Loren Data's SAM Daily™

 fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
FBO DAILY - FEDBIZOPPS ISSUE OF AUGUST 15, 2014 FBO #4647
SOURCES SOUGHT

D -- NIDCD Drupal Platform as a Service (PaaS) Web Content Management System (CMS) Support

Notice Date
8/13/2014
 
Notice Type
Sources Sought
 
NAICS
518210 — Data Processing, Hosting, and Related Services
 
Contracting Office
Department of Health and Human Services, National Institutes of Health, Office of Administration, 6011 Executive Blvd, 5th Floor, Rockville, Maryland, 20852-3804, United States
 
ZIP Code
20852-3804
 
Solicitation Number
HHS-NIH-OD-SS-14-001
 
Archive Date
9/2/2014
 
Point of Contact
Joycelyn E Bacchus, Phone: 301-435-3901
 
E-Mail Address
bacchusj@od.nih.gov
(bacchusj@od.nih.gov)
 
Small Business Set-Aside
N/A
 
Description
This is a Sources Sought notice. This is NOT a solicitation for proposals, proposal abstracts, or quotations. The purpose of this notice is to obtain information regarding the availability and capability of all qualified sources to perform this potential requirement. Be sure to indicate current GSA Schedule Contracts/Government Wide Agency Contracts appropriate to this Sources Sought. Background: The National Institutes on Deafness and Other Communication Disorders (NIDCD) web presence is managed by its Office of Health Communication and Public Liaison (OHCPL), which is responsible for the agency's www.nidcd.gov website among others. NIDCD supports public web sites with thousands of visitors each month to popular public web sites including nidcd.nih.gov and noisyplanet.nih.gov. Traditional on premise SharePoint system development, content management activities and integration support is insufficiently adaptive and too costly for our needs. Market research supports the replacement of this current model with agile and cost effective commodity Platform as a Service (PaaS) Cloud Computing services. The Government requires the rapid implementation of transformative, secure, cloud-based web hosting and content management services in order to reduce web presentation costs and internal engineering risk, improve levels of service for both internal and external customers, and provide a predictable cost model for ongoing operations. Objectives: NIDCD is pursuing the acquisition of a cloud-based Drupal "Platform as a Service" (PaaS) Web Content Management System (CMS) to support its public facing web sites. NIDCD intends to implement an externally hosted, managed, and administered Drupal PaaS environment to allow for greater confidence in the overall operation of Drupal based websites and applications. Once completed, this project will provide the modern, flexible, scalable, secure, stable, highly available, and survivable web hosting environment NIDCD requires. Scope of Work: The scope of this effort includes the discovery/design and classroom workshops/training required to prepare our staff and/or contract developers to appropriately configure our first public web site using the Drupal instance(s). This will be an implementation of the chosen configuration and modules, and all cloud computing and support services required to operate, maintain, safeguard and manage the Drupal CMS PaaS. The highly visible nature of NIDCDs public web presence drives our information assurance requirements. The cloud computing environment must consist of either a government community cloud (including United States federal, state, local and tribal entities), or private cloud. For legal jurisdiction implications regarding ensuring the adequate safeguarding of Government sensitive information, including Personally Identifiable Information (PII), the contractor's PaaS Service Provider information systems that access and store government data at rest must be located within the sole jurisdiction of the United States Federal Government (i.e., within the continental United States, Hawaii, Alaska, Puerto Rico, Guam, and/or the Virgin Islands). Regardless of teaming arrangements, the PaaS Provider/Contractor and its subcontractors and/or teaming partners, shall comply with all required and applicable laws, rules, regulations, and standards, and these laws, rules, regulations, and standards shall apply equally to all parties involved in any aspect of managing, hosting, delivering, maintaining and/or supporting the cloud services in performance of this requirement. 3.1. Discovery Workshop/Technical Training- Phase I NIDCD requires the PaaS Provider/Contractor to work with the NIDCD team in on-site workshop/training sessions to determine the design and configuration of the new Drupal system. The workshop(s) shall focus on five primary areas: common requirements review, system interface discovery, migration best-practice overview, risk identification and project success metrics review 3.2. Component Architecture and High Level Design The Contractor shall lead component architecture and high level design review sessions with NIDCD teams. The Contractor will identify the major components of the Drupal system and identify how the system capabilities will be extended with community and custom Drupal modules. The high-level design shall also include the following activities: 3.2.1. Drupal Module Selection The Contractor shall work with the NIDCD team to identify the available Drupal core and community contributed open-source modules that are recommended in implementation. 