SOURCES SOUGHT
D -- INFORMATION TECHNOLOGY ENGINEERING SUPPORT SERVICES - Sources Sought/RFI
- Notice Date
- 6/29/2015
- Notice Type
- Sources Sought
- NAICS
- 541512 — Computer Systems Design Services
- Contracting Office
- Department of the Navy, Military Sealift Command, MSC Norfolk, Building SP-64, 471 East C Street, Bldg SP64, Naval Station Norfolk, Norfolk, Virginia, 23511, United States
- ZIP Code
- 23511
- Solicitation Number
- N102-15-ITESS
- Archive Date
- 7/23/2015
- Point of Contact
- Cheryl Somers, Phone: 757-443-5921
- E-Mail Address
- cheryl.somers@navy.mil
- Small Business Set-Aside
- N/A
- Description
- Sources Sought/RFI for ITESS MARKET SURVEY N102-15-ITESS 29 JUNE 2015 From: MSC N102 Subject: INFORMATION TECHNOLOGY (IT) ENGINEERING SUPPORT SERVICES DESCRIPTION: This is a market survey for acquisition planning purposes ONLY. No formal solicitation exists at this time. MSC is soliciting input to determine the technical, administrative, management and financial capability of potential offerors to perform this kind of work. Interested offerors must submit a brief but complete capability statement that demonstrates the capability to perform the type of services described below. MSC requests a response to this market survey by no later than 8 July 2015. This information will be used by the Contracting Officer to assist in developing the procurement strategy. This is a request for information only and your response is not an offer. This request for information does not commit the Government to pay for any costs incurred in preparation of any submission to this market survey. DRAFT REQUIREMENT Information Technology (IT) Engineering Support Services (ITESS) PERFORMANCE WORK STATEMENT (PWS) 1. Contract or Task Order Title. Information Technology (IT) Engineering Support Services (ITESS) 2. Background. MSC's mission is to support our nation by delivering supplies and conducting specialized missions across the world's oceans. Additional information on MSC is available at www.msc.navy.mil. The C4S Directorate (N6) is responsible for MSC IT worldwide. The Director of C4S serves as MSC's Command Information Officer (CIO), the principal IT advisor to the MSC Commander. 
N6's mission is to provide IT support to MSC managers and staff necessary to effectively and efficiently carry out the agency's mission; to provide integrated, standards based, secure IT solutions within the context of the Global Information Grid in concert with the DoD and its partners; and to ensure that IT resources are acquired and managed in a manner consistent with the standards, policies, and priorities established by the Secretary of Defense and the MSC Commander. MSC C4S Engineering manages engineering resources in support of Information and Communications capabilities ashore and afloat including requirement management, capability maintenance, development, initial installations and retirement. 2.1 Current Operating Environment Ashore environment: MSC is supported by or uses the following ashore networks including: Navy Marine Corp Internet (NMCI) Continental United States (CONUS), Overseas Navy Enterprise Network (ONE-NET) Outside the Continental United States (OCONUS), MSC Data Centers (CONUS) and Afloat Network Operations Center (ANOC) (CONUS). MSC's ashore desktop operating environment is currently a hybrid of various Windows, and UNIX environments. MSC's current ashore server operating environment includes Windows, UNIX and LINUX environments at the MSC Corporate Data Center (MCDC), ANOC, and MSC Disaster Recovery Site (MDRS). DESKTOP APPLICATIONS include both standard off-the-shelf software products such as the Microsoft Office Suite and other common Windows software such as Media Player and Microsoft Internet Explorer. In addition, MSC has a wide variety of Commercial-Off-The-Shelf (COTS), Government-Off-The-Shelf (GOTS), and legacy applications on user desktops. 
Shipboard Environment: SMIS-UNCLASS Network, Attachment J-001, consists of workstations, primary and backup domain controllers, a database server, a switch, router, Dynamic Host Configuration Protocol (DHCP) and Windows Internet Name Service (WINS) server, accelerator, encryptor/decryptor, and link to the ANOC via satellite transport services. The MSC Shipboard SMIS-UNCLASS environment currently operates using Microsoft operating systems and Internet Explorer. The workstations utilize various Government-off-the-shelf (GOTS), Commercial-off-the-shelf (COTS), and Shipboard Management Information System (SMIS) applications and software. These applications and software are listed on the Afloat Applications Gold List. Depending on the hull type of an MSC ship, the number of on board workstations can range from 15, up to and above 120. SMIS-CLASS Network Attachment J-002 includes a single Server running Microsoft Exchange and thin-client workstations running Windows. Exchange servers and client desktops run in a virtualized server environment. Data for Active Directory, DNS, and Exchange is replicated among local and remote domain controllers. 3. Objectives: The objective of this contract is to obtain IT Systems Engineering Support Services that will assist N6 in providing technical solutions to satisfy emerging requirements, enhance and develop IT capabilities in support of Military Sealift Command's (MSC) mission and assist in the development of governance to ensure IT capabilities align to MSC N6's strategic plan, MSC N6's technical architecture road maps and Department of Defense (DoD) mandates. 4. Scope. The contractor shall provide Information Technology (IT) Systems Engineering Support Services necessary to maintain, upgrade, test, develop and install new IT capabilities for MSC worldwide in accordance with MSC N6 Strategic Plan (Attachment J-003). 
All systems should be developed in accordance with the DISA Security Technical Implementation Guides and assessed using the applicable checklist and benchmarks. Compliance with and deviations from these requirements will be documented in the appropriate form and included as a contract deliverable. The Contractor during performance shall adhere to and apply processes that are equivalent to those articulated by CMMI for Development, Version 1.3 (CMMI-DEV, V1.3) capability level 3. The Contractor shall also provide disciplined systems engineering and project management practices in accordance with DoD 5000 and shall be in compliance with all DoD and DoN mandates and instructions, and consistent with the work requirements identified in this Performance Work Statement (PWS). Unless otherwise indicated, copies of the specifications, standards, and handbooks referenced in this PWS are available from the Document Automation and Production Service (www.defense.gov/pubs/), 700 Robbins Avenue, Building 4D, Philadelphia, PA 19111-5094. MSC unique documents are available from the Military Sealift Command Headquarters (MSCHQ), Military Sealift Command Washington, 914 Charles Morris Court, SE Bldg. 210, Washington Navy Yard, DC 20398-5540. In the event of a conflict between the text of this document and the references cited herein, unless otherwise indicated, the text of this document takes precedence. Nothing in this document, however, supersedes applicable laws and regulations unless a specific exemption has been obtained.
• Task Area 1 - Contract Management
• Task Area 2 - Project Management & Technical Management Process Support Services
• Task Area 3 - Systems & Software Engineering (SE/SWE) Support Services
• Task Area 4 - IT Service Management (ITSM) Support Services
• Task Area 5 - Enterprise Architecture (EA) Support Services
• Task Area 6 - Information Assurance (IA) Support
5. Performance Requirements. 
5.1 Task 1 - Contract Management The contractor shall provide all necessary personnel, administrative, financial, and managerial resources necessary for the performance of this activity. The contractor shall designate a single point of contact (POC) as the Contract Manager (CM) for use in communicating issues, concerns or problems on this task order. The PM shall have the authority to commit the contractor's organization and make decisions for the contractor's organization in response to Government issues, concerns or problems. The PM shall be readily available to respond to questions, concerns and comments, as well as be proactive in alerting the Government to potential contractual/technical issues. Although Government staff may coordinate with other contractor staff, the PM shall serve as the single contractor representative responsible for resolving all issues, concerns and problems. The contractor shall provide a draft Contract Management Plan (CMP) to the MSC COR at the Kick-Off Meeting. Effective Contract Management will ensure that all contractor support assigned to this task are coordinating and leveraging processes already in place or being developed. This effort will include the overall management of contractor resources assigned to this task order as well as reporting to and direct interaction with the Contracting Officer's Representative (COR) and the Alternate Contracting Officer's Representatives (ACORs). Program Management support includes the full range of project planning, resource management, risk assessment and mitigation, quality management, change control, and management of project deliverables consistent with industry best practices. 5.1.1 Subtask 1 - Contract Kick-Off Meeting The contractor, after coordination with the Government, will schedule and coordinate a contract kick-off meeting to be held within 5 business days of task order award. The contractor, with the assistance of the Government, will develop an agenda for the meeting. 
The contractor will ensure that all identified participants are notified of the meeting in advance. At a minimum, kick-off attendees shall include key contractor personnel and key MSC personnel. At the kick-off meeting, the contractor shall present its Transition Plan for overall program management of the awarded task order. The contractor shall develop and, after Government approval, distribute meeting minutes and action items within 5 business days after the kick-off meeting. (CDRL A101, A102) 5.1.2 Subtask 2 - Contract Management Plan The Contractor shall develop, deliver, and maintain throughout the contract period of performance, a Contract Management Plan that shall be used as a foundation for technical, resource, production and management planning. The Contractor shall develop and deliver a preliminary Contract Management Plan at the kick-off meeting and an updated Contract Management Plan within 30 calendar days after the kick-off meeting. The Contract Management Plan shall include the following summary information as well as any additional information deemed relevant by the Contractor: a. design control b. reliability c. configuration control d. standardization e. quality assurance f. provisioning g. control of Government property i. tests j. certifications k. packaging l. shipping m. other Data Item Description (DID) DI-MGMT-80004A may be used and tailored with government concurrence. (CDRL A103) 5.1.3 Subtask 3 - Contract Management Reviews The contractor shall prepare and submit a Contract Management Review (CMR) agenda to the COR 5 business days prior to the CMR meeting and prepare minutes within 5 business days after the meeting. The Contractor shall prepare a review to be delivered the day of the review. The CMR shall address current TDL status to include current task order performance in comparison with task order performance metrics, mitigation plans for under-performing areas, and other issues and concerns. 
The CMR shall summarize the previous three months' performance and agreement with the Program Management Plan. The CMR will define the work projected for the subsequent 3 months. The first review will be conducted three months after award. Subsequent reviews will be conducted at three-month intervals. (CDRL A104) 5.1.4 Subtask 4 - Performance Measurement The contractor shall monitor performance standards and report monthly, via the Monthly Contract Status Reports. The contractor shall report performance metrics relative to each TDL; performance metrics shall include TDL status: resources, risk, deliverables, schedule, cost and hours by labor category for each reporting period. Metrics shall be reported for both monthly and aggregate/cumulative totals. Data Item Description (DID) DI-MGMT-81861 may be used, tailored with government concurrence. (CDRL A105) 5.1.5 Subtask 5 - Performance Cost Reporting The contractor shall prepare and submit a report concurrently with each invoice presented for payment. The contractor shall report expenses that can be invoiced under the contract. The report shall include labor expended for the period and cumulatively, broken out to identify labor categories, labor rate, project ID and project phase and personnel utilized. Contractors must provide a cost summary sheet providing a breakout of monthly costs per effort and cumulative costs as they relate to the estimated amounts. The contractor shall use the report format defined in the Performance Cost Report. Data Item Description (DID) DI-FNCL-80165A may be used, tailored with government concurrence; alternate formats may be proposed and used, with prior approval of the Contracting Officer's Representative. (CDRL A106) 5.1.6 Subtask 6 - Information Assurance The contractor shall comply with the latest Military Sealift Command Information Assurance Policy. Current policy is detailed in MSC Instruction (COMSCINST 5239.3 series Attachment J-004). 
Compliance with this directive is mandatory during the execution of design, development, and implementation and maintenance tasks within this PWS. The contractor shall comply with the Department of Defense (DoD) Information Assurance Workforce Improvement Program (DoD 8570.01-M Attachment J-005). The contractor shall use only certified personnel for all task(s) performed under this task order where certification is a requirement in accordance with DoD 8570.01-M. 5.1.7 Subtask 7 - Quality Assurance The contractor shall have at contract award, and shall maintain, a quality management system per the International Organization of Standards ISO 9001:2000 standard for all work performed at the contractor's facilities in support of this contract. The Government reserves the right to require the contractor to present its certificate of ISO 9001:2000 compliance at any time. The contractor shall, in addition, support all MSC ISO 9001:2000 assessments by utilizing all N6 processes for work performed under this contract. The contractor shall provide a quality assurance plan and approach for task order management, task order deliverables, and business process improvement to enhance the current and future processes. The quality assurance plan shall be provided at the contract kick-off meeting. DID DI-QCIC-81794, Quality Assurance Program Plan (QAPP) may be used and tailored with government concurrence. (CDRL A107) 5.1.8 Subtask 8 - Configuration Management The Contractor shall implement a Configuration Management (CM) system which complies with the following requirements: a. Establishes initial hardware and software baseline of requirements. This baseline shall include hardware drawings and software programs and code which represent the delivered end items. b. 
Perform CM reviews during formal technical program reviews at the Contractor and subcontractor facilities that verifies the high level system requirements have been incorporated and implemented into the evolving detail baseline. c. A change control system for identifying, evaluating, dispositioning, and implementing proposed hardware and software changes to the established baseline. d. A system that provides for periodic audits, including subcontractors, to ensure the overall requirements and objectives of the program are being accomplished and satisfied. MIL-HDBK-61 may be used for guidance. Data Item Description (DID) DI-SESS-81875 may be used, tailored with government concurrence. 5.1.8.1 Configuration Control The Contractor shall identify configuration items and maintain configuration change control through the systematic evaluation, coordination, approval/disapproval, and implementation of all approved changes after the functional and product configuration baselines are established. 5.1.8.2 Configuration Identification The Contractor shall establish configuration identification through the development of formal documentation (i.e., specifications, drawings and documents) that describes the baseline to be used for controlling program requirements. 5.1.8.3 Configuration Change Control The Contractor shall implement a Government approved configuration change control process. Changes to the established baseline may be submitted to the Government for approval at any time. 5.1.8.4 Data Control The Contractor shall implement a Data Management (DM) process for identification, acquisition, control, maintenance, status accounting and timely delivery of data items. The Contractor shall provide a Data Accession List (DAL) of all data, documents, reports, studies, etc. All data shall be made available to the Government upon request. 
The Contractor shall transfer data and information to the Government electronically to the maximum extent possible to facilitate more rapid communications between Government and Contractor organizations. This objective includes the creation of a cost-effective on-line digital data environment that allows the program acquisition and operational support activities, throughout the life cycle of the program, to digitally create, store, access, manipulate, share and exchange all programmatic and technical data. 5.1.8.5 Documentation The Contractor shall establish configuration identification through the development of formal documentation (i.e., specifications, drawings and documents) that describes the baseline to be used for controlling program requirements. The Contractor shall document the configuration of all new and modified configuration items established under the Project. The documentation shall include configuration item performance requirements, design, test procedures, maintenance, and version description. 5.1.9 Subtask 9 - Communications The contractor will develop and organize the communications strategy necessary to keep key stakeholders, and project team leads informed as projects move thru the different phases of the engineering and acquisition processes and shall provide technical support by assisting MSC in drafting plans, Standard Operating Procedures (SOPs) and other guidance documents as pertain to this PWS. 5.1.10 Subtask 10 - Staffing The Contractor is required to provide resources with required project management, systems engineering and IT Service Management competencies in accordance with the MSC Service Delivery Overarching Framework (Attachment J-006) and Enterprise Project Management Handbook (Attachment J-007). 
5.1.11 Subtask 11 - Phase-In / Phase-Out Plans Phase-In Plan: No later than 5 business days after the contract kick-off meeting, the contractor shall develop, with Government input, a plan of action to ensure the smooth transition of services from the predecessor contractor to the contractor with no degradation of services. Phase-Out Plan: No later than 120 calendar days prior to the end of the contract, the contractor shall develop, with input from the Government, a plan of action to facilitate the transition of services to the incoming contractor with no degradation in services. 5.1.12 Subtask 12 - Program Management Deliverables All deliverables shall be provided electronically, in a Microsoft (MS) Office commercially available product format.

