10 December 2020

PERFORMANCE WORK STATEMENT FOR UNITED STATES TRANSPORTATION COMMAND (USTRANSCOM) COMMAND, CONTROL, COMMUNICATIONS & CYBER SYSTEMS DIRECTORATE (TCJ6) MANAGED INFORMATION TECHNOLOGY SERVICE (MITS) ENTERPRISE SUPPORT Managed Services

PERFORMANCE WORK STATEMENT (PWS)

1 DESCRIPTION OF SERVICES

1.1 Background

The United States Transportation Command (USTRANSCOM), located at Scott Air Force Base (AFB), IL, is one of 11 Unified Combatant Commands (UCC). USTRANSCOM provides command and control (C2) for the synchronized transportation, distribution, and sustainment of personnel and assets, making possible the projection and maintenance of national power wherever needed with speed and agility, high efficiency, and a high level of trust and accuracy. USTRANSCOM’s mission is to provide air, land, and sea transportation for the Department of Defense (DoD) and other Government and non-Government organizations during both peace and war. The Commander, USTRANSCOM, is tasked as the single manager of the Defense Transportation System (DTS) to oversee defense common-user transportation assets. The Secretary of Defense further expanded the USTRANSCOM mission by tasking USTRANSCOM to manage key components of the Joint Deployment and Distribution Enterprise (JDDE). An important functional requirement is the integration of the Transportation Component Commands (TCCs): Air Mobility Command (AMC), Surface Deployment and Distribution Command (SDDC), and Military Sealift Command (MSC). USTRANSCOM Command, Control, Communications, and Cyber (C4) Systems (C4S) Directorate (TCJ6) provides essential C4S support to the USTRANSCOM Commander, the Joint Enabling Capabilities Command (JECC) and the TCCs in performance of the command’s mission to provide global air, land, and sea transportation to meet national security objectives.

The USTRANSCOM C4 environment interfaces with numerous on-site and remote commercial, DoD, service, and common-user networks (i.e., Secret Internet Protocol Router Network (SIPRNet), Non-secure Internet Protocol Router Network (NIPRNet), DoD approved cloud environments and the Scott AFB Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN), or the DoD Information Networks (DoDIN)). A myriad of applications make use of the USTRANSCOM C4 infrastructure by providing access and services to the USTRANSCOM user community. USTRANSCOM operates the Common Computing Environment (CCE) surrounded by a network defense infrastructure. The USTRANSCOM CCE, supported by TCJ6 and multiple United States Air Force (USAF) organizations and SDDC, is comprised of several operating systems clients and servers both on premise and in the DoD approved cloud environments, both physical and virtual. Supported operating systems, software, and applications are listed in Appendix F: Operating Systems/Software/Applications Supported, and protocols in use are listed in Appendix G: Protocols in Use. The diversity of applications riding on the USTRANSCOM CCE (C2 systems, information management systems, mail/message systems, and security systems) increases the complexity and difficulty of integrating new system requirements. The information security infrastructure operating with the USTRANSCOM CCE is a unique integration of products demanding a high degree of technical skills and understanding.

SDDC, a component of USTRANSCOM, provides global surface transportation to meet national security objectives in peace and war. SDDC executes its mission through three core processes: (1) surface movements, (2) personal property and passenger movement, and (3) deployability engineering. It is a joint-service major Army command and USTRANSCOM’s surface transportation component. SDDC’s mission, “To provide global surface distribution management and services to meet National Security objectives in peace and war,” positions this organization as the link between DoD shippers, commercial carriers, and the warfighters offering safe, responsive, efficient distribution and deployment solutions for the military. DoD uses Information Technology (IT) for worldwide surface deployment, distribution and in-transit visibility of equipment and supplies. The SDDC Information Management Directorate’s mission is to manage the mission area support functions (communications, automation, storage area networks, audio-visual, publications, and records management disciplines).

NEED TO ADD AMC LINES

1.2 Scope

The scope of the contract effort is to provide a broad range of Managed Information Technology Services, MITS and C4S capabilities to support the USTRANSCOM, AMC and SDDC missions. Information Technology (IT) technical skills will be required to support the USTRANSCOM C4 environment, which interfaces with numerous on-site and remote commercial, DoD, service, common-user networks, and in the DoD approved cloud (i.e., Secret Internet Protocol Router Network (SIPRNet), Non-secure Internet Protocol Router Network (NIPRNet), DoD approved cloud environments and the Scott AFB Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN), or the DoD Information Networks (DoDIN)). Additional support will be required to a myriad of applications that make use of the USTRANSCOM C4 infrastructure by providing access and services to the USTRANSCOM and SDDC user community.
Additionally, the contractor shall provide a range of IT services to include cyber security, network operations and maintenance, IT planning, system integration, technical testing and evaluation, analysis and guidance, software management, systems administration, purchase of hardware and software, hardware repair and enhancements, service desk, software configuration, end user devices support/desktop services, architecture and infrastructure management, system management, audio visual and video teleconferencing, and all deliverables related to these services. The contractor shall utilize managed services best practices to perform the tasks and subtasks of this PWS to provide responsive IT service delivery. The required outcomes are delivering Managed IT services to USTRANSCOM users within agreed service levels and achieving continual service improvements to IT services. The contractor shall be responsible for coordinating, managing, assigning resources, processes, and activities with regard to the successful delivery of the entire IT service delivery as defined in this PWS. The contractor, in concert with the Government, will establish, collect, and report metrics to evaluate and improve service delivery performance.

The contractor will leverage a Managed Services framework, other Government publications (e.g., DoD Enterprise Service Management Framework (DESMF) edition II, or latest version) and IT Service Management (ITSM) to establish a business management approach and discipline to IT service delivery. Managed IT Service is a set of specialized organizational capabilities to design, implement, and manage quality services providing value to our business partners and customers. Contract shall comply with DoDI 8440.01 “DoD Information Technology (IT) Service Management (ITSM).” These capabilities take the form of functions and processes for managing services over the lifecycle, through strategy, design, transition, operations, and continual service improvement (CSI).
This contract shall use Managed Services best practices to perform the following:
• Develop an Integrated Master Schedule incorporating all contractor tasks, projects, plans, and activities to show schedule, resources, and objectives
• Identify ITSM issues and focus on the highest priorities identified by Government
• Service multiple customers with varying requirements
• Define, measure, and report relevant metrics to help with fact-based decision-making
• Improve efficiency by automating standard tasks, and streamlining processes by applying lean principles to the work
• Unite teams and processes by understanding interdependencies and how they impact one another
• Influence the organizational culture to support CSI activities

1.3 Specific Tasks

1.3.1 Task 1: Contract Level and Contract Management

This task consists of the functional activities relating to the administration and management of this effort. The contractor shall identify a Program Manager (PM) by name who shall provide management, direction, administration, clerical support, documentation, quality assurance, and leadership during the execution of this PWS. The contractor shall designate a principal point of contact for technical issues in addition to the PM. The contractor shall provide a centralized program management capability. The contractor shall prepare documents such as briefings, point papers, and meeting minutes related to status of the performance of this PWS. The contractor shall provide support in the specific areas outlined below in this PWS. The contractor shall provide all deliverables listed in section 1.4, to include referenced documents, contractor-developed and Government approved plans, schedules, and milestones. The contractor shall meet stated Government requirements and milestones. If the contractor misses milestones, the Government must be notified in writing within 24 hours of the missed deadline. The contractor’s PM is the authorized point of contact with the Government Contracting Officer’s Representative (COR).
PM responsibilities include, but are not limited to, interfacing with Government management personnel, staffing of all tasks, formulating and enforcing work standards, creating personnel and project schedules, reviewing work discrepancies, and communicating Government policies, purposes, and goals to the contractor team. All decisions regarding Government requirements or Government actions shall be made by Government personnel. The contractor’s representative shall submit evaluations, recommendations, etc., to the COR and/or Contracting Officer (CO) for action. The contractor may work remotely through VPN access in the event of inclement weather, health concerns or additional specific events approved by Managed Services Government Staff. This flexibility will ensure continuity of operations during periods of restricted access (e.g., weather, pandemic restrictions, hazardous conditions). Contractor personnel supporting the below tasks may be authorized to work remotely during periods of restricted access:

1.3.1.1 Task 1 Subtask 1: Contract Management Plan

The contractor shall submit the Contract Management Plan within fifteen (15) business days of contract award. The Government will review the plan and provide comments to the contractor within five (5) business days from receipt of the updated Contract Management Plan. The contractor shall have five (5) business days from receipt of the Government’s comments to submit the final plan. The contractor shall update the plan each option year within fifteen (15) business days of the option year exercised.

1.3.1.2 Task 1 Subtask 2: Weekly Activity Report (WAR)

The contractor shall provide accomplishments, issues and recommendations to weekly activity reports (WAR) in accordance with (IAW) staffing processes assigned by the Government.

1.3.1.3 Task 1 Subtask 3: Monthly Status Report (MSR)

The contractor shall provide a Monthly Status Report (MSR) no later than the 15th of the month following the reporting period. At a minimum, the MSR shall include the following information:
• A list of the accomplishments of the reporting period by each active task/project area.
• A synopsis of the efforts completed, deliverables provided, conferences, and trips conducted and attended during the reporting period. The MSR shall include a spending “burn down” financial graph showing funds expended to date and funds remaining against the budgeted amount. The format of the financial chart(s) shall be as agreed between the contractor and the Government.
• An overall evaluation of the contract to date, listing per task any issues, problem areas, and items that require Government action.
• 1.3.2.1.2.1 Incident Management Monthly
• 1.3.2.1.2.2 Request Fulfillment Monthly
• 1.3.2.3.4 Monthly Problem Management Report
• 1.3.2.5.54.6.2 Metrics End-User Device Operations and Maintenance
• 1.3.2.6.1.2 VTC Metrics
• 1.3.2.6.2 Delivery schedule for each project/initiative with breakdown of hours expended
• 1.3.3.3.2.1.2 Software Consumption Metric
• 1.3.3.3.2.1.3 Government Requested Metrics (Inventory Management)
• 1.3.6 Deliver Schedules
• 1.3.6.3 Best Practices Report
• 1.3.6 Delivery schedule for each project/initiative with breakdown of hours expended
• 1.3.8.2 Monthly Status Report with the status of system/software deficiencies, trouble report resolution

In conjunction with the contract end date, the contractor shall submit a final MSR no later than the last business day of the final period of performance.

1.3.1.4 Task 1 Subtask 4: In-Process Reviews (IPRs)

The contractor shall conduct quarterly In-Process Reviews (IPRs) as scheduled by the Government. At a minimum, the IPR shall summarize status, progress, recommendations, financial summaries, and concerns in the development of any tasks or documentation described within this PWS. Presentation materials shall be prepared and provided to the COR two (2) business days prior to the IPR.

1.3.1.5 Task 1 Subtask 5: Trip Reports

Within five (5) business days of completion of any travel, the contractor shall submit a trip report to include the following details: purpose, location, trip duration, travelers, travel costs, individuals contacted during trip, synopsis of discussions, decisions made, future actions identified, and issues or concerns arising during the trip. Invoices (along with associated receipts) shall support all travel reimbursement requests.

1.3.1.6 Task 1 Subtask 6: Meeting/Conference Minutes

The contractor shall attend meetings or conferences held at USTRANSCOM or other locations as identified by the Government, and provide meeting/conference minutes that detail the results as well as the impact of the meetings/conferences within one (1) business day after completion of the meeting/conference. Meetings/Conferences will generally take place during the normal duty hours listed in paragraph 3.1.

1.3.1.7 Task 1 Subtask 7: Subject Matter Expertise (SME)

The contract shall provide Subject Matter Expertise (SME) to respond to taskers, inquiries, Requests for Information (RFIs), and other requests as needed by the Government. The contractor shall consolidate, analyze, and present information/data from one or more sources or systems. The output of such requests will typically be in MS Excel, PowerPoint, Word, or Adobe PDF.

1.3.1.8 Task 1 Subtask 8: Personnel Status Report

The contractor shall provide a personnel status report containing names and labor categories of personnel supporting each major task. The contractor shall provide the report within twenty (20) business days of the contract start date and update the report within five (5) business days of any changes in personnel. The Contractor shall make every reasonable attempt to fill any labor-hour vacancy of a position described in the Technical and Management Work Plan in a time period no longer than a single billing cycle.

1.3.1.9 Task 1 Subtask 9: Transition-In Plan

The contractor shall ensure minimal service disruption to vital Government business and no service degradation during and after the Transition-In period. All transition-in activities shall be completed thirty (30) calendar days after the start date of the contract. The contractor shall deliver a finalized Transition-In Plan within five (5) business days of award.

1.3.1.10 Task 1 Subtask 10: Transition-Out Plan (Optional)

If the Government terminates this contract for any reason or if an option year is not exercised, at the discretion of the Government, the contractor may be given up to a sixty (60) calendar-day transition period. The contractor must ensure no logistics or contract data is corrupted, changed, or altered in a manner that would cause damage to the Government. The contractor shall meet performance requirements and cooperate with the successor contractor in the transition period.
During the transition period, the incumbent contractor shall provide the assistance and support required to ensure the orderly transition of all logistics support, and provide transitional planning necessary to enable the follow-on contractor to commence uninterrupted operations at the end of the transition period. The contractor shall also establish and maintain effective communication with the incoming contractor/Government personnel for the period of the transition via weekly status meetings. The contractor shall ensure follow-on contractor personnel are permitted access to observe all operations, including workflow, priorities, scheduling, equipment handling/processing, parts storage, safety, and security. Familiarization visits shall not interfere with the activities of the incumbent contractor or Government personnel. The contractor shall provide and implement a Transition-Out Plan within 45 (forty-five) calendar days prior to expiration or notification of contract termination.

To ensure a seamless transition, the contractor shall identify how it will coordinate with the incoming contractor and/or Government personnel to transfer knowledge regarding the following:
• Project management processes
• Points of contact
• Location of technical and project management documentation
• Schedules and milestones
• Status of ongoing technical initiatives
• Appropriate contractor-to-contractor coordination
• Transition of key personnel
• Actions required of the Government
• File plan, work related documents, files, policies and processes
• Inventories of hardware (H/W) and software (S/W)
• Access permission by individuals to locations in which they support

The contractor shall organize all work related documents and files, store them on the designated Government collaboration tool and provide a file plan outlining the file structure. Status for each project shall be documented, to include recent, current, and pending actions. The contractor shall provide all-inclusive H/W and S/W inventories, a listing of all COTS utilized in support of this contract, accountability of licenses, and soft copies of all procedures and training materials developed as part of this contract. In addition, the contractor shall provide a complete list of all badges, vehicle passes, and Government software access permissions by individual currently working on the contract. The contractor shall deliver all data, compiled and un-compiled source code, flow charts, and business processes for the system and support applications at the completion of this task order.
1.3.1.11 Task 1 Subtask 11: Contractor Manpower Reporting

The contractor shall report all contractor and subcontractor labor hours required for performance of services provided under this contract for USTRANSCOM via a secure data collection site. The contractor is required to complete all required data fields using the following Web address http://www.sam.gov/. Reporting inputs will be for the labor executed during the period of performance by each Government fiscal year (FY), which runs October 1 through September 30. While inputs may be reported anytime during the FY, all data shall be reported no later than October 31 of each calendar year, beginning with 2022. Contractors may direct questions to the help desk at http://www.sam.gov/. Billing cycle for this contract will be on a monthly basis (first calendar day of each month through the last calendar day of that month).

1.3.2 Task 2: Service Operations

The contractor shall perform IT Operations for the services and functional areas & capabilities as specified in this PWS. The contractor shall be responsible for ensuring services are delivered effectively and efficiently, to include restoring service interruptions, fulfilling user requests, resolving service failures, troubleshooting and fixing problems, as well as carrying out routine operational and maintenance tasks. The contractor shall be responsible for the following:
• IT Operations Management
• Service Desk
• Event Management
• Incident Management
• Request Fulfillment
• C2 Systems support
• Problem Management
• System and Database Administration
• Virtual Environment Operations
• Storage Management
• Messaging and Collaboration
• Directory Services and Identity and Access Management
• End-User IT Systems Support
• Key IT Service Support
• Network Infrastructure
• Visual Information Services
• ITSM Metrics Collection, Analysis, and Reporting

For each system or applicable area, the contractor shall perform the following:

1. Support the government Service Owner/Manager as defined by performing service management functions for delivery of Enterprise Network Service. Meet established Service Level Agreements (SLAs), Operational Level Agreements (OLAs), or other governing documents for Services and Service Components. Provide Service Operations input to Service Level Management (SLM) to establish SLA/OLA thresholds, specifications, performance indicators and standards. Provide Service Operations input for use by Service Portfolio Management and Service Strategy/Design in establishing Service Levels and recommending process and technology changes.

2. Support Event Management processes by identifying CIs and Services requiring monitoring. The contractor shall also support government identified thresholds and key performance indicators to monitor the service and/or Configuration Items (CIs) for both normal and abnormal conditions as applicable. The contractor shall respond to event notifications (i.e., Informational, Warning, and Exception) and take appropriate actions. The use of automated event notification and responses shall be applied as often as possible.

3. Support the Incident Management Process Owner and execute Incident Management process, activities, and associated policies and governance. The contractor shall open, document, and close incidents using the Government-provided ITSM tool suite (currently BMC Remedy Information Technology Service Management (ITSM) suite for NIPR/SIPR environments and JIRA for the Cloud). The contractor shall escalate incidents IAW the Government’s escalation matrix (section 1.6) and will perform incident investigation and analysis activities. The contractor shall recommend issues to Problem Management as required, through the ITSM tool.

5. Produce individual system and overall statistics, metrics, and any other requested specific technical or planning information as needed. Use of automated ad hoc statistics and metrics from the ITSM tool suite is encouraged.

6. Respond to incidents for USTRANSCOM and remote customers as needed.

7. Support the Problem Manager and the Problem Management processes. The contractor shall open, document, and close Problem actions using the Government-provided tool suite (currently BMC Remedy). Perform problem investigation and analysis activities, identify root causes, develop & document resolutions/work-arounds in the Known Error Database (KEDB), and create Requests for Changes (RFCs) as needed for resolution. The contractor will participate in Problem Model development and produce Problem Models for items within their area of responsibility.

8. Execute Request Fulfillment process and activities. The contractor shall develop request fulfillment models; perform request fulfillment actions and document models, templates and articles in ITSM tool. The contractor shall open, document, and close service requests using the Government-provided ITSM tool suite. Fulfill requests using automation to the fullest extent possible.

9. Submit, implement, and complete Requests for Change (RFCs) as prescribed by the Government’s Change Management Process/Policy. The contractor shall assist in the development of change processes, models, and participate in Change Process activities as required (e.g., Change Advisory Board, Change Practitioner). The contractor shall provide analysis of the operational impacts of system changes (e.g., network expansions, additions, upgrades and reconfigurations in hardware/software suites) within ten (10) business days of the Government’s request.

10. Provide Transition Planning and Support as required. This includes participation in working groups, planning meetings, estimations, and resource planning. The contractor shall work closely with Technical Management & Oversight and Project Management teams to ensure successful delivery and implementation of new or changed services.

11. Identify Configuration Items (CIs) and CI attributes for tracking and ensure the Configuration Manager Database (CMDB) accurately reflects the appropriate CIs within the Service Operations area of responsibility. The contractor shall create and maintain Configuration Models. The contractor will make changes to CIs within the Configuration Management System (CMS) as prescribed by the Change Management & Service Asset and Configuration Management (SACM) process owners.

12. Work within the Release and Deployment Process to ensure proper Service Operations acceptance of new or changed services or service components. The contractor shall participate in the Service Design and Service Transition processes.

13. Support the Service Validation and Testing Process and related activities to increase service quality and reduce risk of transitioning services. The contractor shall participate in fit-for-use (Warranty) and fit-for-purpose (Utility) testing and delivery of new and changed services or components.

14. Share perspectives, ideas, experience, and information to enable informed decisions and to improve efficiency by reducing the need to rediscover knowledge. The contractor shall prepare knowledge articles and submit per the Knowledge Management Process for inclusion in the Government’s Knowledge Management Database (KMDB). The contractor shall define intra-office authorizations and responsibilities to produce, manage, and retire applicable internal and external knowledge information within the scope of this PWS using the KMDB.

15. Ensure services are supportable and documented correctly through participation in the applicable Service Catalog, Change Management, and overall Service Strategy and Design activities as required. The contractor shall provide service ownership and management for services provided by their respective teams, utilizing the services management principles. The contractor will ensure information in the Service Catalog pertaining to their area of responsibility is correct and current.

16. Track and review the delivery of supplier provided (commercial) services, software, & equipment (e.g., performance, delivery times, quality) to ensure the highest quality of supplier support to deliver services. The contractor shall make recommendations to the Government for increased supplier quality in the quarterly report.

17. Support the Service Level Management (SLM) process and participate in the establishment of service levels. The contractor shall aid in the proper tracking of service thresholds and events to measure service levels accurately.

18. Perform Capacity and Availability Management planning. Provide, recommend, and implement solutions to ensure availability of services in the near term and necessary capacity within the timeframe established by the Government.

19. Prepare and maintain continuity plans for C4 systems to include alternate site designations for restoration of mission or business essential functions. The Contractor shall support USTRANSCOM testing and development of its Continuity of Operations (COOP) plans to ensure effective continuity of service. Ensure Business Continuity Management (BCM) plans are in place, executable, and followed. Review continuity plans of service owners to ensure adequate capacity and availability of COOP infrastructure to support those plans.

20. Plan, coordinate, schedule and conduct Authorized Service Interruptions (ASIs) for required IT system and service outages. Attend meetings with Program/Project Managers, developers, and/or functional users. Coordinate with IT Operations Management (Department of Defense Network (DoDIN) Operations Center) for system/service downtimes. Provide documentation, answer technical questions, and provide appropriate support within the CCE to minimize the impact of scheduled service/system outages to customers and users.

The contractor shall provide full process documentation for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare appropriate briefings and supporting materials no later than 48 hours prior to any presentation. At a minimum, the contractor shall perform a semi-annual process review and recommend CSI initiatives/opportunities for consideration to the CSI Manager.

The contractor shall attend meetings or conferences held at USTRANSCOM, AMC, SDDC, or other locations as identified by the Government, and provide meeting/conference minutes IAW paragraph 1.3.1.6. The contractor shall provide inputs to weekly activity reports (WAR) IAW paragraph 1.3.1.2.

The contractor shall perform Equipment Custodian (EC) duties within their area of responsibility and maintain proper accountability of all Government owned/purchased hardware IAW United States Transportation Command Instruction (USTCI) 33-16 and Air Force Manual (AFM) 33-153, Management of Information Technology Hardware & Software Assets, and Air Force Manual (AFMAN) 17-1203, Information Technology (IT) Asset Management (ITAM), as well as maintain inventory information for all warranty and maintenance contracts. The contractor shall provide inventory information to the Government IAW USTCI 33-16, annually or within 30 days from EC change.

The contractor shall perform NIPRNet and SIPRNet Functional Area Communications and Computer Systems Manager (FACCSM) duties in their respective contracted out functional areas. Contractor personnel assigned to perform SIPRNet FACCSM duties shall be qualified as an Information Assurance Technician Level II (IAT-II), per DoD 8570.01-M. The Contractor shall provide copies of the required certification(s) applicable for IAT-II to the COR at start of contract execution.
1.3.2.1 Task 2 Subtask 1: IT Operations Management and Service Desk

In support of USTRANSCOM Managed IT Services, the contractor shall sustain and maintain the Tier 0 Self-Service Portal. The contractor shall perform Tier I Service Desk activities (on- or off-site) and Duty Controller (DC) activities (on-site) at Scott AFB, or a contingency location, 24 hours per day, 7 days per week, to respond to C4 events and outages, to include scheduled/unscheduled outages. The contractor shall provide IT Operations Management (a.k.a. DoDIN Ops) and Service Desk capabilities, and capability needs to the Technical Management team and the IT Service Portfolio Management team to ensure the required automation and process capabilities will meet the needs for existing and projected service levels and planned service improvements. The contractor shall work with Technical Management to ensure all capabilities in this task area are lifecycle managed, planned, and programmed to meet organizational needs.

1.3.2.1.1 Task 2 Subtask 1.1: IT Operations Management - Duty Controller (DC)

The contractor shall provide a Duty Controller (DC). The DC will work with the Duty Officer (DO) and cyber security analysts to identify and correlate problems affecting JDDE customers. DC activities shall include but are not limited to accepting notifications, to include Authorized Service Interruptions (ASI) requests, from the USTRANSCOM community, USTRANSCOM component commands, other combatant commands, and other global DoD customers regarding problems or questions concerning automated systems, services, or capabilities supporting the JDDE. The DC shall respond to alerts on both on premise and cloud unclassified and classified environments (i.e., information, warning, and exceptions) and take appropriate actions associated with defined thresholds. The DC shall:
• Coordinate approval and track status of ASI requests, and manage the ASI program
• Analyze impact from external ASIs (e.g., Service components (TCCs), Host Base, DISA, DoD Cloud Environment)
• Utilize provided software tools (e.g., Remedy, Solarwinds, and Situational Awareness Common Operating Picture (SACOP)) to document, monitor, and report computer network status, and serve as a knowledge base for incident/event/problem resolution
• Ensure all events opened or closed in the automated tracking system are accurate and timely
• Assist the DO in the preparation of the daily report as outlined in TRANSCOM policies and procedures
• Ensure all reports/briefings are posted and updated as outlined in the procedures
• Ensure the DO has the most current status report on all events
• Provide a bi-annual review of all SOPs and recommend updates to the government lead
• Assume the service desk function from 1831 – 0629 on weekdays, 24 hours/day on weekends and federal holidays

1.3.2.1.1.1 Event Management

The contractor shall assign an Event Manager. The Event Manager shall manage all Events throughout their lifecycle (detect, analyze, and control) as defined by the Event Management Process. The contractor shall structure, document, and manage Events within Managed service framework. The contractor shall use established SLAs, OLAs or other government documents, and coordinate the identification, establishment and updates of event thresholds with each responsible functional team to ensure key event indicators are configured for automatic notification within the prescribed times and procedures. The contractor shall be responsible for and manage a master list of event items for coordination and synchronization, and made available to functional teams and leadership via the Government provided ITSM tool.
As part of Event Management, the contractor shall perform the following across all services and service delivery units:
• Detect all changes of state that have significance for the management of a Configuration Item (CI) or IT Service
• Determine the appropriate control action for events and communicate to the appropriate functions
• Provide trigger, or entry point, for the execution of many service operation processes (e.g., Incident and Problem Management) and operation management activities
• Provide the means to compare actual operating performance and behavior against design standards and SLAs
• Provide a basis for service assurance and reporting as well as service improvement
• Collect and analyze ITSM metrics; prepare and deliver event reports based on their event analyses, identify trends that will be used for CSI
The contractor shall be responsible for the activities within Event Management to include Detection, Logging, Filtering, and Significance assessment. The contractor shall assess and document responses to each event such as automatic responses, Alerts & Human Interventions, Incidents, Problems, or Changes. The contractor shall conduct event reviews monthly, and report findings as part of the quarterly IPRs. The contractor will provide full process documentation (e.g., roles and responsibilities, Inputs/Outputs, Process Flows) for Government approval within 90 calendar days of contract start. The contractor shall maintain/modify all documentation for process changes within three (3) business days of notification. The contractor shall prepare Event Management briefings and supporting materials no later than 48 hours prior to any presentation.

1.3.2.1.2 Task 2 Subtask 1.2: USTRANSCOM Service Desk Support The contractor shall provide Service Desk support from 0630 to 1830 local time, Monday through Friday. The contractor shall provide after-hours and weekend service-desk support, times and hours to be agreed upon between the contractor and the Government. Government anticipates, on average, one four-hour period per month on a specified weekend day. The contractor shall provide a focal point for incident management and request fulfillment for IT systems and services. The Service Desk shall provide support to include, but not be limited to, lifecycle management of incidents (tickets), answering calls, executing request fulfillment actions, providing functional user support, training issues, initial diagnostics/troubleshooting, account management and password services, diagnosing and resolving issues on unclassified and classified office information systems, and USTRANSCOM supported C4 systems. These systems include but are not limited to e-mail services, collaboration services, telephone services (VoIP/VoSIP), Distribute.mil, Records Management (RM), Electronic Information Management (EIM), SharePoint, TransViz, JFAST, AMHS and GCCS-J, Integrated Data Environment Global Transportation Network Convergence (IGC) and cloud managed services. The contractor shall collect and enter service desk information (e.g., event, incident, request fulfillment) into the USTRANSCOM designated service management systems. The contractor shall collect and analyze service desk metrics as determined by the Government; the contractor shall prepare and provide weekly and monthly metrics reports, highlighting trends and making recommendations for CSI. The contractor shall provide C4 and business system account management and access management to include creation of accounts, issuance of passwords and resetting locked user accounts within one (1) business day after receipt of request.
The contractor shall provide access control to systems IAW published security policy. The contractor shall perform Local Registration Authority (LRA) duties, to include issuing and revoking Public Key Infrastructure (PKI) certificates throughout the command. The contractor shall be the focal point for all SIPRNet token issues, provide training to trusted agents (TAs), and ensure the LRA program complies with DoDI 8520.02. The contractor shall provide on-call support 24 hours per day and respond onsite within two (2) hours of notification for SIPRNet token issues. The contractor shall interface with the provider Service Desks, Air Force Enterprise Service Desk, IT Operations Management, and other organizations as required to coordinate resolution of issues reported to the USTRANSCOM Service Desk.


1.3.2.1.2.1 Incident Management The contractor shall perform as the Incident Management Process Owner and Manager and shall be responsible for managing all incidents through their lifecycle. Following ITSM best practices and IAW DESMF, the contractor shall be responsible for timely reporting, resolving if possible, and escalating when needed, all incidents that affect services or service components. The contractor will provide full process documentation (e.g., roles and responsibilities, Inputs/Outputs, Process Flows) for Government approval within 90 calendar days of contract start. The contractor shall maintain/modify all documentation for process changes within three (3) business days of notification. The contractor shall prepare Incident Management briefings and supporting materials no later than 48 hours prior to any presentation. The contractor shall provide tracking, customizable reporting, knowledge base development, and access for both network support technicians and customer searches for status updates and common incident resolution. The contractor shall provide incident reports (or incident data if only data is requested) to support Capacity Management, Service Level Management, Security, Availability Management, Service Asset and Configuration Management, Change Management, Problem Management, and Access Management, if automated reports or the data is readily available in the tool database. Reports or data requests requiring manual manipulation to produce a requested product will require a level of effort (LOE) to determine feasibility of request and will require Government approval for production. The contractor shall provide a monthly Incident Management report to include, but not be limited to, the number of incidents and status of all open incidents. The contractor shall prepare knowledge articles for inclusion in the ITSM tool (e.g., Self-Service Portal (Tier 0), KMDB). 
Knowledge articles will cover all aspects of service desk operations to be used by service desk technicians as well as users (self-help and information) to perform recurring tasks and to apply work-arounds to known issues or problems. The contractor shall manage the lifecycle of all incidents (e.g., desktop, network, infrastructure) from initiation to closure, actively pursuing updates and escalation IAW paragraph 1.6. The contractor shall ensure ticket management actions adhere to established timeframes documented in the SLA. The contractor shall perform first-line investigation and diagnosis of all incidents and provide resolutions on customer’s first contact to the Service Desk at a minimum of 68% of the time. First contact resolution is the percent of contacts resolved by the service desk on the first interaction with the customer. For live calls or web chats, this means the customer's issue is resolved before they hang up the phone or end the chat session. Should the Service Desk determine they are unable to resolve an issue on the first call, the technician shall record applicable information (e.g. troubleshooting actions taken) about the user’s incident and escalate to the applicable work center (Tier II) for continued diagnosis and resolution IAW paragraph 1.6. The contractor shall use all means including remote desktop access to identify and fix incidents. The contractor shall ensure all users are informed of their incident status when the incident persists beyond the target resolution times IAW paragraph 1.6. Before closing any ticket, the contractor shall ensure the customer is satisfied with the action taken. The Service Desk shall ensure accurate logging, categorization, prioritization, initial diagnosis, routing, functional escalation, and data integrity of all incidents and requests. The contractor shall log and categorize all incidents and prioritize each IAW Incident Priority and Escalation Matrix (paragraph 1.6).
In response to a reported incident, the contractor must record each incident within an incident management tool and provide an immediate recommended solution or a workaround in the known error database. If an entry does not exist in the KEDB or an article is not in the KMDB, the contractor shall identify the need to create the KEDB entry, KMDB article or model. The contractor shall write and submit knowledge management articles for inclusion into the Government’s ITSM tool following the knowledge management article submission process. The contractor shall ensure resolution on all incidents. The contractor shall provide as part of the MSR, the following metrics:
• First contact resolution rate
• 1st level resolution rate (incident closed by service desk w/o escalation)
• Size of incident backlogs
• Average age of tickets
• Tickets older than 2 weeks, 30 calendar days, 60 calendar days
• Average time to escalate
• Number of incidents resolved remotely
• Mean time to resolve
• Number of major incidents per service
• Number of complaints or issues concerning content and quality of incident communication
• Percentage of incidents handled within/outside of agreed response times
• Number and percentages of incidents incorrectly assigned/categorized
• Number and percentage of incidents related to change and releases
1.3.2.1.2.2 Request Fulfillment The contractor shall support the Request Fulfillment Process Owner and Manager and be responsible for the request fulfillment process for USTRANSCOM. Following best practices and IAW DESMF, the contractor shall perform tracking, customizable reporting, KMDB input, and access for both network support technicians and customer searches for status updates. The contractor shall provide a monthly service request report to include request number and status of all open service requests. The contractor shall highlight service request resolution times, which fall outside of agreed upon service levels. The contractor shall manage the lifecycle of all service requests from initiation to closure.
The contractor shall provide a means for users/customers to request and receive standard, defined services from the Service Catalog and will assist with general information, complaints, or comments. The contractor shall ensure accurate logging, categorization, prioritization, routing, functional escalation, and data integrity of all applicable service requests.

