Jun 18, 2020


N00189-17-R-0021 Attachment I

PERFORMANCE WORK STATEMENT

Navy Authorizing Official

SECTION 1 – SCOPE OVERVIEW, BACKGROUND AND GENERAL INFORMATION

1.1 Scope Overview

This Performance Work Statement (PWS) describes the performance requirements for contractor services in support of U.S. Fleet Cyber Command/U.S. Tenth Fleet Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP) Certification and Accreditation (C&A) responsibilities and functions and Risk Management Framework (RMF) Assessment and Authorization (A&A) responsibilities and functions. The scope of work includes operations in a secure environment for classified and unclassified information technology (IT) processes and satisfying requirements in support of Joint and other service/agency goals and directives. Services shall be performed at both Government and Contractor facilities. The scope of work includes travel but is not expected to include work aboard ship/underway or at deployed/out-of-garrison shore sites.

1.2 Background

The Chief of Naval Operations has appointed Commander, U.S. Fleet Cyber Command (FLTCYBERCOM) as the Navy Authorizing Official (NAO) for all classified and unclassified collateral and general service (GENSER) operational Navy Information Technology (refer to OPNAVINST 5239.1 series, OPNAVNOTE 5230 of Aug 2011 and OPNAVINST 5450.345 of 04 Apr 2012). Under this appointment, FLTCYBERCOM has the operational responsibility to maintain an acceptable level of cybersecurity and performance risk to Navy networks and systems across Top Secret, Secret, and Unclassified security enclaves, throughout their life cycle, afloat and ashore. The NAO also represents Navy cybersecurity risk management perspectives on key joint/joint interest programs such as nuclear C3, space, missile defense, and Joint Strike Fighter. The NAO Directorate executes operational risk management requirements on the Commander's behalf and is currently organized with four divisions and an administrative support team. This work is directly derived from statute, including Clinger-Cohen and the Federal Information Security Management Act (FISMA).

The DoD has mandated a wholesale process change from DIACAP to using the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) (ref. DoDINST 8510.01 of 12 Mar 2014). In addition to requiring practitioners to learn new processes, RMF calls for substantially more depth of documentation and security analysis, adds a new requirement for NAO to formally approve cybersecurity plans early in a system's life cycle, and also increases the scope of RMF assessment and authorization to include platform IT and industrial control systems.

The DoD expects transition to RMF to be complete by 2018. Based on this target completion date, it is estimated that at the beginning of the contract period of performance the Navy's IT portfolio will be roughly 50% DIACAP / 50% RMF, and that the Navy will have effectively converted to RMF by the end of the first period of performance; however, transition may take longer.

Navy IT includes systems, networks, applications and the physical sites in which they reside. DIACAP C&A/RMF A&A activities, under the purview of the FLTCYBERCOM Authorizing Official (AO), assess Navy IT compliance with statutes, federal and DoD/Department of Navy (DoN) directives, policies, instructions and orders.

NAO Directorate personnel support the DIACAP C&A and RMF A&A requirements of Navy Echelon I and II Commands, Program Management Offices (PMO) and other Navy stakeholders, including the newly assigned Functional AOs (FAO) at four Navy systems commands for their respective platform IT control systems (PIT-CS). This support includes managing DIACAP collaborations, RMF formal and informal checkpoints, technical document review, and provision of technical and administrative guidance to site/system personnel. RMF brings new work to the NAO Directorate, especially by calling for a much higher level of engagement during Step 2, Control Selection.

Note: RMF requires an AO decision in three process steps:

1. System Categorization
2. Control Selection
3. Authorization

Transition to RMF is expected to include an increase in workload as well as changes to the type of analysis required. A mixture of legacy DIACAP and new RMF procedures will have to be followed during the transition. DoD timelines for transition may be either accelerated or slowed down. In addition, RMF establishes a three-tiered approach at the individual system (Tier 3), mission area (Tier 2), and organization-wide (Tier 1) levels. While the NAO focuses at the Tier 3 level, the Navy anticipates a significant increase in Tier 2 risk assessment and risk management decision work across the warfighting, business and enterprise services areas. This anticipated increase represents a significant addition to the broad NAO requirements. Together, it is anticipated that these factors will necessitate adjustment in the skills and support that are expected to be covered by this contract over the period of performance.

In the processing of DIACAP C&A and RMF A&A packages, NAO Directorate personnel (and supporting contractor personnel) analyze cyber security documentation and artifact submissions for Navy IT to include operational systems, Platform Information Technology (PIT), test and development systems, systems supporting test exercises, special projects, and Navy IT which requires a joint authorization, to ensure all Navy IT meets DoD/DON cyber security directives, policy, instructions and orders. In addition to processing packages, NAO Directorate personnel review and develop Navy cybersecurity policies and provide process improvement and functional support to the NAO.


The NAO Directorate is organized in five Divisions. Key responsibilities are as follows:

NAO ADMINISTRATION AND SUPPORT DIVISION (NAO N1)

The NAO Administration and Support Division provides administrative support to the NAO Director, NAO Deputy Director and, when directed, NAO Division Heads for all routine office tasks associated with Cybersecurity and the administrative processing of Certification and Accreditation (C&A) or Assess and Authorize (A&A) packages, ensuring these documents are in accordance with DoD and DON directives, instructions and other national-level policy. NAO N1 serves as the Directorate Information Management Officer (DIMO).

NAO MISSION INTEGRATION/JOINT SUPPORT DIVISION (NAO 1)

The NAO Mission Integration/Joint Support Division works with FCC line directorates (e.g. N3/Operations) and special assistants (e.g. Staff Judge Advocate) to synchronize operational actions in support of mission assurance and FCC strategic goals, with particular emphasis on NAO support to deliberate and crisis action planning in the defensive cyber and DODIN operations mission areas. The Division actively assesses, researches, and manages actions applied to perimeter and boundary protections such as Ports, Protocols, and Services Management (PPSM), Boundary Change Requests (BCR), Cross Domain Solutions (CDS), and blacklisting on the SIPRNET. The Division ensures customers execute processes that fully support the actions necessary to successfully complete the DIACAP C&A and RMF A&A processes. Furthermore, this Division is the CYBERSAFE representative, working with OPNAV N2/N6 and the Systems Commands (SYSCOM) to develop and implement the CNO-mandated Cyber Safety Program, which is designed to impose cybersecurity requirements on critical and essential systems, networks, and assets beyond the A&A requirements of RMF.

NAO OPERATIONS DIVISION (NAO 2)

The NAO Operations Division facilitates NAO cybersecurity risk acceptance decisions regarding accreditation/authorization of Navy IT. The Division ensures that a) DIACAP C&A and RMF A&A efforts and associated tasks, such as Ports, Protocols, and Services (PPS) registry, Boundary Change Requests (BCR), and Cross Domain Solution (CDS) approvals, are executed within the bounds of directives, policies, instructions and orders; b) the process engages appropriate stakeholders (e.g. information system owner and security control assessor); and c) Navy IT operational configuration, vulnerabilities and risk are understood in support of an accreditation/authorization decision or other required approvals. The NAO Operations Division prepares accreditation/authorization and related documentation and supports stakeholder accreditation/authorization strategy development in support of accreditation/authorization and/or approval decisions by the FLTCYBERCOM NAO. Furthermore, FCC NAO 2 provides out-of-cycle risk analysis of Navy IT in support of Navy missions and operations.


NAO ASSESS AND AUTHORIZE SUSTAINMENT DIVISION (NAO 3)

The NAO Assess and Authorize Sustainment Division executes the NAO role in actions required to support DIACAP C&A and RMF A&A, particularly in the monitor security controls phase. This work helps to ensure Navy IT continuously complies with cybersecurity requirements, even as requirements mature. This includes: coordinating, endorsing, and/or approving high-risk escalations for all Navy circuits and non-circuits (systems) for DON Chief Information Officer (CIO) approval; delays to disconnect for circuits; conditional accreditation extension requests for non-circuits (systems); coordinating and preparing AO-to-AO Memoranda of Agreement (MOA)/Memoranda of Understanding (MOU) and other support agreements for signature; assessing risk and system authorization status for various waiver requests; reporting on accreditation/authorization metrics; adjudicating Cyber Security Inspection (CSI) and Command Cyber Readiness Inspection (CCRI) findings for inclusion in C&A/A&A remediation plans as part of RMF Step 6 (Monitor); and conducting Web Risk Assessments (WRAs). In addition, this Division works with NAO 2 to follow up on accreditation stipulations for medium- to low-risk systems (per references a-e) as well as to focus on systems requiring the most Operational Risk Management (e.g., PKI, HBSS), and works with the High Risk Escalation Process to follow up on stipulations determined by the Component CIO (DON CIO), DDCIO, Fleet Cyber Command Executive Director and the High Risk Escalation Advisory Board.

