SLED Opportunity · UTAH · UNIVERSITY OF UTAH - CAMPUS

    IT Security and Compliance Consulting

Issued by University of Utah - Campus
Level: education · Type: RFP · Agency: University of Utah - Campus · Sol. 8029480259

STATUS: Closed (due Feb 13, 2026)
PUBLISHED: Dec 12, 2025 (posting date)
JURISDICTION: University of (education)
NAICS CODE: 541512 (AI-classified industry)

    AI Summary

University of Utah seeks cybersecurity consulting services to support secure computing enclaves for regulated research. The RFP covers advisory, compliance roadmap, policy development, training, and audit readiness for CMMC, NIST 800-171, and FedRAMP standards. Proposals due by February 12, 2026.

    Opportunity details

Solicitation No.: 8029480259
Type / RFx: RFP
Status: Active
Level: education
Published Date: December 12, 2025
Due Date: February 13, 2026
NAICS Code: 541512
State: Utah
Agency: University of Utah - Campus

    Description

    The purpose of this Request for Proposals (RFP) is to solicit proposals to enter into a non-exclusive contract with a qualified vendor to accelerate the efforts of the University of Utah to create and maintain secure computing enclaves for regulated research. These enclaves are not general-purpose work environments and are exclusive to computing-intensive academic research activities. These enclaves consist of on-premises infrastructure, hardware, and staff. They include an existing CMMC Level 2 compliant enclave in the Price College of Engineering (CoE), a planned NIST SP 800-171r3 and FedRamp Moderate compliant enclave in the Center for High Performance Computing (CHPC), and CMMC Level 1 systems that support the work done in the enclaves. The University of Utah is advancing its cybersecurity posture to meet evolving federal compliance requirements and support a growing portfolio of highly regulated research. This work is primarily being done in the Price College of Engineering (CoE) and the Center for High Performance Computing (CHPC). **Solicitation Type**: RFP - Request for Proposal (Formal) **Source ID**: PU.AG.USA.2756265.2757355.C18636076 **Piggyback Contract**: No **Question Acceptance Deadline**: 12/30/2025 02:00 PM EST **Questions are submitted online**: Yes **Bid Submission Type**: Electronic Bid Submission **Solicitation Number**: UU209377496 **Reference Number**: 0000406955 **Pricing**: In attached document **Bid Documents List**: | Item Name | Description | Mandatory | Limited to 1 file | |---|---|---|---| | Bid Documents | Documents defining the proposal | Yes | No | **Questions and Answers**: - Q1 Arrow Right Question: Solicitation # UU209377496 1) Existing Users • Which stakeholder groups will participate from the University (CHPC, Price College of Engineering, Research Security Office, Information Security Office), and who are the primary decision-makers for each enclave? 
• For the Nanofabrication Laboratory expansion, who are the operational owners and security/compliance owners, and how will instructional vs. CUI-handling activities be coordinated? • For researchers using the enclaves, what are the access approval workflows and role definitions (e.g., admins, researchers, lab staff)? Arrow Right Answer: a. The Primary decision makers are the CHPC leadership, Engineering Leadership and Research Security Office Leadership. b. For the NanoFabrication Lab Engineering is the operational owner and the Research Security Office is the security/compliance owner. The NanoFab lab will fall under the Engineering Enclave SSP. Our CUI Flow Policy can be made available upon award; the policy will need to be expanded to address the unique operations of the NanoFab Lab. c. Engineering has an existing Access Control Policy that can be made available at award. d. The CISO or their delegate will be the University's responsible party for any final security decisions 12/19/2025 10:06 AM EST 01/12/2026 02:02 PM EST - Q2 Arrow Right Question: Solicitation # UU209377496 Existing Technologies • Please confirm the current state of the CoE CMMC Level 2 enclave (scope, identity/authorization boundaries, allowed external access: graphical client connections, DNS, NTP, authorized SFTP/HTTPS, egress email alerts, system software updates). Arrow Right Answer: Graphical access only through the Jump box using virtual desktop with all data channels disabled. DNS provided by a secure DNS service. NTP, secure data transfer protocols data access only from the data transfer node. Email limited to system generated alerts, none user facing. Software updated downloaded to internal host prior to approval and deployment. All user access to the environment requires multiple authentication factors. 
12/19/2025 10:07 AM EST 01/12/2026 02:02 PM EST - Q3 Arrow Right Question: Solicitation # UU209377496 Existing Technologies • For CHPC, what is the present status of Citadel (NIST 800 171r2) and the Regulated Environment (RE) aligned to NIST 800 171r3/FedRAMP Moderate (independent networking, identity, and security infrastructure)? Arrow Right Answer: a. See attachments b. Citadel is designed for NIST 800-171 rev 2. Security-critical elements (e.g. networking, IAM, SIEM) are dedicated to Citadel, managed separately from other University systems and utilized only within Citadel. Controls to secure CUI-related communication with external entities (including US Government partners and security-relevant cloud services) include FIPS-validated encryption. c. The Regulated Environment (RE) is currently in the planning stages and is not yet operational. Like Citadel, the RE will have an independent tech stack that is managed separately from other University systems. 12/19/2025 10:07 AM EST 01/12/2026 02:02 PM EST - Q4 Arrow Right Question: Solicitation # UU209377496 Existing Technologies • What data segregation mechanisms are currently implemented across hundreds of nodes and 53 PB of data, and how are multi tenant workflows controlled? Arrow Right Answer: a. Primary techniques for segregating projects are siloing ownership controls and system login restrictions. Most of the nodes and data storage are not part of CHPC’s regulated environments (current or planned). CHPC has two other environments, the General Environment (GE) and the Protected Environment (PE). These two environments contain the majority of nodes and data, but these environments are out of scope for this RFP and are logically and physically separated from Citadel and the forthcoming RE. 
12/19/2025 10:08 AM EST 01/12/2026 02:02 PM EST - Q5 Arrow Right Question: Solicitation # UU209377496 Tools / Technologies They Are Asking For • Which security tooling categories do you expect the vendor to design/integrate (e.g., SIEM, EDR, Vulnerability Scanners, Configuration Managers, IAM, DLP) within the enclaves and University systems? Arrow Right Answer: a. We expect the vendor to advise on strategy, provide best practices, recommend software and hardware, and problem solve alongside University subject matter experts. The work of configuration and integration will be a university responsibility. b. After evaluating our current strategy, the Awardee would be expected to support the detailed design or redesign of all security tooling implementations. The design should evaluate the feasibility and best practices of using existing university services from central IT , and to determine how best to co-locate security operations of the CoE and CHPC enclaves. The existing strategy can be summarized as such: (see attachments) c. Integrations between premises and cloud operations would be completed by university staff, with support from the awardee, if possible. If not, then a second engagement may be pursued with a SaaS vendor to create and maintain FedRamp High Compliance. 12/19/2025 10:08 AM EST 01/12/2026 02:02 PM EST - Q6 Arrow Right Question: Solicitation # UU209377496 Tools / Technologies They Are Asking For • Do you want the vendor to recommend new third party tools or only integrate with existing University systems? If recommendations are expected, which tool classes should be prioritized? Arrow Right Answer: a. New tools can and should be suggested. However, we have existing strategy and tech stacks and the focus should be to use what is available or planned first and recommend new tools only when existing tools are not sufficient. 
New technology proposals must be well evidenced to align with industry best practices or substantive evidence supporting the need to adopt new tech. If existing technologies cannot meet the requirements then we will be open and asking for vendor suggestions. 12/19/2025 10:09 AM EST 01/12/2026 02:02 PM EST - Q7 Arrow Right Question: Solicitation # UU209377496 Tools / Technologies They Are Asking For • What documentation artifacts do you require (e.g., SSPs, POA&Ms, control mappings, evidence artifacts) and do you have preferred templates? Arrow Right Answer: a. We are seeking Policy and Procedures that can be applied to both CHPC and Engineering. b. We will gather and collect evidence artifacts based on awardees guidance and good judgement when existing evidence is lacking c. SSP creation lead by awardee and supported by chpc for the RE environment d. POA&M creation in collaboration with CHPC for the RE e. We have developed our own template style for policy and procedure but are open to amending based on awardee input. f. Control mapping to policy and procedure expected to be supported by awardee when the accessors guide is lacking in guidance 12/19/2025 10:09 AM EST 01/12/2026 02:02 PM EST - Q8 Arrow Right Question: Solicitation # UU209377496 Monitoring or Incident Handling • For ongoing compliance monitoring and updates, what cadence and scope do you expect (controls coverage, reporting, stakeholder reviews)? Arrow Right Answer: a. We expect to build our compliance, monitoring and incident response programs with the vendor. The vendor shall help improve and mature our existing systems with existing or new technology proposals. The expectation is that the University will maintain operations. 12/19/2025 10:09 AM EST 01/12/2026 02:02 PM EST - Q9 Arrow Right Question: Solicitation # UU209377496 Monitoring or Incident Handling • For ongoing compliance monitoring and updates, what cadence and scope do you expect (controls coverage, reporting, stakeholder reviews)? 
