obligated $26.8 million to THE MITRE CORPORATION for work described as: IGF::CL::IGF EISG AND CMS BUSINESS UNITS REQUIRE THE ASSISTANCE OF AN FFRDC TO TECHNICALLY DESIGN, STRATEGICALLY ALIGN, AND EFFECTIVELY EXECUTE THEIR INFORMATION SECURITY PROGRAM TO IMPLEMENT, EVALUATE, AND REPORT ON THE USE OF SECURITY CONTROLS TO PROTECT SENSITIVE INFORMATION A…
Key points:
1. The contract focuses on enhancing CMS's information security program through technical design and strategic alignment.
2. MITRE Corporation, an FFRDC, brings specialized expertise in cybersecurity and program execution.
3. The contract's duration of approximately five years suggests a long-term commitment to security infrastructure.
4. Performance is measured by the implementation, evaluation, and reporting of security controls.
5. The use of a Cost Plus Fixed Fee (CPFF) contract type indicates potential for cost overruns if not managed carefully.
6. This award falls under 'All Other Professional, Scientific, and Technical Services', a broad category.
Value Assessment
Rating: good
Benchmarking the value of FFRDC support is complex due to their unique mission-oriented structure. However, the $26.8M award over nearly five years for critical IT security functions appears reasonable given the specialized nature of the work. The CPFF structure requires diligent oversight to ensure costs remain aligned with the fixed fee and project scope. Compared to similar large-scale IT security consulting engagements, this pricing seems within a competitive range for FFRDC services.
Cost Per Unit: N/A
Competition Analysis
Competition Level: full-and-open
This contract was awarded through full and open competition, indicating that multiple qualified vendors had the opportunity to bid. The specific number of bidders is not provided, but the open competition suggests a robust process aimed at securing the best value. This approach generally leads to more competitive pricing and a wider pool of potential solutions.
Taxpayer Impact: Taxpayers benefit from a competitive process that aims to secure the most effective and cost-efficient cybersecurity solutions for CMS.
Public Impact
Beneficiaries include CMS, its IT systems, and ultimately, individuals whose sensitive health information is protected. Services delivered include technical design, strategic alignment, and execution of information security programs. The geographic impact is national, covering all of CMS's information systems. Workforce implications include the engagement of specialized cybersecurity professionals from MITRE.
Waste & Efficiency Indicators
Waste Risk Score: 50 / 10
Warning Flags
- CPFF contract type can lead to cost overruns if not closely monitored.
- Broad service category may obscure specific performance metrics.
- Reliance on a single FFRDC for critical functions could present concentration risk.
Positive Signals
- Award to a Federally Funded Research and Development Center (FFRDC) ensures specialized, objective expertise.
- Full and open competition suggests a thorough vetting process.
- Focus on information security is critical for protecting sensitive health data.
Sector Analysis
The IT security services sector is a rapidly growing and critical area for government operations. This contract falls within the professional, scientific, and technical services category, specifically focusing on cybersecurity. The market for these services is highly competitive, with numerous large and small firms offering specialized solutions. Government spending in this area is substantial, driven by increasing cyber threats and the need to protect sensitive data. This contract represents a significant investment in safeguarding health information systems.
Small Business Impact
This contract was not set aside for small businesses and does not appear to involve significant subcontracting opportunities for small businesses based on the information provided. The award to a large FFRDC like MITRE typically means direct performance by the FFRDC's internal resources rather than extensive subcontracting. This limits direct opportunities for small businesses to participate in this specific contract's execution.
Oversight & Accountability
Oversight is likely managed by the Centers for Medicare and Medicaid Services (CMS) program officials and contracting officers. As an FFRDC, MITRE operates under specific government oversight frameworks. Transparency is facilitated through contract reporting mechanisms, though detailed public access to specific security control implementations may be limited due to the sensitive nature of the work. The Inspector General for the Department of Health and Human Services would have jurisdiction over potential fraud, waste, or abuse.
Related Government Programs
- CMS IT Modernization
- Federal Cybersecurity Initiatives
- Health Information Technology Services
- FFRDC Support Contracts
Risk Flags
- Cost Plus Fixed Fee contract type requires diligent oversight to manage costs.
- Reliance on a single FFRDC for critical security functions may present concentration risk.
