Supply Chain Risk Management platform subscription

1.  Title of Procurement.

Riskmethods Supply Chain Risk Management platform subscription with BitSight cybersecurity integration.

2.  Nature of Procurement Action

This action is a follow-on to the riskmethods contract 6973GH-21-P-00794.  Riskmethods will provide access to the Supply Chain Risk Management platform with an increase from 100 to 500 supplier companies and including integrated cybersecurity data from BitSight for monitoring cybersecurity supply chain risk for 100 supplier companies.  

3.  Description of Supplies/Services

A follow-on to the existing riskmethods contract for total Supply Chain Risk Management services which includes a cybersecurity monitoring solution from BitSight.  The riskmethods platform provides comprehensive Supply Chain Risk Management monitoring via their Risk Radar, Impact Analyzer, Action Planner and Risk Assessment functions.  The requirement for Cybersecurity Supply Chain Risk Management (C-SCRM) is an essential component of a SCRM Program.  Also, Logistics Center and agency information is at risk of compromise through communication with the Supply Chain, especially since the status of Suppliers’ systems, policies and practices are unknown.

Riskmethods integrates BitSight data seamlessly into their system for Supply Chain Risk Management.  BitSight’s cybersecurity ratings provide an external, validated and continuously updated view into the security posture of a company.  BitSight applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance, mitigate third party risk, and assess aggregate risk. 

The FAA Logistics Center understands the need for a comprehensive SCRM Program and including cybersecurity data is essential. This integrated solution is not available from any other known SCRM providers and has been integral to the organization’s establishment of a SCRM Program. 

4.  Authority

The FAA proposes to procure this requirement on a single source basis as contemplated by AMS policy section 3.2.2.4.

5.  Rationale Supporting Use of a Single Source

Standardization: The Logistics Center’s current contract for Supply Chain Risk Management data is with riskmethods.  Riskmethods does not have an alternative cybersecurity data provider that integrates into their platform.  BitSight is a single source for the data.  To obtain SCRM data separately from different providers would mean that the FAA would have to collect and attempt to integrate the data into a separate workflow management system which not only does not exist within the Program but also would substantially increase Program operating cost.  In addition, additional training would be required for Program users, hence compounding Program costs and degrading performance substantially. 

This integrated solution is not available from any other known SCRM providers and has been integral to the organization’s establishment of a SCRM Program.  Continuing use of the  integrated riskmethods/ BitSight solution is essential to the Program and will allow for providing comprehensive analysis and monitoring of Supplier risk to the agency’s Supply Chain. Riskmethods is the only company that can meets the FAA’s requirement in a timely manner without any interruption in service.

6.  Market Analysis

An informal market analysis was performed via internet as well as via other government contract vehicles such as NASA’s SEWP V and GSA Advantage.  No other providers were located that meet the needs of the Logistics Center for Supply Chain Risk Management with an integrated cybersecurity data in a single solution. 

7.  Other Facts Supporting Use of Single Source

Future similar requirements are anticipated. Currently there are no additional vendors that can provide all Supply Chain Risk Management with an integrated cybersecurity data in a single solution. In the future, the requirements will continue to be purchased from riskmethods until another vendor that can provide all the required capabilities can be identified.