Arrow Right Answer: a. We expect to build our compliance monitoring and incident response programs with the vendor. The vendor shall help improve and mature our existing systems with existing or new technology proposals. The expectation is that the University will maintain operations. 12/19/2025 10:11 AM EST 01/12/2026 02:02 PM EST - Q10 Arrow Right Question: Solicitation # UU209377496 Monitoring or Incident Handling • Should the vendor provide incident response communications and a customer portal for tracking support incidents, as referenced in the Support section? If yes, what incident SLAs and escalation paths do you expect? Arrow Right Answer: a. We expect to build and improve our compliance monitoring and incident response programs with the vendor. The vendor shall help improve and mature our existing systems with existing or new technology proposals. The expectation is that the University will maintain operations. 12/19/2025 10:11 AM EST 01/12/2026 02:02 PM EST - Q11 Arrow Right Question: Solicitation # UU209377496 24×7 or Any Type of Monitoring Support • The RFP does not explicitly call out 24×7 monitoring. Do you require round the clock monitoring, or a defined business hours coverage model for the enclaves and related compliance functions? Arrow Right Answer: a. We expect to expand our compliance monitoring and incident response programs with the vendor. The vendor shall help improve and mature our existing systems with existing or new technology proposals. The expectation is that the University will maintain operations. 12/19/2025 10:11 AM EST 01/12/2026 02:02 PM EST - Q12 Arrow Right Question: Solicitation # UU209377496 24×7 or Any Type of Monitoring Support • What availability targets and maintenance windows should the vendor design around to ensure operations do not impact research workflows? Arrow Right Answer: a. We expect to expand compliance monitoring and incident response programs with the vendor. 
The vendor shall help improve and mature our existing systems with existing or new technology proposals. The expectation is that the University will maintain operations. CHPC does not guarantee 24/7 uptime to users. CHPC markets itself to users as supporting standard office hours only. Service interruptions that occur outside of standard office hours are not guaranteed to be resolved until the next business day. 12/19/2025 10:12 AM EST 01/12/2026 02:02 PM EST - Q13 Arrow Right Question: Solicitation # UU209377496 Tool Licensing Only vs. Broader Services • Please confirm that the engagement is not limited to tool licensing and includes professional services: compliance roadmap, mock audits, training, documentation, and post implementation advisory. Arrow Right Answer: a. Professional services are being sought. The examples such as compliance roadmap, mock audits, training, documentation, and post implementation advisory are good but not exhaustive of the work. Refer to the RFP and include needed professional services in your responses. 12/19/2025 10:12 AM EST 01/12/2026 02:02 PM EST - Q14 Arrow Right Question: Solicitation # UU209377496 Tool Licensing Only vs. Broader Services • If any software/compliance tool licensing is expected within scope, which products and license quantities/terms should be included in the vendor proposal? Arrow Right Answer: a. Prepare with a base subscription of 300 and scale to 1,200 over three years. This will include system admins, support teams, and researchers. 12/19/2025 10:12 AM EST 01/12/2026 02:02 PM EST - Q15 Arrow Right Question: Solicitation # UU209377496 Support Post Installation & Level of Support • For post implementation support, what support tiers and deliverables do you require (e.g., advisory for audits/renewals, compliance monitoring, configuration guidance, documentation maintenance)? Arrow Right Answer: a. 
For post implementation support we seek an ala cart like menu that includes, but is not limited to advisory for audits/renewals, compliance monitoring, configuration guidance, documentation maintenance)? 12/19/2025 10:13 AM EST 01/12/2026 02:02 PM EST - Q16 Arrow Right Question: Solicitation # UU209377496 Support Post Installation & Level of Support • What are your expectations for uptime/downtime definitions, availability SLAs, credit policies, root cause analysis reports, and change communication for cloud like components referenced under FedRAMP applicability? Arrow Right Answer: a. Industry-standard SLAs are generally appropriate. Research systems have more grace for downtime than life safety systems. 99% percent is acceptable, but the details will need to be handled on a case-by-case basis. 12/19/2025 10:13 AM EST 01/12/2026 02:02 PM EST - Q17 Arrow Right Question: Solicitation # UU209377496 Support Post Installation & Level of Support • What training and knowledge transfer outcomes should be met (role based admin training, logging/monitoring setup, patch & vulnerability workflows, backup/recovery, secure baselines), and do you require SCORM compliant modules for your LMS? Arrow Right Answer: a. We expect the staff of CHPC and Engineering to be experts in building, maintaining, and operating NIST 800-171 and CMMC systems. They are already professionals in their domains and highly qualified. The vendor will be tasked with tuning their expertise to the aforementioned standards. SCORM packages are not expected for expert level training. They are a nice to have for end users, but we have existing systems like KnowBe4 to address base security and compliance training. 12/19/2025 10:14 AM EST 01/12/2026 02:02 PM EST - Q18 Arrow Right Question: Solicitation # UU209377496 Microsoft Licensing (Not specified in RFP — seeking clarification) • Which Microsoft licensing tier is currently in use across the enclaves and supporting systems (G3, G5, G5 Security, etc.)? 
Arrow Right Answer: a. No existing SaaS service supports the enclave. We are very interested in acquiring a FedRamp High service to act as ‘core infrastructure’ for our enclaves as they grow and evolve. 12/19/2025 11:19 AM EST 01/12/2026 02:02 PM EST - Q19 Arrow Right Question: Solicitation # UU209377496 Microsoft Licensing (Not specified in RFP — seeking clarification) • Are there any plans to upgrade or change Microsoft licensing tiers in the foreseeable future? Arrow Right Answer: a. We plan to acquire a FedRamp High SaaS solution to act as shared core infrastructure between enclaves and to provide modern tools to researchers. b. see attachments 12/19/2025 11:19 AM EST 01/12/2026 02:02 PM EST - Q20 Arrow Right Question: Solicitation # UU209377496 Asset Inventory (Not specified in RFP — seeking clarification) • Please provide the list of all assets within the enclave scopes (compute nodes, storage systems, network devices, identity/security infrastructure, endpoint types) to support control mapping, mock audit planning, and implementation guidance. Arrow Right Answer: a. In Engineering the follow assets exist i. A small network ii. Some physical and virtual servers iii. Some physical and virtual storage b. CHPC’s Citadel environment currently consists of approximately: i. Some 50 virtual and physical systems ii. Storage, about 500TB 12/19/2025 11:19 AM EST 01/12/2026 02:02 PM EST - Q21 Arrow Right Question: Solicitation # UU209377496 Scope Execution & Governance (from RFP) • For the mock CMMC Level 2 audit (CoE), what acceptance criteria and evidence do you expect to demonstrate readiness (including Supplier Performance Risk Score context)? Arrow Right Answer: a. A current NIST 800-171 self-assessment is completed, scored, and posted in SPRS, with a clear narrative linking SSP, POA&M, and residual risks. b. 
For the mock CMMC Level 2 audit, we expect to exit with a complete and approved set of CMMC/NIST 800-171 policies, procedures, guidance, and plans; a gap assessment, a mapped evidence set and repeatable evidence-collection process for each in-scope practice; a current, defensible NIST 800-171 self-assessment and SPRS score that the mock assessor can reproduce; and a prioritized POA&M and audit playbook that position the university to successfully pass a C3PAO assessment in Fall 2026. 12/19/2025 11:20 AM EST 01/12/2026 02:02 PM EST - Q22 Arrow Right Question: Solicitation # UU209377496 Scope Execution & Governance (from RFP) • For the NIST 800 171r3 HPC enclave (CHPC), how will the University define production readiness, and which stakeholders approve it (Information Security Office, CHPC leadership)? Arrow Right Answer: a. CHPC leadership will determine technical and operational readiness of the NIST 800 171r3 HPC enclave within CHPC to onboard and support users; Engineering IT Leadership will determine the technical and operational readiness of the CMMC enclave; the Information Security Office, with input from CHPC leadership, Engineering Leadership, and the Research Security Office, will determine compliance readiness of the enclave(s), taking into account that all documentation has been delivered and approved and University personnel have been trained and equipped to maintain compliance (i.e., items c and d under 11. Acceptance Criteria under 3.01 Scope of Work). 12/19/2025 11:20 AM EST 01/12/2026 02:02 PM EST - Q23 Arrow Right Question: Solicitation # UU209377496 Scope Execution & Governance (from RFP) • What is the expected timeline alignment with University scheduling constraints and the weekly status updates/meeting minutes/issue tracking cadence? Arrow Right Answer: a. A finalized scheduling plan will be established after award for each effort but generally i. A Bi-Weekly update for Stakeholders (solve issues, remove barriers, make decisions) ii. 
