COMMERCE BUSINESS DAILY ISSUE OF FEBRUARY 9, 2001 PSA #2785
SOLICITATIONS
D -- TECHNICAL CONSULTING SERVICES
- Notice Date
- February 7, 2001
- Contracting Office
- U.S. General Accounting Office, Acquisition Management, 441 G. Street N.W., Room 6851, Washington, DC 20548
- ZIP Code
- 20548
- Solicitation Number
- OAM-2001-N-0008
- Response Due
- March 1, 2001
- Point of Contact
- Karen T. Gantt, Contracting Officer, 202-512-2709
- E-Mail Address
- The contracting officer may be contacted via e-mail (GanttK@gao.gov)
- Description
- I. This notice is a combined synopsis/solicitation for commercial items prepared in accordance with Federal Acquisition Regulation 12.6, as supplemented with additional information included in this notice for technical consulting services. This announcement is subject to the availability of funds. This announcement constitutes the only solicitation; proposals are being requested, and a written solicitation will not be issued. II. Request for Proposal number is OAM-2001-N-0008. The incorporated provisions and clauses are those in effect through Federal Acquisition Circular 97-21. This solicitation is issued to establish an Indefinite Delivery/Indefinite Quantity (IDIQ) contract against which task orders may be placed for a period of one year with four (4) option periods of 12 months each, see FAR Clauses 52.216-18, 52.216-22, 52.217-8, and 52.217-9. The Government shall order at least the quantity of services designated as the Guaranteed Minimum. For this procurement, the Guaranteed Minimum dollar value is $1,000.00, see FAR Clause 52.216-19. Services will be ordered by means of task orders against the contract with specifically defined tasks, schedules, deliverables and price. Task order requirements may range from small short-term taskings to extended-term taskings. III. STATEMENT OF WORK: (1) Background. The Office of Applied Research and Methodologies (ARM) of GAO requires technical consulting services. These services will be provided directly to ARM staff involved with the computer security test facility. The ARM group conducts general controls audits of Federal computer centers. The test facility is used by ARM technical staff to develop computer assisted audit tools, conduct tests in a non-production environment, and train EDP auditors in information systems security technology. (2) Scope and Objectives. 
The computer security test facility will enable GAO staff to perform more effective and more timely general controls reviews in the large number of OS/390 environments. Federal agencies using IBM's OS/390 operating system may have a false sense of confidence regarding the vulnerability of data to accidental or deliberate unauthorized alteration. The protection offered by widely used security products (e.g., RACF, CA-ACF2, CA-Top Secret) can often be circumvented as a result of flaws in other software that has been added to the base OS/390 configuration. These flaws are commonly referred to as operating system integrity exposures; they constitute a primary vulnerability to system penetration of OS/390 which has generally been considered to be immune to the widely publicized attacks of Unix and Windows NT networks. (3) Qualifications and Experience. The contractor shall use highly skilled, technical EDP security specialists to perform and document all tasks under this statement of work. The EDP security specialist(s) assigned shall have: at least ten years of intensive experience in OS/390 operating system software design and support; expert knowledge of OS/390 software integrity mechanisms; expert knowledge of System 390 hardware controls and their relation to OS/390 integrity; extensive knowledge of non-IBM system software products widely used in the industry as extensions to base OS/390 configurations; extensive knowledge of the top three major OS/390 security products as listed above; expert knowledge of the System 390 machine instruction set and principles of operation; expert knowledge of OS/390 assembler language and System 390 object code generation; expert skill in reading and analyzing object code to determine program function without the benefit of source code language statements; a proven track record in performing OS/390 integrity analysis and successful design of OS/390 penetration tests; and, strong oral and written communications skills. 
(4) Task Requirements. As requested by the GAO contacts (to be specified in the contract), the contractor shall: (a) Conduct analyses of Supervisor Call (SVC) routines for compliance with IBM system software integrity guidelines. (b) Conduct analyses of cross-memory Program Call (PC) and Program Transfer (PT) routines for compliance with IBM system software integrity guidelines. (c) Conduct analyses of specialized file manipulation exit routines known as I/O Appendages for compliance with IBM system software integrity guidelines. (d) Conduct analyses of general purpose user exit routines in OS/390 system software including, but not limited to, Job Entry Subsystem (JES), Virtual Telecommunications Access Method (VTAM), Time Sharing Option Extended (TSO/E), System Management Facility (SMF), etc. for compliance with IBM system software integrity guidelines. (e) Conduct analyses of unorthodox modifications to OS/390 system software using undocumented and/or non-recommended system interfaces, such as intercepts to the First Level Interrupt Handler (FLIH) processes or standard SVC routines, for compliance with IBM system software integrity guidelines. (f) Design penetration tests to verify suspected OS/390 system integrity exposures. (g) Prepare written work summaries of the results of OS/390 software analyses performed that describe the integrity exposures found, identify specific IBM software integrity guidelines violated, and recommend potential corrective actions. (h) Assist in the design or enhancement of computer assisted audit techniques to automate OS/390 data collection and analysis in performing general controls reviews. (i) Recommend strategies for addressing general controls concerns for which satisfactory audit tools may not exist, such as software maintenance that could impact the integrity, security, reliability, performance, and availability. (j) Provide advice to the ARM team. (5) Task Orders. 