The contractor will provide full process documentation (e.g., roles and responsibilities, Inputs/Outputs, Process Flows) for Government approval within 90 calendar days of contract start. The contractor shall maintain/modify all documentation for process changes within three business days of notification. The contractor shall prepare Request Fulfillment Management briefings and supporting materials no later than 48 hours prior to any presentation. The contractor shall be responsible for creating and providing Request Fulfillment process workflows for services within the service catalog, working closely with service providers, and ITSM tool administrators. The contractor shall ensure all process flows follow predefined process models based on the service requested, and will work with the Service Catalog and Service Portfolio Management teams when new process flows need to be developed. The contractor shall work with Change Management to identify candidates from normal changes that are well-defined repeatable requests and standardize such requests in Request Fulfillment. The contractor shall create service request models and ensure proper execution of all requests. The contractor shall support configuration and change management processes as integral synchronization with Request Fulfillment. The contractor shall provide as a part of the MSR the following information:
• Mean elapsed time for handling each type of service request
• Number and percentage of service requests completed within and outside of agreed upon time
• Number of service requests resolved remotely or through automation
• Total number of service requests per time interval (daily, weekly, monthly)
• Number of incidents related to request fulfillment activities
• Size of backlog of outstanding service requests
• Average age of open service requests
• Days each request spends in each lifecycle phase
• Tickets older than 2 weeks, 30 days, 60 days
1.3.2.1.2.3 Tier 0 - Self-Help The contractor shall create, operate and maintain a Tier 0 (self-help) capability, utilizing the government-provided ITSM suite, which shall include, but not be limited to, answers to frequently asked questions (FAQs), ability to request services, open incidents, check status of requests and incidents. The self-help site shall resolve a minimum of 25% of incidents and service requests.
1.3.2.2 Task 2 Subtask 2: Command and Control (C2) Systems & Program Support The contractor shall provide program management support to C2 Systems to include but not be limited to the following:
• Global Command and Control System-Joint (GCCS-J) Family of Systems (FoS)
• GCCS-J Common Operational Picture (COP)
• Joint Operation Planning and Execution System (JOPES)
• GCCS-J Integrated Imagery and Intelligence (I3)
The contractor shall coordinate with Tier I (Service/Help Desk), Tier II, Tier III (Program Management Office engineering support personnel), DISA and external personnel to resolve issues as quickly as possible and provide completion timelines to leadership. The contractor shall brief leadership on all unplanned outages, causes, and planned resolutions with associated timelines. The contractor shall prepare appropriate briefs, information papers, and documents as assigned by the Government. The contractor shall schedule space for all required meetings and arrange audiovisual/video teleconferencing support for the meetings. The contractor shall prepare all meeting agendas and supporting documents/presentation materials. The contractor shall maintain paper and electronic files of all documents created in support of this subtask. The contractor shall perform general administrative tasks, related to account administration, to support the Government.
1.3.2.2.1 Task 2 Subtask 2.1: GCCS Program Support The contractor shall provide program management support, direction, administration, quality assurance, and leadership of the execution of this PWS. The contractor shall perform the following:
• Review system documentation staffed by DISA and Joint Staff for implications to USTRANSCOM. Examples include, but not limited to:
    • Joint Capabilities Integration and Development System (JCIDS) documents
    • Information Support Plans (ISP)
    • Test and Evaluation Master Plans (TEMP)
    • Requirements documents (e.g., ICD, CDD)
• Develop and implement technical solutions for GCCS with the current C4S policy, funding constraints, maintenance concepts, configuration plans, and life cycle support, including sustainment and improvement considerations
• Develop and maintain an integrated master schedule (IMS) and work breakdown structure (WBS) identifying milestones and other significant program events using Project or equivalent project management software
• Coordinate with USTRANSCOM J3 users on support for DISA Test Plans.
• Coordinate access to Government test environments, e.g., GCCS-J COP, Agile Client, or Joint Operations Planning and Execution System (JOPES)
• Receive and vet change requests through appropriate channels, document the coordination process, provide feedback to the users, and maintain status documentation on outstanding change requests
• Manage the installation, training, maintenance, and integrated logistics support of new C4S systems
• Prepare systems and documentation necessary for security certification and accreditation process (currently DIACAP, and transitioning to RMF)
• Prepare program for Joint Interoperability Certification or current interoperability certification process, as appropriate
• Maintain upgraded hardware and software service agreements
The contractor shall be responsible for ensuring system availability and reliability of the GCCS-J and related GCCS FoS on U.S. and Coalition networks at USTRANSCOM. The contractor shall plan, develop, and implement GCCS program requirements. The contractor shall be responsible for maintenance, troubleshooting, installation, configuration, and the implementation of existing and future versions of the GCCS FoS. The contractor shall provide system administration support, technical support, and subject matter expertise for GCCS FoS, including: Common Operational Picture (COP), Integrated Imagery and Intelligence (I3), Joint Operation Planning and Execution System (JOPES), Information Assurance (IA) and Client/ installation, the Federal Aviation Administration (FAA) data feed system. The Contractor shall provide dedicated, on-site operations and maintenance (O&M) support during duty hours for all systems/services operated and maintained by the GCCS Technical Support Team. On-call O&M support shall be provided during non-duty hours. When on-call support is requested, the maximum time for reporting to duty station is two (2) hours after notification. A comprehensive on-call/alert roster shall be maintained and updated on a monthly basis. The contractor shall provide management, system administration, planning, and operational support for all Command and Control servers and client assets, including UNIX systems, within the scope of this task. The contractor shall perform the following:
• Administer GCCS FoS assets employed at USTRANSCOM and provide technical support
• Perform Configuration Management and Project Management and ensure IA compliance for all USTRANSCOM GCCS FoS assets
• Perform any necessary actions required to respond to GCCS FoS problem reports
• Perform system, security, and operational testing/evaluation events in coordination with the DISA GCCS-J PMO to determine suitability to field for future releases
• Ensure USTRANSCOM personnel and contractors are trained on the GCCS FoS server-based systems and maintain a recurring training program
1.3.2.2.1.1 C2 Systems Training Environment Engineering Support The C2 Systems training environment (lab/classroom) provides an environment to test compatibility of new and existing software and train USTRANSCOM operators. The contractor shall provide lab support for the testing of applications and segments prior to implementation on operational systems. The contractor shall also support segment testing for new versions of these software suites as they are delivered. The contractor shall configure, schedule, and coordinate use of the classroom.
The contractor shall reconfigure the systems to accommodate special requirements, demonstrations, and testing requests. The contractor shall replicate error conditions found on Government identified operational systems and provide technical input for possible solutions. The contractor shall act as the point-of-contact for scheduling of all non-training activities of the lab/classroom. Systems and segments supported include but are not limited to the following:
• Joint Operation Planning and Execution System (JOPES), GCCS-J COP
• Agile Client
• Integrated Imagery and Intelligence (I-3)
The contractor shall provide lab/classroom engineering support on the C2 systems. The contractor shall coordinate the technical integration of various systems that interface with the COP including, but not limited to, the Federal Aviation Administration (FAA) data feed system, the Integrated Data Environment/Global Transportation Network Convergence (IGC). The contractor shall test and install new software. The contractor shall troubleshoot problems on the operational system and respond to incidents in the performance of this subtask IAW paragraph 1.6 Priority Escalation matrix. The contractor shall document all responses. The contractor shall process trouble calls that require DISA assistance IAW USTRANSCOM established procedures. Any issues that cannot be resolved by local staff will be passed to DISA using the GCCS Problem Report (GPR) for resolution. The contractor shall provide engineering assistance in designing COP communications channels and interfaces to support the execution of exercises involving USTRANSCOM. The contractor shall support exercise planning and operations. The contractor shall provide system administrator training for the C2 systems. The contractor shall provide a primary CRO and alternate CRO(s) as required to manage COMSEC material necessary for the C2 systems Lab/Classroom encryption.
1.3.2.3 Task 2 Subtask 3: Problem Management The contractor shall support the Government Problem Management Process Owner, perform as the Problem Management Process Manager, and follow best practices, IAW DESMF, to ensure timely and effective problem resolution. The contractor shall create, manage, and document Problem Management processes. The contractor shall recommend Problem Management policies to the Government and implement approved policies. The primary objective of Problem Management is to prevent recurring incidents by identifying their underlying cause (i.e., problem), and to minimize the impact of incidents that cannot be prevented. The contractor shall perform Problem Management activities, coordinate analysis efforts with Tier II (technical support) and Tier III (engineering), as well as document and manage the lifecycle of all problems in the ITSM tool. Problem Management activities include, but are not limited to diagnosing the root cause of incidents, determining the resolution to those problems, and providing workarounds to Incident Management. The contractor will provide full process documentation (e.g., roles and responsibilities, Inputs/Outputs, Process Flows) for Government approval within 90 calendar days of contract start. The contractor shall maintain/modify all documentation for process changes within three (3) business days of notification.
The contractor shall prepare Problem Management briefings and supporting materials no later than 48 hours prior to any presentation.
1.3.2.3.1 Problem Identification The contractor shall analyze Incident and Event Records, and data collected from other IT Service Management processes to identify trends or significant Problems. The contractor shall create problem records for new problems and enter the problem records in the Known Error Database within the ITSM tool. Recurring problems shall be categorized by problem ticket type (e.g., printing, e-mail, and phone) and prioritized based on criteria provided by the Government. The contractor shall work closely with Incident Management lead to define categorization and prioritization criteria and document them in the ITSM tool.
1.3.2.3.2 Problem Diagnosis and Resolution The contractor shall perform analysis, in conjunction with Tier II (technical support) and Tier III (engineering) personnel to identify the underlying root cause of a problem and initiate the most appropriate and economical solution. If a temporary workaround can be implemented, the contractor shall document the workaround in the Known Error Database (KEDB). For solutions that require a change, the contractor shall submit a Request for Change (RFC).
1.3.2.3.3 Close and Review Problem The contractor shall review and close all problem records. The contractor shall ensure known error records are updated within one (1) day from closure. The contractor shall check each problem record to ensure completeness, accuracy, and that each record contains a full historical description. The contractor will document problem solutions in the appropriate ITSM record and Known Error Database. The contractor shall perform post problem resolution audits to validate that the implemented solution delivers specified performance, that established processes were followed, and that lessons learned were captured. The contractor shall establish an audit report distribution list and disseminate reports focused to the appropriate audience.
1.3.2.3.4 Problem Management Monitoring and Reporting The contractor shall examine all problem-related data and status changes for consistency and document solutions/workarounds in Problem Management records and KEDB. The contractor shall collect and analyze metrics on the flow of problem tickets through the Problem Management process. The contractor shall determine the effectiveness of corrective actions taken to resolve problem tickets and verify whether a problem was eliminated. The contractor shall provide this information as part of the problem auditing and reporting process. The Problem Manager shall keep other Service Management processes, as well as IT Management, informed of outstanding problems, their processing-status, and existing workarounds. The contractor shall utilize trend analysis methods and other means to produce a monthly Problem Report, which shall be provided in the MSR. The report shall contain at a minimum: Outstanding Problems, Resolution times to resolve/close Problems, highlight Problems with special importance regarding Availability, Capacity, IT Service Continuity and IT Security Management, other Problems affecting quality of services, and trends of problems and the workarounds/resolutions to reduce the number and impact of incidents over time. The contractor shall provide recommendations for Continual Service Improvements based on their analyses and experience.
The contractor shall create/maintain a Known Error Database (KEDB) using government procured system/software.
1.3.2.4 Task 2 Subtask 4: Enterprise Network Service Support The contractor shall provide system administration, database administration, messaging and collaboration support, directory services, identity access management, file storage, backup and recovery, print services, end user IT system support, and Key IT Service Support (KITSS) for all current and future C2, business and office information systems maintained on both the unclassified and/or classified networks supporting USTRANSCOM. Systems and capabilities currently supported include but are not limited to the following:
• Global Command and Control System-Joint (GCCS-J)
• Single Mobility System (SMS)
• Exercise Single Mobility System (ESMS)
• Joint Flow Analysis System for Transportation (JFAST)
• Identity and Access Management (e.g., GeoAxis)
• Defense Enterprise Transportation Visualization (TransViz)
• Automated Message Handling System (AMHS)
• Learning Management System (e.g. Tandem)
• SiteMinder
• Email support
• Virtual Desktop Infrastructure (VDI)
• Web services and applications
• Common Computing Environment (CCE)
• USTRANSCOM Cloud Environment (UCE)
• Unclassified Office Information Systems (UOIS)/NIPRNet
• Classified Office Information Systems (COIS)/SIPRNet
The contractor shall provide the following activities as applicable:
1. Provide on-site support IAW HQ USTRANSCOM policies, regulations, guidelines, Memorandum of Agreements (MOAs), Service Level Agreements (SLAs), and Operational Level Agreements (OLAs).
2. Hardware maintenance, system log control, system monitoring, maintenance (e.g., system patching), system backups/restores, Information Assurance Vulnerability Alert (IAVA)/Cyber Tasking Orders (CTO)/security coordination, account management and access control, firewall/network coordination, documentation, tracking, troubleshooting and testing, PKI certificate support for server apps (Apache, BEA Web Logic, etc.).
3. Application support, including troubleshooting, maintaining, updating, testing, customer support, incident resolution, use of configuration management policies and procedures (software/hardware configuration management), whitelisting capabilities (e.g. Applocker), compliance management to differing requirements (DISA, Committee on National Security Systems [CNSS], USTRANSCOM, USCYBERCOM, etc.), creating security evaluation & accreditation documentation, system security compliance, remediation and validation (i.e., SCCVI scan responses and plans of actions and milestones [POA&Ms]), hardware, and software problem diagnosis and resolution.
4. Create, manage, and maintain an automated enterprise level management system (e.g., enterprise Update Service (WSUS), LanDesk, Yellowdog Updater Modified (YUM)) in the supported environments and ensure systems are patched in accordance with Security, Configuration and Change Management policies & procedures.
5. Build and configure operating systems (e.g., Windows, and ) following Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs)/Security Requirements Guides (SRGs) and apply operating system service packs and install Information Assurance Vulnerability Alert (IAVA) security patches in compliance with DoD and IAVA implementation guidelines meeting all CYBERCOM and DoDIN operational directives.
6. 24-hour on-call and after-hour support for all systems, to include but not be limited to maintenance on critical business systems (e.g., AMHS, etc.).
7. Implement release packages into production system and maintain IT service.
1.3.2.4.1 Task 2 Subtask 4.1: Systems Administration Support The contractor shall establish and operate a server operations and maintenance program that provides program management, systems administration, maintenance, computer security, and support for environments (CCE NIPRNet & SIPRNet (primary and alternate site), Legacy) on all USTRANSCOM networks (NIPRNet (TC-UENet), SIPRNet (TC-CENet), Out-of-band, test network), as well as those at the Continuity of Operations (COOP) facility in support of IT Continuity Management. The contractor shall also operate and maintain items such as servers (physical and virtual), firmware, operating systems (e.g., , Red Hat Linux, and Solaris), and application software. Systems and networks within the scope of this task are located at HQ USTRANSCOM, multiple locations on Scott AFB, and other locations (e.g., USTRANSCOM satellite offices in Washington, DC and Norfolk, VA). Monday through Friday, the contractor shall provide on-site hours from 0600 to 1700, and on-call from 1701 to 0559. Weekends and holidays, the contractor shall provide on-call 24 hours per day and respond onsite within two (2) hours of notification. There may be instances where the Government will increase the level of support and may extend the on-site hours during contingencies, emergencies, or exercises to 24-hour operations. The Government estimates three (3) contingency/emergency/exercise periods per year. The contractor shall perform the following:
1. Monitor, maintain, and optimize operating systems, applications, and vendor specific software supporting the servers and/or peripheral equipment.
2. Maintain C2, business and office information system accounts, perform account and access management for servers, out-of-band systems, specified applications and databases; activities include but are not limited to maintenance of an Automated Account Request System (AARS), creation of accounts, issuance of passwords, and resetting locked user accounts within one (1) business day after receipt of request during normal business hours.
3. Activate, deactivate, stop and start services, reboot servers, identify and correct system problems, recover system files when necessary, and perform monitoring and tuning of the servers and services.
4. Plan, implement, install, and monitor system backup capabilities. The contractor shall perform system backups at the primary site, alternate site, and Continuity of Operations (COOP) facility. The contractor shall recover and restore computer files within two (2) hours for high priority requests and 24 hours for standard requests.
5. Monitor the development of relevant technologies and evaluate the need to incorporate new software releases/upgrades as part of the overall lifecycle of the supported system; provide written recommendations for improvements to define requirements for future upgrades/projects.
6. Fault management and analysis, configuration control, and automated performance monitoring on applicable services, servers, and devices.
7. The contractor shall provide Tier II troubleshooting support for incidents and document troubleshooting and resolutions in an automated tool; the contractor will prepare knowledge articles for inclusion in the KEDB/KMDB. The contractor shall respond in accordance with the Incident Priority and Escalation Matrix.
8. Operate and maintain Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP) services. The contractor shall configure and maintain the Government designated DNS servers, maintain DNS entries, and coordinate with outside agencies for DNS issues.
9. Manage, configure, and provide support to exercise systems in support of USTRANSCOM and COCOM exercises (with USTRANSCOM participation).


Government estimates are eighteen (18) COCOM exercises per fiscal year with two (2) exercises executed simultaneously.
10. Configure and maintain print devices to include establishing print queues on USTRANSCOM’s print servers and maintaining detailed documentation pertaining to the configuration and location of each device.
11. Manage Certificate Authority (CA) Servers, update Root and Intermediate Certificate Authorities, and troubleshoot authentication issues associated with USTRANSCOM’s Public Key Infrastructure (PKI).
12. Identify, evaluate, document, install, and configure hardware and software to meet user needs ensuring all services (e.g., Data-at-Rest (DaR), collaboration services, and file storage) are available as required and IAW Change and Configuration Management policies and procedures.
13. Support certification/recertification actions, and advise on operational impacts of network/system expansions, additions, upgrades, and reconfigurations of hardware and software suites.
14. Coordinate, gain approval, and perform all monthly or periodic maintenance to servers and system infrastructure components (service components) in accordance with the USTRANSCOM ASI process.
15. Additional activities required as part of this task include but are not limited to the following:
• Review audit logs and report suspicious activity
• Archive audit logs to external storage as specified by the Government
• Perform and verify backups of all applicable systems to Government specified locations
• Perform restorations from backups as directed by the Government
• Track, monitor, and report system performance and activity
• Monitor system resources and report incidents and events
• Perform physical checks of hardware for fault lights and take corrective action
• Update anti-virus signature files
• Compare system configuration files against a baseline for changes
• Maintain compliance of approved configurations for system components (virtual and physical) (e.g., run STIGs/SRGs against systems)
• Apply operating system upgrades and service packs
• Manage configuration implementation and problem resolution
• Create emergency recovery disks
• Isolate and resolve system issues
• Perform system configuration changes per supplied and approved documentation
The contractor shall respond to hardware or software problems within 15 minutes of initial report during on-site hours and on an on-call basis after duty hours with a two (2) hour response time to begin work.

The Government estimates four (4) trips per year in support of this task.
16. The contractor shall maintain current documentation on premise operating system standard build guides and images, and provide updates to the Government with the following assigned suspense dates:
• Red Hat Linux Standard Build Guide & Image (Fiscal Qtr 4)
• Windows Server Build Guide & Image (Fiscal Qtr 4)
• CentOS Security Guide (Fiscal Qtr 1)
• Windows Security Guides (Fiscal Qtr 1)
• Windows Defender and Exploit Guard STIG Variance Standard and Checklist (Fiscal Qtr 3)
• ClamAV Implementation Guide (Fiscal Qtr 1)

1.3.2.4.1.1 Federal Aviation Administration (FAA) Data Feed System Support

The contractor shall be responsible for the administration and operations of current and planned FAA data feed systems. The contractor shall provide the operations and maintenance support for 16 Red Hat Enterprise Linux (RHEL) FAA-dedicated workstations across Scott AFB (buildings 1900E, 1900W, 1600, and Base Command Post) that reside on the isolated FAA Private Network and run the FAA's Traffic Flow Management System (TFMS). The TFMS application provides the current feed to USTRANSCOM. On average, about every 4-5 years the FAA refreshes TFMS hardware. The contractor shall act as the liaison, escort, and provide hands-on-hardware support for FAA technicians during refresh cycles. The contractor shall identify, evaluate, document, install, and configure unclassified hardware and software to meet user needs and shall ensure all services are available as required. The contractor shall establish detailed fault management, configuration control, and performance monitoring to support USTRANSCOM users. The contractor shall manage, operate and maintain the Traffic Flow Management Data to Government (TFMDG) data feed. The TFMDG data feed is a streaming XML data feed that may change every 2 years or so with no set schedule.
The contractor shall ensure seamless integration with GCCS software to capture, filter, bundle, and securely transfer data to DISA DECC Columbus and DECC Montgomery via a DISA Cross-Domain Enterprise Solution (CDES) for consumption by United States Strategic Command (USSTRATCOM). The contractor shall work with technicians from DISA and USSTRATCOM to support troubleshooting, problem isolation, corrective actions, and problem analysis concerning the FAA data feed to include but not be limited to issues with the enterprise cross-domain solution. The contractor shall activate, backup, deactivate, and restart each application’s resources and services, determine problem isolation and correction, perform certification and re-certification actions, and provide advice on operational impacts of network expansions, additions, upgrades, and reconfigurations in hardware and software suites within ten (10) business days of the Government’s request.

1.3.2.4.1.2 Standard Procurement System (SPS) Support

The contractor shall provide system administration services, which includes initial load, configuration, patch, STIG/SRG configurations, folder permission, POA&Ms, and operations and maintenance, of both production and test systems. The contractor shall recommend improvements and work closely with TCAQ and the developer on any changing requirements or updates to the servers. The contractor shall provide the following:
• Hardware maintenance with normal preventative maintenance activities

• Provide server user maintenance (e.g., create/delete users, maintain passwords, and manage permission)
• Perform and manage server and database backups/restorals
• Provide support to functional personnel on configuration actions required
• Create reports from the systems to support reporting requirements (e.g., FIAR audits, OSD initiatives)
• Perform physical server critical failure restoration. Leverage warranty for repair and/or replacement parts
• Prepare servers for periodic security scans
• Prepare any documentation that is needed to support Authority to Operate/Authority to Connect
• Integrate SPS services into the USTRANSCOM domain to leverage authentication
• Coordinate with developer (PMO) on specific changes to ensure no deprecation or regression of system

1.3.2.4.2 Task 2 Subtask 4.2: Database Administration and Support

The contractor shall provide database administration, maintenance, and optimization support for C2 and office information business applications. The contractor shall operate, maintain, and administer database servers, hardware, and software in support of network management platforms; provide technical problem solving for customer computer support of database applications, troubleshoot issues with existing or developed systems; work with the appropriate resources to resolve them; and develop database interfaces to Command and Directorate/Agency databases. The contractor shall provide database administrative support to C2 and office information business application systems.

1.3.2.4.2.1 Database Service Owner

The contractor shall be the Database Service Owner and shall provide necessary life-cycle support for the database environment. The contractor shall evaluate the existing Relational Database Management Systems (RDBMS) and any other identified software to determine its ability to continue to support USTRANSCOM requirements and provide recommendations within five (5) business days after the evaluation is complete.
1.3.2.4.2.2 Database Administration

The contractor shall provide support for installation, configuration, and migration, and perform day-to-day troubleshooting and performance monitoring of Database Management Systems (DBMS) and databases. The contractor shall provide database administration support that satisfies or exceeds established SLA and OLA agreements. The contractor shall provide administration of Enterprise-wide Oracle Relational Database Management Systems (RDBMS). The contractor shall troubleshoot and resolve issues with underlying databases during normal duty hours with a 15-minute response time from initial problem notification. The contractor will provide after-hours support on an on-call basis with a two (2) hour response time. The contractor shall create, delete, and make any necessary changes required for all database actions within three (3) business days of receiving the approved request.

The contractor shall monitor and tune the database environment on a regular basis to identify bottlenecks, capacity issues, operating system and database software-configuration issues, and remedy them. The contractor shall proactively tune the database by working closely with developers of applications that run against the database to make sure that best practices are followed, resulting in good performance. The contractor shall coordinate with software developers to perform periodic software installs and to perform full testing of new releases. The contractor shall provide operating system and administration for the operational, test bed, and training servers that support the above mentioned applications (in section 1.3.2.4). The contractor shall support and implement all relevant security patches and other directed security measures for Database Management Systems (DBMSs), as well as other miscellaneous software that may reside on servers the contractor maintains. The contractor shall develop, implement, and periodically test backup, recovery and restoration plans for databases. The contractor shall ensure data replication between different sites (primary and alternate) is kept current and meets documented service levels. The contractor shall be responsible for keeping DBMS releases of the production and alternate site systems in sync and ready for operations. The contractor shall back up systems, application software, Web content, and databases on a continuing basis and maintain off-site storage at a Government facility to ensure minimal loss of capability or data in the event of a catastrophic host or facility failure. The contractor shall maintain a restoral capability and it shall be exercised semi-annually at a minimum. The contractor shall maintain system documentation IAW Change and Configuration Management policy and procedures, and in a format mutually agreed to by the Government and contractor for existing systems and provide to Government for publishing changes within fifteen (15) business days of a major change.
The contractor shall distribute minor changes within one (1) business day of the change. The contractor shall document all final configurations within the identified configuration management system(s) within two (2) business days of the final configuration change. The contractor shall work with Release and Deployment to ensure any upgrades to the software are thoroughly vetted through the Change Management process, operate acceptably, and do not adversely affect the baseline systems. The contractor shall provide reporting of database management systems status and other reports (e.g., functional reports, Crystal reports), to customers within one (1) business day of request.

1.3.2.4.2.3 Technical Environment

The current environment contains the following types of systems:
• Windows and Unix/Linux-based MS SQL, MySQL, Oracle databases
• Oracle Real Application Clusters (RAC), Golden Gate, other Oracle tools and management suites
• Code developed with SQL, ASP, .NET, VB, and JAVA scripts

1.3.2.4.3 Task 2 Subtask 4.3: Virtual Environment and Storage Management Support

The contractor shall provide system administration of the USTRANSCOM virtual hardware and software environment to include the installation, operation, monitoring, provisioning, and maintenance of virtual environments (VMware, Citrix) (e.g., Common Computing Environment (CCE), Common Test Environment (CTE), and USTRANSCOM Cloud Environment (UCE)), Network-Attached Storage (NAS), and Storage Area Network (SAN). The contractor shall perform and document periodic hardware maintenance to keep the virtual environment and network storage components operating within functional and design specifications. The contractor shall perform hardware upgrades to include installing additional memory, peripheral devices, processors, storage, and hardware reconfiguration. The contractor shall troubleshoot the environment to correct malfunctions and restore operations in coordination with Incident Management processes. The contractor shall implement all relevant firmware upgrades, security patches, and measures for hardware, operating systems, and software. The contractor shall monitor servers, applications, and services to facilitate the early detection of incidents, impending outages, or degradations. The contractor shall work with the government to establish and enforce standards, normalize and reduce variation in the virtual environments. The contractor shall maintain master operating system configuration and server patching capability. The contractor shall develop and maintain hardware and software documentation in coordination with Configuration and Change Management policies and procedures. The contractor shall work with Capacity Management to ensure the appropriate capacity is available to meet demands on the environment. The contractor shall advise USTRANSCOM regarding any required modifications or upgrades to equipment and software. The contractor shall provide backup and recovery services on the three (3) CCE environments (high assurance, medium assurance, and low assurance) for systems requesting the service when transitioning into or already residing in the CCE environment.
1.3.2.4.4 Task 2 Subtask 4.4: Messaging and Collaboration Support

1.3.2.4.4.1 DoD (Department of Defense) Enterprise E-Mail (DEE) Support and DOD365

The contractor shall provide support for both unclassified and classified DEE and O365. The contractor shall provide Level 1, Tier I/II support as defined in the Service Level Agreement (SLA) between USTRANSCOM and DISA. The contractor shall troubleshoot any DEE/O365 e-mail issues and coordinate with DEE/O365 Service Desk (Level 2 Tier I) as necessary to escalate incidents if unable to resolve. The contractor shall provision and de-provision, maintain and troubleshoot user and non-person entities (e.g., organization boxes, distribution lists, conference rooms, equipment) e-mail accounts utilizing the DISA-provided tools (e.g., DECC Provisioning Online (DEPO) Provisioning Portal). The DEPO Portal is utilized to submit DoD Enterprise E-mail mailboxes and Non Person Entity (NPE) provisioning requests for DoD Enterprise E-mail. The contractor shall act as the Group Manager and shall be administratively responsible for Entitlement Managers within the command. The contractor shall maintain and administer the necessary unclassified mobile infrastructure (e.g., DISA DoD Mobility Classified Capability (DMCC) and DoD Mobility Unclassified Capability (DMUC)) to facilitate mobile user access to Government e-mail.

1.3.2.4.4.2 Collaboration Tools Support

The contractor shall support the Service Owner for collaboration tools (e.g., desktop text, client based Global Video Services (GVS), O365, and voice) and perform the necessary lifecycle support, configuration, and maintenance. The contractor shall review and evaluate new software releases for existing systems as well as emerging technologies and work closely with the Service Portfolio Manager to identify potential updates to the USTRANSCOM Standard Desktop Configuration (SDC). Upon a decision to implement a new version or new/changed capabilities, the contractor shall build and execute design and transition plans to bring the new/changed services online. The contractor shall provide the IT infrastructure and support the requirements for synchronous collaborative planning among USTRANSCOM staff elements, the TCCs, other COCOMs, and DoD agencies. The contractor shall coordinate and integrate collaboration applications used at USTRANSCOM (e.g., DISA Unified Capabilities (UC), SharePoint, Records Management (RM), Office Communications Server (OCS)/Lync Server, MS Teams). The contractor shall proactively manage the lifecycle of collaboration capabilities and recommend hardware and software upgrades. The contractor shall maintain configurations of web-based applications, corresponding client software, or other collaboration-related hardware and software IAW configuration management policy. When configuration changes are implemented, the contractor shall follow prescribed change management processes and assist the Government in obtaining an Authority to Operate (ATO), by developing documentation required to support the authorization packages IAW DODI 8510.01. The contractor shall provide daily operational support, and support for contingency operations, and exercises. The contractor shall troubleshoot and provide resolution for collaboration tool issues experienced by users. Problem resolution actions may include recommendations for change, user training, configuration updates, and/or coordination with other service providers (e.g., AMC, DISA) to implement necessary changes/updates. The contractor shall document all recommended/proposed and actual changes in the ITSM tool IAW Incident, Problem and Change Management processes.
The contractor shall ensure service levels are met IAW established SLAs and OLAs and take appropriate actions to resolve issues/discrepancies. The contractor shall respond to hardware or software problems within 15 minutes of initial report during on-site hours and on an on-call basis after duty hours with a two (2) hour response time to begin work.

1.3.2.4.4.2.1 UOIS Office Communications Server (OCS)/Lync

The contractor shall administer/maintain a UOIS Microsoft Office Communications Server (OCS)/Lync Service hardware and software environment in support of USTRANSCOM users. The contractor shall provision, maintain, and troubleshoot unclassified user e-mail accounts on exchange servers to support OCS. The contractor shall establish local user and group accounts and permissions necessary to support OCS services for the command. The contractor shall also assist in the migration to the DOD O365 collaboration environment.

1.3.2.4.4.2.2 SharePoint Sustainment

The contractor shall lead activities related to the functional scoping, technical development, and sustainment of a SharePoint collaborative environment and will be responsible for SharePoint site administration for a large site collection directly supporting 2900 NIPR SharePoint users and 1,250 SIPR SharePoint users. These SharePoint related responsibilities shall include (but not be limited to) management of site collections, web applications (including development and customization of new applications as needed), associated security protocols, and any necessary or system configuration. The contractor shall possess the following experience and skillsets for the enhancement/sustainment, which include JavaScript, CSS, HTML, SharePoint JSOM, ASPX, REST, SharePoint Designer, and overall Front-End Web Design. Specifically, the contractor shall perform the following tasks:
• Design and configure SharePoint site structure, metadata architecture, page layouts, security models, and configuration for a large organizational site collection.
• Maintain and administer rights and permissions for site collection administrators, site owners, and content managers.
• Develop, as needed, customized SharePoint applications aligned to organization business and functional requirements and specifications. Provide technical advice on requirements document development, and test planning if required.
• Work closely with business process owners to identify and translate business and functional requirements into technical solutions within a defined SharePoint site collection.
• Configure and administer services applications (e.g., SharePoint Search, index crawls, User Profile Import, Search Center configuration, permissions audits, etc.) at a minimum, monthly, or as defined by Command mission requirements.
• Manage disk usage across the site collection; perform maintenance activities at monthly intervals as defined by organization requirements.
• Configure sites, lists, libraries, and other features per organizational needs.
• Demonstrate ability to manage a large site collection utilizing SharePoint Designer, as well as the ability to develop and manage customized solutions based on emerging organizational needs.
• Conduct data import and transfer from external SharePoint sites.
• Implement governance and policy, and provide technical advice and recommendations to improve organizational efficiencies.
• Support the creation and troubleshooting of SharePoint user accounts, and ensure proper access as identified by the customer.
1.3.2.4.4.2.3 Records Management (RM) Sustainment

The contractor shall lead activities related to the functional scoping, technical development, Operation and Maintenance (O&M), and sustainment of the USTRANSCOM RM collaborative system and shall be responsible for RM systems administration and database administration (SA/DBA) for a large site collection directly supporting 2,500 NIPRNet RM users and 2,000 SIPRNet RM users. The USTRANSCOM RM system will be integrated to process data from the USTRANSCOM DEPS SharePoint instance hosted by DISA; the USTRANSCOM TMT instance hosted by Army PEO EIS; a local USTRANSCOM RM SA/DBA hosting environment (CPE, HCI, etc.); local USTRANSCOM file shares; and other USTRANSCOM databases as required.

1.3.2.4.4.2.3.1 Micro Focus Content Manager Administration.

The contractor shall maintain enterprise Records Management (RM) and Information Management (IM) services and Operation and Maintenance (O&M) of required applications (e.g., Micro Focus Content Manager, Enterprise Content Management, Microsoft SharePoint integration, Server Management). The contractor shall perform Micro Focus Content Manager administration duties to include:
• Support the Command Records Manager initiatives and Content Manager System Administrator projects.
• Provide input into RM program and policy development in areas or processes specific to Content Manager.
• Provide server maintenance and patching for the two on premise Control Point servers. Maintenance and patching for all other servers hosted in the DISA environment will be provided by DISA.
• O&M support for the CM, CP, and SDM applications will be required on all servers (on premise and in the DISA environment) to ensure they are available, indexing properly, being monitored, and have configuration updates as required.
• Oversee system security and data integrity, and monitor use of resources.
• Oversee system continuity of operations (COOP) mechanisms.
• Leverage experience to provide input to improvements (People, Processes, Tools, Technical) in the environment. Exhibits the capability to resolve issues independently; coordinate and communicate changes and major issues.
• Serve as the technical expert for all matters pertaining to the secure operation of the Content Manager electronic RM solution. The work requires sound knowledge of research methods and data analysis techniques.
• Documentation and management/support of system upgrade(s) and installation(s) of new features or add-ons.
• Serve as the liaison to the RM Office and the vendor and the primary point of contact for the RM solution.
• Provide local Tier 1 and 2 user support.
• Provide local user training to both groups and individuals.

1.3.2.4.4.2.3.2 Micro Focus Secure Content Management (SCM) Systems Engineering.
The contractor shall provide administration, maintenance, and support of the USTRANSCOM approved electronic Records Management (RM) applications that comprise the Micro Focus SCM capability, including Micro Focus Content Manager (CM), ControlPoint (CP), and Structured Data Manager (SDM), all on both NIPRNet and SIPRNet. As the SCM Subject Matter Expert (SME), the contractor shall consult and assist in the design and configuration of the applications for testing and approval prior to introduction to a production environment, as well as the integration with enterprise solutions such as Microsoft SharePoint, Active Directory, Exchange, and other data repositories. The contractor shall perform Micro Focus SCM systems engineering duties to include:
• Provide knowledge and expertise in all aspects of SCM configuration, to include Record Type, Retention Schedule, User Account, Security Group, and Location development.
• Design deployment packages for deployment to the enterprise.
• Maintain the Micro Focus IDOL content index and infrastructure.
• Provide server maintenance and patching for the two on premise Control Point servers. Maintenance and patching for all other servers hosted in the DISA environment will be provided by DISA.
• O&M support for the CM, CP, and SDM applications will be required on all servers (on premise and in the DISA environment) to ensure they are available, indexing properly, being monitored, and have configuration updates as required.
• Create and maintain build and procedure documents, including training on the use and configuration of the application for various skill levels.
• Contribute to the integration of the SCM applications with Microsoft SharePoint, Microsoft Task Management Tool (TMT), and other data repositories, providing records collection and search capabilities from SharePoint and other data repositories into the SCM apps.
• Research, diagnose, and troubleshoot problems with the SCM applications and resolve challenges as they arise.
• Develop and maintain storage metrics for current and long-term usage.
• Support end-users in the creation of reports and statistics on records imported to Content Manager.
• Serve as the liaison to the RM Office and the SCM vendor.
• Assist and participate in the deployment and continuous improvement of the RM program.
• Manage ControlPoint data repositories to include metadata and full content indexing, grammar configuration, scheduling, policies, and conflict resolutions.
• Maintain ControlPoint connectors – , SharePoint, Exchange, and Content Manager, including management of connector configuration files.
• Maintain Micro Focus IDOL environment and IDOL content engines.
• Provide advice and support regarding ControlPoint reporting with SQL Reporting Services.
• Provide advice and support regarding database designer tools and mapping legacy applications.
• Provide advice and support regarding databases and database formats for Microsoft SQL, Oracle, DB2, Sybase, and Java Database Connectivity (JDBC).
• Provide local Tier 1 and 2 user support.
• Provide local user training to both groups and individuals.

1.3.2.4.5 Task 2 Subtask 4.5: Directory Services

The contractor shall operate and maintain unclassified and classified Active Directory, Lightweight Directory Access Protocol (LDAP), and Identity Access Management (IdAM) services (e.g., Active Directory, SiteMinder) following best practices for Access Management. The contractor shall adhere to access policies within the configuration of systems and services and grant access accordingly. The contractor shall support access reviews and audits as required. The contractor shall perform the following administrative tasks:
• Create and manage user and computer accounts, security groups, and application-specific data
• Partner with information security team and application owners to define requirements for and support for IdAM services
• Manage permissions as authorized and prescribed by the Government
• Add and remove domain controllers
• Manage and monitor replication
• Ensure the proper assignment and configuration of operations master roles
• Perform regular backups of the directory database
• Configure forest-wide LDAP settings
• Manage the domain and domain controller security policies.
• Configure directory service parameters, e.g., setting the functional level of a forest or putting the directory in the special List-Object security mode
• Perform health check
• Provide metrics on performance
• Provide application/system support
• Maintain policy servers
• Troubleshoot and resolve incidents
The contractor shall proactively identify issues with hardware, software, or capacity, and recommend and implement approved solutions that correct the situation (following Incident and Problem Management processes). The contractor shall assess virtual and physical environments to ensure compliance with security directives, apply patches, and implement fixes as necessary IAW USTRANSCOM patch policy.

1.3.2.4.6 Task 2 Subtask 4.6: End-User Information Technology (IT) System Support

The contractor shall install, operate, and maintain end-user devices to include personal computers, monitors, virtualized clients, laptops, mobile devices, Portable Electronic Devices (PEDs) (e.g., tablet, iPhone) and peripherals (e.g., printers, multi-function device, plotters) supporting USTRANSCOM and TWCF-funded supporting organizations as required.
For all computer systems, peripherals, and other hardware devices within the scope of this task, the contractor shall support the government established technical support program to install, maintain, upgrade, replace, and in the event of a failure or degradation in performance, analyze, troubleshoot, and restore systems/devices to operational status. The government shall be the Service Owner for end-user IT systems. The contractor shall coordinate and manage all equipment installations within the scope of this task. The contractor shall collect metrics on numbers of users supported, types of support, devices supported, time required to process requests during each phase of the request lifecycle and other metrics as determined by the Government to identify trends and make process improvements. The contractor shall support design and transition activities of services they manage as required. The contractor shall document and provide knowledge articles for inclusion in the Knowledge Management and Tier 0 systems. The contractor shall, at a minimum of twice annually, provide process improvements, investment candidates, cost savings and efficiency recommendations to the Government.

1.3.2.4.6.1 End-User Device Provisioning Service 1.3.2.4.6.1.1 Request Fulfillment The contractor shall fulfill end-user devices service requests within timeframes identified in the Service Catalog and applicable Service Level Agreements. The contractor shall document actions (e.g., inventory consumption, request for change, action taken) within the ITSM tool. 1.3.2.4.6.1.2 End-User Device Loaner Program The contractor shall manage the end-user device loaner program to include process, devices, and capabilities. The contractor shall manage, maintain, and control the temporary issuance of end-user devices to USTRANSCOM personnel. The contractor shall configure devices and provide user training to ensure all systems work as prescribed. The contractor shall inform the Government of the status of the program on a periodic basis, at least quarterly. 1.3.2.4.6.2 End-User Device Operations and Maintenance The contractor shall track and provide monthly data metrics on utilization of program assets in the MSR on the 15th day of each month. The scope of this task covers all manufacturer brands of desktop and laptop computers, virtual desktop clients (e.g., thin/zero clients), PEDs, printers, and scanners and standard configurations. This task also includes the first touch USTRANSCOM network setup of multi-function (printer/copier/scanner/digital sender) devices. 1.3.2.4.6.2.1 Troubleshoot and Repair The contractor shall repair, troubleshoot, administer, and maintain end-user devices. The contractor shall apply Government approved operating system updates and/or patches. The contractor shall maintain a whitelisting capability for application for use on the desktop (e.g.). The contractor shall troubleshoot and resolve system problems or issues to increase system reliability and enhance overall system performance. The contractor shall load and configure approved client software on end-user devices as necessary to support access to services and use of peripherals.
The contractor shall configure and maintain network settings on USTRANSCOM’s end-user devices. The contractor shall remediate and resolve vulnerabilities identified during monthly security scans to ensure all USTRANSCOM end-user devices are in compliance. The contractor shall respond to Negligence Discharge of Classified Information (NDCI), formerly called Classified Message Incidents (CMIs), and take appropriate action to remediate issues. The contractor shall respond to incidents in the performance of this subtask IAW paragraph 1.6, Incident Priority and Escalation Matrix. The contractor shall document maintenance actions in the ITSM system. The contractor shall provide remote and/or desk side support to USTRANSCOM users to aid in the implementation of new capabilities, resolution of software problems, and assist in troubleshooting issues associated with accessing and utilizing servers and peripherals. When required, the contractor shall transport workstations to and from customer work area within one (1) business day for on-site customers and two (2) business days for customers off-base within the local area, configure and connect workstation, and test workstation for functional operation. The contractor shall support Problem Management activities and document work-arounds, and identify the root causes of problems. The contractor shall support the Event Management process by providing thresholds and key performance indicators to monitor end-user device service. The contractor shall respond to alerts when received and take appropriate action. The contractor shall maintain a list of equipment under warranty. The contractor shall use warranty repairs for
equipment under warranty. The contractor shall be the Government’s point-of-contact to contact the appropriate manufacturer, obtain replacement parts, and return the defective system or components to the manufacturer in accordance with manufacturer’s disposition instructions. The contractor will follow asset management processes. End-user device support may be extended to 24 hours per day and 7 days per week during real-world events, contingencies, exercises, or as requested by the Government. 1.3.2.4.6.2.2 Functional Area Communications and Computer Systems Manager (FACCSM) Program The contractor shall manage USTRANSCOM Functional Area Communications and Computer Systems Manager (FACCSM) program. The contractor shall be the Command FACCSM and shall advise the Government on program status and recommended changes. The contractor shall set up and break down hardware and software required to support USTRANSCOM locally hosted conferences (e.g., Time-Phased Force Deployment Data (TPFDD) Refinement conference, Force Flow conference), and shall also monitor and provide IT support throughout the duration of conferences. 1.3.2.4.6.2.3 Computer Equipment Lifecycle Program (CERP) The contractor shall track and manage the lifecycle of Government computer equipment and associated devices IAW the CERP identified in USTCI 33-16. The contractor shall provide the Government with annual projection of hardware requirements based on life cycle expectancy and warranty expiration no later than 1 June for each period of performance. Prepare inoperable or lifecycle depleted computers for turn-in. The contractor shall remove magnetic media, degauss media IAW degaussing device manufacturer directions, and wipe media IAW Government instructions; track degaussing/wiping activities in a log; and transfer to Inventory Control Team for disposition. The contractor shall provide the degaussing function for USTRANSCOM users and additional Scott AFB organizations when requested and as available.
1.3.2.4.6.2.4 Computer System Maintenance and Logistics Support The contractor shall provide life cycle support (equipment in use beyond warranty, excluding end-user devices) for unclassified and classified USTRANSCOM C4 infrastructure located at Scott AFB, IL, and the COOP sites. A list of equipment in use beyond warranty shall be maintained by the contractor and updates provided to the government within five (5) business days of any change. The Government will provide an initial list and the contractor shall validate the list no later than ten (10) business days after contract start. The contractor response time from Government notification is 24 hours to start work on location, excluding weekends and holidays. Expected restoral is within 48 hours, excluding weekends and holidays, after work start. Maintenance under this category shall not be required during other than principal period of maintenance (PPM) periods. Out-of-warranty equipment is “per call” and includes materials, tools, diagnostics, test equipment, documentation, and travel. Replacement parts or equipment shall be acquired IAW paragraph 3.4. The Government estimates approximately five (5) calls per year. As previously stated, there may be occasional situations where the Government will waive the specified repair time. This will occur when there is no impact on the mission and it is cost advantageous for the Government to wait for the shipment of replacement
parts. 1.3.2.4.6.2.5 Mobile Device Support Services The contractor shall establish and manage a Wireless communications and Mobile device program for both the unclassified and classified devices at USTRANSCOM IAW USTRANSCOM Policy Directive (USTCPD) 33-10. The contractor shall assign a primary and alternate Personal Wireless Communications System (PWCS) Equipment Custodians (PEC), IAW AFMAN 17-1203, and maintain accountability of devices. The contractor shall provide PED/mobile device (e.g., tablet, iPhone) support to include issuing, configuration, testing, activation/deactivation of handheld devices, fundamental mobile device familiarization training provided on an individual basis, system sanitization and basic troubleshooting, logistical support, and corrective actions. Currently DISA provides our Mobile Device Management System. The contractor shall provide all aspects of program maintenance, including recommending hardware and software upgrades and life-cycle replacement, drafting policies and procedures, and the implementation and integration of new wireless services and technologies. The contractor shall provide mobile devices with worldwide capabilities to USTRANSCOM senior-level executives, as required. The contractor shall ensure USTRANSCOM and National Security Agency directives for security and configuration are met for applicable devices. The contractor shall submit and/or provide solution recommendations within three (3) business days of the Government’s request, at a minimum annually no later than 1st working day of June each year. The contractor shall produce an implementation plan for approved requirements within five (5) business days of approval. The contractor shall review and track billing and device/phone plan costs on a monthly basis. The contractor shall perform an annual revalidation of all issued user devices to include hardware inventory and recommending changes to specific mobile access plans (increasing, decreasing, or eliminating).
The contractor shall provide an annual revalidation report no later than 1st working day of February each period of performance. The contractor shall respond to customer service requests and inquiries using the ITSM tool IAW paragraph 1.6, as applicable. After duty hours, the contractor shall respond within two (2) hours from time of notification and begin work. 1.3.2.4.6.3 Virtual Desktop Infrastructure (VDI) Support The contractor shall configure, maintain and sustain a VDI Solution as a desktop service. The contractor shall be responsible for application packaging and virtualization, deployments, documentation, and release control. The contractor shall perform Operating System (OS) image development and endpoint configuration in support of virtualized desktop utilizing Government provided tools (e.g., VMWare Horizon, ProfileUnity, FlexApp). The contractor shall sustain baseline OS image and patch level as well as maintain VMWare snapshots and clones. The contractor shall develop and sustain virtualization of applications, to include but not limited to create/maintain/update application packages, test application packages, build user profiles, configure application settings, and create/maintain user access controls. The contractor shall create and maintain VDI pools for user communities. The contractor shall develop and maintain Standard Operating Procedures for VDI Environment. The contractor shall provide all aspects of program maintenance including recommending hardware and software upgrades and life-cycle replacement, drafting policies and procedures for Government approval, and the implementation and integration of new/changes to services and
technologies. 1.3.2.4.6.4 Command-wide Functional Area Communications and Computer Systems Manager (FACCSM) / Client Support Administrator (CSA) Support The contractor shall perform duties as the primary FACCSM / Client Support Administrator (CSA) in support of USTRANSCOM work environment for both Unclassified and Classified environments (i.e., NIPRNet and SIPRNet). The contractor shall support TCJ3, TCJ6, TCJ8, TCJ5/4, and TCAQ directorates in their associated work locations from 0700 – 1600, daily and shall provide on-call support as requested with a two (2) hour response time. Support for this subtask may be extended to 24x7 during real-world events, contingencies, exercises, or as required by USTRANSCOM. The contractor shall provide and assist with IT requirements. The FACCSMs/CSAs shall perform the following duties:

• Maintain workstations, laptops, associated multi-function devices, printers, phones, and conference room communications equipment located throughout the directorate locations in Bldgs. 1700, 1900E/W, 1961, 1991 and other designated locations (e.g., Fusion Center floor, Force flow conference center). This includes a monthly validation to ensure workstations are operational and ready for use.
• Provide FACCSM/CSA support for Force Flow conferences (e.g., support conference attendees' needs, assist with account creation)
• Maintain laptops for source selection
• Install approved non-standard software on pertinent workstations
• Keep non-standard software up-to-date with patches
• Perform NIPR to SIPR document transfers, SIPR to NIPR document transfers (SIPR burn privileges)
• Assist with creating self-extracting files for burning to CD
• Provide support and troubleshooting for end-user device issues and problems
• The contractor shall serve as an inventory account custodian, performing accountability checks as directed
• Request network file access
• Request modification of file permission for personnel moving between offices
• Interface with Service Desks to resolve issues and report incidents
• Provide desk-side and telephone customer support (to include one-on-one training)
• Manage distribution lists as needed
• Assist with workstation moves, printer mappings
• Provide IT support both hardware and software (to include support for teleworkers)
  o Replace printer toner cartridges
• Assist with conference room AV equipment issues
• Perform SIPR token trusted agent duties; assist with processing SIPR tokens and resolving problems
The contractor shall have a working knowledge of common desktop/laptop operating systems, software applications (e.g., Microsoft Office), and graphical data representation and data
modeling tools (\). The contractor shall provide users with basic operating and application assistance. 1.3.2.4.7 Task 2 Subtask 4.7: Key IT Support Staff (KITSS) The contractor shall provide special Command, Control, Communications, and Computer (C4) support for implementing and maintaining C4 executive-level information technology services, including but not limited to mobile/wireless computing and telecommunications support to USTRANSCOM their immediate support staff, USTRANSCOM Liaison Officers (LNOs) located at various Combatant Commands throughout the world, and other senior managers approved by the USTRANSCOM Chief of Staff (TCCS). The service provided to the LNO shall be in accordance with standing Command Arrangement Agreements (CAA). The contractor shall assist with market research, perform testing, and implement C4 technical solutions supporting senior leaders, their support staff, and LNOs for both unclassified and classified command and control requirements. The contractor shall assist the Government develop new requirements and associated documentation for new/upgraded C4 capabilities. The contractor shall submit draft requirements to Service Portfolio Management, Change Management, and/or Request Fulfillment management as applicable. The contractor shall act as the liaison for coordinating communications and computer support requirements for commanders’ visits across the globe. The contractor shall monitor and report planned, unplanned, and potential system outages to senior-level executives for coordination and approval. The contractor shall provide executive-level users with off-station unsecure and secure remote access services (e.g., Executive Communication Kit (ECK), dial-up, (VPN)), to include support to USTRANSCOM classified network. This service must allow full access to network resources, including but not limited to email, network folders, and worldwide Web browsing capabilities, etc. 
The contractor shall report all issues IAW established processes/policy. The contractor shall provide set-up and configuration of end-user devices, appropriate software, and troubleshooting diagnosis of equipment required for remote access. The contractor shall perform operational checks on C4 end-user devices prior to Temporary Duty (TDY) assignments. The contractor shall be knowledgeable on the technical/architectural requirements associated with communications interfaces and supporting network infrastructures. The contractor shall repair, troubleshoot, administer, and maintain C4 end-user devices and services, ensuring activity integration with prescribed Event, Incident, and Problem Management processes. The contractor shall create, delete, and maintain network accounts (unclassified and classified), and e-mail accounts; configure, support and troubleshoot desktops, laptops, personal electronic devices (PEDs), software, printers, desktop Video Teleconferencing (VTC) equipment, other peripherals, and network connectivity; and support remote access program for both the classified and unclassified local area networks, including on-base quarters for directors and above. The contractor shall provide continuous support to Flag/General Officers and Very Important Persons (VIPs) five (5) business days per week, and on-call as required. Support may be extended to 24 hours per day and 7 days per week during real-world events, contingencies, major exercises, or upon Government request. Response time during on-call periods shall be no more than two (2) hours to begin work on-site. 1.3.2.4.7.1 USTRANSCOM KITSS The contractor will perform the above tasks in support of USTRANSCOM. Core on-site hours are
from 0600 to 1700, Monday through Friday. On-call hours are from 1701 to 0559, Monday through Friday, and 24 hours per day during weekends and holidays. The Government estimates four (4) trips per year in support of this task. 1.3.2.5 Task 2 Subtask 5: Network Infrastructure Management The contractor shall provide Operations and Maintenance (O&M) support for the USTRANSCOM network infrastructure (either physical or virtual). This infrastructure includes multiple, disparate Tier I and Tier II network architectures. The contractor shall operate, monitor, manage, maintain, install, and troubleshoot USTRANSCOM network infrastructure devices and services within the scope of this task. The Government estimates between six (6) and eight (8) trips annually in support of this task. 1.3.2.5.1 Task 2 Subtask 5.1: Network Infrastructure Support The contractor shall install, operate, maintain, monitor, manage, and troubleshoot USTRANSCOM’s classified and unclassified networks (e.g., routers, switches, cabling, etc.). The contractor shall support all networking backbone (physical, data, network, transport, and session layers of the OSI model) issues between internal Scott AFB networks, including USTRANSCOM, Air Force, SDDC, and external networks as required. 1.3.2.5.1.1 Design and Document The contractor shall document and maintain accurate enterprise network architecture diagrams (physical and logical), equipment room layouts with rack elevation diagrams, inside and outside plant specifications, and hardware configuration utilizing government provided tools (e.g., Visio, CMDB) with 98% accuracy, documenting all changes within two (2) business days of receipt. The contractor shall make changes in accordance with change and configuration management processes, within the prescribed process timelines. The contractor shall ensure network architectures are synchronized with enterprise level architectures, as applicable.
The contractor shall perform quarterly reviews and provide reports on architecture synchronization metrics encompassing, but not limited to, number of network architecture reviews performed and number of resulting changes performed. The contractor is responsible for maintaining a repository of the authoritative source for all diagrams and documentation. All documentation shall comply with the Department of Defense Architecture Framework (DoDAF). The contractor shall coordinate and work closely with Enterprise Engineering, Program Engineering and Tier III to provide network capability for USTRANSCOM mission. The contractor shall maintain networks in accordance with applicable STIGs/SRGs, National Security Agency (NSA), CNSS, NIST, DOD, USTRANSCOM guidance, and commercial best security and engineering practices. 1.3.2.5.1.2 Lifecycle Plan

In support of the infrastructure service owner, the contractor shall recommend and perform approved infrastructure lifecycle management activities. The contractor shall coordinate with the government for future infrastructure designs and needed capabilities for the CCE or Joint Information Environment (JIE), Defense Transportation Systems and the Joint Deployment and Distribution Architecture-Enhanced (JDDA-E). In coordination with Service Portfolio Management, the contractor shall establish and maintain a three (3) year service lifecycle plan to include opportunities for implementing new technologies, increased efficiencies and improved
service. The contractor shall coordinate plans with the Government and implement approved system and network design changes, system upgrades or equipment replacement utilizing applicable ITSM processes. The initial lifecycle plan shall be presented to the Government within 90 calendar days of contract start and updated semi-annually thereafter (i.e., April and October). The lifecycle plan shall include a detailed annual equipment spend-plan delivered to the Government as per the IT Financial Management process. 1.3.2.5.1.3 Install and Maintain The contractor shall install and maintain the network transport medium (i.e., fiber, wireless, copper) to include user access drops at their desks. The contractor shall operate, proactively monitor, and maintain network connectivity within and between USTRANSCOM buildings, other Scott AFB buildings (as designated by the Government), Senior Officer Quarters, and network extensions to off-site locations. The contractor shall perform cryptographic circuit maintenance as required. The contractor shall minimize disruption of day-to-day operations for planned upgrades IAW the USTRANSCOM ASI process. The contractor shall maintain an annualized availability rating of 99.75% (metrics collected and reported monthly in MSR), not to include scheduled maintenance windows. The contractor shall operate, maintain, and manage both secure and non-secure wireless communication infrastructure equipment and service within USTRANSCOM buildings. Examples of equipment and services include, but are not limited to, access points, wireless LAN controllers, security devices and applications, mobile device managers, and other related equipment and software used in providing wireless services. The wireless service is considered part of the USTRANSCOM network. 
/Commercial National Security Algorithm Suite (CNSA) Suite The contractor shall provide support for Domain Name Server (DNS) and Simple Mail Transfer Protocol (SMTP) capability for classified and unclassified networks to support USTRANSCOM. The contractor shall maintain inbound and outbound SMTP Gateway servers to support email traffic to and from the unclassified TRANSCOM.MIL/USTRANSCOM.MIL/TRANSPORT.MIL and classified TRANSCOM.SMIL.MIL / USTRANSCOM.SMIL.MIL / TRANSPORT.SMIL.MIL domains. The contractor shall configure and manage Internet Protocol (IP) address space and VLANs, issue IP addresses for new equipment/workstations and troubleshoot IP address issues with outside agencies. The contractor shall configure and maintain USTRANSCOM Commander’s Travel Kits that provide both classified and unclassified network capability over broadband, Integrated Services Digital Network (ISDN), and internet connections while on the road. The contractor shall review and provide technical solutions and costing (TS&C) for network centric service requests within three (3) business days of the request. The contractor shall implement approved network centric service requests within ten (10) business days of approval, provided the necessary hardware is available. The contractor shall respond to service desk incident and request fulfillment actions in the performance of this subtask IAW paragraph 1.6. The contractor shall provide support for this subtask on an on-call basis after duty hours with a two (2) hour response time to begin work. 1.3.2.5.2 Task 2 Subtask 5.3: Telephone Support Services The contractor shall perform Telephone Control Officer (TCO) duties IAW USTCI 33-12. The contractor shall act as the focal point for all telephone-related matters, including but not limited to
requests for new telephone service, changes to existing services, and relocation of existing phones. The contractor shall maintain an inventory of Government provided replacement phones: POTS (plain old telephone system) and VoIP/VoSIP (Voice over Internet Protocol/ Voice over Secure Internet Protocol) for all break/fix actions. The contractor shall coordinate with the Government to refill stock of phones when it falls below the pre-determined level of Government agreement. The contractor shall submit, track, and manage telephone service requests (TSRs) through the host base directed system/method. The contractor shall submit updates to the base telephone directory and Defense Red Switch Network (DRSN) telephone directory and provide USTRANSCOM user phone familiarization training upon request. 1.3.2.5.3 Task 2 Subtask 5.4: Long Haul Communications

The contractor shall manage the USTRANSCOM Long Haul Telecommunication program. The contractor shall submit, review, and validate all telecommunication requirements via the DISA Direct system or similar tracking system. The contractor shall coordinate telecommunication requirements with the 375th Communications Squadron, Air Force Long Haul Telecommunications office, Defense Information Systems Agency (DISA), and Defense Information Technology Contracting Office (DITCO), as required. The contractor shall evaluate requirements submitted through the requirements process or similar tracking systems. The contractor shall support technical conclusions for customer requirements, relative costs, and advantages of alternate approaches, lead times, and supporting requirements. The contractor shall negotiate with customers concerning modifications of requirements to reduce anticipated technical problems, excess costs, and schedules for required services. The contractor shall semi-annually review and validate all long-haul circuits (Communication Service Authorization) utilized by USTRANSCOM. The contractor shall work with the Government to re-award circuits when current vendor contracts expire. The contractor shall assist the Government in maintaining records on all circuits owned by USTRANSCOM.

1.3.2.6 Task 2 Subtask 6: Visual Information Services 1.3.2.6.1 Task 2 Subtask 6.1: USTRANSCOM Audio Visual (AV) and Video Teleconferencing (VTC) Operational Support The contractor shall set up, test, and operate Audio Visual (AV) systems within USTRANSCOM IAW USTCI 33-7. The contractor shall set up, execute, and take down fixed and portable Video Teleconferencing (VTC) service and equipment in support of USTRANSCOM mission requirements. This effort will not include the operation and maintenance support of the Joint Worldwide Intelligence Communications System (JWICS), Joint Executive Video System (JEVS), or the Political Advisor’s (POLAD) VTC system. As issues arise, the contractor shall open and track incident tickets as applicable, utilizing the Government-provided ITSM tool suite. USTRANSCOM has ~170 AV/VTC studios, conference rooms, digital signage, desktop VTCs, operation centers across Scott AFB, IL; ~14 NIPRNet/SIPRNet studios are located at Norfolk, VA; and 1 SIPRNet VTC suite is located in Washington, D.C. The contractor shall provide operational support for AV/VTCs during normal duty hours as outlined in paragraph 3.1. The contractor shall provide support during extended hours from 0430-0730 and 1630-2200 when scheduled in advance IAW USTRANSCOM Instruction 33-7. The contractor shall provide on-call support as requested with a two (2) hour response time. Support for this subtask may be extended to 24x7 during real-world events, contingencies,
exercises, or as required by USTRANSCOM. The contractor shall identify a focal point to the Government for this task. The focal point shall be available during normal duty hours listed in paragraph 3.1. The contractor shall provide inputs IAW paragraph 1.3.1.2 to include metrics and provide analyses on equipment installation activities, trouble tickets, and incidents (with special attention to senior leader level issues in a weekly activity report). 1.3.2.6.1.1 Task 2 Subtask 6.1.1: Audiovisual (AV) Support The contractor shall provide operational support of AV systems in USTRANSCOM conference rooms, training rooms, auditoriums, senior leader offices, video walls (e.g., 1900E Lobby, Rear Lobby), signage systems, and command center work areas in USTRANSCOM facilities on Scott AFB. The contractor shall provide user assistance and instructions for operating USTRANSCOM AV systems on Scott AFB. The contractor shall provide, manage and keep current knowledge articles as applicable via the Government provided Knowledge Management System. The contractor shall provide on-site AV support, to include briefing assistance, for USTRANSCOM Commander (TCCC), USTRANSCOM Deputy Commander (TCDC), and USTRANSCOM Chief of Staff (TCCS) attended briefing events at USTRANSCOM facilities on Scott AFB. The contractor shall provide on-site AV support, to include but not limited to, briefing assistance for all events (e.g., meetings, briefings, distinguished visitor visits, award ceremonies, retirement ceremonies, and command presentations) in the Seay Auditorium and Heritage Hall (Building 1900E). 1.3.2.6.1.2 Task 2 Subtask 6.1.2: Video Teleconferencing (VTC) Support The contractor shall provide operational support of both portable and fixed USTRANSCOM secure and non-secure VTC systems. The contractor shall setup/configure USTRANSCOM VTC systems. 
The contractor shall manage scheduling and provide operational assistance, as needed, for conference initiation to VTC customers IAW USTRANSCOM policy/guidance. The contractor shall perform Tier-I on-site first-line troubleshooting and equipment repair or replacement to restore operational capability to VTC. The contractor shall re-key crypto devices, as needed. The contractor shall provide user assistance and instruction of USTRANSCOM VTC systems to include VTC participation professionalism such as microphone operation and hazards, general courtesies, and camera presence. The contractor shall provide on-site VTC support, to include facilitator support, for all USTRANSCOM Commander (TCCC), USTRANSCOM Deputy Commander (TCDC), and USTRANSCOM Chief of Staff (TCCS) attended VTC events in USTRANSCOM facilities on Scott AFB. The contractor shall provide utilization metrics for VTCs, compiled monthly and annually, that document the number and hours of VTCs completed by classification and the number of VTC sessions per conference room. For contractor-operated VTC sessions, the metrics shall also document the number of cancelled VTC sessions and the number of VTC events per hour per day. Monthly metrics shall be provided in their Monthly Status Report (MSR). 1.3.2.6.1.3 Task 2 Subtask 6.1.3: Server and Multipoint Control Unit (MCU) VTC Support The contractor shall provide operational and maintenance support of Internet Protocol (IP) VTC Multipoint Control Units (MCUs), network traversal systems and software, VTC suite management
systems. The contractor shall analyze IAVAs for applicability related to VTC equipment, and maintain patching and configurations for MCUs IAW Change and Configuration Management policies and procedures. The contractor shall also create and maintain Certification and Accreditation (C&A) documentation and status. 1.3.2.6.1.4 Task 2 Subtask 6.1.4: Communications Security (COMSEC) Responsible Officer (CRO) Duties and Secure Voice Responsible Officer (SVRO) The contractor shall provide primary CRO and alternate CRO(s) as required to manage COMSEC material necessary for classified AV/VTC communication encryption within the AV/VTC support team. The contractor shall provide primary SVRO and alternate SVRO(s) as required to manage Secure Telephone Equipment (STE), Secure Telephone Units (STUs), and material necessary for classified voice communication encryption within the AV/VTC support team. 1.3.2.6.2 Task 2 Subtask 6.2: USTRANSCOM, SDDC and JECC AV/ VTC Maintenance and Engineering Support The contractor shall design, program, install, test, and maintain AV/VTC technologies within USTRANSCOM (70%), SDDC (20%), and JECC (10%) facilities. The contractor shall design and provide technical engineering, documentation, and program support for USTRANSCOM and SDDC AV/VTC capabilities. A manufacturer-certified master programmer (e.g., Crestron) must perform all control system programming. The contractor shall not have a conference room scheduled to be down for more than four weeks without prior negotiation with the Government and an approved ASI. While USTRANSCOM conference rooms and VTC studios are dispersed throughout the USTRANSCOM campus of buildings, design and technical engineering support will be required at locations at Scott AFB, IL; Norfolk, VA; and Washington, D.C. SDDC will require design and technical engineering support at locations on Scott AFB.
The contractor shall provide AV/VTC Maintenance and Engineering support during normal duty hours from 0730–1630, Monday through Friday, excluding federal holidays. The contractor shall minimize impact to operations for repairs or installations, as much as possible. The contractor shall provide a method of calling or recalling personnel to support unscheduled or emergency maintenance requirements as determined by the government. The contractor shall provide and maintain a delivery schedule for each project/initiative they work, utilizing the Government-provided project management tool. At a minimum, the contractor shall record a breakdown of hours expended against each project/initiative by skill set on a weekly basis. The contractor shall provide this information in the MSR. The contractor shall work projects/initiatives based on the documented, prioritized project list established by the Government. The contractor shall provide Tier I/II support for cable television trouble calls to verify proper television configuration for USTRANSCOM and SDDC locations on Scott AFB. Cable television issues determined to be beyond the local display or AV system shall be reported to the government cable television representative for action. The contractor shall also provide escort services to the cable television representative for trouble calls as available. The contractor shall mount necessary shelving and connect audio and video cables as necessary for proper operation of the display. The contract shall track and manage all cable television locations and will schedule a trouble call with the cable provider with input from the contractor. The cable television location and user will be reported to the government on a quarterly basis or as required by the TCCS.


1.3.2.6.2.1 Task 2 Subtask 6.2.1: USTRANSCOM AV/VTC Maintenance and Engineering Support

The contractor shall provide all levels of on-site maintenance and repair for all AV/VTC systems (to include but not limited to desktop VTC, portable, and PC-based (e.g., Global Video Services (GVS))) to the device level. This includes diagnostics, removal, replacement, security requirements, engineering changes, engineering recommendations, and evaluations, Original Equipment Manufacturer (OEM) interface for repairs, replacement, and warranty issues, programming and configuration of control systems, audio processors, displays, fiber matrix switches, and all other components used for AV/VTC systems. The contractor shall update the AV/VTC systems as required to adapt new technologies into existing systems as required by the Government. The contractor shall develop recommendations to include professional grade equipment upgrades, installation methods and practices, data communication methods and practices, and updating of system operation guides IAW suspense assigned by Government. The contractor shall create, maintain, and provide operating instructions to the VTC operations team and customers for VTC rooms not manned by VTC operations. The contractor shall document and publish operator level instructions for AV systems as part of the deliverables for any change or upgrade to a VTC system. The contractor shall submit required documentation for firewall modifications or gateway systems and provide technical advice to the customer on operations and configurations of the systems. The contractor shall ensure desktop VTCs (both NIPRNet and SIPRNet) are configured to comply with the USTRANSCOM Standard Operating Procedures (SOP), exercise maintenance contracts, update firmware, and troubleshoot connections. The contractor shall maintain and update the VTC architecture, to include a graphical representation, and document them in accordance with configuration management processes.
The contractor shall provide access to the architectures in a format that can be modified by the Government. The contractor shall develop and maintain AV/VTC assessment and authorization (A&A) products/documentation for connection approvals and supporting authorization activities IAW DODI 8510.01. The contractor shall update firmware to the approved/recommended versions as required. The contractor shall utilize the available GFE test equipment to provide troubleshooting to the device level. The contractor shall remove and ship defective devices to the manufacturer for warranty repair or out-of-warranty repair as required. The contractor shall interface with the equipment manufacturers as necessary for AV/VTC systems to replace defective equipment, and obtain parts, firmware, and software updates, for warranty and non-warranty issues. The contractor shall ensure accurate and timely updates to ITSM tools and provide any after action reports for service interruptions as required by the Government. The contractor shall perform and document preventative maintenance on equipment suggested by the manufacturer. The contractor shall perform equipment alignments, calibrations, and system updates. All video wall systems will be aligned by a certified commercial Imaging Science Foundation (ISF) professional for re-alignment of video systems when required. The contractor shall provide annual proof of current programming certifications (e.g., Crestron) from OEMs to government. The contractor shall engineer, design, program, integrate existing, and install new AV/VTC systems. The contractor shall perform annual reviews of installed AV/VTC equipment and provide recommendations for upgrading equipment no later than 31 March of each period of performance. The contractor shall submit AV/VTC designs and project schedule to the Government for review and approval in a timely manner in accordance with government priorities. Any changes to the design shall be coordinated with the Government prior to implementation. The contractor shall comply with configuration management and change management processes and practices. The contractor shall provide a copy of the programming code in a usable and modifiable format within thirty (30) business days of implementation. The contractor shall perform modifications to office furniture (e.g., tables, podiums) and provide recommendations for new cabinetry to house AV/VTC systems. The contractor shall maintain and manage all AV/VTC control systems and audio processor software, system drawings, and other documentation in support of engineering design. The contractor shall develop and maintain documentation that includes but is not limited to system drawings, parts breakdown with price estimates, touch panel layouts, requirements documentation in a repository, circuit actions, comprehensive test plans, and completion schedules. The contractor shall conduct an acceptance test with the Government representative to ensure proper operation of the system/facility in accordance with the approved project schedule. The contractor shall clean the area at the end of each day. The contractor shall ensure the room is scheduled in advance. The contractor shall provide technical assistance to the Test Lab in the development and testing of new or modified equipment. The contractor shall ensure asset configuration management processes are followed. The contractor shall support the integration of the DISA-provided collaboration tool, currently Defense Collaboration Services (DCS), into existing AV/VTC systems.

1.3.2.6.2.2 Task 2 Subtask 6.2.3: SDDC AV/VTC Maintenance and Engineering Support

The contractor shall perform the same tasks as described in section 1.3.2.6.2.1 above.
1.3.2.6.2.4 Task 2 Subtask 6.2.4: JECC AV/VTC Maintenance and Engineering Support

The contractor shall perform the same tasks as described in section 1.3.2.6.2.1 above.

1.3.3 Task 3: Service Support (Service Strategy, Design and Transition)

The contractor shall perform Service Support for the services and functional areas & capabilities in the scope of this contract. The contractor shall be responsible for effective and efficient management of supporting capabilities and processes. The contractor’s responsibilities shall include the following areas/processes:
• IT Service Portfolio Management
• Business Relation Management
• Demand Management
• IT Financial Management Support
• Service Asset and Configuration Management
• Application Portfolio Management
• Service Design Support
• Service Catalog Management
• IT Project Management
• Service Level Management
• Availability Management
• Capacity Management
• IT Service Continuity Management
• Change Management
• Technical Management & Oversight
• Design and Transition Planning and Support
• Release and Deployment Management
• Service Evaluation and Testing
• Tool Support & Tool Portfolio Management
• IT Knowledge Management
• CSI Support

The contractor shall attend meetings or conferences held at USTRANSCOM, SDDC, or other locations as identified by the Government, and provide meeting/conference minutes IAW paragraph 1.3.1.6. The contractor shall provide weekly accomplishment as inputs to WAR IAW 1.3.1.2.

1.3.3.1 Task 3 Subtask 1: Service Portfolio Management

1.3.3.1.1 Task 3 Subtask 1.1: IT Service Portfolio Management

The contractor will assist the Service Portfolio Manager in operating the Service Portfolio Management (SPfM) process. The SPfM process requires continual re-evaluation of existing, improved or retired services to adapt to changing business conditions. This will be accomplished through rigorous planning and analysis based on comprehensive business information, such as leveraging top-down Business Service Management (BSM) analysis, an approach for managing IT from the perspective of the business. The contractor shall develop and/or maintain full process documentation (e.g., roles and responsibilities, Inputs/Outputs, Process Flows) for Government approval upon request. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare briefings and supporting materials no later than 48 hours prior to any presentation. At a minimum, the contractor shall perform a semi- process review and recommend Continual Service Improvement (CSI) initiatives/opportunities for consideration to the Service Portfolio Manager & CSI Manager as required. The contractor will aid the manager by performing the activities in sections 3.1.1.1-3.1.2.
1.3.3.1.1.1 Define the IT Service Portfolio

The contractor shall collect information and inventories of existing services, identify and define the requirements for the requested service, review or establish the business case for implementing the service, and maintain this information for each service in the portfolio. The contractor shall build the business case for a proposed new service, within ten (10) business days of the completion of requirement definition. The inputs to Service Portfolio include inputs from the business/customers (BRMs and the IT Governance process), inputs from Strategy, and inputs from CSI.

• To gather and manage the inputs from business, the contractor shall be responsible for the execution of USTRANSCOM IT Service Governance process IAW USTRANSCOM Policy Directive 33-32, Chief Information Officer (CIO) Program, and USTCI 8200.02, Information Technology Service Management, (e.g., IT Service Portfolio Management Process, IT Services Working Group (ITSWG)) to include meeting scheduling, meeting minutes, & creating/facilitating material for decision/discussion.
• To gather and manage inputs from Strategy, the contractor shall be the liaison between the J6 Enterprise Strategy team and the Service Portfolio Manager. The contractor will also be the point of contact and facilitator for the receipt, processing, and transmission of Strategy-related IT activities which require alignment with the IT Service Portfolio. Additionally, the contractor shall help develop and update service strategies.
• To gather inputs from CSI, the contractor shall work in close coordination with the CSI Manager to select CSI initiatives for processing by the Service Portfolio Management Process at the direction of the IT Service Portfolio Manager.

1.3.3.1.1.2 Analyze the IT Service Portfolio

The contractor shall work with the Service Portfolio Manager, BRMs, Customers, Service Owners, USTRANSCOM IT engineering, J6 IT operations management, and IT Financial Management to perform required analysis of the as-is service portfolio and any proposed service change. In order to fulfill this task, the contractor shall perform, but not be limited to, strategic portfolio reviews that consist of the following:
• Performing a strategic assessment of the benefits and potential value generation of the IT services.
• Review the long-term business goals & IT Strategy and determine what services are required to meet those goals. The Portfolio review will include a detailed analysis of Portfolio alignment to established organizational goals. The contractor will then analyze the requested service for financial viability, operational capability, and technical feasibility to determine how the organization is going to achieve the desired state. The result of the analysis shall be presented to the Portfolio Manager. At the direction of the Portfolio Manager, the contractor shall create, publish, and maintain the Service Portfolio Plan, which is reviewed and adjusted semi-annually.
• With service portfolio analysis complete, the contractor shall identify and make recommendations on services that provide the same or similar functions to avoid duplicating services.
• Assist the Service Portfolio Manager by analyzing the organization’s business needs and ability to expand its offerings. Recommend which services to run as usual and which to transform into new services. The contractor shall also make recommendations to retire services that no longer meet minimum technical and functional objectives.
• Additionally, the contractor shall work with the above teams to identify total cost of each service provided within the Service Portfolio. The contractor shall document these service costs within the service catalog in coordination with the IT Service Catalog team.

In order to fulfill this task, the contractor shall perform proposed change analysis that consists of but is not limited to the following:
• The contractor shall provide analysis and be the facilitator for proposed new or changed services within the Government provided governance. The contractor shall also process and track portfolio or service change proposals through their lifecycle utilizing the USTRANSCOM governance process (e.g., Service Portfolio, Change management) to deploy new and enhanced services into operation with minimal risk.
• The contractor shall review and ensure proposals are in alignment with the long-term business goals & IT Strategy. The contractor shall perform the triage assessment of new/changed service proposals by working in conjunction with Change Management and Service Catalog Management.
• As part of change analysis, the contractor shall assess and subsequently identify any service change proposal that provides the same or similar functions as existing service to avoid duplicating services.
• Oversight and reporting for planning and developing new and enhanced services for requests that have been approved

1.3.3.1.1.3 Approve Services and Service Changes

The contractor shall prepare all major service change proposal packages for decision by the Service Portfolio Manager or other decisional bodies (e.g., CSCB, ECCB, MAM) as directed by the Service Portfolio Manager. The service change proposal shall be prepared for decisional actions such as, but not limited to, retaining, replacing, renewing, or retiring the services. The contractor shall coordinate and facilitate the movement of proposals through the service management process outlined in USTCI 8200.02. As required, use the inputs from technical solution Courses of Action (COAs) generation (TCJ6 Engineering team), IT Financial Management, and others, to prepare a business case analysis that ensures complete service lifecycle, impacts to service operations, sustainment, training and other holistic service model and costs are considered.
As a result of proposal inputs, the contractor shall, in conjunction with the Service Catalog team, ensure all proposals are properly documented in the service pipeline, service catalog, and retired services.

1.3.3.1.1.4 Charter the Service Additions, Deletions, or Changes

When additions, deletions, or changes to services are approved, the contractor shall communicate the results and action items to the organization to implement service or service portfolio changes.

1.3.3.1.2 Task 3 Subtask 1.2: Business Relationship Management

The contractor shall use best practices and a Business Relationship approach to ensure customer satisfaction by establishing and maintaining constructive relationships between the customer and service providers, listening to the customers, understanding their service level needs, and providing recommended service changes to the Government. The contractor shall provide Business Relationship Manager Services and be responsible for all processes associated with BRM. The contractor’s intermediary role of discerning both service needs and business needs is essential to ensure that services and service levels are of value to the customer and that services accurately match all needs and avoid over or under delivery of services. Contractor customer support shall include the following:
• Schedule, manage, and facilitate the USTRANSCOM IT services working group meetings and provide administrative support to include:
  - Provide presentation material no later than 48 hours prior to meetings
  - Provide action item management with updated action items and meeting minutes IAW section 1.3.1.6.
• Be the customer focal point for new services, which include performing the following duties:
  - Develop high-level customer requirements for a proposed new service within three (3) business days following completion of customer interaction(s).
• Building the business case for a proposed new service, within ten (10) business days of the completion of requirement definition.
• Ensure the service provider is meeting the business needs of the customer as articulated in the Service Catalog or requirements document of new and/or changed services as compared to metrics of service delivery from the Service Level Management function:
  - Review metrics of applicable services as directed by the Government, but at least monthly.
  - Average user/customer survey satisfaction
  - Percentage survey response
  - Level of user satisfaction
• Work with customers to identify changes to the customer environment or technology trends that could potentially impact the type, level, or utilization of service provided
• Work with customers to ensure that services and service levels deliver value
• Work with customers and identify changes to the customer environment that could potentially impact the type, level, or utilization of services provided
• Arrange and mediate cases in which there are conflicting requirements for services from different business units (e.g., Directorates, Divisions)
  - Document results and recommendation upon conclusion and provide to the Government within three (3) business days
• Establish and manage a formal complaint and escalation process for the customer
  - Provide feedback to the customer within one (1) business day from any change in status
  - Provide quarterly reports to the Government on status and metrics of this process

The Business Relationship Manager will work regularly with Service Portfolio Management, Financial Management, Design Coordination, Service Level Management, Demand Management, and Availability Management to ensure the delivery of services to the customer. In support of the Service Portfolio Manager, the Business Relationship Manager shall establish and manage, within the Government provided IT Service Management tool, the following items and shall keep them current:
• Customer Portfolio listing of customers by organization and further defined and selectable by unique customer needs
• Customer Agreement Portfolio
• Service Requirements
• Customer satisfaction metrics and analysis
• Register of all opportunities, requests, complaints, and compliments.

In support of the Service Catalog, the contractor will synchronize efforts with Service Catalog Management and produce customer-based additional information for each defined service. In support of that, the contractor shall produce the following within ninety (90) calendar days of contract start, and within two (2) business days per new/changed service agreement:
• Stakeholder definitions
• Defined Business outcomes (per defined service)
• Agreements on funding (per defined service)
• Schedule of customer activities to define deliverable timelines
• Schedule of training and awareness events to avoid customer business disruption
• Reports on customer perception of service performance (per defined service)

1.3.3.1.3 Task 3 Subtask 1.3: Service Catalog Management

The contractor shall perform management of the USTRANSCOM IT Service Catalog. The contractor shall manage the Service Catalog information, ensure accuracy of the content, ensure availability of the catalog to those with authorized access, and ensure support for other service management processes that depend on service catalog information. The direct correlation of the Service Catalog as an enabling capability throughout the ITSM Service Lifecycles is key. The active management of the accuracy of the data is paramount to the success of the delivery of services. Key activities for Service Catalog Management include:
• The contribution to the definition of services and service packages
• Development and maintenance of service and service package descriptions appropriate for the service catalog
• Interfaces, dependencies, and consistency between the service catalog, the overall service portfolio, and the configuration management system

The Service Catalog is used to support the delivery of Enterprise Infrastructure IT services to USTRANSCOM. It includes a customer-facing view (or views) of the IT Services in use, how they are intended to be used, the business processes they enable, and the levels and quality of service the customer can expect for each service. The catalog also includes information about supporting services required by the service provider to deliver customer-facing services. The Service Catalog is comprised of both services and the product portfolio. In support of the services and product portfolio, service catalog management will maintain the listing of approved products for both software and hardware. The contractor will perform due diligence on explaining risk and costs to the Government prior to entering any service information into the catalog.
The contractor will manage and represent the service catalog while interfacing with other key service management processes (e.g., Service Portfolio Management, Change Management). The contractor will continually assess catalog content, structure, descriptions, availability, and ease of use of the IT Service catalog and will provide a report containing aforementioned attributes with recommended improvements quarterly.

The contractor Service Catalog management team will manage the catalog change process and perform changes to the Service Catalog to include participating in the changes through Service Portfolio Management processes, Change Control Boards, project portfolio management of the employment of revised services, and completion of documentation within the Service Catalog. The contractor will produce meeting minutes within one (1) business day at the completion of the board meeting, and develop and utilize an organized tracking process for all changes within the Government prescribed tools. The Government anticipates approximately five (5) to ten (10) Service Catalog changes per month.

1.3.3.1.4 Task 3 Subtask 1.4: Technical Working Group

The contractor shall support the Technical Working Group (TWG) chaired by the IT Service Portfolio Manager. The TWG is comprised of Technical Management, Service Owners, and functional teams. The TWG meets to review change proposals submitted to the portfolio to validate the requests, determine requirements, and develop possible courses of action to fulfill those requirements. The contractor shall prepare slides to include the agenda, take meeting minutes, and take action on change proposals based upon direction of TWG meetings. The contractor will also facilitate any meetings necessary in support of the TWG (e.g., Integrated Project Team meetings).

1.3.3.1.5 Task 3 Subtask 1.5: Demand Management (Optional)

The contractor shall be responsible for Demand Management at the direction of the Government to understand, anticipate, and influence customer demand for services and the provision of capacity to meet those demands. The contractor shall be the Demand Management Process Owner and Manager. The contractor shall implement Strategic Demand Management by analyzing patterns of business activity (PBAs) to develop user profiles (UPs) to help anticipate demand for services. Both internal and external factors should be reviewed to understand these patterns. The contractor shall identify sources of demand; these sources may include, but are not limited to, people, processes, and applications. The contractor shall develop PBAs that document patterns of demand. The PBAs will consider the frequency, volume, location, and duration of that demand. The contractor shall place documented PBAs under change control. User profiles (UPs) shall be developed by the contractor to document sources of demand and their individual patterns. These UPs combine one or more PBAs to determine overall patterns. The contractor shall utilize these patterns to assist in determining cyclical changes in demand and include a summary in the quarterly reports. The Demand Management functional lead shall work closely with Capacity Management to ensure appropriate capacity is available to meet the anticipated demand. The Demand Management function shall be involved and prevalent in several service lifecycle stages. Demand Management shall assist with the evaluation of the Service Portfolio to analyze service and forecast additional resources for services. Demand Management shall also work with Financial Management to influence demand through differential charging or show back for services if applicable. To optimize the design of the service, the Service Design team relies on the demand forecasts provided by the Demand Management team.
The contractor shall provide demand information so the designed service can anticipate the demand for the service to ensure that the service is “the right sized” and appropriately engineered. The Demand Management team shall work with the Service Catalog Management team to ensure the demand for the service is documented in the Service Catalog. Lastly, Demand Management shall work with Service Operations to ensure planning for changes in demand is performed and that adjustments are made to operations of a service through resource scheduling and workload balancing of the service.

1.3.3.2 Task 3 Subtask 2: IT Financial Management Support

The contractor shall provide requirements refinement and procurement support to the USTRANSCOM Enterprise Infrastructure (EI) portfolio, to include market research, budgetary quotes, and budget estimates. The contractor shall not disclose budgetary information to any person or entity without authorization of the Contracting Officer, COR, or appropriate Government representative.

1.3.3.2.1 Task 3 Subtask 2.1: Procurement Management Support

The contractor shall monitor and track funding status for all procurement actions (approximately 200 purchases), and provide accurate information to spend plans that are due monthly, four (4) business days prior to spend plan brief, or as required. The contractor shall coordinate requirements with stakeholders and subordinate commands to gather details on hardware/software capabilities needed and provide staffing assistance support according to the applicable instructions and procedures. The contractor shall assist in analysis and documentation of requirements. The contractor shall work in coordination with the COR, PMs, contract managers, asset managers (both hardware and software), and budget managers to develop and staff acquisition packages for execution of EI procurement actions (e.g., software, software renewals, and new hardware buys). The contractor shall assist the Government in coordinating with enterprise and program engineering and performing program management support for USTRANSCOM EI systems programs or initiatives. The contractor shall provide management assistance to USTRANSCOM to include planning, policy development, technical integration and interoperability, and life-cycle support. The contractor shall provide managerial assistance with DoD and USTRANSCOM directed programs/projects.
Some major development programs/projects may have pre-established USTRANSCOM requirements/resources, where the contractor’s objective is to take information, organize it into system development, implementation, and management plans, and then assist in directing the planned actions to achieve the established goals. The contractor shall identify and document equipment and/or products associated with the assessment, implementation, installation, and monitoring of initiatives they support. The contractor shall provide analysis of DoD publications and instructions when requested IAW suspense assigned by the Government. Additionally, the contractor shall prepare appropriate briefs and information papers in support of system, program or initiative objectives IAW established goals no later than two (2) business days prior to scheduled briefing. The contractor shall assist the Government with requirements definitions and preparation of documentation in support of Corporate Governance Process (CGP).

1.3.3.3 Task 3 Subtask 3: Service Asset and Configuration Management Support

1.3.3.3.1 Task 3 Subtask 3.1: Configuration Management Support

1.3.3.3.1.1 Management and Planning

In support of the government Configuration Management (CfM) Process Owner, the contractor shall be the Configuration Management Process Manager responsible for managing and documenting processes, and recommending, facilitating, and managing CfM policy. The contractor shall work with managers from all functional areas for all activities associated with CfM. The purpose of CfM is to ensure the assets required to deliver services are properly controlled, and that accurate and reliable information about these assets is available when and where it is needed. The high-level activities include management and planning, configuration identification, configuration control, status accounting and reporting, verification and audit. The contractor shall ensure full CfM process documentation (e.g., roles and responsibilities, Inputs/Outputs, Process Flows) is completed for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare CfM briefings and supporting materials no later than 48 hours prior to any presentation. At a minimum, the contractor shall perform a semi-annual process review and recommend CSI initiatives/opportunities for consideration to the CSI Manager. In accordance with the CfM policy, the contractor shall develop, provide, and maintain all Configuration Management Plans and any subsequent policies of USTRANSCOM. The contractor shall use the Government-directed Configuration Management System (CMS) for all SACM artifacts supporting Configuration Items (CI). At the Government’s request, the contractor shall attend meetings as part of this task.

Deliverables: Configuration Management Plan (CMP) within 120 calendar days after contract start and annually thereafter or sooner as directed. The CMP shall support all enclaves and include management of established baselines determined and under Government configuration control – Technical Working Group, Client Services Change Board and Enterprise Configuration Control Board. Briefings and artifacts are as required: It is estimated to have two briefings per month.

1.3.3.3.1.2 Identification and Management of Configuration Items A configuration item (CI) is an asset, service component or other item that is, or will be, under the control of configuration management. The government will approve all baselines and maintain authority to approve/disapprove continued operations for noncompliance. The contractor shall support the baseline, maintain configuration items, control changes to CIs and report noncompliance related to this task. The contractor shall ensure configuration items are grouped and managed together (e.g., a set of components may be grouped into a release). The contractor shall select configuration items using selection criteria established in the Configuration Management Plan; and they shall be grouped, classified, and identified in such a way that they are manageable and traceable throughout the service lifecycle. The contractor’s configuration identification process shall:
• Define and document criteria for selecting configuration items and the components that compose them
• Select the configuration items and the components that compose them based on documented criteria
• Assign unique identifiers to configuration items
• Specify the relevant attributes of each configuration item
• Specify when each configuration item is placed under configuration management
• Identify the owner responsible for each configuration item

1.3.3.3.1.3 Service Asset and Configuration Reporting The contractor shall provide Service Asset and Configuration Reports as required by the Government within two (2) business days from time of request. The number of reports is expected to be ten (10) or fewer per month. Typical reports may include but are not limited to the following:
• A list of product configuration information included in a specific configuration baseline
• A list of configuration items and their configuration baselines
• Details of the current revision status and change history
• Status reports on changes and deviations
• Status reports detailing noncompliance per government approved thresholds for configuration baselines for all enclaves
• Capture/track POA&Ms related to noncompliance for configuration baselines
• Details of the status of delivered and maintained products concerning part and traceability numbers
• Revision status
• Report on unauthorized usage of hardware and software
• Unauthorized CIs detected
• Variations from CMS to physical audit reports
• Status reports of assets for a business unit or holdings (often required by financial management for budgeting, accounting, and charging)

1.3.3.3.1.4 Change Control In coordination with the CfM process owner and functional teams, the contractor shall provide change control for all TCJ6-provided infrastructure baselines and configuration items to include hardware and software. The contractor shall utilize tools, technology, service management architectures, service management processes, and measurement methods & metrics to ensure most effective, efficient and repeatable oversight to support configuration management to enforce compliance of baseline configurations. The contractor shall create, edit, maintain, and coordinate office information system baseline images for USTRANSCOM (both unclassified and classified) to include, but not be limited to, end user devices, servers, and network infrastructure. The contractor shall follow established change and configuration management processes to create baseline images for each hardware platform implemented within fourteen (14) business days after hardware receipt; coordinate an image security scan; coordinate image functionality test; record and store copies of all created images; and update stored copies of all images with approved application software, application patches, and registry changes.