A Core technical sync weekly 1. Likely to be separate weekly meetings on particular subject areas i. routine conversations and communications via chat, email, video between parties is expected 12/19/2025 11:20 AM EST 01/12/2026 02:02 PM EST - Q24 Arrow Right Question: Solicitation # UU209377496 FedRAMP Applicability (from RFP) • For cloud like solutions in CHPC, how should the vendor advise on FedRAMP applicability and Moderate control alignment within the RE architecture? Which boundary documents and authorizations are already in place or planned? Arrow Right Answer: a. For the purposes of this RFP the interest lies with Services and Infrastructure. b. CHPC has received advice that our future RE environment may meet the definition of a cloud service provider (CSP) and therefore be subject to FedRAMP. The source of this advice could not provide a definitive answer at the time. CHPC is seeking expert guidance on whether or not the RE would meet the CSP definition and whether or not it would be subject to FedRAMP. We consider that possibility unlikely. c. CMMC (32 CFR 170.4-b) defines a “Cloud Service Provider (CSP)” as an external company providing cloud services based on cloud computing. This definition references NIST SP 800-145 from September 2011 (current version as of December 2025). 800-145 specifies “on-demand self-service” to be an essential characteristic of cloud computing. Citadel is part of the University, so it is not acting as a CSP to the University nor to the researcher. Citadel is not providing on-demand self-service to the granting agency nor to the researcher, so it is not acting as a CSP to the granting agency. 
12/19/2025 11:20 AM EST 01/12/2026 02:02 PM EST - Q25 Arrow Right Question: Current Boundary Diagrams and In-scope Asset Inventories Please provide (or confirm the availability of) current boundary diagrams and in-scope asset inventories for: (a) Price College of Engineering (CoE) CMMC Level 2 enclave, (b) CHPC planned enclave, and (c) CMMC Level 1 systems supporting enclave work. Arrow Right Answer: 1. See questions 2, 3, 5 2. CHPCs planned enclave does not yet exist and so does not yet have boundary diagrams 3. CMMC L1, L2 systems are operational and supporting enclave work. 12/23/2025 02:42 PM EST 01/12/2026 02:02 PM EST - Q26 Arrow Right Question: Environment Scope For each environment, please confirm the authoritative definition of “in scope” (systems, networks, identities, endpoints, storage, backups, monitoring, and administrative pathways) and identify any required external interconnections (cloud services, collaborators, vendors, other institutions). Arrow Right Answer: 1. For both enclaves, the scope includes any system, network, identity, endpoint, storage, backup, monitoring tool, or administrative pathway involved in the transmission, processing, storage, or management of CUI, ITAR, or NIH Controlled Access Data. 2. There are no current cloud connections, but connections are expected as we enable SaaS based systems for collaboration and centralization of core security operations. 3. CHPC Citadel and RE: assets considered as in-scope have been inventoried and labelled as such, using the standard 800-171r2 and CMMC definitions (32 CFR 170.19-c-1): assets that process/store/transmit CUI are in-scope, as are assets that provide security protection services or store security protection data. Paths to external elements (e.g. data transfers with external grantors and communication with cloud-based services) are documented and secured as required by NIST 800-171rev2. 
An endpoint hosting a VDI client configured to not process/store/transmit CUI beyond the keyboard/video/mouse activity of the VDI client is also considered to be out-of-scope. CHPC Citadel makes use of one external cloud-based service: MFA. 12/23/2025 02:43 PM EST 01/12/2026 02:02 PM EST - Q27 Arrow Right Question: CMMC Level 1 Scope For CMMC Level 1 scope, does “systems that support the work done in the enclaves” include shared services such as central IAM, networking, security tooling/SOC, ticketing/change management, and backup platforms? If yes, please indicate which are expected to be assessed as in-scope versus treated as inherited/shared controls. Arrow Right Answer: 1. There are no shared services, at present. We intend to purchase a FedRAMP HIGH solution that would permit inheritance of IAM, security tooling, etc. into the CoE SSP. But again, at present all services for CMMC are hosted and maintained within the enclave. 12/23/2025 02:44 PM EST 01/12/2026 02:02 PM EST - Q28 Arrow Right Question: Clarification on CHPC NIST SP 800-171 Revision 2&3 Deliverable Requirements For CHPC, the target is NIST SP 800-171 Revision 3. Please confirm whether deliverables must also include mapping and readiness views for NIST SP 800-171 Revision 2 to support active DoD awards (if applicable), or whether Revision 3-only alignment is sufficient. Arrow Right Answer: 1. The current priority for CHPC RE is Revision 3. However, within the next five years the university intends to merge secure computing operations under CHPC. This may take the form of Engineering’s Enclave being adopted by CHPC or the build of another enclave. CHPC does /NOT/ expect the RE to comply with 171-rev2 or CMMC 2.0. Awardee will help inform this strategy. 
12/23/2025 02:47 PM EST 01/12/2026 02:02 PM EST - Q29 Arrow Right Question: Confirmation of DFARS Assessment Support and Applicable Clauses Please confirm whether the University expects vendor support for DFARS-related assessment mechanics, including SPRS-related activities (e.g., scoring support) and any required affirmations, and identify which DFARS clauses are currently applicable to the enclaves and supporting systems. Arrow Right Answer: 1. The intent would be that a future C3PAO do the above stated work. The awardee would support the preparation so a C3PAO can provide affirmative affirmations to the systems. Help in identifying DFARS clauses that may be applicable is welcome; historically outside council has helped us in that work but engagement by awardee would be expected to some degree. 12/23/2025 02:48 PM EST 01/12/2026 02:02 PM EST - Q30 Arrow Right Question: FedRAMP Moderate Compliance Expectations for CHPC Enclave The RFP references a “FedRAMP Moderate compliant enclave” for CHPC. Please clarify whether the University intends: (a) FedRAMP Moderate–aligned control intent and documentation discipline, (b) exclusive use of FedRAMP Moderate Authorized cloud services for applicable components, or (c) an Agency ATO-style authorization package for the enclave (or another interpretation). Arrow Right Answer: 1. We do not intend for our services to be FedRAMP. However, we are seeking to understand if our services may need to be FedRAMP. We largely believe they will not but vendor guidance is requested on the matter. 12/23/2025 02:52 PM EST 01/12/2026 02:02 PM EST - Q31 Arrow Right Question: Cloud Services If cloud services are within scope for CHPC and/or CoE, please list the currently selected/approved cloud services and indicate whether they are FedRAMP Moderate Authorized (or planned to be). Arrow Right Answer: 1. A vendor has not been selected or approved; however, we expect they will be FedRAMP High 2. 
Recommendations from awardee will be taken into consideration prior to finalizing a FedRAMP solution 12/23/2025 02:54 PM EST 01/12/2026 02:02 PM EST - Q32 Arrow Right Question: Constraints or Requirements for Regulated Research Please identify any known constraints or requirements related to regulated research (e.g., ITAR/EAR/export controls), including staffing eligibility restrictions, background checks, onboarding requirements, and limitations on vendor access to systems and documentation. Arrow Right Answer: 1. Work in University Enclaves are subject to the compliance programs noted in the question. We expect that the awardee can provide subject matter experts capable of discussing these, and more, compliance programs with university staff. The full details of any project should not be shared, but out of an abundance of caution we are seeking experts that could participate in ITAR or Export Controlled conversations like a project member. This is not expected of all staff, but a core contingent should be able to ‘participate’ at this level. 12/23/2025 02:55 PM EST 01/12/2026 02:02 PM EST - Q33 Arrow Right Question: Vendor Access Expectations Please confirm vendor access expectations for readiness assessment and mock audit activities, including allowed remote access methods, security requirements (MFA, bastion, session recording), onsite requirements, and any restrictions on testing/validation activities in production. Arrow Right Answer: 1. No access is expected for awardee. University professionals will provide details and display relevant information as needed. If gaps exist awardee will help remediate with by introducing policy, procedure, practices, and system design principals to university staff for implementation. 
12/23/2025 02:56 PM EST 01/12/2026 02:02 PM EST - Q34 Arrow Right Question: Existing Compliance Artifacts Please provide an inventory (or confirm availability for review) of existing compliance artifacts for CoE and CHPC, such as SSP(s), policies/standards/procedures, diagrams, tool outputs (vulnerability scans, SIEM/SOC processes), prior assessments, training records, incident response artifacts, and POA&Ms Arrow Right Answer: 1. These items are all available to review on award for both the CHPC and Engineering 12/23/2025 02:57 PM EST 01/12/2026 02:02 PM EST - Q35 Arrow Right Question: Evidence Handling and Repository Expectations Please describe the University’s preferred evidence handling and repository expectations (e.g., University-owned storage platforms, restrictions on vendor-hosted repositories) and whether use of a vendor-operated GRC tool for tracking and reporting is permitted. Arrow Right Answer: 1. We are very interested in leveraging a GRC tool for tracking and reporting evidence. The long-term strategy is compliance automation. Awardee suggestions of tools are welcome and expected. With consideration to how we intend to scale our operations a GRC tool to track compliance is almost mandatory for success. 12/23/2025 02:58 PM EST 01/12/2026 02:02 PM EST - Q36 Arrow Right Question: Prime Contractor Eligibility Confirmation Please confirm whether a prime contractor with a C3PAO partner/subcontractor (Authorized or Candidate) satisfies the RFP requirement, and whether the University requires specific documentation (e.g., letter of commitment, roles/responsibilities matrix) at proposal submission. Arrow Right Answer: 1. A prime contractor with a C3PAO partner/subcontractor can satisfy the requirement. Documentation stating the C3PAO’s commitment and satisfaction of all relevant pass/fail expectations would be required. 