NAO ASSESS AND AUTHORIZE PROCESS IMPROVEMENT DIVISION (NAO 4)

The NAO Assess and Authorize Process Improvement Division collects and presents metrics, assesses and researches solutions to common DIACAP C&A and RMF A&A process challenges, and leads the implementation of solutions to those challenges. In ITIL terms, NAO 4 focuses on the continual service improvement phase of C&A/A&A cybersecurity risk management activities. The Division also serves as the functional lead for system administration of the Navy's instances of the Enterprise Mission Assurance Support Service (eMASS) and for directorate metrics on the various A&A processes.

Public Law 113–283, the Federal Information Security Modernization Act of 2014 (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems (IS) that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FLTCYBERCOM has a need for contractor-provided support services to support the NAO Directorate in conducting DIACAP C&A and RMF A&A functions and tasks, enacting current and future cybersecurity policy, and supporting the DON goal of achieving FISMA and other statutory requirements.


1.3 OBJECTIVE

The product of a procurement action related to this PWS will be a single-award, indefinite delivery/indefinite quantity (IDIQ) contract for non-personal contractor support services. A single contractual vehicle is envisioned because the scope and tasks described below are regarded as integrally related to the wholeness and overall security of Navy IT. The contractor will support the mission and tasks of the NAO Directorate divisions under both DIACAP and RMF policies. The eventual contract, if awarded, will contain firm-fixed-price provisions for labor. Travel shall be fixed-price if possible but, if not, will be reimbursed at actual cost. Task orders will be individually funded and will specify the tasks, labor categories, travel and deliverables. Task orders will be written and issued as firm-fixed-price.

1.4 APPLICABLE DOCUMENTS

The following documents are applicable to the scope of work:

a. DoDD 8500.01, Information Assurance, 4 October 2002
b. DoDI 8500.02, Information Assurance (IA) Implementation, 6 February 2003
c. DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), 28 November 2007
d. DoDI 8500.01, Cybersecurity, 14 March 2014
e. DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014
f. DoD 5200.1, Vol. 1, DoD Information Security Program: Overview, Classification, and Declassification, February 24, 2012
g. DoD 5200.1, Vol. 2, DoD Information Security Program: Marking of Classified Information, February 24, 2012
h. DoD 5200.1, Vol. 3, DoD Information Security Program: Protection of Classified Information, February 24, 2012
i. DoD 5200.1, Vol. 4, DoD Information Security Program: Controlled Unclassified Information (CUI), February 24, 2012
j. DoD Directive 5205.8, Access to Classified Cryptographic Information, 8 November 2007
k. CJCSI 6211.02B, Defense Information System Network Policy, Responsibilities and Processes, 31 July 2003
l. CJCSI 6510.01F, Information Assurance and Computer Network Defense, 9 February 2011
m. SECNAV 5239.3A, Department of the Navy Information Assurance Policy, 20 December 2004
n. Navy Authorizing Official and Security Control Assessor Risk Management Framework Process Guide (RPG) Version 1.0, 31 August 2015 (or current version)
o. Information Assurance Certification and Accreditation Process (DIACAP) Interim Guidance, 6 July 2006
p. Navy Telecommunications Directive (NTD) 08-10, Navy Ports, Protocols, and Services (NPPS) for Navy Unclassified and Classified Networks
q. ALCOM 016/15, Navy Authorizing Official Restructuring, 29 January 2015
r. ALCOM 168/16, Navy Authorizing Official Restructuring, 04 August 2016
s. 5 USC 552a, The Privacy Act of 1974
t. Director of Central Intelligence Directive 6/3, Security Policy on Intelligence Information in Automated Systems and Networks
u. NSTISSP No. 11 Revised, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products, June 2003
v. USN/USMC IA PUB-5239-22, Information Assurance Protected Distribution System (PDS) Publication, October 2007
w. NSTISSAM TEMPEST/2-95A, Red/Black Installation Guidance, 3 February 2000
x. SECNAV M-5216.5, Department of the Navy Correspondence Manual, March 2010
   Other relevant IA policy documents as published or updated.
y. Department of the Navy (DoN) Federal Information Security Management Act (FISMA) Guidelines, March 2006
z. DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, 15 August 2004
aa. DoD 8570.01-M, Information Assurance Workforce Improvement Program, 19 December 2005
bb. NIST SP 800-30, Guide for Conducting Risk Assessments, September 2012
cc. NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010
dd. NIST SP 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, April 2014
ee. NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, December 2014
ff. CNSSI 1253, Security Categorization and Control Selection for National Security Systems, 27 March 2014
gg. OPNAVINST 5239.1 series, Navy Information Assurance (IA) Program (most current is revision C of 20 August 2008)
hh. DoDD 8140.01, Cyberspace Workforce Management, 11 August 2015
ii. NSTISSI 4009, National Information Systems Security (INFOSEC) Glossary (NOTAL), September 2000
jj. DoDI 8520.02, Public Key Infrastructure (PKI) and Public Key Enabling (PKE), 24 May 2011
kk. DoDI 8530.1-M, Computer Network Defense Service Provider Certification and Accreditation Process, 17 December 2003
ll. Office of Management and Budget, Circular A-130, "Management of Federal Information Resources", Revised 28 November 2000
mm. DoD 5400.7, DoD Freedom of Information Act Program, 2 January 2015
nn. DoD 5400.11-R, Department of Defense Privacy Program, 14 May 2007
oo. DoD 5220.22-M, National Industrial Security Program Operating Manual, 28 February 2006
pp. DoD 1000.25, DoD Personnel Identity Protection Program, 23 April 2007
qq. SECNAV M-5510.36, DON Information Security Program, June 2006
rr. SECNAV M-5510.30, DON Personnel Security Program, June 2006
ss. Section 3544 of Title 44, US Code (FISMA) of 2002
tt. Navy Telecommunications Directive (NTD) 02-14, Policy and Procedures for Web Risk Assessment (WRA) of Unclassified Navy Websites
uu. SECNAV M-5239.2, Cyberspace Information Technology and Cybersecurity Workforce Management and Qualification Manual, June 2016
vv. OPNAVINST 5450.345, Mission Functions and Tasks for US Fleet Cyber Command, April 2012
ww. OPNAVINST 5400.44A, Navy Organization Change Manual
xx. DoDINST 8582.01, Security of Unclassified DoD Information on Non-DoD Information Systems, June 2012

1.5 Anticipated Period of Performance

The resultant contract will consist of a 5-year ordering period during which firm-fixed price task orders may be issued. The five year ordering period has been divided into contract years to allow for labor rate escalation. The Option to Extend Services under FAR clause 52.217-8 will be included. The ordering period will commence upon contract award.

Contract Year                        Period of Performance (estimated)
YEAR I                               27 August 2017 – 26 August 2018
YEAR II                              27 August 2018 – 26 August 2019
YEAR III                             27 August 2019 – 26 August 2020
YEAR IV                              27 August 2020 – 26 August 2021
YEAR V                               27 August 2021 – 26 August 2022
52.217-8 Option To Extend Services   27 August 2022 – 26 February 2023

1.6 Transition in/out

The contractor is expected to have 30 days from the date of contract award to complete system access requests, obtain Common Access Cards (CACs), coordinate security clearance information and complete other administrative tasks necessary prior to commencement of work under the first issued task order.

Should the contractor not be selected as the follow-on contractor, the contractor shall participate in a transition phase to transfer work to a successor in an orderly and efficient manner. The transition phase shall be the last thirty (30) days prior to the end of the contract or task order period(s) of performance, whichever is later. The transition phase shall consist of briefing the Government and successor on the status of all current task orders and providing task order deliverables to the Government by the respective due dates. The contractor shall submit a Transition Plan to the Government not later than 30 days after the plan is requested. The Transition Plan must include, at a minimum, a staffing plan to ensure current task orders are fully staffed throughout transition, a list of current task orders, and a date for the status briefing.

SECTION 2 - CONTRACTOR PERSONNEL

2.1 Contractor Personnel General Requirements

2.1.1 Contractor personnel shall be high-level self-starters with demonstrated technical experience in their respective functions and labor categories.

2.1.2 Contractor personnel engaged in this effort shall meet the DoD Cybersecurity Specialty Area 61 (Advanced/Master) requirements of SECNAV M-5239.2, "Cyberspace Information Technology and Cybersecurity Workforce Management and Qualification Manual", and the requirements of any successor manuals or instructions that establish training and certification standards for the DoD cybersecurity workforce. Contractor personnel must be appropriately certified prior to performing under this PWS.

2.1.3 Contractor personnel must have the appropriate security clearance for their respective positions. Interim SECRET and TOP SECRET (TS) security clearances are acceptable until final adjudication is received. Contractor personnel who will be placed into positions with TS/Sensitive Compartmented Information (SCI) clearance requirements must have a final TOP SECRET clearance to be SCI eligible. Contractor personnel shall comply with DON and local security requirements in order to gain access to the facility.

2.1.4 The contractor shall be responsible for providing adequate levels of staffing to meet NAO's functional requirements and Performance Measures. The contractor shall fill vacancies caused by loss of personnel due to turnover, extended sick leave, etc., not later than two weeks from the last work date of the departing contractor employee.