PWS | Deliverable | Distribution | CDRL
5.1.1 | Contract Management Plan | COR/ACOR | A103
5.1.1 | Contract Kick Off Meeting Agenda | COR/ACOR | A101
5.1.1 | Contract Kick Off Meeting Minutes | COR/ACOR | A102
5.1.2 | Management Plan | COR/ACOR | A103
5.1.3 | Contract Management Review | COR/ACOR | A104
5.1.4 | Monthly Status Reports (MSRs) | COR/ACOR | A105
5.1.5 | Performance Cost Report | COR/ACOR | A106
5.1.7 | Quality Assurance Program Plan | COR/ACOR | A107
5.1.8 | Configuration Management Plan | COR/ACOR | A108
5.1.11 | Phase-In Plan | COR/ACOR | A109
5.1.11 | Phase-Out Plan | COR/ACOR | A110

5.2 Task 2 - Project Management & Technical Management Process Support Services The contractor shall provide support for Technical Management Processes and Project Management in support of systems and software engineering projects and in accordance with Department of Defense (DoD) Instruction (DoDI) 5000.02 and Department of the Navy (DoN) mandates, Cybersecurity (Information Assurance) policies, standards, instructions and directions. The purpose of this activity is not to direct the contractor's day-to-day systems engineering work but to provide visibility into the project technical, cost and schedule performance. 
Additionally, this activity will be used to ensure management and control of activities, reviews and the Technical Data Package (TDP) baseline. 5.2.1 Subtask 1 - Project Management Reviews The contractor shall prepare and submit a Project Management Review (PMR) agenda to the COR 5 business days prior to the PMR meeting and prepare minutes within 5 business days after the meeting. The Contractor shall prepare a review to be delivered the day of the review. The PMR shall address current project status to include performance in comparison with TDL defined performance metrics, mitigation plans for under-performing areas and risks, issues and concerns. The PMR shall summarize the previous month's performance and overall consistency with the project plan. The first review will be conducted one month following each project kick-off. Subsequent reviews will be conducted at monthly intervals. (CDRL A201, A202) 5.2.2 Subtask 2 - Project Management Support The Contractor shall provide Project Management support service in accordance with the DOD Acquisition Life Cycle and as defined in the TDL, including: a. Develop and update as required by phase, a Work Breakdown Structure (WBS) compliant with MIL-STD-881C Appendix K Attachment J-008 (or as appropriate) specific to each project. b. Develop and maintain a project cost estimate. c. Develop and update as required by phase, a Project Management Plan specific to each project. d. Prepare inputs to and/or draft Plan of Actions and Milestones (POA&Ms) to support the Project Management Plan, WBS, the SEMP, and required technical process areas specific to each project. e. Prepare and update the project schedule / Integrated Master Schedule. The project schedule shall include "stop light" indicators indicating activity status as defined in the TDL f. Provide Stakeholder Management, develop Stakeholder Register and ensure communications objectives are planned and met g. 
Reviews and prepares engineering and technical analysis, reports, change proposals, and other technical documentation. h. Apply engineering experience to perform functions such as configuration management, quality assurance testing, and acquisition and resource management. i. Analyze project cost and schedule performance and determine the effect of current performance on overall program schedule and resource requirements for review by government personnel. j. Analyze program acquisition strategies and determine the cost benefit(s), if any, of integrating acquisition requirements for review by government personnel. k. Translate technical requirements and program constraints into inputs for acquisition documentation. l. Maintain contract deliverable status to ensure that their receipt or non-receipt is integrated into related schedule information. m. Generate and produce presentation materials (including slides, diagrams and other briefing materials) to support program/project requirements. n. Attend meetings/conferences with government personnel to gather information to support program/project requirements as requested. Track and report on action items resulting from, but not limited to meetings, training, and to other activity requests. (CDRL A203, A204, A205, A206, A207) 5.2.3 Subtask 3 - Technical Management Process Support Provide Technical Management Process support service in accordance with the DOD Acquisition Life Cycle, including: a. Develop and update as required by phase, a Systems Engineering Management Plan (SEMP) specific to each project. b. Develop and update as required by phase, a Test and Evaluations Master Plan (TEMP) specific to each project. c. 
Risk Management in accordance with guidance provided in the "Risk Management Guide For DoD Acquisition Fifth Edition, Version 2.0" (1) Provide support for Systems Engineering Project Risk Management, create and maintain risks in RiskExchange, provide bi-weekly status briefs for all risks (2) Release and Transition Management, including planning, scheduling, and controlling the transition of releases to test and live environments, ensuring the integrity of the product baselines, the live environment and that the correct configuration items are released. d. Provide technical assessment to deliver real-time visibility into the project and demonstrate technical readiness e. Provide requirements management and maintain requirements baselines f. Provide configuration management and change control g. Provide Decision Analysis and Resolution h. Provide Interface Management, develop Interface Control Documents i. Provide Technical Data Management, manage Configuration Item and technical baselines, manage changes to new and existing baselines as defined in this PWS j. Provide Deployment and Transition planning and management (CDRL A208, A209, A210, A211, A212) 5.2.4 Subtask 4 - Earned Value Measurement and Tracking The contractor shall ensure that projects are measured and tracked to provide Earned Value Management (EVM) data. Project EVM shall be conducted at a level sufficient to report project earned value, CPI and SPI as defined in the TDL. Project EVM shall be reported monthly at the Engineering Project Review (EPR). Data Item Description (DID) DI-MGMT-81861 may be used, tailored with government concurrence. (CDRL A213) 5.2.5 Subtask 5 - Technical Measurement and Metrics The contractor shall ensure that project metrics are measured and tracked throughout the project life cycle as defined in the TDL. 
Areas where measurement and metrics should be monitored include: (1) Software Metrics (e.g., size, complexity, reuse, defects, productivity) (2) Hardware metrics (space, weight and power (SWaP), available RAM, storage) (3) Technical Staffing (labor hours by labor category per task) (4) Cost (5) Risk (6) Schedule (7) Quality (defects in products or project artifacts) (CDRL A214) 5.2.6 Subtask 6 - Travel 5.2.6.1 Travel Request The Contractor shall develop and deliver a trip request 15 business days prior to any travel. The travel request shall include detailed travel information on requirements, associated costs, objectives, purpose, summary of activities, and individuals traveling. (CDRL A215) 5.2.6.2 Trip Report The Contractor shall develop and deliver a trip report within 5 business days after the conclusion of all travel in support of project efforts, containing the detailed travel information and accomplishments. It shall contain sufficient detail of the travel information including: • Dates • Purpose • Location • Dates at Site • Personnel Contacted • Summary • Chronology of Events • Observations • Deliverables Left • Training Provided • Software Performance & metrics • Action Items • Conclusion • Recommendations (CDRL A216) 5.2.7 Subtask 7 - Project Management Deliverables All deliverables shall be provided electronically, in a Microsoft (MS) Office commercially available product format unless otherwise defined. 
Task | Deliverable | Distribution | CDRL
5.2.1 | Project Management Review (Minutes) | COR/ACOR/TPOC | A201
5.2.1 | Project Management Review (Minutes) | COR/ACOR/TPOC | A202
5.2.2 | Work Breakdown Structure (WBS) | COR/ACOR/TPOC | A203
5.2.2 | Project Management Plan (PMP) | COR/ACOR/TPOC | A204
5.2.2 | Plan of Actions and Milestones (POA&M) | COR/ACOR/TPOC | A205
5.2.2 | Project Schedule | COR/ACOR/TPOC | A206
5.2.2 | Stakeholder Register | COR/ACOR/TPOC | A207
5.2.3 | Systems Engineering Management Plan (SEMP) | COR/ACOR/TPOC | A208
5.2.3 | Test and Evaluations Master Plan (TEMP) | COR/ACOR/TPOC | A209
5.2.3 | Interface Control | COR/ACOR/TPOC | A210
5.2.4 | Deployment and Transition Planning | COR/ACOR/TPOC | A211
5.2.4 | Deployment and Transition Planning | COR/ACOR/TPOC | A212
5.2.4 | Earned Value Measurement and Tracking | COR/ACOR/TPOC | A213
5.2.5 | Technical Measurement and Metrics | COR/ACOR/TPOC | A214
5.2.6.1 | Travel Request | COR/ACOR/TPOC | A215
5.2.6.2 | Trip Report | COR/ACOR/TPOC | A216