12/23/2025 03:00 PM EST 01/12/2026 02:02 PM EST - Q37 Arrow Right Question: Desired Engagement Structure Please confirm the University’s desired engagement structure under the non-exclusive contract (task order process, expected use of fixed-price deliverables vs. time-and-materials vs. hybrid, expected initial period of performance). Arrow Right Answer: 1. Below is an example of how vendors may envision the engagement. This is provided as an example and is not meant to be reflective of specific work or deadlines. Please the good judgement of your organization to digest the requirements of the RFP to put forth your best proposals. See attachments for charts • If you go with time and material, you will be required to complete the work before invoicing the university. The invoice will need to be itemized and net30 at a minimum. • Projects payments structures are flexible. The minimum billing cycle is 30 days; However the University would prefer quarterly if a project is expected to take more than 4 months. ] • We would like the proposed fee and the travel/tools/third party licenses to be included in the "all inclusive" number, not to exceed an annual amount. We would also like to see the menu of rates for the calculation but the vendor needs to provide a proposed annual amount based on those rates. Same with the travel/tools/third part licenses. • Please note: we are seeking a long-term partner in our evolution, we expect there to be task-based outcomes for each enclave and new adaptations as our research pool expands, we prefer an integrated approach (Engineering and CHPC) because we intend for operations to centralize at some point in the future. 12/23/2025 03:01 PM EST 01/12/2026 02:02 PM EST - Q38 Arrow Right Question: Target Dates Please provide any target dates or time windows for: (a) CHPC enclave design completion, (b) CHPC readiness validation, (c) CoE CMMC Level 2 mock audit, and (d) planned formal CMMC Level 2 certification assessment (if scheduled). 
  Answer:
  1. The Mock Audit is expected to be a priority for the College of Engineering and the Research Security Office following award.
  2. We plan to seek C3PAO certification in the Fall of 2026.
  12/23/2025 03:02 PM EST · 01/12/2026 02:02 PM EST
- Q39 Question: Readiness Definition Criteria
  Please confirm the University’s definition of “readiness” for: (a) CHPC third-party validation of NIST SP 800-171r3 posture, and (b) CoE formal CMMC Level 2 certification, including preferred reporting format (pass/fail by practice, risk-ranked findings, evidence sufficiency scoring).
  Answer:
  A) DR: CHPC will be considered ready for validation when 1) all controls have satisfactory policies/procedures/guidance; 2) evidence necessary for all controls has been identified and recorded; 3) all known outstanding deficiencies have been documented and a POAM for remediation identified.
  12/23/2025 03:04 PM EST · 01/12/2026 02:02 PM EST
- Q40 Question: Objective 7 Clarification
  Objective 7 references expanding the CMMC Level 2 enclave to encompass the Nanofabrication Laboratory and other shared lab spaces. Please clarify whether the University expects design/strategy deliverables only (boundary model, architecture, backlog) or implementation support (segmentation changes, workstation rebuilds, access control changes), and whether vendor remote access to lab instrumentation is permitted.
  Answer:
  1. The University expects design/strategy deliverables only. The University does not expect or intend the awardee to provide implementation support for the CMMC environment. No remote access to lab instrumentation by non-university employees will be permitted.
  12/23/2025 03:05 PM EST · 01/12/2026 02:02 PM EST
- Q41 Question: Grant Funding
  Which Grant is funding this initiative?
  Answer:
  • No Grant is funding this initiative.
  12/23/2025 03:05 PM EST · 01/12/2026 02:02 PM EST
- Q42 Question: Staff Credentialing Requirements
  Please confirm minimum credentialing expectations (if any) for engagement staff, including desired or required levels/quantities of CMMC ecosystem personnel (CCA, CCP) and audit personnel (e.g., CISA), and whether these may be satisfied via subcontractor staff.
  Answer:
  • See the RFP Questions for Credentialing Expectations.
  • Subcontractor staff may satisfy these expectations; however, subcontractors must be named and meet pass/fail qualifications identified in the RFP.
  12/23/2025 03:07 PM EST · 01/12/2026 02:02 PM EST
- Q43 Question: Accessibility Requirements for Deliverables
  Please confirm the University’s accessibility requirements for deliverables under Section 508 and the ADA, including any specific standards (e.g., WCAG level) and required formats (tagged PDFs, accessible Word/PowerPoint, alt text for diagrams), and whether the University provides accessible templates to be used.
  Answer:
  The University of Utah expects anything you deliver to be accessible under ADA and Section 508. In practical terms, that means:
  • Aim for WCAG 2.1 Level AA for all digital content (see the University’s accessibility pages and DOJ/Title II guidance on WCAG 2.1 AA).
  • Documents should be accessible Word/PowerPoint or properly tagged PDFs (headings, reading order, tagged tables, real lists, etc.), consistent with the University’s digital accessibility guidance.
  • Include alt text for images and diagrams, and captions or transcripts for any audio/video.
  The University’s main accessibility and digital accessibility resources are here:
  • Accessibility home: Accessibility Utah
  • Digital & web accessibility / Web Essentials: Digital Utah
  The University can provide accessible templates and branding guidance, and you’d be expected to either use those or match that standard in anything you create.
  12/23/2025 03:08 PM EST · 01/12/2026 02:02 PM EST
- Q44 Question: CUI Asset Identification (The Core Scope)
  • Data Entry: Which departments (e.g., Engineering, HR, Finance) receive or create documents for DoD contracts?
  • Storage: Is CUI stored on local file servers, in the cloud (SharePoint/OneDrive), or on physical media like encrypted thumb drives?
  • Communication: Do employees discuss or send technical data via email, Slack, or Microsoft Teams?
  • Endpoints: Which laptops, workstations, or mobile devices are used to access these files or applications?
  Answer:
  1. The PIs and the Research Security Office receive and create documents. Work is completed in appropriate spaces as determined via the granting office.
  2. CUI is stored on local file servers within the secure enclave. CUI is transported on encrypted physical media if requested by the project sponsor or in situations where secure encrypted network connections are unavailable. Cloud storage is being investigated as part of the FedRAMP strategy.
  3. Employees are not permitted to discuss technical details electronically, at this time. We are seeking a FedRAMP solution to extend features and functionality like those listed.
  4. Endpoints listed are not allowed at present. All work must occur over VDI when interacting with CUI. If a PI required a laptop, or workstation, our intent is that a FedRAMP partner could provide MDM that would enable those endpoints, but there are no current plans to pursue those endpoints for hosting CUI.
  12/23/2025 03:37 PM EST · 01/12/2026 02:02 PM EST
- Q45 Question: Security Protection Assets (SPAs) Identification
  • Infrastructure: Which firewalls, switches, and routers manage the traffic for your CUI environment?
  • Security Tools: What tools provide MFA (Multi-Factor Authentication), EDR (Endpoint Detection), or SIEM (Log Management)?
  • People: Who are the IT admins or external Managed Service Providers (MSPs) that have "keys to the kingdom" for these security systems?
  Answer:
  1. The infrastructure listed is present in our environments.
  2. The people who operate the systems are vetted University of Utah staff in the CHPC and Engineering departments.
  3. We do not have any MSPs.
  12/23/2025 03:38 PM EST · 01/12/2026 02:02 PM EST
- Q46 Question: Contractor Risk Managed Assets (CRMAs) Identification
  These are assets that could access CUI but aren't intended to (e.g., they are on the same network).
  • Connectivity: Are there workstations on the same office network that don't work on DoD projects but aren't logically separated (VLANed) from those that do?
  • Shared Services: Do you have shared printers or scanners used by both the CUI team and the general staff?
  Answer:
  1. CUI operations are separated logically and physically from normal operations.
  2. No services are shared between general operations and CUI activity.
  3. No equipment is shared between CUI handling and regular office activities.
  4. We intend to provide the ability for researchers to complete administrative operations like email, chat, and co-creation of documents with a FedRAMP High solution.
  5. We do not intend to provide printers or scanners to researchers at this time or in the near future.
  12/23/2025 03:40 PM EST · 01/12/2026 02:02 PM EST
- Q47 Question: Specialized Assets Identification
  These often have technical limitations that make standard security controls difficult to implement.