2.1.5 Contractor personnel shall maintain a 40-hour work week. Work shall be performed between the hours of 0630 and 1730, Monday through Friday. Government facilities will be closed on federal holidays.

2.1.6 Personnel assigned to this task must keep current on the respective technologies associated with the contract. The Contractor shall be responsible for training contractor personnel to maintain and enhance respective employee skill-levels and knowledge. Contractor shall track individual qualifications and certifications of personnel assigned to this effort.

2.1.7 During the first 180 days of task order performance (or duration of task order if period of performance is less than 180 days) the Contractor shall make no substitutions of key personnel unless the substitution is necessitated by illness, death, or termination of employment. The Contractor shall notify the Contracting Officer within 7 calendar days after the occurrence of any of these events and provide any necessary explanatory information and plan to fill the vacancy. After the initial 180-day period, the Contractor should inform the Government as a courtesy when a personnel change is anticipated or contemplated.


2.1.8 Contractor personnel shall be required to complete mandatory Navy training requirements including but not limited to Combatting Human Trafficking, Cyber Security Awareness, and Prevention of Sexual Assault and Harassment, and Classified Material handling. Additional training may be required for travel to overseas locations. The majority of these training requirements are completed via computer-based training during the standard work-day.

2.1.9 All contractor personnel performing under this performance work statement shall identify themselves as a contractor employee to avoid creating any impression that they are Government officials. Such identification shall be made in all meetings attended, when answering Government telephones, on all e-mails, and when working in other situations where their contractor status is not obvious to third parties. They must also ensure that all documents or reports produced by contractors are suitably marked as contractor products or that contractor participation is appropriately disclosed.

2.2 Labor

2.2.1 DIACAP and RMF Package Processing. The government anticipates requiring a base-level of support services in each of the contract years to perform the functions of DIACAP and RMF package processing, BCRs, CSLAs, Vulnerability Management, eMASS Administration and accreditation lifecycle process. Personnel assigned to this set of tasks may also be required to assist with the accomplishment of other task orders awarded under this contract. The level of support required will vary as the transition from DIACAP to RMF progresses. The specific level of support required will be defined in each task order. The table below represents the historical labor mix and labor hours engaged to satisfy similar previous requirements, which is provided for informational purposes only. Offerors are free to propose a different mix of labor categories and level of effort (see Deliverables, paragraph 4.0. for additional information).

Labor Category/Description                        Clearance Level   CSWF Designation Code        Proposed Staffing   Estimated Annual LOE (hours)   Estimated Annual Total Hours
Senior Cyber Security Analyst/Program Manager *   TS/SCI            61 Advanced/Master           1                   1920                           1920
Senior Cyber Security Analyst *                   TS/SCI            61 Advanced/Master           1                   1920                           1920
Senior Cyber Security Analyst *                   S                 61 Advanced/Master           6                   1920                           11520
Cyber Security Analyst/Specialist                 S                 61 Intermediate/Journeyman   26                  1920                           49200

(The final row is reproduced as published; 26 positions at 1920 hours each would total 49,920 hours.)


*Denotes Key Personnel in the base level support

2.2.1.1 Labor Category Duties and Minimum Requirements for personnel with primary responsibility for DIACAP and RMF package processing, BCRs, CSLAs, Vulnerability Management, eMASS Administration and the accreditation lifecycle process. These personnel may also be required to assist with the accomplishment of other task orders awarded under this contract.

Senior Cyber Security Analyst/Program Manager (Key Personnel)

Duties: The Senior Cyber Security Analyst/Program Manager is specifically charged with the responsibility of interfacing with the Government on all matters pertaining to this Performance Work Statement, including the quality of, and conformance to, requirements and methodologies directly related to the contracted effort. The Senior Cyber Security Analyst/Program Manager shall direct the contractor's effort through the company's internal management system, which shall provide project progress visibility to assure on-time completion of contract requirements.

The Senior Cyber Security Analyst/Program Manager shall be a full-time position assigned to work on-site at the Government location in support of daily NAO requirements, reporting and completion of contract requirements.

Experience:

1. A minimum of seven (7) years of practical experience at a professional level in Information Assurance/Cyber Security (IA/CS) within the Department of Defense or U.S. Navy. The following may have been gained concurrently:

2. Six (6) years of experience managing complex projects or programs to include preparation of reports and correspondence that are technically correct; coordination and scheduling of multiple people, tasks and functions; managing funding of requirements; and providing support relative to certification and accreditation processes and DOD IA/CS directives.

3. Seven (7) years of experience managing administrative and technical support related to IA/CS and Information Systems Security (INFOSEC) project subtasks.

4. Five (5) years of experience supervising, planning and leading technical teams in multiple, complex tasks assignments involving disciplines including analysis and decision support.

Experience in two or more of the following functional areas:

1. Performing system, network and application C&A/A&A-related tasks including DIACAP/RMF package development, IA/security controls analysis, risk assessment, contingency planning, Security Test and Evaluation (ST&E), risk mitigation analysis, and technology reviews/assessments.

2. IA/CS background in requirements analysis, design, development, implementation and follow-up.

3. IA/CS concepts and requirements development and analysis.

4. IA/CS planning and management.

Senior Cyber Security Analyst/Specialist (TOP SECRET/SCI) (Key Personnel)

Duties: Provides senior technical analysis for IA/CS support and integration efforts. Performs in-depth analysis in various areas and technologies within DIACAP C&A and RMF A&A. Implements the Risk Management Framework (RMF) for the NC3/MUOS space system and system of systems, to include an end-to-end architectural implementation across NC3/MUOS.

Experience:

Six (6) years of experience in Information Systems Operations, IA/CS or Information Systems Management.

Four (4) years of experience in the areas of systems, networks and applications analysis applicable to IA/CS, INFOSEC, DIACAP, and RMF.

Four (4) years of experience in Space systems and operations.

The Senior Cyber Security Analyst/Specialist with TS/SCI clearance shall have knowledge/experience in the following primary areas:

1. Security Architecture analysis and compliance assessment with DoD/DON required configurations

2. Security Operations tools architecture SME, integrator, and operations interface

3. Support required selected sample audits of IAVA, STIGs and CTOs to enforce compliance

4. Firewall and Boundary audit and configuration management

5. Conduct security posture and threat analysis given current security infrastructure, configuration, and employment

6. Coordinate/Collaborate with Ech I/II/III stakeholders and shepherd owners through cybersecurity work flow

7. Assist NAO in the identification of additional cyber security engineering needs within the Navy Space/NC3 environment

8. Knowledge of stakeholder (USSTRAT, ARSTRAT, OPNAV, PEO SPACE) interests and concerns

9. Navy Qualified Validator (NQV) *

* The Navy Qualified Validator is an independent assessor; the Validators must possess the experience necessary to successfully perform Assessment & Authorization (A&A) following the Department of Defense (DoD) Risk Management Framework (RMF) structure and optimizing the first-pass approval rate of Security Authorization Packages.


Senior Cyber Security Analyst/Specialist (SECRET) (Key Personnel)

Duties: Provides senior technical analysis for IA/CS support and integration efforts. Performs in-depth analysis in various areas and technologies within DIACAP C&A and RMF A&A documentation.

Experience:

Six (6) years of experience in Information Systems Operations, IA/CS or Information Systems Management.

Four (4) years of experience in the areas of systems, networks and applications analysis applicable to IA/CS, INFOSEC, DIACAP, and RMF.

The estimated 6 personnel in this labor category/security clearance shall collectively have experience in all secondary areas:

1. IA/CS requirements, standards, and IA/security controls analysis.

2. C&A/A&A requirements and processes.

3. Risk and vulnerability assessment and risk mitigation analysis.

4. IA/CS policy development, review and/or implementation.

5. Encryption techniques and requirements.

6. Network architecture design.

7. System analysis, design, integration, security test and evaluation.

8. Ports, Protocols, and Services.

9. Cross-domain solutions.

10. Web Risk Assessment (WRA) as it applies to C&A/A&A*

11. Wireless/mobile technologies**

12. Navy Qualified Validator (NQV) ***

*At least one (1) Senior Cyber Security Analyst/Specialist out of all engaged on this effort must have experience in Web Risk Assessment (WRA) as it applies to C&A/A&A.

**At least one (1) Senior Cyber Security Analyst/Specialist out of all engaged on this effort must have experience in Wireless/mobile technologies as it applies to C&A/A&A.

*** At least two (2) Senior Cyber Security Analysts/Specialists out of all engaged on this effort must have experience as Navy Qualified Validators. The Validator is an independent assessor; the Validators must possess the experience necessary to successfully perform Assessment & Authorization (A&A) following the Department of Defense (DoD) Risk Management Framework (RMF) structure and optimizing the first-pass approval rate of Security Authorization Packages.


Cyber Security Analyst/Specialist

Duties: Provides technical analysis for IA/CS support and integration efforts. Performs analysis of DIACAP C&A and RMF A&A documentation.

