Loren Data's SAM Daily™

FBO DAILY ISSUE OF JUNE 10, 2004 FBO #0927
SOLICITATION NOTICE

D -- IT Certification & Accreditation

Notice Date
6/8/2004
 
Notice Type
Solicitation Notice
 
NAICS
541690 — Other Scientific and Technical Consulting Services
 
Contracting Office
Department of Agriculture, Agricultural Research Service, Acquisition and Property Division, Acquisition Branch (MD), 5601 Sunnyside Avenue, Building 3, Mailstop: 5116, Beltsville, MD, 20705
 
ZIP Code
20705
 
Solicitation Number
04-3K06-021
 
Response Due
6/22/2004
 
Archive Date
7/7/2004
 
Point of Contact
John Chadwick, Contract Specialist, Phone 301-504-1732, Fax 301-504-1717; Dennis Foley, Supervisory Contract Specialist, Phone 631-323-3397, Fax 631-323-3295
 
E-Mail Address
jchadwick@ars.usda.gov, dfoley@piadc.ars.usda.gov
 
Small Business Set-Aside
Total Small Business
 
Description
This is a combined synopsis/solicitation for commercial items prepared in accordance with the format in Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; proposals are being requested and a written solicitation will not be issued. The solicitation number is 04-3K06-021. This solicitation is being issued as a request for quote (RFQ) in accordance with FAR Subpart 13.5 - Test Program for Certain Commercial Items. The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular 2001-23. The associated North American Industry Classification System (NAICS) for this procurement is 541690 and the business size is $6,000,000.00. The Government intends to award a firm-fixed-price contract for Information Technology Certification & Accreditation consulting services, for the U.S. Department of Agriculture, Agricultural Research Service, Beltsville, Maryland. This requirement is a 100% set aside for Small Business.

Statement of Work
IT Certification & Accreditation

1.0 INTRODUCTION
Federal law and Office of Management and Budget (OMB) guidance include the requirement that agencies establish oversight mechanisms to evaluate systematically and ensure the continuing security, interoperability, and availability of systems and their data. More specifically, the guidance requires a process, identified herein as Security Accreditation, to ensure that a management official authorizes in writing the use of each Major/Non-Major Application and General Support System (GSS) based on implementation of its security plan before beginning or significantly changing processing in the system. Use of the system shall be re-authorized at least every three years, or when a major change that impacts security of the system occurs. Security accreditation is the official management decision to authorize operation of an information system.
Security accreditation, which is required under OMB Circular A-130, provides a form of quality control and challenges managers and technical staff at all levels to implement the most effective security controls and techniques, given technical constraints, operational constraints, cost and schedule constraints, and mission requirements. Security evaluation plays an important role in the security accreditation process. This evaluation, made in support of the security accreditation process, determines the effectiveness of these security controls in a particular environment of operation and the vulnerabilities in the information system after the implementation of such controls. The results of the security certification are used to reassess the risks and update the security plan for the information system - thus, providing the factual basis for the authorizing official to render the security accreditation decision.

1.1 OBJECTIVE
The purpose of this Statement of Work (SOW) is to obtain security consultation and technical support to develop specific documentation and perform tasks that meet USDA's requirements for Certification & Accreditation (C&A) of two hundred and thirteen (213) Agricultural Research Service (ARS) applications and GSS. These requirements consist of the tasks for Information Technology (IT) C&A activities as noted in this SOW (referenced in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37).

1.2 USDA C&A GUIDE
The USDA Certification and Accreditation Guide is intended to provide a comprehensive and uniform approach to the C&A process. Individuals responsible for, or involved in, the C&A process will use this guide as a resource to assist them in certifying and accrediting the United States Department of Agriculture (USDA) Major/Non-Major Applications and General Support Systems. The USDA C&A Guide defines three distinct phases: Pre-Certification, Certification, and Accreditation.
Security Certification and Accreditation for low impact systems can be demonstrated as stated in Federal Information Processing Standard (FIPS) Publication 199. The scalability of the certification and accreditation process for low impact systems results in the elimination of the independent certification agent, the incorporation of self-assessment activities, and a reduction in the associated level of supporting documentation and paperwork as prescribed in NIST SP 800-37.

2.0 SCOPE
This scope of work includes all of the following activities, each of which is described in the USDA C&A Guide and NIST SP 800-37. These tasks and the products that result from them must meet the above referenced USDA/NIST specifications and guidelines. ARS is the principal in-house research agency of the U.S. Department of Agriculture (USDA). ARS currently has 100 research locations including a few in other countries. The contractor shall provide security consultation and technical support to ARS to complete C&A activities for all of its Major/Non-Major Applications and General Support Systems, consisting of local area networks and web farms geographically located across the United States at ARS Area Offices and field locations. The contractor shall develop detailed instructions, templates, and boilerplates to assist ARS system administrators to create documentation and complete tasks that meet USDA's requirements for certification and accreditation.