3.2.2. Custom Module Design Some capabilities may not be able to be implemented using standard modules. The Contractor shall identify any custom modules recommended and prepare a high-level design overview of the custom modules. The component architecture shall also identify required integration points with any external systems and define the approach to integration including the message format and protocol for the integration. The Contractor shall document all system customizations and modifications, system content architecture, processes for content update and approval, and any other material changes and processes that are necessary for the continued operations and maintenance of the system. Software source code developed in fulfillment of this contract is deemed to be, by default, an open source work and shall be contributed to the Drupal community, unless any of the following conditions are met: a. The Government determines that the code is too crude to merit distribution or provide value to the broader community. b. The Government does not have the rights to reproduce and release the code or a component of the code. The Government has public release rights when the software is developed by Government personnel, when the Government receives "unlimited rights" in software developed by a contractor at Government expense, or when pre-existing code is modified by or for the Government. c. The public release of the item is restricted by other law or regulation, such as the Export Administration Regulations or the International Traffic in Arms Regulation. d. NIDCD cybersecurity staff determines that the public release of such code would pose an unacceptable risk to NIDCD's operational security. 3.2.3. Content Architecture The core of any Drupal site is the definition of content types and their categorization. The content architecture includes the content types, views of those types, taxonomies for categorizing content, and workflows for publishing content of each type. The Contractor shall facilitate the development of the content architecture with the NIDCD team. The Contractor shall implement the latest stable Drupal version, currently version 7.x core and appropriate contributed models to support NIDCD's mission and identify requirements, to include content such as blogs, events, publications, and press releases, and open data formats (xml, json, APIs, etc) mobile devices, 508 compliance, and multiple browser support. 3.2.4. Deployment Architecture The Contractor shall work with the NIDCD team in order to ensure that the cloud-based Platform as a Service architecture meets the performance and security requirements. 3.3. Hosting Functional Requirements - Phase III NIDCD requires a cloud-based Drupal PaaS that will provide in the base PaaS offering, at a minimum: a. 99.9% availability, or higher, to web site visitors and content publishers with a financially backed penalty schedule; b. a secure platform that prevent loss of, or tampering with, NIDCD data, service degradation, and/or service disruption to site visitors and NIDCD web publishers; c. the capability, including capacity and availability, that ensures immediate and uninterrupted service of web sites to the public which must be consistent with the uptime and other Service Level requirements identified herein; d. 24 hours per day, seven days a week, 365 days per year proactive monitoring and support for resolution of any and all outages that affect the availability of content to visitors. Provide troubleshooting services and support during core duty hours for issues not affecting the presentation of web content; e. compliance with federally mandated IPv6 requirements for public facing services (see http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/transition-toipv6.pdf); f. compatibility with currently proposed web page designs and aesthetics, and provides improvements where necessary to accommodate additional functionality within the Drupal framework; and g. accessibility to (and on-demand irretrievability of) archival records of historical content published on the website(s) indefinitely. h. No extra charge throttling of capacity during occasional public access "heavy use" periods. 3.3.1. Constraints 3.3.1.1. Incident Response The Contractor shall have, and exercise annually, an incident response plan to address security or privacy breaches, data loss, and unauthorized access to data. Such plan shall comply with FISMA, the Trusted Internet Connection (TIC) initiative, ISO 27001, and NIST standards. The Contractor shall adhere to U.S. Computer Emergency Readiness Team (US-CERT) guidance on incidence response and threat notifications. 3.3.1.2. Privacy The services provided shall comply with the provisions of the Privacy Act of 1974, especially with regard to the handling and protection of Personally Identifiable Information (PII). The Contractor shall cooperate in the conduct of periodic Privacy Impact Assessments (PIA), as required by Section 208 of the e-Government Act of 2002. It is not anticipated that any of NIDCD's public web sites will contain PII. 3.3.1.3. Data Location The Contractor shall not host any portion of the PaaS environment in facilities outside the contiguous United States, Alaska, Hawaii, and other U.S. Territories. 3.3.2. NIDCD Active Directory Integration NIDCD uses Microsoft's Active Directory to create a single NIDCD-wide directory of all users. This directory is known as the Enterprise Active Directory (EAD). While not initially required if needed in the future, the Drupal CMS must recognize the EAD as the authoritative source for authentication using the open standard Security Assertion Markup Language (SAML). 