Loren Data's SAM Daily™

FBO DAILY - FEDBIZOPPS ISSUE OF FEBRUARY 06, 2016 FBO #5188
SOLICITATION NOTICE

60 -- CCTV Ethernet

Notice Date
2/4/2016
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
517110 — Wired Telecommunications Carriers
 
Contracting Office
Department of Homeland Security, Transportation Security Administration, Headquarters TSA, 601 S. 12th Street, TSA-25, 10th Floor, Arlington, Virginia, 20598, United States
 
ZIP Code
20598
 
Solicitation Number
HSTS05-16-Q-HNL001
 
Archive Date
2/23/2016
 
Point of Contact
Peter S Larsen, Phone: 202-380-8955
 
E-Mail Address
peter.s.larsen@tsa.dhs.gov
 
Small Business Set-Aside
Total Small Business
 
Description
1.0 General Requirement Information

This is a Combined Synopsis/Solicitation for commercial items prepared in accordance with the information in FAR Subpart 12.6, as supplemented with additional information included in this notice. This announcement constitutes the only solicitation; firm fixed price quotes are being requested and a written solicitation will not be issued. HSTS05-16-Q-HNL001 is issued as a Request for Quote. This solicitation documents and incorporates provisions and clauses in effect through FAC 2005-85-1. This is a total small business set-aside. The NAICS code is 517110 with a business size standard of 1500. The anticipated period of performance is one base year followed by an Option Year. The Government anticipates awarding a firm fixed price purchase order.

2.0 Description of Service

TSA-HNL requires monthly connectivity service for CCTV-Ethernet transport with RJ-45 handoff. The contractor shall provide a minimum of 3 Mbps connectivity for the data lines. The connectivity shall support continuous real-time CCTV coverage. All services, hardware and/or software provided under this purchase order must be compliant with DHS 4300A Sensitive Systems Policy Directive, DHS 4300A Sensitive Systems Handbook, TSA MD 1400.3 Information Technology Security Policy, TSA IT Security Policy Handbook and Technical Standards.

Accessibility Requirements (Section 508)

Section 508 of the Rehabilitation Act, as amended by the Workforce Investment Act of 1998 (P.L. 105-220) requires that when Federal agencies develop, procure, maintain, or use electronic and information technology (EIT), they must ensure that it is accessible to people with disabilities. Federal employees and members of the public who have disabilities must have equal access to and use of information and data that is comparable to that enjoyed by non-disabled Federal employees and members of the public.

All EIT deliverables within this work statement shall comply with the applicable technical and functional performance criteria of Section 508 unless exempt. Specifically, the following applicable EIT accessibility standards have been identified:

Section 508 Applicable EIT Accessibility Standards

36 CFR 1194.21 Software Applications and Operating Systems, applies to all EIT software applications and operating systems procured or developed under this work statement including but not limited to GOTS and COTS software. In addition, this standard is to be applied to Web-based applications when needed to fulfill the functional performance criteria. This standard also applies to some Web-based applications as described within 36 CFR 1194.22.

36 CFR 1194.22 Web-based Intranet and Internet Information and Applications, applies to all Web-based deliverables, including documentation and reports procured or developed under this work statement. When any Web application uses a dynamic (non-static) interface, embeds custom user control(s), embeds video or multimedia, or uses proprietary or technical approaches such as, but not limited to, Flash or Asynchronous JavaScript and XML (AJAX), then the 1194.21 Software standards also apply to fulfill functional performance criteria.

36 CFR 1194.24 Video and Multimedia Products, applies to all video and multimedia products that are procured or developed under this work statement. Any video or multimedia presentation shall also comply with the software standards (1194.21) when the presentation is through the use of a Web or Software application interface having user controls available.

36 CFR 1194.31 Functional Performance Criteria, applies to all EIT deliverables regardless of delivery method. All EIT deliverables shall use technical standards, regardless of technology, to fulfill the functional performance criteria.

36 CFR 1194.41 Information Documentation and Support, applies to all documents, reports, as well as help and support services. To ensure that documents and reports fulfill the required 1194.31 Functional Performance Criteria, they shall comply with the technical standard associated with Web-based Intranet and Internet Information and Applications at a minimum. In addition, any help or support provided in this work statement that offers telephone support, such as, but not limited to, a help desk shall have the ability to transmit and receive messages using TTY.

Section 508 Applicable Exceptions

Exceptions for this work statement have been determined by DHS and only the exceptions described herein may be applied. Any request for additional exceptions shall be sent to the COTR and determination will be made in accordance with DHS MD 4010.2. DHS has identified the following exceptions that may apply:

36 CFR 1194.3(b) Incidental to Contract, all EIT that is exclusively owned and used by the contractor to fulfill this work statement does not require compliance with Section 508. This exception does not apply to any EIT deliverable, service or item that will be used by any Federal employee(s) or member(s) of the public. This exception only applies to those contractors assigned to fulfill the obligations of this work statement who, for the purposes of this requirement, are not considered members of the public.

Section 508 Compliance Requirements

36 CFR 1194.2(b) (COTS/GOTS products), When procuring a product, each agency shall procure products which comply with the provisions in this part when such products are available in the commercial marketplace or when such products are developed in response to a Government solicitation. Agencies cannot claim a product as a whole is not commercially available because no product in the marketplace meets all the standards. If products are commercially available which meet some but not all of the standards, the agency must procure the product that best meets the standards.
When applying this standard, all procurements of EIT shall have documentation of market research that identifies a list of products or services that first meet the agency business needs, and from that list of products or services, an analysis that the selected product met more of the accessibility requirements than the non-selected products as required by FAR 39.2. Any selection of a product or service that meets fewer accessibility standards due to a significant difficulty or expense shall only be permitted under an undue burden claim and requires authorization from the DHS Office of Accessible Systems and Technology (OAST) in accordance with DHS MD 4010.2. All tasks for testing of functional and/or technical requirements must include specific testing for Section 508 compliance, and must use DHS Office of Accessible Systems and Technology approved testing methods and tools. For information about approved testing methods and tools send an email to accessibility@hq.dhs.gov.

DHS and TSA Enterprise Architecture Compliance

a) The Contractor shall ensure that all solutions, products, deliverables, and services are aligned and compliant with the current DHS and TSA Enterprise Architecture, and the Federal Enterprise Architecture Framework (OMB Reference Models).

b) All solutions and services shall meet DHS and TSA Enterprise Architecture policies, standards, and procedures. Specifically, the contractor shall comply with Homeland Security Enterprise Architecture (HLS EA) requirements.

i. All developed solutions and requirements shall be compliant with the HLS EA.

ii. The contractor shall align all solutions and services and ensure compliance with applicable TSA and DHS IT Security, Application, System, Network, Data, Information, and Business Architecture policies, directives, guidelines, standards, segment architectures and reference architectures.

iii. The contractor shall utilize any existing TSA or DHS user interface design standards, style guides, and/or policies and standards for human factors, usability, user experience, or human computer interaction (HCI).

iv. All solution architectures and services (Application, System, Network, Security, Information, etc.) shall be reviewed and approved by TSA EA as part of the TSA SELC review process and in accordance with all applicable DHS and TSA IT governance policies, directives, and processes (i.e. TSA IT Governance Management Directive 1400.20). This includes the Solution Engineering Review (SER), Preliminary Design Review (PDR) and Critical Design Review (CDR) stage gates. All implementations shall follow the approved solution architecture/design without deviation. Any changes to either the prior approved solution and/or prior approved design that are identified during subsequent SELC phases, including testing, implementation and deployment, shall undergo additional EA review prior to proceeding.

v. All IT hardware and software shall be compliant with the TSA and HLS EA Technical Reference Model (TRM) Standards and Products Profile; all products are subject to TSA and DHS Enterprise Architectural approval. No product may be utilized in any production environment that is not included in the TSA and HLS EA TRM Standards and Products Profile.

c) Description information for all data assets, information exchanges and data standards, whether adopted or developed, shall be submitted to the TSA Enterprise Architecture Data Management Team, who will be responsible for coordination with the DHS Enterprise Data Management Office (EDMO) for review, approval and insertion into the DHS Data Reference Model and Enterprise Architecture Information Repository.

i. Development of data assets, information exchanges, and data standards will comply with the DHS Data Management Policy MD 103-01 and all data-related artifacts will be developed and validated according to DHS and TSA data management architectural guidelines and subject to the TSA Enterprise Architecture Data Management Team (EDM) approval.

ii. In addition to the Federal Acquisition Regulation (FAR) Subpart 27.4, 'Rights in Data and Copyrights', and Section 35.011 detailing technical data delivery, the contractor shall provide all TSA-specific data in a format maintaining pre-existing referential integrity and data constraints, as well as data structures in an understandable format to TSA. Examples of data structures can be defined as, but are not limited to:
a. Data models depicting relationship mapping and/or linkages
b. Metadata information to define data definitions
c. Detailed data formats, type, and size
d. Delineations of the referential integrity (e.g., primary key/foreign key) of data schemas, structures, and/or taxonomies

iii. All TSA-specific data shall be delivered in a secure and timely manner to TSA. Data security is defined within the 'Requirements for Handling Sensitive, Classified, and/or Proprietary Information' section of this SOW. This definition applies not only to the delivery of data, but also to maintaining TSA-specific data within a non-TSA or DHS proprietary system. Alternative data delivery techniques may also be defined by the TSA Enterprise Data Management (EDM) team.

