DoD's $12.8M RMF Review Factory contract awarded to SOLIEL LLC faces scrutiny over value and competition

Contract Overview

Contract Amount: $12,797,987 ($12.8M)

Contractor: Soliel LLC

Awarding Agency: Department of Defense

Start Date: 2021-09-28

End Date: 2026-09-27

Contract Duration: 1,825 days

Daily Burn Rate: $7.0K/day

Competition Type: FULL AND OPEN COMPETITION

Number of Offers Received: 9

Pricing Type: FIRM FIXED PRICE

Sector: IT

Official Description: ENTERPRISE RISK MANAGEMENT FRAMEWORK (RMF) REVIEW FACTORY

Place of Performance

Location: WASHINGTON NAVY YARD, DISTRICT OF COLUMBIA County, DISTRICT OF COLUMBIA, 20376

State: District of Columbia Government Spending

Plain-Language Summary

Department of Defense obligated $12.8 million to SOLIEL LLC for work described as: ENTERPRISE RISK MANAGEMENT FRAMEWORK (RMF) REVIEW FACTORY Key points: 1. The contract's value appears high for IT support services, necessitating a deeper dive into the specific deliverables and market rates. 2. Full and open competition was utilized, but the number of bids received (9) warrants an analysis of whether this truly fostered competitive pricing. 3. The fixed-firm price structure offers some cost certainty, but the duration of the contract (5 years) could lead to price escalation if not managed effectively. 4. Performance context is limited without specific metrics on the 'RMF Review Factory' output and its impact on DoD's cybersecurity posture. 5. This contract falls within the IT services sector, specifically 'Other Computer Related Services', a broad category that requires further definition for precise benchmarking. 6. The absence of small business set-aside flags a potential missed opportunity to engage smaller, specialized firms in this critical cybersecurity support area.

Value Assessment

Rating: fair

The contract's total value of $12.8 million over five years averages to approximately $2.56 million annually. Benchmarking this against similar IT support contracts for cybersecurity services is challenging without more specific details on the 'RMF Review Factory' functions. However, the per-year cost seems substantial for services categorized under 'Other Computer Related Services'. Further analysis would require comparing the scope of work to industry standards for cybersecurity compliance and review processes.

Cost Per Unit: N/A

Competition Analysis

Competition Level: full-and-open

The contract was awarded under full and open competition, indicating that all responsible sources were permitted to submit bids. Nine bids were received, suggesting a reasonable level of interest. However, the effectiveness of this competition in driving down costs and ensuring the best value for the government depends on the specific requirements and the number of truly qualified bidders among the nine.

Taxpayer Impact: While full and open competition is generally favorable for taxpayers, the ultimate value depends on whether the competitive process resulted in the most cost-effective solution for the government's needs.

Public Impact

The primary beneficiaries are the Department of Defense (specifically the Defense Information Systems Agency) through enhanced cybersecurity compliance processes. The contract supports the delivery of services related to the Risk Management Framework (RMF) review process, crucial for maintaining the security of DoD information systems. The contract is geographically focused on the District of Columbia, indicating a concentration of services or oversight in that region. Workforce implications are likely within the IT and cybersecurity professional domains, potentially creating or sustaining jobs in these specialized fields.

Waste & Efficiency Indicators

Waste Risk Score: 50 / 10

Warning Flags

Potential for cost overruns if the scope of 'RMF Review Factory' expands beyond initial expectations.
Risk of vendor lock-in if specialized knowledge becomes concentrated within SOLIEL LLC.
Dependency on a single contractor for a critical cybersecurity function could pose a risk if performance degrades.
The broad 'Other Computer Related Services' category may obscure the true nature and cost drivers of the work performed.

Positive Signals

Awarded through full and open competition, suggesting a broad search for qualified vendors.
The firm fixed-price contract type provides cost predictability for the government.
The contract duration allows for sustained support and potential for building expertise.
The number of bidders (9) indicates market interest and potential for competitive pressure.