3.3.3. Security and Compliance The Contractor shall provide cloud services with the requisite security, confidentiality, integrity, availability, and privacy levels and controls that are compliant with regulations, to include the following: a. Federal government regulatory compliance requirements (i.e. Privacy Act, FISMA, CIPSEA, Federal Records Act, Freedom of Information Act, Trade Secrets Act, Health Insurance Portability and Accountability Act (HIPAA), Privacy Rules, etc.); b. Security standards and security control requirements for a Moderate Impact system as described in NIST Special Publications (SP) for cloud computing (SP 800-144, SP 800- 145, and SP 800-146) as well as NIST SP 800-53 with an accepted Certification and Accreditation (C&A) or Security Authorization; c. Privacy Act, Title 5 of the United States Code (U.S.C.) § 552a and applicable agency rules and regulations; and d. The hosting environment provisioned by the Contractor must demonstrate an appropriate level of security for a FISMA Moderate system by meeting the requirements of Section C.5.3.1, comply with FedRAMP and NIDCD Information Security and Privacy Requirements. The continuous monitoring provided must comply with the NIST Special Publication 800-137 framework and Department of Homeland Security (DHS) guidance. Prior to NIDCD's operational readiness testing, the Contractor shall provide (for Government review and acceptance) the complete set of Security Assessment and Authorization artifacts, as required by FISMA for the information system having a Moderate security categorization. These deliverables are required to support system certification and NIDCD authorization to operate (ATO). 3.4. Management Objectives The Contractor shall provide cloud services in order to: a. Maintain ongoing high levels of user satisfaction with the cloud services; b. Provide a mechanism that measures, and reports on, customer satisfaction with the delivery and use of cloud services; c. Increase end-user efficiency related to the management of Cloud Services capabilities; d. Allows for controlled, real-time, on-demand and automated provisioning of storage and bandwidth capacity to support content delivery; e. Provides NIDCD service level managers a web-based "dashboard" that enables 24x7x365 near real-time monitoring and visibility of: 1. Cloud services performance, service status, and key performance indicators of the System against the proposed SLAs and operational parameters; 2. Reporting and analytics that provides NIDCD with up-to-date and comprehensive Information regarding technical and management performance (summarizing projected vs. actual measures), pricing and other related issues by bureau and office; and 3. Security logs as required within the documentation identified in Section 2.3.4.3, Security and Compliance and in accordance with the terms and conditions of associated attachments. 3.5. Project Phases and Deliverables 3.5.1. Task 1: Drupal Design and Government's Operational Readiness and Acceptance Testing (Phase I) The Contractor shall complete Drupal CMS design and training sessions within ninety (30) calendar days of award, concluding Phase I. At the close of Phase I, the Contractor shall deliver to the Government for review and acceptance draft Assessment and Authorization (A&A) documentation, proposed solutions architecture, migration plans, prototypes, and test results demonstrating the success for delivery of the requirements and services described herein. The design and training session(s) shall focus on the migration of one of NIDCD public sites. The Government will have seven (7) calendar days to review and submit a report pertaining to the Acceptance testing documentation and as a result of service testing. The Contractor shall have seven calendar days to respond to the Government's report with a corrective action plan, if necessary. The Government will then have seven calendar days for final review and acceptance or rejection of the Contractor's service solution. 3.5.2. Task 2: Implementation (Phase II) Within thirty (30) calendar days of notification by the Government of Phase I acceptance, the Contractor shall complete implementation of the NIDCD Drupal PaaS architecture as agreed. The Government will have seven calendar days to review and submit a report pertaining to service testing. The contractor shall have seven calendar days to respond to the Government's report with a corrective action plan, if necessary. The Government will then have seven calendar days for final review and acceptance or rejection of the vendor's proposed service solution and/or action plan(s). 3.5.3. Task 3: Steady-State Phase (Phase III) Phase III is the steady-state operations of the cloud hosted Drupal Platform as a Service web content management and presentation services which the Contractor shall maintain and ensure. 3.6. Access Control The Contractor shall ensure system access control seamlessly integrates with NIDCD's Identity, Authorization and Access Management (IdAAM) solution, which consists of: ● Microsoft Active Directory (AD) and Public Key Infrastructure (PKI) architecture ● NIDCD HSPD-12 PIV SmartCard-based credentials and enable logical authentication 3.7. Authentication NIDCD currently utilizes name and password authentication, however NIDCD is transitioning to Entrust PKI for authentication. The Contractor shall ensure that the hosted solution shall support authentication using NIDCD's SAML infrastructure, enabling NIDCD to meet its two factor authentication requirements as specified in Homeland Security Presidential Directive (HSPD)-12, dated August 12, 2004. 3.8. Final Product The Contractor's end-product shall be a fully functional hosted Drupal content architecture capable of supporting the www.NIDCD.gov & noisyplanet.nih.gov website, configured as agreed in workshop sessions, and extensible to support other NIDCD public websites on demand. 