5.3 Task 3 - Systems & Software Engineering Support Services The contractor shall provide technical and engineering support services to ensure the development, integration, deployment and sustainment of new systems, software and capabilities, the development of modifications to systems and equipment, and correction of deficiencies in systems and equipment. The contractor shall provide systems and software engineering support services compliant with all DoD/DoN mandates and instructions. Paragraphs in this section describe the scope of engineering services to be performed under this contract. Although the task order shall be self-initiating, the contractor shall be given additional technical direction or clarification to accomplish work as specified through issuance of Technical Direction Letters (TDLs). Services provided shall be in support of Military Sealift Command (MSC), N6 Command, Control, Communication and Computer Systems (C4S). 
Services shall be performed at the contractor's facilities, at government facilities and laboratories, and aboard MSC ships. 5.3.1 Subtask 1 - Engineering Studies and Analysis Services The Contractor shall perform engineering studies and analysis for requirements definition, operations concept definition, systems engineering decisions, trade studies, analysis of alternatives, and system definition in support of efforts in the formulation, implementation, and/or operations phases. Tasks cover a broad range of mission and system development domain areas. (CDRL A301) 5.3.2 Subtask 2 - Requirements Development Engineering Services The contractor shall provide requirements engineering support services to ensure the correct and accurate development of new capabilities and modifications to existing systems and equipment, and correction of deficiencies in existing systems and equipment as defined in the TDL. Such efforts shall include examining existing requirements for establishing baselines for new systems and equipment, with the aim of defining how best to meet these requirements as well as evaluating existing systems and equipment for possible improvement. The contractor shall conduct technical studies and evaluations to determine the cost and feasibility of implementing systems engineering concepts. Successful completion of the requirements engineering and definition phase shall be determined by a completed Product Definition Review (PDR) and complete Technical Data Package (TDP) defining the functional baseline as defined in the TDL. All Requests for Action (RFAs) produced during the PDR will be closed. The contractor shall: a. Perform Requirements Analysis. b. Ensure all requirements specifications are DoDD 8500.1 / DoDI 8500.2 compliant c. Develop or update Operations Requirement Documents (ORD) and Capability Development Document (CDD) as required by the TDL d. Perform Functional Analysis and Allocation. e. Provide Analysis of Alternatives (AoA). f. 
Evaluate the adequacy of existing or developmental equipment and systems to meet current and future requirements with normal growth considered. g. Evaluate operability, reliability, and maintainability in intended environments. h. Assess interoperability with other systems. i. Coordinate with MSC C4S Program Management (N61) to ensure adequacy of requirement definition, including life cycle sustainment, and verification & validation of system effectiveness and suitability in the operating environment. j. Evaluate life cycle cost effectiveness k. Conduct technical evaluation and support services during system requirements development of MSC systems. These evaluations shall include: (1) Documenting specific evaluation processes, results and an explanation of their implications. (2) Identifying system capabilities to meet design goals in an operational environment. This shall include identification of high-risk or low-performance areas, definition of alternate design methodologies, recommendation of design modifications, and evaluation of interoperability with existing and forthcoming systems. The contractor shall identify risks, alternatives, and modification recommendations. l. Review, evaluate, prepare, and revise system technical specifications at their inception. Prepare specifications for a variety of C4S equipment and systems. m. Prepare and revise a Requirements Traceability & Verification Matrix (RTVM) to support all phases of systems development and provide traceability to verification and validation n. Review, evaluate, prepare, and revise system test plan, processes and procedures o. Review, evaluate, prepare and update a system Life-Cycle Sustainment Plan (LCSP) p. Prepare and revise engineering and system drawings for C4S. Create detailed engineering diagrams to be used for guidance and information; prepare single line block diagrams, system interface block diagrams, systems wire run sheets, space arrangement drawings, and installation control drawings. 
(CDRL A302, A303, A304, A305, A306, A307, A308, A309, A310, A311, A312, A313, A314) 5.3.3 Subtask 3 - Design Engineering Services The contractor shall conduct system, subsystem and component design engineering on specific systems architecture and conduct system design engineering on new or existing systems undergoing improvement modifications with current and future system performance considered as defined in the TDL. Successful completion of the design phase shall be determined by a completed Solution Design Review (SDR) and complete Technical Data Package (TDP) defining the allocated baseline. All Requests for Action (RFAs) produced during the SDR will be closed. The contractor shall: a. Prepare and update system specifications applicable to new or existing systems or components. b. Ensure all design specifications are DoDD 8500.1 / DoDI 8500.2 compliant c. Review requirements and specification documentation to ascertain design goals and standards established during component or system concept formulation and initial product definition phases. d. Review and update final specifications for production units. e. Identify points of design inadequacy within the specified component or system for the desired application (e.g., response time, frequency coverage, etc.). f. Evaluate the component or system capability to meet design goals and standards in an operational environment and the capability to be interoperable with existing or forthcoming systems or components; identify high risk or performance shortfalls, to identify alternate design methodologies, and recommend design modifications. g. Participate with Government technical representatives in review meetings, engineering reviews, and conferences/presentations where subject matter expertise is required. h. Develop the System Design Specification, Software Design Specification, Hardware Design Specification and Interface Design Specification. i. 
Perform integration tests on improved or new/existing components and systems. Submit test reports, procedures and results. j. Designing and fabricating test aids for use in test and evaluation of systems or equipment, and providing definitions of design inadequacies. k. Prepare reports providing initial component or system evaluation results, possible design improvement alternatives with associated tradeoffs, and recommended approaches. Prepare updates to documentation packages including parts list and schematics. l. Perform system effectiveness studies to evaluate overall system effectiveness, reliability, maintainability, human engineering, and logistic supportability. m. Review systems engineering requirements and identify integration functions necessary to meet requirements. n. Review available equipment performance characteristics and identify suitable equipment required for integration. (CDRL A315, A317, A318, A319, A320, A321) 5.3.4 Subtask 4 - Implementation and Integration Support Services The contractor shall provide implementation and integration services to establish total systems and software capable of performing specific functions as defined in the TDL. Successful completion of the design phase shall be determined by a completed Test Readiness Review (TRR) and complete Technical Data Package (TDP) defining the product baseline. All Requests for Action (RFAs) produced during the TRR will be closed. The contractor shall: a. Support component installation, system integration, installation test and evaluation, in-service engineering, repair and validation, and lab upgrades and maintenance, b. Ensure all developed solutions are DoDD 8500.1 / DoDI 8500.2 compliant c. Support development tasking involving system design and feasibility evaluation, d. 
Support system design engineering, installation testing and evaluation of new or modified systems and equipment including the generation of requirements analysis, test plans, procedures, training outlines, operational evaluation, and recommendations. e. Review systems engineering requirements and identify integration functions necessary to meet requirements. f. Review available equipment performance characteristics and identify suitable equipment required for integration. g. Prepare System Implementation Plans, which describe how the information system will be deployed, installed and transitioned into an operational system. h. Prepare detailed installation design drawings and interface definitions. i. Accomplish integration and installation, including any necessary hardware and software integration testing and deficiency remediation. j. Install/remove systems and equipment onto/from the test site and/or the Fleet platform; property accountability and/or inventory information shall be maintained at all times, k. Develop and provide revisions to operator and technical manuals, develop production and checkout procedures, perform installation checkouts, and prepare reports of checkout results. Manuals include, but are not limited to, instructions for handling, transporting, installing, operating and maintaining systems. (CDRL A321, A322, A323, A324, A325) 5.3.4.1 Developmental Test and Evaluation Support Services The contractor shall provide systems Developmental Test (DT) and Verification and Validation engineering execution and support services to verify & validate systems and software as defined in the TDL. Successful completion of the design phase shall be determined by a completed Deployment Readiness Review (DRR) and delivery of the updated Product Baseline Technical Data Package (TDP) as required. All Requests for Action (RFAs) produced during the DRR will be closed. The contractor shall: a. 
Perform development and review of test plans and test procedures documentation in support of design, development, integration and acceptance testing, conduct testing, and produce report documentation b. Participate in the development of technical manuals, Quality Control Inspection Procedures (QCIPS), acceptance test procedures, planned maintenance system documentation 5.3.5 Subtask 5 - Limited Rate Initial Production (LRIP) Deployment Support Services The Contractor shall provide support for systems deployment and transition and life cycle sustainment. The Contractor shall be required to support and assist with Pre-Installation Test and Check-Out (PITCO) and Limited Rate Initial Production (LRIP) for new and upgraded systems, and assist in the seamless transition from RDT&E to the Production, Deployment and Operations and Support (PD&OS) phase of the System Life Cycle. The contractor shall: c. Perform development and review of test plans and test procedures documentation in support of design, development, integration and acceptance testing, conduct testing, and produce report documentation d. Prepare transition and rollback plans e. Participate in the development of technical manuals, Quality Control Inspection Procedures (QCIPS), Standard Operating Procedures (SOPs), acceptance test procedures, and planned maintenance system documentation f. Red-Line and update Standard Operating Procedures (SOPs), training materials, tech manuals and drawings. g. Build and conduct Pre-Installation and Test Check-Out (PITCO) of systems to be deployed during LRIP h. Support installation and validation of systems deployed during LRIP i. Update and maintain technical data package (TDP) Product Configuration Baselines for deployed systems during transition. 
(CDRL A321, A329, A330, A332, A323) 5.3.6 Subtask 6 - Operational Test and Evaluation (OT&E) Support Services Operational Test & Evaluation (OT&E) Support shall be required when a new/modified system or equipment is scheduled for installation on a platform as part of LRIP, a scheduled upgrade or for technical evaluation/operational test and evaluation purposes as defined in the TDL. The contractor shall provide test and evaluation support services for the monitoring and conducting of tests, evaluations, studies and the preparation of test plans for specified systems, subsystems or equipment. The contractor shall: a. Conduct a feasibility impact assessment, including description of equipment, preliminary installation drawings, and definition of support requirements. b. Assemble using existing Installation Control Drawings (ICDs) and develop ICDs where none exist. c. Prepare ICD, cable running sheets, arrangement drawings (plan and elevation), and detailed design drawings for any required fabrications. Prepare installation test and checkout plans for specified systems, subsystems or equipment. Provide test and evaluation support services for the monitoring and conducting of tests, evaluations, studies and the preparation of test plans for specified systems, subsystems or equipment. d. Prepare detailed test procedures for testing and evaluating the specified system, subsystem, or equipment. The contractor shall prepare test plans (including Total Ship Test Plans), to establish basic requirements for and relationships among first article tests, factory acceptance tests, system integration tests, installation tests, acceptance tests, technical evaluations, operational test and evaluations, and test outlines; and provide inputs to Test Bed Implementation Plans, Test and Evaluation Master Plans, and Test and Evaluation Plans. Test plans shall be developed per DoD-STD-2106. 
The test procedures shall define clearly the objectives of the test, the procedures that must be carried out by the test team to meet the objectives of the test, and the pass/fail criteria for the test, and equipment requirements. a. Test procedures documentation shall include the following: 1) Test title. 2) Test objectives. 3) Unit(s) to be tested. 4) Test equipment required. 5) Outside services required (if any). 6) Staffing required. 7) Test duration. 8) Number of times each test is to be performed. 9) Detailed test procedures and pass/fail criteria. b. The contractor shall conduct and support the test and evaluation of specified systems, subsystems, or equipment following approved test plans and procedures. Specifically, the contractor shall: 1) Install the system or equipment for U.S. Government testing at specified locations, afloat, or ashore. 2) Perform test at specified locations, afloat, or ashore. 3) Design and fabricate test aids for use in testing and evaluating the specified system or equipment at specified locations, afloat or ashore. 4) Plan and design test processes and procedures to test new or existing systems. 5) Develop techniques, design changes, or other strategies aimed at reducing maintenance failures, and prepare reports that include the T&E results of the tested system. (CDRL A209, A210, A314, A333, A321) 5.3.7 Subtask 7 - Engineering Lab Maintenance and Support Services The contractor shall maintain and upgrade the test, pre-production and production lab environments located at the MSC N6 Test & Evaluation (T&E) System Integration Laboratory, SP-312 Norfolk, Va., and other test sites as applicable. All test environments shall be kept in working order through preventive and corrective maintenance. Production environment will be maintained to reflect the latest systems configurations and shall be an exact shipboard replication. Specifically, the contractor shall: a. Assemble and maintain software library with change documentation b. 
Assemble and maintain image library with change documentation c. Provide configuration and change management support for the test, pre-production and production lab environments. d. Contractor shall develop operational procedures for all testing environments. e. Maintain a system failure log for each testing environment. f. Maintain a list of significant systems-related publications, associated engineering materials, and engineering network equipment. g. Service Validation and Testing (SV&T) Support Services Work on specific engineering projects will be initiated via a letter of technical direction from the TOM in accordance with Section 6.0 (a). (CDRL A321, A334, A335) 5.3.8 Subtask 8 - Training Support Services The contractor shall develop training materials such as maps, charts, slides, textbooks, handbooks, readers, and computer based training (CBT). The contractor shall develop and update training outlines and associated materials. The Government shall approve training outlines, which shall include information from technical manuals, standards, and other applicable references. (CDRL A336) 5.3.9 Subtask 9 - Engineering Logistics Support Services The contractor shall provide engineering logistics support for new and modified MSC IT systems and subsystems. The contractor shall provide engineering logistics, configuration management, and material control services in support of assigned systems and equipment. The contractor shall: a. Develop or review engineering elements of strategies for supporting system requirements considering geographic area of deployment, equipment requirements, supportability, equipment/system interoperability, equipment/material availability, procurement lead-times, inventory and stocking requirements. b. Provide design and feasibility analysis of proposed logistics elements for new, existing, and refurbished/modified systems and subsystems. 
(CDRL A337, A338) 5.3.10 Subtask 10 - Transportation Alteration (TRANSALT) Support Services The Contractor shall develop and submit a TRANSALT package, for each ship class, in accordance with MSC instruction and as defined in the TDL. The Contractor shall develop and provide a package containing the required documentation per the MSC TRANSALT Process Guide in support of TRANSALT approvals for LRIP platforms. (CDRL A339) 5.3.11 Subtask 11 - In-Service Engineering Support Services (ISEA) The contractor shall provide in-service engineering activity (ISEA) support for existing and/or newly developed systems and equipment. This effort includes, but is not limited to performance analyses, problem identification and solution development for MSC systems. The contractor shall: a. Perform operational and failure analyses to assess problems and develop solutions, including new designs to enhance performance when necessary. Maintain applicable documentation in the MSC Configuration Management Database (CMDB), b. Provide engineering support for interfaces among system components and between supported systems and other new or deployed systems. Identify and correct interface discrepancies between systems. Develop, review, propose revisions to, and validate documentation applicable to systems and equipment interface design changes, c. Provide technical support for on-site engineering investigations to evaluate performance of systems/equipment including critical examination of installation designs and physical layouts for reliability, ease of maintenance, and suitability. Review technical accuracy of all requisite technical documentation, d. Develop, review and revise Shipboard Automated Maintenance Management (SAMM) preventative maintenance documentation in accordance with MSC Processes, e. Provide updates to existing System Product Configuration Baselines in accordance with MSC Change and Configuration Management processes and procedures. 
