Start preparing now to earn points on NIH’s CIO-SP4 contract opportunity

The National Institutes of Health (NIH) recently released a draft request for proposal (RFP) for the Chief Information Officer – Solutions and Partners, better known as “CIO-SP4”, IDIQ procurement. This up-to-10-year Indefinite Delivery/Indefinite Quantity (IDIQ) contract (five years base, with a five-year optional period) is among NIH’s largest and is expected to yield $20 billion worth of task order awards. NIH expects this procurement to be designated Best-in-Class (BIC) by the Office of Management and Budget (OMB), like its previous iteration, CIO-SP3. This designation would allow it to be a preferred government-wide acquisition solution. 

This intended multiple IDIQ award effort spans a wide variety of IT services, not just within the health space as medical systems “are increasingly integrated with a broader IT architecture, requiring a systems approach to their implementation and a sound infrastructure for their operation,” the draft RFP says. It is NIH’s intention that both small and non-small businesses will have ample opportunity to get awards, and they likely will be evaluated separately. 

There are 10 different task areas that comprise the technical scope of the contract:

• IT Services for Biomedical Research, Health Sciences, and Healthcare
• Chief Information Officer (CIO) Support
• Digital Media
• Outsourcing
• IT Operations and Maintenance
• Integration Services
• Cybersecurity
• Digital Government and Cloud Services
• Enterprise Resource Planning
• Software Development

The draft RFP indicates that NIH will take a self-scoring sheet approach to evaluating proposals as it has in the past. As of this writing, the NIH has not yet posted a draft version, and it likely will not do so for a few more months. Given that the final solicitation is targeted for December 2020 per the cover sheet of the draft RFP, potential offerors have ample time to prepare for areas in which they will be able to earn points. Before we get to these areas, note one requirement of the solicitation that is for the duration of the contract: The contractor must have an accounting system that is adequate for determining costs applicable to flexibly price task orders. If you do not have an approved accounting system, nor are aware of an upcoming audit by DCAA or other audit entity, you can obtain an independent public accounting firm audit to demonstrate that your accounting system is capable of complying with the requirements listed on Standard Form 1408 (SF-1408).

In what areas should you expect to earn points?

The biggest point-earning opportunities will likely relate to experience and past performance. The more complex the project, the higher the likelihood that you will receive more points. If the experience was within a cost-plus contract instead of fixed-price, there may be more points for that as well. There will likely be additional points for a wider variety and separate instances of recent projects within each task area. CIO-SP3 required that contract holders have capabilities in all 10 task areas.  

The other significant area that might be a bit more controllable for you right now is within the “other” factor category, whether it’s called administration, certifications, or all the rest. This area should include point-earning opportunities for evidence of superior corporate governance and operations. They could include evidence of other adequate business systems (e.g., purchasing, estimating, earned value management), industry certifications (e.g., FedRAMP, CMMI, ISO, CMMC), and security. Many of these factors are likely achievable if you start sooner rather than later as they necessitate a significant amount of lead time. While we are not certain at this point, we are hopeful that NIH will allow independent public accounting firm audits of other business systems as they’re allowing them for the accounting system to help enhance competitiveness. Purchasing and estimating system audits generally necessitate about six months of activity under DFARS-compliant system policies and procedures to evidence that they are working properly. Therefore, right now it is possible for you to implement an acceptable purchasing and/or estimating system for it to be auditable in time for a December 2020 proposal submission. 

The new Cybersecurity Maturity Model Certification (CMMC), even though it is a Department of Defense (DOD) initiative, was explicitly stated within the draft RFP as likely being needed for DOD task orders. By December, CMMC certifications should be well underway. Make sure your IT environment is ready and you have a CMMC auditor lined up! Otherwise, FedRAMP, Capability Maturity Model Integration (CMMI), and International Organization for Standardization (ISO) certifications can also take a while to prepare for and receive. None of these is an overnight process, and it is short-sighted to think you can procure any of them without any preparation within a couple weeks of the proposal due date in December. 

Now what?

Here is what we think any potentially interested contractors should be doing right now:

• Understand the RFP task areas and figure out what area(s) you will be competitive in.
• Consider a teaming arrangement if you think that will bolster your competitiveness. 
• Assign team members who are responsible now for the proposal. 
• Don’t wait until the final RFP comes out to start writing and developing a win strategy. 
• Start gathering applicable experience and past performance evidence. 
• Gather and submit comments on the draft RFP that will help make you more competitive and stand out from your competitors. (See our recent Lunch and Learn slides on Proposal Best Practices.)
• Establish a timeline and plan for the likely business system-related point-earning opportunities.
• Start discussions on your approach to accounting system and CMMC compliance.