- The broad nature of 'All Other Professional, Scientific, and Technical Services' requires clear performance metrics.
Tags
it-security, health-it, cybersecurity, ffrdc, cost-plus-fixed-fee, full-and-open-competition, department-of-health-and-human-services, centers-for-medicare-and-medicaid-services, maryland, professional-scientific-and-technical-services, program-support, information-security
Frequently Asked Questions
What is this federal contract paying for?
Department of Health and Human Services awarded $26.8 million to THE MITRE CORPORATION. IGF::CL::IGF EISG AND CMS BUSINESS UNITS REQUIRE THE ASSISTANCE OF AN FFRDC TO TECHNICALLY DESIGN, STRATEGICALLY ALIGN, AND EFFECTIVELY EXECUTE THEIR INFORMATION SECURITY PROGRAM TO IMPLEMENT, EVALUATE, AND REPORT ON THE USE OF SECURITY CONTROLS TO PROTECT SENSITIVE INFORMATION ACROSS ALL OF CMS'S INFORMATION SYSTEMS.
Who is the contractor on this award?
The obligated recipient is THE MITRE CORPORATION.
Which agency awarded this contract?
Awarding agency: Department of Health and Human Services (Centers for Medicare and Medicaid Services).
What is the total obligated amount?
The obligated amount is $26.8 million.
What is the period of performance?
Start: 2013-06-01. End: 2018-05-19.
What is the track record of The MITRE Corporation in supporting federal agencies with IT security programs?
The MITRE Corporation has a long-standing and well-established track record of supporting federal agencies, including the Department of Health and Human Services (HHS) and its various components like CMS, with complex technical challenges, including IT security. As a Federally Funded Research and Development Center (FFRDC), MITRE is chartered to provide objective, independent research and analysis, and systems engineering and integration support. Their work often involves developing innovative solutions, assessing emerging technologies, and providing strategic guidance on critical national security and public interest issues. For IT security, MITRE is known for its expertise in areas such as cybersecurity strategy, threat modeling, risk management frameworks, and the development of security architectures. Their involvement with CMS specifically aims to enhance the security posture of systems handling sensitive health information, a mission they have undertaken across various government sectors.
How does the value of this contract compare to similar IT security support contracts for federal health agencies?
Comparing the $26.8 million value of this contract to similar IT security support contracts for federal health agencies requires careful consideration of scope, duration, and the specific nature of the support. Contracts for IT security can range widely, from specific vulnerability assessments to comprehensive program management and system development. Given that this contract involves an FFRDC (MITRE Corporation) providing broad technical design, strategic alignment, and execution for CMS's entire information security program over approximately five years, the cost appears to be within a reasonable range for specialized, high-level support. Many large-scale IT security consulting engagements with federal agencies can reach tens or even hundreds of millions of dollars over similar or longer periods, especially when they involve complex system integration or R&D components. The FFRDC designation implies a focus on objective analysis and long-term strategic support rather than just tactical implementation, which can influence pricing.
What are the primary risks associated with this contract, and how are they being mitigated?
Primary risks associated with this contract include potential cost overruns due to the Cost Plus Fixed Fee (CPFF) structure, the complexity of securing large-scale IT systems, and the potential for vendor lock-in or over-reliance on a single FFRDC. Mitigation strategies likely involve robust oversight from CMS contracting officers and program managers to monitor expenditures against the fixed fee and ensure adherence to the scope of work. MITRE's FFRDC status inherently provides a level of objective analysis and mission focus that can mitigate risks related to vendor self-interest. Furthermore, the contract's foundation in full and open competition suggests that the initial selection process aimed to identify a capable and reliable partner. Regular performance reviews and clear deliverables are standard mechanisms to ensure the contractor meets security objectives and manages risks effectively.
How effective is the FFRDC model, like MITRE's involvement, in achieving federal IT security program goals?
The Federally Funded Research and Development Center (FFRDC) model, as utilized with MITRE Corporation for CMS's IT security program, is generally considered highly effective for achieving complex, long-term federal goals. FFRDCs offer unique advantages: they operate under government charter, maintain objectivity, and possess deep technical expertise without direct competition with the private sector. This allows them to tackle challenging, strategic issues like comprehensive IT security program design and alignment. For CMS, MITRE's role as an FFRDC means they can provide unbiased analysis, systems engineering, and strategic recommendations crucial for protecting sensitive health data. Their long-term presence also fosters institutional knowledge and continuity, which are vital for evolving cybersecurity landscapes. While FFRDCs are not typically involved in day-to-day operational execution, their role in strategic planning, technical design, and program evaluation is critical for establishing and maintaining a robust security posture.
