Continuous Monitoring Analytical Tool Set (CMATS) Development and Sustainment

Performance Work Statement (PWS)

This PWS outlines the requirements for the continued development, sustainment, support, and modernization of the Continuous Monitoring Analytical Tool Set (CMATS) portfolio. The goal is to ensure robust endpoint attribution tag management, policy management, and continuous monitoring across the Department of Defense (DoD).

• Core CMATS Portfolio: Development, sustainment, modernization, and integration of existing CMATS capabilities, including Continuous Monitoring Risk Scoring (CMRS), Cyber Operational Attribute Management System (COAMS), Enterprise User Management (EUM), and Information Assurance Vulnerability Management (IAVM).

• New Capabilities: Development and integration of new functionalities for the CMATS portfolio.

• Cloud Modernization: Modernizing the CMATS platform to leverage a Joint Warfighter Cloud Capability (JWCC) Azure Cloud environment.

• Data Analytics & Visualization: Enhancing data analytics, developing new data sources, and improving visualization capabilities.

• Endpoint Attribution: Development and sustainment of tools like Device Attribution Tagging Tool (DATT) and Central Attribution Management Portal (CAMP) for managing asset attribution data.

• Support Services: Includes requirements analysis, prototyping, custom code development, cybersecurity analysis, integration of COTS/OSS/GOTS products, quality assurance, testing, deployment support, documentation, help desk support, and lab administration.

• Development Teams: Four concurrent development teams will focus on CMRS, EUM & COAMS, IAVM, and DATT/CAMP.

• Adherence to Agile SCRUM development processes.

• Deliverables must meet accuracy, error-free, and on-time delivery standards (90% target).

• Software quality metrics include defect-free code delivery (85% target).

• Security engineering and A&A deliverables require 95% accuracy.

• Timely notification of malicious activity (within 72 hours).

• Base Period: July 01, 2027 – June 30, 2028

• Option Periods (OPs): Four OPs extending through June 30, 2032.

• Place of Performance: Primarily contractor facility; some work at DISA HQ, Fort Meade, MD.

• Security: Personnel require Secret clearance; facility must have a Secret Facility Clearance.

• Personnel: Highly qualified personnel with thorough knowledge of their expertise areas; key personnel retention is critical.

• Agile Development: Strict adherence to Agile SCRUM methodology.

• Cloud Migration: Significant effort to migrate to JWCC Azure Cloud.

• Documentation: Comprehensive documentation required, following DoD Architecture Framework (DoDAF) standards.

• Cybersecurity: Compliance with RMF, NIST SP 800-53, STIGs, and other DoD cybersecurity directives.

• Supply Chain Risk Management (SCRM): A SCRM plan is required.

• Cybersecurity Maturity Model Certification (CMMC): Specific CMMC level required (level not specified in this excerpt).

Sources Sought Notice

This notice is issued by the Defense Information Systems Agency (DISA) to gather information on the availability and technical capability of small businesses to provide Cloud development and sustainment support for the Continuous Monitoring Analytical Tool Set (CMATS). DISA aims to modernize legacy system integrations by migrating applications to Azure, supporting new functionality development, and sustaining the CMATS portfolio.

• Period of Performance: July 15, 2027 – July 14, 2032
• Place of Performance: DISA Headquarters, Fort Meade, MD

This is for informational purposes only and is NOT a Request for Proposal (RFP). It does not constitute a solicitation, and the government is not obligated to award a contract. No funds are available to pay for response preparation.

This is a new requirement, but portions are currently performed under:

• Continuous Monitoring Risk Scoring Development and Sustainment (Contract HC1028-23-F-0003, Incumbent: Foxhole Technology, Small Business)

• Secure Configuration Management Development and Operations (Contract HC1028-22-F-0276, Incumbent: Superlative Technologies, Small Business)

• Device Attribute Tagging Tool (DATT) Maintenance and Implementation Support (Contract HC1028-25-F-0166, Incumbent: Booz Allen Hamilton, Large Business)

• Software Development Lifecycle: Experience with Agile, requirements capture, testing, configuration management, and deployment.

• COTS/GOTS Experience: Working with commercial/government off-the-shelf capabilities and necessary configurations.

• Team Management: Experience managing up to five software development teams.

• Data Integration: Experience ingesting, normalizing, processing, and providing consumable results from various data types and sources (on-premises, cloud, hybrid).

• Business Intelligence (BI) Tools: Experience generating user views and making reports available across different environments.

• Data Analytics: Capabilities in building and maintaining analytics from frequently changing datasets, including architecture and trending examples.

• Cloud Migration: Experience migrating legacy Microsoft systems to cloud environments, detailing cloud platforms, fees, timelines, and leveraging cloud services.

• All personnel must be U.S. citizens with a Secret security clearance.

• Facility Clearance Level (FCL) must be Secret or higher.

• NAICS Code: 541519 (Size Standard: $34M)

• Responses must demonstrate ability to comply with FAR clause 52.219-14, Limitations on Subcontracting.

• Interested businesses should provide information on joint ventures or partnerships.

• Deadline: 2:00 PM CT on [Date Not Specified]

• Email Responses to: carly.a.youngless.civ@mail.mil and kenric.l.phillips.civ@mail.mil

• Content: Brief capabilities statement (max 7 pages) addressing required capabilities, business name/address, representative name/title, socio-economic status, CAGE Code, and prime contract vehicles.

• Proprietary information must be clearly marked.