  • Shop Floor: Do you have Operational Technology (OT) like CNC machines, PLCs, or 3D printers that receive digital design files?
  • Government Gear: Do you have Government Furnished Equipment (GFE) that you aren't allowed to modify or install software on?
  • Test Gear: Are you using oscilloscopes or spectrum analyzers that are networked to your CUI environment?
  Answer:
  1. Yes, we have OT required for our research, and more OT is expected to be required over time. We are seeking solutions to help streamline the onboarding of OT into our operations. The Nanofabrication Laboratory is the premier use case for this type of work.
  2. We do have limited GFE provided. It is managed by TCP on a project-by-project basis and is largely laptops. The equipment is managed by the providing agency and physically secured by researchers according to the TCP.
  3. At present no OT connects to the enclave directly. A TCP and CUI Flow Policy determines how data moves from the secure rooms where CUI/ITAR are generated and how it gets to the enclave.
  4. Currently we have no OT networked to our enclave; however, part of this RFP is helping architect solutions that permit OT to connect directly to our enclaves.
  12/23/2025 03:41 PM EST · 01/12/2026 02:02 PM EST
- Q48 Question: Physical & Logical Boundary
  • Facilities: Are there specific locked rooms or areas where CUI is handled? Does your badge system log every entry?
  • Cloud Boundary: Are your cloud services FedRAMP Moderate or "Equivalent"? (e.g., moving from commercial Microsoft 365 to GCC High).
  • Remote Work: Do employees access CUI from home? If so, is it via a secure Virtual Desktop (VDI) or are they downloading files to home-based hardware?
  Answer:
  1. Yes, there are locked rooms and areas where CUI is handled.
  2. The system does log every entry; each enclave has an independent system. Part of the proposal is requesting a proposal for unifying physical controls across the existing and future locations.
  3. No services are currently operating in the Cloud or Fedramp. We expect to begin using Fedramp services as part of this engagement.
  4. Tightly defined TCPs allow for remote-based work on CUI. However, it must occur over VDI, and the download of files to home-based hardware is strictly prohibited by technical and policy-based controls.
  12/23/2025 03:42 PM EST · 01/12/2026 02:02 PM EST
- Q49 Question: Attachment A - Vendor Response Form
  Attachment A: Vendor Response Form is referenced in section 4.02, page 12, but is not available through Bidnet. In addition, Attachment A is referenced as the Cost Proposal in the Table of Contents. Please clarify if there is a Vendor Response Form we are to use in creating our response or if we are to create a response form following the numbering and order of sections 3 and 4.
  Answer:
  That was a missed edit that should have been made prior to publishing. 'Attachment A' should be the 'Cost Proposal' form. In addition, vendors are expected to create their own response documents responding to this solicitation. Those response documents should NOT also be labeled as 'Attachment A'.
  12/29/2025 12:38 PM EST · 12/29/2025 01:07 PM EST
- Q50 Question: Costs and Fees
  Attachment B is referenced for providing Costs and Fees in section 2.12, page 7. Please confirm that Costs and Fees are to be provided in Attachment A: Costs and Fees.
  Answer:
  Another missed edit prior to publishing. Section 2.12 is meant to refer to 'Attachment A', which is included in the documents. All other documents will need to be created/produced by the vendor as part of your submission.
  12/29/2025 12:39 PM EST · 12/29/2025 01:07 PM EST
- Q51 Question: Engagement model / ordering
  The RFP describes a non-exclusive contract and says the University doesn’t guarantee volume. Will work be issued via task orders/SOWs, and will CHPC + Engineering be competed per task, or should offerors propose an integrated base approach that covers both environments from day one?
  Answer:
  1. See Q37, please.
  12/30/2025 11:47 AM EST · 01/12/2026 02:02 PM EST
- Q52 Question: System boundary + data types
  For each enclave (CoE CMMC L2, Nanofab expansion, CHPC “Regulated Environment” replacing Citadel), can the University provide the intended authorization boundaries and key data types (e.g., CUI categories, NIH controlled-access data), plus any boundary constraints with central university services (identity, logging, patching, egress)?
  Answer:
  1. The CoE enclave has ingress and egress from the university but maintains an independent next-gen firewall as a boundary. All security functions are handled internally to the enclave. CoE deals with CUI and ITAR, at present.
  2. A vision of the future for a shared core (see attachments).
  3. DR – The CHPC Regulated Environment is intended and expected to handle regulated information from many sources to be used by researchers in many disciplines. NIH controlled access data is a known significant portion of the expected work. PHI/PII are also expected, both CUI from USGov sources and non-CUI from other sources (e.g. the University’s Health Sciences Center). We are also expecting some currently non-regulated data to become CUI.
  4. The CHPC Regulated Environment will be fully separated from the University’s general IT support systems. Identity, logging, patching, and traffic filtering will be performed by equipment dedicated specifically to the CHPC RE and the University’s regulated data efforts in general.
  12/30/2025 11:48 AM EST · 01/12/2026 02:02 PM EST
- Q53 Question: Assessment approach & scoring outputs
  For the “mock audit” and readiness validation, what assessment methodology does the University expect (e.g., CMMC L2 assessment guides, NIST 800-171A procedures), and do you require deliverables aligned to SPRS-style scoring or specific evidence artifacts (interview/test/examine mapping) to support later third-party assessment?
  Answer:
  1. We expect the CoE enclave will go to CMMC Level 2, and we intend to be able to support a later third-party assessment.
  2. Our goal is to improve our SSP and Evidence to such a degree that we have a ready-made package to deliver to the C3PAO on arrival.
  12/30/2025 11:49 AM EST · 01/12/2026 02:02 PM EST
- Q54 Question: C3PAO requirement interpretation
  Section 4.01.4 asks whether the vendor is a C3PAO or on track within 12 months. Is being a “candidate” acceptable as prime at award, and if not, is teaming/subcontracting with an authorized C3PAO acceptable for the mock audit and advisory work?
  Answer:
  1. See questions 36 and 42.
  2. A prime contractor with a C3PAO partner/subcontractor can satisfy the requirement. Documentation stating the C3PAO’s commitment and satisfaction of all relevant pass/fail expectations would be required.
  12/30/2025 11:49 AM EST · 01/12/2026 02:02 PM EST
- Q55 Question: FedRAMP in an on-prem/HPC context
  The scope references a “planned FedRAMP Moderate compliant enclave”. Is the University seeking (a) guidance to align controls for a cloud service authorization, (b) a FedRAMP-like control baseline applied to on-prem infrastructure, or (c) support for specific cloud integrations (e.g., GovCloud/Azure Gov) that will require a defined CSP/authorization boundary?
  Answer:
  1. See attachments.
  2. Above is a simplistic vision for how a FedRAMP SaaS solution would support the operations of CoE and CHPC enclaves.
  3. We would be seeking confirmation of this strategy from the awardee. We would be seeking advisement on a CSP authorization boundary.
  4. We are not seeking for our solutions to be FedRAMP authorized; we intend to consume FedRAMP services when and where it is technically best and affordable to do so.
  5. We would be seeking guidance and support in a FedRAMP-based SSP that CHPC and CoE could inherit from into their own SSPs. E.g., IAM, Monitoring, Vulnerability Management, etc.
  6. The goal with a FedRAMP core would be to reduce the administrative, security, and management of the CoE and CHPC enclaves by using shared core services. This will allow each enclave and their SSP to specialize in the domains that differentiate them from each other.
  12/30/2025 11:51 AM EST · 01/12/2026 02:02 PM EST
- Q56 Question: Implementation responsibility boundary
  The RFP states the University will implement controls “with guidance from Vendor”. What level of hands-on work is permitted/expected (e.g., configuration changes, tooling deployment, SIEM/EDR integration), and what are the University’s change-control constraints (maintenance windows, approval gates) for enclave production systems?
  Answer:
  1. Hands-on work by vendor is not expected. We do expect advisory sessions where a SME from vendor walks university staff through the configuration of a tool like a SIEM or an EDR. These examples may cover dozens of use cases.
  2. Vendor work will primarily focus on upskilling university staff, architecting compliant solutions, prescribing evidence collection and procedure best practices, providing and improving our policy documents, etc.
  3. The systems have generous maintenance windows, as some will be greenfield or have low user counts, so coordination of downtime is easily achieved.
  12/30/2025 11:52 AM EST · 01/12/2026 02:02 PM EST
- Q57 Question: Access, export control, and evidence handling
  What access model will be available to the vendor team (on-site, remote, jump hosts, VDI), and are there requirements for background checks, export control/ITAR eligibility, or restrictions on removing evidence (screenshots/log exports) from the enclave, i.e., what is the approved evidence collection and storage approach?
  Answer:
  1. You will be required to follow the same access policies third-party partners are expected to follow in NIST 800-171. Access, virtual or physical, will be monitored by University of Utah staff.
  2. We do not expect the need for vendor access to internal regulated systems. If a situation demands it, we will use existing policy and procedures to address the need.