Experience:

Five (5) years of experience overall to include four (4) years of related IA/CS and INFOSEC technical experience.

Four (4) years of experience in IA/CS analysis support in IA/security controls analysis, conducting risk assessments, risk mitigation analysis, developing contingency plans.

Each Cyber Security Analyst shall have knowledge/experience in all of the following primary areas:

1. IA/CS requirements and IA/security controls analysis.

2. C&A/A&A requirements and processes.

3. Risk and vulnerability assessment and risk mitigation analysis.

4. IA/CS policy development, review and/or implementation.

5. System analysis, design, integration, security test and evaluation.

6. Ports, Protocols, and Services.

The estimated 26 personnel in this labor category should collectively have experience in all secondary areas:

a. MOU/MOA/ISA/ICA review process.

b. WRA as it applies to C&A.

c. Contingency planning.

d. DISA circuit connection approval process.

e. Cross-domain solutions.

f. Encryption techniques and requirements.

g. Platform Information Technology (PIT)/Industrial Control System (ICS) analysis.

h. Requirements for classified data network operations.

i. Requirements for NATO information processing.

j. Network architecture design.

k. Application requirements analysis, integration and testing.

l. Designing and implementing IA/CS solutions.

m. Managing functional and cross-functional requirements on information assurance and information systems at an enterprise-wide level.

n. Firewall Policy

o. Technical writing

p. Wireless/mobile technologies

q. Cloud platforms

r. Virtualization


2.2.2 Other Task Orders. Additional task orders may be issued for DIACAP to RMF transition planning, DIACAP to RMF transition process development, RMF process development and implementation, targeted analysis, process development studies, or other in-scope tasks. These tasks may require a mix of labor categories and subject matter expertise. The table below represents the government’s estimate of the labor categories, clearance level, and hours which may be required to complete these and similar tasks. Offerors are free to propose a different mix of labor categories and level of effort (see Deliverables, paragraph 4.0. for additional information). The exact labor categories, clearance level and level of effort will be prescribed in each awarded task order.

Labor Category/Description | Clearance Level | CSWF Designation Code | Proposed Staffing | Estimated Annual LOE | Estimated Total Hours

Senior Cyber Security Analyst/Project Manager | S | 61 Advanced Master | .5 | 960 | 960

Metrics & Analytics Specialist | S | 62 Intermediate/Journeyman | 2@960 hours each | 1920 | 1920

Technical Writer/Editor | S | 62 Intermediate/Journeyman | 2@960 hours each | 1920 | 1920

IT Training/Media Specialist | S | 61 Advanced Master | 2@960 hours each | 1920 | 1920

Cyber Security Analyst/Specialist | S | 61 Intermediate/Journeyman | 2@960 hours each | 1920 | 1920

Senior Cyber Security Analyst/Project Manager

Duties: The Project Manager shall interface with the Contracting Officer’s Representative on all matters pertaining to the Task Order to which assigned. The Project Manager shall direct the contractor’s effort through the company’s internal management system that shall provide project progress visibility to assure on-time completion of contract requirements.

Experience:

Six (6) years of experience managing complex projects or programs to include preparation of reports and correspondence that are technically correct; coordination and scheduling of multiple people, tasks and functions; and managing funding of requirements.


Five (5) years of experience supervising, planning and leading technical teams in multiple, complex task assignments involving disciplines including analysis and decision support.

Performing system, network and application C&A/A&A-related tasks including DIACAP/RMF package development, IA/security controls analysis, risk assessment, contingency planning, Security Test and Evaluation (ST&E), risk mitigation analysis, and technology reviews/assessments.

IA/CS background in requirements analysis, design, development, implementation and follow-up.

IA/CS concepts and requirements development and analysis.

IA/CS planning and management.

Metrics and Analytics Specialist

Duties: The Metrics and Analytics Specialist will aid in various reporting and analytics initiatives. The Metrics and Analytics Specialist will ensure data quality, integrity, and accuracy of reporting while utilizing appropriate methodologies, industry tools, and best practices. Will also work closely with the government to define appropriate reporting metrics, and contribute to the output of all reporting and analytics as requested.

Experience:

Bachelor's degree in business, finance, information systems, computer related disciplines or equivalent work experience specifically related to reporting/analysis is required.

ITIL foundations certification preferred. 3+ years of experience developing analytic reporting required. 3+ years of experience working on and leading/managing projects required. 3+ years of experience in developing tools to automate reporting. Experience collaborating with senior level business leaders and stakeholders required.

Technical Writer/Editor

Duties: Assists in collecting and organizing information for preparation of user manuals in support of agencies' management, organizational and business improvement efforts. Researches, drafts, and edits materials involving manuals, briefs, proposals, instructional material, catalogues, technical publications, software and hardware documentation, and other technical reports using automated tools. Interprets reports, specifications and/or drawings to increase understanding of processes and document requirements. Processes and conducts reviews, to include Freedom of Information Act (FOIA) reviews, declassification reviews or other specific agency requests. Will be required to work independently or under only general direction.

Experience:

Five (5) years' experience in creating and editing IA/Cybersecurity (CS) technical documents.


IT Training/Media Specialist

Duties: Design, deliver, and develop high quality, effective IT, cybersecurity (CS) and DoD Risk Management Framework (RMF) Assess and Authorize (A&A) training solutions using a variety of media (training manuals, guides, fact sheets, overviews, presentations, etc.). Coordinate and conduct orientations and training for both technical and non-technical audiences. Train personnel by conducting formal classroom courses, workshops, and seminars.

Experience:

A minimum of six (6) years in the following primary areas:

1. Communications, curriculum design, media/marketing or related field.

2. Developing IT training materials.

3. RMF requirements and processes.

Must also have the following skills:

1. Exceptional communication skills with ability to communicate vision, strategy, and key objectives.

2. Strong attention to detail.

3. Exceptional business writing capabilities.

4. Word and PowerPoint expertise is required.

Cyber Security Analyst/Specialist

Duties: Provides technical analysis for IA/CS support and integration efforts.

Experience:

Five (5) years of experience overall to include four (4) years of related IA/CS and INFOSEC technical experience.

Four (4) years of experience in IA/CS analysis support in IA/security controls analysis, conducting risk assessments, risk mitigation analysis, developing contingency plans.

SECTION 3 – SCOPE TASKING AND REQUIREMENTS

3.1 DIACAP C&A and RMF A&A Support

3.1.1 Both the DIACAP C&A and RMF A&A processes require:

a. Detailed analysis of applicable security controls

b. Determining the compliance status with each security control

c. An in-depth understanding of the Navy IT system being reviewed, and

d. Thorough reviews of package artifacts

e. Excellent written and verbal communication skills

DIACAP C&A primarily requires AO decision to approve an Authorization. RMF A&A reviews require a more lengthy and intensive review than DIACAP in most cases due to the RMF construct and numerical difference in security controls and artifacts associated with an RMF submission. RMF requires AO decision in three process steps:

1. System Categorization

2. Control Selection

3. Authorization

During the life of the contract, the DIACAP C&A process will gradually be replaced by the RMF A&A process. The number of DIACAP C&A packages is expected to decrease, while the number of monthly and annual RMF A&A reviews increases. The Contractor must be able to support dual process activities until RMF is the sole C&A Activity.

3.1.2 Base Level Support tasks and sub-tasks

3.1.2.1 Participate in collaboration and checkpoint activities with assigned Echelon I/II commands and other stakeholders as needed to achieve accreditation/authorization or approvals for other related tasking as it relates to Navy IT that require NAO approval.

3.1.2.2 Perform risk analyses on Navy IT and provide accreditation/authorization recommendations to NAO government employees.

3.1.2.3 Provide guidance to other Navy commands as needed as pertains to emerging technologies, C&A/A&A processes and accreditation/authorization strategic planning and development. For example, leveraging commercial cloud infrastructure, platform or software as a service, mobile application security, mobile device management, including “bring your own device” and enterprise accreditation/authorization development.

3.1.2.4 Review information system (IS) architectures, operating mode, applications, data types, system boundaries, connections and other relevant information that will allow a full risk assessment.

3.1.2.5 Review Navy IT for compliance with Federal, DoD, DON, and Navy policies.

3.1.2.6 Review and process other DoD service component accreditations via established reciprocity requirements and processes.

3.1.2.7 Assist in the implementation and promulgation of Navy Ports, Protocols, and Services (PPS) guidance IAW DoD PPS policy. Support PPS coordination activities with, for example, SPAWAR PMW 130.2 on PPS exceptions.

3.1.2.8 Review and process DIACAP and RMF artifacts to support required AO approvals. For DIACAP, this is primarily an accreditation decision. Under RMF, this includes concurrence on system categorization, system security plan, security assessment plan, information system continuous monitoring strategy, control selection and support to system authorization decisions. Ensure DIACAP/RMF artifacts are accurate, complete, and compliant with DoD, Navy, and NAO policies/direction.