Sector Analysis

This contract falls within the broader IT services sector, specifically under the 'Other Computer Related Services' category (NAICS 541519). This category encompasses a wide range of IT services not elsewhere classified, including IT consulting and integration services. The market for cybersecurity and IT compliance services is substantial and growing, driven by increasing cyber threats and regulatory requirements. The DoD's spending in this area is significant, with numerous contracts awarded for various aspects of cybersecurity, network defense, and information assurance. Benchmarking this contract's value requires comparing it to similar RMF support or cybersecurity review services procured by other federal agencies or large defense contractors.

Small Business Impact

The contract indicates that small business participation was not a primary consideration, as the 'sb' field is false and there is no mention of small business set-asides. This suggests that the primary award was made to a large business or that the competition was not specifically structured to favor small businesses. While this may be appropriate if the scale or complexity of the requirement necessitates a larger contractor, it means that opportunities for small businesses to directly participate in this specific contract, either as prime or through subcontracting, may be limited unless explicitly mandated or pursued by the prime contractor.

Oversight & Accountability

Oversight for this contract would primarily fall under the Department of Defense and the Defense Information Systems Agency (DISA). Standard contract oversight mechanisms, including performance monitoring, invoicing review, and compliance checks, would be in place. The contract's fixed-firm price nature provides some level of financial oversight. Transparency would be enhanced through contract award databases and reporting requirements. Inspector General jurisdiction would apply in cases of suspected fraud, waste, or abuse related to the contract.

Related Government Programs

DoD Cybersecurity Support Services
Information Assurance Contracts
IT Professional Services
Risk Management Framework Implementation
Defense Information Systems Agency Contracts

Risk Flags

Potential for high cost relative to scope
Lack of specific performance metrics
Broad service category definition
Long contract duration without clear price adjustment controls

Frequently Asked Questions

What is this federal contract paying for?

Department of Defense awarded $12.8 million to SOLIEL LLC. ENTERPRISE RISK MANAGEMENT FRAMEWORK (RMF) REVIEW FACTORY

Who is the contractor on this award?

The obligated recipient is SOLIEL LLC.

Which agency awarded this contract?

Awarding agency: Department of Defense (Defense Information Systems Agency).

What is the total obligated amount?

The obligated amount is $12.8 million.

What is the period of performance?

Start: 2021-09-28. End: 2026-09-27.

What specific services constitute the 'RMF Review Factory' and how do they align with standard DoD cybersecurity compliance procedures?

The 'RMF Review Factory' likely refers to a streamlined, potentially automated or semi-automated process designed to expedite the review and approval of systems under the Department of Defense's Risk Management Framework (RMF). This framework is a comprehensive set of guidelines and procedures for managing cybersecurity risks to DoD information systems. Services could include pre-assessment reviews, vulnerability scanning analysis, documentation validation, and preparation of security authorization packages. The specific alignment with standard DoD procedures would depend on the detailed Statement of Work (SOW) for this contract. Without the SOW, it's difficult to ascertain the exact scope, but it implies a focus on efficiency and standardization within the RMF lifecycle, potentially reducing the time and resources DoD components need to allocate to these reviews.

How does the $12.8 million contract value compare to similar cybersecurity support services procured by the DoD or other federal agencies?

Benchmarking the $12.8 million contract value requires a detailed comparison of the scope of work, duration, and specific services provided against similar contracts. The category 'Other Computer Related Services' is broad. If the 'RMF Review Factory' involves extensive cybersecurity assessments, compliance auditing, and documentation management for a significant number of DoD systems, the cost might be justifiable. However, if it represents more routine support or a limited scope, it could be considered high. Comparable contracts for IT support, cybersecurity consulting, or compliance services within the federal government can range widely. For instance, contracts focused solely on penetration testing might be priced differently than those encompassing full RMF lifecycle support. A precise comparison would necessitate identifying contracts with identical or highly similar PWSs (Performance Work Statements) and service levels.

What are the potential risks associated with awarding a 5-year contract for cybersecurity review services to a single vendor?