What are the historical spending patterns for IT security support at CMS, and how does this contract fit within them?
Historical spending patterns for IT security support at CMS reflect a consistent and growing investment in protecting sensitive health information. As a major federal health agency managing vast amounts of personal health data, CMS has always prioritized cybersecurity. Spending in this area has likely increased over time, mirroring the overall rise in cyber threats and the increasing digitization of healthcare. Contracts for IT security at CMS typically encompass a range of services, including network security, data protection, compliance monitoring, incident response, and strategic planning. This $26.8 million contract with MITRE Corporation, focused on the technical design, strategic alignment, and execution of the overall information security program, represents a significant, strategic investment. It appears to fit within a pattern of dedicated, substantial funding for cybersecurity, likely complementing other contracts focused on specific security technologies, infrastructure, or operational support. The use of an FFRDC suggests a focus on foundational program architecture and long-term strategy rather than just tactical implementation.
Industry Classification
NAICS: Professional, Scientific, and Technical Services › Other Professional, Scientific, and Technical Services › All Other Professional, Scientific, and Technical Services
Product/Service Code: RESEARCH AND DEVELOPMENT › N – Health R&D Services
Competition & Pricing
Extent Competed: FULL AND OPEN COMPETITION
Solicitation Procedures: NEGOTIATED PROPOSAL/QUOTE
Solicitation ID: RFPCMS20110021
Pricing Type: COST PLUS FIXED FEE (U)
Evaluated Preference: NONE
Contractor Details
Address: 7515 COLSHIRE DR, MC LEAN, VA, 22102
Business Categories: Category Business, Corporate Entity Tax Exempt, Nonprofit Organization, Not Designated a Small Business, Special Designations, U.S.-Owned Business
Financial Breakdown
Contract Ceiling: $30,715,388
Exercised Options: $26,820,954
Current Obligation: $26,820,954
Actual Outlays: $74,284
Subaward Activity
Number of Subawards: 6
Total Subaward Amount: $1,007,736
Contract Characteristics
Commercial Item: COMMERCIAL PRODUCTS/SERVICES PROCEDURES NOT USED
Cost or Pricing Data: NO
Parent Contract
Parent Award PIID: HHSM500201200008I
IDV Type: IDC
Timeline
Start Date: 2013-06-01
Current End Date: 2018-05-19
Potential End Date: 2018-05-19 00:00:00
Last Modified: 2023-02-23
More Contracts from The MITRE Corporation
- Center for Advanced Aviation Development (CAASD) FFRDC MITRE — $1.7B (Department of Transportation)
- FY25 Task Order 7 - to Provide Systems Engineering Research and Development Services for the Department of Defense (DOD) and Other Federal Government Agencies — $753.9M (Department of Defense)
- FY24 Task Order 6 - Initial Funding and Updating PWS & DD254 — $735.3M (Department of Defense)
- CAASD Must Provide Essential Engineering, Research, and Analysis Capabilities to Support the FAA in the Performance of Its Mission Through a Systems Approach That Addresses All Dimensions (e.g. Political, Operational, Economic, Technical) Required to — $700.5M (Department of Transportation)
- Initial Modification on Task Order 5 NSEC, FFRDC to Incrementally Fund, Update PWS & DD254 — $687.3M (Department of Defense)
Other Department of Health and Human Services Contracts
- Contact Center Operations (CCO) — $5.5B (Maximus Federal Services, Inc.)
- TAS::75 0849::TAS Oper of Govt R&D GOCO Facilities — $4.8B (Leidos Biomedical Research Inc)
- The Purpose of This Contract Is to Provide the Full Complement of Services Necessary to Care for UC in ORR Custody Including Facilities Set-Up, Maintenance, and Support Internal and Perimeter (If Applicable) Security, Direct Care and Supervision Inc — $3.5B (Rapid Deployment Inc)
- Contact Center Operations — $2.6B (Maximus Federal Services, Inc.)
- Federal Contract — $2.4B (Leidos Biomedical Research Inc)