3.0 Tasks

3.1 Identify Required Security Controls
The contractor shall identify and document all security controls that shall be on Agency IT systems, including those specified in the System Security Plan and any additional requirements needed to secure the system at the proper security categorization. The controls shall be compiled from USDA guidance, other federal guidance, including OMB A-130, NIST SP 800-53, FISMA, and industry best practices.
The security controls shall include management, technical and operation controls for the system, in addition to environmental and physical security controls. The contractor shall confirm that the security category of the information system has been determined and documented in the system security plan. The controls shall match the system categorization as defined in FIPS Publication 199.

3.2 Develop/Review Security Plans
All USDA agencies and staff offices are required to develop individual Security Plans for all Agency IT systems. USDA OCIO has developed instructions and templates for each type of plan. The contractor shall perform a review of the security plans to determine the validity of the plan. Furthermore, the contractor shall review and recommend updates of agency security plans based on the results of the security plan review process. The contractor shall recommend modifications and update agency system security plans as needed to meet NIST SP 800-18, FISMA, and Office of Inspector General (OIG) audit requirements. Recommendations shall be incorporated into the plans, and modifications shall be made to ensure consistency between the security plan and self-assessment.

3.3 Perform Initial Risk Assessments
The contractor shall review Agency IT system self-assessments and confirm that the risk to agency operations, assets, or individuals has been determined and documented in the system security plan, risk assessment, or an equivalent document. The contractor shall apply a methodology that meets or exceeds the specification of the National Security Agency (NSA) developed INFOSEC Assessment Methodology (IAM), NIST SP 800-26, NIST SP 800-30, OMB A-130 Appendix III, and USDA's self-assessment guides, as applicable. For low impact systems, the appropriate methods and procedures necessary to conduct a self-assessment of the information security controls are sufficient in accordance with NIST SP 800-37.

3.4 Security Test and Evaluations
The contractor shall review the system security plan, self-assessment, and Security Test & Evaluation (ST&E) results and determine if the risk to agency operations, agency assets, or individuals is acceptable. Findings shall be documented in the System Security Evaluation reports, and weaknesses shall be documented in the Plan of Action and Milestone (POA&M) reports. A variety of assessment methods and tools may be employed to determine if vulnerabilities exist. These may include both internal and external examination and shall address both physical and cyber security. Tests and reviews used may include, but are not limited to:
- Vulnerability scans
- Security Plan review
- Self-assessment review

3.5 Develop Interconnectivity Agreements
All USDA agencies and staff offices that have obtained approval from the USDA CIO to access the Internet through a non-USDA Internet Service Provider (ISP) shall have an Interconnectivity Support Agreement (ISA) established between the agency and the non-USDA ISP. The Interconnectivity Support Agreement is a memorandum of understanding (MOU) that states the level of security anticipated, the level attained, when and how information affecting the security of either or both systems will be exchanged, etc. The contractor shall develop Interconnectivity Support Agreements and Memorandums of Understanding that meet USDA's requirements for certification and accreditation in accordance with NIST SP 800-47.

4.0 STATUS REPORTING
The contractor shall brief the Contracting Officer's Technical Point of Contact (TPOC), through weekly one-hour meetings. These briefings will detail the week's accomplishments, review the goals for the coming week, and act as a forum for logistics and general strategy issues.

5.0 DELIVERABLES
All deliverables require at least two iterations - a draft and a final.
The contractor shall provide copies of the original draft document and one electronic copy, formatted in MS Word (diskette, CD-ROM or encrypted electronic mail) to the TPOC for each deliverable or interim deliverable. The contractor shall submit drafts to the TPOC for review and comment in accordance with the contractor's proposed milestone/delivery schedule. The TPOC will consolidate comments and return the commented draft document to the contractor in electronic and hard copy form. ARS shall have five business days for review and submission of written comments to the contractor. The contractor shall submit final versions to the TPOC within five business days of comments being received.

6.0 SECURITY REQUIREMENTS
The activities and reports required to perform tasks in this contract are expected to contain unclassified Sensitive Security Information (SSI) that could act as a guide for hostile entities to cause harm to the Department's critical infrastructure. USDA Departmental Regulation 3440-2 "Control and Protection of 'Sensitive Security Information'" provides minimum protection requirements and guidance to be followed when handling SSI. Such information shall not be divulged or made known in any manner to any person. The contractor shall immediately notify the TPOC upon discovery of any inadvertent disclosures of information. All information arising from this contract, both hard copy and electronic, shall be returned to the government at the completion of this contract. The contractor shall not disclose sensitive or proprietary information of, or in the possession of, the United States Department of Agriculture or any of its operating units, contractors or business partners to unauthorized persons. The contractor shall be subject to any and all penalties imposed by law for unlawful disclosure of Departmental information.

7.0 GOVERNMENT FURNISHED EQUIPMENT AND INFORMATION
The contractor shall provide all requisite hardware and software necessary to perform all tasks described in this SOW. Furthermore, the contractor shall specifically identify in their quotation the type, amount, and time frame, for obtaining any government resources required to perform the tasks identified in this SOW.