(CDRL A340) 5.3.12 Subtask 12 - Software Systems Development, Implementation and Maintenance Services 5.3.12.1 Software Engineering The Contractor shall define a software development plan (SDP) appropriate for the computer software projects to be performed under this contract. In accordance with the framework defined in IEEE/EIA STD 12207.0 (series), the SDP shall define the processes, the activities, and the techniques and tools to be used to perform the tasks. Because the IEEE/EIA Std. 12207 does not prescribe how to accomplish the task, the Contractor must provide this detailed information so MSC can assess whether the Contractor's approach is viable. The Contractor shall follow this SDP for all computer software to be developed or maintained under this contract. The SDP may contain the information defined by IEEE/EIA Std. 12207.1, section 5.2.1 (generic content) and the Plans or Procedures in Table 1 of IEEE/EIA Std. 12207.1. In all cases, the level of detail shall be sufficient to define all software development processes, activities, and tasks to be conducted. Information provided must include, but is not limited to, specific standards, methods, tools, actions, strategies, and responsibilities associated with development and qualification. The Contractor shall maintain compatibility with the following software development tools: Microsoft Office, Borland Delphi, Java version 1.4, APACHE HTTP server version, APACHE Tomcat, JBoss EJB, Citrix Metaframe XP, Crystal Reports, Power Tools, ORACLE, SYBASE, Microsoft Outlook, ERWIN and Microsoft .NET. The Contractor shall provide Life Cycle Management (LCM) support during operational life of systems developed or maintained under this contract. The SDP shall define the Contractor's proposed life cycle model and the processes used as a part of that model. In this context, the term "life cycle model" is as defined in IEEE/EIA Std. 12207.0. 
The SDP shall describe the overall life cycle and shall include primary, supporting and organizational processes based on the work content of this contract. The Contractor shall provide LCM end-of-life system support during retirement of systems developed or maintained under this contract. The SDP may also contain the following activities in addition to those defined in IEEE/EIA STD 12207.0 (as amended): a. Software modeling support. MSC currently uses Unified Modeling Language (UML) to document Engineering and Logistics Government web applications. b. Track and provide software code error remediation where required c. Facilitate system installation which may include but is not limited to: 1) Quality Assurance system installation instructions and scripts 2) Quality Assurance system test instructions and scripts 3) Shoreside system installation instructions and scripts 4) Shipboard system installation instructions and scripts 5) Software Defect Reports 6) Software User's Manual (SUM) d. Provide all necessary equipment, hardware, software, training, and training documentation needed to perform initial training of MSC operations staff. e. Provide a Software Version Description (SVD) describing each software version consisting of one or more Computer Software Configuration Items (CSCIs). The SVD is used to release, control and track software versions. (CDRL A341, A342, A343, A345, A352, A353) 5.3.12.1.1 MSC Data Replication Support The Contractor shall provide support for the maintenance of MSC's existing database replication architecture. The support efforts required may include but are not limited to the following: a. Provide a database design and deployment plan for database structure changes b. Review proposed changes to the infrastructure and methodology of transmitting replication data for impact on the performance of the replicating environment. c. Test and report on the effects of database structure changes to MSC's database replication environment. d. 
Develop Standard Operating Procedures (SOPs) to minimize problems with database replication operations. e. Assist with management of MSC's database replication operations. f. Provide reports on the status of data replication between remote and consolidated sites. 5.3.12.1.2 Post Production Software Support (PPSS) Services The contractor shall provide Post Production Software Support (PPSS) to perform software maintenance for existing software applications as defined by the TDL and in support of the MSC N6 Enterprise. PPSS is a key software support concept that includes the activities necessary to ensure that Systems Engineering and sustainment principles, processes and practices are applied to software throughout the lifecycle. Software maintenance activities will include Corrective, Adaptive, Perfective and Preventative maintenance. The contractor shall: a. Develop a Software Support Requirements Analysis (SSRA) document(s) to identify all required software configuration items and define the Software Support resources and costs to include the labor, material, and overhead costs for each application, b. Develop/Update a Computer Resource Lifecycle Plan (CRLCMP) that describes the total software support strategy to include the development, acquisition, test and support plans over the life cycle of computer resources and applications that are integral to or are used in direct support of MSC systems, c. Provide a Software Support Activity (SSA) with resources required to deliver ongoing software maintenance as determined by the SSRA and CRLCMP and sufficient to meet program and software security objectives. (CDRL A354, A355, A356) 5.3.12.2 Software Assurance and Security Engineering Practices In coordination with the Government, the contractor shall design, develop and implement secure applications and configurations through applying applicable DoD STIGs, checklists, vendor security guidance, industry best practices, and applicable vendor product security patches. 
The contractor shall ensure applications are in compliance with DoDI 8500.2, IA Implementation (current version) and DoDI 8551.1, Ports, Protocols, and Services Management (current version). The contractor shall leverage, to the maximum extent possible, automated tools to identify and remediate vulnerabilities or weaknesses in the application design/coding, such as those described in Common Weakness Enumeration/System Administration, Networking, and Security Institute (CWE/SANS) TOP 25 Most Dangerous Programming Errors and Open Web Application Security Project (OWASP) Top Ten, that could be exploited by unauthorized sources. The Information System Security Engineer shall participate in Government and contractor formal and informal design reviews to identify potential security weaknesses, deficiencies, and/or vulnerabilities in the design. The Information System Security Engineer shall also ensure appropriate security requirements are included as part of the requirements traceability matrix and are evaluated as part of the security test and evaluation (ST&E). As part of the contractor's change control process, the contractor shall ensure participation by the Information System Security Engineer (ISSE) or a qualified IA representative to evaluate the impact of each change on security. The contractor shall document the results of this evaluation. 5.3.12.2.1 Software Source Code Scanning The contractor shall perform required base-lined source scanning IAW the SDDC IA policies prior to release to the Government. The Government will provide software security vulnerability scanning and testing tools for the life-cycle development process. The contractor shall use Fortify as the tool which is currently used by the Enterprise. Deliverable: Code scans due prior to code release to CTE environment and within 30 days of a new rule pack release. 
5.3.12.2.2 Software Tracking Security Issues The contractor shall track all security issues uncovered during the entire software lifecycle. The risk associated with each security issue shall be evaluated, documented, and reported to the Government as soon as possible. Once discovered, the contractor shall include the risk along with a risk mitigation course of action (COA) to include a COA recommendation, as part of the QSR. 5.3.12.2.3 Non-Secure Software If the Government determines, after a security audit (e.g., ST&E) that software delivered under this contract is non-secure, the Government will provide written notice to the contractor concerning each non-conformity. Software shall be "non-secure" under contract if it contains a programming error listed on the current-approved version of the CWE/SANS TOP 25 (which can be located at http://www.sans.org/top25-programming-errors) or a web application security flaw listed on the current-approved version of the OWASP Top Ten (which can be located at http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). The contractor shall have 30 days after receipt of such notice (Remedy Period) to remedy each non-conformity by modifying/replacing and redelivering the software to the Government; or shall notify the Government within 15 days as to why the remedy cannot be implemented in 30 days, and propose a timeline for correction. If the Government determines, after a security audit following a Remedy Period, that the redelivered software is non-secure, and thus non-conforming, the Government may reject the delivery, provide notice of the non-conformance, and document the contractor's performance record. Alternatively, the Government may accept non-conforming software, receive appropriate consideration (equitable price reduction on a fixed price contract, reimbursement for costs of security audit, reimbursement for costs to correct the non-compliances, etc.), and document the contractor's performance record. 
5.3.12.3 Delivery of the Secure Application The contractor shall provide successful installation and implementation of Enterprise software on the Government-owned environments. The Government centralized software installation/implementation team will perform code scans, builds and installation of the code into the Government-owned environments. The contractor shall provide assistance to this team during the verification and build process. The contractor shall use a master build process that reliably builds a complete distribution from source. The contractor's process shall include a method for verifying the integrity of the software delivered to the Government by using digitally signed and encrypted media. For all deliveries, the contractor shall provide all source code, installation kits, documentation (including those related to architecture, test design, and testing results, and installation procedures), and build procedures and scripts delivered to or maintained for the Government. 5.3.12.4 Software Malicious Code Warranty The contractor represents and warrants that the software shall be free from all computer viruses, worms, time-outs, time bombs, back doors, disabling devices and other harmful or malicious code intended to or which may damage, disrupt, inconvenience or permit access to the software user's or another's software, hardware, networks, data or information. 5.3.12.5 Source Code Configuration Control (Versioning) The contractor shall utilize a strict version control process for software development and provide two copies of source code for all software versions developed under this contract. The source code will be provided on optical removable media (burned for read-only) or another mutually agreed type of media. 5.3.12.6 Common Development Environment (CDE) (Reserved Task) The Government has future plans to establish an isolated CDE and facility for all software development to complement the Government's integration and testing environment. 
Therefore, once this becomes available, the contractor shall assist the Government in transferring all software development operations to this environment. After transition, the contractor shall conduct all software development entirely from within this consolidated Government common development environment. The contractor shall access remotely from their facilities through a Government-approved method, i.e. Virtual Machine-Ware Client. Upon completion of transfer and establishment of operational status of the Government's environment, the contractor shall cease development activities within their environment and remove all sensitive Government materials and information (data), and provide them to the Government for disposition. In the Government development environment, the programs will be provided basic Virtual Machines or Solaris Zones that have been locked down IAW DISA STIGs and fully patched. The contractor shall maintain the servers in a fully patched state. The Contractor will be supplied with source code or licenses, as needed, for all Government supplied software. The Government will provide the contractor use of a dedicated computer. The contractor shall use Government-furnished equipment (GFE) or a Government-compliant dedicated computer for remote access to the development environment. The contractor's GFE computer shall not be used for other general-purpose computing or non-development activities such as e-mail and web browsing, or used to access any network, other than the contractor's development environment, including the contractor's corporate network and the internet. The CDE shall be physically and logically isolated from other networks, to include its Enterprise unclassified network. 
Security guidelines for the environment must be documented and the security program implemented shall address the security controls described in NIST Special Publication 800-53 (current version), Recommended Security Controls for Federal Information Systems and Organizations (http://csrc.nist.gov/publications/PubsSPs.html). 5.3.12.7 Software Configuration Item (CI) Archiving The contractor shall maintain source code, design artifacts and other materials as required by the Government within the common development environment. (CDRL A357, A358, A359, A360, A361) 5.3.13 Subtask 13 - Enterprise Project Management (EPM) Process Engineering Support Services The contractor shall, as required, provide process engineering in support of MSC N6's Enterprise Project Management (EPM) process framework. This shall include process requirements analysis, design & development, and produce documentation and training materials necessary to ensure that process solutions are integrated seamlessly within MSC's EPM process framework. Information on the MSC N6 EPM Process is provided in Attachments J-010. Process Engineering activities include: a. Producing process requirements b. Producing the basis of design c. Producing process diagrams d. Writing the process description & procedure e. Developing process training materials (CDRL A362) 5.3.14 Subtask 14 - Systems & Software Engineering Deliverables: All deliverables shall be provided electronically, in a Microsoft (MS) Office commercially available product format unless otherwise defined. 
Task | Deliverable | Distribution | CDRL
5.3.1 | Engineering Studies and Analysis Report/Paper | COR/ACOR/TPOC | A301
5.3.2 | Product Definition Review (PDR) | COR/ACOR/TPOC | A302
5.3.2 | Technical Data Package (TDP) - Functional Baseline | COR/ACOR/TPOC | A303
5.3.2 | Operational Requirements Document (ORD) | COR/ACOR/TPOC | A304
5.3.2 | Capability Development Document (CDD) | COR/ACOR/TPOC | A305
5.3.2 | Architecture Specification | COR/ACOR/TPOC | A306
5.3.2 | Systems/Subsystem Specification (SSS) | COR/ACOR/TPOC | A307
5.3.2 | Software Requirements Specification (SRS) | COR/ACOR/TPOC | A308
5.3.2 | Interface Requirements Specification (IRS) | COR/ACOR/TPOC | A309
5.3.2 | Analysis of Alternatives (AoA) | COR/ACOR/TPOC | A310
5.3.2 | System Test Plan (STP) | COR/ACOR/TPOC | A311
5.3.2 | Requirements Traceability & Verification Matrix (RTVM) | COR/ACOR/TPOC | A312
5.3.2 | Life-Cycle Sustainment Plan (LCSP) | COR/ACOR/TPOC | A313
5.3.2 | Engineering System & Technical Drawings | COR/ACOR/TPOC | A314
5.3.3 | Solution Design Review (SDR) | COR/ACOR/TPOC | A315
5.3.3 | Systems/Subsystem Design Description (SSDD) | COR/ACOR/TPOC | A317
5.3.3 | Software Design Description (SDD) | COR/ACOR/TPOC | A318
5.3.3 | Interface Design Description (IDD) | COR/ACOR/TPOC | A319
5.3.3 | Database Design Description (DBDD) | COR/ACOR/TPOC | A320
5.3.3 | Test Report | COR/ACOR/TPOC | A321
5.3.4 | Test Readiness Review (TRR) | COR/ACOR/TPOC | A322
5.3.4 | Product Baseline Technical Data Package | COR/ACOR/TPOC | A323
5.3.4 | System Implementation Plan | COR/ACOR/TPOC | A324
5.3.4 | Technical Manuals | COR/ACOR/TPOC | A325
5.3.5 | Transition Plan | COR/ACOR/TPOC | A329
5.3.5 | Rollback Plan | COR/ACOR/TPOC | A330
5.3.5 | Standard Operating Procedures | COR/ACOR/TPOC | A332
5.3.7 | Failure Logs | COR/ACOR/TPOC | A335
5.3.8 | Training Materials | COR/ACOR/TPOC | A336
5.3.9 | Logistics Support Analysis Plan | COR/ACOR/TPOC | A337
5.3.9 | Life Cycle Sustainment Plan (LCSP) | COR/ACOR/TPOC | A338
5.3.10 | Transalt Package | COR/ACOR/TPOC | A339
5.3.11 | ISEA SOPs | COR/ACOR/TPOC | A340
5.3.12.1 | Software Development Plan (SDP) | COR/ACOR/TPOC | A341
5.3.12.1 | Software Quality Assurance Plan (SQAP) | COR/ACOR/TPOC | A342
5.3.12.1 | Software Quality Assurance Report (SQAR) | COR/ACOR/TPOC | A343
5.3.12.1 | Software Test Plan (STP) | COR/ACOR/TPOC | A345
5.3.12.1 | Software Defect Reports | COR/ACOR/TPOC | A352
5.3.12.1 | Software Version Description (SVD) | COR/ACOR/TPOC | A353
5.3.12.1 | Software User's Manual (SUM) | COR/ACOR/TPOC | A354
5.3.12.1 | Software Support Requirements Analysis (SSRA) | COR/ACOR/TPOC | A355
5.3.12.1 | Computer Resource Lifecycle Management Plan (CRLCMP) | COR/ACOR/TPOC | A356
5.3.12.1 | Software Support Activity (SSA) Support Plan | COR/ACOR/TPOC | A357
5.3.12.2 | Vulnerability Scan Compliance (VSC) Report | COR/ACOR/TPOC | A358
5.3.12.2 | Software Security Issue Log | COR/ACOR/TPOC | A359
5.3.12.2 | Software Source Code | COR/ACOR/TPOC | A360
5.3.12.2 | Software Application End Item | COR/ACOR/TPOC | A361
5.3.13 | EPM Process | COR/ACOR/TPOC | A362
5.4 Task 4 - IT Service Management (ITSM) Support 5.4.1 Subtask 1 - Service Validation and Testing (SV&T) Support Services The contractor shall: a. Conduct Systems Integration Testing of changes to the MSC capabilities for the ashore and afloat environments. b. Prepare Systems Test Plans (STP), describing the test scripts to be performed in the Validation Testing for each new or revised system. c. Perform system validation and verification testing on an as-required basis. d. Document systems integration testing issues and findings and present the results to the MSC Functional Sponsor, MSC N6 Project Managers, and all other stakeholders. e. Prepare System Test Reports (STR), documenting the results of testing, recommended action and any process improvements. f. Participate, critique, and comment on all requirement reviews and design reviews as required. The extent of the reviews is dependent on the complexity of the system involved, availability of documentation, resource availability, time constraints, MSC priorities, etc. g. Coordinate all systems integration testing resources and resolve any schedule conflicts with the MSC N6 ITSM Manager. 
The systems integration testing shall be closely coordinated with the Systems Engineering Project Manager, N6. (CDRL A401, A402, A403)