3.1.2.9 Attention to detail is critical to the Government in providing exceptional services to the DoD community so RMF/DIACAP packages or other products must be correct and held to a high standard. To ensure high standards of performance, deficiencies and errors must be kept at a minimum.

3.1.2.10 RMF/DIACAP package or products are considered deficient if the submitted package or products does/do not meet established DoD/Navy policies or internal processing procedures or guidance and have been deemed as deficient as communicated via email by assigned government personnel.

3.1.2.10.1 Administrative errors are errors that pertain to accreditation/authorization letters, coversheets and other documents (i.e. grammar, punctuation, spelling) that are created by the contractor for Government review.

3.1.2.10.2 Technical errors are errors that fail to address DoD/Navy RMF/DIACAP or internal processing procedures or guidance that pertain to Cybersecurity requirements and are of a technical nature. Provide risk assessments and accreditation/authorization recommendations to NAO government staff for systems/circuits being escalated to DON CIO via DDCIO (Navy) for high risk accreditation approval.

3.1.2.11 Review and process Platform Information Technology (PIT) Designation and PIT Risk Approval artifacts to support required AO approvals. Ensure PIT Designation and PIT Risk Approval artifacts are accurate, complete, and compliant with DoD, Navy, and NAO policies/direction. Provide Platform IT designation/PIT Risk Approval and Accessibility Level recommendations to NAO government staff.

3.1.2.12 Develop and/or contribute to processes to capture out-of-cycle updates to accreditations/authorizations (e.g., CCRI/CSI results, POAM updates, DISA scans).

3.1.2.13 Develop, track and monitor C&A/A&A follow-up for Web Risk Assessment (WRA) and other site or system reviews (e.g. Navy or Joint Cyber Protection Team Activities).

3.1.2.14 Track and monitor accreditation/authorization conditions follow-up to ensure continued security posture is maintained and integrated into the C&A process when vulnerabilities are identified on Navy networks, systems, circuits, and applications.

3.1.2.15 Support data analysis to identify system issues and recommend priority actions to reduce organization risk.

3.1.2.16 Assist sites with assessment vulnerability integration activities to meet compliance with policy.


3.1.2.17 Maintain and provide status of IT/IS with CAT I/High/Very High Risk vulnerabilities and that have been on an Interim Authority to Operate (IATO)/ATO with Conditions for longer than established RMF/DIACAP timeframes.

3.1.2.18 Review and provide recommendations for various waivers/extensions of IA/CS requirements per DoD/DON/USN guidance.

3.1.2.19 Support NAO’s administration of Cyber Security Inspection and Certification Program (CSIC-P) portals and databases to include USN organization and user account creation, liaison with appropriate Help Desks for any problems encountered, and recommend improvements for more effective and reliable operations.

3.1.2.20 Provide NAO support for all Command Cyber Readiness Inspection (CCRI) and Cyber Security Inspection (CSI) issues to include post inspection finding adjudication, statistical data/metrics of post inspection adjudication status, and Security Technical Implementation Guide (STIG) review and interpretation. Support and track post compliance inspection results as Navy Qualified Validator (NQV).

3.1.2.21 On a daily basis, participate in the required DIACAP C&A/RMF A&A steps to review Navy-wide C&A/A&A package submissions to ensure understandable security posture for system/network architectures and technical/non-technical operating features. DIACAP/RMF packages must include a cover page or equivalent as defined by NAO, listing key summary information as designated by NAO government staff.

3.1.2.22 Prepare documentation in the form of letters, Standard Operating Procedures (SOP), white papers, correspondence, forms and other documentation in support of the Navy C&A/A&A and authority to connect processes.

3.1.2.23 Coordinate with stakeholders and review DIACAP/RMF packages at various steps in the C&A/A&A process (dependent on which policy applies; DIACAP or RMF) for completeness, accuracy and compliance in accordance with DoD/DON, and other applicable C&A/A&A/IA/CS policy as determined by the government. Ensure complete documentation packages flow through the C&A/A&A processes and keep the NAO designated staff informed of status and potential issues. Present findings from submitted accreditation packages prior to the scheduled C&A/A&A collaboration/checkpoint meetings or other predetermined points as defined by NAO designated staff.

3.2 Cybersecurity Support

3.2.1 Representative examples of CS support duties and responsibilities include:

3.2.1.1 Conduct DIACAP/RMF compliance documentation assessments and coordination activities (e.g., collaboration and checkpoint meetings) for systems and networks seeking accreditation/authorization under the purview of the NAO. Compliance assessments encompass the review and assessment of systems, sites, networks and applications to ensure CS/security controls are addressed and implemented in accordance with DoD/Navy cyber security policy.

3.2.1.2 Attend meetings in support of NAO requirements and prepare written feedback on the content and outcome of meetings, and follow-on tasks including recommendations.

3.2.1.3 Develop point papers, naval messages, presentations, drafted formal emails, briefings and other forms of written documentation on an as-needed basis to support NAO.

3.2.1.4 Develop project plans for tasks requiring significant planning and management oversight and prepare project plans for NAO staff approval.

3.2.1.5 Support mission area cybersecurity risk assessment activities at the RMF Tier 2 level that cross multiple individual systems or capabilities. This may include supporting research in the areas of mission assurance and related policies and procedures and development of draft process steps.

3.2.1.6 Support NAO coordination for participation in DoD, DON and Navy cybersecurity initiatives in the development of standards to align with mandated policy.

3.3 Other Tasks and Sub-tasks

3.3.1 Support NAO participation in continual improvement of C&A/A&A processes to include DoD, DON, and Navy initiatives (e.g., transition of DoD standards to align with National Institute of Standards and Technology (NIST) standards). Coordinate the analysis and design for new processes and technologies designed to integrate and streamline current process automation and procedures.

3.3.2 Support NAO coordination for any new C&A/A&A processes/policy implementation within Navy, e.g., C&A/A&A activities for Next Generation Enterprise Network (NGEN), Consolidated Afloat Networks and Enterprise Services (CANES), cloud computing initiatives, and joint acquisition programs requiring a Navy accreditation/authorization (e.g., Joint Strike Fighter, Mobile User Objective System (MUOS), ballistic missile defense (BMD)).

3.3.3 Develop, monitor and provide C&A/A&A metrics at request of NAO government reps. Metrics will be used to identify barriers or inefficiencies and to inform decision making on process improvements. Examples of metrics that could be requested include number of systems accredited in a given time period broken down by accreditation type, risk profile of systems accredited over a given time period, and number of systems being accredited through the high risk system escalation process.

3.3.4 Develop, refine and implement process to track expiring accreditations/authorizations and provide high-level notification.


3.3.5 Support NAO as a stakeholder in the development and improvement of Information Assurance Technical Authority (IA TA) Navy policy and standards (e.g. RMF Security Control Specific Assigned Values (SPAV), security controls inheritance).

3.3.6 Support NAO in execution of RMF training/implementation events in support of the Navy’s transition to the RMF and continual process improvement.

3.3.7 Assist in developing and updating policies, procedures and guidelines for new and existing technologies, CS processes, and administrative procedures in support of implementing DoD/DON/USN/FCC IA/CS policy and instructions. Procedures shall be developed consistent with DON procedures and NAO/ FCC guidance.

3.3.8 Assist in developing, updating and implementing procedures to support C&A/A&A workflow processes, criteria needed to facilitate processes and accreditation/authorization decision milestones in accordance with NAO requirements. Procedures will require review and changes as processing requirements change to meet enhancements and changes in DoD/DON IA/CS program requirements.

3.3.9 Assist in developing Standard Operating Procedures (SOPs), checklists, workflow process charts, forms, POC lists, and other documentation needed to support NAO processes and related cyber security functions.

3.3.10 Assist in developing procedures, forms, and other documentation in support of Navy-wide implementation of DoD/DON/USN/FCC cyber security processes.

3.3.11 Maintain, modify and enhance NAO tracking tools as required. Provide productivity and metrics reports utilizing SharePoint and/or other automated tools as required. All enhancements to NAO tools must be approved by NAO government staff before implementation. The contractor shall be responsible for testing changes before implementing.

SECTION 4 - DELIVERABLES

4.1 General Information

4.1.1 Throughout the period of performance, the Contractor shall provide the deliverables listed below. Correspondence shall be in the format prescribed by the Naval Correspondence Manual and NAO requirements, forms and other documentation as prescribed by prevailing DoD guidelines and NAO staff. Deliverables shall be prepared in Contractor format where not otherwise specified by the Government. Deliverables shall be provided to the Contracting Officer Representative (COR). Documentation/deliverable products shall be delivered in electronic format suitable for posting on U. S. Government websites as required.