iv. All metadata shall be pre-defined upon delivery to TSA. Metadata shall be delivered in a format that is readily interpretable by TSA (e.g. metadata shall be extracted from any metadata repository that is not utilized by TSA and delivered in a TSA approved manner). Metadata shall also provide an indication of historical versus the most current data to be used, as well as frequency of data refreshes.

v. The contractor shall adhere to providing a Data Management Plan (DMP), as defined by Enterprise Architecture, to the EA design review team before the preliminary/critical design review. The Data Management Plan includes conceptual and logical data models, data dictionaries, data asset profile, and other artifacts pertinent to the project's data. All data artifacts must adhere to TSA EA data standards defined and published before the design review. Data Standards include, but are not limited to, data asset standards, metadata standards, logical/physical naming standards, and information exchange (using the National Information Exchange Model (NIEM)) standards. All required artifacts must be provided to and approved by the EA Design Review team.

d) Applicability of Internet Protocol Version 6 (IPv6) to DHS-related components (networks, infrastructure, and applications) specific to individual acquisitions shall be in accordance with the DHS Enterprise Architecture (per OMB Memorandum M-05-22, August 2, 2005) regardless of whether the acquisition is for modification, upgrade, or replacement. All EA related component acquisitions shall be IPv6 compliant as defined in the U.S. Government Version 6 (USGv6) Profile (National Institute of Standards and Technology (NIST) Special Publication 500-267) and the corresponding declarations of conformance defined in the USGv6 Test Program.

Sensitive Information Required Special Contract Terms (MARCH 2015)

SAFEGUARDING OF SENSITIVE INFORMATION (MAR 2015)

(a) Applicability. This clause applies to [ENTITY NAME], its subcontractors, and Contractor employees (hereafter referred to collectively as "Contractor"). The Contractor shall insert the substance of this clause in all subcontracts.

(b) Definitions.
As used in this clause:

"Personally Identifiable Information (PII)" means information that can be used to distinguish or trace an individual's identity, such as name, social security number, or biometric records, either alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, or mother's maiden name. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-personally identifiable information can become personally identifiable information whenever additional information is made publicly available, in any medium and from any source, that, combined with other available information, could be used to identify an individual. PII is a subset of sensitive information. Examples of PII include, but are not limited to: name, date of birth, mailing address, telephone number, Social Security number (SSN), email address, zip code, account numbers, certificate/license numbers, vehicle identifiers including license plates, uniform resource locators (URLs), static Internet protocol addresses, biometric identifiers such as fingerprint, voiceprint, iris scan, photographic facial images, or any other unique identifying number or characteristic, and any information where it is reasonably foreseeable that the information will be linked with other information to identify the individual.

"Sensitive Information" is defined in HSAR clause 3052.204-71, Contractor Employee Access, as any information, which if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of Title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense, homeland security or foreign policy. This definition includes the following categories of information:
(1) Protected Critical Infrastructure Information (PCII) as set out in the Critical Infrastructure Information Act of 2002 (Title II, Subtitle B, of the Homeland Security Act, Public Law 107-296, 196 Stat. 2135), as amended, the implementing regulations thereto (Title 6, Code of Federal Regulations, Part 29) as amended, the applicable PCII Procedures Manual, as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the PCII Program Manager or his/her designee);
(2) Sensitive Security Information (SSI), as defined in Title 49, Code of Federal Regulations, Part 1520, as amended, "Policies and Procedures of Safeguarding and Control of SSI," as amended, and any supplementary guidance officially communicated by an authorized official of the Department of Homeland Security (including the Assistant Secretary for the Transportation Security Administration or his/her designee);
(3) Information designated as "For Official Use Only," which is unclassified information of a sensitive nature and the unauthorized disclosure of which could adversely impact a person's privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national or homeland security interest; and
(4) Any information that is designated "sensitive" or subject to other controls, safeguards or protections in accordance with subsequently adopted homeland security information handling procedures.

"Sensitive Information Incident" is an incident that includes the known, potential, or suspected exposure, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or unauthorized access or attempted access of any Government system, Contractor system, or sensitive information.

"Sensitive Personally Identifiable Information (SPII)" is a subset of PII, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements. Examples of such PII include: Social Security numbers (SSN), driver's license or state identification number, Alien Registration Numbers (A-number), financial account number, and biometric identifiers such as fingerprint, voiceprint, or iris scan. Additional examples include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements:
(1) Truncated SSN (such as last 4 digits)
(2) Date of birth (month, day, and year)
(3) Citizenship or immigration status
(4) Ethnic or religious affiliation
(5) Sexual orientation
(6) Criminal History
(7) Medical Information
(8) System authentication information such as mother's maiden name, account passwords or personal identification numbers (PIN)
Other PII may be "sensitive" depending on its context, such as a list of employees and their performance ratings or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII but is not sensitive.

(c) Authorities.
The Contractor shall follow all current versions of Government policies and guidance accessible at http://www.dhs.gov/dhs-security-and-training-requirements-contractors, or available upon request from the Contracting Officer, including but not limited to:
(1) DHS Management Directive 11042.1 Safeguarding Sensitive But Unclassified (For Official Use Only) Information
(2) DHS Sensitive Systems Policy Directive 4300A
(3) DHS 4300A Sensitive Systems Handbook and Attachments
(4) DHS Security Authorization Process Guide
(5) DHS Handbook for Safeguarding Sensitive Personally Identifiable Information
(6) DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel Suitability and Security Program
(7) DHS Information Security Performance Plan (current fiscal year)
(8) DHS Privacy Incident Handling Guidance
(9) Federal Information Processing Standard (FIPS) 140-2 Security Requirements for Cryptographic Modules accessible at http://csrc.nist.gov/groups/STM/cmvp/standards.html
(10) National Institute of Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations accessible at http://csrc.nist.gov/publications/PubsSPs.html
(11) NIST Special Publication 800-88 Guidelines for Media Sanitization accessible at http://csrc.nist.gov/publications/PubsSPs.html

(d) Handling of Sensitive Information. Contractor compliance with this clause, as well as the policies and procedures described below, is required.
(1) Department of Homeland Security (DHS) policies and procedures on Contractor personnel security requirements are set forth in various Management Directives (MDs), Directives, and Instructions. MD 11042.1, Safeguarding Sensitive But Unclassified (For Official Use Only) Information describes how Contractors must handle sensitive but unclassified information. DHS uses the term "FOR OFFICIAL USE ONLY" to identify sensitive but unclassified information that is not otherwise categorized by statute or regulation. Examples of sensitive information that are categorized by statute or regulation are PCII, SSI, etc. The DHS Sensitive Systems Policy Directive 4300A and the DHS 4300A Sensitive Systems Handbook provide the policies and procedures on security for Information Technology (IT) resources. The DHS Handbook for Safeguarding Sensitive Personally Identifiable Information provides guidelines to help safeguard SPII in both paper and electronic form. DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel Suitability and Security Program establishes procedures, program responsibilities, minimum standards, and reporting protocols for the DHS Personnel Suitability and Security Program.
(2) The Contractor shall not use or redistribute any sensitive information processed, stored, and/or transmitted by the Contractor except as specified in the contract.
(3) All Contractor employees with access to sensitive information shall execute DHS Form 11000-6, Department of Homeland Security Non-Disclosure Agreement (NDA), as a condition of access to such information. The Contractor shall maintain signed copies of the NDA for all employees as a record of compliance. The Contractor shall provide copies of the signed NDA to the Contracting Officer's Representative (COR) no later than two (2) days after execution of the form.
(4) The Contractor's invoicing, billing, and other recordkeeping systems maintained to support financial or other administrative functions shall not maintain SPII. It is acceptable to maintain in these systems the names, titles and contact information for the COR or other Government personnel associated with the administration of the contract, as needed.

(e) Authority to Operate.
The Contractor shall not input, store, process, output, and/or transmit sensitive information within a Contractor IT system without an Authority to Operate (ATO) signed by the Headquarters or Component CIO, or designee, in consultation with the Headquarters or Component Privacy Officer. Unless otherwise specified in the ATO letter, the ATO is valid for three (3) years. The Contractor shall adhere to current Government policies, procedures, and guidance for the Security Authorization (SA) process as defined below.

(1) Complete the Security Authorization process. The SA process shall proceed according to the DHS Sensitive Systems Policy Directive 4300A (Version 11.0, April 30, 2014), or any successor publication, DHS 4300A Sensitive Systems Handbook (Version 9.1, July 24, 2012), or any successor publication, and the Security Authorization Process Guide including templates.