Deliverables: Compliance reporting will be provided no less than monthly to Configuration Managers. Reporting shall represent all enclaves and indicate variances of established baselines determined and under Government configuration control – Technical Working Group, Change Management Control Board and Enterprise Configuration Control Board.

1.3.3.3.1.5 Configuration Control Board (CCB) The contractor’s Configuration Manager (CfM) shall facilitate and participate in the Government’s CCB. The contractor’s CfM shall act as the liaison between the Government and contractor to provide any additional information that the CCB requires. The outcome of this participation is to ensure contractor activities are focused in the areas the Government deems important and changes within USTRANSCOM’s OIS and COIS are properly vetted across all affected areas. The Government estimates potentially one (1) annual trip in support of this sub task.

1.3.3.3.2 Task 3 Subtask 3.2: Service Asset Management Support

1.3.3.3.2.1 Task 3 Subtask 3.2.1: Software Portfolio Management The contractor shall perform effective and efficient software license management. The contractor shall work with applicable sales representatives to ensure that USTRANSCOM Enterprise has adequate copies of all software based upon the established user authorization/entitlements. The contractor shall distribute documentation as needed by software users. The contractor shall work with USTRANSCOM program managers (PMs) to develop an accurate list of required software and maintain an Enterprise Software (ES) requirement list by program, for future reference, and provide the requirement list no later than the 5th business day of each month or an agreed upon monthly date.

The number of licenses required is determined by the licensing terms defined in license agreements agreed by both customer and vendor. These can take many forms, such as those relating to core, processors, workstations, millions of instructions per second (MIPS) and concurrent users, which are the unit costs, volume that generally form the basis of vendor mechanisms for software license charges. The contractor shall utilize the detailed licensing terms to aid in the development of cost benefit analysis and purchasing schemas. The contractor shall prepare and deliver software cost/benefit analyses within ten (10) business days of the Government’s request. The contractor shall coordinate with the PMs and CORs to clearly define the options for software products and determine the costs, benefits, and potential risks associated with proposed course of action. The contractor shall provide a recommendation for software acquisition based on cost/benefit findings.

The contractor shall work in coordination with the COR, PMs, contract managers, and budget managers to assist in the development of acquisition packages for execution of new and renewal of managed software licenses. The Application Portfolio Manager will determine the best pricing model based upon supporting software-specific acquisition data is available for the Procurement Management Support team to develop and execute the acquisition.

The contractor shall be the primary OPR for any software-related vendor or Government audits of software licensing. Those actions can include reconciliation and reporting, investigation and reporting, remediation and reporting, Renewals management, and Audit management.

1.3.3.3.2.1.1 Task 3 Subtask 3.2.1.1: Enterprise Software Portfolio Management (ESPfM) The Contractor will support Enterprise Software Portfolio Management for USTRANSCOM. The Contractor will be familiar with software licensing models used by software companies and provide guidance and recommendations for USTRANSCOM’s license needs. The contractor shall assist with the development and maintenance of an Enterprise Software Application Portfolio policy for USTRANSCOM. The contractor will perform an annual review of all Enterprise Software Portfolio Management Policies, Instructions, and Guidance and present recommendations for changes in March of each year. The contractor shall provide and maintain reports, purchase records and other necessary documentation to ensure software assets are compliant with Audit Readiness regulations and rules. The contractor will develop the list of software in a structured portfolio of applications with descriptions and capabilities, and assist in establishing entitlement criteria. The contractor will use the Government-directed repository to create/maintain a logical media library framework for all enterprise software artifacts to include software product information, Enterprise Software Initiative (ESI) cost/benefit analyses, software allocations, software transactions, software briefs, point papers, related documents, software contracts and acquisition documentation.

Enterprise Software (ES) is defined as any software title purchased and maintained with Software Assurance (Software Maintenance) that resides on USTRANSCOM systems, component command systems, and used within Programs of Record (POR). The contractor shall also maintain a record of the software library content. Updates and additions to the software library will be completed within five (5) business days of approval. The contractor will work with the Enterprise Service Portfolio Management, the Enterprise Service Catalog Management, and the Enterprise Change Management teams to help ensure Enterprise Software Portfolio related processes are fit-for-use and fit-for-purpose, as well as review Enterprise Software Portfolio processes regularly for process improvement, at least quarterly, or as needed. The contractor shall provide results of the process-reviews and process improvement initiatives to the CSI Manager, for inclusion in CSI reports to the Government. The contractor shall participate in all requested process improvement activities relating to Software Portfolio Management.

The Government estimates one (1) potential trip annually in support of this sub task.

1.3.3.3.2.1.1.1 Enterprise Software Asset Configuration Management The contractor will establish and maintain a software asset inventory, following the Service Asset and Configuration Management (SACM) process, definitions, and policy, for all software utilized throughout USTRANSCOM, its components, and Programs of Record (PORs) for which Enterprise Software Portfolio Management is responsible (e.g., Oracle, Micro Focus, and IBM Enterprise License Agreements). Using the government provided tools, the contractor shall accurately document, track, and maintain the inventory of USTRANSCOM software by contract number and provide the inventory, categorized at the Government’s direction, no later than the 5th business day of each month or an agreed upon monthly date. The software asset inventory attributes will include a list of the current license rights and entitlements that have been acquired by a legal entity. The inventory will also include configuration information pertaining to the software such as version, release, etc., for all applicable systems (server and client), commercial, and Government applications implemented within USTRANSCOM.

1.3.3.3.2.1.1.2 Consumption The contractor will work with the Enterprise Service Catalog team to assist in the development of entitlements and will use the entitlement guidance provided by the Government to baseline-authorized usage of software, as well as perform license consumption tracking and management. The contractor will utilize Government-provided inventory management software and discovery or technology tools to obtain the count of recognized software code as part of the installed inventory process. The inventory will be maintained on a Government-provided information system accessible to the entire command. This information will provide the software consumption metric.

The contractor shall define how software consumption is tracked and reported per software title according to the different license structures used by vendors (e.g., core, processor based, user CAL, etc.). This process must ensure user consumption against authorizations/entitlements is included in the metrics. The focus of consumption management should be on both completeness and data quality. Licensing metrics may not be based purely on physical installation, as many license limitations are not metrics-based, but still restrict use. Therefore, it is important to assess the terms and conditions of the license agreement and establish what further metrics or data can be used to demonstrate compliance. Where possible, such metrics should be agreed upon with the vendor and documented as part of the licensing contract. The software consumption metrics will be provided in real-time using the tools employed by USTRANSCOM or other means, as directed by the Government. At a minimum, the software consumption metric will be provided in monthly metrics on software.

1.3.3.3.2.1.1.3 Inventory management The contractor will perform industry-recognized inventory management practices to include establishing and managing inventory order points, consumption rates, safety levels; establishing/managing economic order quantities; and performing reviews. The Contractor shall collect inventory reports from Command Software Portfolio Managers and account for them. The contractor shall also provide Service Owners and leadership visibility on all inventory management levels, thresholds, and metrics. The contractor shall assist Service Owners with managing current and future demand to ensure availability. Government requested metrics will be provided as part of the monthly status report and managed/provided in real time via the Government provided tools.

1.3.3.3.2.1.1.4 Recapitalization The Contractor will utilize Government furnished tools, and recommend new tools when applicable, to track utilization of software on the network and provide monthly metrics (or as requested by the Government) associated with that task. They will make recommendations and draft policy for the recapitalization of un-used or underused software. To represent the recapitalization rates on managed software in the best way, metrics shall be maintained by the contractor and provided as part of the monthly report.

1.3.3.3.2.1.1.5 Software Lifecycle Management The Contractor shall perform Lifecycle Management for the products within their Software Portfolio. The Contractor shall track the latest version of software in their portfolio and submit request for testing and evaluation for use within all applicable networks and environments. The Contractor shall maintain a roadmap of software by product that tracks the release and end of support dates of the software within their Software Portfolio and provide them on a monthly basis. The contractor will work with Enterprise Configuration Management to ensure that software consumed is to the latest approved version and track Plan of Action and Milestones (POA&M) for all installations not updated within the identified deadline.

1.3.3.3.2.1.2 Task 3 Subtask 3.2.1.2: Command Software Portfolio Management (CSPfM) The Contractor will support Command Software Portfolio Management for USTRANSCOM. The Contractor will be familiar with software licensing models used by software companies and provide guidance and recommendations for USTRANSCOM’s license needs. The contractor shall assist with the development and maintenance of a Command Software Application Portfolio policy for USTRANSCOM. The contractor shall provide and maintain reports, purchase records and other necessary documentation to ensure software assets are compliant with Audit Readiness regulations and rules. The contractor will develop the list of software in a structured portfolio of applications with descriptions and capabilities, and assist in establishing entitlement criteria. The contractor will use the Government-directed repository to create/maintain a logical media library framework for all command software artifacts to include software product information, Enterprise Software Initiative (ESI) cost/benefit analyses, software allocations, software transactions, software briefs, point papers, related documents, software contracts and acquisition documentation. Command Software (CS) is defined as any software title purchased and maintained with Software Assurance (Software Maintenance) that resides on USTRANSCOM systems and used within USTRANSCOM Programs of Record (POR). The contractor shall also maintain a record of the software library content. Updates and additions to the software library will be completed within five (5) business days of approval.
The Command Software Portfolio Management will work with the Command Service Portfolio Management, the Command Service Catalog Management, and the Command Change Management teams to help ensure Command Software Portfolio related processes are fit-for-use and fit-for-purpose, as well as review Command Software Portfolio processes regularly for process improvement, at least quarterly, or as needed. The contractor shall provide results of the process-reviews and process improvement initiatives to the CSI Manager, for inclusion in CSI reports to the Government. The contractor shall participate in all requested process improvement activities relating to Software Portfolio Management.

The Government estimates one (1) potential trip annually in support of this sub task.

1.3.3.3.2.1.2.1 Command Software Asset Configuration Management The contractor will establish and maintain a software asset inventory, following the Service Asset and Configuration Management (SACM) process, definitions, and policy, for all software utilized throughout USTRANSCOM, and its Programs of Record (PORs) for which Command Software Portfolio Management is responsible (e.g., Microsoft, Cisco, and Adobe Enterprise License Agreements) and Enterprise Software consumed by USTRANSCOM and its PORs. Using the government provided tools, the contractor shall accurately document, track, and maintain the inventory of USTRANSCOM software by contract number and provide the inventory, categorized at the Government’s direction, no later than the 5th business day of each month or an agreed upon monthly date. The software asset inventory attributes will include a list of the current license rights and entitlements that have been acquired by a legal entity. The inventory will also include configuration information pertaining to the software such as version, release, etc., for all applicable systems (server and client), commercial, and Government applications implemented within USTRANSCOM.

1.3.3.3.2.1.2.2 Consumption The contractor will work with the Service Catalog team to assist in the development of entitlements and will use the entitlement guidance provided by the Government to baseline-authorized usage of software, as well as perform license consumption tracking and management. The contractor will utilize Government-provided inventory management software and discovery or technology tools to obtain the count of recognized software code as part of the installed inventory process. The inventory will be maintained on a Government-provided information system accessible to the entire command. This information will provide the software consumption metric.

The contractor shall define how software consumption is tracked and reported per software title according to the different license structures used by vendors (e.g., core, processor based, user CAL, etc.). This process must ensure user consumption against authorizations/entitlements is included in the metrics. The focus of consumption management should be on both completeness and data quality. Licensing metrics may not be based purely on physical installation, as many license limitations are not metrics-based, but still restrict use. Therefore, it is important to assess the terms and conditions of the license agreement and establish what further metrics or data can be used to demonstrate compliance. Where possible, such metrics should be agreed upon with the vendor and documented as part of the licensing contract. The software consumption metrics will be provided in real-time using the tools employed by USTRANSCOM or other means, as directed by the Government. At a minimum, the software consumption metric will be provided in monthly metrics on software.

1.3.3.3.2.1.2.3 Inventory management The contractor will perform industry-recognized inventory management practices to include establishing and managing inventory order points, consumption rates, safety levels; establishing/managing economic order quantities; and performing reviews. The Contractor shall collect inventory reports from Portfolio Software Managers and account for them. The contractor shall also provide Service Owners and leadership visibility on all inventory management levels, thresholds, and metrics. The contractor shall assist Service Owners with managing current and future demand to ensure availability. Government requested metrics will be provided as part of the monthly status report and managed/provided in real time via the Government provided tools.

1.3.3.3.2.1.2.4 Recapitalization The Contractor will utilize Government furnished tools, and recommend new tools when applicable, to track utilization of software on the network and provide monthly metrics (or as requested by the Government) associated with that task. They will make recommendations and draft policy for the recapitalization of un-used or underused software. To represent the recapitalization rates on managed software in the best way, metrics shall be maintained by the contractor and provided as part of the monthly report.

1.3.3.3.2.1.2.5 Software Lifecycle Management The Contractor shall perform Lifecycle Management for the products within their Software Portfolio. The Contractor shall track the latest version of software in their portfolio and submit request for testing and evaluation for use within all applicable networks and environments. The Contractor shall maintain a roadmap of software by product that tracks the release and end of support dates of the software within their Software Portfolio and provide them on a monthly basis. The contractor will work with Enterprise Configuration Management to ensure that software consumed is to the latest approved version and track Plan of Action and Milestones (POA&M) for all installations not updated within the identified deadline.

1.3.3.3.2.1.3 Task 3 Subtask 3.2.1.3: Portfolio Software Management (PfSM) The Contractor will support Command Software Portfolio Management for USTRANSCOM. The Contractor will be familiar with software licensing models used by software companies and provide guidance and recommendations for USTRANSCOM’s license needs. The contractor shall assist with the development and maintenance of a Command Software Application Portfolio policy for USTRANSCOM. The contractor shall provide and maintain reports, purchase records and other necessary documentation to ensure software assets are compliant with Audit Readiness regulations and rules. The contractor will develop the list of software in a structured portfolio of applications with descriptions and capabilities, and assist in establishing entitlement criteria. The contractor will use the Government-directed repository to create/maintain a logical media library framework for all command software artifacts to include software product information, Enterprise Software Initiative (ESI) cost/benefit analyses, software allocations, software transactions, software briefs, point papers, related documents, software contracts and acquisition documentation. Command Software (CS) is defined as any software title purchased and maintained with Software Assurance (Software Maintenance) that resides on TCUENet and TCCENet. The contractor shall also maintain a record of the software library content. Updates and additions to the software library will be completed within five (5) business days of approval. The contractor shall participate in all requested process improvement activities relating to Software Portfolio Management.

The Government estimates one (1) potential trip annually in support of this sub task.

1.3.3.3.2.1.3.1 Portfolio Software Asset Configuration Management The contractor will establish and maintain a software asset inventory, following the Service Asset and Configuration Management (SACM) process, definitions, and policy, for all software utilized throughout the TCUENet and TCCENet, (e.g., Microsoft, Cisco, and Adobe Enterprise License Agreements) Enterprise Software, and Command Software consumed by the TCUENet and TCCENet. Using the government provided tools, the contractor shall accurately document, track, and maintain the inventory of USTRANSCOM software by contract number and provide the inventory, categorized at the Government’s direction, no later than the 5th business day of each month or an agreed upon monthly date. The software asset inventory attributes will include a list of the current license rights and entitlements that have been acquired by a legal entity. The inventory will also include configuration information pertaining to the software such as version, release, etc., for all applicable systems (server and client), commercial, and Government applications implemented.

1.3.3.3.2.1.3.2 Consumption The contractor will work with the Service Catalog team to assist in the development of entitlements and will use the entitlement guidance provided by the Government to baseline-authorized usage of software, as well as perform license consumption tracking and management. The contractor will utilize Government-provided inventory management software and discovery or technology tools to obtain the count of recognized software code as part of the installed inventory process. The inventory will be maintained on a Government-provided information system accessible to the entire command. This information will provide the software consumption metric.

The contractor shall define how software consumption is tracked and reported per software title according to the different license structures used by vendors (e.g., core, processor based, user CAL, etc.). This process must ensure user consumption against authorizations/entitlements is included in the metrics. The focus of consumption management should be on both completeness and data quality. Licensing metrics may not be based purely on physical installation, as many license limitations are not metrics-based, but still restrict use. Therefore, it is important to assess the terms and conditions of the license agreement and establish what further metrics or data can be used to demonstrate compliance. Where possible, such metrics should be agreed upon with the vendor and documented as part of the licensing contract. The software consumption metrics will be provided in real-time using the tools employed by USTRANSCOM or other means, as directed by the Government. At a minimum, the software consumption metric will be provided in monthly metrics on software.

1.3.3.3.2.1.3.3 Inventory management The contractor will perform industry-recognized inventory management practices to include establishing and managing inventory order points, consumption rates, safety levels; establishing/managing economic order quantities; and performing reviews. The Contractor shall collect inventory reports from Software Managers and account for them. The contractor shall also provide Service Owners and leadership visibility on all inventory management levels, thresholds, and metrics. The contractor shall assist Service Owners with managing current and future demand to ensure availability. Government requested metrics will be provided as part of the monthly status report and managed/provided in real time via the Government provided tools.

1.3.3.3.2.1.3.4 Recapitalization The Contractor will utilize Government furnished tools, and recommend new tools when applicable, to track utilization of software on the network and provide monthly metrics (or as requested by the Government) associated with that task. They will make recommendations and draft policy for the recapitalization of un-used or underused software. To represent the recapitalization rates on managed software in the best way, metrics shall be maintained by the contractor and provided as part of the monthly report.

1.3.3.3.2.1.3.5 Software Lifecycle Management The Contractor shall perform Lifecycle Management for the products within their Software Portfolio. The Contractor shall track the latest version of software in their portfolio and submit request for testing and evaluation for use within all applicable networks and environments. The Contractor shall maintain a roadmap of software by product that tracks the release and end of support dates of the software within their Software Portfolio and provide them on a monthly basis. The contractor will work with Enterprise Configuration Management to ensure that software consumed is to the latest approved version and track Plan of Action and Milestones (POA&M) for all installations not updated within the identified deadline.

1.3.3.3.2.2 Task 3 Subtask 3.2.2: Hardware Asset Management

1.3.3.3.2.2.1 Task 3 Subtask 3.2.2.1: Hardware Management The contractor shall provide overall management and control of USTRANSCOM hardware assets. To include managing and distributing ADPE assets, and being responsible to work with Service Asset and Configuration Management in defining Configuration Items (CIs) for H/W assets.

1.3.3.3.2.2.1.1 ADPE & Configuration Management Support The contractor shall:
• IAW USTCI 33-16, ensure the command’s ADPE inventory is accurately reflected in the Government specified asset management database and act as the command’s single point of contact for that database (currently USTRANSCOM uses the Air Force Equipment Management System (AFEMS) Asset Inventory Management (AIM)).
• Work with IT FM procurement team to compare procurement information to received assets and enter CI, warranty and support contract information into Configuration Management System (CMS). CIs shall be logged in the CMS within two (2) business days from inventory arrival.
• Serve as the Equipment Custodian (EC) for all ADPE assets transiting or stored in the warehouse.
• The contractor shall provide, or ensure availability of, the monthly warehouse equipment-inventory report, to include warranty expiration, NLT five (5) business days of the following month.

1.3.3.3.2.2.1.2 ADPE Distribution and Disposal The contractor shall:
• Manage staging and ADPE asset storage area.
• Provide inventory control for USTRANSCOM ADPE hardware assets and act as the command’s focal point for receiving, distributing, and disposing of all USTRANSCOM ADPE.
• Properly dispose of excess or end-of-life information technology (IT) hardware assets through Defense Logistics Agency (DLA) Disposition Services (formerly known as Defense Reutilization and Marketing Office (DRMO)) or per USTRANSCOM guidance.
• Provide knowledge articles (e.g., procedures for shipping, disposal, and requesting assets from warehouse) when necessary to effectively share IT Service Management information to aid and assist the provisioning of IT services.
• Be on-call after duty hours with a two (2) hour on-site response time to provide spares and/or parts.

Computer hardware, warehousing facility and warehousing equipment (e.g., forklift, shelving, pallet jack) will be Government Furnished Equipment. A dedicated delivery vehicle will not be provided, however access to the base motor pool may be used. The contractor shall provide all other necessary equipment to complete the task in accordance with established service levels.

1.3.3.3.2.2.1.3 Program Management The contractor shall:
• Maintain a current listing of all Equipment Custodians (ECs) and alternates; ensure updates are completed within three (3) business days when ECs change.
• Provide ECs and alternate ECs training necessary to accomplish their duties.
• Ensure all ECs conduct an annual physical inventory of all USTRANSCOM-accountable ADPE hardware assets and provide a report of any discrepancies identified within five (5) business days of completion of the inventory.
• The contractor shall provide inventory information to the Base Equipment Control Officer (BECO) no later than 31 December and 30 June each contract year.
• Work with customers and investigating officials when a Report of Survey is required.

1.3.3.3.2.2.2 Task 3 Subtask 3.2.2.2: Inventory Control The contractor shall work with IT Financial Management & Procurement and Event Management teams to establish inventory reorder thresholds and quantities and inform the Government if established equipment inventory thresholds have been reached.

1.3.3.4.2 Task 3 Subtask 4.2: Information Technology (IT) Project Management The contractor shall provide the Government Project Portfolio Manager project management support for the USTRANSCOM unclassified and classified network portfolio of services. In the performance of project management tasks, the contractor shall integrate activities across the ITSM service lifecycle (Strategy, Design, Transition, Operations, and CSI) to include, but not limited to IT Service Portfolio Management, Change Management, Technical Management, and Release and Deployment processes to ensure proper selection, assignment, and management of the projects. The contractor shall facilitate weekly project status meetings with key project personnel, as well as attend meetings or conferences held at USTRANSCOM, SDDC, or other locations as identified by the Government, and provide meeting/conference minutes within one (1) day of meeting completion. Approximately twenty (20) new approved projects annually with varying complexity and timeline. The contractor will be an expert in understanding and usage of the PPM tool (e.g., CA Clarity) in use by USTRANSCOM. The contractor shall provide training and knowledge of the system when requested. The contractor shall understand and participate in the process definition and configuration of the PPM tool. The contractor shall assist in the annual process review and recommend process improvements to the project management process. The contractor shall assist and participate in the periodic, e.g., monthly, PPM review by the Enterprise Infrastructure IT Services Portfolio Manager and other USTRANSCOM J6 leadership, unless otherwise directed by the Portfolio Manager.

1.3.3.4.2.1 Task 3 Subtask 4.2.2: IT Project Management The contractor shall manage the implementation of IT solutions as specified by the Government. This effort shall apply Project Management Institute (PMI) best practices and Information Technology Infrastructure Library (ITIL) Design Coordinator role best practices to align the IT services with the business needs for the following activities:
• Project Integration Management
• Scope Management
• Time Management
• Cost Management
• Quality Management
• Human Resources Management
• Communications Management
• Risk Management
• Procurement Management

Plans shall be developed for each of the activities as required through the process groups of Initiating, Planning, Executing, Monitoring & Controlling, and Closing the projects.

Utilizing PMI recommended practices within Initiating, Executing, Monitoring & Controlling, and Closing each project requires the contractor to manage assigned projects with a minimum of weekly Project Management feedback reports (verbal or written as directed by the Government) and In-Progress Reviews (IPRs) as directed by the Government. Each assigned project will require the contractor to develop and deliver the following process group outputs, using Government approved templates, unless waived by the Government:

The contractor shall have significant experience in IT Project Management. within Initiating, Executing, Monitoring & Controlling provide project performance status, monthly reviews. Each assigned project will also require the contractor to develop and deliver the following process group outputs, using Government-approved templates, unless waived by the Government:

Deliverable Title | Delivery Schedule
Project Charter | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Stakeholder Identification/Register | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Project Management Plan | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Requirements List | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Scope Statement | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Work Breakdown Structure (WBS) | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Project Schedule | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Cost Baseline/Project Budget | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Communications Plan | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Risk Identification & Management Plan | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Procurement Plan | Initial draft shall be submitted within 20 business days of project assignment, and the final draft within five (5) business days of Government comment.
Weekly Project Performance/Status Reports | Weekly
Meeting Minutes | Within one (1) day of meeting completion.
Transition to Operations Plan | Initial draft shall be submitted within ten (10) business days after completion of last WBS activity, and the final draft within five (5) business days of Government comment
Post-Project Review Report | Initial draft shall be submitted within ten (10) business days after completion of last WBS activity, and the final draft within five (5) business days of Government comment

The contractor shall have a good understanding and working knowledge of Microsoft Project®, Microsoft Visio®, and the standard Microsoft Office® suite and be proficient in the use of those products. a current Project Management Professional (PMP) Certification from the Project Management Institute (PMI) and a minimum of 2 years of

1.3.3.4.3 Task 3 Subtask 4.3: Service Level Management The contractor shall be the Service Level Management Process Manager. The goal of the Service Level Management is to ensure that all current and planned IT services are delivered to agreed achievable targets.

1.3.3.4.3.1 Process Management The contractor shall create, document, and maintain the process documentation for the Service Level Management Process. The contractor shall work with other functional areas within ITSM service models to ensure all documentation is current and relevant to assist in process execution. The contractor shall provide full process documentation for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare briefings and supporting materials no later than 48 hours prior to any presentation. The contractor shall perform a process review, at a minimum semi-annually, and recommend CSI initiatives/opportunities for consideration to the Service Portfolio Manager & CSI Manager as required. The contractor shall create/compile, submit for approval, and subsequently lifecycle manage all Service Level Management policy & artifacts. Artifacts shall include, but not limited to, document templates for SLAs, SLRs, and OLA.

1.3.3.4.3.2 Service Level Management The contractor shall be the Service Level Manager and shall ensure Service Level Management process activities are performed to the level prescribed in the Service Level Management policy or other defined documentation of the Service Level Management process. The contractor shall work closely with, but not limited to, Customers, BRMs, Service Portfolio Management, Availability Management, and Capacity Management to define, document, agree, monitor, measure, report, and review the level of IT services provided within the Service Portfolio to ensure service delivery within service level targets. The contractor shall be responsible for and perform the following activities:
• The contractor shall produce and maintain IT Service Level Agreements, Service Level Requirements, Service Level Targets, and Operational Level Agreements.
• Ensure specific and measurable targets are developed for all IT Services and investigate corrective measures whenever service level changes warrant such action as prescribed in agreements, process, or policy.
• Conduct semi-annual service reviews, identify service opportunities in the CSI Register, and manage appropriate Service Improvement Plans.
• Monitor and aid in the improvement of customer satisfaction with the quality of service delivered.
• Produce and manage service reports that include, but are not limited to, details of all aspects of the service and its delivery, including current and historical performance, breaches and weaknesses, major events, changes planned, current and predicted workloads, customer feedback, and improvement plans and activities. The service reports shall be reviewed at least annually and provided to the Service Portfolio Manager.

1.3.3.5 Task 3 Subtask 5: Availability Management (Optional)

1.3.3.5.1 Availability Management Owner The contractor shall be the Availability Management Process Owner. They will be responsible for creating, managing and documenting processes, and recommending and facilitating Availability Management policy. The purpose of Availability Management is to allow the organization to sustain IT service-availability that supports the business at a justifiable cost, and ensure level of availability delivered for customer needs are met. The high-level activities include realizing availability requirements, compiling availability plans, monitoring availability, and monitoring maintenance obligations. The contractor shall provide full process documentation for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare Availability briefings and supporting materials no later than 48 hours prior to any presentation. At a minimum, the contractor shall perform a semi-annual process review and recommend CSI initiatives/opportunities for consideration to the CSI Manager. The contractor shall work with managers from all functional areas to ensure acceptance of Availability as the single focal point for Availability-related issues. The contractor shall ensure that designs and implementations are synchronized with Service Level, IT Service Continuity, Security Management, and Capacity Management.

1.3.3.5.2 Availability Management Manager The contractor shall be the Availability Manager and shall ensure Availability Management process activities are performed to the level prescribed in the Availability Management policy or other defined documentation of the Availability Management process.

The contractor shall create, document, and maintain availability plans that document measures or initiatives designed to improve IT Services Availability. At a minimum, availability plans shall contain trend analyses, incidents leading to reduced Service Availability, and current and planned measures for Availability improvement.

1.3.3.5.2.1 Availability Design The contractor shall design appropriate and cost-justifiable availability technical features and procedures to meet the agreed business availability levels. As part of the design, the contractor shall consider the following: reliability, maintainability, serviceability, resilience, and security. The designs must provide a clear overview of the end-to-end availability of the system. The contractor shall support design and transition activities as required.

1.3.3.5.2.2 Availability Testing The contractor shall ensure that all availability, resilience, and recovery mechanisms are subject to regular testing; tested annually at a minimum.

1.3.3.5.2.3 Availability Monitoring and Reporting The contractor shall work with Event Management and technical support to identify Availability targets and thresholds to measure and monitor services. Additionally, the contractor shall work with Service Level Management to monitor maintenance obligations and ensure Service Level Agreement (SLA) and Operational Level Agreement (OLA) Availability targets are met. The contractor shall provide other Service Management processes and IT Management with information related to service and component availability. This includes comparing achieved vs. agreed upon availability and the identification of areas where availability must be improved. The contractor shall provide these improvement ideas to Service Portfolio Management as investment inputs on a periodic basis, at a minimum annually, to support budget planning and execution.
The contractor shall provide the following in their monthly report:
• Availability of IT Services relative to the availability agreed in SLAs and OLAs
• Number of service interruptions (caused by Availability issues)
• Average duration of service interruptions (caused by Availability issues)
• Percentage of services and infrastructure components under availability monitoring
• Number of implemented measures with the objective of increasing availability

1.3.3.6 Task 3 Subtask 6: Capacity Management (Optional)

1.3.3.6.1 Capacity Management Owner The contractor shall be the Capacity Management Process Owner. They are responsible for creating, managing, and documenting processes, and recommending and facilitating Capacity Management policy. The purpose of Capacity Management is to provide optimum and cost-effective provisioning of IT services by helping organizations match their IT resources to business demands. The high-level activities include application sizing, workload management, demand management, modeling, capacity planning, resource management, and performance management.

The contractor shall provide full process documentation for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare Capacity briefings and supporting materials no later than 48 hours prior to any presentation. At a minimum, the contractor shall perform a semi-annual process review and recommend CSI initiatives/opportunities for consideration to the CSI Manager. The contractor shall be the single focal point for Capacity-related issues and work with managers from all functional areas for all activities associated with Capacity Management. The contractor shall ensure that designs and implementations are synchronized with Service Level, IT Service Continuity, Security Management, and Availability Management.

1.3.3.6.2 Capacity Management Manager The contractor shall be the Capacity Manager and shall ensure Capacity Management process activities are performed to the level prescribed in the Capacity Management policy or other defined documentation of the Capacity Management process. The contractor shall work closely with Demand Management and create, document, and maintain capacity plans that document known business initiatives, known business volume forecasts, forecast of service utilization and performance, other potential impacts on service capacity and performance, and initiatives to adjust service capacity and performance. The contractor shall translate business needs and plans into capacity and performance requirements for services and IT infrastructure, and ensure that future capacity and performance needs can be fulfilled.

1.3.3.6.2.1 Capacity Design The contractor shall coordinate with Tier II (Tech support) and Tier III (Engineering support) and design appropriate and cost-justifiable availability technical features and procedures to meet the agreed upon business availability levels.
As part of the design, the contractor shall consider the following: reliability, maintainability, serviceability, resilience, and security. The designs must provide a clear overview of the end-to-end availability of the system. The contractor shall support design and transition activities as required.

1.3.3.6.2.2 Capacity Monitoring and Reporting The contractor shall work with Event Management and technical support to identify Capacity targets and thresholds to measure and monitor services. Additionally, the contractor shall work with Service Level Management to monitor maintenance obligations and ensure SLA and OLA Capacity targets are met. The contractor shall manage, control, and predict the performance and capacity of operational services, and the utilization and capacity of IT resources and individual IT components. The contractor shall initiate proactive and reactive actions to ensure that the performances and capacities of services meet their agreed targets. The contractor shall provide other Service Management processes and IT Management with information related to service and resource capacity, utilization and performance through interactions and a Capacity Report, published quarterly. The contractor shall provide suggested improvements as investment inputs for future funding on a periodic basis, at a minimum annually, to support budget planning.

The contractor shall provide the following in their monthly report:
• Number of incidents occurring because of insufficient service or component capacity
• Deviation of the predicted capacity development from actual course
• Number of adjustments to service and component capacities due to changing demand
• Number of unplanned increases to service or component capacity as result of capacity bottlenecks
• Resolution time for identified capacity bottlenecks
• Percentage of capacity reserves at times of normal and maximum demand
• Percentage of services and infrastructure components under capacity monitoring

1.3.3.7 Task 3 Subtask 7: IT Service Continuity Management (Optional)

1.3.3.7.1 IT Service Continuity Management Owner The contractor shall be the IT Service Continuity Management (ITSCM) Process Owner. They are responsible for creating, managing, and documenting processes, and recommending and facilitating Continuity Management policy. The purpose of ITSCM is to manage risks that could seriously affect IT services. In this case, Continuity refers to both continuity and disaster recovery. The contractor shall provide full process documentation for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare ITSCM briefings and supporting materials no later than 48 hours prior to any presentation. At a minimum, the contractor shall perform a semi-annual process review and recommend CSI initiatives/opportunities for consideration to the CSI Manager. The contractor shall work closely with BRMs and Service Portfolio Management to ensure IT services are designed to support Business Continuity Management (a.k.a. Continuity of Operations) and align with command continuity strategy.
The contractor shall work with managers from all functional areas to ensure acceptance of IT Continuity as the single focal point for Continuity-related issues. The contractor shall ensure that designs and implementations are synchronized with Availability, Service Level, Security, and Capacity Management.

1.3.3.7.2 IT Service Continuity Management Manager The contractor shall be the ITSCM Manager and shall ensure ITSCM process activities are performed to the level prescribed in the ITSCM policy or other defined documentation of the ITSCM process. The ITSCM manager shall ensure that the IT service provider can always provide minimum agreed upon Service Levels, by reducing the risk from disaster events to an acceptable level and planning for the recovery of IT services. The contractor shall create and maintain a continuity of operations plan to support operations IAW USTRANSCOM Handbook 10-01 Continuity of Operations. The contractor shall ensure plans meet priority from the business (TCJ3), and priority restoral matrices along with system dependencies are documented, maintained and executable. The contractor shall coordinate with applicable Tier II (Technical support) and Tier III (Engineering support) personnel to develop plans. These plans will be created within 90 calendar days of contract start, reviewed quarterly, and at a minimum, exercised on an annual basis.

The contractor shall ensure all members of the IT Staff, and Service Owners are aware of their exact duties to ensure all relevant information is readily available to support disaster recovery and continuity of operations. The contractor shall provide information to the Readiness and Joint training to support exercise planning and monthly reporting.

1.3.3.7.2.1 Design Services for Continuity The contractor shall coordinate with Tier II (Technical support) and Tier III (Engineering support), and design appropriate and cost-justifiable continuity mechanisms and procedures to meet the agreed business continuity targets. The contractor shall perform business impacts, and design risk reduction measures, and recovery plans for all new and existing services. The contractor shall support design and transition activities as required. At a minimum, the contractor shall provide annual investment inputs for future funding on a periodic basis to support budget planning.

1.3.3.7.2.2 Continuity Review and Reporting The contractor shall perform post-mortem review of service continuity tests and invocations and initiate corrective actions where required, IAW the CSI process. The contractor shall provide as part of their monthly report, status of services covered by continuity plans, number of identified gaps, number of continuity events actually carried out, and shortcomings identified during practices.

1.3.3.8 Task 3 Subtask 8: Change Management

1.3.3.8.1 Change Process Owner The contractor shall assist the Change Management Process Owner and shall be responsible for helping to develop, manage, and document processes, integrating changes into the risk management framework (RMF), and recommending and facilitating Change Management policy. The contractor shall control the lifecycle of all Changes throughout the Change Management processes. The contractor shall assist the Change Management Process Owner to ensure the Change Management Process is documented and maintained within the Government provided Service Knowledge Management System (SKMS). The contractor shall assist the Change Management Process owner to ensure the Change Managers and Practitioners are identified, trained, and able to complete their responsibilities as prescribed by the Change Management Process activity roles, definitions, and policy. The contractor shall assist the Change Management Process Owner to provide, document and maintain templates, threshold definitions, and guidance for the authorization of Changes. Guidance includes but is not limited to process flow diagrams, definitions, and criteria of Change Types according to the Enterprise Change Management SOP. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare Change Management Process decisional briefings and supporting materials no later than 48 hours prior to any presentation.

1.3.3.8.2 Change Process Manager The contractor shall be the Change Manager and shall ensure Change Management Process activities are performed to the level prescribed in the Change Management Policy or other defined documentation of the Change Management Process. The contractor shall control the lifecycle of all Changes with the primary objective to enable beneficial Changes to be made with minimum disruption to IT services. The Change Manager shall supply the other IT Service Management processes with information on planned and ongoing Changes. The Change Manager shall review each Normal Change as a candidate for Standard Change and submit them to the CSCB for approval, as appropriate. The contractor shall facilitate an assessment and subsequent authorization of each proposed Change to meet stated business requirements. In support of the Change Process, the contractor shall perform Request for Change (RFC) logging and review, in accordance with Change Process policy/documentation. The contractor shall reject/return proposals, to submitters, that (1) do not contain all information required for assessment, (2) are repeats of earlier RFCs, or (3) are deemed impractical with the Change Management Lead's approval. For those RFCs that need additional information, the contractor shall provide brief details for the rejection to the initiator. The contractor shall provide an appeal process for rejected RFCs as part of the documented process. The contractor shall determine the required level of authorization for the assessment of a proposed Change and coordinate its approval. Significant Changes are passed on to the Client Systems Change Board (CSCB) for assessment, while minor Changes are immediately assessed and authorized by the Change Manager. The contractor shall support Change Management meetings (e.g., CCB, CSCB) by providing, at a minimum, but not limited to, scheduling, agendas, and meeting minutes.
The Change Manager shall coordinate within USTRANSCOM as necessary to gain the approval for Changes that require higher-level authority. The contractor shall perform and manage change scheduling. The contractor shall ensure schedules are prioritized based on business needs rather than IT needs. The contractor shall group changes into releases, as necessary, to minimize impact to operations. Additionally, the contractor shall create and distribute the Forward Schedule of Change (FSC) to appropriate personnel to maintain awareness of future changes that may impact availability of services. The contractor shall work closely with the Authorized Service Interruption (ASI) Manager to ensure Projected Service Outages (PSOs) are coordinated and approved as required. The contractor shall perform and manage the build authorization and assess the Project Plans for completeness and risk prior to seeking approval authority to move to the Change Build phase. The contractor shall work closely with the Release and Deployment Manager to build a release package ready for deployment. For small or minor changes that are not part of a release, the Change Manager shall coordinate the creation of the release package. The contractor shall facilitate all Change Deployment authorizations. The contractor shall assess if all required Change components were built and properly tested, to ensure that the predicted and actual performance matches business needs. After a test evaluation, within 5 (five) business days the contractor shall provide a documented recommendation to the Government on whether to accept prior test results or conduct additional testing. The decision to accept prior test results will be made by the designated Government authority. Prior to conducting testing and assessment, the contractor shall review the listing of previously completed tests/configurations, the USTRANSCOM approved products list (APL), or equivalent product listing, Service Catalog, and other accessible DoD APLs to determine if testing has been previously conducted for the specified product or service in order to avoid duplication of effort. The contractor shall facilitate the authorization of the Change to be deployed. The contractor shall facilitate the release and deployment for small minor changes that are not part of a release. The contractor shall track and report on minor change deployments (e.g., Standard Changes) that do not require Release and Deployment. The contractor shall review Standard Changes for issues or trends and include monthly results as metrics included in the monthly status report. In conjunction with the Change Process Owner, the Change Manager shall use the Government provided ITSM tool to perform post-implementation reviews and document results and lessons learned.

1.3.3.8.2.1 Emergency Change The contractor shall assess, coordinate authorization, and implement an Emergency Change as quickly as possible. The contractor shall document the Emergency Change process and approval authority, and shall invoke it if normal Change Management procedures cannot be applied because an emergency requires immediate action.

1.3.3.8.2.2 Monitoring and Reporting At a minimum, the contractor’s quarterly report shall include the following:
• Projected Service Outages
• Number of major changes assessed by the CSCB (Client Systems Change Board)
• Number of CSCB (Client Systems Change Board) meetings
• Average time from registering an RFC with Change Management until the RFC is either approved or rejected
• Number of accepted vs. rejected RFCs
• Number of Emergency Changes assessed by the ECSCB (Emergency Client Systems Change Board)
• Number of Changes nominated for Standard change, and number of Standard Change processes implemented

1.3.3.8.3 Change Evaluation The contractor shall assess major Changes, like the introduction of a new service or a substantial change to an existing service, before those Changes are allowed to proceed to the next phase in their lifecycle. The following evaluation should be done and documented in the ITSM tool:
• Change Evaluation prior to Planning: The contractor shall assess a proposed major Change before authorizing the Change planning phase.
• Change Evaluation prior to Build: The contractor shall assess a proposed major Change before authorizing the Change build phase.
• Change Evaluation prior to Deployment: The contractor shall assess a proposed major Change before authorizing the Change deployment phase.
• Change Evaluation after Deployment: The contractor shall assess a major Change after it has been implemented, to verify if the Change has met its objectives and shall identify any lessons learned.