4.1.2 The Contractor should anticipate feedback from NAO Government staff in the form of comments and instructions as needed to correct and improve submitted documents. In the event revisions are required to any deliverable products, revisions shall be made at no additional cost to the government. All revisions will be due in the specified timeframe as identified by the government. All final deliverable submissions shall remain the property of the U.S. Government. The due dates of specific deliverable products, such as point papers, analytical studies, Standard Operating Procedures and correspondence, which are anticipated requirements but unknown as to topics and timing, will be mutually agreed upon by the Government and the Contractor when the work is assigned.

4.1.3 All methodologies and recommendations shall be reviewed and approved by the government prior to submission/implementation.

4.1.4 All documentation and letters are internal documents designated at minimum For Official (Government) Use Only (FOUO); those of FOUO or higher classification must be correctly marked in accordance with Navy information classification guidelines for the classification of information contained in the package.

4.1.5 By close of business (COB) Wednesday of each week for the previous week’s information, the Contractor shall provide Weekly Activity Reports. These reports shall summarize:

4.1.5.1 Productivity metrics for each Division for the week including:

a. Number and type (C&A, A&A, etc.) of packages assigned;

b. Number of packages submitted for approval/signature;

c. Packages currently in work;

d. Other in-scope tasks assigned (studies, analyses, process standardization, etc.);

e. Average processing time for C&A, A&A, BCR and CLSA.

4.1.5.2 The number of RMF/DIACAP packages or products submitted for approval/signature but returned for rework, correction or update due to deficiencies or errors.

4.1.6 By the fifth of each month for the previous month’s information, the Contractor shall provide a Monthly Activity Report Summary to convey:

4.1.6.1 Productivity metrics for the month for each Division including:

a. Number and type (C&A, A&A, etc.) of packages assigned;

b. Number of packages submitted for approval/signature;

c. Packages currently in work;

d. Other in-scope tasks assigned (studies, analyses, process standardization, etc.);

e. Average processing time for C&A, A&A, BCR and CLSA.


4.1.6.2 Number of submitted RMF/DIACAP packages or products that require government approval or signature but returned for rework, correction or update due to deficiencies or errors.

4.1.6.3 Significant issues/plans, task completion dates, list of outstanding issues including amplifying remarks pertaining to background, assumptions, constraints and recommendations, and status of initiatives, projects, milestones, and tasks with the percentage completed.

4.1.6.4 A monthly travel summary.

4.1.7 The contractor shall be able to meet up to a 15 percent increase (at a minimum) of BCR/CLSA reviews from the baseline as stated in the Deliverables Table.

4.1.8 The Contractor shall provide trip reports to the COR upon the third business day following return from travel. Include name of meeting or symposium attended or reason for travel, highlights, issues, and action items/recommendations.

4.1.9 The Contractor shall provide an adequate number of personnel who possess the required qualifications, skills, education, experience and background to successfully accomplish the scope of work described in this PWS. The NAO Directorate estimates it will process 4100 DIACAP/RMF packages per year; the Contractor is expected to process 60 percent of total package submissions (2,460 packages). A DIACAP/RMF package submission is defined as any product that requires an FCC NAO accreditation, authorization, approval or concurrence decision, and consists of DIACAP accreditation decisions, RMF Step 2 System Security Plan (SSP) approvals and RMF Step 5 authorization decisions. As the Navy continues its efforts implementing RMF, an annual 3%-6% increase in packages requiring processing is anticipated over the life of the contract.

4.1.10 Deliverables Table

Item Number | Description | Anticipated monthly workload | Due Date/Time

1 | BCR | 50-60 | Average processing time 10 business days

2 | CLSA | 60-70 | Average processing time 10 business days

  | DIACAP C&A | 205* | Average processing time 5 business days

  | RMF A&A (Step 2 and Step 5) |  | Average processing time 5 business days

3 | Plan of Action and Milestones for in-scope work (for tasking requiring a POA&M) |  | 5 days after assignment

4 | Documentation (letters, SOPs, white papers, correspondence, analysis, statistics, and similar items) |  | As agreed upon at time of assignment/in POA&M

5 | Monthly Activity Reports |  | 5th of the following month

6 | Trip Report |  | 3rd business day after return

7 | Meeting summary reports when tasked, e.g. when identified as scribe for a collaboration/checkpoint or when sole NAO representative at a meeting |  | Within 24 hours of conclusion of meeting or by COB of next business day

8 | Coordinate the analysis and design for new processes and technologies designed to integrate and streamline current process automation and procedures. Generate analytical reports. |  | As stated in Task Order

9 | Support new C&A/A&A processes/policies by writing analytical reports, drafting explanations, developing training material, and similar documents. |  | As stated in Task Order

10 | Develop, monitor and provide C&A/A&A metrics |  | As stated in Task Order

11 | Develop, refine and implement process to track expiring accreditations/authorizations and provide high-level notification |  | As stated in Task Order

12 | Maintain, modify and enhance NAO tracking tools to include operational testing of tool. |  | As stated in Task Order

13 | Draft Standard Operating Procedures (SOPs), checklists, workflow process charts, forms, POC lists, and other similar documentation |  | As stated in Task Order

14 | Draft C&A/A&A workflow processes and procedures to include implementation plans |  | As stated in Task Order

15 | Draft procedures, forms, and other documentation in support of Navy-wide implementation of DoD/DON/USN/FCC cyber security processes |  | As stated in Task Order

16 | Transition-out Plan |  | 30 days after requested

*DIACAP C&A transitioning to RMF A&A. RMF A&A reviews will become an increasing share of the workload in the option years.

SECTION 5 - TRAVEL

It is anticipated travel may be necessary in the performance of this scope of work. Travel may occur to the locations identified in the following table, as well as other locations, as determined necessary and authorized by the COR:

Description | Location | Number of Travelers | Number of Days
Assist / review F-35 Program | Arlington, VA | 1 | 2
RMF (trip 1) | Washington, DC | 1 | 2
RMF (trip 2) | Washington, DC | 1 | 2
RMF (trip 3) | Washington, DC | 1 | 2
RMF (trip 4) | Washington, DC | 1 | 2
eMASS User Acceptance Testing (trip 1) | Washington, DC | 1 | 2
eMASS User Acceptance Testing (trip 2) | Washington, DC | 1 | 2
eMASS User Acceptance Testing (trip 3) | Washington, DC | 1 | 2
eMASS User Acceptance Testing (trip 4) | Washington, DC | 1 | 2
DON Wireless Working Group | San Diego, CA | 1 | 5
MUOS SWG Meeting (1st trip) | Pt. Mugu, CA | 1 | 4
MUOS SWG Meeting (2nd trip) | San Diego, CA | 1 | 4
MUOS RAF Visit (1st Trip) | Geraldton, Australia | 1 | 5
NC3 SWG (1st trip) | Omaha, NE | 1 | 4
NC3 SWG (2nd trip) | San Diego, CA | 1 | 4
MUOS RAF Visit (2nd trip) | Niscemi, Italy | 1 | 5

5.1 Reimbursable Travel

Except as otherwise provided under non-reimbursable travel costs, the contractor will be reimbursed for travel costs in accordance with the Federal Travel Regulations (FTR) in effect at the time of the travel. This directive can be accessed at http://www.gsa.gov/portal/content/104790. It is Department of the Navy (DON) policy not to allow a charge of profit or fee on reimbursable items; therefore, travel will be reimbursed at actual cost, excluding any profit.

Airfare shall be based on the lowest available cost for coach or economy in writing in advance. The Contractor is not authorized to perform any travel that is not in conjunction with this contract. The COR shall notify the contractor in advance when travel is required. Upon notification, the contractor shall submit a travel request identifying the estimated travel cost to the COR for approval. A trip report in contractor format shall be submitted to the COR upon completion of all approved travel. All travel costs shall be within the estimated not-to-exceed amount identified in Section B of the contract and will be reimbursed at actual cost, so long as supporting documentation is provided with the invoice.

5.2 Non-Reimbursable Travel

Travel performed for personal convenience and daily travel to and from the contractor’s facility will not be reimbursed by the Government.

Travel costs incurred in the replacement of contractor personnel, for any reason, will not be reimbursed by the Government.

No travel or subsistence costs will be reimbursed for work performed within a 50-mile radius of the place of performance where services are being provided.

Relocation costs and travel costs incident to relocation of Government facilities are not allowed.

SECTION 6 - NON-PERSONAL SERVICES STATEMENT

Contractor employees performing services under this contract will be controlled, directed, and supervised at all times by management personnel of the Contractor. Contractor management will ensure that employees comply with the performance work standards outlined in this PWS. Contractor employees will perform their duties independent of, and without the supervision of, any Government official. The tasks, duties, and responsibilities set forth in the task may not be interpreted or implemented in any manner that results in any Contractor employee creating or modifying Federal policy, obligating the appropriated funds of the United States Government, overseeing the work of Federal employees, providing direct personal services to any Federal employee, or otherwise violating the prohibitions set forth in Subparts 7.5 and 37.1 of the Federal Acquisition Regulation (FAR), http://farsite.hill.af.mil/vffar1.htm. The Government shall control access to the facility and shall perform the inspection and acceptance of completed work.

