Risk Management Framework (RMF) Services

The Administration requires federal agencies to dynamically manage their cybersecurity at an enterprise level. To support this effort, GSA offers Risk Management Framework (RMF) services Blanket Purchase Agreements (BPAs) through seven industry partners with pre-competed pricing.

The framework considers effectiveness, efficiency, and constraints required by applicable laws, directives, Executive Orders, policies, standards, or regulations. RMF is a mandated element of FISMA compliance (see the reference section below).

How to Order

How to order RMF

Review the BPA modification in the Risk Management Framework Ordering Guide [PDF - 300 KB] for the BPA's full scope. During this phase, you must also determine your current systems' complexity.

Use the RMF Service request package [XLSX - 39 KB]. This Excel workbook takes you tab-by-tab to a better understanding of how to use the RMF BPA, and ensures that you don't miss any critical steps.

The Table of Security Deliverables and References [DOCX - 780 KB] helps ordering activities understand and identify which CLIN(s) to include in their solicitation.

Draft your requirements in accordance with your system assessment. Use the ordering procedures in FAR 8.405-2 for a list of what you must include.

Follow your agency’s procedures for preparing an RFQ and follow any internal policies for acquiring IT services. Develop and state your evaluation criteria.

All orders must be fixed-price.

Below $3,000. If your order is below the micro-purchase threshold, you can place orders with any BPA holder that can meet your needs. Try to distribute orders among the BPA holders.

Between $3,000 and $150,000. If your order is between the micro-purchase threshold and the simplified acquisition threshold, provide the RFQ to at least three BPA holders according to FAR 8.405-2. (If you don't, you must document exceptions according to FAR 8.405-6.)

Above $150,000. If your order is more than the simplified acquisition threshold, provide the RFQ to all BPA holders that meet your requirements. You must also seek a price reduction.

Evaluate all responses received using the evaluation criteria you specified in the RFQ. See FAR 8.405-2(d) for more guidance. Select the BPA holder that represents the best value.

Award the task order and document who you awarded it to, what was purchased, and the pricing. Include the BPA number, BPA holder's name, and Schedule contract number on all orders.

Industry Partners

More information about each awardee, including points of contact, is available in the Risk Management Framework Ordering Guide Rev. 6/2015 [PDF - 913 KB].

RMF Industry partners

Here are the seven (7) RMF BPA awardees, linked to their nongovernment websites.

RMF features

The RMF BPA aligns with the Federal Information Security Management Act (FISMA) requirements, Office of Management and Budget (OMB) guidance, and the DHS National Infrastructure Protection Plan. Read more about the FISMA requirements.

Federal, state, local, and tribal government organizations can use the RMF BPA.

The RMF BPA features lower prices than you can find on IT Schedule 70.

Guidance, policy and references

Last Reviewed 2016-05-12