5.4.2 Subtask 2 - Service Asset and Configuration Management (SACM) Support Services
The contractor shall provide SACM processes and procedures to support MSC C4S services. The contractor shall:
a. Identify all assets and configuration items including hardware devices, operating systems, COTS and GOTS software packages, configurations, and maintenance schedules and their relationship.
b. Provide guidance for MSC personnel on SACM policies, procedures, and tools.
c. Perform service asset, configuration management and life-cycle management for Enterprise software and hardware.
d. Perform MSC Configuration Management Library Function.
e. Work with MSC to continually improve enterprise processes and promote compliance with industry best practices such as International Standards Organization (ISO) standards and Information Technology Infrastructure Library (ITIL).
f. Support Department of the Navy Application and Database Management System (DADMS) so that MSC is compliant with Navy Policy regarding registration of DoN IT systems, applications and databases Attachment J-011.
g. Produce an integrated, documented, holistic process to ensure 100% DADMS compliance for MSC.
h. Integrate the DADMS compliance function with other MSC configuration management (CM) services including the asset management database and configuration management library.
(CDRL A404, A405)

5.4.3 Subtask 3 - Quality Management System (QMS) Support Services
The contractor shall perform:
a. Service Review: Review business services and infrastructure services on a regular basis. The aim of this process is to improve service quality where necessary, and to identify more economical ways of providing a service where possible. Conduct Quality Management Reviews of QMS Procedures and documents for accuracy, relevance and completeness.
b. Process Evaluation: Evaluate processes and procedures on a regular basis. This includes identifying areas where the targeted process metrics are not reached, and holding regular benchmarkings, audits, maturity assessments and reviews.
c. Definition of CSI Initiatives: Define specific initiatives aimed at improving services and processes, based on the results of service reviews and process evaluations. The resulting initiatives are either internal initiatives pursued by the service provider on his own behalf, or initiatives which require the customer's cooperation.
d. Monitoring of CSI Initiatives: Verify if improvement initiatives are proceeding according to plan, and introduce corrective measures where necessary.
(CDRL A406, A407, A408)

5.4.4 Subtask 4 - Change Management
The contractor shall manage day-to-day activities related to Change Management in accordance with the ISTM change management process (Attachment J-012). The contractor shall:
(a) Conduct Change Request (CRQ) Management activities, including validating CRQs.
(b) Facilitate entry and management of Change Requests (CRQs) in the Change Management tool.
(c) Facilitate the Change Advisory Board (CAB) as per the defined policies.
(d) Prepare and maintain minutes in conjunction with the Change Advisory Board (CAB) policies.
(e) Develop and maintain Change Management processes and policies.
(CDRL A409, A410, A411, A412)

5.4.5 Subtask 5 - ITSM Deliverables:
All deliverables shall be provided electronically, in a Microsoft (MS) Office commercially available product format unless otherwise defined.
Task | Deliverable | Distribution | CDRL
5.4.1 | SV&T Status Report | COR/ACOR/TPOC | A401
5.4.1 | Release Component Acceptance Test (RCAT) Plan | COR/ACOR/TPOC | A402
5.4.1 | Release Component Acceptance Test (RCAT) Report | COR/ACOR/TPOC | A403
5.4.2 | IT Asset Report | COR/ACOR/TPOC | A404
5.4.2 | Asset Inventory | COR/ACOR/TPOC | A405
5.4.3 | QMS Status Report | COR/ACOR/TPOC | A406
5.4.3 | Service Design Package (SDP) | COR/ACOR/TPOC | A407
5.4.3 | Design Document | COR/ACOR/TPOC | A408
5.4.4 | Change Request (CRQ) Open Close Report | COR/ACOR/TPOC | A409
5.4.4 | Technical Review Board (TRB) Meeting Status Report | COR/ACOR/TPOC | A410
5.4.4 | Change Advisory Board (CAB) Meeting Status Report | COR/ACOR/TPOC | A411
5.4.4 | Change Management Dashboard | COR/ACOR/TPOC | A412

5.5 Task 5 - Enterprise Architecture (EA) Support

5.5.1 Subtask 1 - EA Content
MSC requires a contractor that is familiar with and can perform the functions involved in Enterprise Architecture (EA). MSC defines these functions as: EA Development, EA Maintenance, EA Change Management, and EA Repository Maintenance.