SECTION 7 – PLACE OF PERFORMANCE

At least eighty percent (80%) of work on the overall contract effort will be conducted at Government facilities located at U.S. Fleet Cyber Command Suffolk, VA and up to twenty percent (20%) may be conducted at Contractor facilities due to space limitations. Note: at any given time the contractor may be required to work at its location due to space limitations.


The contractor’s facilities shall be located within 250 miles of the Tidewater, Virginia area. This facility shall only be used to process controlled, unclassified information. Contractor and Contractor facility shall follow DoD/Navy policy for processing, storing, receiving, transmitting, viewing DoD/Navy information, including DoDINST 8582.01 of June 2012, Security of Unclassified DoD Information on Non-DoD Information Systems.

SECTION 8- ACCEPTANCE PLAN

Inspection and acceptance of deliverables (Section 4) shall be performed by the COR in accordance with the Quality Assurance Surveillance Plan (QASP)/QASP Matrix.

SECTION 9 - INFORMATION ASSURANCE/INFORMATION SECURITY

The Contractor shall protect DoD classified and sensitive unclassified data regardless of the location or ownership of the transport media, including, but not limited to, mobile computing devices and removable storage media, whether Government furnished or contractor owned/leased. The Contractor shall comply with all current information assurance and information security policies, procedures, and statutes applicable to DoD information technology, including the July 3, 2007 DoD CIO Policy Memorandum on Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media. When supporting this contract from the vendor’s location as the place of performance, sensitive but unclassified DoD information will be protected in accordance with reference xx.

SECTION 10- GOVERNMENT FURNISHED INFORMATION (GFI)

The Government will make available copies of technical documentation, drawings, and magnetic media as appropriate, in support of task requirements. All GFI is provided for information purposes and remains the property of the Government.

SECTION 11– PRIVACY ACT COMPLIANCE

The contractor may be in contact with data and information subject to the Privacy Act of 1974 (Title 5 of the U.S. Code Section 552a). The contractor shall ensure that its employees assigned to this effort understand and adhere to the requirements of the Privacy Act and to Department of Defense and Department of the Navy regulations that implement the Privacy Act. Department of Navy policy and procedures implementing the Privacy Act are detailed in DoD Directive 5400.11 (DoD Privacy Program), available on-line at http://www.dtic.mil/whs/directives/ and in SECNAVINST 5211.5E (Department of the Navy Privacy Act (PA) Program), which is available on-line at http://privacy.navy.mil. The contractor shall identify and safeguard data, information and reports accordingly. In addition, the contractor shall ensure that contractor employees assigned to the contract are trained on properly identifying and handling data and information subject to the Privacy Act prior to commencing work.


SECTION 12 – PROPRIETARY INFORMATION

No data provided to, or developed by, the contractor shall be used for any purpose other than the tasks assigned. All information (data files and hard copy) becomes the property of the Government and the contractor shall return them at the completion of the task. The Government shall not be required to pay royalties, recurring license fees, use tax or similar additional payments for any contractor-developed product or associated software presentation.

SECTION 13 - SECURITY

U.S. citizenship and a SECRET security clearance are the minimum requirements. Contractor personnel assigned to this contract who are designated to work with information at the Top Secret (TS), Sensitive Compartmented Information (SCI) and non-SCI level are required to be cleared at the appropriate level (see Labor Table in 2.2.1). Interim TS clearances are permitted. The contractor shall ensure the ability to obtain personnel with clearances above SECRET to meet the terms of this contract. As applicable, FLTCYBERCOM shall prepare and submit the appropriate DD Form 254 to meet security requirements.

SECTION 14 - GOVERNMENT FURNISHED OFFICE SUPPLIES

Materials considered reasonably required for the completion of the described work will be furnished to the contractor upon request made to the COR. These materials will be furnished to the contractor for use in connection with and under the terms of this order. Contractors physically located in a FLTCYBERCOM facility will be provided an NMCI seat and all associated hardware/software that will be needed to complete above described tasks. Upon completion of work, all GFM/E shall be returned to the Government.

SECTION 15 - RESUMES

The government reserves the right to review resumes for contractor personnel employed in this effort upon request. Upon request, resumes shall be provided to the COR, Alternate Contracting Officer Representative (ACOR), and Technical Assistant (TA).

SECTION 16 - INFORMATION SYSTEMS SECURITY

Information systems used by contractor personnel shall be operated in accordance with DOD 5220.22-M National Industrial Security Program Operating Manual (NISPOM) and reference xx.

SECTION 17 - SAFETY

The contractor shall comply with all Federal Occupational Safety and Health Administration (OSHA), local and base safety requirements, whichever is the most stringent. The contractor shall also comply with all local and base regulations pertaining to the environment, including but not limited to, water, air, solid waste, and noise pollution.


SECTION 18 - Contractor Unclassified Access to Federally Controlled Facilities, Sensitive Information, Information Technology (IT) Systems or Protected Health Information (Jan 2017)

Homeland Security Presidential Directive (HSPD)-12, requires government agencies to develop and implement Federal security standards for Federal employees and contractors. The Deputy Secretary of Defense Directive-Type Memorandum (DTM) 08-006 – “DoD Implementation of Homeland Security Presidential Directive – 12 (HSPD-12)” dated November 26, 2008 (or its subsequent DoD instruction) directs implementation of HSPD-12. This clause is in accordance with HSPD-12 and its implementing directives.

APPLICABILITY

This clause applies to contractor employees requiring physical access to any area of a federally controlled base, facility or activity and/or requiring access to a DoN or DoD computer/network/system to perform certain unclassified sensitive duties. This clause also applies to contractor employees who access Privacy Act and Protected Health Information, provide support associated with fiduciary duties, or perform duties that have been identified by DON as National Security Position, as advised by the command security manager. It is the responsibility of the responsible security officer of the command/facility where the work is performed to ensure compliance. Each contractor employee providing services at a Navy Command under this contract is required to obtain a Department of Defense Common Access Card (DoD CAC). Additionally, depending on the level of computer/network access, the contract employee will require a successful investigation as detailed below.

ACCESS TO FEDERAL FACILITIES

Per HSPD-12 and implementing guidance, all contractor employees working at a federally controlled base, facility or activity under this clause will require a DoD CAC. When access to a base, facility or activity is required, contractor employees shall in-process with the Navy Command’s Security Manager upon arrival to the Command and shall out-process prior to their departure at the completion of the individual’s performance under the contract.

ACCESS TO DOD IT SYSTEMS

In accordance with SECNAV M-5510.30, contractor employees who require access to DoN or DoD networks are categorized as IT-I, IT-II, or IT-III. The IT-II level, defined in detail in SECNAV M-5510.30, includes positions which require access to information protected under the Privacy Act, to include Protected Health Information (PHI). All contractor employees under this contract who require access to Privacy Act protected information are therefore categorized no lower than IT-II. IT Levels are determined by the requiring activity’s Command Information Assurance Manager.

Contractor employees requiring privileged or IT-I level access (when specified by the terms of the contract) require a Single Scope Background Investigation (SSBI) or T5 or T5R equivalent investigation, which is a higher level investigation than the National Agency Check with Law and Credit (NACLC) described below. Due to the privileged system access, an investigation suitable for High Risk national security positions is required. Individuals who have access to system control, monitoring, or administration functions (e.g. system administrator, database administrator) require training and certification to Information Assurance Technical Level 1, and must be trained and certified on the Operating System or Computing Environment they are required to maintain.

Access to sensitive IT systems is contingent upon a favorably adjudicated background investigation. When access to IT systems is required for performance of the contractor employee’s duties, such employees shall in-process with the Navy Command’s Security Manager and Information Assurance Manager upon arrival to the Navy command and shall out-process prior to their departure at the completion of the individual’s performance under the contract. Completion and approval of a System Authorization Access Request Navy (SAAR-N) form is required for all individuals accessing Navy Information Technology resources. The decision to authorize access to a government IT system/network is inherently governmental. The contractor supervisor is not authorized to sign the SAAR-N; therefore, the government employee with knowledge of the system/network access required or the COR shall sign the SAAR-N as the “supervisor.”

The SAAR-N shall be forwarded to the Command’s Security Manager at least 30 days prior to the individual’s start date. Failure to provide the required documentation at least 30 days prior to the individual’s start date may result in delaying the individual’s start date. When required to maintain access to required IT systems or networks, the contractor shall ensure that all employees requiring access complete annual Information Assurance (IA) training, and maintain a current requisite background investigation. The Contractor’s Security Representative shall contact the Command Security Manager for guidance when reinvestigations are required.

INTERIM ACCESS

The Command's Security Manager may authorize issuance of a DoD CAC and interim access to a DoN or DoD unclassified computer/network upon a favorable review of the investigative questionnaire and advance favorable fingerprint results. When the results of the investigation are received and a favorable determination is not made, the contractor employee working on the contract under interim access will be denied access to the computer network and this denial will not relieve the contractor of his/her responsibility to perform.