1.3.3.8.4 Change Management Queue and Task Management The contractor shall manage their assigned change management queues within the government’s ITSM tool to ensure the following:
• Each RFC and/or task will be assigned to an individual within one business day of creation.
• The status of the RFC and/or task will reflect the current working status.
• RFCs and/or tasks placed in "Pending or closed" status must have a comment explaining the reason for the status change (e.g., parts on order, expected delivery date 14 Sep 2021).
• RFCs and/or tasks will be updated with current information at a minimum of once (1) every 10 working days with the current "way ahead" added in the comments.

1.3.3.9 Task 3 Subtask 9: Technical Management and Oversight The contractor shall perform Technical Management and Oversight for the services and functional areas & capabilities contained in the scope of this contract. The contractor shall lifecycle manage (recommend to establish new, modify, improve, retire) ITSM capabilities (processes, systems, tools) to provide IT Services. The contractor shall implement Technical Management and Oversight processes to ensure services transition from design into operations effectively and efficiently. The contractor shall be responsible for the synchronization and integration of tools and processes to support the IT Service Lifecycle. The contractor shall be responsible for Design/Transition Planning & Support, Release and Deployment, Service Evaluation and Testing, Tool Portfolio Management, and ITSM Knowledge Management.

1.3.3.9.1 Task 3 Subtask 9.1: Design & Transition Planning & Support 1.3.3.9.1.1 Design & Transition Planning In coordination with Service Portfolio Management, the contractor shall be responsible for systems, tools, technology, service management architectures, service management processes, and measurement methods & metrics to ensure most effective and efficient, repeatable capabilities exist to support the design, transition to further operations of IT services. The contractor shall review and recommend changes to processes associated with service design & transition to help ensure the most effective and efficient processes are utilized. Reviews of each process and tool capability shall happen regularly (at a minimum, yearly) and be included in semi-annual reports. Technical Management and Oversight shall review ITSM capabilities, assess new emerging technologies, perform gap analysis, and provide subsequent recommendations as the ITSM systems/processes/tools capability service owner to the IT Service Portfolio Manager.


1.3.3.9.1.2 Service Transition Support The contractor shall be the Service Transition Process Owner & Manager. For Service Transitions managed by the Project Management Team, this Manager will be the primary liaison between the multiple affected/involved Operations Teams and that assigned Project Manager. For Service Transitions not designated to be run by the Project Management Team (i.e., not deemed as large projects), this Manager will fill the role of the Project Manager in the Service Design and Transition phases to ensure proper transition to operations. Service Transition needs to provide a high level of consistency in order for the IT service provider to meet the needs of the customer. The contractor will plan and coordinate resources to ensure that the requirements of Service Strategy encoded in Service Design are effectively realized in Service Operations. The contractor shall:
• Coordinate activities across projects, suppliers, and service teams
• Establish new or changed services into production within the cost, quality and time estimates
• Ensure that all parties adopt the common framework of standard re-useable processes and supporting systems
• Provide clear and comprehensive plans that enable customer and business change projects to align with those plans
• Identify, manage, and control risks to minimize the chance of failure and disruption across transition activities
• Monitor and improve the performance of the Service Transition stage of the Service Lifecycle
As part of project planning, it is imperative that a clear description of workforce training & capacity is presented as planning feedback on all projects, regardless of size. The contractor shall identify and maintain resource availability within the functional work teams to assist in a matrixed fashion to transition new or changed services or service models. This availability review shall be presented as part of the PPM process at least monthly or when requested by the Government, whichever comes first. This capacity factoring shall be used to develop work breakdown structures and sequencing of activities.

1.3.3.9.1.3 Configuration Management In coordination with SACM and functional teams, the contractor shall provide configuration control for all TCJ6-provided infrastructure baselines and configuration items to include hardware and software. The contractor shall create, edit, maintain, and coordinate office information system baseline images for USTRANSCOM (both unclassified and classified) to include, but not be limited to, end user devices, servers, and network infrastructure. The contractor shall follow established change and configuration management processes to create baseline images for each hardware platform implemented within fourteen (14) business days after hardware receipt; coordinate an image security scan; coordinate image functionality test; record and store copies of all created images; and update stored copies of all images with approved application software, application patches, and registry changes.

1.3.3.9.2 Task 3 Subtask 9.2: Release and Deployment Management


The contractor shall be the Release and Deployment Process Owner responsible for documenting processes and recommending and facilitating Release and Deployment policy. The contractor shall identify a Release and Deployment Manager. The Release and Deployment Manager shall ensure the appropriate planning of releases is conducted, activities are communicated, and records updated in the Configuration Management System (CMS) and Service Knowledge Management System (SKMS). The contractor shall be responsible for educating process participants and ensuring compliance, measuring success of process against key performance indicators (KPIs) and other targets, and continual process improvement. The contractor will provide all process documentation (e.g., process flow, narrative with definitions, policies, and procedures) for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor will provide monthly Release and Deployment metrics that cover the quality and timeliness of Release and Deployment process activities: metrics will include but not be limited to Processing Time, successful/failed Release & Deployment Packages, and Proportion of Automatic Release Distribution. The contractor shall work in tandem with Change Management and Configuration Management to plan, schedule, and control the movement of releases to test and production environments. The contractor shall plan, schedule, and control the build, test, and deployment of releases, and ensure new functionality required by the business is delivered while protecting the integrity of existing services. The contractor shall create and manage the library of Release and Deployment Models and document them in the Government-provided ITSM tool. The contractor will utilize ITIL best practices to define the standard contents of the Release and Deployment Models. 
The primary goal of Release Management is to ensure that the integrity of the live environment is protected and that the correct components are released. The contractor shall minimize the risk associated with transitioning a service by considering all aspects of a service to ensure that the service meets the needs of the business and can be well supported. Transitions shall ensure that high-quality services and components are released, as well as ensuring that all elements of the release (e.g., training, knowledge, support processes, contracts, and other items) are included as part of the release. The contractor will also ensure that the service or service change is not installed and forgotten by including early life support in Release and Deployment. Through early life support, the contractor will identify and coordinate resources to ensure that the service’s critical early life is well supported until operations staff can fully support the service based upon the agreed upon transition plan.

1.3.3.9.2.1 Release and Deployment Planning The contractor shall coordinate creation of Release and Deployment Plans, and schedule releases with customers and stakeholders to deliver new/changed functionality required by the business while protecting the integrity of existing services. The contractor shall assign authorized Changes to Release Packages, define the scope, build requirements, deployment methodology, testing criteria, schedule, transition to operation criteria, back out procedures and content of Releases, and document them in the Government-provided ITSM tool. The contractor shall deliver release and deployment plans and a release package within the time prescribed by the Government (for each release). The contractor shall create and manage templates to standardize documentation within the automated tool, as needed, within 90 calendar days from contract start date and in a semi-annual review thereafter.


1.3.3.9.2.2 Build & Test The contractor shall identify a Release Packaging and Build Manager. The Release Packaging and Build Manager shall be responsible for ensuring each release is built and packaged correctly and finalizing the details of the release configuration to be deployed into the production environment. The Release Packaging and Build Manager shall be responsible for reporting any outstanding known errors and workarounds to problem management for inclusion in the Known Error Database (KEDB). The contractor shall work with functional and technical management teams to build, configure, and test the release package. The contractor shall create test procedures for the supporting test plan and collect necessary test data. The contractor shall work with service evaluation and testing (section 1.3.3.9.3) to test the release package and produce a test report within three (3) business days from test completion. Following evaluation and testing, the contractor shall check the baseline Release Package into the definitive media library.

1.3.3.9.2.3 Deploy The contractor shall identify a Deployment Manager. The Deployment Manager shall ensure the release deploys to the production environment correctly and effectively. The Deployment Manager also assumes the responsibility for early life support to ensure the release is supported properly until Service Operations can fully assume the support responsibility for the release based upon the agreed upon transition plan. The contractor shall work with Change Management to move/promote, or back out if necessary, the release package into the production environment and will include a transfer of release to operations. The contractor shall coordinate any downtime required with ASI managers to minimize impact to operations. The contractor shall resolve operational issues quickly during an initial period (early life support) after Release deployment, and remove any remaining errors or deficiencies. The contractor shall work with Service Operations to retire service assets that are replaced by the new release.

1.3.3.9.2.4 Review & Closure

The contractor shall capture and document experiences, performance targets, and achievement reviews and lessons learned in the Government-provided automated ITSM tool within five (5) business days from release closure.

1.3.3.9.3 Task 3 Subtask 9.3: Service Validation and Test Support The contractor shall support the life cycle of IT Services through effective Service Design configurations. The contractor shall provide expertise and assistance as part of an integral team comprised of Technical Management, Service Owners, functional teams, and others to ensure the best service designs are created and ready for transition into operations with minimal issues or problems. The contractor shall aid in the technical design of systems, hardware, and software configurations to provide desired services at service levels agreed upon by the IT Service Portfolio Manager and the customer. The contractor shall evaluate IT systems and products for integration, interoperability, compatibility, security, and functionality. The contractor shall evaluate proposed additions, upgrades, patches, and changes to the operational IT environments. Service Design Configuration Support will support the requirements of the DoD RMF and provide the necessary documentation to support RMF authorization IAW National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53a, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, Rev. 4. Test and evaluation will also be conducted in accordance with NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, and applicable CNSS, NSA, NIST, DOD, DISA, USCYBERCOM, and USTRANSCOM guidelines and best practices. The contractor shall ensure products, systems, release packages and services under evaluation integrate with the USTRANSCOM operational environments. Product configurations provided by the vendor or other supporting organizations will be assessed by the contractor to ensure compatibility with DoD/USTRANSCOM functional, operational, and security standards/requirements. The contractor shall provide an assessment of the vendor-proposed system configuration and engineering designs within the suspense assigned by the Government. If no proposed configuration is provided, the contractor shall recommend proposed configurations and architectures, to include the recommended operating system, Microsoft Windows Group Policy Object (GPO) settings, and application(s) configuration(s) to ensure compatibility with DoD/USTRANSCOM functional, operational, and security standards/requirements based on test results and knowledge of the target environments. The contractor shall collaborate with designated Government functional and technical stakeholders during tests and assessments to achieve a final secure and functional configuration of the product under evaluation.
The contractor shall document proposed secure configurations in technical configuration guides and provide implementation plans/documentation to ensure secure configurations are maintained during release deployment. When a commercial software application or package does not perform as required during test/evaluation, the contractor shall contact the appropriate commercial vendor (customer service center) or Government POC for the software product within one (1) business day after the failure occurs to resolve the problem. The contractor shall also document this information in the test analysis report. Software incident reports will be in the format specified by the government, but must include the start date and completion date of the troubleshooting session, a log of the troubleshooting actions, identification of the software causing the problem, and an explanation of the probable cause for the error. Final software incident reports are submitted to the Government when the issue is resolved or after the contractor certifies the problem cannot be resolved. Only the Government can close out a software incident report after reviewing the report. The contractor shall provide test analysis reports no later than five (5) business days after test completion. Test analysis reports shall include, but are not limited to compatibility with existing DoD or USTRANSCOM systems, identification of limitations (security, functionality, utility), and a determination of components necessary to meet user requirements. Test analysis reports shall be in the format specified by the Government. The contractor shall prepare briefings on test results when needed by the Government, and provide the briefing materials two (2) business days prior to the presentation. The contractor shall maintain a searchable master listing of all tests and evaluations that are completed in the performance of this task. 
The format for this listing will be specified by the Government, and will include sufficient details to identify the test and results, such as the system, date tested, summary of test results, and recommendation(s) made.


1.3.3.9.3.2 Testing and Integration Lab The contractor shall operate and manage the USTRANSCOM IT Testing and Integration Laboratory (“Test Lab”, also known as the “Security Evaluation & Analysis Center (SEAC)”) for the Government. The Test Lab provides a secure, isolated testing environment that mirrors the USTRANSCOM operational environments. The contractor shall use the Test Lab to perform simultaneous testing (to include, but not limited to, fit-for-use and fit-for-purpose testing), analysis, integration, and evaluations of commercial and Government software, software patches and commercial hardware to ensure compatibility with USTRANSCOM network and policies within the suspense agreed upon with the Government. The contractor shall provide projected timelines for each testing activity, to include a WBS for tasks that require a level of effort greater than 10 (ten) business days. The contractor shall evaluate hardware and software solutions to determine if they meet DoD and USTRANSCOM security, operability, and functionality requirements. The contractor shall conduct test and assessment activities in support of USTRANSCOM’s risk management program utilizing Government-furnished test equipment on-site at Scott AFB. The contractor shall develop, document, and provide test and evaluation services and relevant processes in support of this task. The contractor shall ensure processing time and service levels are tracked and published monthly. The contractor shall maintain the current and projected workload data and present it as part of the monthly report. The contractor’s assessment and validation procedures shall use industry best practices (e.g., ISO, CMMI, ITIL) and be applicable to Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), similar cloud-based service environments, as well as existing and future physical hardware USTRANSCOM IT environments (e.g., servers, networks, storage networks, and associated support hardware/software).
In support of this task, the contractor shall perform the following:
• Operate the Test Lab environments
• Manage Test Lab hardware and software configurations
• Prepare and maintain Test Lab environment documentation (e.g., hardware rack elevations, warranty information, test network diagrams, Test Lab floor plans, test equipment inventories)
• As the Test Lab operator, recommend hardware and software upgrade requirements
• Work with Design & Transition Planning & Support and Enterprise Engineering to develop enterprise system and application configuration guidance
• Prepare, apply, and document test and evaluation processes and procedures

1.3.3.9.3.3 Test Environment Installation, Operation and Maintenance Support The contractor shall use Government furnished equipment (GFE) and software to provision and maintain representative test environments. The test environment duty hours are 0700-1700 Monday through Friday. The contractor shall request/coordinate hardware/software procurement (including life cycle upgrades) as needed to maintain a functional environment. As needed, the contractor shall also establish and support virtual networks within the USTRANSCOM Test Lab. In support of this activity, the contractor shall operate and maintain the Test Lab environments:
• Perform system administration of the physical and virtual systems comprising the test environment, to include installing and configuring system components and mirror operational environment as closely as possible
• Utilize the USTRANSCOM (ITSM) tool suite and capability to document and maintain configurations, ensure applications and operating systems are current versions and up to date on security vulnerability patches
• Ensure consistency with the operational production environments, and other work as needed to replicate the production environment(s) of USTRANSCOM and conduct realistic operational, functional, and security tests
• Provide compliance data, as needed, to the Government for response to USCYBERCOM task orders; develop POA&Ms as needed; and submit requests for exemption/waiver to policy/direction that cannot be complied with IAW prescribed DoD policy/instruction
• Implement approved hardware and software upgrades
• The contractor shall also perform equipment custodial duties
In addition to the above, the contractor shall:
• Review IT Strategies and IT Service Portfolio goals to ensure the test environment planning, programming, & budgeting are in alignment, and shall document requirements for the environment to support policy, strategy, & goals accomplishment
• Submit documented requirements to the Government semi-annually (31 Dec & 30 Jun) at a minimum or sooner if requested

1.3.3.9.3.4 Test and Assessment Operations Metrics and Process/Procedure Documentation The contractor shall collect and provide the Government with monthly metrics on test and assessment activity.
• List and status of tests and assessments performed
• Uptime statistics based on service availability for test environment to include test events denied due to lack of available equipment
The contractor shall maintain current documentation on test and assessment processes and procedures and provide as a deliverable to the Government the following documents in accordance with these assigned suspense dates:
• Test and Assessment SOP & Checklists (Fiscal Qtr 4)
• USTRANSCOM Cybersecurity Reference Guide (Fiscal Qtr 1)
• Windows Defender and Exploit Guard STIG Variance Standard and Checklist (Fiscal Qtr 3)

1.3.3.9.3.5 New Technology Integration The contractor will assess new technologies submitted by the Government for integration into the USTRANSCOM operational environment. The contractor will assess the new technologies based on principles delineated in NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security, Revision A), SP 800-84, SP 800-115, and the DOD RMF, NSA, NIST, CNSS, USCYBERCOM, DISA, and USTRANSCOM requirements and best practices. Technologies will be assessed based on technical, security, functional, and operational characteristics to meet defined user requirements, and may include COTS/GOTS products, service-unique software, C2 systems, and USTRANSCOM-unique systems. The contractor will provide test analysis reports of new technologies no later than five (5) business days after test or assessment completion. The new technology test analysis reports shall be in the format specified by the government, to include but not limited to: compatibility of the tested or assessed technology/capability with existing systems; identification of functional, operational, or security limitations; and a determination of components necessary to meet user requirements.

1.3.3.9.4 Task 3 Subtask 9.4: Tool Portfolio Management and Support The contractor shall be the Service Owner and Service Manager for the ITSM tools used by the USTRANSCOM IT organization(s) to provide, monitor, operate, and support IT services. The ownership and management responsibilities of the tool suite shall include, but not be limited to, Tool Portfolio Management, lifecycle planning & execution, capacity planning & execution, configuration management, change management, operations & maintenance, and associated documentation.

1.3.3.9.4.1 ITSM Tools Portfolio Management The contractor shall create and manage a service portfolio of ITSM support tools in support of, and in synchronization with, the IT Service Portfolio Manager (TCJ6-S) and the Service Operations lead (TCJ6-OYM). The portfolio shall have clear capability descriptions of the tools and be mapped to the capabilities needed within the Service Lifecycles of Strategy, Design, Transition, Operations, and CSI. The contractor shall be responsible for gathering requirements and managing capability lifecycles, which includes but is not limited to, proposing new capabilities, performing business case analysis, comparisons, and retirement of these tools within the portfolio. The goal of the Tools Service Portfolio Manager is to maintain an up-to-date, enabling tool suite that brings increased effectiveness and efficiencies to the IT service organizations. Through proper portfolio planning and management, the contractor shall ensure comprehensive real-time information as well as required data and compiled metrics are available to each service lifecycle, as required, to enable communications and informed decision-making among functional areas. The contractor shall provide and maintain a comprehensive view of the IT support automation capabilities, gaps, and future needs. The contractor shall produce a semi-annual ITSM Tools Management Plan. As part of that plan, the contractor shall provide the capability analysis and defined lifecycle plans for each capability and associated tool.

1.3.3.9.4.2 ITSM Tools Management

The contractor shall ensure the configuration of the ITSM tools suite (e.g., Remedy, Solar Winds, Cascade, CA Clarity PPM, BMC ProactiveNet Performance Management [BPPM], Atrium Discovery and Dependency Mapping [ADDM]) matches the requirements of each service lifecycle. The contractor shall capture ITSM tools requirements from established processes and functions to ensure the necessary configuration meets the needs of the organization. In conjunction with ITSM Tools Portfolio Management, the contractor will define any potential gaps or overlaps in capability to provide efficient and effective ITSM tools capabilities. The contractor shall track, plan, and manage the lifecycle (procurement, installation, integration, maintenance, replacement, decommission) for all ITSM suite tool capabilities. The contractor shall install, configure, maintain, & decommission the ITSM tool capabilities.


This includes requesting/coordinating hardware/software procurement (including lifecycle upgrades); performing project management (e.g. government provided requirements management tool and schedules); building and configuring systems to be STIG compliant; performing functional testing; developing system accreditation supporting documentation; requesting security evaluations and remediation of findings; and performing operational deployment. The contractor shall deliver a CMDB/BMC Discovery (formerly known as ADDM) roadmap no later than 30 September 2017. Requirements are identified in Appendix H of this document. The contractor shall perform the day-to-day operation and maintenance of the ITSM & event management tool suite (e.g., Remedy, Solar Winds, Cascade, CA Clarity PPM, BPPM, ADDM, and Transaction Management Application Response Timer [TMART]). This includes, but is not limited to, maintaining the existing configuration, installing application patches/upgrades, developing POA&Ms, submitting requests for exemption/waiver to policy/direction, performing tuning tasks, performing equipment custodial duties, and configuring the event management tool suite. The contractor shall collect, record, and store all event management information and response time parameters. processes and configure functions as needed in ITSM tools. The contractor shall provide recommendations on ways to automate key ITIL best practices. The contractor shall interact seamlessly with customers, assess customer requirements, and configure the ITSM tool suite to satisfy those requirements. The contractor shall provide support for PKI connectivity, Active Directory, and database syncing to the ITSM tool as well as configure the tool to incorporate data from network monitoring and discovery tools (e.g., Atrium Discovery and Dependency Mapping (ADDM), BMC ProactiveNet Performance Management (BPPM), Solarwinds, NetScout, and others).
The contractor shall accomplish the following:
• Ensure personnel coverage for administration during normal duty hours
• Ensure that database and application backup servers are current and ready for use and coordinate with USTRANSCOM security and test facility for review of each release
• Identify, evaluate, review logs, document, install, and configure hardware and software to meet user needs and ensure all services are available
• Activate, deactivate, and restart each application’s resources/services
• Perform daily backups of the CMDB
• Coordinate with Tier I (i.e. USTRANSCOM Service Desk), Tier III (e.g., Remedy Support, vendor), and other external support personnel to resolve issues as quickly as possible
• Provide ITSM statistical reports, as requested, on a periodic basis to functional and service owners and USTRANSCOM J6 Leadership
• Create and maintain dashboards to support Customer Service Monitoring (CSM) and Business Activity Monitoring (BAM) services
• Configure tool functional areas based on Service Owner, and Manager requirements.
• Create and maintain Tier 0 front end (e.g. MyIT)
• Operate and maintain tools and provide views to entities/organization to provide SA, and more effectively provide services.

1.3.3.9.4.2.2 Customer Service Monitoring (CSM) and Business Activity Monitoring (BAM) Support The contractor shall provide Customer Service Monitoring (CSM) and Business Activity Monitoring (BAM) services on-site at Scott AFB during normal duty hours and on-call after duty hours with a two (2) hour response time to begin work. The contractor shall maintain and enhance USTRANSCOM CSM and BAM services using Government-furnished event management tools. The contractor shall provide CSM and BAM support, to include installation, configuration, and application administration of the Government procured event management tool suites (e.g., BMC Proactive Performance Manager (BPPM), Atrium Discovery and Dependency Mapping (ADDM), and Transaction Management Application Response Timer (TMART)) and ensure STIG compliance. The contractor shall perform event management functions to include collection, evaluation, and reporting of service levels experienced by JDDE customers. The contractor shall coordinate with targeted JDDE AIS to obtain system specific event management requirements (e.g., uptime, response time, etc.). The contractor shall create and configure event management custom knowledge modules and assist in the customization of COTS knowledge modules, as required to obtain the JDDE AIS event management information. The contractor shall create and recommend data for dashboards to support CSM and BAM services. Dashboards will be created for select customer bases (e.g., TCJ6, TCJ3, TCAQ, etc.) using BMC Remedy Information Technology Service Management (ITSM) suite. The contractor shall coordinate with targeted JDDE AIS to obtain system specific event management requirements (e.g., uptime, response time, etc.). The contractor shall develop event management custom knowledge modules and assist in the customization of COTS knowledge modules, as required to obtain the JDDE AIS event management information.
The contractor shall establish criteria for alarms on service-level breaches based on the JDDE AIS event management requirements and integrate those alarms into customer-defined dashboards. The contractor shall collect and provide the government monthly metrics on network monitoring events alerted by event management tools. The metrics shall include, but not be limited to the following:
• List of false alerts reported by event management tools (e.g., alerts which do not correlate to system/network outage).
• Reports based on KPIs provided by the government on monitored systems (e.g., uptime/downtime statistics of monitored command and control systems compared to KPIs).
• Total downtime to include maintenance and unscheduled outages for event management tools managed by Service Assurance team. Report to include cause/fix and duration of each unscheduled outage.
• List of on call activity. Report shall include time notified, time tech arrived on station, and time issue was resolved. If tech was able to resolve issue without reporting on station, include only time called and time resolved.
The contractor shall attend meetings held at USTRANSCOM and/or other locations as identified by the Government. The Government estimates three (3) trips per year in support of this task.


1.3.3.9.4.2.3 ITSM Suite Roadmap

The contractor shall deliver a roadmap of the ITSM suite, no later than six (6) weeks after the Government work area reopens. Requirements are identified in Appendix I of this document. To enable communications and informed decision-making among functional areas, the contractor shall:

• Use proper configuration management to ensure comprehensive real-time information as well as required data and compiled metrics are available to each service lifecycle
• Ensure comprehensive network views and management tools are available to each service lifecycle as required
• This will occur six (6) weeks after the Government reopens the work area.

1.3.3.9.5 Task 3 Subtask 9.5: Knowledge Management

The Government requires a reliable and proactive Knowledge Management capability as an integral part of delivering and supporting services. The contractor shall be the ITSM Knowledge Manager and be accountable for the Knowledge Management Process. USTRANSCOM ITSM Knowledge Manager shall ensure the organization is able to gather, analyze, store, and share knowledge and information in support of delivering IT Services. Knowledge Management shall manage IT service, providing information across teams and organizations and across lifecycles to share perspectives, ideas, experience, and information. Knowledge Management shall ensure this information is available and in the right place at the right time to enable informed decisions and to improve efficiency by reducing the need to rediscover knowledge. The contractor shall utilize the Service Knowledge Management System (SKMS) and the Known Error Database. The SKMS will be the central repository of the data, information, and knowledge to manage the lifecycle of IT services. The contractor shall draft Knowledge Management policy for Government approval and provide the capability to store, analyze, and present the service provider's data, information, and knowledge.
The contractor shall control access to the SKMS to ensure the knowledge, information, and data is appropriate for each audience. While the primary system will be the ITSM tool suite, it potentially may not be a single system and it will be inherent upon the contractor to recommend improvements and other systems to be federated, based on a variety of data sources. The contractor shall provide full process documentation for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare Knowledge Management briefings and supporting materials no later than 48 hours prior to any presentation. The contractor shall perform Knowledge Management process reviews at least semi-annually or at the direction of the Government and recommend CSI initiatives/opportunities for consideration to the CSI Manager. The contractor shall identify information captured and processed in the ITIL-described structure of Data-to-Information-to-Knowledge-to-Wisdom with the goal for improvements to increase Wisdom. The contractor shall perform all Knowledge Management data capture coordination activities and gather, track, and report KPIs. Required KPIs are to be reported within 90 calendar days from the start of the contract and quarterly thereafter. The minimum, but not limited to, Critical Success Factors and KPIs are as follows:

CSF: Availability of Knowledge and information that helps to support management decision-making.
  KPI: Increased number of accesses to the SKMS by managers
  KPI: Increased percentage of SKMS searches by managers that receive a rating of “good”
CSF: Reduced time and effort required to support and maintain services
  KPI: Increased number of times that material is re-used in documentation such as procedures, test design, and service desk scripts.
  KPI: Reduced transfer of issues to other people and more resolution at lower staff levels
  KPI: Increased percentage of incidents solved by use of known errors
CSF: Successful implementation and early life operation of new and changed services with few knowledge-related errors
  KPI: Reduced number of incidents and problems categorized as “knowledge-related”
CSF: Improved accessibility and management of standards and policies
  KPI: Increased number of standards and policies stored in the KMS
  KPI: Increased number of times that standards and policies in the SKMS have been accessed
  KPI: Increased percentage of standards and policies that have been reviewed by the agreed review date

1.3.3.10 Task 3 Subtask 10: CSI Process Support

The Continual Service Improvement (CSI) process main goal is to use methods from quality management in order to learn from past successes and failures. The CSI process aims to improve the effectiveness and efficiency of IT processes and services continually.

1.3.3.10.1 CSI Manager The contractor shall be the CSI Process Manager and be responsible for managing improvements to IT Service Management processes and IT services. The contractor shall be responsible for creating, managing, and documenting CSI processes, as well as recommending and facilitating CSI policy. The contractor shall act as the single focal point for CSI-related issues. The contractor shall communicate the vision of CSI across all areas of the contract and IT organization. The contractor shall ensure CSI activities are coordinated throughout the service lifecycle. The contractor shall provide full process documentation for Government approval within 90 calendar days of contract start. The contractor shall complete all documentation for process changes within three (3) business days after it is determined a change is needed. The contractor shall prepare CSI briefings and supporting materials no later than 48 hours prior to any presentation. The contractor shall perform a process review, at a minimum semi-annually, and recommend CSI initiatives/opportunities for consideration to the Government. 1.3.3.10.1.1 Service Reviews and Assessments


The contractor shall work closely with process owners, service owners, service level managers, and other managers from all functional areas to identify and collect CSI initiatives and improvement opportunities. These opportunities are identified through Service Reviews/Evaluations, Assessments, and findings and initiatives maintained in the CSI Register. For all types of reviews, the contractor shall build improvement plans and make improvements, as required. 1.3.3.10.1.1.1 Regular Reviews The contractor shall perform regular reviews of service performance. The contractor shall review IT business services and infrastructure services, and evaluate processes on a regular basis, at a minimum once a year. The contractor shall improve service quality where necessary, and identify more economical ways of providing a service where possible. The contractor shall provide a report for each service reviewed or process evaluated. 1.3.3.10.1.1.2 Service Level Triggered Reviews The contractor shall work with Service Level Managers to ensure that monitoring requirements are defined. The contractor shall ensure monitoring tools are in place to gather data. The contractor shall capture baseline data against which to measure improvement. The contractor shall continually track and measure the performance of the service provider and design improvements to processes, services, and infrastructure in order to increase efficiency, effectiveness, and cost effectiveness. The contractor shall identify areas where the targeted process metrics are not reached, and hold regular bench markings, audits, maturity assessments, and reviews. Results and findings shall be documented in report. 1.3.3.10.1.2 Maintain CSI Register The contractor shall create and maintain a CSI Register to track initiatives and possible improvements. The contractor shall categorize the entries into small, medium, or large undertakings, and identify a level of effort required for each. 
Additionally, a benefit for each initiative shall be assessed and recorded in the CSI register. The contractor shall prioritize each initiative and shall present it to senior management for review on a monthly basis, or as determined by the Government.

1.3.3.10.2 Seven-step Improvement Processes Owner/Manager

The contractor shall be the Seven-step Improvement Process Owner/Manager and shall ensure process activities are performed to the level prescribed in the CSI policy or other defined CSI process documentation. The contractor shall ensure all members of the IT Staff and Service Owners are aware of their exact duties to ensure elements of the seven-step improvement process throughout the service lifecycle are performed. The contractor shall plan and manage support for improvement tools and processes. The contractor shall coordinate interfaces between the seven-step improvement process, other processes, service owners/managers, and IT functions.

1.3.3.10.3 Reporting

The contractor shall work with service owners/managers and functional leads to provide analyst reports to help identify trends and establish if they are positive or negative. The contractor shall provide the following in their quarterly report:

• Number of formal Service Reviews carried out during the reporting period
• Number of weaknesses which were identified during Service Review, to be addressed by improvement initiatives
• Number of formal Process Bench Markings, Maturity Assessments, and Audits carried out during the reporting period
• Number of formal Process Evaluations carried out
• Number of weaknesses which were identified during Process Evaluation, to be addressed by improvement initiatives
• Number of CSI initiatives, resulting from identified weaknesses during Service Reviews and Process Evaluations
• Number of CSI initiatives which were completed during the reporting period

1.3.5.1.3 Task 5 Subtask 1.4: Communications Security (COMSEC)

The contractor shall execute COMSEC processes and procedures IAW DoD policy and USTRANSCOM Government direction. The contractor shall provide a minimum of two COMSEC support personnel to maintain and ensure Two Person Integrity (TPI) on-site at Scott AFB when required during duty hours 0830–1500 hrs. Monday–Friday and on-call support with a one (1) hour response time to begin work. This extended coverage specifically applies to support for secure voice capabilities, which involves operation, installation, and maintenance for secure telephones, secure mobile telephones, secure facsimile machines, and cryptographic secure voice keys as well as training to users and maintenance of records for secure voice instruments throughout the command.

1.3.5.1.3.1 COMSEC Daily Operations and Maintenance

The contractor shall provide on-going daily support for USTRANSCOM’s COMSEC mission. This includes, but is not limited to the following:

• Providing COMSEC oversight for USTRANSCOM, the TCCs, and other direct reporting elements to include all USTRANSCOM sub-accounts
• Maintaining and assisting in developing USTRANSCOM policies and procedures for handling, controlling, and protecting COMSEC assets; disseminate urgent, doctrinal, policy, and procedural COMSEC information received from DoD within USTRANSCOM
• Ordering and maintaining COMSEC material; coordinating acquisition of cryptographic keying materials
• Operating the Key Management Infrastructure (KMI) for the generation of electronic cryptographic keys
• Issuing COMSEC material to authorized personnel
• Enforcing Government-established controls so only properly cleared personnel with a legitimate need to know are permitted access to COMSEC material
• Providing disposition instructions for keying material that is no longer required; coordinating cryptographic circuit maintenance
• Performing COMSEC incident reporting
• Providing After Action Reviews (AARs) regarding COMSEC issues
• Submitting ad-hoc and recurring reports IAW suspense assigned by the Government (e.g. ad-hoc Practices Dangerous to Security (PDS), monthly Joint Training Information Management System (JTIMS), monthly Defense Readiness Reporting System (DRRS), etc.)
• Providing point papers and briefings on COMSEC issues and requirements IAW suspense assigned by the Government
• Maintain the USTRANSCOM Inter-theater COMSEC Package (ICP) Program
• Publish annexes and integrate USTRANSCOM ICP program as required for support to Contingency Plans (CONPLANS) and Operation Plans (OPLANS)
• Provide support to the appropriate command’s response cell during real world and exercise missions IAW suspense assigned by the Government

1.3.5.1.3.2 COMSEC Account Management

The contractor shall maintain a Cryptographic COMSEC Equipment Account (CCEA) and duties shall include serving as the CCEA Custodian with Standard Base Supply System (SBSS) at Scott Air Force Base (SAFB); ensuring complete accountability for all Controlled Cryptographic Items (CCI) for USTRANSCOM to include ensuring CCI equipment is entered into SAFB SBSS account records and the COMSEC Material Control System (CMCS) as appropriate; managing USTRANSCOM CCEA IAW COMSEC policy to ensure account administration meets all inspection requirements; and conducting daily accountability semiannual inventories of assigned assets IAW COMSEC policy.

1.3.5.1.3.3 COMSEC Education, Training, and Awareness (ETA)

The contractor shall coordinate and implement the COMSEC Education, Training, and Awareness (ETA) program, to include developing comprehensive user-training program for COMSEC Responsible Officers; managing cryptographic agent training and scheduling; training users in the rules for use, safeguarding, controlling, and the proper destruction of COMSEC aids; and providing training on Secure Voice procedures and equipment.

1.3.5.1.3.4 COMSEC Metrics and Process/Procedure Documentation

The contractor shall collect and provide the Government with monthly metrics on COMSEC activity. The metrics will include, but not be limited to:

• List of documented Practices Dangerous to Security (PDS)
• List of COMSEC equipment ordered and status
• List of COMSEC equipment received and added to inventory
• Number and type of training sessions held
• Number of KMI Operating Account Agents (KOAAs) and SVROs initially trained and qualified to accomplish their duties
• Number of KOAA and SVRO accounts assessed semiannually (January & July)
• List of on-call activity. Report shall include time notified, time tech arrived on station, and time issue was resolved. If tech was able to resolve issue without reporting on station, include only time notified and time resolved.

The contractor shall maintain current documentation on COMSEC processes and procedures and provide the following deliverable documents to the government IAW the assigned suspense dates.

• COMSEC Personnel Recall Roster (in TDOC IntelShare) (Fiscal Qtr 1,2,3,4)
• COMSEC Training SOP (Fiscal Qtr 1)
• COMSEC Tracking SOP (Fiscal Qtr 2)
• Requesting NSA Key Support SOP (Fiscal Qtr 2)
• Loading [Keying] Cryptographic Devices SOP (Fiscal Qtr 3)
• COMSEC Account Management SOP (Fiscal Qtr 4)

1.3.5.1.3.5 Sensitive Compartmented Information Facility (SCIF) Representative (Optional)

The contractor shall serve as a Special Security Representative (SSR) for the USTRANSCOM SCIF located in Building 1900, first floor, and shall ensure compliance with SSR governing directives applicable to a SCIF.

1.3.5.1.5 Task 5 Subtask 1.5: Emissions Security (EMSEC)

The contractor shall support the USTRANSCOM Chief Information Security Officer, and Chief Information Officer (CIO) in providing all services for implementing and conducting the Emissions Security (EMSEC) Program for USTRANSCOM. In support of this function, the contractor shall support the government in defining EMSEC requirements, assessments, identification and implementation of required countermeasures, and other requirements related to the emissions security of USTRANSCOM systems and networks. The contractor will assist the government in completing EMSEC countermeasures reviews for information systems, communications systems, and cryptographic equipment. This requires authenticating and validating the information systems, communications systems, and cryptographic equipment countermeasures reviews; applying the countermeasures; inspecting the system; and certifying EMSEC requirements have been met in conjunction with the host installation information protection (IP) office. The contractor shall function as the USTRANSCOM EMSEC point of contact and SME to provide guidance to USTRANSCOM personnel to ensure protection of USTRANSCOM systems and information, and compliance with National Security Telecommunications and Information Systems Security Committee (NSTISSC), Committee on National Security Systems Instructions (CNSSI), Air Force System Security Instruction (AFSSI) 7700 series instructions, DoD, and other applicable policy.

In this regard, the contractor shall coordinate with the host installation IP/IA office, Certified Telecommunications and Electrical Machinery Protected from Emanations Security (TEMPEST) Technical Authority (CTTA), functional users, USTRANSCOM authorization element, and other offices to address USTRANSCOM EMSEC requirements and obtain needed assessments and countermeasures for protecting USTRANSCOM systems. The contractor will support host installation TEMPEST/EMSEC assessments by serving as the point of contact, providing required drawings, technical documentation, submitting requests, waivers, etc., as needed to accomplish the assessment.

1.3.5.1.5.1 EMSEC Metrics and Process/Procedure Documentation

The contractor shall collect and provide the Government with quarterly metrics on EMSEC activity.


The metrics will include, but not be limited to:

• EMSEC assessments supported or processed, to include findings of the assessment and systems certified
• EMSEC risks and countermeasures implemented to mitigate risks

The contractor shall maintain current documentation on USTRANSCOM EMSEC processes and procedures and provide the following deliverable documents to the government IAW the assigned suspense dates.

• USTRANSCOM EMSEC SOP & Checklists (Fiscal Qtr 4)

1.3.5.1.6 Task 5 Subtask 1.6: Continuous Security Monitoring

For assets residing within USTRANSCOM physical and virtual enclaves located at Scott AFB, IL; USTRANSCOM Commercial Cloud Environment; Defense Enterprise Computing Center (DECC)—St. Louis, MO other designated location; and Joint Enabling Capabilities Command (JECC)—Norfolk, VA, and cloud-based systems, the contractor shall:

• Gather and maintain system configuration information, e.g., operating systems/versions, key software/versions, STIG compliance (SCAP) to monitor the USTRANSCOM unclassified and classified systems for compliance with command security policies
• Monitor cybersecurity dashboards and take action as appropriate to address issues that are outside USTRANSCOM’s risk tolerance
• Perform monthly vulnerability scanning and analysis
• Perform on-request validation scans for USTRANSCOM cyber-key terrain/systems
• Report vulnerability scanning results to the Government within three (3) business days of the completion of the scan
• Assist system administrators of USTRANSCOM systems with identifying potential remediation actions for all identified vulnerabilities
• Update information in the Continuous Monitoring and Risk Scoring (CMRS) or other designated system in accordance with USCYBERCOM requirements
• Compile reports/analysis as requested by the Government

In addition, the contractor shall be responsible for operations, sustainment, and equipment custodian responsibilities for GFE. The contractor shall be responsible for systems administration of Government furnished scanning systems at Scott AFB, IL; USTRANSCOM Commercial Cloud Environment; Defense Enterprise Computing Center (DECC)—St. Louis, MO other designated location; and Joint Enabling Capabilities Command (JECC)—Norfolk, VA.

The contractor shall perform network discovery scans on a quarterly basis and compare results of discovery scans against reports of assets as identified by HBSS (or replacement tool as designated by the Government). Any systems identified by HBSS, but not by the network discovery scans, shall be incorporated into monthly scanning activities. Any systems not covered by HBSS shall be provided to the HBSS team for analysis.


Additionally, in support of all assets residing within the USTRANSCOM Mobility Air Forces (MAF) C2/Distributed Enclave (DE) and Surface Deployment and Distribution Command (SDDC) C2/Centralized Enclave (CE) located at Scott AFB, IL, Ramstein AB, GE, Hickam AFB, HI, McConnell AFB, KS, and GATES DEV located at O’Fallon, IL and Fairview Heights, IL, the contractor shall:

• Perform vulnerability scanning on a bi-annual basis utilizing AMC and SDDC Government furnished network scanners
• Analyze results of vulnerability scans performed by AMC and SDDC on a monthly basis
• Provide feedback and remediation assistance as appropriate
• Perform patch compliance spot checks for verification.
• Manage eMASS user accounts (i.e., add, delete, and assign/update roles) for USTRANSCOM’s instance of eMASS per Government direction
• Maintain and execute processes for reviewing and routing of authorization packages
• Assist the SCA in accomplishing monthly audits of approved minor modifications
• Create and process authorization packages as requested by the Government
• Track status of checklists and packages from submission through approval/disapproval decision by the Authorizing Official (AO)
• Generate metrics for packages processed and the associated cycle times; include these metrics in the MSR. As a minimum, metrics will support the service delivery objectives such as the 5-day triage time, 30-day IATT processing time, and 60-day ATO/ATC processing time.

