RFQ ID RFQ1511046
“Background & Justification for Revisions
Multiple Award Schedule (MAS) Information Technology Category (ITC) found a potential gap in supply chain risk management (SCRM) controls in the IT equipment SINs and identified that this same issue could exist in the software SINs. This potential gap pertains to third (3rd) parties performing maintenance and repair, which could be either a supply chain risk or cybersecurity risk. MAS IT’s position is that, by only allowing authorized vendors to perform maintenance and repair, SCRM risks will be minimized in the SINs.
Software maintenance as a product is within scope of SIN 511210 – software maintenance services. However, ITC has determined there is a gap in the requirement for offerors of software maintenance as a product to also provide the corresponding software license under SIN 511210 as part of their contract.
Similarly, ITC has determined there is a gap in the requirement for offerors of SIN 54151 – software maintenance services to also provide the corresponding software license under SIN 511210 or have any association with the Original Equipment Manufacturer (OEM) or Authorized Reseller / Distributor.
These gaps could result in unauthorized third (3rd) party vendors providing software maintenance as a product or as a service without any association to the Original Equipment Manufacturer (OEM) or Authorized Reseller / Distributor. This is considered a possible supply chain risk for Federal Information Systems and Organizations. (Recommended guidance for addressing supply chain risks can be found within NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.)
Software maintenance as a product (SIN 511210) ≠ software license (SIN 511210) = potential risk
Software maintenance as a service (SIN 54151) ≠ software license (SIN 511210) = potential risk
ITC strives to minimize supply chain risk for its customer agencies. ITC’s intent is to reinforce the connection between SINs that offer new IT equipment or software licenses to Original Equipment Manufacturers (OEMs) or authorized resellers/distributors on SINs that offer hardware maintenance or repair and software maintenance as a service. ITC is concerned that unauthorized third (3rd) parties performing maintenance and repair could be either a supply chain or cybersecurity risk. Ensuring that only authorized vendors perform maintenance and repair will minimize risk…”