(i) Security Authorization Process Documentation. SA documentation shall be developed using the Government provided Requirements Traceability Matrix and Government security documentation templates. SA documentation consists of the following: Security Plan, Contingency Plan, Contingency Plan Test Results, Configuration Management Plan, Security Assessment Plan, Security Assessment Report, and Authorization to Operate Letter. Additional documents that may be required include a Plan(s) of Action and Milestones and Interconnection Security Agreement(s). During the development of SA documentation, the Contractor shall submit a signed SA package, validated by an independent third party, to the COR for acceptance by the Headquarters or Component CIO, or designee, at least thirty (30) days prior to the date of operation of the IT system. The Government is the final authority on the compliance of the SA package and may limit the number of resubmissions of a modified SA package. Once the ATO has been accepted by the Headquarters or Component CIO, or designee, the Contracting Officer shall incorporate the ATO into the contract as a compliance document. The Government's acceptance of the ATO does not alleviate the Contractor's responsibility to ensure the IT system controls are implemented and operating effectively.

(ii) Independent Assessment. Contractors shall have an independent third party validate the security and privacy controls in place for the system(s). The independent third party shall review and analyze the SA package, and report on technical, operational, and management level deficiencies as outlined in NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. The Contractor shall address all deficiencies before submitting the SA package to the Government for acceptance.

(iii) Support the completion of the Privacy Threshold Analysis (PTA) as needed. As part of the SA process, the Contractor may be required to support the Government in the completion of the PTA. The requirement to complete a PTA is triggered by the creation, use, modification, upgrade, or disposition of a Contractor IT system that will store, maintain and use PII, and must be renewed at least every three (3) years. Upon review of the PTA, the DHS Privacy Office determines whether a Privacy Impact Assessment (PIA) and/or Privacy Act System of Records Notice (SORN), or modifications thereto, are required. The Contractor shall provide all support necessary to assist the Department in completing the PIA in a timely manner and shall ensure that project management plans and schedules include time for the completion of the PTA, PIA, and SORN (to the extent required) as milestones. Support in this context includes responding timely to requests for information from the Government about the use, access, storage, and maintenance of PII on the Contractor's system, and providing timely review of relevant compliance documents for factual accuracy. Information on the DHS privacy compliance process, including PTAs, PIAs, and SORNs, is accessible at http://www.dhs.gov/privacy-compliance.

(2) Renewal of ATO. Unless otherwise specified in the ATO letter, the ATO shall be renewed every three (3) years. The Contractor is required to update its SA package as part of the ATO renewal process. The Contractor shall update its SA package by one of the following methods: (1) Updating the SA documentation in the DHS automated information assurance tool for acceptance by the Headquarters or Component CIO, or designee, at least 90 days before the ATO expiration date for review and verification of security controls; or (2) Submitting an updated SA package directly to the COR for approval by the Headquarters or Component CIO, or designee, at least 90 days before the ATO expiration date for review and verification of security controls. The 90 day review process is independent of the system production date and therefore it is important that the Contractor build the review into project schedules. The reviews may include onsite visits that involve physical or logical inspection of the Contractor environment to ensure controls are in place.

(3) Security Review. The Government may elect to conduct random periodic reviews to ensure that the security requirements contained in this contract are being implemented and enforced. The Contractor shall afford DHS, the Office of the Inspector General, and other Government organizations access to the Contractor's facilities, installations, operations, documentation, databases and personnel used in the performance of this contract.
The Contractor shall, through the Contracting Officer and COR, contact the Headquarters or Component CIO, or designee, to coordinate and participate in review and inspection activity by Government organizations external to the DHS. Access shall be provided, to the extent necessary as determined by the Government, for the Government to carry out a program of inspection, investigation, and audit to safeguard against threats and hazards to the integrity, availability and confidentiality of Government data or the function of computer systems used in performance of this contract and to preserve evidence of computer crime.

(4) Continuous Monitoring. All Contractor-operated systems that input, store, process, output, and/or transmit sensitive information shall meet or exceed the continuous monitoring requirements identified in the Fiscal Year 2014 DHS Information Security Performance Plan, or successor publication. The plan is updated on an annual basis. The Contractor shall also store monthly continuous monitoring data at its location for a period not less than one year from the date the data is created. The data shall be encrypted in accordance with FIPS 140-2 Security Requirements for Cryptographic Modules and shall not be stored on systems that are shared with other commercial or Government entities. The Government may elect to perform continuous monitoring and IT security scanning of Contractor systems from Government tools and infrastructure.

(5) Revocation of ATO. In the event of a sensitive information incident, the Government may suspend or revoke an existing ATO (either in part or in whole). If an ATO is suspended or revoked in accordance with this provision, the Contracting Officer may direct the Contractor to take additional security measures to secure sensitive information. These measures may include restricting access to sensitive information on the Contractor IT system under this contract. Restricting access may include disconnecting the system processing, storing, or transmitting the sensitive information from the Internet or other networks or applying additional security controls.

(6) Federal Reporting Requirements. Contractors operating information systems on behalf of the Government or operating systems containing sensitive information shall comply with Federal reporting requirements. Annual and quarterly data collection will be coordinated by the Government. Contractors shall provide the COR with requested information within three (3) business days of receipt of the request. Reporting requirements are determined by the Government and are defined in the Fiscal Year 2014 DHS Information Security Performance Plan, or successor publication. The Contractor shall provide the Government with all information to fully satisfy Federal reporting requirements for Contractor systems.

(f) Sensitive Information Incident Reporting Requirements.