4. DELIVERABLES AND DELIVERY SCHEDULE In fulfillment of this effort, the Contractor shall be required to submit deliverables to the NIDCD Technical lead unless otherwise agreed upon. Unless otherwise specified, the Government will have a maximum of fourteen (14) calendar days from the day the draft deliverable is received to review the document, provide comments back to the contractor, approve or disapprove the deliverable. The contractor will also have a maximum of fourteen (14) calendar days from the day comments are received to incorporate all changes and submit the final deliverable to the Government. All days identified below are working days unless otherwise specified. 4.1. General Quality Measures General quality measures, as set forth below, will be applied to each deliverable received from the Contractor under this effort. 1. Accuracy - Deliverables will be accurate in presentation, technical content, and adherence to accepted elements of style. 2. Clarity - Deliverables will be clear and concise. Any and all diagrams will be easy to understand and be relevant to the supporting narrative. 3. Consistency to Requirements - All deliverables must satisfy the requirements of this SOW. 4. File Editing - All text and diagrammatic files will be editable by the Government. 5. Format - Deliverables will be submitted in hard copy where applicable and in media mutually agreed upon prior to submission. Hard copy formats will follow any specified directives or manuals. 6. Timeliness - Deliverables will be submitted on or before the due date specified herein or submitted in accordance with a later scheduled date determined by the Government. 4.2. Quality Assurance The NIDCD Technical lead will review, for completeness, preliminary or draft documentation that the Contractor submits, and may return it to the Contractor for correction. Absence of any comments by the NIDCD Technical lead will not relieve the Contractor of the responsibility for complying with the requirements of this work statement. Final approval and acceptance of documentation required herein shall be by letter of approval and acceptance by the NIDCD Technical lead. The Contractor shall not construe any letter of acknowledgement of receipt material as a waiver of review, or as an acknowledgement that the material is in conformance with the work statement. Any approval given during preparation of the documentation, or approval for shipment shall not guarantee the final acceptance of the completed documentation. 4.3. Weekly Status Reports The Contractor shall prepare and submit a weekly status report and participate in a one-hour teleconference call with members of the NIDCD team in accordance with the requirements of Phases I and II of this contract. The weekly status reports shall include at a minimum the following: ● Progress for the period: detailed progress report of findings, key relevant activities and accomplishments during the reporting period, including any partner activities; ● Activities planned, to include any partner activities, for the next reporting period: planned activities, as well as the status of any and all deliverables, including planned delivery date(s) and actual and/or anticipated delivery date(s); ● Problems encountered: identification of any problems, issues or delays and recommendations as to their resolution, and any corrective action that was taken to correct identified problems. 4.4. Proposed Workshops Deliverable Schedule The contractor shall provide a consolidated report for the Discovery and Architecture Workshops: Reference Section Workshops Schedule 4.4.1 Discovery Workshop(s) Delivered over the course of up to thirty (30) consecutive calendar days. 4.4.2. Architecture Workshop(s) Delivered over the course of up to ten (10) consecutive calendar days. Conducted concurrently with the Discovery Workshops Reference Section Deliverable or Milestone Schedule 4.4.3. Requirements matrix: The Contractor shall prepare a document describing all of the high-level requirements for the site, grouped by category and assigned prioritization. Within seven (7) calendar days following the completion of the Architecture Workshop. 4.4.4 Deployment plan: The Contractor shall prepare a document outlining the timeline for development of the site, exclusive of any potential data migration. Within seven (7) calendar days following the completion of the Architecture Workshop. 4.4.5. Risk Identification: The Contractor shall facilitate the identification and capture of risks to the project. This process shall bring focus to the highest risks, and in turn assist in their appropriate resourcing and scheduling within the development plan. Within seven (7) calendar days following the completion of the Architecture Workshop. 4.4.6. and 4.4.6.1. Generally Architecture and Design Document: The Contractor shall provide an Architecture and Design Document describing the recommended candidate architecture and high-level design aspects for the new site. The design shall include sections describing the outcome of each of the four (4) major areas covered in the workshop. Within seven (7) calendar days following the completion of the Architecture Workshop. Period of performance: Estimated to be for one (1) base period with (4) option period.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/HHS/NIH/OoA/HHS-NIH-OD-SS-14-001/listing.html)
 
Place of Performance
Address: Government Facility, Rockville, Maryland, 20892, United States
Zip Code: 20892
 
Record
SN03463468-W 20140815/140813235749-77cbd2b297a7d0e4f9fb4537ac9194aa (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
FSG Index  |  This Issue's Index  |  Today's FBO Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.