DENIAL OR TERMINATION OF ACCESS

The potential consequences of any requirement under this clause including denial or termination of physical or system access in no way relieves the contractor from the requirement to execute performance under the contract within the timeframes specified in the contract. Contractors shall plan ahead in processing their employees and subcontractor employees. The contractor shall insert this clause in all subcontracts when the subcontractor is permitted to have unclassified access to a federally controlled facility, federally-controlled information system/network and/or to government information, meaning information not authorized for public release.


CONTRACTOR’S SECURITY REPRESENTATIVE

The contractor shall designate an employee to serve as the Contractor’s Security Representative. Within three work days after contract award, the contractor shall provide to the requiring activity’s Security Manager and the Contracting Officer, in writing, the name, title, address and phone number for the Contractor’s Security Representative. The Contractor’s Security Representative shall be the primary point of contact on any security matter. The Contractor’s Security Representative shall not be replaced or removed without prior notice to the Contracting Officer and Command Security Manager.

BACKGROUND INVESTIGATION REQUIREMENTS AND SECURITY APPROVAL PROCESS FOR CONTRACTORS ASSIGNED TO NATIONAL SECURITY POSITIONS OR PERFORMING SENSITIVE DUTIES

Navy security policy requires that all positions be given a sensitivity value based on level of risk factors to ensure appropriate protective measures are applied. Contractor employees under this contract are recognized as Non-Critical Sensitive [ADP/IT-II] positions when the contract scope of work requires physical access to a federally controlled base, facility or activity and/or access to a DoD computer/network to perform unclassified sensitive duties. This designation is also applied to contractor employees who access Privacy Act and Protected Health Information (PHI), provide support associated with fiduciary duties, or perform duties that have been identified as National Security Positions. At a minimum, each contractor employee must be a US citizen and have a favorably completed NACLC or T3 or T3R equivalent investigation to obtain a favorable determination for assignment to a non-critical sensitive or IT-II position. The investigation consists of a standard NAC and an FBI fingerprint check plus law enforcement checks and a credit check. Each contractor employee filling a non-critical sensitive or IT-II position is required to complete:

SF-86 Questionnaire for National Security Positions (or equivalent OPM investigative product)

Two FD-258 Applicant Fingerprint Cards (or an electronic fingerprint submission)

Original Signed Release Statements

Failure to provide the required documentation at least 30 days prior to the individual’s start date shall result in delaying the individual’s start date. Background investigations shall be reinitiated as required to ensure investigations remain current (not older than 10 years) throughout the contract performance period. The Contractor’s Security Representative shall contact the Command Security Manager for guidance when reinvestigations are required.

Regardless of their duties or IT access requirements, ALL contractor employees shall in-process with the Command’s Security Manager upon arrival to the command and shall out-process prior to their departure at the completion of the individual’s performance under the contract. Employees requiring IT access shall also check-in and check-out with the Navy Command’s Information Assurance Manager. Completion and approval of a System Authorization Access Request Navy (SAAR-N) form is required for all individuals accessing Navy Information Technology resources. The SAAR-N shall be forwarded to the Navy Command’s Security Manager at least 30 days prior to the individual’s start date. Failure to provide the required documentation at least 30 days prior to the individual’s start date shall result in delaying the individual’s start date. The contractor shall ensure that each contract employee requiring access to IT systems or networks completes annual Information Assurance (IA) training and maintains a current requisite background investigation. Contractor employees shall accurately complete the required investigative forms prior to submission to the Command Security Manager. The Command’s Security Manager will review the submitted documentation for completeness prior to submitting it to the Office of Personnel Management (OPM). Potential suitability or security issues identified may render the contractor employee ineligible for the assignment. An unfavorable determination is final (subject to SF-86 appeal procedures) and such a determination does not relieve the contractor from meeting any contractual obligation under the contract. The Command’s Security Manager will forward the required forms to OPM for processing. Once the investigation is complete, the results will be forwarded by OPM to the DoD Central Adjudication Facility (CAF) for a determination.

If the contractor employee already possesses a current favorably adjudicated investigation, the contractor shall submit a Visit Authorization Request (VAR) via the Joint Personnel Adjudication System (JPAS) or a hard copy VAR directly from the contractor’s Security Representative. Although the contractor will take JPAS “Owning” role over the contractor employee, the Command will take JPAS "Servicing" role over the contractor employee during the hiring process and for the duration of assignment under that contract. The contractor shall include the IT Position Category per SECNAV M-5510.30 for each employee designated on a VAR. The VAR requires annual renewal for the duration of the employee’s performance under the contract.

BACKGROUND INVESTIGATION REQUIREMENTS AND SECURITY APPROVAL PROCESS FOR CONTRACTORS ASSIGNED TO OR PERFORMING NON-SENSITIVE DUTIES

Contractor employees whose work is unclassified and non-sensitive (e.g., performing certain duties such as lawn maintenance, vendor services, etc.) and who require physical access to publicly accessible areas to perform those duties shall meet the following minimum requirements:

Must be either a US citizen or a US permanent resident with a minimum of 3 years legal residency in the United States (as required by The Deputy Secretary of Defense DTM 08-006 or its subsequent DoD instruction) and

Must have a favorably completed National Agency Check with Written Inquiries (NACI) or T1 investigation equivalent including a FBI fingerprint check prior to installation access.


To be considered for a favorable trustworthiness determination, the Contractor’s Security Representative must submit for all employees each of the following:

SF-85 Questionnaire for Non-Sensitive Positions

Two FD-258 Applicant Fingerprint Cards (or an electronic fingerprint submission)

Original Signed Release Statements

The contractor shall ensure each individual employee has a current favorably completed National Agency Check with Written Inquiries (NACI) or T1 equivalent investigation, or ensure successful FBI fingerprint results have been obtained and the investigation has been processed with OPM.

Failure to provide the required documentation at least 30 days prior to the individual’s start date may result in delaying the individual’s start date.

* Consult with your Command Security Manager and Information Assurance Manager for local policy when IT-III (non-sensitive) access is required for non-US citizens outside the United States.

SECTION 19 - Enterprise Contractor Manpower Reporting Application (ECMRA)

The contractor shall report contractor labor hours (including subcontractor labor hours) required for performance of services provided under this contract for the Fleet Cyber Command via a secure data collection site. Contracted services excluded from reporting are based on Product Service Codes (PSCs). The excluded PSCs are:

(1) W, Lease/Rental of Equipment;

(2) X, Lease/Rental of Facilities;

(3) Y, Construction of Structures and Facilities;

(4) D, Automatic Data Processing and Telecommunications, IT and Telecom- Telecommunications Transmission (D304) and Internet (D322) ONLY;

(5) S, Utilities ONLY;

(6) V, Freight and Shipping ONLY.

The contractor is required to completely fill in all required data fields using the following web address https://doncmra.nmci.navy.mil.

Reporting inputs will be for the labor executed during the period of performance during each Government fiscal year (FY), which runs October 1 through September 30. While inputs may be reported any time during the FY, all data shall be reported no later than October 31 of each calendar year. Contractors may direct questions to the help desk, linked at https://doncmra.nmci.navy.mil.

SECTION 20 – STATUS OF FORCES

The information provided in this section is strictly a summary of the applicable SOFAs and country-specific requirements and should not be construed as all-inclusive. It is the contractor's responsibility to review, understand and comply with all SOFA and country-specific requirements applicable to this contract.

SOFA status defines the benefits received by the contractor and/or the contractor’s dependents. These benefits include, but are not limited to, commissary, postal, military banking privileges, on-base education and access to United States military medical facilities. The SOFA status usually determines whether criminal offenses are prosecuted under the USG OCONUS court system and laws as opposed to the Host Nation judicial system and laws, but that will vary by location.

The Government may, at the discretion of the Base Commander, provide contractor employees and authorized dependents logistics support as mentioned in the previous paragraph. This only applies to foreign countries that have a SOFA.

The NATO SOFA is the governing document with respect to the status of forces in NATO countries. The NATO SOFA is silent to many issues, such as how and when SOFA status is granted to contractors. Issues like this are addressed in various bilateral agreements that the United States has with other countries, and the requisite requirements differ from country to country.

1.1.1. DOD CONTRACTOR PERSONNEL OFFICE (DOCPER) COMPLIANCE (NAPLES)

The contractor shall comply with the procedures associated with the Department of Defense Office of Civilian Personnel guidelines for employing DoD contractor employees as Technical Representatives (TRs) in Italy. The Web site for obtaining the documentation that governs the Technical Representative Accreditation Procedures for DoD contractor employees serving as TRs in Italy is identified below. The Government will also use the Contractor Verification System (CVS) to validate the contractor's need and application information for a CAC. The Government will reimburse the contractor for all costs associated with the DOCPER process.

http://www.per.hqusareur.army.mil/CPD/DocPer/Italy/ItalyDefault.aspx

1.1.1.1. DOD CONTRACTOR Insurance (Italy)

No mandatory requirements for insurance exist.