(1) All known or suspected sensitive information incidents shall be reported to the Headquarters or Component Security Operations Center (SOC) within one hour of discovery in accordance with 4300A Sensitive Systems Handbook Incident Response and Reporting requirements. When notifying the Headquarters or Component SOC, the Contractor shall also notify the Contracting Officer, COR, Headquarters or Component Privacy Officer, and US-CERT using the contact information identified in the contract. If the incident is reported by phone or the Contracting Officer's email address is not immediately available, the Contractor shall contact the Contracting Officer immediately after reporting the incident to the Headquarters or Component SOC. The Contractor shall not include any sensitive information in the subject or body of any e-mail.
To transmit sensitive information, the Contractor shall use FIPS 140-2 Security Requirements for Cryptographic Modules compliant encryption methods to protect sensitive information in attachments to email. Passwords shall not be communicated in the same email as the attachment. A sensitive information incident shall not, by itself, be interpreted as evidence that the Contractor has failed to provide adequate information security safeguards for sensitive information, or has otherwise failed to meet the requirements of the contract. (2) If a sensitive information incident involves PII or SPII, in addition to the reporting requirements in 4300A Sensitive Systems Handbook Incident Response and Reporting, Contractors shall also provide as many of the following data elements that are available at the time the incident is reported, with any remaining data elements provided within 24 hours of submission of the initial incident report: (i) Data Universal Numbering System (DUNS); (ii) Contract numbers affected unless all contracts by the company are affected; (iii) Facility CAGE code if the location of the event is different than the prime contractor location; (iv) Point of contact (POC) if different than the POC recorded in the System for Award Management (address, position, telephone, email); (v) Contracting Officer POC (address, telephone, email); (vi) Contract clearance level; (vii) Name of subcontractor and CAGE code if this was an incident on a subcontractor network; (viii) Government programs, platforms or systems involved; (ix) Location(s) of incident; (x) Date and time the incident was discovered; (xi) Server names where sensitive information resided at the time of the incident, both at the Contractor and subcontractor level; (xii) Description of the Government PII and/or SPII contained within the system; (xiii) Number of people potentially affected and the estimate or actual number of records exposed and/or contained within the system; and (xiv) Any additional 
information relevant to the incident. (g) Sensitive Information Incident Response Requirements. (1) All determinations related to sensitive information incidents, including response activities, notifications to affected individuals and/or Federal agencies, and related services (e.g., credit monitoring) will be made in writing by the Contracting Officer in consultation with the Headquarters or Component CIO and Headquarters or Component Privacy Officer. (2) The Contractor shall provide full access and cooperation for all activities determined by the Government to be required to ensure an effective incident response, including providing all requested images, log files, and event information to facilitate rapid resolution of sensitive information incidents. (3) Incident response activities determined to be required by the Government may include, but are not limited to, the following: (i) Inspections, (ii) Investigations, (iii) Forensic reviews, and (iv) Data analyses and processing. (4) The Government, at its sole discretion, may obtain the assistance from other Federal agencies and/or third-party firms to aid in incident response activities. (h) Additional PII and/or SPII Notification Requirements. (1) The Contractor shall have in place procedures and the capability to notify any individual whose PII resided in the Contractor IT system at the time of the sensitive information incident not later than 5 business days after being directed to notify individuals, unless otherwise approved by the Contracting Officer. The method and content of any notification by the Contractor shall be coordinated with, and subject to prior written approval by the Contracting Officer, in consultation with the Headquarters or Component Privacy Officer, utilizing the DHS Privacy Incident Handling Guidance. 
The Contractor shall not proceed with notification unless the Contracting Officer, in consultation with the Headquarters or Component Privacy Officer, has determined in writing that notification is appropriate. (2) Subject to Government analysis of the incident and the terms of its instructions to the Contractor regarding any resulting notification, the notification method may consist of letters to affected individuals sent by first class mail, electronic means, or general public notice, as approved by the Government. Notification may require the Contractor's use of address verification and/or address location services. At a minimum, the notification shall include: (i) A brief description of the incident; (ii) A description of the types of PII and SPII involved; (iii) A statement as to whether the PII or SPII was encrypted or protected by other means; (iv) Steps individuals may take to protect themselves; (v) What the Contractor and/or the Government are doing to investigate the incident, to mitigate the incident, and to protect against any future incidents; and (vi) Information identifying who individuals may contact for additional information. (i) Credit Monitoring Requirements. In the event that a sensitive information incident involves PII or SPII, the Contractor may be required to, as directed by the Contracting Officer: (1) Provide notification to affected individuals as described above; and/or (2) Provide credit monitoring services to individuals whose data was under the control of the Contractor or resided in the Contractor IT system at the time of the sensitive information incident for a period beginning the date of the incident and extending not less than 18 months from the date the individual is notified. Credit monitoring services shall be provided from a company with which the Contractor has no affiliation. 
At a minimum, credit monitoring services shall include: (i) Triple credit bureau monitoring; (ii) Daily customer service; (iii) Alerts provided to the individual for changes and fraud; and (iv) Assistance to the individual with enrollment in the services and the use of fraud alerts; and/or (3) Establish a dedicated call center. Call center services shall include: (i) A dedicated telephone number to contact customer service within a fixed period; (ii) Information necessary for registrants/enrollees to access credit reports and credit scores; (iii) Weekly reports on call center volume, issue escalation (i.e., those calls that cannot be handled by call center staff and must be resolved by call center management or DHS, as appropriate), and other key metrics; (iv) Escalation of calls that cannot be handled by call center staff to call center management or DHS, as appropriate; (v) Customized FAQs, approved in writing by the Contracting Officer in coordination with the Headquarters or Component Chief Privacy Officer; and (vi) Information for registrants to contact customer service representatives and fraud resolution representatives for credit monitoring assistance. (j) Certification of Sanitization of Government and Government-Activity-Related Files and Information. As part of contract closeout, the Contractor shall submit the certification to the COR and the Contracting Officer following the template provided in NIST Special Publication 800-88 Guidelines for Media Sanitization. Information Assurance Requirements for TSA Government Acquisitions A. Controls A.1. The Contractor shall comply with Department of Homeland Security (DHS) and Transportation Security Administration (TSA) technical, management and operational security controls to ensure that the Government's security requirements are met. These controls are described in DHS PD 4300A and TSA MD 1400 series security policy documents and are based on the NIST Special Publication (SP) 800-53 standards. A.2. 
The Contractor shall include this prospective clause in all subcontracts at any tier where the subcontractor may have access to "sensitive information" as defined in this prospective clause. A.3. The Contractor shall be privy to sensitive organizational information. A Privacy Management Plan and signed DHS Non-Disclosure Agreements (NDAs) for Contractor personnel are required within (30) calendar days of the contract start date. A.4. The Homeland Security Presidential Directive 12 (HSPD-12) requires the use of the Personal Identity Verification (PIV) credentials as the common means of authentication for access to TSA's facilities, networks, and information systems. Personal Identity Verification (PIV) credentials shall be used as the primary means of logical authentication for TSA sensitive systems. B. General Security Responsibilities for Contract Performance B.1. The Contractor shall ensure that its employees follow all policies and procedures governing physical, environmental, and information security described in the various TSA regulations pertaining thereto, good business practices, and the specifications, directives, and manuals for conducting work to generate the products as required by this contract. Personnel will be responsible for the physical security of their area and government furnished equipment (GFE) issued to them under the provisions of the contract. B.2. All Contractor employees shall receive initial TSA IT Security Awareness Training within 60 days of assignment to the contract. B.3. Refresher training must be completed annually thereafter. B.4. Role Based training for contract employees individuals with Significant Security Responsibility (SSR), whose job proficiency is required for overall network security within TSA, will be in accordance with DHS and TSA policy. B.5. 
Individuals with SSR will have a documented individual training and education plan, which will ensure currency with position skills requirements, with the first course to be accomplished within 90 days of employment or change of position. The individual training plan will be refreshed annually or immediately after a change in the individual's position or related position description requirements. B.6. The education and training will meet standards established by the National Institute of Standards and Technology (NIST) and set forth in DHS and TSA security policy. B.7. Evidence of training provided to personnel will be available upon request of the DHS IT Security Training Office, or during DHS/TSA onsite validation visits performed on a periodic basis. C. Configuration Management (hardware/software) C.1. Hardware or software configuration changes shall be in accordance with the DHS Information Security Performance Plan (current year and any updates thereafter), the DHS Continuous Diagnostics and Mitigation (CDM) Program to include dashboard reporting requirements and TSA's Configuration Management policy. The TSA Chief Information Security Officer (CISO)/ Information Assurance and Cyber Security Division (IAD) must be informed of and involved in all configuration changes to the TSA IT environment including systems, software, infrastructure architecture, infrastructure assets, and end user assets. The TSA IAD will approve any request for change prior to any development activity occurring for that change and will define the security requirements for the requested change. C.2. 
The Contractor shall ensure all application or configuration patches and/or Request for Change (RFC) have approval by the Technical Discussion Forum (TDF), and Systems Configuration Control Board (SCCB) and lab regression testing prior to controlled change release under the security policy document, TSA Management Directive (MD) 1400.3 and TSA Information Assurance Handbook, unless immediate risk requires immediate intervention. Approval for immediate intervention (emergency change) requires approval of the TSA CISO, SCCB co-chairs, and the appropriate Operations Manager, at a minimum. C.3. The Contractor shall ensure all sites impacted by patching are compliant within 14 days of change approval and release. C.4. The acquisition of commercial-off-the-shelf (COTS) Information Assurance (IA) and IA-enabled IT products (to be used on systems entering, processing, storing, displaying, or transmitting "sensitive information") shall be limited to those products that have been evaluated and validated, as appropriate, in accordance with the following: • The NIST FIPS validation program. • The National Security Agency (NSA)/National Institute of Standards and Technology (NIST) National Information Assurance Partnership (NIAP) Evaluation and Validation Program. • The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Agreement. C.5. US Government Configuration Board and DHS Configuration Guidance a) The provider of information technology shall certify applications are fully functional and operate correctly as intended on systems using the US Government Configuration Board (USGCB) and in accordance with DHS and TSA guidance. 1. USGCB Guidelines: a. http://usgcb.nist.gov/usgcb_content.html 2. DHS Sensitive Systems Configuration Guidance a. 
http://dhsconnect.dhs.gov/org/comp/mgmt/cio/iso/Pages/sscg.aspx b) The standard installation, operation, maintenance, updates and/or patching of software shall not alter the configuration settings from the approved USGCB configuration. The information technology should also use the Windows Installer Service for installation to the default "program files" directory and should be able to silently install and uninstall. c) Applications designed for normal end users shall run in the standard user context without elevated system administration privileges. C.6. The Contractor shall establish processes and procedures for continuous monitoring of Contractor systems that contain TSA data by ensuring all such devices are monitored by, and report to, the TSA Security Operations Center (SOC). The Contractor shall perform monthly Nessus scans on servers that contain TSA data, and shall send monthly scan results to the TSA Information Assurance Division (IAD) D. Risk Management Framework D.1. The Security Authorization and Ongoing Authorization Process in accordance with NIST SP 800-37 and SP 800-137 (current versions) is a requirement for all TSA IT systems, including general support systems (e.g., standard TSA desktop, general network infrastructure, electronic mail, etc.), major applications and development systems (if connected to the operational network or processing, storing, or transmitting government data). These processes are documented in the NIST Risk Management Framework. Ongoing Authorization is part of Step 6 "Monitoring" of the Risk Management Framework. All NIST and DIACAP guidance are publicly available; TSA and DHS security policy is disclosed upon contract award. D.2. A written authority to operate (ATO) granted by the TSA Authorizing Official (AO) is required prior to processing operational data or connecting to any TSA network. The contractor shall provide all necessary system information for the security authorization effort. D.3. 
TSA will assign a security category to each IT system compliant with the requirements of Federal Information Processing Standards (FIPS) 199 and assign security controls to those systems consistent with FIPS 200. D.4. Unless the AO specifically states otherwise for an individual system, the duration of any Accreditation will be dependent on the FIPS 199 rating and overall residual risk of the system; the length can span up to 36 months. D.5. The Security Authorization Package contains documentation required for Security Authorizations and Ongoing Authorization. The package shall contain the following security documentation: 1) Security Assessment Report (SAR) 2) Security Plan (SP) or System Security Authorization Agreement (SSAA), 3) Contingency Plan, 4) Contingency Plan Test Results, 5) Federal Information Processing Standards (FIPS) 199 Security Categorization, 6) Privacy Threshold Analysis (PTA), 7) E-Authentication, 8) Security Assessment Plan (SAP), 9)Authorization to Operate (ATO) Letter, 10) Plan of Action and Milestones (POA&M), and 11) Ongoing Authorization Artifacts as required by the DHS Ongoing Authorization Methodology (current version). The SA package shall document the specific procedures, training, and accountability measures in place for systems that process personally identifiable information (PII). All security compliance documents will be reviewed and approved by the Chief Information Security Officer (CISO) and the Information Assurance and Cyber Security Division (IAD), and accepted by the Contracting Officer upon creation and after any subsequent changes, before they go into effect. D.6. The contractor shall support the successful remediation of all identified system weaknesses and vulnerabilities. E. Contingency Planning E.1. The Contractor shall develop and maintain a Contingency Plan (CP), to include a Continuity of Operation Plan (COOP), to address circumstances whereby normal operations are disrupted. E.2. 