5.5.1.1 MSC EA Development
IAW the Clinger-Cohen Act, the Office of Management and Budget (OMB) and the policies of the Government Accountability Office (GAO), the contractor shall develop the MSC Enterprise Architecture (includes a business architecture, application architecture, data architecture, and technology architecture), grouped and prioritized into segment architectures IAW OMB EA Assessment Framework 3.1. This includes but is not limited to developing the artifacts needed to successfully implement MSC's EA and guide information technology investment management. (CDRL A501, A502, A503, A504, A505, A506, A507, A508, A509)

5.5.1.2 MSC EA Maintenance
The contractor shall maintain, which includes modifying and updating, the products produced during the EA Development phase.
5.5.1.3 EA Change Management
The contractor shall support development of an EA Change Management Plan and conduct the process used to manage changes to EA artifacts and the repository. (CDRL A510)

5.5.1.4 MSC EA Repository Maintenance
The contractor shall consolidate, store, quality control, audit, purge, maintain and publish the EA repository which includes all EA data and documentation. (CDRL A511)

5.5.2 Subtask 2 - EA Analysis and Planning
Analysis and Planning is a vital part of proper EA support and shall be incorporated by the contractor into the required effort. EA Analysis and Planning includes but is not limited to Enterprise Transition Planning, EA Assurance, EA Compliance, EA Program Planning and EA Project Management.

5.5.2.1 Enterprise Transition Planning
The contractor shall support these efforts by assisting in the development and maintenance of the MSC Enterprise IT Transition Plan which is the overall plan for transitioning to MSC's "to-be" architectures. This support includes conducting/closing gap analyses, identifying duplication and opportunities for consolidation, recommending courses of action, and developing Analysis of Alternatives (AoA) or Business Case Analysis (BCA) needed to support recommendations. Additionally, the contractor shall review changes to Department of Defense (DoD), Department of the Navy (DON), and United States Transportation Command (USTRANSCOM) EA policy, strategy, and guidance for incorporation into the MSC Enterprise IT Transition Plan. (CDRL A512, A513, A514, A515, A516, A517)

5.5.2.2 EA Assurance Support
The contractor shall assess MSC IT projects for architectural impact and compliance with the EA. Additionally, the contractor shall review AoAs and BCAs presented during the course of a project to determine the viability of functionality, costs, savings, and conformance to standards.
(CDRL A518, A519, A520, A521)

5.5.2.3 EA Compliance Support
The contractor shall annually assess MSC systems and networks registered in DITPR-DON for compliance with the Department of the Navy Enterprise Architecture (DON EA) in accordance with DON EA Compliance Assessment Process Guidance, while also assessing those that are registered and designated as business systems for compliance with the DoD Business Enterprise Architecture (BEA). (CDRL A522, A523)

5.5.2.4 EA Program Planning Support
The contractor shall develop EA program planning artifacts such as communications plans, maturity assessments, process design documents, and QMS Procedures Manuals IAW the MSC Quality Management System (QMS). (CDRL A524, A525, A526, A527)

5.5.2.5 EA Project Management
The contractor shall develop and maintain all aspects of assigned architecture projects (planning to delivery). This includes but is not limited to developing work plans, schedules, project estimates, resource plans, and status reports. Conduct project meetings, track due dates, and support project briefings. (CDRL A528, A529)

5.5.3 EA Training and Communications
In order to provide MSC stakeholders with knowledge and understanding of enterprise architecture concepts and principles needed to advance EA maturity in the organization, IAW the GAO EA Management Maturity Framework version 2.0, section 2, as well as status of EA efforts, MSC requires support in providing EA Training and EA Communications to internal and external stakeholders.

5.5.3.1 EA Training
The contractor shall be responsible for providing and where necessary developing EA training classes and the instructional/reference materials required to support the training. The instructional and reference materials shall provide instructional and training solutions in support of business processes and supporting technology principles.
(CDRL A530, A531)

5.5.3.2 EA Assistance and Consultations
The contractor shall provide EA guidance, support, and coordination to stakeholders and IT project teams.

5.5.3.3 EA Program Communications
The contractor shall provide communications/documentation IAW the delivery schedule established in CDRL A524. (CDRL A532, A533, A534)

5.5.4 Subtask 4 - EA/TA Deliverables:
All deliverables shall be provided electronically, in a Microsoft (MS) Office commercially available product format unless otherwise defined.

Task | Deliverable | Distribution | CDRL
5.5.1.1 | EA Artifact | COR/ACOR/EA Mgr | A501
5.5.1.1 | Baseline Architecture | COR/ACOR/EA Mgr | A502
5.5.1.1 | Target Architecture | COR/ACOR/EA Mgr | A503
5.5.1.1 | Business Architecture | COR/ACOR/EA Mgr | A504
5.5.1.1 | Application Architecture | COR/ACOR/EA Mgr | A505
5.5.1.1 | Data Architecture | COR/ACOR/EA Mgr | A506
5.5.1.1 | Technology Architecture | COR/ACOR/EA Mgr | A507
5.5.1.1 | Security Architecture | COR/ACOR/EA Mgr | A508
5.5.1.1 | Segment Architecture | COR/ACOR/EA Mgr | A509
5.5.1.3 | EA Change Management Plan | COR/ACOR/EA Mgr | A510
5.5.1.4 | Repository (EA) | COR/ACOR/EA Mgr | A511
5.5.2.1 | MSC Enterprise IT Transition Plan | COR/ACOR/EA Mgr | A512
5.5.2.1 | Gap Analysis | COR/ACOR/EA Mgr | A513
5.5.2.1 | IT Program Transition Plan Review | COR/ACOR/EA Mgr | A514
5.5.2.1 | Analysis of Alternatives (AoA) | COR/ACOR/EA Mgr | A515
5.5.2.1 | Business Case Analysis (BCA) | COR/ACOR/EA Mgr | A516
5.5.2.1 | DoD/DON/USTRANSCOM Policy, Strategy, and Guidance Review | COR/ACOR/EA Mgr | A517
5.5.2.2 | AoA Review | COR/ACOR/EA Mgr | A518
5.5.2.2 | BCA Review | COR/ACOR/EA Mgr | A519
5.5.2.2 | Project EA Assessment | COR/ACOR/EA Mgr | A520
5.5.2.2 | EA Plan | COR/ACOR/EA Mgr | A521
5.5.2.3 | DON EA Compliance Assessment | COR/ACOR/EA Mgr | A522
5.5.2.3 | BEA Compliance Assessment | COR/ACOR/EA Mgr | A523
5.5.2.4 | Communications Plan | COR/ACOR/EA Mgr | A524
5.5.2.4 | Maturity Assessment | COR/ACOR/EA Mgr | A525
5.5.2.4 | Process Description Document | COR/ACOR/EA Mgr | A526
5.5.2.4 | QMS Procedures Manual | COR/ACOR/EA Mgr | A527
5.5.2.5 | Project Plan | COR/ACOR/EA Mgr | A528
5.5.2.5 | Project Status Report | COR/ACOR/EA Mgr | A529
5.5.3.1 | EA Training Class | COR/ACOR/EA Mgr | A530
5.5.3.1 | EA Instructional and Reference Materials | COR/ACOR/EA Mgr | A531
5.5.3.3 | Items of Interest Report | COR/ACOR/EA Mgr | A532
5.5.3.3 | Meeting Agenda | COR/ACOR/EA Mgr | A533
5.5.3.3 | Meeting Minutes | COR/ACOR/EA Mgr | A534

5.6 Task 6 - Information Assurance (IA) Support

5.6.1 Subtask 1 - Requirements for Contractor Provision of Security Plan, IA Controls.
The contractor shall establish an IA Program to implement and sustain appropriate IA management, operation, and technical controls and processes required to safeguard DoD non-public information resident on or transiting the contractor's unclassified information systems from unauthorized access and disclosure. Protection measures applied must be commensurate with the risks (i.e., consequences and their probability) of loss, misuse, unauthorized access, or modification of information. The contractor shall submit for Government approval an overarching security plan that describes their strategy for implementation of IA and Industrial Security requirements throughout the life of the contract. The security plan shall address the security controls described in National Institute of Standards and Technology (NIST) Special Publication 800-53 (current version), Recommended Security Controls for Federal Information Systems and Organizations (http://csrc.mist.gov/publications/PubsSPs.html), and should be tailored in scope and depth appropriate to the effort and the specific unclassified DoD information. The contractor shall submit an updated security plan as changes are made to the environment that may affect the security posture.
(CDRL A601)

5.6.2 Subtask 2 - Accreditation Sustainment
The contractor shall provide program specific input for the development of new application security documentation and the updating of existing application security documentation to facilitate the security accreditation of the system IAW the current C&A guidance (current guidance is DoD Instruction (DoDI) 8510.01 DoD IA C&A Process (DIACAP) - will be migrating to NIST Risk Management Framework model). The contractor shall sustain the application and its environment in compliance with the DISA STIGs. The results of the DISA STIG documentation shall reflect the current status of the system; contractor shall provide monthly updates. The contractor shall provide updates to existing C&A documentation, such as network diagrams, ports and protocol matrix, application certification package created during release cycle, and other existing documentation. This documentation is required when changes are made that may affect the security posture of the application environment. The contractor shall provide a monthly update, NLT the last business day of the month to the Government PMO for the application's DIACAP Plan of Action and Milestones (POA&M). POA&Ms are maintained within the Enterprise Mission Assurance Support Service by the Government. (CDRL A602)

5.6.3 Subtask 3 - Periodic Government Inspections
The contractor shall authorize Government inspections and reviews to assure compliance with DoD IA requirements throughout the contract performance period. The contractor shall be responsible for taking corrective action based upon the impact and severity of identified weaknesses.

5.6.4 Subtask 4 - Remote Access
Contractor-furnished Equipment (CFE) employed for remote access to a Government network must meet equivalent Government-furnished equipment IA computing requirements.
The contractor shall ensure that all CFE (hardware and software) employed to access these environments meet the following minimum Government IA requirements and provide periodic certification of compliance as a pre-requisite to being granted network access.
• Use of personal systems is prohibited
• Operating systems and applications must be configured for compliance with the DISA Gold Disk and applicable STIGs
• DoD-approved anti-virus and anti-spyware software must be installed and signatures must be configured to automatically update on a daily basis
• DoD-approved personal firewall must be utilized and configured to permit traffic by exception only, dropping all other traffic. If the personal firewall provides intrusion detection or prevention, the signatures or rules must be updated at the same intervals as the anti-virus software
• Computers must be IA Vulnerability Management compliant
• Computers must be scanned with the DoD version of E-eye Retina vulnerability scanner (or current approved DoD scanner solution) at a minimum of every 30 days. All vulnerabilities must be remediated and reported to the cognizant IA Manager
• Contractor employees must possess a current Government-issued Common Access Card (CAC) and install Government-certified CAC readers
• Verification of compliance with these requirements must be provided to an appointed Government representative (COR/ACOR) on a monthly basis.
(CDRL A603)

5.6.5 Subtask 5 - Detect, Analyze, Respond

5.6.5.1 Reporting Requirements
The contractor shall report to the Military Sealift Command (MSC) designated Government personnel within 4 hours of discovery of any suspected cyber intrusion events that affect DoD information resident on or transiting the contractor's unclassified information systems. Initial report shall be provided even if some details are not yet available, with follow-on detailed reporting within 24 hours.
Reportable cyber intrusion events include the following:
• A cyber intrusion event appearing to be an advanced persistent threat
• A cyber intrusion event involving data exfiltration or manipulation or other loss of any DoD information resident on or transiting the contractor's, or its subcontractors', unclassified information systems
• Intrusion activities that allow unauthorized access to an unclassified information system on which DoD information is resident or transiting.
Definition of advanced persistent threat: An extremely proficient, patient, determined, and capable adversary, including two or more of such adversaries working together.

