Cyber Information Security and Operations for National Airspace System

1. INTRODUCTION Cybersecurity is a critical component of national security and economic stability with the increasing integration of networked systems, connected devices, and digital platforms across the aviation ecosystem. Cyberspace is a vital domain for the Federal Aviation Administration (FAA). The FAA relies on secure, resilient information systems in cyberspace to fulfill its mission to ensure safe and efficient air travel. The growing sophistication of cyber threats ranging from nation-state actors to independent malicious groups adversaries poses a significant threat to the FAA’s cyberspace infrastructure. They actively target government networks, and some have demonstrated the capability to disrupt and/or compromise elements of the FAA’s information environment. As these threats from adversaries evolve, the FAA must strengthen its cybersecurity posture to protect its systems, maintain operational continuity, and safeguard the integrity of the National Airspace System (NAS). The purpose of this market survey is to (1) gather information about potential vendors and their capabilities and (2) obtain vendors’ comments and recommendations regarding draft

requirements in accordance with the FAA Acquisition Management System (AMS) Policy 3.2.1.2.1. This announcement is not a Screening Information Request (SIR) or Request for Proposals (RFP). The FAA is not seeking or accepting unsolicited proposals. The FAA will not pay for any information received or cost incurred in preparing the responses to this market survey or associated activities. Therefore, any costs associated with the submission of responses are solely at the interested vendor’s expense. The nature of the competition that will be conducted for this procurement has not been finalized at this time. The FAA will review the responses to this market survey and will make acquisition decisions based on vendor responses and the FAA’s needs. This market survey must not be construed as an obligation on the part of the FAA to acquire these services. Since this is not an SIR or RFP, no results will be issued to the responding firms. No solicitation for these items exists at this time. If a solicitation is issued, it will be announced on the SAM.gov website. It is the vendor’s responsibility to monitor the website for release of the solicitation. The FAA may request that one, some, all, or none of the responders to the market survey provide additional information. No evaluation of vendors will occur based on this additional information, and vendor participation in any informational session is not a promise of future business with the FAA. The FAA reserves the right to have communication with any or none of the respondents. A response to this market survey is not a prerequisite for future procurement consideration. All information provided in response to this market survey except that which qualifies under an exemption may be subject to release under the Freedom of Information Act (FOIA). Information considered proprietary or confidential must be clearly marked as such and the vendor must provide justification to the FAA of such designation if requested. Any information not identified as proprietary or confidential will be used at the FAA’s discretion and may be publicly released without further FOIA disclosure review by the FAA or respondent(s). Any amendment(s) issued to this announcement will be published on SAM.gov. It is the interested parties’ responsibility to visit this website frequently to be informed of any changes to this announcement. Note: the FAR references cited in SAM.gov are not applicable to this market survey as the FAA has its own acquisition policies and guidance contained in AMS. 2.

BACKGROUND The Air Traffic Organization (ATO) has a critical infrastructure and the Cyber Security Strategic Plan advances progress towards a National Airspace System (NAS) where it remains secure and resilient. The plan also provides support for critical and essential services to continue and function under a range of cyber conditions. The NAS cybersecurity capabilities must adapt to changing cyber threats. This includes NAS operations that can withstand and/or rapidly recover from disruptions. The sustainment of NAS Cyber Operations (NCO), Independent Risk Assessment capabilities, and Information Systems Security (ISS) Assurance is critical to fulfilling the

requirements of the ’s (OMB) for continuous monitoring requirement, as well as complying with Federal Information Security Management Act (FISMA), and Executive Order 13636, Presidential Policy Directive (PPD-21) and the ATO Cyber Security Strategic Plan. Within the FAA there are three distinct cyber domains: NAS (operational/critical infrastructure), Research and Development, and Mission Support (IT). This Statement of Work (SOW) presents support

requirements necessary for the NAS systems that reside both in the NAS Operational domain as well as the Mission Support (MS) domain. 3. DESCRIPTION/SCOPE The FAA anticipates

requirements to support cybersecurity testing, risk assessment and operational security services within the National Airspace System (NAS). These services involve complex operational technology (OT) environment, safety-critical infrastructure, and distributed systems that differ significantly from traditional enterprise IT environments. The scope is expected to include, but not be limited to: Perform independent risk assessment, penetration testing and vulnerability assessment on NAS systems in accordance with FAA Orders, NIST guidance, and federal cybersecurity