The Contractor shall ensure that contingency plans are consistent with template provided in the DHS Information Assurance Compliance System Tool. If access has not been provided initially, the contractor shall use the DHS 4300A Sensitive System Handbook, Attachment K, IT Contingency Plan Template. E.3. The Contractor shall identify and train all TSA personnel involved with COOP efforts in the procedures and logistics of the disaster recovery and business continuity plans. E.4. The Contractor shall ensure the availability of critical resources and facilitate the COOP in an emergency situation. E.5. The Contractor will test their CP annually. E.6. The Contractor shall record, track, and correct any CP deficiency and any deficiency correction that cannot be accomplished within one month of the annual test will be elevated to the Information Assurance and Cyber Security Division (IAD). E.7. The Contractor shall retain records of the annual CP testing for review during periodic audits. E.8. The Contractor shall ensure the CP addresses emergency response, backup operations, and recovery operations. E.9. The Contractor shall have an Emergency Response Plan that includes procedures appropriate to fire, flood, civil disorder, disaster, bomb threat, or any other incident or activity that may endanger lives, property, or the capability to perform essential functions. E.10. The Contractor shall have a Backup Operations Plan that includes procedures and responsibilities to ensure that essential operations can be continued if normal processing or data communications are interrupted for any reason for an unacceptable period of time as described in the Statement of Work. E.11. The Contractor shall have a Post-disaster Recovery Plan that includes procedures and responsibilities to facilitate rapid restoration of normal operations at the primary site or, if necessary, at a new facility following the destruction, major damage, or other major interruption at the primary site. E.12. 
The Contractor shall ensure all TSA data (e.g., mail, data servers, etc.) is incrementally backed up on a daily basis. E.13. The Contractor shall ensure a full backup of all network data occurs as required by the system's availability security categorization impact rating per TSA Information Assurance policy. E.14. The Contractor shall ensure all network application assets (e.g., application servers, domain controllers, Information Assurance (IA) tools, etc.) will be incrementally backed up as required to eliminate loss of critical audit data and allow for restoration and resumption of normal operations within one hour. E.15. The Contractor shall ensure sufficient backup data to facilitate a full operational recovery within one business day at either the prime operational site or the designated alternate site will be stored at a secondary location determined by the local element disaster recovery plan. E.16. The Contractor shall ensure that data at the secondary location is current as required by the system's availability security categorization impact rating. E.17. The Contractor shall ensure the location of the local backup repository and the secondary backup repository is clearly defined, and access controlled as an Information Security Restricted Area (ISRA). E.18. The Contractor shall adhere to the DHS Security Architecture Guidance Volume 1: Network and System Infrastructure for the layout of the file systems, or partitions, on a system's hard disk impacting the security of the data on the resultant system. File system design shall: • Separate generalized data from operating system (OS) files • Compartmentalize differing data types • Restrict dynamic, growing log files or audit trails from crowding other data. E.19. The contractor shall adhere to the DHS Security Architecture Guidance Volume 1: Network and System Infrastructure Design for the management of mixed data for OS files, user accounts, externally-accesses data files and audit logs. F. 
Program Performance F.1. The Contractor shall comply with requests to be audited and provide responses within three business days to requests for data, information, and analysis from the TSA Information Assurance and Cyber Security Division (IAD) and management, as directed by the Contracting Officer. F.2. The Contractor shall provide support during the Information Assurance and Cyber Security Division (IAD) audit activities and efforts. These audit activities may include, but are not limited to the following: requests for system access for penetration testing, vulnerability scanning, incident response and forensic review. F.3. Upon completion of monthly security scans, findings shall be documented and categorized as High, Medium, or Low based on their potential impact to the System IT Security posture. The Contractor shall provide TSA with estimates of the total engineering service hours required to support the remediation of open POA&M items. High security findings shall be remediated first in 45 days or less; Medium security findings shall be remediated in 60 days or less, and Low security findings shall be remediated in 90 days or less. The Contractor shall work with the TSA System ISSO and the respective Contracting Officer (CO) and/or Contracting Officer's Representative (COR), as well as OIT IAD and the System Owner (as required) to prioritize and plan for the remediation of open POA&Ms. The TSA System ISSO will maintain all security artifacts and perform Ongoing Authorization (per NIST 800-137 and DHS-TSA requirements) and Continuous Diagnostics and Mitigation (CDM) (per OMB M-14-03) activities to ensure active compliance with security requirements. Specific POA&M guidance and information can be found in the SOP 1401 Plan of Action and Milestone (POA&M) Process, as well as the DHS 4300A PD Attachment H Plan of Action and Milestones (POA&M) Process Guide. G. 
Federal Risk and Authorization Management Program (FedRAMP) If a vendor is to host a system with a Cloud Service Provider, the following shall apply: G.1. FedRAMP Requirements: Private sector solutions will be hosted by a Joint Authorization Board (JAB) approved Infrastructure as a Service (IaaS) Cloud Service Provider (CSP) (http://cloud.cio.gov/fedramp/cloud-systems) and shall follow the Federal Risk and Authorization Management Program (FedRAMP) requirements. The Cloud Service Provider shall adhere to the following in addition to the FedRAMP requirements: Identity and entitlement access management shall be done through Federated Identity; SSI and PII shall be encrypted in storage and in transit as it is dispersed across the cloud; Sanitization of all TSA data shall be done as necessary at the IaaS, PaaS or SaaS levels; Cloud bursting shall not occur; TSA data shall be logically separated from other cloud tenants; All system administrators shall be U.S. citizens; TSA data shall not leave the United States; The cloud internet connection shall be behind a commercial Trusted Internet Connection that has EINSTEIN 3 Accelerated (E3A) capabilities deployed. These include but are not limited to the analysis of network flow records, detecting and alerting to known or suspected cyber threats, intrusion prevention capabilities and under the direction of DHS detecting and blocking known or suspected cyber threats using indicators. The E3A capability shall use the Domain Name Server Sinkholing capability and Email filtering capability allowing scans to occur destined for.gov networks for malicious attachments, Uniform Resource Locators and other forms of malware before being delivered to.gov end-users. G.2. 
Private Sector System Requirements: TSA shall conduct audits at any time on the private sector systems, and the system shall be entered into the TSA FISMA Inventory as a system of record using the Control Implementation Summary (CIS) provided by the Cloud Service Provider. Security artifacts shall be created and maintained in the DHS Information Assurance Compliance Tool (IACS). The private sector systems are required to go through the Security Authorization Process and the Risk Management Framework in accordance the Federal Information Systems Management Act and NIST SP 800-37 Rev. 1. The cloud internet connection shall be behind a commercial Trusted Internet Connection that has EINSTEIN 3 Accelerated (E3A) deployed. Security event logs and application logs shall be sent to the TSA SOC. Incidents as defined in the TSA Information Assurance 1400.3 Management Directive and Handbook shall be reported to the TSA SPOC 1-800-253-8571. DHS Information Security Vulnerability Management Alerts and Bulletins shall be patched within the required time frames as dictated by DHS. H. Information Assurance Policy H.1. All services, hardware and/or software provided under this task order must be compliant with DHS 4300A DHS Sensitive System Policy Directive, DHS 4300A Sensitive Systems Handbook., TSA MD 1400.3 Information Technology Security Policy, TSA Information Assurance Handbook and Technical Standards. H.2. 
The Contractor solution shall follow all current versions of TSA and DHS policies, procedures, guidelines, and standards, which will be provided by the Contracting Officer, including but not limited to: • DHS Sensitive Systems Policy Directive (PD) 4300A • DHS 4300A Sensitive Systems Handbook • DHS National Security Systems Policy Directive (PD) 4300B • DHS 4300B National Security Systems Handbook· • TSA MD 1400.3 Information Technology Security • TSA Information Assurance Handbook • TSA Technical Standards • DHS IT Security Architecture Guidance Volumes 1, 2 and 3 • DHS/TSA Systems Engineering Lifecycle (SELC) • DHS Performance Plan (current fiscal year) • DHS Ongoing Authorization Methodology (current version) • OMB M-10-28, M-14-03 H.3. Authorized use of TSA IT systems and resources shall be in accordance with the TSA Information Assurance Handbook. H.4. The contractor shall complete TSA Form 251 and TSA Form 251-1 for sensitive or accountable property. The contractor shall email the completed forms to TSA-Property@dhs.gov and include a hard copy with the shipment. I. Data Stored/Processed at Contractor Site I.1. Unless otherwise directed by TSA, any storage of data must be contained within the resources allocated by the Contractor to support TSA and may not be on systems that are shared with other commercial or government clients. J. Remote Access J.1. The Contractor remote access connection to TSA networks shall be considered a privileged arrangement for both Contractor and the Government to conduct sanctioned TSA business. Therefore, remote access rights must be expressly granted, in writing, by the TSA Information Assurance and Cyber Security Division (IAD). J.2. The Contractor remote access connection to TSA networks may be terminated for unauthorized use, at the sole discretion of TSA. J.3. 
The Contractor must use his or her federal issued personal identifiable verification (PIV) badge to access TSA resources to include IT applications and physical facility. K. Interconnection Security Agreement If the service being supplied requires a connection to a non-DHS, Contractor system, or DHS system of different sensitivity, the following shall apply: K.1. Interconnections between DHS and non-DHS IT systems shall be established only through controlled interfaces and via approved service providers. The controlledinterfaces shall be accredited at the highest security level of information on the network. Connections with other Federal agencies shall be documented based on interagency agreements; memoranda of understanding/agreement, service level agreements or interconnection service agreements. K.2. ISAs shall be reissued every three (3) years or whenever any significant changes have been made to any of the interconnected systems. K.3. ISAs shall be reviewed and updated as needed as a part of the annual FISMA self-assessment. L. SBU Data Privacy and Protection L.1. The contractor must satisfy requirements to work with and safeguard Sensitive Security Information (SSI), and Personally Identifiable Information (PII). All support personnel must understand and rigorously follow DHS and TSA requirements, policies, and procedures for safeguarding SSI and PII. Contractor personnel will be required to complete Annual online training for SSI, Informational Security, and TSA Privacy training, which take approximately one hour each. L.2. The Contractor shall be responsible for the security of i) all data that is generated by the contractor on behalf of the TSA, ii) TSA data transmitted by the contractor, and iii) TSA data otherwise stored or processed by the contractor regardless of who owns or controls the underlying systems while that data is under the contractor's control. 
All TSA data, including but not limited to PII, sensitive security information (SSI), sensitive but unclassified (SBU), and critical infrastructure information (CII), shall be protected according to DHS and TSA security policies and mandates. L.3. TSA will identify IT systems transmitting unclassified/SSI information that will require protection based on a risk assessment. If encryption is required, the following methods are acceptable for encrypting sensitive information: 1. FIPS 197 (Advanced Encryption Standard (AES)) 256 algorithm and cryptographic modules that have been validated under FIPS 140-2. (current version) 2. National Security Agency (NSA) Type 2 or Type 1 encryption. (current version) 3. Public Key Infrastructure (PKI) (see paragraph 5.5.2.1 of the Department of Homeland Security (DHS) 4300A Sensitive Systems Handbook). (current version) L.4. The contractor shall maintain data control according to the TSA security level of the data. Data separation shall include the use of discretionary access control methods, VPN encryption methods, data aggregation controls, data tagging, media marking, backup actions, and data disaster planning and recovery. Contractors handling PII must comply with TSA MD 3700.4, Handling Sensitive Personally Identifiable Information (current version). L.5. Users of TSA IT assets shall adhere to all system security requirements to ensure the confidentiality, integrity, availability, and non-repudiation of information under their control. All users accessing TSA IT assets are expected to actively apply the practices specified in the TSA Information Assurance Handbook and applicable IT Security Technical Standards. L.6. The contractor shall comply with Sensitive Personally Identifiable Information (Sensitive PII) disposition requirements stated in the TSA Information Assurance Handbook, applicable Technical Standards and TSA MD 3700.4, Handling Sensitive Personally Identifiable Information. L.7. 
The Contractor shall ensure that source code is protected from unauthorized access or dissemination. M. Disposition of Government Resources M.1 At the expiration of the contract, the contractor shall return all TSA information and IT resources provided to the contractor during the contract, and provide a certification that all assets containing or used to process TSA information have been sanitized in accordance with the TSA MD 1400.3, TSA Information Assurance Handbook and Technical Standards. The contractor shall certify in writing that sanitization or destruction has been performed. Sanitization and destruction methods are outlined in the NIST Special Publication 800-88 Guidelines for Media Sanitization, and TSA Technical Standard 046 IT Media Sanitization and Disposition. The contractor shall email signed proof of sanitization to the COTR. In addition, the contractor shall provide a master asset inventory list that reflects all assets, government furnished equipment (GFE) or non-GFE that were used to process TSA information. N. Special Considerations and Circumstances (if applicable) Security Program Plan N.1 For major agency Information Technology (IT) infrastructure support ranging in the total estimated procurement value (TEPV) of about $100 million or above or per TSA management's request, the contractor may need to provide, implement, and maintain a Security Program Plan (SPP) based on the templates provided by the TSA Information Assurance and Cyber Security Division (IAD). This plan shall describe the processes and procedures that will be followed to ensure the appropriate security of IT resources that are developed, processed, or used under this contract. At a minimum, the contractor's SPP shall address the contractor's compliance with the controls described in NIST SP 800-53 (current version). 
The security controls contained in the plan shall meet the requirements listed in the TSA Information Assurance Handbook, Technical Standards and the DHS Sensitive Systems Policy Directive and Handbook 4300A (current versions).