5.6.5.2 Incident Report Content
The incident report shall include, at a minimum, the following information:
• Applicable dates (date of suspected compromise and date of discovery)
• Threat methodology (all known resources used such as Internet Protocol addresses, domain names, copies of malware, etc.)
• An account of what actions the threat(s) may have taken on the victim system/network and what information may have been accessed
• A description of the roles and functions of the threat-accessed system
• An initial list of potentially impacted Government programs and each program's classification
• What information may have been exfiltrated that may impact Government programs
• A list of all employees and subcontracted employees who work or have worked with the victim system/network
• A point of contact to coordinate damage assessment activities

5.6.5.3 Incident Report Submission
The contractor will submit unclassified network cyber incident reports to the USTRANSCOM Cyber Operations Center (CyOC) via encrypted email or another mutually agreed upon secure communications method. Copies of malware require special handling and pre-coordination must be accomplished prior to submission.
The CyOC's email address and phone number are as follows:
Email: transcom.scott.tcj3.mbx.cyoc@mail.mil
Commercial Phone: 618-220-4222

5.6.5.4 Incident Report Coordination
In the event of a known or potential intrusion, the contractor agrees to allow follow-on actions by the Government to further characterize and evaluate the suspect activity. The contractor acknowledges that damage assessments may be necessary to ascertain intruder methodology and identify systems compromised as a result of the intrusion. Company acknowledges that in certain cases a complete forensic analysis may be necessary to ascertain intruder methodology and identify systems compromised as a result of the intrusion. Once an intrusion is identified, the company agrees to take all reasonable and appropriate steps to preserve any and all evidence, information, data, logs, electronic files and similar type information (reference NIST Special Publication 800-61: Computer Security Incident Handling Guide, current version) related to the intrusion for subsequent forensic analysis so that an accurate and complete damage assessment can be accomplished by the Government. The contractor is not required to maintain an organic forensic capability, but must ensure data is preserved until forensic analysis can be performed by the Government (e.g., removing an affected system, while still powered on, from the network meets the intent of this requirement). Any follow-on actions shall be coordinated with the contractor via the COR.

5.6.5.5 Law Enforcement/Counterintelligence
In the event of a known or potential intrusion, the contractor shall consent to responding counterintelligence or law enforcement investigative agency requests to apply forensic analysis tools to contractor information systems affected by the intrusion, including monitoring tools, imaging tools, and any other techniques that the agency seeks to apply to effectively analyze the intrusion.
The contractor shall allow the responding counterintelligence and/or law enforcement investigative agency to image affected systems, including systems containing proprietary information. Nothing in this contract shall limit the ability to conduct law enforcement or counterintelligence activities, or other activities in the interest of the Government. (CDRL A604)

5.6.6 Subtask 6 - Information Sharing
The Government may use and disclose reported information (e.g., information regarding threats, vulnerabilities, incidents, or best practices) that does not include attribution information at its discretion to assist entities in protecting information or information systems (e.g., threat information products, threat assessment reports); provided that such use or disclosure is otherwise authorized in accordance with applicable statutes, regulations, and policies.

5.6.7 Subtask 7 - Confidentiality and Non-Attribution Statement
The Government shall take reasonable steps, by controlled access and need-to-know procedures, to protect against public release of attribution information of the contractor. The Government may use and disclose reported information that includes attribution information only on a need-to-know basis to authorized persons for cyber security and related purposes (e.g., in support of forensic analysis, incident response, compromise or damage assessments, law enforcement, counter intelligence, threat reporting, and trend analysis). The Government may disclose attribution information to support contractors that are supporting the Government's cyber security and related activities if the support contractor is subject to legal confidentiality requirements that prevent any further use or disclosure of the attribution information. The Government agrees to consider available exemptions of the Freedom of Information Act to protect against disclosure of attribution information of the contractor to unauthorized persons.
Within a reasonable period necessary to perform an analysis after completion of the assessment, all contractor proprietary information or third party proprietary information in the possession of the Government as a result of the assessment will be destroyed unless other disposition is agreed upon in writing by the Parties or is required by law, Executive Order or regulation.

5.6.8 Subtask 8 - Certification & Accreditation (C&A)
The Contractor shall develop and provide a Certification and Accreditation documentation package consistent with latest applicable DoDI 8510.01 Release. The C&A Package shall provide documentation and data objects generated through the Certification and Accreditation Process implementation for each new and modified system. Information from the package will be made available as needed to support an Authority to Operate (ATO) decision. The Certification and Accreditation package shall be a Comprehensive Package, containing all information connected with the certification of the system. Components include but are not limited to the below.

5.6.8.1 Risk Management Framework (RMF) Security Plan
The Contractor shall, in accordance with the Navy Certification and Accreditation process, develop and provide a Security Plan. The plan provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements. The security plan should include implementation status, responsible entities, resources, and estimated completion dates. The plan also contains, as supporting appendixes or as references, other key security-related documents such as a risk assessment, privacy impact assessment, system interconnection agreements, contingency plan, security configurations, configuration management plan, and incident response plan.
(CDRL A605)

5.6.8.2 Security Test Plan
The Contractor shall, in accordance with the Navy Certification and Accreditation process, develop and provide a test plan and procedures to test security control implementation. (CDRL A606)

5.6.8.3 Supporting Certification Documentation
The Contractor shall, in accordance with the MSC Certification and Accreditation process, develop and provide IA control test results and IA control artifacts. (CDRL A607)

5.6.8.4 Information Technology (IT) Security Plan of Action & Milestones
The Contractor shall, in accordance with the Navy Certification and Accreditation process, develop and provide an Information Technology (IT) Security Plan of Action and Milestones (POA&M) (ITPM) required for any accreditation decision that requires corrective actions. The POA&M shall address: (1) why the system needs to operate; (2) any operational restrictions agreed upon timeline for completing and validating corrective actions; and (3) the resources necessary and available to properly complete the corrective actions. (CDRL A608)

5.6.8.5 Certification & Accreditation Scorecard
The Contractor shall, in accordance with the MSC Certification and Accreditation process, develop and provide a Certification and Accreditation Scorecard to convey information about the IA posture of each system in a format that can be easily understood by managers and be easily exchanged electronically. (CDRL A609)

5.6.8.6 Continuous Monitoring Strategy
The contractor shall, in conjunction with the program office and Security Control Assessor, develop a system-level strategy for the continuous monitoring of the effectiveness of security controls employed within or inherited by the system, and monitoring of any proposed or actual changes to the system and its environment of operation.
The strategy must include the plan for annual assessments of a subset of implemented security controls, and the level of independence required of the assessor (e.g., ISSM or SCA). The system-level continuous monitoring strategy must conform to all applicable published DoD enterprise-level or DoD Component-level continuous monitoring strategies (e.g., DoD's ISCM Strategy) to ensure the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time in light of the inevitable changes that occur. (CDRL A610)

5.6.9 Subtask 9 - Information Assurance (IA) and Deliverables:
All deliverables shall be provided electronically, in a Microsoft (MS) Office commercially available product format unless otherwise defined.

Task | Deliverable | Distribution | CDRL
5.6.1 | Draft Security Plan | COR/ACOR/TPOC | A601
5.6.1 | Final Security Plan | COR/ACOR/TPOC | A601
5.6.2 | Draft Network diagram, ports, protocol matrix, and certification package | COR/ACOR/TPOC | A602
5.6.2 | Final Network diagram, ports, protocol matrix, and certification package | COR/ACOR/TPOC | A602
5.6.4 | Verification of remote access requirement | COR/ACOR/TPOC | A603
5.6.5 | Incident Report | COR/ACOR/TPOC | A604
5.6.8. | Security Test Plan | COR/ACOR/TPOC | A605
5.6.8.1 | Risk Management Framework (RMF) Security Plan | COR/ACOR/TPOC | A606
5.6.8.2 | Supporting Certification Documentation | COR/ACOR/TPOC | A607
5.6.8.3 | Information Technology (IT) Security Plan of Action & Milestones | COR/ACOR/TPOC | A608
5.6.8.4 | Certification & Accreditation Scorecard | COR/ACOR/TPOC | A609
5.6.8.5 | Continuous Monitoring Strategy | COR/ACOR/TPOC | A610

6. Performance Standards.
This is a performance-based requirement in accordance with FAR 37.6.
The performance metrics include but are not limited to the following:

Performance Standard | Acceptable Quality Level (AQL) | Method of Surveillance
Program Management Support ( Task | Must fill vacancies within 30 calendar days with qualified personnel | Resource Allocations & Availability
Information Assurance Support (Task | Achieve and maintain 100% compliance and during required phases with MSC IA Policy as defined within MSC Instruction (COMSCINSTR 5239.3 series or current). | Compliance
Enterprise Architecture Support (refer to PWS paragraph 5.2) | As required 100% of changes to MSC's Enterprise Architecture must be coordinated with the Enterprise Architecture team. | Compliance
Earned Value Tracking (refer to PWS paragraph 5.2.3) | As required 100% of all projects will utilize the EVM technique for measuring project performance and progress in an objective manner. | Compliance
Systems Engineering Design (refer to PWS paragraph 5.2.2) | Achieve and Maintain 100% compliance with Navy Policy regarding the registration of DoN IT Systems. | Compliance

7. Place of Performance.
Tasks will be performed primarily at the contractor site and on site at MSC Headquarters Norfolk, Virginia. The Contractor shall participate in meetings at the Naval Station Norfolk; therefore, travel to and from the contractor site will be required on an as needed basis. The contractor shall be expected to keep abreast of current activities and meetings to ensure that appropriate personnel are on site as needed. Furthermore, all tasks may require travel to other MSC, Navy, and USTRANSCOM or DOD installations to include but not limited to:
• MSC and U.S. Navy vessels worldwide
• MSC ANOC, San Diego, CA
• MSC MDRS, Pensacola, FL
• MSC, San Diego, CA
• MSC, Norfolk, VA
• MSC, Yokohama, Japan
• MSC, Naples, Italy
• MSC, Washington, DC
• USTRANSCOM Headquarters, Scott AFB, IL
• Navy Data Centers
Reimbursement for travel shall be in accordance with the Joint Travel Regulations (JTR).
Local travel to and from Naval Station Norfolk shall not be reimbursed (See H-7 REIMBURSEMENT OF TRAVEL).

8. Period of Performance.
As directed by the COR, the contractor shall continue performance in emergency or mission essential conditions. Additionally, the contractor may be required to account for the whereabouts of their personnel should this information be requested by the COR.

9. Delivery Schedule.
TBD
All deliverables will be prepared using Microsoft Office and Adobe compatible products. If non-compatible software is used, contractor must obtain COR written approval. All deliverables, unless specified by the Technical Direction Letter, COR or the Contracting Officer, shall be delivered by posting to the existing N6 Collaboration Site (Access will be provided by the Government, as required). All deliverables shall comply with Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d) and the Architectural and Transportation Barriers Compliance Board Electronic and Information Technology (EIT) Accessibility Standards (36 CFR part 1194). Exception to this must be approved in writing by the COR or Contracting Officer. General Deliverables required, regardless of specific tasks are outlined below (all costs associated with these reports are considered to be part of the contractor's fully burdened labor rates).

PWS Task# / Deliverable Title / Format / Due Date / Distribution/Copies / Frequency and Remarks
5.1.1 Plan A003/DI-MGMT-80347 Date or calendar days after award or event Standard Distribution* Draft - 15 Final - 30
5.1.2 Report A008/DI-MGMT-80368 Two Copies to COR; Letter Only to KO Monthly, on 5th workday
5.1.3 Software Contractor-Determined Format (allowable if desired) Standard Distribution* 180
5.x (Continue as needed to document all deliverables)
*Standard Distribution: 1 copy of the transmittal letter without the deliverable to the Contracting Officer; 1 copy of the transmittal letter with the deliverable to the Primary COR.