1.0 Continuous Monitoring Installation, Operations and Maintenance Support

The contractor shall perform installation of continuous monitoring tools IAW USTRANSCOM processes. This includes:

• Requesting/coordinating on hardware/software procurement (incl. lifecycle upgrades)
• Performing project management, e.g., Government provided requirements management tool and schedules
• Building and configuring systems to be STIG compliant
• Performing functional testing
• Developing system accreditation supporting documentation
• Requesting security evaluations and remediation of findings
• Performing operational deployment

The contractor shall perform day-to-day operation and maintenance of the scanning/monitoring tool suite IAW USTRANSCOM Configuration and Change Management processes. This includes:

• Maintaining the existing configuration and integrity of the tool suite in accordance with applicable policies and instructions
• Requesting authorized service interruptions (ASIs)
• Utilizing the USTRANSCOM ITSM tool suite and capability, installing software patches and upgrades, ensuring applications and operating systems are current versions and up to date on security vulnerability patches
• Performing tuning tasks
• Ensuring Business Continuity Management (BCM) plans are in place, executable, and followed for this service (including storage of authentication credentials and backups)

The contractor shall perform equipment custodian duties, provide compliance data as needed to the Government in response to USCYBERCOM orders, develop plans of action and milestones (POA&Ms) as needed, and submit requests for exemption/waiver to policy/direction that cannot be complied with IAW prescribed DoD policy/instruction. The contractor shall document changes to scanning/monitoring tools (e.g. software installs, patching, software configuration changes, etc.) in accordance with Change Management policies and provide configuration management data on all of its managed systems according to the schedule and format directed by the Government.

1.1 Security Auditing, Continuous Monitoring and Vulnerability Management Metrics and Process/Procedure Documentation

The metrics will include:

• Number of scan reports reflecting known un-remediated and unmitigated vulnerabilities provided to system POCs
• Number of systems on the USTRANSCOM network (including AMC and SDDC enclaves) with Category 1 vulnerabilities
• Number and type of issues adjudicated from USTRANSCOM cybersecurity dashboards

Deliverable: USTRANSCOM TCJ6 Code Scanning Policy (Fiscal Qtr 1)

Security Control Management

The contractor shall identify, and provide to the government a listing of recommended enterprise security controls/enhancements that provide mission assurance for systems supporting USTRANSCOM’s mission. In addition, the contractor will identify, and provide to the government a listing of inheritable security controls (e.g., common controls), to include test results, artifacts, POA&Ms, and other compelling evidence for compliance and non-compliance. This listing and supporting artifacts will be updated as needed or minimally on a quarterly basis.

1.3.6 USTRANSCOM; and the applicable DISA STIGs/SRGs, Systems Security Engineering, An Integrated Approach to Building Trustworthy Resilient Systems, Task 6: Web Applications and Support

The contractor shall provide Web development, content management, and Electronically Stored Information (ESI) search support to USTRANSCOM. The contractor shall identify a key person to the Government to serve as a focal point for this task. The contractor shall provide, and maintain a delivery schedule for each project/initiative utilizing the Government-provided project management tool. At a minimum, the contractor shall record breakdown of hours expended against each project/initiative by skill set on a weekly basis. The contractor shall provide this information in the Monthly Status Report. The contractor shall work projects/initiatives based on the priority established by the Government. The contractor shall attend meetings or conferences held at USTRANSCOM and/or other locations as identified by the Government, and provide meeting/conference minutes IAW paragraph 1.3.1.5. The Government estimates two (2) trips annually required to support this task.

1.3.7 Task 8: Joint Operational Support Airlift Center (JOSAC) Support

The contractor personnel who support the below subtasks 1 through 3 shall be required to telework on a situational basis. In performance of these duties, the contractor shall set office procedures for reporting to work, measuring and reviewing work prior to Government acceptance, and time attendance and recording. All telework shall be performed on Government issued laptops, and the contractor shall take all appropriate measures to safeguard Government information. The contractor shall be required to telework not to exceed twice a month, in order to verify telework capabilities and remain current on telework requirements. Verification of telework capabilities and any issues encountered which prevent normal operations while teleworking shall be electronically documented and communicated to the JOSAC Programs and Analysis Branch chief within two (2) business days of telework duty completion. The contractor shall be required to telework on the first or third Friday of each month, or as coordinated with the Government. In the event of a real world/unplanned outage, the contractor shall contact the JOSAC Programs and Analysis Branch Chief for further instruction on telework procedures. The Government will furnish a NIPR laptop with VPN connectivity to USTRANSCOM for telework access to include access to Government systems, files and email. No classified work shall be performed while teleworking. The Government will define the means of communication during telework hours.

1.3.8.1 Task 8 Subtask 1: JOSAC Data Entry Support

The contractor shall support updating the functional database within the government supplied Operational Support Airlift (OSA) scheduling system. The current system in use is the Joint Air Logistics Information System (JALIS). The contractor shall identify, compile, and utilize available information to update and input data daily within the scheduling system. These database updates include information pertaining to Notices to Airman (NOTAMs), updates to Logistic Flight Records, aircraft identification and performance information, flying unit information, Office of the Secretary of Defense (OSD) Comptroller cost figures, and standard remarks information. The contractor shall also update and input data for all applicable airfields/airports. Examples of such information include airfield hours, fuel contract information, weight bearing capacity, and runway dimensions. The contractor is responsible for entry and accuracy of data elements in the scheduling system.

1.3.8.2 Task 8 Subtask 2: JOSAC Scheduling System Support

The contractor shall provide administrative support to assist JOSAC in performing a variety of tasks associated with the scheduling system, as well as system upgrades administered by the scheduling system Program Management Office (PMO). The contractor shall serve as a technical proponent and shall assist JOSAC with implementation of scheduling system changes and upgrades. Support shall include:

• End-user-level testing, implementation, and operation of operating system software and related system components
• Analysis of data communications networks
• Connectivity and access to the scheduling system to include required hardware/software configuration changes
• System administration and management to include user accounts
• System security/software patches
• Analysis of computer communications such as protocols, response times, and data transmissions
• Importing/exporting data and file transfers
• Building/tailoring data base queries and tables
• Installation, administration, configuration, and operation of applications related to the scheduling system to include database query software (currently Oracle Discoverer Desktop/Web) and visibility software/servers and applications to include JOSAAMS, JTASK, Find-a-Flight, etc.

The contractor shall document, track and report to the scheduling system PMO all software deficiencies and JOSAC system change requests in the MSR. The contractor shall respond to trouble reports from scheduling system users. The contractor shall also respond to the JOSAC Oracle Discoverer users in support of database connectivity. The contractor shall provide a monthly report with the status of system/software deficiencies, to include trouble report resolution, no later than the 5th business day of each month. The contractor shall provide at least one person to be on-site for this subtask in the hours from 0730 to 1630.

1.3.8.3 Task 8 Subtask 3: JOSAC FACCSM and Gatekeeper

The contractor shall perform FACCSM duties for JOSAC IAW USTCI 33-1 and USTCI 33-16; and Gatekeeper duties for JOSAC IAW USTCI 33-3.

1.3.9 Task 9: Cloud Support

USTRANSCOM utilizes and maintains a number of software applications on the NIPRNet. As such, it requires managed services and a commercial cloud service offering (CSO) capable of processing workloads at DoD SRG Impact Levels 2, 4, and 5 (IL2, IL4, and IL5). This will ensure USTRANSCOM’s NIPR applications can continue to operate securely in an established commercial CSO with secure environments that are in accordance with DoD policies and directives. The objective of this task is to facilitate the delivery of capability and support to applications within the CSO environment.

Migration of applications from an on premises DoD computing environment to a CSO will not be provided under this task area. However, the contractor shall provide managed services and support to applications already migrated/being migrated into the environment by the Government. There are currently seventeen (17) systems of record in the Cloud with five (5) more expected in the near future. 1.3.9.1 Task 9 Subtask 1: Managed Services Task The contractor shall:  Develop/maintain authorization documentation and artifacts designed for secure operation and authorization of the cloud-based system IAW DODI 8510.01.


- Ensure proper access control to the master CSO account by following strong password, multi-factor authentication, and least-privilege administration policies set by the Government.
- Develop and document procedures manual, run book, operations and administration procedures that meet requirements and adhere to defined policies.
- Review and approve infrastructure Operations and Administration procedures.
- Coordinate network requests, such as bandwidth, IP address, PPS declarations, and firewall changes.
- Recommend improvements to infrastructure security architecture and tools.
- Audit Operations and Administration policies for compliance with Government security policies and Service Agreement terms and conditions.
- Assist with audits of the environment by third parties if applicable.
- Notify the Government of all activities that would impact the Government’s use of the CSO services, including maintenance, incident response and scheduled improvements.
- Work with the CSO technical team in the event of an outage, to troubleshoot issues, restore infrastructure service, identify root causes and provide recommendations for changes to avoid future occurrences.
- Assist with CSO Portfolio Management service to manage and improve the CSO portfolio.
- Collaborate with the Government to define, analyze, approve, and review all new and/or changed CSO service offerings.
- Deploy Government-approved monitoring agents (if applicable) on production instances, work with the Government team to identify alerting thresholds, discuss notification processes and procedures.
- Set up project information, collect Government contact information, agree on communication and governance protocols, recurring meetings and reporting cadence when on-boarding a system into the cloud environment.
- Define strategies for final on-boarding activities, such as parallel processing (for cut-over from current to new production environment), data migration, network and DNS migration, and change management. Provide tools within cloud enclave to support on-boarding strategies.
- Manage and operate all services in VDMS/VDSS Environment, including network based services (e.g., routing, DNS, NTP, SMTP, SFTP, IdAM, etc.), and security services (e.g., Firewalls, Active Directory, Certificate Management, key management, account management, logging and auditing, etc.) in coordination with the Government.
- Sustain and secure all VDMS/VDSS services.
- Gather credentials and licensing requirements (as applicable); confirm access to all systems.
- Create/manage accounts/keys/certificates supporting applications hosted in the CSO.
- Set up document templates, distribution lists, notification and escalation processes.
- Run inventory script and gather Government environment information, when requested by the Government.
- Tag systems per agreed upon standards, configure and test backups per requirements.
- Set up and configure native CSO monitoring services.
- Maintain system monitoring account, IAM user with vendor recommended policy.
- Maintain Unified Threat Management (UTM) for system managed operations team to access the environment remotely, configure compliance and perform endpoint monitoring if applicable.
- Respond to security findings at the request of the Government. Responses may require re-architecting, assistance with design of new enterprise capability, or reassessment of policies, practices, or structure.

1.3.9.2 Task 9 Subtask 2: Remote Infrastructure Monitoring

The contractor shall:
- Provide availability and performance monitoring. This includes daily remote monitoring of all production instances under the support contracts as per the agreed SLAs identified and described in Appendix J.
- Provide Capacity Management service to monitor cloud resource use and recommend capacity optimization and planning functions.
- Set capacity notices to allow notification to the Government of any impending storage/space/cost issues that may arise.

1.3.9.3 Task 9 Subtask 3: Routine Infrastructure Maintenance

The contractor shall:
- Truncate database, OS, and application server logs per the agreed upon requirements from the Government.
- Resize storage volumes to support growth.
- Perform regular maintenance of the environment, addressing event log errors and warnings.

1.3.9.4 Task 9 Subtask 4: Patching

The contractor shall:
- Patch all systems including (OS, Database updates/upgrades). The patch must be approved by the Government and use approved automation.
- Patch Operating Systems and applications for Information Assurance (IA) Vulnerability Management (IAVM) compliance.
- Leverage the patch process to enable the patch if it requires reboot of an instance.
- Recommend changes to the Government to improve orchestration and self-service activities by role-restricted application management teams. The patch process involves applying the patch to a base machine image, verifying it and then redeploying it as the basis of operational instances.


- Test and apply non-critical vendor software patches according to the lifecycle update of the software.

1.3.9.5 Task 9 Subtask 5: Access Management

The contractor shall:
- Manage permissions that control the CSO accounts to launch instances through scripts.
- Manage Security Groups and manage rules for each security group that allow only authorized traffic to or from associated instances.
- Review audit logs and report suspicious activity.
- Provide privileged user management and authorization artifact generation and capture.

1.3.9.6 Task 9 Subtask 6: Network Management

The contractor shall:
- Create and manage DNS records in the DoD transport.mil NIPRNet DNS servers as directed by the Government.
- Manage existing routing tables, subnets/or edit existing subnets.
- Manage internal and external IP ranges (including Elastic IP (EIP) Management) if applicable. Allocate internal and external IP addresses to tenant applications as applicable.
- Provide gateway management (CSO to CSO or CSO to DoD on premise environment).
- Manage Security Groups, to include creation, editing and deleting.
- Enable and manage network flow monitoring capabilities.

1.3.9.7 Task 9 Subtask 7: Change Management

The contractor shall:
- Recommend procedures associated with Government-authorized project change requests.
- Provide impact analysis associated with proposed changes.
- Propose maintenance change schedules and change plan.
- Implement approved changes per approved change request procedures.
- Manage changes to the baseline, project plan, committed maintenance and enhancement dates.
- Respond to alerts and notify the Government about changes in status within terms of the SLA.
- Suppress redundant alert notifications pertaining to the same root cause.
- Generate tickets for selected alert types using ticketing system.
- Maintain an audit trail of all detected alert conditions and their resolution lifecycle.

1.3.9.8 Task 9 Subtask 8: Incident/Problem Management

The contractor shall:
- Manage/operate DoD information system in alignment with the Cybersecurity Service Provider (CSSP) Service Level Agreement (SLA). Enable and perform log analysis and alerting capabilities for the Government’s environment.
- Propose and obtain mutual agreement with TCJ6-YM on Incident/Problem workflow, escalation, communication and reporting processes that support the Service Level requirements.
- Troubleshoot and triage tickets using available tools and knowledge bases.
- Manage the entire Incident/Problem resolution lifecycle, including detection, diagnosis, progress reporting, repair and recovery, documentation and knowledge base updates.
- Record resolution of the trouble ticket in the online ticketing system.
- Ensure incident resolution activities conform to defined Change Control procedures.
- Conduct proactive trend analysis to identify recurring problems, identify associated consequences and provide report to Government.
- Track and report monthly recurring Incidents, problems and failures and communicate associated consequences to the Government.
- Recommend solutions to the Government to address trends, recurring Incidents, problems or failures.

1.3.9.9 Task 9 Subtask 9: Service Reporting

The contractor shall provide the following metrics to TCJ6-Y, no later than the 10th calendar day of each month:
- Utilization report (Resource usage report).
- Incident / Change / Service and Problem report.
- Cost report. Data reduction and reporting, to include visibility to billing data by accounts, services, program tags, and dates.
- Security report for infrastructure components (logins, intrusion, distributed denial of service (DDOS), and other anomalies).

In addition, the contractor shall conduct status reviews with the Government to discuss incident activity, enhancement work (including backlog and new requests), planning, and issue resolution. Status review updates shall be provided monthly to TCJ6-Y.
1.3.9.10 Task 9 Subtask 10: Backup, Restore and Data Retention

The contractor shall:
- Work with the Government to determine/adhere to the appropriate local and/or offsite backup requirements as well as data retention policy.
- Work with the Government to arrive at a mutually agreed upon backup solution to implement and deploy based upon cost, feasibility, and data recovery needs, if applicable.
- Perform twice a year restore ‘testing’, as requested by Government, to ensure backup data is usable.
- Perform data archiving and recovery per agreed to requirements from the Government at completion of Task 9, Subtask 1.

1.3.9.11 Task 9 Subtask 11: Transition to New CSP (Optional Task)

Should TRANSCOM decide to pursue an alternate CSP, the contractor shall maintain existing services in current CSO while transitioning all of USTRANSCOM’s applications and the entire environment to an equivalent implementation in the new CSO. During the transition, the contractor shall document all activities and procedures completed, and report any issues promptly to the COR and Lead Engineer. Other transition tasks include:
- Transition of VDSS/VDMS services
- Establish the account structures in the new provider comparable to the current implementation
- Implement current security and management policies to result in an environment comparable to the current environment from a functional and security perspective
- Once complete, de-provision/close out current environment and account structure

1.4 Deliverables

The contractor shall develop emails, staff packages, point papers, reports, inputs to weekly activity reports, and briefings in response to staff tasks or assigned duties. The contractor shall provide these products IAW the suspense assigned by the Government or through the Government staffing process.

All deliverables shall meet professional standards and meet the requirements set forth in contractual documentation. The contractor shall provide all deliverables electronically, and other than software, in Microsoft Office (Word, Excel, PowerPoint, Project, etc.) formats pursuant to the following schedule. The deliverables are not to be separately priced, but shall be included in the monthly price. All technical data and noncommercial software delivered under this task order are developed exclusively at the Government’s expense, and in accordance with Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.227-7013 and DFARS 252.227-7014, the Government has unlimited rights in these deliverables. For all other noncommercial data delivered under this task order, the Government has the right to use, modify, reproduce, release, display, or disclose, in whole or part, in any manner and for any purpose whatsoever, and to have or authorize others to do so.

1.4.1 Packaging, Packing and Shipping

The contractor shall provide all deliverables and other project related products, reports, etc., as an electronic file e-mail attachment whenever possible. The contractor shall generate all document deliverables using standard office automation software, i.e., standard Microsoft Office products. If the contractor determines that it would be more beneficial to use non-standard office automation software to generate any of the required deliverables, the contractor must notify and receive approval from the COR prior to generation of those deliverables. In the event deliverables cannot be delivered via e-mail, they shall be hand delivered on Compact Disc (CD). Multiple deliverables may be combined on a CD.

1. Annual: NLT 31 March for each period of performance1.3.3.9.3.4Quarterly NLT ten (10) business days prior to the end of each quarter1.3.3.9.4.2Current state and desired outcomes 2. Recommendation for quick wins and initials set of activities 3. Roadmap 4. ITSM architecture, which shall include the following: a. Environment architecture b. Performance expectations c. Integrations (interfaces with other tools) d. Hardware e. Database review f. Network review 5. Training materials as needed No later than six (6) weeks after the Government work area reopens Normally Monthly Cloud Report detailing No later than the 10th calendar day of each weekly; NLT all of the metrics requested in month the close of the Cloud task business on 1.3.10.4.1Wednesday of 1.Current state and desired No later than six (6) weeks after the outcomes Government work area reopens 2.Recommendation for quick wins and initials set of activities 3.Roadmap 4.ITSM architecture, which shall include the following: a. Environment architecture b. Performance expectations c. Integrations (interfaces with other tools) d. Hardware e. Database review f. Network review 5.Training materials as needed


1.3.10.1.2 ISSE Supporting Documentation:
- System Administration Cyber Security Training Brief (Fiscal Qtr 4)
- Unix Security Training Brief (Fiscal Qtr 2)
- FACCSM Training Briefing (Fiscal Qtr 4)
- TCP/IP Training Briefing (Fiscal Qtr 2)
- Secure Shell (SSH) Training Brief (Fiscal Qtr 1)
- Stunnel Training Brief (Fiscal Qtr 1)
- Host-Based Firewall Technologies for Linux/UNIX (Fiscal Qtr 1)
- USTRANSCOM Security Capabilities Overview (Fiscal Qtr 4)
- Educational Cyber Alert (Fiscal Qtr 1,2,3,4)
- Cyberspace Defense Handout (tri-fold) (Fiscal Qtr 4)
- Talking Papers (Fiscal Qtr 2)
Due: Quarterly NLT ten (10) business days prior to the end of each quarter

OPTIONAL. Cyber security support for USTRANSCOM Component Commands and Cyber Security Service Provider Subscribers summary of assessments or incident response activities performed

1.3.10.1.3 Security Risk Assessments
Due: IAW suspense assigned by the Govt

1.3.10.1.2 Metrics
Due: Monthly NLT 5 business days after the end of the month

1.3.10.1.3 Security Auditing, and Vulnerability Management Process/Procedure Documentation:
- USTRANSCOM Vulnerability Management SOP & Checklists (Fiscal Qtr 4)
- USTRANSCOM System Security Evaluation SOP & Checklists (Fiscal Qtr 4)
- Security Evaluation Process
Due: Quarterly NLT ten (10) business days prior to the end of each quarter

2 Service Delivery Summary (SDS)

The Services Delivery Summary (SDS) represents the most important contract objectives that, when met, will ensure contract performance is satisfactory by measuring Timeliness, Compliance, Accuracy, Availability and tracking of Security Incidents. Although not all PWS requirements are listed in the SDS, the contractor is fully expected to comply with all requirements in the PWS.

PWS Para | Performance Objective | Performance Threshold
1.3.1.5 | Trip Reports (Compliance) | 95% of the time Trip Reports are received within five (5) business days after completion of travel and contains all details related to the trip and information on the traveler
1.3.1.6 | Meeting/Conference Minutes (Accuracy) | 95% of the time minutes are provided within two (2) business days upon request by the Government and contain all results and impacts of the meeting/conference
1.3.2 | Ticket Resolution (Timeliness) | 95% of the time tickets are resolved IAW paragraph 1.6
1.3.2 | Ticket Assignment (Accuracy) | 95% of the time tickets are assigned appropriately IAW paragraph 1.6
1.3.2 | Ticket Proactive Notification (Accuracy) | 95% of the time proactive notifications are provided IAW paragraph 1.6
1.3.2 | Ticket Missed Resolution (Accuracy) | 95% of the time missed resolutions are escalated IAW paragraph 1.6
1.3.2 | Ticket Escalation (Accuracy) | 95% of the time tickets are escalated appropriately IAW paragraph 1.6
1.3.2 | Ticket Notification (Timeliness) | 95% of the time the Government is properly notified IAW paragraph 1.6
1.3.2 | On-call Support (Availability) | IT Ops Center is able to contact the on-call technician nine (9) of every ten (10) attempts made outside of normal duty hours
1.3.2 | Process and Procedure Documentation (Compliance) | 95% of the time, documentation accurately reflects current operational processes and procedures; tool and system references; organizational references and contact information; and policy references.
1.3.2 | Process and Procedure Documentation (Compliance) | No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor.
1.3.2 | Unplanned Outage Notification (Availability) | 100% of the time, provide notification to the IT Ops Center for unplanned outages within 15 minutes of detection.
1.3.2 | On-Call Response Time (Availability) | 95% of the time, on call personnel will begin work within two (2) hours of contact
1.3.2.1 | Service Desk Performance Metrics Report (Accuracy) | 95% of the time, reports accurately reflects status.
1.3.2.1.2 | Account issuance and password resets (Timeliness) | 95% of the time issued within one (1) business day.
1.3.2.1.2.1 | First contact resolution by the Service Desk (Timeliness) | 68% of the time, technicians will resolve issues at first notification (phones, email, chat, etc.)
1.3.2.3.3 | Known error records updates (Accuracy) | 98% of the time updates will be accurate and on-time
1.3.2.4.4.2 | Hardware and Software Problem Response (Availability) | During on-site hours: within 15 minutes of initial report during on-site hours. After duty hours on an on-call basis with a 2-hour response time
1.3.2.4.6.2.1 | Workstation Transport to Customers (Timeliness) | On-site: 1 business day. Off-base within the local area: 2 business days
1.3.2.4.7 | Key IT Staff Support (Timeliness) | On-call periods shall be no more than two (2) hours to begin work on-site
1.3.2.5.1.3 | Availability Rate (Availability) | 99.75% annualized availability rate.
1.3.2.5.1.3 | Provide Technical Solutions and Costing (TS&C) to requests (Timeliness) | 90% of the time TS&C is provided within three (3) business days of request
1.3.2.5.1.3 | Trouble Ticket Response (Timeliness) | 95% of the time response is received within 15 minutes of initial problem notification during normal duty hours and within two (2) hours if on-site response is required during non-duty hours
1.3.2.6.1.1 | On-site AV support for TCCC, TCDC, and TCCS (Availability) | 100% of the time support is provided on-site for TCCC, TCDC, and TCCS attended briefing events.
1.3.2.6.1.2 | On-site VTC support for TCCC, TCDC, and TCCS (Availability) | 100% of the time support is provided on-site for TCCC, TCDC, and TCCS attended briefing events.
1.3.2.6.1.2 | Response and on-site correction of system failures (Availability) | Respond within 30 minutes of notification and provide hourly updates until an agreed upon plan to restore is identified
1.3.2.6.1.4 | CRO Duties (Compliance) | 100% of the time COMSEC materials are properly accounted and controlled in accordance with established policies
1.3.2.6.2.1 | AV Operator level instructions (Accuracy) | 95% of the time instructions are published within 20 business days of any changes or upgrades and are 100% error free
1.3.2.6.2.1 | Preventative maintenance as prescribed by the equipment manufacturer (Compliance) | 98% of the time preventative maintenance is accomplished in accordance with the manufacturer’s instructions.
1.3.2.6.2.1 | Successful install and programming of AV/VTC equipment (Compliance) | 95% of the time installs are completed as scheduled and are 100% error free
1.3.3.9.3.1 | Accurate and timely configuration of test environment resources as required by test plans and customer requirement (Accuracy and Timeliness) | No more than 3 total days delay per month to all customer test activities attributable to improper or late configuration of test environments. All improper test configurations identified and corrected within one (1) workday
1.3.4.4 | Negative Impacts to Operational Status (Timeliness) | 95% of the time the Government is notified within one (1) hour of any negative impacts to operational status
1.3.4.5 | Outage/Restoral Messages (Accuracy) | 95% of the time the IT Operations Management is notified within one (1) hour of awareness of outage/restoral
1.3.5.1.1, 1.3.5.1.2 | Security Operations (Security Incidents) | 100% of the time, no successful intrusions into the networks under the contractor’s control due to negligence or deviation from established procedures in performing actions specified by this task.
1.3.5.1.1, 1.3.5.1.2 | Software and Operating System Versions (Compliance) | 100% of the time security mechanisms are running supported software versions and are up to date on security vulnerability patches with any exceptions approved by government in writing
1.3.5.1.1, 1.3.5.1.2 | Uptime for Cyber/Information Security Infrastructure Mechanisms (Compliance) | 99.9% availability must be maintained for all cyber security defense, and intrusion detection monitoring and incident management services (e.g. firewall protection service for a specific area of coverage must be operational 99.9% of the time)
1.3.5.1.1, 1.3.5.1.2, 1.3.5.1.4 | Unplanned Outage Notification (Timeliness) | 100% of the time, provide notification to the CyOC for unplanned outages within 15 minutes of detection.
1.3.5.1.1, 1.3.5.1.3, 1.3.5.1.4 | On-call Support (Availability) | USTRANSCOM Cyber Operations Center (CyOC) is able to contact the on-call technician nine (9) of every ten (10) attempts made outside of normal duty hours
1.3.5.1.1, 1.3.5.1.4 | On-call Response Time (Availability) | 100% of the time, on call personnel will begin work within one (1) hour of contact
1.3.5.1.2 | Incident Detection (Compliance) | 99% of the time, detect all incidents and events identified within available audit logs or by network sensors in the networks under their control.
1.3.5.1.2 | Incident Response (Timeliness) | 95% of the time, review all incidents flagged by monitors within 30 minutes of detection.
1.3.5.1.4 | COMSEC Equipment Accountability (Compliance) | 100% accountability for USTRANSCOM Controlled Cryptographic Items (CCI)
1.3.5.1.4 | COMSEC Practice Dangerous to Security (PDS) Notification (Compliance) | 100% of the time, provide notification to the Government of any COMSEC PDS within 1 hour of detection
1.3.5.1.4 | COMSEC Training (Compliance) | 100% training accomplished for all CROs/SVROs
1.3.5.2 | Process and Procedure Documentation (Compliance) | 95% of the time, documentation accurately reflects current operational processes and procedures; tool and system references; organizational references and contact information; and policy references.
1.3.5.2 | Process and Procedure Documentation (Compliance) | No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor.
1.3.5.2 | Reporting Accuracy and Timeliness: Prepare written products (letters, plans, vulnerability/scanning reports, briefings, presentations, schedules, and other documentation) in an accurate and timely manner. (Accuracy and Timeliness) | No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor. All draft material provided at least 2 working days prior to meetings or review boards. Final, security reviewed copies of all briefings/presentations provided at least 1 working day prior to presentation
1.3.5.2 | Security Assessments of USTRANSCOM (Compliance) | 100% of the time, satisfactory ratings are achieved during assessments of USTRANSCOM security on all activities defined within this task
1.3.5.2.1 | Accurate and timely security assessments, in prescribed format, in accordance with the engineering principles outlined in NIST SP 800-27 and requirements of the DoD RMF (Security Incidents and Compliance) | Content: No more than 1 deviation per month from established principles and directives. 100% of assessments will address all required elements and consider security functionality from existing DoD and USTRANSCOM layered architectures. Format: No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor
1.3.5.2.1.1 Optional | Security Support for TCCs and Cyber Security Service Provider Subscribers (Compliance) | 100% of the time, for incident response, contractor FTE is on site within 24 hours of notification. Assessments/incident response activities accomplished in accordance with DoD directives and standard accepted practices of security engineering
1.3.5.2.2 | Accurate and timely configuration of vulnerability management and scanning environment resources as required by vulnerability management plan and government requirement (Timeliness) | No more than 3 total days delay per month to all vulnerability management activities attributable to improper or late configuration of environments. All improper configurations identified and corrected within 1 workday
1.3.5.2.2 | Effective operation and system administration of scanning and vulnerability management systems (Availability) | Timeliness: No more than 12 hours of unplanned network downtime per month due to negligence or deviation from established procedures in performing actions specified by this task (not to include downtime awaiting replacement parts). No more than one minor non-recoverable data loss per year. System availability will be 98% or better.
1.3.5.2.2 | Security Operations (Security Incidents) | 100% of the time, no successful intrusions into the networks under the contractor’s control due to negligence or deviation from established procedures in performing actions specified by this task.
1.3.5.2.2 | Software and Operating System Versions (Compliance) | 100% of the time security mechanisms are running supported software versions and are up to date on security vulnerability patches with any exceptions approved by government in writing
1.3.5.2.2 | Unplanned Outage Notification (Timeliness) | 100% of the time, provide notification to the CyOC for unplanned outages within 15 minutes of detection.
1.3.5.2.3 | DoD PPSM (Timeliness) | 98% of the time, required USTRANSCOM DoD PPSM actions are accomplished by the suspense date established by the government; 100% of PPSM actions completed in accordance with DoD policy
1.3.5.2.3 | eMASS Entries (Accuracy and Timeliness) | 98% of the time, eMASS entries are accurate and complete.
1.3.5.2.4 | Accurate and timely production of materials required to obtain AO approval of SIPRNET burn documentation (Accuracy and Timeliness) | No more than 1 late document per quarter and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor. All documentation submitted in accordance with timelines established by AF AO for approvals
1.3.5.2.5 | Accurate and timely production of materials required to assess software security posture of USTRANSCOM applications and software. (Accuracy and Timeliness) | Content: No more than 1 deviation per month from established principles of secure software engineering. Format: No more than 1 late document per quarter and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor. All documentation submitted in accordance with timelines established by USTRANSCOM authorizing official (AO) for approvals
1.3.6.3 | Technical and application support to configure primary and secondary services supporting Web shop managed portals (both development and production); for classified and unclassified networks; for public and private domains. (Availability) | The contractor shall ensure 96% availability.
4.4 | Provide timely cyber-incident reporting. | No more than one late cyber-incident report or unreported cyber-incident in a twelve (12) month period.
1.3.3.9.4.2.3 | ITSM Architecture: ITSM roadmap defined and documented, key architecture and implementation plan/configuration guide, and roles and responsibilities of key stakeholders | No later than six (6) weeks after the Government work area reopens

2.1 Incident Priority and Escalation Matrix

The incident priority matrix is the basis to classify incidents and is determined by an assessment of urgency and impact of an issue.

Impact:
1. Command-Wide: Affects majority of users across command.
2. Multiple Users in one location: Affects multiple users in one building (e.g., Bldg 1900 East, Bldg 1900 West, 1961, 1990, etc.).
3. Single Group/Team: Affects a team of any size that provides a unique/functional capability.
4. Individual: Affects a single user.

Urgency:
1. Work stoppage: Incident creating a work stoppage that cannot be mitigated.
2. Work degradation: Incident creating work degradation where core work can still be accomplished, either with a workaround or with additional effort.
3. Work not affected: Incident where enhanced features or capability not operable, but core work can be accomplished.

Incident Priority Matrix

URGENCY \ IMPACT | 1 - Command-Wide | 2 - Multiple users in one location | 3 - Single Group/Team | 4 - Individual
1 - Work Stoppage | 1 - Critical / Major | 1 - Critical / Major | 2 - High | 3 - Medium
2 - Work Degraded | 1 - Critical / Major | 2 - High | 3 - Medium | 4 - Low
3 - Work not affected | 3 - Medium | 3 - Medium | 4 - Low | 4 - Low

Note: VIP individuals automatically get one higher level of priority.

The following incident response/escalation matrix identifies the time-frames and actions required to take for an incident based on its priority:

Incident Response Matrix

Severity | Target Time to Engage & Assign | Target Time to Document (From Assignment) | Target Time to Escalate | Target Time to Resolve | Notification Level
1 – Critical / Major | 10 min | 10 min | 15 mins | 2 hours | TCJ6
2 - High | 1 hour | 30 min | 30 mins | 4 hours | TCJ6-O
3 - Medium | 2 hours | 1 hour | 4 hours | 1 business day | Auto system notification
4 - Low | 4 hours | 1 hour | 6 hours | 2 business days | Auto system notification


3 GOVERNMENT WORKSTATIONS AND EQUIPMENT

The Government will provide an office environment and the following resources to the contractor for performance of this contract. The Government will provide sufficient workspace at a Government facility for the contractor in support of this requirement. The Government will provide standard office equipment (telephone, computer, software, base network access, etc.) for official use only during contract performance. The use of additional contractor requested office space, for exclusive use in performing this contract, shall be evaluated on an “as needed” basis and may be approved at the discretion of USTRANSCOM. The Government will provide the contractor access to the base motor pool, on an “as needed” basis to perform tasks associated with this PWS. The Government will provide no Government Furnished Equipment (GFE) at off-site contractor locations for use within the performance of this contract, except that the Government may provide Government NIPR laptop computers with VPN capability for approved telework to contractors. This telework may include: JOSAC services (Task 8).

4 GENERAL INFORMATION

4.1 Place of Performance

The contractor shall perform services on-site at Scott AFB, IL, and other locations: other designated location, USTRANSCOM Office, Washington D.C.; JECC, Norfolk, VA; and the Pentagon. NOTE: Trips other designated location in performance of this PWS are considered local travel. Normal duty hours are 0730–1630, Monday-Friday, excluding Government holidays, unless otherwise specified within the task areas. These hours are subject to change due to support for increased operational tempo outside the normal workday. Unless otherwise specified in this PWS, after-hours response to on-site calls will be within two hours from time of notification.

4.2 Period of Performance

Period of Performance for the Base Period is 1 October 2021 through 30 September 2022.
Period of Performance for the First Option Period is 1 October 2022 through 30 September 2023.
Period of Performance for the Second Option Period is 1 October 2023 through 30 September 2024.
Period of Performance for the Third Option Period is 1 October 2024 through 30 September 2025.
Period of Performance for the Fourth Option Period is 1 October 2025 through 30 September 2026.

4.3 Travel

Performance under this contract may require contractor travel within and outside the Continental United States. The Government will reimburse the contractor for travel expenses subject to the Federal Acquisition Regulation (FAR) and the Joint Travel Regulation (JTR). All contractor travel shall be coordinated with and validated by the primary or alternate COR prior to incurring any travel expenses. The contractor shall identify personnel who will be traveling in sufficient time to obtain the lowest possible rates for airfare, rental car, and lodging. For long distance travel, a minimum of five (5) business days’ advance notice from the travel commencement date is required. The travel request shall be in writing and contain the dates, location, and estimated travel costs. Contractor invoices (along with associated receipts) shall support all travel reimbursement requests. The contractor shall report actual travel costs IAW paragraph 1.3.1.5.

| Task | Number of Trips | Number of Days | Number of People |
|---|---|---|---|
| 1.3.2.4.1 Task 2 Subtask 4.1: Systems Administration Support | 4 | 1-3 | 1-2 |
| 1.3.2.4.7.1 Task 2 Subtask 4.7.1: USTRANSCOM KITSS | 4 | 1-2 | 1 |
| 1.3.2.5 Task 2 Subtask 5: Network Infrastructure Management | 6-8 | 1-2 | 1-2 |
| 1.3.3.3.1.4 Task 3 Subtask 3.1.4: Change Control | 1 | 1-3 | 1 |
| 1.3.3.3.1.5 Task 3 Subtask 3.1.5: Configuration Control Board (CCB) | 1 | 1-3 | 1 |
| 1.3.3.3.2 Task 3 Subtask 3.2: Application Management | 1 | 1-3 | 1 |
| 1.3.3.9.4.2.2 Customer Service Monitoring (CSM) and Business Activity Monitoring (BAM) Support | 3 | 1-5 | 1 |
| 1.3.4 Task 4: Exercise and Contingency Operations Support | 20 | 1-5 | 1-2 |
| 1.3.5.1 Task 5 Subtask 1: Security Operations Management Support | 17 | 1-5 | 1-2 |
| 1.3.5.2 Task 5 Subtask 2: Risk Management | 6 | 1-5 | 1-2 |
| 1.3.5.2.1.1 Task 5 Subtask 2: Cyber security support for USTRANSCOM Component Commands and Cyber Security Service Provider Subscribers (Optional) | 10 | 1-5 | 1-2 |
| 1.3.6 Task 6: Web Applications and Support | 2 | 1-5 | 1-2 |
| 1.3.6.4.1 Task 6 Subtask 4.1: Deposition/Court Proceeding Support | 1 | 1-5 | 1 |

4.4 Other Direct Costs (ODCs)

The Government will reimburse allowable ODCs incurred in the performance of this contract. ODCs include software, group teleconferencing fees, and membership/conference fees. The primary or alternate COR will approve all ODCs prior to incurring any expenses. The contractor shall submit ODC requests in writing to the COR at least five (5) business days in advance of incurring any expenses. The request shall contain estimated costs. The contractor shall submit a minimum of three (3) competitive quotes to support the price quote submitted for expenditures in support of the program. Contractor invoices (along with associated receipts) shall support all ODC reimbursement requests. In no event shall the contractor be authorized to purchase ODCs that exceed the ODC amount funded in the contract.

4.4.1 Management/Acquisition of 3rd Party Software Licenses

Software licenses shall be transferable to the Government and shall not conflict with Federal law. Prior to purchase, the licenses shall be submitted to the Contracting Officer (CO) and Contracting Officer's Representative (COR) for review. If the CO determines provisions are inconsistent with Federal law and regulation, the contractor shall negotiate changes with the software vendor at no additional cost to the Government. After the CO's review of the license provisions, price quotes for software and licenses shall be submitted to the CO and COR for review prior to purchase. If the contractor is unable to negotiate changes that are acceptable to the Government, the CO and COR shall be notified immediately. Contractor shall obtain the CO's concurrence prior to proceeding with any software and licenses procurement.

Licenses or Terms and Agreements for third party software acquired on behalf of the Government shall not include the following:
• Indemnification - IAW 13 USC §1341 - Government cannot indemnify vendor; all indemnification language shall be removed.
• Patent & Copyright Infringement Litigation - 28 USC § 516 - Only the Department of Justice (DOJ) has authority to control any Intellectual Property litigation on behalf of the Government; any contradictory language shall be removed.
• Disputes, Venue & Jurisdiction - IAW 41 USC §71 - The Contracts Disputes Act places venue in Federal Court; licenses shall not have jurisdiction and venue in State Court.
• Binding Arbitration - FAR 33.214(g) - Shall not agree to binding arbitration.
• Automatic Renewal - 31 USC §1341 - No automatic renewal language is acceptable, as it poses a potential Anti-Deficiency Act (ADA) violation.
• Payment, NET 30 days - 31 USC §3903 - Payments are subject to the Prompt Payment Act; NET 30 payment shall not be guaranteed.
• Order of Precedence - FAR 52.212-4(s) shall be the "official" order of precedence rather than one submitted by the licensor.
• Audit Clause - Shall be replaced with "upon conclusion of the license and upon written request of the licensor, the government will provide a certificate of compliance duly executed by an official with authority to provide such certification."
• Warranty - IAW FAR 52.212-4(o) - The software shall be warrantied for a minimum period of 180 days.
• Termination Rights - IAW FAR 52.212-4(l) & (m) - There shall be no unilateral termination by the licensor.
• Installation and other restrictions - There shall be no click licenses and contractor shall be certain license agreement comports with mission requirements.
• Third Party Software - Embedded software shall be identified and checked for legal sufficiency.
• Taxes - IAW FAR 52.212-4(k) - Any applicable taxes shall be included in the licensor's price.

4.5 Key Personnel

The following positions, at a minimum, shall be designated as Key Personnel. The Government does not intend to dictate the exact composition of the ideal team, but instead, encourages the contractor to identify a group of Key Personnel who work together well to ensure that the tasks are carried out effectively and efficiently. The contractor shall propose appropriate labor categories for these positions.
• Program Manager
• Service Desk Lead
• Server Operation and Maintenance (O&M) Lead
• Network Infrastructure Management Lead
• Security Operations Management Support Lead
• Risk Management Support Lead
• Web Application and Support Lead

The contractor shall notify the COR in writing of any changes to personnel IAW paragraph 1.3.1.8 Task 1 Subtask 8: Personnel Status Report.

4.5.1 Program Manager

Reference Task 1: Contract Level and Contract Management. The Contractor shall identify a Program Manager to serve as the Government’s POC and to provide technical and administrative supervision and guidance for all contractor personnel assigned to the contract, supervise ongoing technical efforts, and manage contract performance. The Program Manager must be an employee of the prime contractor. The name of the Program Manager and alternate(s), who shall act for the contractor when the Program Manager is absent, shall be designated in writing to the CO within three (3) business days after contract start. The contractor shall notify the CO in writing of any changes to the Program Manager or alternate(s) within three (3) business days after the information is known.
Program Manager responsibilities include, but are not limited to, interfacing with Government management personnel, staffing of all tasks, formulating and enforcing work standards, assigning schedules, reviewing work discrepancies, and communicating policies, purposes, and goals of the organization to subordinates.