  3. Yes, we do have processes for background checks, and training required to access systems. Export control and ITAR eligibility would be required of anyone accessing systems containing that data.
  12/30/2025 11:53 AM EST · 01/12/2026 02:02 PM EST
- Q58 Question: CMMC Mock Assessment
  Is there any agency that will use the FedRAMP enclave? Or is the enclave just implementing FedRAMP Moderate controls?
  Answer:
  1. We do not intend for our enclaves in the CoE or the CHPC to need FedRAMP compliance for them to operate. We are seeking guidance on if we are teetering on that point with CHPC’s proposed Regulated Environment.
  2. We do anticipate we will introduce FedRAMP High or Moderate services to support and/or improve core operations of our enclaves. At the point we deploy a SaaS-based FedRAMP High Service, we intend to provision accounts for private and public partners as research projects dictate. We would be the consumers, not the providers, of any FedRAMP system.
  12/30/2025 11:54 AM EST · 01/12/2026 02:02 PM EST
- Q59 Question: Cost proposal basis & formula inputs
  The cost section says pricing must be all-inclusive for the first 2-year term and provides a cost scoring formula. Should “proposed fee” be interpreted as the total 2-year not-to-exceed, an annualized amount, or a menu of rates, and should travel/tools/third-party licenses be included in the “all-inclusive” number on Attachment A?
  Answer:
  1. See Q37, please.
  12/30/2025 11:55 AM EST · 01/12/2026 02:02 PM EST
- Q60 Question: CMMC Mock Assessment
  There are 2 assessments mentioned in the RFP. Will the first one be a CMMC Level 2 Mock Assessment and the other a NIST 800-171 R3 Assessment?
  Answer:
  1. Yes, CoE will require a CMMC Level 2 mock assessment.
  2. Yes, CHPC will require a NIST 800-171r3 mock assessment.
  12/30/2025 11:56 AM EST · 01/12/2026 02:02 PM EST
- Q61 Question: CMMC Number of Cage Codes
  How many CAGE Codes will be in scope? To perform a Mock assessment, we will need the CAGE Codes in scope.
  Answer:
  1. We intend to use one CAGE code.
  12/30/2025 11:57 AM EST · 01/12/2026 02:02 PM EST
- Q62 Question: FedRAMP enclave
  Will the University require help in implementing FedRAMP (NIST 800-53) controls as well?
  Answer:
  1. No, we do not intend to provide FedRAMP services.
  12/30/2025 11:58 AM EST · 01/12/2026 02:02 PM EST
- Q63 Question: RFP Follow-Up Questions
  1. For evaluation purposes, should vendors propose a single integrated engagement covering both CHPC and Engineering, or two distinct workstreams with separate approaches, staffing, and timelines?
  2. Does the University prefer parallel execution of CHPC (NIST 800-171r3 / FedRAMP-aligned) and Engineering (CMMC Level 2), or a phased approach?
  3. Should proposals assume hands-on technical implementation support by the vendor, or primarily advisory/readiness services with University staff executing changes?
  4. What level of technical and architectural specificity is expected in the proposal (e.g., reference architectures, control examples, SSP/POA&M excerpts)?
  5. Would inclusion of sanitized example deliverables (SSP sections, POA&Ms, mock audit reports) be viewed favorably, or is high-level methodology preferred?
  6. For scoring purposes, should the mock audit be proposed as a full C3PAO-style assessment simulation or a readiness-focused gap assessment, and is technical validation expected?
  7. For proposal scoping, should vendors assume responsibility for producing University-owned SSPs, POA&Ms, and evidence mappings, or advisory support with co-development?
  8. Should proposals assume the CHPC Regulated Environment is largely greenfield, or that significant components and controls are already in place, and is the primary objective assessment readiness or a production-ready compliant environment?
  9. For proposal scoping, should the Nanofabrication Laboratory be treated as requiring full CMMC Level 2 coverage, or targeted controls limited to systems handling CUI, and is this in-scope for the initial engagement?
  10. Does the University prefer pricing structured as fixed-price deliverables, time-and-materials, or a hybrid approach, and is itemized pricing by service component preferred?
  11. What factors most strongly influence scoring under “Demonstrated Ability to Meet Scope of Work”, and are there common weaknesses observed in prior proposals?
  Answer:
  1. Probably the second; CoE has a different immediate need, and compliance expectations, than CHPC; however, the long-term strategy for both CHPC and CoE is to merge secure research operations.
  2. We prefer a parallel approach if the vendor is capable of handling that.
  3. Assume primarily advisory/readiness services with University staff executing changes.
  4. We would like to see reference architectures and control examples, knowing that any examples would not be immediately relevant to our work without operational context from the University. Focus on demonstrating the quality of your work.
  5. A high level is required, and the support of a sanitized SSP and POA&M would be a great way to demonstrate the quality of your work.
  6. A readiness-focused gap assessment and technical evaluation. We intend to engage with a new C3PAO for a lite mock audit and full assessment in the Fall of 2026.
  7. Advisory support with co-development, primarily. There will be instances where we require the awardee to help produce parts of an SSP, Policy, or Procedure where their expertise is critical to the success of implementation.
     a. Engineering has an operational SSP and POA&M in good standing but could benefit from inclusion of better policy.
     b. CHPC’s ‘Citadel’ would require significantly more support.
  8. Yes, CHPC’s RE should be considered greenfield with opportunities to leverage your expertise in the creation of an operational SSP and POA&M.
  9. We would seek your expertise in how to best ‘thread the needle’, but we expect the NanoFab to need full CMMC Level 2 compliance for part of their operations. It will remain a teaching laboratory, so CMMC Level 2 operations will not always be possible.
  10. See Q37, please.
  11. Review the questions of the RFP and complete them to the best of your ability.
  12/30/2025 12:03 PM EST · 01/12/2026 02:02 PM EST
- Q64 Question: General Question
  Section 1.01 of the RFP references a “…a planned NIST SP 800-171r3 and FedRamp Moderate compliant enclave in the Center for High Performance Computing (CHPC).” Can the University clarify if it is their intent for this enclave to meet the requirements of CMMC and NIST SP 800-171r2?
  Answer:
  1. The CHPC Regulated Environment is intended to meet the requirements of NIST 800-171r3. It is /NOT/ expected to meet NIST 800-171r2 or CMMC 2.0 (which specifies r2).
  12/30/2025 01:41 PM EST · 01/12/2026 02:02 PM EST
- Q65 Question: General Question
  Section 1.01 of the RFP states that the in-scope enclaves include, “…a planned NIST SP 800-171r3 and FedRamp Moderate compliant enclave in the Center for High Performance Computing (CHPC).” Can the University expand on their scope and expectations for this enclave to be FedRamp Moderate compliant?
  Answer:
  1. As addressed in previous questions, we do not need to be FedRAMP compliant.
  12/30/2025 01:41 PM EST · 01/12/2026 02:02 PM EST
- Q66 Question: General Question
  Section 1.02 of the RFP mentions, “…the CoE operates a CMMC 2.0 enclave with an active Supplier Performance Risk Score submitted to the Department of Defense.” Can the University provide any insight into the status or state of that enclave? Can they share the enclave’s current SPRS score? Are there any active Plans of Action and Milestones?
  Answer:
  1. We will share the score once the RFP is awarded to the awardee.
  2. We have an active POA&M in which each item must be completed within 180 days of entry onto the POA&M.
  3. The enclave is successfully meeting the needs and expectations of researchers and is actively worked by CoE staff to ensure continued operational excellence.
  12/30/2025 01:41 PM EST · 01/12/2026 02:02 PM EST
- Q67 Question: General Question
  Section 1.02 of the RFP states that the CoE CMMC enclave is currently being expanded to, “…include the Nanofab Laboratory, which operates similarly to a manufacturing facility and serves both students and research staff.” Is there currently a process in place to manage access for potential and actual users (i.e. students, etc.)?
  Answer:
  1. Not for CMMC purposes.
  2. Our goal is to develop a plan that will incorporate the NanoFab lab into the CMMC enclave based on awardee recommendations.
  12/30/2025 01:42 PM EST · 01/12/2026 02:02 PM EST
- Q68 Question: General Question
  Section 1.02 of the RFP states that the University is seeking professional services to, “…provide expert guidance to further mature the enclave’s defense-in-depth strategy.” Can the University clarify its expectations for maturing the enclave’s defense-in-depth strategy? Is this detailed somewhere else in the RFP?
  Answer:
  1. No, it is detailed elsewhere in the RFP.
  2. The strategy is to centralize security operations between both enclaves to create shared security services using a FedRamp High SaaS vendor for support.
     a) See attachments.
  12/30/2025 01:42 PM EST · 01/12/2026 02:02 PM EST
- Q69 Question: General Question
  Section 1.02 of the RFP makes references to mandates from the National Institutes of Health (NIH) and NIH Controlled Access Data. Can the University provide clarification on the relationship between these NIH references and the scope of this RFP? Are there additional compliance expectations for these above and beyond those outlined in section 3.01 Scope of Work?