10. Security Requirements.
This section shall be considered a supplement to block 13 of the Government provided DD 254, Contract Classification Specification. The following security requirements shall apply to this effort. References: a. DOD 5200.2-R, DOD Personnel Security Program. b. DISAI 240-110-36, Personnel Security. c. DOD 5220.22-M, National Industrial Security Program Operating Manual. d. DOD 5220.22-R, Industrial Security Regulation. e. DISA Computing Services Directorate (CSD) Security Handbook. f. DODM 5200.01, Information Security Program, 24 February 2012 10.1 Physical Security Security policies and procedures for safeguarding information will be IAW National Industrial Security Program Manual (NISPOM), DoD, DoN, and MSC security documents and directives, and shall be followed by the Contractor. Work performed as part of executing this requirement will require access up to SECRET. MSC shall provide the Contractor with access to all areas necessary to support Contract performance. Any materials furnished in support of this Contract remain the property of the DoD, agency or command originator. As part of this contract, the contractor will have safeguarding requirements as some of the support will be completed outside a government facility at the contractor's facility. At the direction of MSC, upon completion or termination of the Contract, all classified material/information furnished will be returned to the direct custody of the designated Information Assurance Manager (IAM), or destroyed IAW applicable instructions. Upon completion or termination of the Contract, all materials will be returned to MSC IAW applicable instructions. This effort may require access to U.S. Government classified information and facilities. Prior to contract award, Contractors must have a SECRET facility security clearance. An interim facility clearance prior to contract award is also acceptable. 
At a minimum, all personnel (includes Contractor and sub-Contractor) working with classified information and on U.S. Government facilities will require a SECRET Clearance. 10.2 Personnel Security As described above, work performed as part of executing this requirement may require access up to and including access to SECRET classified information. All personnel in support of the Contract shall be required to maintain a SECRET clearance based upon a minimum of a National Agency Check with Law Enforcement and Credit Check (NACLC). The Contractor shall pursue and obtain SECRET clearances for all personnel as applicable with the Contract. This requirement also applies to all sub-Contractor personnel supporting the Contract. The Contractor shall establish and maintain an access list of those employees working on the Contract. The Contractor shall provide an initial access list to the COR at the onset of the Contract; and an updated copy of the list shall be furnished to the COR immediately upon reassignment of personnel within the Contract. Additionally, this list shall be provided through the Joint Personnel Adjudication System (JPAS) or shall be coordinated through the Command Security staff if JPAS is not available to validate and verify personal security clearances are being maintained. All personnel reassignments and changes shall be provided via the revised access list to the MSC Security Manager and the COR and updates shall be maintained in JPAS. Personnel performing classified services who have access to classified material must be U.S. Citizens. All contracting personnel who have access to classified information must comply with DoD Directive Number 5240.06 regarding Counterintelligence Awareness and Reporting and will coordinate to meet training requirements. See DoD Directive Number 5240.06 for training requirements and compliance. 
The Contractor shall immediately notify the COR if any personnel in support of the Contract has their clearance revoked or the clearance has expired, or if the personnel are involved in a reportable incident or violation. 10.3 Non-Disclosure Requirements The Contractor will be required to work with business sensitive information in the performance of this contract. No sensitive or proprietary information of or in the possession of Military Sealift Command or any of its operating units will be disclosed without the written consent of the Contracting Officer. A Non-Disclosure Agreement and Organizational Conflict of Interest shall be completed for each contractor (Attachments J-## and J-##). 10.4 Visit Access Request The Contractor will submit a Visit Access Request (VAR) to Military Sealift Command for all personnel who will be working directly on the task order or who will be visiting Military Sealift Command or any of its operating units. The VAR should be submitted via the Joint Personnel Adjudication System (JPAS) as the primary method. If the Contractor does not have access to JPAS, a VAR can be produced on Contractor letterhead and faxed to Military Sealift Command Security. The VAR will indicate the purpose of the visit, the MSC Point of Contact, the period of performance in the Contract, and the following information for each member requiring access: • Full Name: Last, First, Middle • Date of Birth: • Place of Birth: • Full Social Security Number • Citizenship • Clearance 10.5 Security Training In addition to the training stipulated in paragraph XX, Training Courses, the Contractors will attend an Orientation Briefing within the first month of reporting onboard Military Sealift Command, which will include a Security Briefing. Contractors will also attend and/or complete at a minimum annual refresher training to include Counter Intelligence Training and Security Refresher Training as sponsored by Military Sealift Command. 
Refresher training may be offered via electronic means. 10.6 Security Contacts. DISA Security Personnel can be contacted for security related questions as follows: For Industrial Security related issues: Biniam Idriss, phone: (301) 225-1229 Defense Information Systems Agency ATTN: MPS61, Industrial Security Command Building 6910 Cooper Ave. Fort Meade, MD 20755-7088 For Personnel Security related issues to include interim IT access requests: Primary: TBD, phone: (301) 225-1206 Alternate: Richard Young, phone: (301) 225-1237 Defense Information Systems Agency ATTN: MPS62, Personnel Security Command Building 6910 Cooper Ave. Fort Meade, MD 20755-7088 10.7 Information Security and other miscellaneous requirements. 10.7.1 Contractor personnel must comply with local security requirements for entry and exit control for personnel and property at the government facility. 10.7.2 Contractor employees will be required to comply with all Government security regulations and requirements. Initial and periodic security training and briefings will be provided by Government security personnel. Failure to comply with security requirements can be cause for removal and the contractor will not be able to provide service on this contract. 10.7.3 The Contractor shall not divulge any information about DoD files, data processing activities or functions, user identifications, passwords, or any other knowledge that may be gained, to anyone who is not authorized to have access to such information. The Contractor shall observe and comply with the security provisions in effect at the DoD facility. Identification shall be worn and displayed as required. 10.7.4 DISA retains the right to request removal of contractor personnel regardless of prior clearance or adjudication status, whose actions, while assigned to this contract, clearly conflict with the interest of the Government. 10.7.5 Contractor personnel will generate or handle documents that contain FOUO information at Government facilities. 
Contractor shall have access to, generate, and handle classified material only at Government facilities. All contractor deliverables shall be marked at a minimum FOUO, unless otherwise directed by the Government. The contractor shall comply with the provisions of the DOD Industrial Security Manual for handling classified material and producing deliverables. The contractor shall comply with DISA Instruction 630-230-19. 11. Government-Furnished Equipment (GFE)/Government-Furnished Information (GFI). 11.1 Resource Requirements The Contractor shall identify all resource requirements including the facilities, system hardware, system software, emulation tools, documentation and people needed to operate and support laboratory integration and testing. GFE items for development shall be identified and provided to the Contractor. The Contractor shall avoid use of proprietary information, tools, or COTS modifications for satisfying requirements. 11.1.2 System Components & Configuration Items As identified per the government approved system design and BOM the government shall provide appropriate components and configuration items to the Contractor. 11.3 Inventories upon Termination and Completion Within 120 calendar days of termination or completion of contract, the contractor shall perform and cause each subcontractor to perform a physical inventory, adequate for disposal purposes, of all Government property applicable to the contract unless MSC Contracting Officer waives the requirement in his sole discretion. This inventory is due to the MSC Property Administrator no later than 60 days prior to contract completion/termination. 12. Other Pertinent Information or Special Considerations. 
12.1 Procedures for Technical Direction (a) Procedures for Technical Direction (1) Technical Direction Letters (TDLs) may be provided to the Contractor by the Contracting Officer or the COR during the term (term is defined as the period of performance for the task order and any options that may be exercised) of this task order. All TDLs must be signed by the Contracting Officer and the COR. The Contractor shall not commence work on a TDL unless the TDL is signed by the Contracting Officer and the COR/ACOR. Technical Direction will provide specific information relating to the tasks contained in the Performance Work Statement and will be provided to the contractor in writing. Any Technical Direction issued hereunder will be subject to the terms and conditions of the task order. The task order shall control in the event of conflict with any Technical Direction issued hereunder, and cannot be modified by any Technical Direction. (2) Technical Direction shall be issued in writing and shall include, but not be limited to, the following information. 1. Date of issuance of Technical Direction; 2. Applicable contract number/task order; 3. Technical Direction identification number; 4. Description of Technical Direction (Scope); 5. Scheduled time for completion of technical direction task (Schedule) 6. Technical Point of Contact 7. Signature of the Contracting Officer and the TOM/COR 8. Deliverables will be defined in each TDL (3) If the contractor considers the technical direction to be outside the scope of the task order, it shall notify the Contracting Officer immediately. In the case of the direction requiring work that is out of the scope of the contract, the contractor shall not proceed with the effort unless and until the Contracting Officer executes a contract modification to include the change in scope. 
(b) Technical direction task shall not exceed authorized cost ceiling (reimbursable funding for Other Direct Costs, and Travel) and time schedule without a modified technical direction from the Contracting Officer. The Contractor shall note in the monthly status reports any potential issues with scope, cost and/or schedule. (c) The Contractor shall invoice for labor monthly. Invoices for reimbursable travel and other direct costs shall be submitted no more than twice per month. 12.2 Contract Phase In / Phase Out Period 12.2.1 Task Order Phase-In Period Following award, there will be up to a 5 day phase-in period. The purpose of the phase-in period is to ensure a smooth transition of services. Immediately following award, the contractor shall commence review of all tasks to be performed under this contract. Prior to the contract kick-off meeting, the contractor shall develop, with Government input, a plan of action to ensure the smooth transition of services. At the end of the phase-in period, the contractor shall be responsible for full performance in accordance with the terms of the contract. 12.2.2 Task Order Phase-Out Period There will be a task order phase-out period commencing 90 days prior to end of the task order. The purpose of the phase-out period is to ensure a smooth transition of services from the predecessor contractor to the new contractor. The contractor shall provide the services necessary to ensure a successful transition of services from it to the awardee under a subsequent contract for the same or similar requirement. No later than 120 days prior to the end of the task order, the contractor shall develop, with input from the Government, a plan of action to facilitate the transition of services to the incoming contractor with no degradation in services. 12.3 Personnel Identification Contractor personnel shall be able to obtain and keep current Common Access Cards (CACs). 
CACs shall be obtained in a timely manner so as to pre-empt disruption of required services and network access. 12.4 Common Access Cards (CAC) The United States Department of Defense (DOD)/Uniformed Services Identification Common Access Card (CAC) is the standard identification card issued to authorized personnel within DOD. The Contractor shall ensure Common Access Cards with Public Key Infrastructure (PKI) are obtained for any contractor personnel who require logical access to the Department of Navy's computer networks or systems and / or will require regular access to Government installations, facilities, and ships for the duration of the contract. Fees associated with obtaining CACs are not reimbursable. • Authorized Personnel. CACs are to be issued only through the auspices of a Trusted Agent (TA) (assigned after contract award), and only to U.S. Citizens or other individuals as authorized by Commander, Military Sealift Command (MSC). The contractor shall coordinate with the TA to ensure contractor employees have been entered into the web based Contractor Verification System (CVS). • Tracking and Disposition. Since the card is Government property, contractors are responsible for the control of CACs issued to their personnel under MSC contract. In order to ensure positive control of CACs, contractors shall, at a minimum: • Require employees to surrender their CAC to the COR at the end of their employment. • The Contractor shall surrender all CACs issued in the performance of a subject contract upon: 1) Termination/end of the contract; 2) As directed by the issuing authority, the Trusted Agent or the Contracting Officer. • CAC Reporting. The contractor shall provide to the COR: • A semi-annual list of all CACs issued to contractor employees and subcontractor's employees. The list shall state: 1) Name of the employee; 2) Location of CAC (e.g., with employee, returned to issuing office). 
• A report shall be made to the COR/ACOR within 24 hours of discovering that any CAC is lost, stolen or destroyed. The Contracting Officer shall then generate a report to the Trusted Agent for cancellation of the card. 13. Section 508 Accessibility Standards. The following Section 508 Accessibility Standard(s) (Technical Standards and Functional Performance Criteria) are applicable (if box is checked) to this acquisition. Technical Standards 0 1194.21 - Software Applications and Operating Systems 0 1194.22 - Web Based Intranet and Internet Information and Applications 0 1194.23 - Telecommunications Products 0 1194.24 - Video and Multimedia Products 0 1194.25 - Self-Contained, Closed Products 0 1194.26 - Desktop and Portable Computers 0 1194.41 - Information, Documentation and Support The Technical Standards above facilitate the assurance that the maximum technical standards are provided to the Offerors. Functional Performance Criteria are the minimally acceptable standards to ensure Section 508 compliance. This block is checked to ensure that the minimally acceptable electronic and information technology (E&IT) products are proposed. Functional Performance Criteria 0 1194.31 - Functional Performance Criteria IT IS REQUESTED THAT THE ABOVE INFORMATION BE PROVIDED NO LATER THAN 8 JULY 2015 @ 2:00 P.M. NORFOLK, VIRGINIA LOCAL TIME. RESPONSES SHOULD BE EMAILED TO CHERYL.SOMERS@NAVY.MIL. THE POINT OF CONTACT FOR THIS ACTION IS MS. CHERYL SOMERS AT (757) 443-5921 OR CHERYL.SOMERS@NAVY.MIL.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/notices/b7084d979aed219e2921216f80d85f84)
- Place of Performance
- Address: 471 East C. Street, Norfolk, Virginia, 23511, United States
- Zip Code: 23511
- Record
- SN03780318-W 20150701/150629235559-b7084d979aed219e2921216f80d85f84 (fbodaily.com)