N.2 The SPP shall be a living document. It will be reviewed and updated semi-annually to address new processes, procedures, technical or federally mandated security controls and other contract changes that affect the security of IT resources under contract.

N.3 The SPP shall be submitted within 30 days after contract award. The SPP shall be consistent with and further detail the approach contained in the offeror's proposal or quote that resulted in the award of this contract and in compliance with the requirements stated in this clause.

N.4 The SPP, as accepted by the Contracting Officer and Information System Security Officer (ISSO), shall be incorporated into the contract as a compliance document. The Contractor shall comply with the accepted plan.

O. Trusted Internet Connection 2.0 Requirements for Managed Trusted Internet Protocol Service Offering (MTIPS)

O.1 MTIPS providers shall comply with the FedRAMP TIC 2.0 Overlay requirements in addition to the basic requirements outlined in the DHS Trusted Internet Connections (TIC) Reference Architecture v2.0.

Anticipated POP is from February 12, 2016 through February 11, 2017 with a one year option year.

2.1 Requirement Information
Name of Requiring Office: TSA-HNL Airport, 3375 Koapaka St. C-350, Honolulu, HI 96819
Attn: Valerie Kaneshiro, 808-260-6637

2.2 Pricing Table
The prices shall be detailed in the following pricing table (columns: CLIN No., Location/Item, Monthly Unit Price, Annual Price):
CLIN 00001: IP data line from HNL Airport, 400 Rodgers Blvd, ACC Room - Gate 13, to TSA offsite office located at 3375 Koapaka St., Top Floor, Honolulu (3 Mbps connectivity).
CLIN 00002 (Option Year): IP data line from HNL Airport, 400 Rodgers Blvd, ACC Room - Gate 13, to TSA offsite office located at 3375 Koapaka St., Top Floor, Honolulu (3 Mbps connectivity).
Grand Total $
Firm fixed pricing to include all parts, labor, maintenance, fees, permits and applicable taxes to provide service. TSA is a tax exempt Federal Agency.

3.0 Contract Administration Data

3.1 G.5200.243.001 CONTRACTING OFFICER (CO) (JUL 2015)
The Contracting Officer is the only person authorized to make any changes, approve any changes in the requirements of this contract, issue orders, obligate funds and authorize the expenditure of funds, and notwithstanding any term contained elsewhere in this contract, such authority remains vested solely in the Contracting Officer. (For further information, the Contracting Officer is a federal government employee who is specifically authorized and appointed in writing under specified agency procedures and granted the authority to enter into, administer, and/or terminate contracts and make related determinations and findings.) In the event the Contractor makes any changes at the direction of any person other than the Contracting Officer, the change will be considered to have been without authority and no adjustment will be made in the contract price to cover any increase in costs incurred as a result thereof. The following Primary Contracting Officer is assigned to this contract. Alternate Contracting Officers may be assigned:
TSA Contracting Officer
NAME: Peter Larsen
PHONE NUMBER: 202-380-8955
EMAIL: Peter.S.Larsen@tsa.dhs.gov