  Answer:
  1. DR: NIH Controlled Access Data specifies protections compliant with NIST 800-171. NIH does not mandate compliance expectations beyond NIST 800-171. As of December 2025, NIH authorizes use of both rev3 (current) and rev2 (previous) as guidance.
  12/30/2025 01:42 PM EST · 01/12/2026 02:02 PM EST
- Q70 Question: General Question
  Section 3.01 of the RFP includes a list of compliance standards and certifications the selected vendor will assist the University in preparing for – detailed in bullets a through h. Is it the University’s intent that both in-scope enclaves (CHPC and Engineering) will meet all compliance requirements listed in these bullets? If not, can the University clarify which compliance and certification requirements apply to each enclave?
  Answer:
  1. CoE only requires CMMC Level 2. There is no intent to host NIH Controlled Access data within the CoE enclave.
  2. There is a long-term strategy to merge management of the enclaves; however, this does not mean all enclaves must meet all compliance standards.
  12/30/2025 01:42 PM EST · 01/12/2026 02:02 PM EST
- Q71 Question: General Question
  Section 3.01 of the RFP provides a list of Project Objectives. This list includes the following: “Support the design and implementation of a NIST 800-171r3 High Performance Computing research enclave within CHPC.” Can the University clarify that the scope of work is focused on design and implementation? Is there an expectation of ongoing support for the enclave?
  Answer:
  1. CHPC is looking for Subject Matter Experts (SMEs) in scoping and building a research enclave that is compliant with NIST 800-171r3. The environment needs to be scalable in the future without the support of the chosen vendor. CHPC employees need to have access to SMEs and to be given best practice from other Research, Compute, and Data centers that already have a successful NIST 800-171r3 compliant enclave. So, there is no expectation of ongoing support for the enclave.
  12/30/2025 01:42 PM EST · 01/12/2026 02:02 PM EST
- Q72 Question: General Question
  Section 3.01 of the RFP provides a list of Project Objectives. This list includes the following: "Provide remediation actions for Engineering’s CMMC 2.0 Level 1 configuration and implementation for Federal Contract Information." We noted that the list of Vendor Responsibilities in this same section of the RFP does not appear to address expectations for this objective. Can the University provide additional detail on the expectations, scope, and requirements for Engineering's CMMC 2.0 Level 1 environment?
  Answer:
  1. We expect a technical gap analysis, evidence mapping, a POA&M and remediation path that leads us to be assessment ready in the next six months.
  12/30/2025 01:42 PM EST · 01/12/2026 02:02 PM EST
- Q73 Question: General Question
  Section 3.01 of the RFP states that one project objective includes development of, “…comprehensive cybersecurity compliance strategy tailored to both CHPC and Engineering.” Is it the University’s expectation that this comprehensive strategy includes factors beyond the scope of work detailed in section 3.01 of this RFP – for example, should it consider industry best practices or address system and data availability?
  Answer:
  1. See attachments.
  2. This is how we envision a comprehensive security strategy developing for the CHPC and CoE enclaves. Awardee would be expected to improve on and expand this line of thinking for operational excellence in CMMC and NIST 800-171 security operations.
  12/30/2025 01:43 PM EST · 01/12/2026 02:02 PM EST
- Q74 Question: General Question
  Section 3.01 of the RFP includes vendor responsibilities related to Requirements Gathering and states the selected vendor, “…will conduct stakeholder interviews across relevant departments.” Does the University have an expectation or preference for whether these interviews are conducted virtually or in-person?
  Answer:
  1. We can accommodate both in-person and virtual interviews.
  12/30/2025 01:43 PM EST · 01/12/2026 02:02 PM EST
- Q75 Question: General Question
  Section 3.01 of the RFP includes vendor responsibilities related to Solution Design and states that the selected vendor, “…will design a compliance roadmap for both CHPC and Engineering.” Can the University provide clarification on the scope and expectations for these compliance roadmaps?
  Answer:
  1. Stage one is that we have CMMC Level 2 and NIST 800-171 compliant enclaves.
  2. Our vision for the future looks like this, but we welcome and encourage discussion over the course of the engagement.
     a. See attachments.
     b. See attachments.
  12/30/2025 01:43 PM EST · 01/12/2026 02:02 PM EST
- Q76 Question: General Question
  Section 3.01 of the RFP includes vendor responsibilities related to Implementation Support and states that the selected vendor, “…will provide configuration guidance for technical systems.” Can the University provide clarification on the scope and expectations for the configuration guidance for technical systems needed? Does the University anticipate this could include architectural or engineering support? If so, can the University share any key technologies being employed or envisioned for which experts may be needed?
  Answer:
  1. CoE has immediate needs for architectural and engineering guidance on how to fold the Nanofabrication laboratory into the enclave. Longer-term, the CoE will require architectural and engineering support connecting to SaaS-based systems to extend security operations and provide users added functionality.
  2. CHPC anticipates that configuration guidance for technical systems may include architectural and engineering-level guidance, in addition to standard configuration recommendations. Currently CHPC has extensive in-house HPC architecture and engineering expertise, but lacks security architecture and engineering expertise. CHPC would be seeking guidance on selecting technologies and architectures that best meet NIST 800-171 requirements. The intent of this requirement is to obtain vendor expertise to assist CHPC in designing, configuring, and operationalizing a scalable and automated research computing and data environment that supports compliance with NIST SP 800-171. The University’s long-term objective is to enable researchers with varying data sensitivity requirements to operate within a single, unified environment, rather than maintaining multiple segregated environments based solely on data classification. Accordingly, configuration guidance may include, but is not limited to:
     • High-level and detailed reference architectures aligned with NIST SP 800-171 control families
     • Design patterns that support logical segmentation or multi-tenant operation within a shared environment
     • Recommendations for automation, configuration management, and policy-as-code approaches to support scalability and consistency
     • Guidance on integrating compute, storage, networking, identity and access management, logging, monitoring, and security tooling
     • Alignment of technical configurations with auditability, documentation, and ongoing compliance sustainment
     CHPC does not expect vendors to replace internal operational staff. Rather, vendors should anticipate collabor
  12/30/2025 01:43 PM EST · 01/12/2026 02:02 PM EST
- Q77 Question: General Question
  Section 3.01 of the RFP includes vendor responsibilities related to 5. Training and Knowledge Transfer. Does the University have any expectations for the format, timing, scope, or scale of training that will need to be provided by the selected vendor?
  Answer:
  1. We are not seeking SCORM modules or pamphlets. We are seeking to become competent, qualified, and expert in all things NIST 800-171. The education may be best delivered through seminar, group conversation, and office hours. It is expected that the education and discussion will continue throughout the course of the RFP as new problems and use cases arise from the research community. View the knowledge transfer as the process between a mentor and a mentee.
  2. We have one employee that is a CCP. We have KnowBe4 for general user training, and the security team has created a NIST 800-171 compliance training program that can be used as a jumping-off point.
  12/30/2025 01:43 PM EST · 01/12/2026 02:02 PM EST
- Q78 Question: General Question
  Section 3.01 of the RFP includes vendor responsibilities related to 5.
Training and Knowledge Transfer and states that the selected vendor, “…will train University personnel on compliance requirements and system usage." Can the University provide clarification on the expectations for training University personnel on system usage? Arrow Right Answer: 1. See Question 77 12/30/2025 01:43 PM EST 01/12/2026 02:02 PM EST - Q79 Arrow Right Question: General Question Section 3.01 of the RFP includes vendor responsibilities related to Support and Maintenance and states that the selected vendor, “…will assist with ongoing compliance monitoring and updates, as requested of the University." Can the University provide additional insight into the expectations and scope of ongoing compliance monitoring and updates? Arrow Right Answer: 1. Awardee is expected to help architect the systems that enable ongoing compliance monitoring. The university intends for university staff to monitor, maintain, and resolve issues. 12/30/2025 01:44 PM EST 01/12/2026 02:02 PM EST - Q80 Arrow Right Question: General Question Section 3.01 of the RFP includes vendor responsibilities related to Support and Maintenance and states that the selected vendor, “…will provide advisory services for future audits and renewals." Can the University provide additional insight into the expectations and scope of future audits and renewals? Arrow Right Answer: 1. We are seeking a long-term partnership in which we can engage the awardee with additional audit like services, for example SPRS scores updates, review after major infrastructure changes (like adding a new lab, or changing identity providers), and preparing for recurring C3PAO audits. 12/30/2025 01:44 PM EST 01/12/2026 02:02 PM EST - Q81 Arrow Right Question: General Question Does the University have a preferred fee arrangement – fixed fee, time and materials, milestone based? Arrow Right Answer: 1. 