It is required that the Program Manager have the following qualifications and demonstrated experience:
• At a minimum possess applicable intermediate ITIL certification (e.g., Service Operations, Service Transition, Service Agreement and Offering (SOA))
• Proven expertise in the management and control of complex information systems architectures involving multiple disparate database, network, and communications subsystems
• Proven skills in manpower utilization, procurement, training, problem resolution, and employee relations
• Experience in the management of cost, performance, and schedules on contracts

It is desired that the Program Manager have the following qualifications and demonstrated experience:
• Currently possess and maintain Project Management Professional (PMP) certification
• Experience providing technical innovations for a large-scale organization, such as the military or other large Government organization
• Possess excellent written and verbal communication skills, and have experience in presenting material to senior DoD and non-DoD officials
• C4 experience in a military headquarters or command center environment

4.5.2 Service Desk Lead

Reference Task 2 Subtask 1: IT Operations Management and Service Desk. The Service Desk Lead is responsible for managing a top-notch service desk in support of HQ USTRANSCOM. The Service Desk Lead shall prepare reports on incident status and performance of request fulfillment.
It is required that the Service Desk Lead have the following qualifications and demonstrated experience:
• Minimum of three (3) years of experience managing a Service Desk tool suite for a large enterprise network
• Working knowledge in all aspects of automation, telecommunications, and IT networks
• Excellent troubleshooting and problem solving skills
• Good communication skills: be able to communicate with ease in front of large audiences of senior IT and communications personnel

It is desired that the Service Desk Lead have the following qualifications and demonstrated experience:
• Desired Service Desk Manager Certification, e.g., Service Desk Institute (SDI) Service Desk Manager, Help Desk Institute (HDI) Support Center Team Lead
• Minimum of three (3) years of experience with Service Operations and IT Service Management
• Preferred a minimum of ten (10) years of experience in Information Technology

4.5.3 Server Operation and Maintenance (O&M) Lead

Reference Task 2 Subtask 4: Enterprise Network Service Support. The Contractor shall provide a Server Operation and Maintenance Lead who is responsible for systems administration, operations, maintenance, and support for all USTRANSCOM networks. O&M shall include servers (physical and virtual), firmware, operating systems, software applications, SANs, and computer security compliance. A robust server maintenance capability ensures that key and supporting services provided to the end user are reliable and available.

It is required that the Task Lead for Server Operation and Maintenance have the following qualifications and demonstrated experience:
• Demonstrated experience providing overall enterprise-level network system administration, planning, and management
• High degree of technical expertise with systems, servers, protocols, Windows/PC based client/server workstations and Server Administration.
• Technical Level II certification per DoD 8570.01-M
• Experience designing, managing, monitoring, and optimizing geographically dispersed networked systems
• Experience performing Operations & Maintenance and installing upgrades

It is desired that the Task Lead for Server Operation and Maintenance have the following qualifications and demonstrated experience:
• Experience supervising system administrators
• Experience with leading projects and Project management skills
• Developing, implementing, and documenting network systems
• Experience and/or working knowledge with the following:
    • VMware ESXi and View
    • MS Windows Server, Active Directory, Outlook, System Center Configuration Manager (SCCM), and System Center Operations Manager (SCOM)

4.5.4 Network Infrastructure Management Lead

Reference Task 2 Subtask 5: Network Infrastructure Management. The contractor shall provide a Network Infrastructure Management Lead who will provide expertise in areas of local area and wide area IP-based networks (LAN and WAN). He/she will provide advanced technical analyses of automation challenges and problems; develop/identify technical solutions responsive to the needs of the Command; ensure information exchange and prevent duplication of effort; recommend and provide procedures, policies, and technical solutions to HQ USTRANSCOM C4S challenges. He/she will participate in the planning and execution of network installations and hardware upgrades and provide a technical point of contact for all matters related to the contractor’s C4S efforts.
It is required that the Network Infrastructure Management Lead have the following qualifications and demonstrated experience:
• (OPTIONAL) Technical Level II certification per DoD 8570.01-M
• Have extensive experience managing operational networks in diverse environments
• Experience managing gateways and Domain Name Services (DNS)

It is desired that the Network Infrastructure Management Lead have the following qualifications and demonstrated experience:
• Have experience using Network analysis tools (CISCO Network Configuration Manager, CISCO Network Analysis Modules)
• LAN troubleshooting/problem determination skills (Ethernet, Hot Standby Router Protocol (HSRP), Enhanced Interior Gateway Routing Protocol (EIGRP), Border Gateway Protocol (BGP))
• CISCO firewall/Virtual Private Network (VPN) equipment, Adaptive Security Appliance, CISCO Aggregation Service Routers (ASR), and Virtual Switching Systems (VSS)
• IP services, e.g., IP, Multicast, Quality of Service (QOS), and Simple Network Management Protocol (SNMP)

4.5.5 Security Operations Management Support Lead

Reference Task 5 Subtask 1: Security Operations Management Support. The Security Operations Management Support Lead shall be the contractor lead to the Government for Security Operations Management.

The minimum skills and experience/working knowledge required are as follows:
• Technical Level IIIII certification per DoD 8570.01-M
• Have a minimum of seven (7) years of IA/cyber security experience, with at least four (4) of those involving application of DoD policy, direction, and guidance to customer environments
• NIST and DoD security policies, directives, and guidelines
• Host Based Security System (HBSS) operations and monitoring
• Network/system architecture design and implementation
• Network architecture and design (e.g., security stack and integration with office automation products and services to include production, test, development, and demilitarized zone (DMZ) enclaves).
• Auditing (e.g., system accounts, security logs, system and network anomalies)
• Security Metrics – capture & documentation

It is desired that the Security Operations Management Support Team Lead have the following skills and experience/working knowledge:
• Current Microsoft server and workstation operating system (OS) security configurations
• Current Red Hat Linux Enterprise OS security configurations
• Current Unix OS security configurations
• Current Microsoft server security
• VMware functionality and security
• Database functionality and security (e.g., Oracle, MS SQL)
• Border device security (e.g., firewall, VLANs, IP Subnetting, Ports and protocols)
• Encryption standards
• Technical writing – technical documents and user training materials

4.5.6 Risk Management Support Lead

Reference Task 5 Subtask 2: Risk Management.
The minimum skills and experience/working knowledge required are as follows:
• Technical Level III and Management Level II certification per DoD 8570.01-M
• Minimum of seven (7) years of IA/cyber security experience, with at least four (4) of those involving application of DoD policy, direction, and guidance to customer environments
• At a minimum possess applicable intermediate ITIL certification (e.g., Service Operations, Service Design, Planning, Protection and Optimization (PPO), Release, Control and Validation (RCV))
• NIST and DoD security policies, directives, and guidelines
• Network/system architecture design and implementation
• Vulnerability scanning, e.g., Retina and Nessus
• Network architecture and design (e.g., security stack and integration with office automation products and services to include production, test, development, and DMZ enclaves)

It is desired that the Risk Management Support Task Lead have the following skills and experience/working knowledge:
• Current Microsoft server and workstation OS security configurations
• Current Red Hat Linux Enterprise OS security configurations
• Current Unix OS security configurations
• Current Microsoft server and desktop application security
• Current Microsoft Windows Group Policy Object (GPO) security configurations
• VMware functionality and security
• Database functionality and security, e.g., Oracle, MS SQL, MS Access
• Border device security, e.g., firewall, VLANs, IP Subnetting, Ports and protocols
• Encryption standards
• Application code scanning with Fortify or other government furnished systems
• Metrics capture & documentation
• Technical writing, to include technical documents and user training materials

4.5.7 Web Application and Support Lead

Reference Task 6: Web Applications and Support. The Web Application and Support Lead is responsible for ensuring system availability and reliability for all SQL, Web, network monitoring, and portal servers supporting USTRANSCOM locations. Systems to be maintained are on SIPRNet and NIPRNet networks. The Web Application and Support Lead prepares reports on status, outage, and performance of current systems and provides impact assessments of new systems.
The Web Application and Support Lead will be responsible for managing portal administrators, graphics designer, content management personnel, system administrators, Web developers, and database developers/architects.

It is required that the Web Application and Support Lead should be able to demonstrate experience with the following:
• Experience leading a team
• At a minimum possess ITIL Foundations certification
• Broad understanding of information technology principles, concepts, and techniques including software languages, design concepts, test methods, and integration practices
• Extensive knowledge, experience and planning skills in the area of system integration testing, Web application development and networks, such as those described in this PWS.
• Ability to analyze requirements and ensure the capture of business processes
• Experience with software test and evaluation plans
• Experience providing support gathering, documenting, testing, and deploying of Web content
• Highly experienced using Cold Fusion, C#, JavaScript, ASP, and .NET program languages
• Superior knowledge of current web-design trends and techniques, a strong online portfolio displaying user-centered design, and experience with Web database solutions are definite assets

It is desired that the Web Application and Support Lead should be able to demonstrate experience with the following:
• Excellent written and verbal communication skills that effectively and clearly present technical approaches and findings to customers, senior DoD, and non-DoD officials
• Systems architecture development
• Design and implement COOP program with alternate site
• Collaborate with and assist in the development of security fixes with security engineers and development teams
• Knowledgeable on Web policies stated in OSD Web Site Administration, DoD Instruction 5230.29, DoD Directives 5230.9 and 5200.40
• Responsible for implementing security and access controls
• Ability to develop, implement, and maintain web-based application systems
• Experience in developing, testing, and implementing Web parts for the portal
• Knowledge of JavaScript, Cascading Style Sheets (CSS), Hypertext Preprocessor (PHP) and dynamic Hypertext Markup Language (HTML); experience with .NET and team foundation
• Understand and develop reports using SQL
• Ability to complete a comprehensive, multi-disciplinary security assessment addressing both content and technical issues at least annually on all portal/web/SQL servers
• SharePoint experience, including architecture, installation, configuration, Web parts, and best practices
• Understanding of virtual environments with knowledge of clustering

4.6 Contractor Furnished Equipment and Services

Except for those items or services specifically stated in paragraph 2, the contractor shall furnish everything needed to perform this contract. For those tasks to be performed off-site at the contractor’s facilities, the contractor shall provide all necessary office furnishings and equipment.

4.7 Contractor Employee Qualifications/Certifications

The contractor shall ensure that all personnel employed to perform services under this contract are qualified, trained, certified, and licensed, in accordance with applicable laws and regulations. A file containing the qualifications and certifications of each employee shall be maintained by the contractor and made available to the Government for review, upon request.

4.8 Quality Assurance

The contractor shall support Government agency reviews and audits of all services and support provided under this contract. The contractor shall be prepared to support Quality Assurance reviews conducted by the Government. The Government reserves the right to authorize an independent verification and validation of the contractor’s procedures, methods, data, equipment, and other services provided at any time during the performance of the contract.

4.9 Requirements Affecting Contractor Personnel Performing Mission Essential Services

This applies to personnel supporting Task Area 2 (Subtasks 1, 2, 4, 5, 6), 3 (Subtasks 3.3, 9.4), 4, 5 (Subtask 1), and 6 only and only during contingencies/emergencies/exercises. The CO has identified all or a portion of the services performed under this contract as “Emergency-Essential” as defined and described in DoD Instruction (DoDI) 1100.22, “Policy and Procedures for Determining Workforce Mix.” Hereafter, the personnel identified by the contractor to perform these services shall be referred to as “Mission Essential Contractor Personnel.” Within twenty (20) business days after contract start, the contractor shall provide a written list of all “Mission Essential Contractor Personnel” to the Contracting Officer or designee. The list shall identify individual employee names and their work locations under this contract.
The CO, as required to comply with or perform pursuant to DoD requirements, shall direct the contractor to comply with requirements intended to safeguard the safety and health of Mission Essential Contractor Personnel. The CO may communicate the requirements through a letter of notification or other means, and subsequently modify the contract to incorporate the requirements.

4.10 Non-Disclosure Agreement (NDA) for Contractor Employees

Due to the sensitive nature of the data and information being worked with on a daily basis, completion of non-disclosure statements will be required by contractor personnel to ensure information that is considered sensitive or proprietary is not compromised. All contractor personnel will be required to sign an NDA. The Government will retain these documents. See Appendix 3, Non-Disclosure Agreement. The contractor may also be required to sign a non-disclosure agreement in accordance with DFARS 227.7103-7 if access is required to technical data or computer software that was delivered to the Government with restrictions as described in DFARS 227.7103-7. Before obtaining access to another contractor’s proprietary information, in accordance with FAR 9.505-4, the contractor must agree with the other company to protect the information, complete necessary agreements, and furnish such agreements to the Contracting Officer.

5 CYBER SECURITY

5.1 Handling of Non-Public Information

In performance of this contract, the contractor may have access to Covered Defense Information. The contractor agrees (a) to use and protect such information from unauthorized disclosure IAW DoD Instruction 8582.01: Security of Unclassified DoD Information on Non-DoD Information Systems; (b) to use and disclose such information only for the purpose of performing this contract and to not use or disclose such information for any personal or commercial purpose; (c) to comply with other current Federal and DoD information protection and reporting requirements for specified categories of information (e.g., medical, proprietary, critical program information (CPI), personally identifiable information, export controlled); (d) to obtain permission of the Government Requiring Activity before disclosing/discussing such information with a third party; (e) to return and/or electronically purge, upon Government request, any DoD information no longer required for contractor performance; and (f) to advise the Contracting Officer (CO) and/or Contracting Officer’s Representative (COR) of any unauthorized release of such information.

5.2 Periodic Government Inspections

The contractor (and its subcontractors) shall authorize Government inspections and reviews of its unclassified IT environment where DoD information is resident or transiting to assure compliance with DoD cyber security requirements throughout the contract performance period. The contractor shall be responsible for taking corrective action based upon the impact and severity of identified weaknesses. The Government will limit inspections to a maximum of one per year. The contractor shall allow follow-on visits, if requested, to confirm resolution of any significant weaknesses identified during the inspections.

5.3 Remote Access

Contractor Furnished Equipment (CFE) employed for remote access to a Government network must meet or exceed equivalent Government Furnished Equipment (GFE) cyber security computing requirements. The contractor shall ensure that all CFE (hardware and software) employed to access these environments meet the following minimum Government cyber security requirements and provide periodic certification of compliance as a pre-requisite to being granted network access.

(a) Use of personally owned systems is prohibited;
(b) Operating systems and applications must be configured for compliance with the applicable Security Technical Implementation Guides (STIGs);
(c) DoD approved anti-virus and anti-spyware software must be installed and signatures must be configured to automatically update on a daily basis;
(d) DoD approved host-level firewall must be utilized and configured to permit traffic by exception only, dropping all other traffic. If the host-level firewall provides intrusion detection or prevention, the signatures or rules must be updated at the same intervals as the anti-virus software.
(e) Computers must be Information Assurance Vulnerability Management (IAVM) compliant;
(f) Computers must be scanned with the currently approved DoD scanner solution at a minimum of every 30 days. All vulnerabilities must be remediated and reported to the cognizant Information System Security Manager;
(g) Contractor employees must possess a current Government issued Common Access Card (CAC) and install Government certified CAC readers; and
(h) Verification of compliance with these requirements must be provided to an appointed government representative on a monthly basis.

5.4 Incident Handling

5.4.1. Operationally Critical Support

The services designated under this contract are “operationally critical support” as defined in DFARS 252.204-7012.

5.4.2. Cybersecurity Incident Reporting

5.4.2.1. In addition to the DFARS 252.204-7012 reporting requirements for unclassified systems and DoD Manual (DoDM) 5220.22, National Industrial Security Program Operating Manual (NISPOM) for classified systems, reportable cyber-incidents include, but are not limited to, the following:

5.4.2.1.1. Unauthorized data exfiltration, manipulation or disclosure of any DoD information resident on or transiting the contractor's (or its subcontractors') unclassified or classified information systems or networks.

5.4.2.1.2. Unauthorized access to the contractor’s (or its subcontractors’) unclassified or classified information system(s) or networks(s) on which DoD information is resident or transiting.

5.4.2.1.3. Cyber-incidents as listed in the MITRE ATT&CK Framework available at https://attack.mitre.org/, incorporated herein by reference, which affect network or information systems where DoD information is resident or transiting.

5.4.2.1.4. Notifications by a federal, state, or local law enforcement agency or cyber-center (i.e., National Cyber Investigative Joint Task Force (NCIJTF), National Cybersecurity & Communications Integration Center (NCCIC)) of being a victim of a successful or unsuccessful cyber-event, anomaly, incident, insider threat, breach, intrusion, or exfiltration.

5.4.2.2. If the cyber-incident affects a classified system, vulnerabilities associated with the incident will be classified per the current version of USTRANSCOM Instruction 31-02, Security Classification Guide.

5.4.3. Cybersecurity Incident Reporting Timelines

In addition to providing the notification required by DFARS 252.204-7012, the contractor is required to notify USTRANSCOM as soon as practicable, but no later than 4 hours after discovering a reportable cyber-incident. The reporting timeline begins when the incident is discovered or reported to the company, its employees, contractors, or cybersecurity firm responsible for providing cybersecurity and response for the company. The contractor shall contact the USTRANSCOM Cyber Operations Center (CyOC) via phone at 618-220-4222. If the contractor does not immediately reach the CyOC via phone, the contractor shall send an email notification to [email protected].

5.4.4. Mandatory Reporting Data

5.4.4.1. The contractor shall work with the USTRANSCOM CyOC through resolution of the incident. Within 4 hours of becoming aware of a reportable cyber-incident, the contractor shall provide an initial notification of the incident, even if some details are not yet available, which includes, but is not limited to, the following information:

(a) Company Name
(b) Who will be the POC with contact information
(c) Contracting Officer POC (name, telephone, email)
(d) Overall Assessment – Description of incident, data at risk, mitigations applied
(e) Indicators of compromise
(f) Vector of attack (if known)
(g) Estimated time of attack (if known)

5.4.4.2. The contractor shall provide a follow-on cyber-incident report to the USTRANSCOM CyOC within 24 hours of becoming aware of a reportable cyber-incident, which includes, but is not limited to, the following information:

(a) Contractor unique Commercial and Government Entity (CAGE) code
(b) Contract numbers affected
(c) Facility CAGE code where the incident occurred if different than the prime Contractor location
(d) POC if different than the POC recorded in the System for Award Management (name, address, position, telephone, email)
(e) Contracting Officer POC (name, telephone, email)
(f) Contract clearance level
(g) Name of subcontractor and CAGE (if applicable) code if incident occurred on a subcontractor network
(h) DoD programs, platforms, systems, or information involved
(i) Location(s) of compromise
(j) Date incident discovered
(k) Type of compromise (e.g., unauthorized access, inadvertent release, other)
(l) Description of technical information compromised
(m) Any additional information relevant to the information compromise

5.4.5. Incident Reporting Coordination

5.4.5.1. In the event of a cyber-incident, USTRANSCOM may conduct an on-site review of network or information systems where DoD information is resident on or transiting to assist the contractor in evaluating the extent of the incident and to share information in an effort to minimize the impact to both parties. Date and time of on-site visits will be mutually agreed upon by USTRANSCOM and the contractor in advance.

5.4.5.2. The contractor agrees to allow follow-on actions by the Government (e.g., USTRANSCOM, Federal Bureau of Investigation, Department of Homeland Security, DC3, etc.) to further characterize and evaluate the suspect activity. The contractor acknowledges that damage assessments might be necessary to ascertain an incident methodology and identify systems compromised as a result of the incident. Once an incident is identified, the contractor agrees to take all reasonable and appropriate steps to preserve any and all evidence, information, data, logs, electronic files and similar type information (reference NIST Special Publication 800-61: Computer Security Incident Handling Guide, (current version)) related to the incident for subsequent forensic analysis so that an accurate and complete damage assessment can be accomplished by the Government.

5.4.5.3. The contractor is not required to maintain an organic forensic capability, but must ensure data is preserved (e.g., remove an affected system, while still powered on, from the network) and all actions documented until forensic analysis can be performed by the Government or, if the Government is unable to conduct the forensic analysis, a mutually agreed upon third party (e.g., Federally Funded Research and Development Center (FFRDC), commercial security contractor, etc.). Any follow-on actions shall be coordinated with the contractor via the Contracting Officer.

5.4.5.4. The contractor agrees to indemnify and hold the government harmless for following any recommendations to remedy or mitigate the cyber-incident following the actions under 1.5.1. and 1.5.2.

5.4.6. Confidentiality and Non-Attribution Statement

The Government may use and disclose reported information as authorized by law and will only provide attribution information on a need-to-know basis to authorized persons for cybersecurity and related purposes (e.g., in support of forensic analysis, incident response, compromise or damage assessments, law enforcement, counter intelligence, threat reporting, and trend analysis). The Government may share threat information with other USTRANSCOM industry partners without attributing or identifying the affected contractor.

5.4.7. Subcontracts.

5.4.7.1. The contractor shall include the above cybersecurity language in paragraphs 1.1 through 1.7 in subcontracts, or similar contractual instruments, including subcontracts for commercial items, without alteration, except to identify the parties.

5.4.7.2. The contractor shall require subcontractors to report cyber-incidents defined in paragraph 1.2.1. to the prime contractor when DoD’s information resides on the subcontractor’s system(s) or network(s).

5.5 Information Assurance Contractor Training and Certification (Jan 2008)

5.5.1. In concert with DFARS 252.239-7100, Information Assurance Contractor Training and Certification, DoD 8570.01-M, Information Assurance Workforce Improvement Program, and USTCI 6600.01, Policy for Cyberspace Workforce (CW) Management, the Contractor shall ensure all personnel conducting cyberspace workforce role functions in support of or on DoD information systems, software, networks, and enclaves satisfy and maintain the appropriate DoD-approved baseline security certification and all applicable computing environment certification requirements commensurate with their current job duties in support of all environments (e.g., development, staging, client test, quality assurance, user acceptance testing, sandboxes, preproduction environments, and associated information system failover, contingency components, and infrastructure as code) in which they are performing work, to include off-site locations, throughout the contract performance period:

5.5.1.1. At least one DoD 8570.01-M mandated Information Assurance (IA) certification per defined role in Appendix E in the following categories: IA Technical (IAT), IA Management (IAM), and/or IA System Architect and Engineer (IASAE). Additional certification requirements exist for personnel supporting Cyber Security Service Provider (CSSP) functions (Analyst, Support, Responder, Auditor, Service Provider/Manager). A current list can be found at https://public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/.

5.5.1.2. Contractor personnel shall hold at least one Computing Environment (CE) certification or certificate for the operating system(s) and/or security related tools/devices they support as defined by the contractor’s cyberspace function listed in Appendix E satisfying one of the following categories:

1. Software development (e.g., java, .net, C++, python, Visual Basic, etc.)
2. Network support/defense (e.g., Splunk, Cisco, McAfee, etc.)
3. Cloud or virtualization (e.g., Azure, AWS, oracle, IBM, etc.)
4. Operating System (e.g., Microsoft, Linux, Solaris, etc.)
5. Application (e.g., database, backup, automation, webserver, network, proxy, firewall, etc.)

5.5.1.3. Contractor personnel shall participate in local training on USTRANSCOM procedures and operations practices upon arrival and on a recurring annual basis. Contractor personnel who require certifications as outlined above must complete an on-the-job evaluation and provide proof of evaluation to the Contracting Officer Representative (COR). The COR will validate the necessity for contractor personnel to attend USTRANSCOM-specific training and provide written certification to the USTRANSCOM Manpower and Personnel Directorate (TCJ1) that such training is USTRANSCOM-specific and required in order for contractor personnel to perform the requirements of their contract. Contractor personnel must also provide proof to the COR or designee of appropriate CE certification(s) and/or certificate(s) they support. The contractor shall provide, in the monthly Personnel Status report, information detailing the contractor personnel assigned, required certifications, and associated certification status.

5.5.1.4. Contractor personnel requiring privileged access (i.e., any elevated privilege beyond normal user-level access) must complete a Privileged Access Agreement, referred to herein as a Statement of Acceptance and Responsibilities (SOAR). A new SOAR must be executed prior to a role change that requires privileged access. Contractor personnel will need to maintain certification status by completing continuous learning requirements as defined by the respective certification provider (e.g., ISC2, ISACA, CompTIA, etc.). Contractor personnel will monitor current certification provider activity to see if they have imposed additional continuous learning requirements.

5.5.2. Contractor personnel who do not have current certification(s) or certificate(s) as specified in Appendix E for their specified roles shall be denied access to information systems unless a waiver has been granted by the USTRANSCOM Authorizing Official (AO).

5.5.2.1. DoD-approved baseline security certifications as delineated in DoD 8570.01-M are not eligible for an AO waiver.

5.5.2.2. The USTRANSCOM AO may allow up to six months for contractor personnel to obtain DoD-approved certification(s) or certificate(s) for designated role requirements in situations of severe operational or personnel constraints. AO waivers must include an expiration date not to exceed six months and be documented in the individual’s IA training record. Consecutive waivers for personnel are prohibited.

5.6 Developer Environment

5.6.1. Secure Software

The Contractor shall meet all Government specifications for design, development and implementation of secure applications and configurations through applying secure software development processes and secure coding practices with each Software Release Candidate. These include but are not limited to applicable DoD Security Technical Implementation Guides (STIGs), Security Requirements Guides (SRGs), industry best practices, vendor security guidance and applicable product security patches. Contractor software will not contain programming errors listed on the current approved version of the Common Weakness Enumeration (CWE)/SANS TOP 25 Most Dangerous Software Errors, Open Web Application Security Project (OWASP) Top Ten or an unsecure configuration found by applying the DISA Application Security and Development Security (ASD) STIG, applicable Enclave Test and Development (T&D) and application STIGs/SRGs.

5.6.2. Static Application Security Testing (SAST)

The Contractor shall run static code scans using a Government-approved code scan tool (e.g., Micro Focus Fortify) to mitigate the potential for security vulnerabilities being deployed into the production environment. Scans will utilize the current scan engine and rule pack as determined by the release candidate delivery date. If the software code has been redeveloped or refactored (changing the source code without modifying the external functional behavior), new scans must be provided to the Government by the Contractor.

5.6.3. DISA Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) Compliance

The contractor shall run the applicable Enclave T&D and ASD STIGs against their environments and deliver results NLT 60 days after the contract start date and NLT 60 days after each DISA STIG/SRG update is released.

The Contractor shall register with the DISA STIG library (https://cyber.mil/stigs/) upon contract award to receive notifications for updates to ensure the application and supporting application technology (i.e., operating system, database, servers, etc.) comply with the most up-to-date version of the DISA SRGs and STIGs. The Contractor shall evaluate each SRG/STIG item, determine applicability based on presence of technology/functionality, and annotate the checklist comment section for each item with statements of review status, applicability, and compliance/non-compliance. In the event of a non-compliant SRG/STIG check, the contractor will annotate open SRG/STIG findings, along with fix or proposed mitigation actions, on a Plan of Action and Milestones (POA&M) for Government approval.

5.6.4. Unsupported Components

Contractor’s development efforts will not utilize unsupported/extended support hardware, software, firmware or computer code unless specifically agreed upon by the Government. Contractor will ensure unsupported components are replaced/removed prior to end of life per a Government approved POA&M. The Government approved POA&M will outline the transition to supported components during any extended support period.

The contractor shall provide code scans with every release candidate. The scans will include all application source code written for the application and Third-Party Libraries (TPL) that were modified for inclusion in the application. Non-functional (non-evoked) code within the TPLs will not be included in scan output. When scanned, source code will be in plain text format and encoded components (e.g., base64 images) will not be included.

5.6.5. Flaw Remediation

Contractor software releases will not introduce any unmitigated vulnerabilities unless specifically agreed upon by the Government. The Contractor shall analyze code scan results, remediate findings, and provide rationale for false positives. Findings mitigated to a lower severity will be agreed upon by the Government.

The Contractor will track all open findings on a Government reviewed and approved Plan of Action and Milestones (POA&M). The Contractor will establish a Burn Down Plan to prioritize remediation actions based on finding severity and Government discretion. The Contractor will assist the Government Information System Security Manager with conducting an annual review of scan findings to ensure the POA&M and Burn Down Plan accurately reflect the current risk posture of the software. The Contractor will provide the results of the review to the Government.

The Contractor agrees not to charge any amount of cost to this or any other Government contract pertaining to the resolution/correction of software deficiencies resulting from the Contractor’s development efforts. The Contractor agrees that resolution of such deficiencies shall be at no cost to the Government.

5.6.6. Development Security Operations (DevSecOps)

The Contractor will follow the DOD Enterprise DevSecOps Reference Design (https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf?ver=2019-09-26-115824-583) when developing in USTRANSCOM hosted development environments. The Contractor will adhere to all policies and procedures established for the authorization boundary of USTRANSCOM hosted development environments.

6 SECURITY (Physical, Personnel, Information, Industrial and Antiterrorism)

6.1 General Security Information

The majority of daily work associated with this PWS is at the Unclassified level, but contractor personnel may be required to access TOP SECRET (TS) or TS-Sensitive Compartmented Information (TS-SCI) information during performance of this contract. Specific security requirements are identified in the DD Form 254, DoD Contract Security Classification Specification. A completed/signed DD Form 254 is attached to the contract.

SECURITY REQUIREMENTS (AUG 1996)

(a) This clause applies to the extent that this contract involves access to information classified "Confidential," "Secret," or "Top Secret."
(b) The Contractor shall comply with-
(1) The Security Agreement (DD Form 441), including the National Industrial Security Program Operating Manual (DoD 5220.22-M); and
(2) Any revisions to that manual, notice of which has been furnished to the Contractor.
(c) If, subsequent to the date of this contract, the security classification or security requirements under this contract are changed by the Government and if the changes cause an increase or decrease in security costs or otherwise affect any other term or condition of this contract, the contract shall be subject to an equitable adjustment as if the changes were directed under the Changes clause of this contract.

6.2 Citizenship and Clearance Requirements

The contractor’s, subcontractors, and/or partner’s personnel performing services under this contract shall be citizens of the United States of America. Overall, all contractor personnel shall possess the appropriate personnel security investigation for the position(s) occupied. Contractor personnel shall be required to have a background investigation that corresponds with the sensitivity level of the tasks to be performed.

6.3 Clearance Requirements and Position Sensitivity

Contractor personnel with IA administrative privileges and/or who will monitor DoD IT systems or software as designated by DoD 8500.1/DODM 5200.02 may be rated at the various levels listed below. The stipulation of the numbers and what IT/Automated Data Processing (ADP) levels the contractors will have is approved by the COR or the CO before the start of the contract.

The contractor shall not divulge any financial, planning, programming, or budgeting information without the express consent of the Government as outlined in Operational Security (OPSEC) and Information Security regulations or be held liable for punitive damages incurred as a result of release of such information. The contractor shall comply with all appropriate provisions of applicable security regulations while assigned to this contract for DoD and USTRANSCOM. The following guidance will be followed when determining background investigation and clearance levels for this contract depending on requirements:

POSITION LEVEL: Information Technology (IT)-I Automated Data Processing (ADP)-I or Critical Sensitive Positions (TOP SECRET): IT/ADP-I and Critical Sensitive Positions are those positions that: require access to Top Secret information; development or approval of plans, policies, or programs that affect the overall operations of the DoD or of a DoD component; development or approval of war plans, plans or particulars of future major or special operations of war, or critical and extremely important items of war; investigative and certain investigative support duties, the issuance of personnel security clearances or access authorizations, or the making of personnel security determinations; fiduciary, public contact, or other duties demanding the highest degree of public trust; duties falling under Special Access programs; directly responsible for the planning, direction, and implementation of a computer security program; major responsibility for the direction, planning and design of a computer system, including the hardware and software; or can access a system during the operation or maintenance in such a way, and with a relatively high risk for causing grave damage, or realize a significant personal gain; and any other position so designated by the head of the component or designee.

BACKGROUND INVESTIGATION REQUIREMENTS: (IT-I/ADP-I or Critical Sensitive) Requirements for TOP SECRET: Positions designated by the Government as Critical Sensitive/ADP-I/IT-I rating require a Tier 5 or an older Single Scope Background Investigation (SSBI) if it is still within scope favorably adjudicated (a favorable adjudication grants eligibility at the TOP SECRET level as prescribed by DODM 5200.02). The IT-I/ADP-I requirements mandate the contractor have a minimum Facilities Clearance (FCL) at the TOP SECRET level due to investigation submissions as directed in DoD 5220.22-M, DoD 5200.01 and the Joint Personnel Adjudications System (JPAS).

POSITION LEVEL: Information Technology (IT)-II Automated Data Processing (ADP)-II Or Non-Critical Sensitive Positions (SECRET): IT/ADP-II and Non-Critical Sensitive Positions are those positions that: have access to Secret or Confidential information; Security police/provost marshal-type duties involving the enforcement of law and security duties involving the protection and safeguarding of DoD personnel and property; category II automated data processing positions; duties involving education and orientation of DoD personnel; duties involving the design, operation, or maintenance of intrusion detection systems deployed to safeguard DoD personnel and property; responsible for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by a higher authority of the ADP-I category to ensure the integrity of the system; and any other position so designated by the head of the Component or designee.

BACKGROUND INVESTIGATION REQUIREMENTS: (IT-II/ADP-II/Non-Critical Sensitive) Requirements for SECRET: Positions designated by the Government at the Non-Critical Sensitive/ADP-II/IT-II rating require a Tier 3 or National Agency Check with Local Credit (NACLC) if it is still within scope favorably adjudicated (a favorable adjudication grants eligibility at the SECRET level as prescribed by DODM 5200.02). The IT-II/ADP-II requirement mandates the contractor have a minimum FCL at the SECRET (or higher) level due to investigation submissions as directed in DoD 5220.22-M, DoD 5200.01 and JPAS.

POSITION LEVEL: Information Technology (IT)-III Automated Data Processing (ADP)-III Or Non-Sensitive Positions (Position of Trust Determination) (No Classified Access) All other positions involved in computer activities and Common Access Card. No clearance is granted for classified access and only a Position of Trust (PoT) is awarded and posted in JPAS.

BACKGROUND INVESTIGATION REQUIREMENTS: (IT-III/ADP-III/Non-Sensitive) Requirements for Position of Trust Determinations (No Classified Access): Positions designated by the Government at the Non-Sensitive/ADP-III/IT-III rating require a Tier 1 or National Agency Check with Inquiries (NACI) if it is still within scope favorably adjudicated (a favorable adjudication issues a Position of Trust determination as prescribed by DODM 5200.02). The investigation must be posted in JPAS or DISS before a CAC or NIPRNET access will be granted. To obtain interim CAC/NIPRNET access, Tier 1 investigations will be opened with fingerprint, name and criminal records checks returned favorably before the credentials (CAC and NIPRNET) are issued. Tier 1 submissions will be completed on the Standard Form (SF) 85 and submitted with electronic fingerprints to USTRANSCOM personnel security program manager for processing. No classified access will be granted based on the Tier 1 investigation.

NOTE: The above requirements for IT-III/ADP-III/Non-Sensitive Positions are for access to unclassified systems only. Contractors who require access to classified systems or areas must have interim or final adjudication of background investigations at the Critical or Non-Critical Sensitive levels.

USTRANSCOM will only process Tier 1 Position of Trust investigations and will not complete any personnel security investigations for classified access. It is incumbent upon the contractor to have the appropriate investigations completed upon start of the contract. Personnel who do not have the proper investigation will be denied the ability and access to USTRANSCOM facilities until investigations have been favorably adjudicated.

6.4 Security Clearance and Special Access Requirements

All positions on this contract require a minimum of a SECRET clearance. In addition, some positions on this contract require access to Sensitive Compartmented Information (SCI). Contractors requiring access to TS-SCI or TS must have an eligibility determination of TOP SECRET as granted by the DoD Consolidated Adjudication Facility (CAF). Tasks that require collateral TOP SECRET and TOP SECRET/SCI eligibility or TOP SECRET/SCI or Special Access are outlined in the table below. TS-SCI will not be released to contractor employees without specific release approval of the originator.

PWS Para   Task Area   Restricted System Access   TOP SECRET   SCI Eligibility
1.3.2.1 Duty Controller X
1.3.2.4. Enterprise Network Service Support X X (Only GCCS Top Secret)
1.3.2.4.1 System Administration X X
1.3.2.4.2 Database Administration X X
1.3.2.4.3 Virtual Environment and Network Storage X X
1.3.2.4.4 Messaging and Collaboration X X
1.3.2.4.5 Directory Services & Identity Access Management X X
1.3.3.9.3 Test and Assessment X
1.3.3.9.4 CSM and BAM X
1.3.4.2 Communications, Cyberspace, and Exercise Planning X X X
1.3.4.4 SATCOM Management and Planning X X X
1.3.4.5 MILSTAR Operations and Management X X X
1.3.4.6 Airborne Communications Task Management X X X
1.3.5.1.1 Cyber Security Defense X X
1.3.5.1.2 Intrusion Detection Monitoring & Incident Management X X
1.3.5.1.3 Cyber Threat Analysis X X
1.3.5.1.4 COMSEC X X
1.3.5.1.5 EMSEC X X
1.3.5.1.6 Continuous Monitoring X
1.3.5.2.1 ISSE X
1.3.5.2.2 Auditing, & Vuln Mgmt X
1.3.5.2.3 Authorization X
1.3.5.2.4 Insider Threat Risk Mitigation X
1.3.5.2.5 Software Assurance X

NOTE: A minimum of one (1) contractor shall be TS cleared for paragraph 1.3.5.1.1. All contractors shall be TS cleared and SCI eligible for activities associated with paragraph 1.3.5.1.2, 1.3.5.1.3, 1.3.5.1.4, and 1.3.5.1.5.

6.5 Facilities Clearance Level (FCL)

The contractor must have a valid FCL at the TOP SECRET level. Interim FCLs are acceptable provided they are not expired. FCL procedures and security guidelines for adjudicative requirements are outlined in DoD 5220.22-M and DODM 5200.02. FCLs and Interim FCLs must be awarded by the Defense Counterintelligence and Security Agency (DCSA) Facility Clearance Branch.

6.6 Personnel and Facilities Clearance Validation

Upon contract award, the contractor shall submit the names of contractor personnel to the USTRANSCOM contracting team (contracting officer or COR or contract specialist) for vetting through JPAS or DISS to ensure investigative and clearance requirements have been satisfied. This shall be completed before the COR/Trusted Agent (TA) accesses the DoD Trusted Associate Sponsorship System (TASS) and creates and approves a CAC application for issuance of the CAC to the contractor’s personnel. If a contractor’s employee does not have the required investigative or security clearance level based on the Government’s determination, the contractor’s employee will be denied the ability to work in support of this contract and the employee’s information will not be loaded into TASS.

6.7 Common Access Card Issuance Procedures

CACs will only be approved for a period not to exceed three years, or less if the contract is for less than three years. Once approved in TASS, the contractor employees may go to the nearest Real-Time Automated Personnel Identification System (RAPIDS)/Defense Enrollment Eligibility Reporting System (DEERS) office for CAC issuance.

6.8 Access to Scott Air Force Base or USTRANSCOM Facilities

Upon receipt of the CAC, permanently assigned contractor personnel located at USTRANSCOM at Scott AFB (SAFB), IL, may obtain the AF 1199 (Restricted Area Badge) if the employee meets the requirements set forth in SAFB Instruction 31-101, Integrated Defense. This stipulates that personnel who request AF 1199’s be assigned physically on SAFB at least four (4) days a week with a desk computer and phone before an AF 1199 will be issued. The Government will provide unrestricted access to facilities, consistent with security clearance and need to know, necessary for the on-site personnel to perform their work IAW the contract. Contractor personnel assigned on-site at USTRANSCOM will wear and display the Restricted Area badge at all times while in Government facilities. Visits to SAFB by contractor personnel who do not possess the CAC will be facilitated by the COR/CO sponsoring the employee through the online base access system.

6.9 Visits by Non-Assigned Contractors to USTRANSCOM/SDDC Buildings

Any visit(s) by contractor personnel not permanently assigned to this contract (i.e., company presidents, company security managers, contractor personnel not permanently assigned at SAFB, etc.) require an electronic visit request be submitted using JPAS. JPAS visits can be forwarded to the Security Management Office (SMO) code: USTC-SDDC. The visit request shall annotate the contract number in the POC block of the visit request and the name/phone number of either the functional, COR or CO in the phone number block.

6.10 Visits by Permanently Assigned Contractors

Permanently assigned contractor employees on SAFB will require a visit request for the current period of performance posted in JPAS to SMO: USTC-CONT. The visit request will annotate the contract number in the POC block of the visit request and the name/phone number of either the functional, COR or CO in the phone number block. Upon in-processing permanently assigned contractors will require a copy of the DD254 for this contract to show the classified access level for this contract and to assist in assigning permissions on restricted area badges.

6.11 Security and Emergency Operations Training

Contractor employees assigned to USTRANSCOM and utilizing its enterprise networks shall attend/complete security training as prescribed by DoD and USTRANSCOM instructions. At a minimum this includes: Employee Initial Security Training, Annual Security Awareness Training, Operations Security (OPSEC), DoD Antiterrorism Level 1 Training, Active Shooter Training, Personally Identifiable Information (PII) Training, Emergency Operations and any Security Stand Down Day Training scheduled by the Commander, USTRANSCOM. Contract employees assigned elsewhere shall attend security training established by their respective government security offices and/or installations. SCI training will be conducted by the SSO USTRANSCOM and contractor personnel will attend all training for this SCI requirement.