The technical consulting services will be required on demand. The contractor will be provided a request for pricing which will include the proposed task order, a statement of work, and schedule of deliverables. Using the hourly rate(s) in the contract, the contractor shall prepare a cost proposal to perform the task order. All task order cost proposals shall be submitted to both the Contracting Officer and the Contracting Officer's Technical Representative (COTR) within two (2) working days of receipt of the request for pricing. The task order pricing proposal may be telefaxed. Once agreement is reached between GAO and the contractor, a fully executed Task Order form will be provided to the contractor. The contractor's performance schedule and deliverable due dates shall be determined on a task by task basis as mutually agreed upon with the GAO designated contact(s) and will be included on the Task Order. The contractor shall prepare a written summary documenting the results of each analysis tasked and provide the source code for all penetration programs and scripts used in tests of OS/390 system integrity exposures identified. The deliverables will be provided in both hard copy and electronic form that best meets the needs of the ARM staff during the course of the work. All working papers and analyses developed by the contractor will be provided to GAO for their retention. (6) Independence and Objectivity. The contractor will provide a statement of independence and objectivity with respect to the proposed work in support of the U.S. General Accounting Office (GAO), an agency of the Legislative Branch of the U.S. Government. In so doing, the contractor will disclose all work performed during the past three years for any agency of the U.S. Government, work that is ongoing, or new work that is anticipated within the next year. (7) Work Location, Travel, and Timing. The contractor may work on site at the ARM facility in Washington, D.C. or off site at the contractor's office(s). The contractor is not expected to travel to locations where GAO is performing general controls audits. Local travel is not chargeable to the contract. If any travel is required under this contract, all travel costs shall be reimbursed in accordance with the Federal Travel Regulations. The contractor's work shall begin immediately upon award of the contract and issuance of task order(s). (8) Non-Disclosure Requirements. The contractor will not be tasked with work involving access to specific classified or taxpayer information. However, the contractor will be required to sign a non-disclosure statement certifying that all work performed and system integrity exposures identified will be kept confidential and adequately safeguarded to prevent accidental or deliberate dissemination to those who might wish to use it to potentially penetrate Federal agency systems or for other purposes. Information developed by the contractor during the course of, or as a result of, these technical consulting services may be disclosed only upon the advanced and specific written authorization by the GAO. IV. Clauses. 
The following clauses apply to this acquisition: FAR 52.212-4, Contract Terms and Conditions-Commercial Items; FAR 52.212-5, Contract Terms and Conditions Required to Implement Statutes and Executive Orders-Commercial Items, the following clauses are applicable and incorporated by reference: FAR 52.203-6, Restrictions on Subcontractor Sales to the Government, with Alternate I; FAR 52.219-8, Utilization of Small Business Concerns and Small Disadvantaged Business Concerns; FAR 52.222-21, Prohibition of Segregated Facilities; FAR 52.222-26, Equal Opportunity; FAR 52.222-35, Affirmative Action for Special Disabled and Vietnam Era Veterans; FAR 52.222-37, Employment Reports on Special Disabled Veterans and Veterans of the Vietnam Era; FAR 52.232-34, Payment by Electronic Funds Transfer-Other Than Central Contractor Registration; FAR 52.239-1, Privacy or Security Safeguards. V. Evaluation. FAR 52.212-2, Evaluation-Commercial Items. The contract will be awarded to the contractor whose proposal is most advantageous to GAO, technical and price factors considered. Technical quality is more important than cost or price. As proposals become more equal in their technical merit, the evaluated cost or price becomes more important. The Government shall use the following criteria listed in descending order of importance when evaluating proposals. The first and second factors are mandatory and the remaining factors are relative to a 100-point rating scale: EVALUATION FACTOR 1: INDEPENDENCE (MANDATORY) If the contractor is deemed not independent (or lacking objectivity) by GAO, the firm will not be eligible for this contract. EVALUATION FACTOR 2: COMMITMENT (MANDATORY) If the contractor does not commit to provide the required services "on demand" as described in Section 8, Task Orders of the statement of work, the firm will not be eligible for this contract. 