8.0 PLACE OF PERFORMANCE
All work shall be performed at the George Washington Carver Center (GWCC) located in Beltsville, Maryland, or the contractor's facility.

9.0 PERIOD OF PERFORMANCE
Contractor shall begin contract performance within (10) days of contract award. All Certification and Accreditation work described in this SOW shall be completed by September 30, 2004.

SERVICES AND PRICES DESCRIPTION
The Contractor shall provide all personnel, equipment, materials, and supplies necessary to perform all work described in the Statement of Work for the Agricultural Research Service.

PRICE SCHEDULE
Item No. | Service | QTY | Unit | Amount
3.1 | Identify Required Security Controls | 1 | Job | $______
3.2 | Develop/Review Security Plans | 1 | Job | $______
3.3 | Perform Initial Risk Assessments | 1 | Job | $______
3.4 | Security Test & Evaluations | 1 | Job | $______
3.5 | Develop Interconnectivity Agreements | 1 | Job | $______
TOTAL CONTRACT PRICE $______

EVALUATION
The Government will award a contract to the responsible quoter whose quote conforming to the RFQ will be most advantageous to the Government, price and other factors considered. The following factors shall be used to evaluate quotes:
- Contractor's approach including technical understanding of performance requirements (objective, approach, methods, and schedule).
- Recent, relevant experience performing tasks of similar size, scope and complexity to those outlined in the SOW.
- Recent, relevant past performance on projects of commensurate size, complexity and scope.
- Price

A written notice of award or acceptance of a quote, mailed or otherwise furnished to the successful quoter, shall result in a binding contract without further action by either party. The Government may accept a quote, whether or not there are negotiations after its receipt, unless a written notice of withdrawal is received before award.

The provision at 52.212-1, Instructions to Offerors-Commercial Items, is hereby incorporated by reference. The provision at 52.212-3 is hereby incorporated by reference. Offerors shall include a completed copy of the Offeror Representations and Certifications-Commercial Items, with their offer. The clause at 52.212-4, Contract Terms and Conditions-Commercial Items, is hereby incorporated by reference. The clause at 52.212-5, Contract Terms and Conditions Required To Implement Statutes or Executive Orders-Commercial Items, is hereby incorporated by reference. The following paragraphs under this clause apply to this solicitation and any resultant contract: (b)(1) 52.203-6, (b)(5) 52.219-6, (b)(7) 52.219-8, (b)(9) 52.219-14, (b)(14) 52.222-3, (b)(16) 52.222-21, (b)(17) 52.222-26, (b)(18) 52.222-35, (b)(19) 52.222-36, (b)(20) 52.222-37, (b)(27) 52.225-16, (b)(28) 52.232-29, (b)(30) 52.232-33, (b)(33) 52.239-1.

Submitting Quote Responses
A. Provide a price quote based on the price schedule provided. Your price shall be fully burdened to include all costs necessary to perform the services identified in the SOW including all labor categories, hours, hourly rates, supplies, equipment, materials, transportation and all other direct and indirect costs and profit.
B. Provide a narrative (separate from your price quotation) describing the planned approach to performing the services outlined in the SOW including a proposed milestone/delivery schedule.
C. Provide a list of projects describing your experience performing similar work and past performance of commensurate size, complexity and scope. For each project include:
1. Name of the project;
2. Description of the work;
3. Contract number, date and type;
4. Name and address of the acquiring Government agency or commercial customers;
5. Initial contract amount and final contract amount;
6. Any problems encountered in performance of the work and corrective action(s) taken; and
7. Name(s) and telephone number(s) of references from the acquiring agency or customer who may be contacted for further information.

All projects submitted shall have been performed within the last 3 years. Quoters shall only submit those projects which illustrate both their experience as well as their past performance. Quoters shall not submit separate projects demonstrating their experience and past performance separately. References other than those identified by the quoter may be contacted by the Government, with the information received used in the evaluation of the quoter's past performance. ARS reserves the right to consider other information or sources at its disposal during the evaluation of the Past Performance factor.

Quoters shall submit (1) original hard copy of their quotation (including the information requested above) to the address listed below as well as an electronic copy via e-mail to jchadwick@ars.usda.gov not later than 3:00 pm (EST), Tuesday, June 22, 2004.

U.S. Department of Agriculture
Agricultural Research Service
ATTN: John A. Chadwick
5601 Sunnyside Ave.
Mail stop 5116
Beltsville, MD 20705-5000

All inquiries pertaining to this RFQ shall be directed to John A. Chadwick, Contract Specialist, at (301) 504-1732 or via e-mail to: jchadwick@ars.usda.gov. See Numbered Note 1.
 
Place of Performance
Address: USDA, George Washington Carver Center (GWCC), 5601 Sunnyside Ave, Beltsville, MD
Zip Code: 20705
Country: US
 
Record
SN00599824-W 20040610/040608211612 (fbodaily.com)
 
Source
FedBizOpps.gov Link to This Notice
(may not be valid after Archive Date)