3.2 G.5200.242.003 SUBMISSION OF INVOICES (JUL 2015)
(a) Background: The Transportation Security Administration (TSA) partners with the United States Coast Guard Finance Center for financial services in support of TSA operations, including the payment of contractor invoices. Therefore, all contractor invoices must be submitted to, and will be paid by, the U.S. Coast Guard Finance Center (FinCen).
(b) Invoice Submission Method: Invoices may be submitted via facsimile, U.S. Mail, or email. Contractors shall utilize ONLY ONE method per invoice submission. The submission information for each of the methods is as follows in order of preference:
1) Facsimile number is: 757-413-7314. The facsimile number listed above shall be used by contractors for ORIGINAL invoice submission only. If facsimile submission is utilized, contractors shall not submit hard copies of invoices via the U.S. mail. It is the responsibility of the contractor to verify that invoices are received, regardless of the method of submission used. Contractors may inquire regarding the receipt of invoices by contacting the U.S. Coast Guard Finance Center via the methods listed in subparagraph (d) of this clause.
2) United States Coast Guard Finance Center, TSA Commercial Invoices, P.O. Box 4111, Chesapeake, VA 23327-4111 (FIN-SMB-TSAInvoices@uscg.mil or www.fincen.uscg.mil)
(c) Invoice Process: Upon receipt of contractor invoices, FinCen will electronically route invoices to the appropriate TSA Contracting Officer's Representative and/or Contracting Officer for review and approval. Upon approval, the TSA will electronically route the invoices back to FinCen. Upon receipt of certified invoices from an Authorized Certifying Official, FinCen will initiate payment of the invoices.
Note for discounts offered: Discounts on invoices. If desired, the Contractor should offer discounts directly upon the invoice submitted, clearly specifying the terms of the discount. Contractors can structure discounted amounts for payment for any time period less than the usual thirty day payment period specified under Prompt Payment requirements; however the Contractor should not structure terms for payment of net amounts invoiced any sooner than the standard period required under FAR Subpart 32.9 regarding prompt payments for the specified deliverables under contract.
Discounts offered after invoice submission. If the Contractor should wish to offer a discount on a specific invoice after its submission for payment, the Contractor should submit a letter to the Finance Center identifying the specific invoice for which a discount is offered and specify the exact terms of the discount offered and what time period the Government should make payment by in order to receive the discount. The Contractor should clearly indicate the contract number, invoice number and date, and the specific terms of the discount offered. Contractors should not structure terms for net amount payments any sooner than the standard period required under FAR Subpart 32.9 regarding prompt payments for the specified deliverables under contract.
(d) Payment Status: Contractors may inquire on the payment status of an invoice by any of the following means:
(1) Via the internet: https://www.fincen.uscg.mil
Contacting the FinCen Customer Service Section via telephone at 1-800-564-5504 or (757) 523-6940 (Voice Option #1). The hours of operation for the Customer Service line are 8:00 AM to 5:00 PM Eastern Time, Monday through Friday. However, the Customer Service line has a voice-mail feature that is available 24 hours per day, 7 days per week.
(2) Via the Payment Inquiry Form: https://www.fincen.uscg.mil/secure/payment.htm
(e) Invoice Elements: Invoices will automatically be rejected if the information required in subparagraph (a)(2) of the Prompt Payment Clause, contained in this Section of the Contract, including EFT banking information, Taxpayer Identification Number (TIN), and DUNS number, is not included in the invoice. All invoices must clearly correlate invoiced amounts to the corresponding contract line item number and funding citation. The Contractor shall work with the Government to mutually refine the format, content and method of delivery for all invoice submissions during the performance of the Contract.
(f) Supplemental Invoice Documentation: Contractors shall submit all supplemental invoice documentation (e.g. copies of subcontractor invoices, travel vouchers, etc.) necessary to approve an invoice along with the original invoice. The Contractor invoice must contain the information stated in the Prompt Payment Clause in order to be received and processed by FinCen. Supplemental invoice documentation required for review and approval of invoices may, at the written direction of the Contracting Officer, be submitted directly to either the Contracting Officer or the Contracting Officer's Representative.
Note for "time-and-material" type contracts: The Contractor must submit the following statement with each invoice for labor hours invoiced under a "time-and-materials" type contract, order, or contract line item: "The Contractor hereby certifies in accordance with paragraph (c) of FAR 52.232-7, that each labor hour has been performed by an employee (prime or subcontractor) who meets the contract's specified requirements for the labor category invoiced."
(g) Additional Invoice Preparation Instructions for Software Development and/or Hardware. The Contractor shall clearly include a separate breakdown (by CLIN) for any software development activities (labor costs, subcontractor costs, etc.) in accordance with Federal Accounting Standards Advisory Board Statement of Federal Financial Accounting Standards Number 10 (Preliminary design costs, Development costs and post implementation costs) and cite payment terms. The contractor shall provide make and model descriptions as well as serial numbers for purchases of hardware and software (where applicable).
(h) Frequency of Invoice Submission. Once monthly in arrears.

4.0 TSA SPECIAL CONTRACT REQUIREMENTS

4.1 H.5200.204.002 PERSONNEL ACCESS (JUL 2015)
All Contractor personnel requiring access to TSA facilities, information systems, or information will be subject to the security procedures set forth in this contract.
4.2 H.5200.212.001 COMMERCIAL APPLICABILITY (JUL 2015)
This contract is / is not (CO shall select) for commercial items, as defined by FAR 2.1.

4.3 H.5200.224.001 DISCLOSURE OF INFORMATION (JUL 2015)
Information furnished by the Contractor under this contract may be subject to disclosure under the Freedom of Information Act (FOIA). Therefore, all items that are confidential to business, or contain trade secrets, proprietary, or personally-identifiable information must be clearly marked. Any information made available to the Contractor by the Government must be used only for the purpose of carrying out the requirements of this contract and must not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. In performance of this contract, the Contractor assumes responsibility for protection of the confidentiality of Government records and information and must ensure that all work performed by its Subcontractor(s) shall be under the supervision of the Contractor or the Contractor's employees. (End of clause)

4.4 H.5200.228.001 INSURANCE FOR CONTRACTOR PERFORMANCE AT THE AIRPORT (JUL 2015)
The Contractor must have approved insurance on file with Honolulu Airport. The Contractor is required to procure at its own expense, and keep in effect at all times during the term of HSTS05-16-P-HNL001, the types and amounts of insurance specified. Typically, companies whose work is performed within buildings and terminals are required to have a minimum of liability insurance. Companies who require tools and/or equipment, and airfield access must have a minimum of liability insurance. Air Carrier Operating Permits and Leases will have additional insurance coverage requirements. The actual types and amounts of insurance required will be set on an individual basis by the Honolulu Airport based upon the company's scope of work and airport access required. For further information regarding Insurance Requirements, please contact Valerie Kaneshiro, 808-260-6637.

4.5 H.5200.237.003 SECURITY REQUIREMENTS FOR CONTRACTOR EMPLOYEES PERFORMING AT OR IN AIRPORT LOCATIONS (DEC 2015)
Contractor employees are required to meet all airport security screening requirements, which include criminal history, background and fingerprint checks. Contractor employees working in this facility will be required to obtain, possess and display a Secure Identification Display Area (SIDA) badge in accordance with the airport's physical and personnel security requirements. The Contractor is responsible for any fees associated with lost badges. For further information regarding Security Requirements, please contact Valerie Kaneshiro, 808-260-6637.

5.0 TSA SPECIAL CONTRACT PROVISIONS

5.1 L.5200.233.001 AVAILABILITY OF INTERNAL APPEAL PROCESS PER FAR 33.103 (JUL 2015)
In the event of receipt of the Contracting Officer's final decision of an agency-level protest in accordance with Federal Acquisition Regulation 33.103, the offeror is hereby advised that an appeal process is available from within the agency. The Assistant Administrator of the Office of Acquisition in the Transportation Security Administration is the independent appeal authority. All appeals must be submitted in writing and signed by a company official who is authorized to commit the company and contain the same elements required in FAR 33.103(d) as well as an explanation of the Contracting Officer's decision (and copy of such decision). Appeals must be sent either in writing or via email to Transportation Security Administration, ATTN: APPEAL OF AGENCY PROTEST, Office of Acquisition, 601 S. 12th Street, Arlington, VA 20598-6025, or via email to TSAProcurementPolicy@tsa.dhs.gov. The subject line for the email should clearly indicate "APPEAL OF AGENCY PROTEST". (End of provision)