Awarding a 5-year contract for critical cybersecurity review services to a single vendor, SOLIEL LLC in this case, presents several potential risks. Firstly, there's the risk of vendor lock-in, where the government becomes heavily reliant on the contractor's specific processes and personnel, making it difficult and costly to switch providers or bring the function in-house later. Secondly, performance degradation over time is a concern; without continuous competitive pressure, the vendor's motivation to maintain high standards might wane. Thirdly, the rapidly evolving cybersecurity landscape means that the vendor's expertise might become outdated if they do not proactively invest in training and technology, potentially leaving DoD systems vulnerable. Finally, a single point of failure exists; if the vendor experiences financial instability, management issues, or fails to meet contractual obligations, it could significantly disrupt DoD's cybersecurity posture.

Given the 'full and open competition' and 9 bidders, why might the value still be considered potentially high or require further justification?

While 'full and open competition' and a higher number of bidders (9) are generally positive indicators for price discovery, the value can still be questioned for several reasons. Firstly, the 'quality' of the competition matters; not all bidders may have been equally capable or realistic in their pricing. If only a few bidders were truly qualified, the competition might have been less robust than the number suggests. Secondly, the specific nature of the 'RMF Review Factory' services is crucial. If these are highly specialized or require unique expertise, the market might be limited, allowing the winning bidder to command a higher price. Thirdly, the contract's duration (5 years) means that the total value accumulates significantly. Even with competitive initial pricing, potential for scope creep or price adjustments over such a long period could inflate the overall cost. Lastly, the broad NAICS code (541519) might mean the contract is priced higher than if it were under a more specific, potentially lower-cost IT service category.

What is the historical spending trend for 'Other Computer Related Services' within the Department of Defense, and how does this contract fit?

Historical spending trends for 'Other Computer Related Services' (NAICS 541519) within the Department of Defense (DoD) show a consistent and significant investment in a wide array of IT support functions. The DoD is one of the largest federal purchasers of IT services, and this category often captures contracts for IT consulting, integration, data processing, and specialized technical support that don't fit neatly into other IT-related NAICS codes. Spending in this area has generally increased over the years, driven by modernization efforts, cybersecurity needs, and the increasing reliance on complex IT systems. This specific $12.8 million contract for an 'RMF Review Factory' fits within this trend as a specialized service aimed at enhancing cybersecurity compliance, a critical and growing area of DoD IT expenditure. Its value appears substantial but needs to be contextualized against the overall DoD IT budget and the specific criticality of RMF compliance.

Industry Classification

NAICS: Professional, Scientific, and Technical Services › Computer Systems Design and Related Services › Other Computer Related Services

Product/Service Code: IT AND TELECOM - INFORMATION TECHNOLOGY AND TELECOMMUNICATIONS › IT AND TELECOM - APLLICATIONS

Competition & Pricing

Extent Competed: FULL AND OPEN COMPETITION

Solicitation Procedures: SUBJECT TO MULTIPLE AWARD FAIR OPPORTUNITY

Offers Received: 9

Pricing Type: FIRM FIXED PRICE (J)

Evaluated Preference: NONE

Contractor Details

Address: 10170 JUNCTION DR STE 130, ANNAPOLIS JUNCTION, MD, 20701

Business Categories: 8(a) Program Participant, Asian Pacific American Owned Business, Category Business, Corporate Entity Not Tax Exempt, Economically Disadvantaged Women Owned Small Business, Limited Liability Corporation, Minority Owned Business, Self-Certified Small Disadvantaged Business, Small Business, Special Designations, U.S.-Owned Business, Woman Owned Business, Women Owned Small Business

Financial Breakdown

Contract Ceiling: $16,139,312

Exercised Options: $12,803,315

Current Obligation: $12,797,987

Contract Characteristics

Commercial Item: COMMERCIAL PRODUCTS/SERVICES

Cost or Pricing Data: YES

Parent Contract

Parent Award PIID: GS35F316BA

IDV Type: FSS

Timeline