EVALUATION FACTOR 3: TECHNICAL KNOWLEDGE (35 points) GAO requires high technical knowledge, skills, and abilities pertaining to OS/390 system software and System 390 hardware architecture, and their integration. Offerors should clearly state technical qualifications as they address the requirements in the statement of work. EVALUATION FACTOR 4: TECHNICAL WORK EXPERIENCE (30 points) In addition to high technical knowledge, skills, and abilities, GAO requires a proven track record of exceptionally strong work experience that clearly demonstrates a mastery of OS/390 and System 390 proficiency. Offerors should clearly state technical work experience as it addresses the statement of work requirements. Also, offerors are required to submit a list of at least three (3) contracts completed or currently in process within the past three (3) years of the same or similar work covered by this evaluation factor.* EVALUATION FACTOR 5: AUDIT SUPPORT EXPERIENCE (20 points) In addition to the pure technical work experience as described above, GAO requires specialized work experience in major technical audits of system software management, security, and integrity in the large scale OS/390 environment. Offerors should clearly state audit related experience as it pertains to the statement of work requirements. Also, offerors are required to submit a list of at least three (3) contracts completed or currently in process within the past three (3) years of the same or similar work covered by this evaluation factor.* EVALUATION FACTOR 6: WRITTEN COMMUNICATION (15 points) Vendor proposals should include examples of written products such as audit reports, memoranda, technical analyses, published papers, etc. in the areas of OS/390 software and System 390 architecture which demonstrate the ability to communicate highly technical concepts and internal controls risks to a variety of audiences. 
*The following information shall be provided for each reference: (a) contract number; (b) name and address of contracting activity; (c) contracting officer's name and telephone number; (d) period of performance; (e) brief description of work under the contract; and (f) indicate the evaluation factor to which the reference applies. Price. The Government estimates that it may expend 750 consulting hours per year (base and 4 options). Offerors are requested to provide fully loaded hourly rates for each labor category proposed which is inclusive of all expenses, including report preparation, salaries, overhead, general and administrative expenses, and profit. Pricing must be provided for each period of the contract (base and 4 option years). These periods should be identified as follows: Base Period-Date of Award through 9/30/01; Option 1-10/1/01-9/30/02; Option 2-10/1/02-9/30/03; Option 3-10/1/03-9/30/04; Option 4-10/1/04-9/30/05. VI. The following provisions apply to this acquisition: (a) FAR 52.212-1, Instructions to Offerors-Commercial Items, Addendum paragraph (h) Multiple Awards-delete in its entirety, the government plans to award a single contract resulting from this solicitation; (b) FAR 52.212-3, Offeror Representations and Certifications-Commercial Items, all offerors must include a completed copy of the representations and certifications with their offer (a copy of FAR 52.212-3 in full text is available at www.arnet.gov/far). Each offeror is urged to examine this solicitation in its entirety and to ensure that their proposal contains all necessary information, provides all required documentation, and is complete in all aspects. VII. Submission of Offers. Proposals shall be submitted in two (2) physically separate and detachable parts; Part 1 -- Technical Proposal and Part 2 -- Price Proposal. All information shall be confined to the appropriate volume to facilitate independent evaluation. 
An original and 5 copies of both the technical and cost proposal must be submitted on or before March 1, 2001, 2:00 p.m., EST to: IF MAILED (USPS) U.S. General Accounting Office, Acquisition Management, 441 G Street, N.W., Rm. 6B46, Washington, D.C. 20548, Attn: Karen T. Gantt -- IF HANDCARRIED (COMPANY REP./MESSENGER/COURIER/OTHER USPS) U.S. General Accounting Office, Acquisition Management, c/o OGC Correspondence Control Team, 441 G Street, N.W., Rm. 1139 (Window to right of the Reception Desk), Washington, D.C. 20548, Attn: Karen T. Gantt. All offers must arrive at the designated location and by the time specified. All offers shall be clearly marked with the RFP number, offeror's name, address, point of contact, and phone number. FACSIMILE OFFERS WILL NOT BE ACCEPTED.*****
- Record
- Loren Data Corp. 20010209/DSOL006.HTM (W-038 SN50C9X6)
Created on February 7, 2001 by Loren Data Corp. --
info@ld.com