6.0 Contract Clauses and Provisions

HSAR 3052.209-70 Prohibition on Contracts with Corporate Expatriates (JUN 2006)
(a) Prohibitions. Section 835 of the Homeland Security Act, 6 U.S.C. 395, prohibits the Department of Homeland Security from entering into any contract with a foreign incorporated entity which is treated as an inverted domestic corporation as defined in this clause, or with any subsidiary of such an entity. The Secretary shall waive the prohibition with respect to any specific contract if the Secretary determines that the waiver is required in the interest of national security.
(b) Definitions. As used in this clause:
Expanded Affiliated Group means an affiliated group as defined in section 1504(a) of the Internal Revenue Code of 1986 (without regard to section 1504(b) of such Code), except that section 1504 of such Code shall be applied by substituting `more than 50 percent' for `at least 80 percent' each place it appears.
Foreign Incorporated Entity means any entity which is, or but for subsection (b) of section 835 of the Homeland Security Act, 6 U.S.C. 395, would be, treated as a foreign corporation for purposes of the Internal Revenue Code of 1986.
Inverted Domestic Corporation.
A foreign incorporated entity shall be treated as an inverted domestic corporation if, pursuant to a plan (or a series of related transactions)-
(1) The entity completes the direct or indirect acquisition of substantially all of the properties held directly or indirectly by a domestic corporation or substantially all of the properties constituting a trade or business of a domestic partnership;
(2) After the acquisition at least 80 percent of the stock (by vote or value) of the entity is held- (i) In the case of an acquisition with respect to a domestic corporation, by former shareholders of the domestic corporation by reason of holding stock in the domestic corporation; or (ii) In the case of an acquisition with respect to a domestic partnership, by former partners of the domestic partnership by reason of holding a capital or profits interest in the domestic partnership; and
(3) The expanded affiliated group which after the acquisition includes the entity does not have substantial business activities in the foreign country in which or under the law of which the entity is created or organized when compared to the total business activities of such expanded affiliated group.
Person, domestic, and foreign have the meanings given such terms by paragraphs (1), (4), and (5) of section 7701(a) of the Internal Revenue Code of 1986, respectively.
(c) Special rules. The following definitions and special rules shall apply when determining whether a foreign incorporated entity should be treated as an inverted domestic corporation.
(1) Certain stock disregarded. For the purpose of treating a foreign incorporated entity as an inverted domestic corporation these shall not be taken into account in determining ownership: (i) Stock held by members of the expanded affiliated group which includes the foreign incorporated entity; or (ii) Stock of such entity which is sold in a public offering related to an acquisition described in section 835(b)(1) of the Homeland Security Act, 6 U.S.C. 395(b)(1).
(2) Plan deemed in certain cases. If a foreign incorporated entity acquires directly or indirectly substantially all of the properties of a domestic corporation or partnership during the 4-year period beginning on the date which is 2 years before the ownership requirements of subsection (b)(2) are met, such actions shall be treated as pursuant to a plan.
(3) Certain transfers disregarded. The transfer of properties or liabilities (including by contribution or distribution) shall be disregarded if such transfers are part of a plan a principal purpose of which is to avoid the purposes of this section.
(d) Special rule for related partnerships. For purposes of applying section 835(b) of the Homeland Security Act, 6 U.S.C. 395(b) to the acquisition of a domestic partnership, except as provided in regulations, all domestic partnerships which are under common control (within the meaning of section 482 of the Internal Revenue Code of 1986) shall be treated as a partnership.
(e) Treatment of Certain Rights. (1) Certain rights shall be treated as stocks to the extent necessary to reflect the present value of all equitable interests incident to the transaction, as follows: (i) warrants; (ii) options; (iii) contracts to acquire stock; (iv) convertible debt instruments; and (v) other similar interests. (2) Rights labeled as stocks shall not be treated as stocks whenever it is deemed appropriate to do so to reflect the present value of the transaction or to disregard transactions whose recognition would defeat the purpose of Section 835.
(f) Disclosure.
The offeror under this solicitation represents that [Check one]:
__ it is not a foreign incorporated entity that should be treated as an inverted domestic corporation pursuant to the criteria of (HSAR) 48 CFR 3009.108-7001 through 3009.108-7003;
__ it is a foreign incorporated entity that should be treated as an inverted domestic corporation pursuant to the criteria of (HSAR) 48 CFR 3009.108-7001 through 3009.108-7003, but it has submitted a request for waiver pursuant to 3009.108-7004, which has not been denied; or
__ it is a foreign incorporated entity that should be treated as an inverted domestic corporation pursuant to the criteria of (HSAR) 48 CFR 3009.108-7001 through 3009.108-7003, but it plans to submit a request for waiver pursuant to 3009.108-7004.
(g) A copy of the approved waiver, if a waiver has already been granted, or the waiver request, if a waiver has been applied for, shall be attached to the bid or proposal.

HSAR 3052.215-70 KEY PERSONNEL OR FACILITIES (DEC 2003)
(a) The personnel or facilities specified below are considered essential to the work being performed under this contract and may, with the consent of the contracting parties, be changed from time to time during the course of the contract by adding or deleting personnel or facilities, as appropriate.
(b) Before removing or replacing any of the specified individuals or facilities, the Contractor shall notify the Contracting Officer, in writing, before the change becomes effective. The Contractor shall submit sufficient information to support the proposed action and to enable the Contracting Officer to evaluate the potential impact of the change on this contract. The Contractor shall not remove or replace personnel or facilities until the Contracting Officer approves the change.
The Key Personnel or Facilities under this Contract: (specify key personnel or facilities) (End of clause)

HSAR 3052.242-71 Dissemination of Contract Information (DEC 2003)
The Contractor shall not publish, permit to be published, or distribute for public consumption, any information, oral or written, concerning the results or conclusions made pursuant to the performance of this contract, without the prior written consent of the Contracting Officer. An electronic or printed copy of any material proposed to be published or distributed shall be submitted to the Contracting Officer. (End of clause)

FAR 52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items (FEB 2016)
(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items:
(1) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (Nov 2015)
(2) 52.233-3, Protest After Award (AUG 1996) (31 U.S.C. 3553).
(3) 52.233-4, Applicable Law for Breach of Contract Claim (OCT 2004) (Public Laws 108-77 and 108-78 (19 U.S.C. 3805 note)).
(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items:
_X_ (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (Oct 2015) (Pub. L. 109-282) (31 U.S.C. 6101 note).
_X_ (8) 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment (Oct 2015) (31 U.S.C. 6101 note).
_X_ (14)(i) 52.219-6, Notice of Total Small Business Set-Aside (Nov 2011) (15 U.S.C. 644).
_X_ (18) 52.219-13, Notice of Set-Aside of Orders (Nov 2011) (15 U.S.C. 644(r)).
_X_ (22) 52.219-28, Post Award Small Business Program Rerepresentation (Jul 2013) (15 U.S.C. 632(a)(2)).
_X_ (25) 52.222-3, Convict Labor (June 2003) (E.O. 11755).
_X_ (26) 52.222-19, Child Labor-Cooperation with Authorities and Remedies (Feb 2016) (E.O. 13126).
_X_ (27) 52.222-21, Prohibition of Segregated Facilities (Apr 2015).
_X_ (28) 52.222-26, Equal Opportunity (Apr 2015) (E.O. 11246).
_X_ (30) 52.222-36, Equal Opportunity for Workers with Disabilities (Jul 2014) (29 U.S.C. 793).
_X_ (33)(i) 52.222-50, Combating Trafficking in Persons (Mar 2015) (22 U.S.C. chapter 78 and E.O. 13627).
_X_ (40) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (AUG 2011) (E.O. 13513).
_X_ (42)(i) 52.225-3, Buy American-Free Trade Agreements-Israeli Trade Act (May 2014) (41 U.S.C. chapter 83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110-138, 112-41, 112-42, and 112-43).
_X_ (44) 52.225-13, Restrictions on Certain Foreign Purchases (June 2008) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury).
_X_ (50) 52.232-33, Payment by Electronic Funds Transfer-System for Award Management (Jul 2013) (31 U.S.C. 3332).
_X_ (7) 52.222-53, Exemption from Application of the Service Contract Labor Standards to Contracts for Certain Services-Requirements (May 2014) (41 U.S.C. chapter 67).
Employee Class: N/A
Monetary Wage - Fringe Benefits: N/A

FAR 52.252-2 Clauses Incorporated by Reference (Feb 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): www.acquisition.gov/far
FAR 52.212-4 Contract Terms and Conditions - Commercial Items (MAY 2015)
FAR 52.247-34 F.o.b. Destination (NOV 1991)

FAR 52.252-1 Solicitation Provisions Incorporated by Reference (FEB 1998)
This solicitation incorporates one or more solicitation provisions by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. The offeror is cautioned that the listed provisions may include blocks that must be completed by the offeror and submitted with its quotation or offer. In lieu of submitting the full text of those provisions, the offeror may identify the provision by paragraph identifier and provide the appropriate information with its quotation or offer. Also, the full text of a solicitation provision may be accessed electronically at this/these address(es): www.acquisition.gov/far
FAR 52.212-1 Instructions to Offerors-Commercial Items (OCT 2015)
FAR 52.212-3 Offeror Representations and Certifications-Commercial Items (NOV 2015)
In accordance with FAR 52.212-3, Offeror Representations and Certifications, an offeror shall complete only paragraph (b) of this provision if the offeror has completed the annual representations and certifications electronically via http://www.acquisition.gov. If an offeror has not completed the annual representations and certifications electronically at the System for Award Management (SAM) website, the offeror shall complete only paragraphs (c) through (o) of this provision.

7.0 Instructions
General: This acquisition is being conducted under FAR Part 13, Simplified Acquisition Procedures. Contractors must be registered in the System for Award Management (SAM) prior to award. Registration is free: https://www.SAM.gov.
Questions on Request for Quote (RFQ): If you have any questions regarding this RFQ, please e-mail the contract specialist at Peter.S.Larsen@tsa.dhs.gov. Peter Larsen, 202-380-8955.
Quotation Submittal Instructions:
Due Date: February 8, 2016, 3:00 P.M. (Pacific Standard Time)
Submit to: Peter.S.Larsen@tsa.dhs.gov
Submittal Format: Electronic submissions only.

8.0 Evaluation
Award will be made based on the lowest priced technically acceptable quotation based on the following evaluation criteria:
• Price
• Technical acceptability
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DHS/TSA/HQTSA/HSTS05-16-Q-HNL001/listing.html)
 
Place of Performance
Address: Honolulu, Hawaii, 69819, United States
Zip Code: 69819
 
Record
SN04009725-W 20160206/160204234647-75cdeb1ea2f3746f5a640883cecd71e7 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)

© 1994-2024, Loren Data Corp.