AGENCY:

National Institute of Standards and Technology (NIST), Commerce.

ACTION:

Notice.

SUMMARY:

The National Institute of Standards and Technology (NIST), Department of Commerce, intends to sponsor a Federally Funded Research and Development Center (FFRDC) to facilitate public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. NIST published three notices in the Federal Register advising the public of the agency's intention to sponsor an FFRDC and requesting comments from the public. This notice provides NIST's analysis of the comments related to NIST's proposed establishment of the FFRDC received in response to those notices. These responses, as well as NIST's responses to the many acquisition-related comments and questions received in response to the three notices will be posted on FedBizOpps.

DATES:

NIST published portions of a draft Request for Proposals for public comment in December 2013.

ADDRESSES:

NIST's responses to acquisition-related comments and question and the draft Request for Proposals will be published for public comment at www.fbo.gov.

FOR FURTHER INFORMATION CONTACT:

Keith Bubar via email at Keith.Bubar@nist.gov or telephone 301-975-8329 or Keith Bubar, NIST, 100 Bureau Drive, Mail Stop 1640, Gaithersburg, MD 20899-1640.

SUPPLEMENTARY INFORMATION:

NIST has identified the need to support the mission of the National Cybersecurity Center of Excellence (NCCoE) through the establishment of an FFRDC. In evaluating the need for the FFRDC, NIST determined that no existing alternative sources can effectively meet the unique needs of NIST. The proposed NCCoE FFRDC will have three primary purposes: (1) Research, Development, Engineering and Technical support; (2) Program/Project Management focused on increasing the effectiveness and efficiency of cybersecurity applications, prototyping, demonstrations, and technical activities; and (3) Facilities Management. The proposed NCCoE FFRDC may also be utilized by other federal agencies.

The FFRDC will be established under the regulations found at 48 CFR 35.017.

Comments Received and Responses: The following is a summary and analysis of the comments received during the public comment period and NIST's responses to them. NIST received comments from a total of 46 commenters. NIST received three comments opposed to establishing the proposed FFRDC. In addition, NIST received two comments opposed to government spending in general, but not specifically directed toward the proposed FFRDC. Finally, NIST received a total of 73 additional comments/questions from 43 commenters, centered on the proposed acquisition and other related topics.

A summary of the public comments opposing the establishment of the FFRDC, along with NIST's responses to each, are as follows:

Comment: Two commenters stated that hundreds of private sector firms are capable of performing the tasks described in the notice.

Response: NIST is aware of the vast cybersecurity research, development, engineering, technical, program/project management and facilities management capabilities available in the private sector. The NCCoE meets its unique mission of increasing the rate of adoption of more secure technologies by establishing broad consortia of academic, government, and private sector organizations whose engineers work side-by-side at the center. While potentially having the appropriate technical capabilities, private sector firms motivated by profit and future competitive opportunities would not provide the same level of objectivity as an organization managing an FFRDC.

Comment: One commenter stated that a Request for Information or draft Request for Proposals (RFP) would likely yield numerous responses from qualified private sector firms.

Response: NIST intends to publish a draft RFP to allow prospective offerors an opportunity to ask questions and provide comments.

Comment: Two commenters stated that any concerns about organizational conflicts of interest within the private sector can be resolved through industry divestitures and other methods, and can be fully addressed and prevented through provisions in the current acquisition system.

Response: As established under the Federal Acquisition Regulation (FAR), FFRDCs are designed to prevent potential conflicts of interest from occurring and to allow for the independence and objectivity necessary to collaborate effectively with a broad consortium of technical organizations. By establishing an FFRDC, potential conflicts of interest will be avoided as the FFRDC operator will not be motivated by potential competitive advantages or profit, ensuring a level playing field for all collaborators on NCCoE activities. The FFRDC operator could potentially have access to the intellectual property of a large number of possibly competing companies collaborating on NCCoE activities. The Start Printed Page 1832access to intellectual property of many companies could present conflicts of interest for an organization that does not meet the provisions of FAR 35.017(a)(3).

Comment: One commenter stated that NIST has not adequately demonstrated that there are no existing contract vehicles or FFRDCs available to meet its needs.

Response: Through conducting market research, NIST determined that neither a standard services contractor nor an existing FFRDC can adequately meet NIST's requirement for supporting the NCCoE. Review of the 40 existing FFRDCs indicated that only one incorporated cybersecurity in its mission and vision statement, Carnegie Mellon Software Engineering Institute (SEI), sponsored by the U.S. Army. SEI's stated mission is to “advance the technologies and practices needed to acquire, develop, operate, and sustain software systems that are innovative, affordable, trustworthy, and enduring.” SEI identifies its competencies as including software engineering and research, computer security, emerging software technologies, and acquisition solutions. SEI's mission statement and the focus of its current staff are significantly narrower than the NCCoE's requirement to execute applied research and collaborate with industry, academia, and government to accelerate the adoption of solutions based on existing commercial-off-the-shelf products. The use of SEI to support the mission of the NCCoE would result in a significant limitation on the range of services that could be performed and the range of use cases to be undertaken.

Comment: Two commenters stated that NIST has not clearly stated the basis, purpose and mission of the FFRDC.

Response: In the forthcoming draft RFP, NIST will articulate its requirement for the FFRDC with greater specificity, and prospective offerors will have the opportunity to ask questions and submit comments.

Comment: One commenter stated that creating a new FFRDC would expose NIST to significant cost vulnerabilities and potential criticism from Congress and others.

Response: The competition for an Indefinite Delivery Indefinite Quantity (IDIQ) contract, the contracting mechanism to be used for the FFRDC, occurs at the base contract level. The nature of an IDIQ contract does allow for future actions within the scope of the contract to be awarded without further competition. However, NIST will review the scope of work thoroughly to identify areas that require clarification prior to release of the RFP, and the IDIQ contract will be competed to the maximum extent practicable. NIST will negotiate the cost, terms and conditions of all task orders with the FFRDC operator before performance commences. By using a task order based IDIQ contract, NIST will balance scope and cost control while allowing for the flexibility to address the needs of the NCCoE.

NIST has posted a notice to the Federal Business Opportunities (FBO) Web site with the official responses to each comment received in response to the previous three Federal Register notices, including those comments summarized above. The FBO Reference Number for this notice is NCCoE_FFRDC-FRN_4. NIST published portions of a draft Request for Proposals for public comment in December 2013.