See Q37, please 12/30/2025 01:44 PM EST 01/12/2026 02:02 PM EST - Q82 Arrow Right Question: General Question Is there an expectation that the University’s CHPC enclave will be prepared to undergo a FedRamp authorization or equivalency assessment by an authorized FedRAMP 3PAO at the conclusion of this engagement? If so, can the University clarify whether the preparation of the FedRAMP Body of Evidence and support during that assessment are included within the scope of work for this RFP? Arrow Right Answer: 1. We are not seeking FedRAMP compliance for our services. See other questions for a fuller response. 12/30/2025 01:44 PM EST 01/12/2026 02:02 PM EST - Q83 Arrow Right Question: General Question Does the University have any relevant internal or external timelines they can share that would drive or impact the timing of specific deliverables? For example, does the University have an expectation for when they will undergo a CMMC Level 2 Assessment by an authorized C3PAO? assessment? Are there major milestones for the design and development of the planned CHPC enclave? Arrow Right Answer: 1. We are seeking a C3PAO audit in the Fall of 2026 to maintain pace with expected DoD contracting language changes. 2. If, awardee has a relationship with an outside C3PAO that can perform the audit, and a pass/fail mock audit we would be interested in knowing that for scheduling purposes. 3. CHPC’s major milestones are outlined below: a. Base System that is NIST 800-171 compliant with POAM – June 2026 b. Fully scaled environment that is NIST 800-171 compliant, development/migration to a single CHPC user, environment/platform/portal spanning all current CHPC environments with the ability to segment and allocate projects and users appropriately across assets (HPC, HPE, VMs, containerization, data services...) 
- FY27 12/30/2025 01:44 PM EST 01/12/2026 02:02 PM EST - Q84 Arrow Right Question: General Question Can the University provide an overview of the teams and personnel at the CHPC and Engineering that will be supporting the vendor throughout this project? Are any of these teams centralized or do they operate independently? Arrow Right Answer: 1. At present the CoE has 3-6 authorized support people. 2. Currently all teams (CHPC, RSO, Engineering) are separate, but it is the intent to centralize the security and compliance across domains. 3. The following teams from CHPC will be available to support the vendor throughout the project: a. Compute (3 authorized personnel) b. Network (3 authorized personnel) c. Security (2 authorized personnel) d. Storage (3 authorized personnel) e. User Services (7 authorized personnel) f. Cloud/Virtualization (5 authorized personnel) 12/30/2025 01:45 PM EST 01/12/2026 02:02 PM EST - Q85 Arrow Right Question: Vendor Clarification Questions For the CHPC Regulated Environment (RE), does the University intend to pursue formal FedRAMP authorization, or is alignment with FedRAMP Moderate controls sufficient within the scope of this engagement? Will the vendor be expected to develop full SSPs and POA&Ms for CHPC and Engineering enclaves, or will existing documentation be provided for refinement? Should the mock CMMC Level 2 audit for Engineering fully emulate a C3PAO assessment (including evidence sampling and scoring), or is a consultative readiness review acceptable? Will the selected vendor be expected to interact directly with federal sponsors or external assessors (e.g., DoD, NIH, C3PAOs), or will all such coordination be handled by the University? For the Nanofabrication Laboratory expansion, is CUI handling continuous or process-dependent, and are physical access controls already established or expected to be designed as part of this engagement? 
Does the University anticipate separate SSPs and compliance documentation per enclave, or a unified compliance strategy across CHPC and Engineering? What level of availability from University IT, security, and research staff should vendors assume during requirements gathering, remediation, and documentation activities? Are there mandatory enterprise tools or architectural constraints (IAM, logging, SIEM, network segmentation) vendors must integrate with and account for in timelines? Will Authorized vs. Candidate C3PAO status be evaluated differently during scoring? Does the University anticipate multiple awards, or is the intent to primarily engage one strategic vendor across both CHPC and Engineering? Arrow Right Answer: 1. No, we are not seeking for the RE to be FedRAMP certified 2. The COE is seeking a review of existing SSP and POA&M to ensure it would meet the expectations of a C3PAO certification assessment. Deficiencies would need to be identified and remediations prescribed by vendor. a. CHPC is seeking the awardee to lead the construction of an SSP and POA&M with support and input from CHPC and RSO. This will include the re-use, if appropriate, of existing SSP documentation. 3. Generally, no, the university will coordinate all actions with external partners. 4. No CUI is handled at the NanoFab yet. Part of the engagement is developing a roadmap to meet compliance with the various challenges presented by a teaching and learning lab. 5. We have existing physical security but require input and possible remediation and improvement plans. 6. Yes, the engineering and CHPC currently maintain separate SSPs and POA&MS. We are seeking a unified compliance strategy across enclaves. For example, we intend for a FedRAMP High SaaS solution to unify core services. The intent thereafter would be that engineering and chpc’s ssps could inherit significant portions of the SaaS solutions SSP. 7. This is a top priority for CHPC, RSO, and CoE. 
Engagement with Central IT will require advanced scheduling. 8. Both CHPC and CoE provide tools that are internal to the environment and are not open to enterprise tools provided by central IT. We are seeking vendors that can advise on how best to leverage enterprise tools in our existing environment. 9. Yes, we are seeking C3PAOs but are willing to accept them as a subcontract so long as they meet mandatory requirements listed in the RFP. 10. Ideally, we would partner with one vendor. 12/30/2025 01:55 PM EST 01/12/2026 02:02 PM EST - Q86 Arrow Right Question: support the existing CoE CUI enclave Would IT and Security team that support the existing CoE CUI enclave be the same personnel responsible for on-going administration of the prospective HPC Enclave (Regulated Environment)? Arrow Right Answer: • DR: The IT and Security teams supporting CHPC Citadel will also be responsible for the prospective CHPC Regulated Environment. These /are NOT/ the personnel responsible for the existing CoE enclave. • The IT and security teams for the CoE enclave are separate from the IT and security teams for the Citadel enclave. The long-term goal is to unify the security and compliance functions of each enclave under one central unit but maintain separation of IT support. 01/12/2026 01:47 PM EST 01/12/2026 02:02 PM EST - Q87 Arrow Right Question: general number of research teams What is the general number of research teams that access the CoE CUI Enclave? What is the general number of research teams that access the Citadel enclave environment? Arrow Right Answer: • Citadel currently (December 2025) supports (or is preparing to support) approximately twenty research teams. This number is expected to grow to approximately fifty by the end of 2027. • The CoE enclave averages three concurrent research groups using the facilities at any given time. Growth is expected and actively encouraged by research administration. 
01/12/2026 01:47 PM EST 01/12/2026 02:02 PM EST - Q88 Arrow Right Question: users (estimated) access How many users (estimated) access the CoE CUI Enclave? How many users are estimated to require access to the HPC environment. Arrow Right Answer: • CHPC Regulated Environment is expected to serve approximately 1000 users (high hundreds to low thousands). • CoE currently supports 15 active uses within the enclave. This number is expected to grow rapidly as new labs and researchers are engaged. 01/12/2026 01:48 PM EST 01/12/2026 02:02 PM EST - Q89 Arrow Right Question: existing CUI enclaves Do the existing CUI enclaves leverage cloud computing technologies? If so, please identify specific cloud providers in-use. Arrow Right Answer: • CHPC Citadel does not leverage cloud computing technologies. • CoE does not currently leverage cloud computing 01/12/2026 01:48 PM EST 01/12/2026 02:02 PM EST - Q90 Arrow Right Question: desired order of operations Is there a desired order of operations for completion of SHPC enclave design, NanoFab integration advisory, or CoE Enclave mock assessment? If so, what is the general timeline (Month) that is anticipated for project commencement? Arrow Right Answer: 1. The mock assessment is priority one to make a fall deadline of a C3PAO assessment. 2. HPC enclave design 3. Nanofabrication lab integration advisory 01/12/2026 01:49 PM EST 01/12/2026 02:02 PM EST - Q91 Arrow Right Question: CMMC Certification assessment For CMMC Certification assessment, are the CoE secure enclave and Regulated Environment planned to be assessed in tandem, or independently? Arrow Right Answer: • They will be assessed independently. CHPC Regulated Environment is not expected to be assessed for CMMC. It is intended to comply with NIST 800-171rev3 (CMMC 2.0 specifies rev2). 
01/12/2026 01:49 PM EST 01/12/2026 02:02 PM EST - Q92 Arrow Right Question: Regarding cost estimates Regarding cost estimates: the RFP appears to be very broad and inclusive of many services that are as yet unknown until a full gap or mock assessment is completed. It is impossible to know the work effort required for remediation and implementation support until a full understanding of gaps has been identified. Our proposed approach would be to offer a Gap/Mock Assessment as a fixed fee service and include hourly rates for remediation and implementation support. Are there concerns with this approach? Arrow Right Answer: 1. We see no issues with this approach. Please see Q37 for additional guidance. 01/12/2026 01:49 PM EST 01/12/2026 02:02 PM EST

    Key dates

    1. December 12, 2025: Published
    2. February 13, 2026: Responses Due