6.12 Additional Security Conditions

All contractors assigned to USTRANSCOM/SDDC on SAFB will complete the contractor in-processing checklist before the start of work on this or any contract/contract in USTRANSCOM. Contractor personnel shall complete the out-processing checklist on the last day of the contract or upon termination or reassignment from duties under this contract. Upon completion of this contract, the contractor’s personnel shall surrender all Government supplies, materials and equipment to the COR. All contractor personnel assigned to this contract who possess CAC cards shall return those cards to the SSC when completing out-processing. No CAC’s or AF 1199 (Restricted Area badges) will be turned into the contractor’s company. Contractor personnel physically working at USTRANSCOM at SAFB, IL, shall complete a security debriefing statement (SF 312) upon completion of the contract.

6.13 Derogatory Information

If the Government notifies the contractor that the employment or the continued employment of any contractor personnel is prejudicial to the interests or endangers the security of the United States of America, that employee shall be removed and barred from the worksite. This includes security deviations/incidents and credible derogatory information on contractor personnel during the course of the contract’s period of performance as noted in JPAS. Personnel who have incident reports posted in JPAS will be denied the ability to support the contract until the issues have been resolved and the incident has been removed in JPAS. The contractor shall make any changes necessary in the appointment(s), at no additional cost to the Government. If any incident involves or may involve the mishandling of classified information or a potential Negligent Discharge of Classified Information, the USTRANSCOM Protection and Response Office (618-220-6538/6531) will be notified within 24 hours during the normal work week and within 72 hours if the incident occurs over the weekend.

6.14 Accessing NATO Information

No contractor employee will access NATO information without first being indoctrinated on NATO and having that access recorded in JPAS. Any NATO information accessed will be only on SIPRNet. Senders of NATO information will ensure the receiving network is accredited and the receiving point is a Sub-Registry or authorized Control Point. No NATO information will be stored with US classified information. Access to NATO information will be based on need-to-know, appropriate access level, and training. NATO information will not be disseminated to unauthorized users. NATO information will be printed only on authorized copiers and printers. All printed NATO classified information must be strictly controlled and tracked in a NATO registry. Contact the USTRANSCOM Sub-Registry for additional control measures. USTRANSCOM will indoctrinate all on-site contractor employees and document in JPAS. Company FSOs are responsible for all annual NATO refresher briefings per NISPOM paragraph 10-706 and record the date of the annual briefings in JPAS.

6.15 Security Debriefing

Contractor personnel physically working at USTRANSCOM at SAFB, IL, shall complete a security debriefing statement (SF 312) upon completion of the contract.


Security Regulation Guidance: Department of Defense (DoD): 2000.16 (DoDI Antiterrorism (AT) Standards) 5200.01 (DoDM Information Security Program) DODM 5200.02 (DoD Personnel Security Program) 5200.08-R (DoD Physical Security Program) 5220.22-M (National Industrial Security Program Operating Manual-NISPOM) 8500.1 (DTIC- Cyber-Security) 2000.12 (DoDI Antiterrorism (AT) Program) DISA 300.115.3 Circular: (SIPRNet Security Classification Guide)

DoD regulations found at: http://www.dtic.mil/whs/directives/corres/pub1.html

USTRANSCOM:
USTRANSCOM Instruction 31-02 (USTRANSCOM Security Classification Guide)
USTRANSCOM Instruction 31-12 (Operations Security - OPSEC)

Scott Air Force Base: SAFB Instruction 31-101 (Installation Security Instruction), Integrated Defense

USTRANSCOM Force Protection (Industrial Security) Points of Contact:
Attn: TCCS-PR (Steve Strait or Steve Stegen)
508 Scott Drive
Scott AFB IL 62225
Commercial: 618-220-6531/220-7892 (respectively)
Email at [email protected] or [email protected]
TCCS-PR Approval: Steven M Strait, USTRANSCOM SSC, 618-220-6531
TCCS-PR Tracking #: USTRANSCOM-FP-XX-20


Appendix A: Acronyms

Acronym: Definition
3D: Three Dimensional
AAR: After Action Review
AARS: Automated Account Request System
ADDM: Atrium Discovery and Dependency Mapping
ADP: Automated Data Processing
ADPE: Automated Data Processing Equipment
AEHF: Advanced Extremely High Frequency
AF: Air Force
AFB: Air Force Base
AFEMS: Air Force e-Equipment Management System
AFI: Air Force Instruction
AFNIC: Air Force Network Integration Center
AFSSI: Air Force System Security Instruction
AIM: Asset Inventory Management
AIS: Automated Information System(s)
AISSP: Automated Information Systems Security Program
ALERTS: Aircrew Life-Sustaining Equipment Records Tracking System
AMC: Air Mobility Command
AMHS: Automated Message Handling System
AMP: Analysis of Mobility Platform
AO: Authorizing Official
APfM: Application Portfolio Management
APL: approved products list
APM: Application Portfolio Management
APOD: Aerial Port Of Debarkation
ASI: Authorized Services Interruptions
ASP:
AT: Antiterrorism
AT21: Agile Transportation for the 21st Century
ATO: Authority To Operate
BAM: Business Activity Monitoring
BCM: Business Continuity Management
BECO: Base Equipment Control Officer
BMC: Business Model Canvas
BPPM: BMC ProactiveNet Performance Management

BRM: Business Relationship Management
BSM: Business Service Management
C2: Command and Control
C4: Command, Control, Communications, and Computer
C4S: Command, Control, Communications, and Computer Systems
CAA: Command Arrangement Agreements
CAB: Chief’s Action Board
CAB: Change Advisory Board
CAC: Common Access Card
CBA: Capabilities Based Assessment
CBT: Computer Based Training
CC/S/A: COCOM/Service/Agency
CCB: Configuration Control Board
CCE: Common Computing Environment
CCEA: Communications Security Equipment Account
CCI: Controlled Cryptographic Items
CD: Compact Disc
CDD: Capabilities Development Document
CDE: Corporate Data Environment
CE: Computing Environment
CERT: Computer Emergency Response Team
CFE: Contractor Furnished Equipment
CFML: ColdFusion
CFR: Code of Federal Regulations
CG: Communications Group
CGP: Corporate Governance Process
CI: Configuration Item
CIO: Chief Information Officer
CIP: Critical Infrastructure Protection
CIPS: Cyberspace Infrastructure Planning System
CISO: Chief Information Security Officer
CIWG: Collaboration Information Working Group
CJCS: Chairman Joint Chiefs of Staff
C-KT: Cyber-Key Terrain
CL: Confidentiality Level
CLIN: Contract Line Item Number
CLSA: Component Level Services Assessment
CM: Configuration Manager or Content Manager (Micro Focus)
CMCS: Communications Security Material Control System

CMDB: Configuration Manager Database
CMI: Classified Message Incident
CMRS: Continuous Monitoring and Risk Scoring
CMS: Configuration Management System
CND: Computer Network Defense
CND-A: CND-SP Analyst
CND-IR: CND-SP Incident Responder
CND-IS: CND-SP Infrastructure Support
CNDSP: Computer Network Defense Service Provider
CNSSI: Committee on National Security Systems Instructions
CO: Contracting Officer
COA: Course of Action
COCOM: Combatant Command
COE: Common Operating Environment
COIS: Classified Office Information System
COMSEC: Communications Security
CONOPS: Concept of Operations
CONPLANS: Contingency Plans
CONUS: Contiguous United States
COOP: Continuity of Operations
COP: Common Operational Picture
COR: Contracting Officer Representative
COTS: Commercial Off The Shelf
CP: Control Point (Micro Focus)
CPE: Common Production Environment
CRO: Communications Security (COMSEC) Responsible Officer
CSI: Continual Service Improvement
CSM: Customer Service Monitoring
CSSP: Cyber Security Service Provider
CTE: Common Test Environment
CTI: COP Transportation Interface
CTO: Chief Technology Officer
CTTA: Certified TEMPEST Technical Authority
CVS: Contract Verification System
CWE/SANS: Common Weakness Enumeration/System Administration, Networking, and Security Institute
CWRAF: Common Weakness Risk Analysis Framework
CWSS: Common Weakness Scoring System
D2C2: Deployable Distribution Command and Control

DaR: Data at Rest
DBA: Database Administrator
DBaaS: Database as a Service
DCO: Defense Connect Online
DCO: Defensive Cyber Operations
DCS: Defense Collaboration Services
DDOC: Deployment Distribution Operations Center
DEE: Department of Defense Enterprise E-Mail
DEERS: Defense Enrollment Eligibility Reporting System
DEPO: DECC Provisioning Online
DESMF: Department of Defense Enterprise Service Management Framework
DFARS: Department of Defense Federal Acquisition Regulation Supplement
DHCP: Dynamic Host Configuration Protocol
DIACAP: Department of Defense (DoD) Information Assurance Certification and Accreditation Process
DISA: Defense Information Systems Agency
DISCO: Defense Industrial Security Clearance Office
DITCO: Defense Information Technology Contracting Office
DM4-A: Director Mobility Forces Air
DM4-S: Director Mobility Forces Surface
DMZ: Demilitarized Zone
DNS: Domain Name Server/Service
DO: Duty Officer
DoD: Department of Defense
DoDD: Department of Defense Directive
DoDI: Department of Defense Instruction
DoDIN: Department of Defense Information Network
DPO: Distribution Process Owner
DRRS: Defense Readiness Reporting System
DSE: DPO Secure Enclave
DSS: Defense Security Service
DSVRO: Directorate Secure Voice Responsible Officer
DTM: Directive-Type Memorandum
DTS: Defense Transportation System
DV: Distinguished Visitor
DWCA: Defense Workforce Certification Application
EC: Equipment Custodian
ECAB: Emergency Change Advisory Board
ECK: Executive Comm Kit

ECMA: European Computer Manufacturers Association
ECO: Equipment Control Officer
EI: Enterprise Infrastructure
EITDR: Enterprise Information Technical Data Repository
ELB: Events Logbook
eMASS: Enterprise Mission Assurance Support Service
EMSEC: Emission Security
EnCEP: EnCase® Certified eDiscovery Practitioner
ESI: Electronically Stored Information
ESM: Evaluator Scoring Metrics
ESMS: Exercise Single Mobility System
ET: Event Test
ETA: Education, Training, and Awareness
ETMS: Enhanced Traffic Management System
FAA: Federal Aviation Administration
FACCSM: Functional Area Communications and Computer Systems Manager
FAR: Federal Acquisition Regulation
FCL: Facilities Clearance Level
FISMA: Federal Information Security Management Act
FMO: Functional Management Office
FOIA: Freedom of Information Act
FOS: Family of Systems
FSC: Forward Schedule of Change
GBS: Global Broadcast System
GCCC: Global C4 Coordination Center
GCCS: Global Command and Control System
GCCS-I3: GCCS-Integrated Imagery and Intelligence
GCSS: Global Combat Support System
GDSS: Global Decision Support System
GEOLOC: Geographic Location
GFE: Government Furnished Equipment
GIG: Global Information Grid
GOTS: Government Off The Shelf
GPO: Group Policy Object
GPR: GCCS Problem Report
HBSS: Host Based Security System
HIPAA: Health Insurance Portability and Accountability Act
HIS: Host Integrity at Startup
HP: Hewlett-Packard

HQ: Headquarters
HTML: Hypertext Markup Language
I-3: Integrated Imagery and Intelligence
IA: Information Assurance
IaaS: Infrastructure as a Service
IACOP: Information Assurance Common Operational Picture
IAT: Information Assurance Technical
IATO: Interim Authority to Operate
IAVA: Information Assurance Vulnerability Alert
IAVM: Information Assurance Vulnerability Management
IAW: in accordance with
IAW: In Accordance With
IAWIP: Information Assurance Workforce Improvement Program
ICD: Initial Capabilities Document
ICDB: Integrated Communications Database
ICP: Inter-theater COMSEC Package
ICS: Integrated Customer Support
IdAM: Identity Access Management
IDS: Intrusion Detection Systems
IETF: Internet Engineering Task Force
IGC: Integrated Data Environment/Global Transportation Network Convergence
IM: Information Management
IMS: Integrated Master Schedule
IP: Internet Protocol
IP: Information Protection
IPL: Integrated Priority List
IPR: In-Process Review
IPR: Interim Program Review
IPS: Intrusion Prevention Systems
IPT: Integrated Process Team
IPTV: Internet Protocol Television
ISDN: Integrated Services Digital Network
ISF: Imaging Science Foundation
ISP: Information Support Plan
ISSE: Information Systems Security Engineering
ISSM: Information System Security Manager
IT: Information Technology
ITES-2S: Information Technology Enterprise Solutions 2 Services

ITIL: Information Technology Infrastructure Library
ITS: Information Tool Suite
ITSM: Information Technology Service Management
ITV: In-Transit Visibility
IV&V: Independent Verification and Validation
JALIS: Joint Air Logistics Information System
JALIS NG: Joint Air Logistics Information System Next Generation
JCC: Joint Cyber Center
JCD: Joint CERT Database
JDBC: Java Database Connectivity
JCIDS: Joint Capabilities Integration and Development System
JCS: Joint Chiefs of Staff
JDDA-E: Joint Deployment and Distribution Architecture-Enhanced
JDDE: Joint Deployment and Distribution Enterprise
JDDOC: Joint Deployment and Distribution Operations Center
JDNET: JOPES Direct Network Interface
JET: JOPES Editing Tool
JFAC: Joint Federated Assurance Center
JFAST: Joint Flow Analysis System for Transportation
JFRR: Joint Forces Readiness Report
JIMS: Joint Incident Management System
JMET: Joint Mission Essential Task
JMETL: Joint Mission Essential Task List
JMRR: Joint Monthly Readiness Report
JOPES: Joint Operations Planning and Execution System
JOPP: Joint Operational Planning Process
JOSAC: Joint Operational Support Airlift Center
JPAS: Joint Personnel Adjudications System
JPMO: Joint Program Management Office
JPS: Joint Personnel System
JSC: Joint Spectrum Center
JTEN: Joint Training and Experimentation Network
JTF-PO: Joint Task Force - Port Opening
JTIMS: Joint Training Information Management System
JTR: Joint Travel Regulation
JUCC: Joint Unified Combatant Commands
KEDB: Known Error Database
KMI: Key Management Infrastructure

LAN: Local Area Network
LDAP: Lightweight Directory Access Protocol
LRA: Local Registration Authority
MAC: Mission Assurance Category
MAF: Military Airlift Forces
MAM: Mission Area Manager
MAN: Metropolitan Area Network
MAP: Mission Area Plans
MCEB: Military Communications-Electronics Board
MCSE: MS Certified Solutions Expert
MCU: Multipoint Control Unit
MILSTAR: Military Strategic and Tactical Relay System
MOA: Memorandum of Agreements
MOSS: Microsoft Office SharePoint Server
MSC: Military Sealift Command
MSEL: Master Scenario Events List
MSR: Monthly Status Report
NACI: National Agency Check with Inquiries
NACLC: National Agency Check with Local Credit
NAS: Network-Attached Storage
NCES: Net-Centric Enterprise Services
NDA: Non-Disclosure Agreement
NIPRNET: Non-secure Internet Protocol Router Network
NIST: National Institute of Standards & Technology
NLT: No later than
NMS-CO: National Military Strategy for Cyber Operations
NOTAM: Notice to Airman
NSTISSC: National Security Telecommunications and Information Systems Security Committee
O&M: Operation and Maintenance
OASD (NII): Office of the Assistant Secretary of Defense (Network and Information Integration)
OCONUS: Outside Contiguous United States
OCS: Office Communications Server
ODC: Other Direct Cost
OIS: Office Information System
OLA: Operational Level Agreement
OPLANS: Operation Plans
OPR: Office of Primary Responsibility

OPSEC: Operational Security
OSA: Operational Support Airlift
OST: Operations Support Team
OT&E: Operational Test and Evaluation
OWASP: Open Web Application Security Project
PaaS: Platform as a Service
PB: President’s Budget
PBA: Patterns of Business Activity
PDS: Practices Dangerous to Security
PKI: Public Key Infrastructure
PL/SQL: Procedural Language/Structured Query Language
PM: Program Manager
PMO: Program Management Office
PMP: Project Management Professional
POA&M: Plan of Action and Milestones
POC: Point of Contact
POM: Program Obligation Memorandum
PoT: Position of Trust
PPM: Project Portfolio Management
PPSM: Ports, Protocols, and Services Management
PR: Program Review
PSO: Projected Service Outages
PWS: Performance Work Statement
QTB: Quarterly Training Brief
RAPIDS: Real-Time Automated Personnel Identification System
RDBMS: Relational Database Management Systems
REMDEV: Remedy Development
RF: Radio Frequency
RFC: Request for Change
RM: Records Management
RMF: Risk Management Framework
RQT: Rapid Query Tool
SaaS: Software as a Service
SACM: Service Asset and Configuration Management
SAFB: Scott Air Force Base
SAN: Storage Area Network
SATCOM: Satellite Communications
SBSS: Standard Base Supply System
SCA: Security Control Assessor

SCI: Sensitive Compartmented Information
SCIF: Sensitive Compartmented Information Facility
SCM: Secure Content Management (Micro Focus)
SDDC: Surface Deployment and Distribution Command
SDM: Structured Data Manager (Micro Focus)

SF: Standard Form
SIEM: Security Information and Event Management
SIPRNET: Secret Internet Protocol Router Network
SKMS: Service Knowledge Management System
SLA: Service Level Agreement
SLC3S: Senior Leader Command, Control, and Communications System
SME: Subject Matter Expert
SMINT: Scheduling and Movement Interface
SMO: Security Management Office
SMS: Single Mobility System
SMTP: Simple Mail Transfer Protocol
SOA: Service Oriented Architecture
SOP: Standard Operating Procedures
SP: Special Publications
SPfM: Service Portfolio Management
SPOD: Surface Port Of Debarkation
SQL: Structured Query Language
SSBI: Single Scope Background Investigation
SSC: Security Services Center
SSIS: SQL Server Integration Services
SSR: Special Security Representative
ST&E: Security Test and Evaluation
STE: Secure Telephone Unit
STIG: Security Technical Implementation Guide
STU: Secure Terminal Equipment
SVRO: Secure Voice Responsible Officer
TA: Technical Assessment
TA: Trusted Agent
TACC: Tanker Airlift Control Center
TAG: Technical Advisory Board
TCAQ: USTRANSCOM Directorate of Acquisition
TCC: Transportation Component Command
TCCC: USTRANSCOM Commander

TCCS: USTRANSCOM Chief of Staff
TCCS-IM: USTRANSCOM Chief of Staff Information Management
TCDC: USTRANSCOM Deputy Commander
TCJ3: USTRANSCOM Operations and Plans Directorate
TCJ6: USTRANSCOM Command, Control, Communications and Computer Systems Directorate
TCJ6-X: TCJ6 Distribution Capabilities and Support Division
TCJ8: USTRANSCOM Program Analysis and Financial Management Directorate
TCJA: USTRANSCOM Staff Judge Advocate Directorate
TCJA-FO: USTRANSCOM Freedom of Information Office
TCO: Telephone Control Officer
TDY: Temporary Duty
TEMP: Test and Evaluation Master Plans
TEMPEST: Telecommunications and Electrical Machinery Protected from Emanations Security
TFMDG: Traffic Flow Management Data to Government
TIAC: Technical Information Analysis Center
TMART: Transaction Management Application Response Timer
TMT: Task Management Tool
TPI: Two Person Integrity

TransViz: Transportation Visualization
TS: Top Secret
TS&C: Technical Solutions and Costing
TS-SCI: Top Secret-Sensitive Compartmented Information
TUCHA: Type Unit Characteristic
UBE: Unsolicited Bulk E-Mail
UC: Unified Capabilities
UDDI: Universal Description, Discovery and Integration
UDOP: User Defined Operational Picture
UML: Unified Modeling Language
UOIS: Unclassified Office Information System
UP: User Profiles
USAF: United States Air Force
USC: United States Code
USCYBERCOM: United States Cyber Command
USTCI: United States Transportation Command Instruction
USTRANSCOM: United States Transportation Command
VIP: Very Important Person

VOIP: Voice Over Internet Protocol
VPN: Virtual Private Network
W3C: World Wide Web Consortium
WAN: Wide Area Network
WWW: World Wide Web
XML: Extensible Markup Language
xRM: Any Business Entity – Relationship Management


Appendix B: References

Air Force Instruction (AFI) 10-601, Operational Capability Requirements Development, November 5 2013, https://static.e-publishing.af.mil/production/1/af_a3_5/publication/afi10-601/afi10-601.pdf
AFMAN 17-1302-O, Communications Security (COMSEC) Operations (FOUO), February 2, 2017; available on Warehouse Management System (WMS) at: https://wmsweb.afncr.af.mil/wms/default.aspx
MPTO 00-33B-5001, Air Force Communications Security (COMSEC) Accounting Methods and Procedures Technical Order, Sept 2016
AFMAN 17-1203, Information Technology (IT) Asset Management (ITAM), May 18, 2019, https://static.e-publishing.af.mil/production/1/saf_cio_a6cn/publication/afman17-1203/afman17-1203.pdf
CJCSI 3150.25E, Joint Lessons Learned Program, Apr 2012, http://www.dtic.mil/cjcs_directives/cdata/unlimit/3150_25.pdf
CJCSI 3170.01I, Joint Capabilities Integration and Development System, Jan 2015, http://www.dtic.mil/cjcs_directives/cdata/unlimit/3170_01.pdf
CJCSI 3320.01D, Electromagnetic Spectrum Use in Joint Military Operations, Jan 2013, http://www.dtic.mil/cjcs_directives/cdata/unlimit/3320_01.pdf
CJCSI 3320.02F, Joint Spectrum Interference Resolution (JSIR), Mar 2013, http://www.dtic.mil/cjcs_directives/cdata/unlimit/3320_02.pdf
CJCSI 3320.03C, Joint Communications Electronics Operation Instructions, Oct 2013, http://www.dtic.mil/cjcs_directives/cdata/unlimit/3320_03.pdf
CJCSI 3500.01H, Joint Training Policy and Guidance for the Armed Forces of the United States, Apr 2014, http://www.dtic.mil/cjcs_directives/cdata/unlimit/3500_01.pdf
CJCSI 3500.02B, Universal Joint Task List (UJTL) Policy and Guidance for the Armed Forces of the United States, Jan 2014, http://www.dtic.mil/cjcs_directives/cdata/unlimit/3500_02.pdf
CJCSI 6251.01D, Narrowband Satellite Communications Requirements, Nov 2012, http://www.dtic.mil/cjcs_directives/cdata/unlimit/6251_01.pdf
CJCSI 6510.01F, Information Assurance (IA) and Support to Computer Network Defense (CND), Feb 2011, http://www.dtic.mil/cjcs_directives/cdata/unlimit/6510_01.pdf
CJCSM 3122.01A, Joint Operation Planning and Execution System (JOPES), Volume I (Planning Policies and Procedures) Limited/Restricted Distribution, Sept 2006, http://jointstaff.js.smil.mil/portal/site/jsportal/jelmanuals/
CJCSM 3122.02D, JOPES, Volume III (Crisis Action Time-Phased Force and Deployment Data Development and Deployment Execution) Limited/Restricted Distribution, Apr 2011, http://jointstaff.js.smil.mil/portal/site/jsportal/jelmanuals/
CJCSM 3122.03C, JOPES, Volume II (Planning Formats and Guidance) Limited/Restricted Distribution, http://jointstaff.js.smil.mil/portal/site/jsportal/jelmanuals


CJCSM 3320.01C, Joint Operations in the Electromagnetic Operational Environment, Dec 2012, http://www.dtic.mil/cjcs_directives/cdata/unlimit/m332001.pdf
CJCSM 3320.02C, Joint Spectrum Interference Resolution (JSIR) Procedures, Jun 2013, http://www.dtic.mil/cjcs_directives/cdata/unlimit/m332002.pdf
CJCSM 3500.03C, Joint Training Manual for the Armed Forces of the United States, Jan 2011, http://www.dtic.mil/cjcs_directives/cdata/unlimit/m350003.pdf
CJCSM 6254.01F, MILSTAR Network Operating Procedures, Classified document, June 2011, http://jointstaff.js.smil.mil/portal/site/jsportal/jelmanuals/
CJCSM 6510.01B, Cyber Incident Handling Program, July 10, 2012, https://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897
CJCSN 3500.01, Chairman’s Joint Training Guidance (CJTG), Oct 2014, http://www.dtic.mil/cjcs_directives/cdata/unlimit/n350001.pdf
Department of Defense (DoD) Enterprise Service Management Framework (DESMF) edition II, 8 Nov 2013, https://community.apan.org/esmf_consortium_working_groups/m/desmf_ed_ii/default.aspx.
DoDD 8000.01, Management of the Department of Defense Information Enterprise (DoD IE), March 17, 2016; Incorporating Change 1, July 27, 2017, http://www.dtic.mil/whs/directives/corres/pdf/800001p.pdf
DoD Directive (DoDD) 4500.43, Operational Support Airlift (OSA), May 2011, http://www.dtic.mil/whs/directives/corres/pdf/450043p.pdf
DoDD 4500.56, DoD Policy on the Use of Government Aircraft and Air Travel, Apr 2009, http://www.dtic.mil/whs/directives/corres/pdf/450056p.pdf
DoDD 8115.01, Information Technology Portfolio Management, Oct 2005, http://www.dtic.mil/whs/directives/corres/pdf/811501p.pdf
DoD Instruction (DoDI) 1100.22, Policy and Procedures for Determining Workforce Mix, Apr 2010, http://www.dtic.mil/whs/directives/corres/pdf/110022p.pdf
DoDI S-5100.92, Defense and National Leadership Command Capability (DNLCC) Governance (U) Classified Document, May 2009, http://www.dtic.smil.mil/whs/directives/corres/pdf/510092p.pdf
DoDI 5158.06, Distribution Process Owner, Jul 2007, http://www.dtic.mil/whs/directives/corres/pdf/515806p.pdf
DoDI 8115.02, Information Technology Portfolio Management Implementation, Oct 2006, http://www.dtic.mil/whs/directives/corres/pdf/811502p.pdf
DoDI 8410.02, NetOps for the Global Information Grid (GIG), Dec 2008, http://www.dtic.mil/whs/directives/corres/pdf/841002p.pdf
DoDI 8440.01, DoD Information Technology (IT) Service Management (ITSM), Dec 2015, http://www.dtic.mil/whs/directives/corres/pdf/844001p.pdf
DoDI 8500.01 Cybersecurity, Mar 2014, http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), Mar 2014, http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
DoDI 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, May 2011, http://www.dtic.mil/whs/directives/corres/pdf/852002p.pdf
DoDI 8530.01, Cybersecurity Activities Support to DoD Information Network Operations, March 7, 2016; Incorporating Change 1, July 25, 2017
DoDI O-8530.2, Support to Computer Network Defense (CND), Mar 2001, Limited/Restricted Distribution, http://www.dtic.smil.mil/whs/directives/corres/pdf/85302p.pdf
DoDI 8551.01 Ports, Protocols, and Services Management (PPSM), May 28, 2014; Incorporating Change 1, July 27, 2017
DoD 8570.01–M, Information Assurance Workforce Improvement Program, http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf
E-Government Act of 2002 (Public Law 107-347), Incorporating Change 3, Jan 2012, http://csrc.nist.gov/drivers/documents/HR2458-final.pdf
Federal Acquisition Reform Act of 1996 (Division D of Public Law 104-106), Feb 1996, http://www.osec.doc.gov/oam/archive/docs/FARA.pdf
Information Technology Management Reform Act (Division E of Public Law 104-106), Feb 1996, http://www.dol.gov/ocfo/media/regs/ITMRA.pdf
ITIL v3. Axelos Global Best Practice Solutions, Accessed Apr 1, 2015, https://www.axelos.com/best-practice-solutions/itil
Joint Publication (JP) 3-0, Joint Operations, Aug 2011, http://www.dtic.mil/doctrine/new_pubs/jp3_0.pdf
JP 3-12, Cyberspace Operations www.dtic.mil/doctrine/new_pubs/jp3_12R.pdf
JP 5-0, Joint Operation Planning, Aug 2011, http://www.dtic.mil/doctrine/new_pubs/jp5_0.pdf
JP 6-0, Joint Communications System, Jun 2010, http://www.dtic.mil/doctrine/new_pubs/jp6_0.pdf
National Military Strategy for Cyber Operations (NMS-CO), Dec 2006, http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf
NMS-CO Implementation Plan Classified Document, http://www.intelink.sgov.gov/wiki/NMS-CO_I-Plan
National Security Presidential Directive (NSPD) 28, United States Nuclear Weapons Command and Control, Safety, and Security, Classified Document, Mar 1982, http://www.intelink.sgov.gov/w/images/d/d5/NSPD.pdf
NIST FIPS 140-2, Security Requirements for Cryptographic Modules, Mar 25, 2001
NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, Aug 2000, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-160, Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, March 21, 2018, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Rev. A, Jun 2004, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-30, Guide for Conducting Risk Assessments, Rev. 1, Sep 2012, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Rev. 4, Feb 2010, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, Mar 2011, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4, Apr 2013, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-53a, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, Rev. 4, Dec 2014, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-61, Computer Security Incident Handling Guide, Rev. 2, Aug 2012, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, Sept 2006, http://csrc.nist.gov/publications/PubsSPs.html
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, Sep 2008, http://csrc.nist.gov/publications/PubsSPs.html
Paperwork Reduction Act (Public Law 104-13, Chapter 35 of title 44, United States Code), May 1995, http://www.archives.gov/federal-register/laws/paperwork-reduction/3501.html
Project Management Institute, February 2015, Project Management Institute Home. Retrieved from Making Project Management Indispensable for Business Results: http://www.pmi.org/
USTRANSCOM Federal Acquisition Regulation (FAR) Supplement 5552.204-9000, Notification of Government Security Activity and Visitor Group Security Agreements http://farsite.hill.af.mil/archive/USTRANSCOM/2007-06/5552.htm#P3_63
USTRANSCOM Instruction 10-27 Joint Task Force Port Opening Verification Program, Jan 2012, http://www.transcom.mil/cmd/fpindex.cfm.
USTRANSCOM Instruction 33-1, Computer Security (COMPUSEC) Education, Training, and Awareness Program, Dec 2013, http://www.transcom.mil/cmd/fpindex.cfm.
USTRANSCOM Instruction 33-3, Management of Portals and Web Sites, Dec 2011, http://www.transcom.mil/cmd/fpindex.cfm.


USTRANSCOM Instruction 33-12, Unclassified and Classified Telephone and Facsimile Machine Use, Oct 2014, http://www.transcom.mil/cmd/fpindex.cfm.
USTRANSCOM Instruction 33-7, Command Audiovisual and Video Teleconferencing Support, Apr 2013, http://www.transcom.mil/cmd/fpindex.cfm.
USTRANSCOM Instruction 33-16, Management of Information Technology Hardware & Software Assets, February 22, 2019, https://transcom.deps.mil/org/csg/km/pubs/Directives/I33-16.pdf
USTRANSCOM Instruction 33-47, Information Technology Service Options for USTRANSCOM Users, May 2015, http://www.transcom.mil/cmd/fpindex.cfm.
USTRANSCOM Policy Directive (USTCPD) 33-10, Cellular/Multi-function Voice and Data Device Management, May 2013, https://ww2.ustranscom.mil/publications/showPublication.cfm?docID=342EDD3B-1EC9-F26D-0728B4657D01309B.
USTRANSCOM Policy Directive (USTCPD) 33-32, Chief Information Officer (CIO) Program, March 9, 2017, https://ww2.ustranscom.mil/publications/showPublication.cfm?docID=AC3BABA8-1EC9-F26D-07392DF8B1D66B33.
USTRANSCOM Requirements for Enclave Cyber Security (Interim Draft), available upon request.


Appendix C: Nondisclosure and Conflict of Interest Agreements

NONDISCLOSURE AGREEMENT AND AGREEMENT TO DISCLOSE POTENTIAL CONFLICTS OF INTEREST FOR CONTRACTOR EMPLOYEES ON USTRANSCOM CONTRACTS

NOTE: This Agreement is a standard agreement designed for use by contractor (including sub-contractor) employees assigned to work on USTRANSCOM contracts. Its use is designed to protect non-public Government information from disclosure, identify potential conflicts of interest, and prevent violations of federal statutes/regulations. The restrictions contained in this agreement also serve contractors by promoting compliant behavior that keeps contractors eligible to compete for Government contracts. These restrictions are in addition to any restrictions required by a Classified Information Nondisclosure Agreement (SF 312) in order to access classified information. In addition to the potential impact on future business opportunities, failure to abide by this agreement could result in administrative, civil, or criminal penalties specified by statute or regulation.

1. I, __________, currently an employee of __________, hereby agree to the terms and conditions set forth below.

2. I understand that I may have access to confidential business information, contractor bid or proposal information (as defined by FAR 3.104-1), and/or source selection information (as defined by FAR 2.101) either for contract performance, as a result of working in a USTRANSCOM facility, or of working near USTRANSCOM personnel, contractors, visitors, etc. I fully understand that such information is sensitive and must be protected in accordance with 41 U.S.C. §2101-§2107 and FAR 3.1.

3. In the course of performing under contract/order # __________ or some other contract or sub-contract for USTRANSCOM, I agree to:

(a) Use only for Government purpose any and all confidential business information, contractor bid or proposal information, and/or source selection sensitive information to which I am given access. I agree not to disclose “non-public information” by any means (in whole or in part, alone or in combination with other information, directly, indirectly, or derivatively) to any person except to a US Government official with a need to know or to a non-Government person (including, but not limited to, a person in my company, affiliated companies, sub-contractors, etc.) who has a need to know related to the immediate contract/order, has executed a valid form of this non-disclosure agreement, and receives prior clearance by the Contracting Officer. All distribution of the documents will be controlled with the concurrence of the Contracting Officer. I understand that misuse of non-public information is subject to penalties established in applicable laws, regulations, or Government-wide policies.

(b) “Non-public information,” as used herein includes confidential or proprietary business information ((advance procurement information (future requirements, acquisition strategies, statements of work, budget/program/planning data, etc.); source selection information (proposal rankings, source selection plans, contractor bid or proposal information); Personally Identifiable Information (PII) or information protected by the Privacy Act (social security numbers, DoD ID numbers, home addresses, etc.); sensitive information protected from release under the Freedom of Information Act (pre-decisional deliberations, litigation materials, privileged material, etc.); Export Controlled Items (as defined by DFARS 252.225-7048); Controlled Unclassified Information (as defined by 32 CFR Part 2002); Covered Defense Information (as defined by DFARS 204.7301); and information otherwise protected from disclosure by statute, Executive order or regulation designated as confidential that has not been released to the general public and has not been authorized for such release.

(c) Nonpublic information also includes trade secrets as defined by 18 U.S.C. §1839. The term "trade secret" means all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if—

(1) the owner thereof has taken reasonable measures to keep such information secret; and

(2) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information;

(d) Not use such information for any non-Governmental purposes, including, but not limited to, the preparation of bids or proposals, or the development or execution of other business or commercial ventures.

(e) Store the information in such a manner as to prevent inadvertent disclosure or releases to individuals who have not been authorized access to it.

4. I understand that I must never make an unauthorized disclosure or use of confidential business information, contractor bid or proposal information, and/or source selection sensitive information unless:

(a) The information has otherwise been made available without restriction to the Government, to a competing contractor or to the public.

(b) The Contracting Officer determines that such information is not subject to protection from release.

5. I agree that I shall not seek access to “non-public information” beyond what is required for the performance of the services I am contracted to perform. I agree that when I seek access to such information, attend meetings, or communicate with other parties about such information, I will identify myself as a contractor. Should I become aware of any improper or unintentional release or disclosure of “non-public information,” I will immediately report it to the Contracting Officer in writing. I agree that I will return all forms (including copies or reproduction of original documents) of any “non-public information” provided to me by the Government for use in performing my duties to the control of the Government when my duties no longer require this information.

6. Because the Government expects unbiased judgment and recommendations from contractors performing work under its contracts and orders, I agree to advise the Contracting Officer of any actual or potential personal conflicts of interest I may have related to any work I perform under this contract/order with the government. Personal conflicts of interest include any matter in which I or my spouse, minor child, or household member has a financial interest. A financial interest is any interest in, or affiliation with, a prime contractor, subcontractor to a prime contractor, any offerors, or any prospective subcontractor to any offeror for the program, contract, or other matter for which I am performing a support task under this contract. The financial interest can take the form of any ownership interest (including but not limited to: stock; ownership of bonds; vested or unvested retirement benefits; a loan or other financial arrangement that is other than an arm’s-length transaction; employment, or an arrangement concerning prospective employment including negotiations therefore; or any non-arm’s length loan, any gift from or other non-arm’s length financial arrangement with any person who is directly communicating with the government on behalf of the prime contractor, subcontractor, or any prospective subcontractor or offeror). With respect to conflict of interest disclosures required under this agreement, a financial interest in, or affiliation with, the prime contractor that is my employer under this contract does not have to be disclosed to the Contracting Officer. If any potential conflicts of interest, real or otherwise, do present themselves, then I shall immediately disclose the pertinent information to the Contracting Officer. I acknowledge that my access to certain non-public information may disqualify me or my company from certain future contracts with the U.S. Government.

7. I understand that this agreement is personal to me and shall survive and remain in full force and effect notwithstanding any change in current employment.

By signing below, I certify that I have read and understand the terms of this Non-Disclosure Agreement and Agreement to Disclose Potential Conflicts of Interest, and voluntarily agree to be bound by its terms.

______Signature of Contractor Employee Date

Printed Contractor Employee Name

______Government Contracting Officer’s Representative Date

Appendix D: Estimated Workload

The Estimated Workload is based on the duration of one Fiscal Year. Actual workload may vary depending on the requirements of USTRANSCOM and other Government entities.

Task 2: Service Operations
Task 2 Subtask 1: IT Operations Management & Service Desk
Task 2 Subtask 1.1: IT Operations Management—Duty Controller
Estimated hours: 9,300
Task 2 Subtask 1.2: USTRANSCOM Service Desk
Estimated hours: 15,360

CPE/CDE NIPRNet SIPRNet (NIPRNet & SIPRNet) UOIS + C2 CIOS + C2

Physical Servers 96 Windows 45 Windows 0 3 0

162 Mixed 89 Mixed 45 18 20 25 Virtual Server Environment Windows & Windows & Windows Windows Windows Windows Linux Linux

Two (2) storage units with ~140TB raw storage each (SIPRNet) SAN Two (2) storage units with ~260TB raw storage (NIPRNet)

Physical: 500 Router/Switches Virtual: 17 5, WIFI Access Points Expected to grow to 20+ Security Devices 81 84 3 Desktop Computers 60 3200 3000 Laptop Computers (all shall be considered wireless 3000 50 Force Flow capable) Printers (Include JECC 1 307 167 + JECC devices) Multi-Function Devices 48 Plotters 25 2 Scanners 115 5 User Accounts (Totals) 23815 ~2700 - OIS Accounts 2915 ~2700 - C2 Accounts 20900 Organizational Mailboxes 700 700 Distribution Lists 2600 2600 Vmware Accounts 70 70 Senior Leaders 60

Mobile and Wireless Devices 313 USTRANSCOM, ~60 JECC BBs VOIP Telephones 3300 7 Secure Telephone Devices 450 VTC Devices 28 6

Estimated monthly Service Desk calls: 3850
Estimated monthly IGC account creation: 400 of 3850
Estimated monthly IGC Service Desk Ticket creation: 175
Account creation for OIS, CIOS, and other PORs IAWIP: IAT-2 and Sec+
Estimated Request Fulfillments per year: 400
Task 2 Subtask 2: Command and Control (C2) Systems Program Support
Estimated hours: 1,860
Task 2 Subtask 2.1: GCCS Program Support
Estimated hours: 930
Task 2 Subtask 3: Problem Management
Estimated hours: 2,790
Task 2 Subtask 4: Enterprise Network Service Support
Task 2 Subtask 4.1: System Administration Support
Estimated hours: 33,480
Estimated annual number of USTRANSCOM exercises/contingencies/network emergencies: 3 (estimated 1 month duration)
Estimated number of exercises/contingencies supported for setup of work area: 18 per year
Estimated annual on-call events: 36
Task 2 Subtask 4.1.1: FAA Data Feed System Support
Estimated hours: 1,395
Task 2 Subtask 4.1.2: Standard Procurement System (SPS) Support
Estimated hours: 465
Application Servers: Windows (1 Production, 1 Test) - WebMethods and Cognos
Database Servers: Windows (1 Production, 1 Test) - Sybase Server
Task 2 Subtask 4.4: Messaging and Collaboration Support
Task 2 Subtask 4.4.1: DEE: 5000+ accounts (NIPRNet and SIPRNet), estimated hours 930
Task 2 Subtask 4.4.2: Collaboration Services: Estimated hours 1,860
Task 2 Subtask 4.4.2.1: OCS: 3000+ accounts, 1 pool; Estimated hours: 1,860
Task 2 Subtask 4.4.2.2: SharePoint: estimated hours 1,860; support SharePoint sites for 2,900 NIPRNET SharePoint users and 1,250 SIPRNET SharePoint users

Task 6: Web Applications
Task 6 Subtask 1: Web Development
Estimated hours: 6,045
Task 6 Subtask 2: Customer Support and Content Admin
Estimated hours: 2,790
Content tools used: Adobe Dreamweaver, RSync, WinSCP, Gatekeeper request process, Workflow
Task 6 Subtask 3: Web Development Support
Estimated hours: 930
Task 6 Subtask 4: Electronically Stored Information (ESI) Search Support–eDiscovery
Estimated hours: 1,860
Estimate approximately one (1) trip/court appearance per year. Historically the contractor has not had to appear in court.

Web Application and Support Technical Environments/Skills:

Web Apps and Sites:
Webapps: 20+
• ZONE 3 - One site: WW2
• ZONE 2, Public DMZ - One site:
  o http://www.transcom.mil
• ZONE 2, Restricted DMZ - Two sites: WW2 and JOSAC
• ZONE 1 - Two sites: BORIS and NATASHA (back-end administration)

Current Web Development Technical Environment
• ColdFusion Markup Language (CFML) - version 10+
• ColdFusion Builder
• Hypertext Markup Language (HTML) - including HTML5
• Cascading Style Sheets (CSS) - including CSS-3
• JavaScript and JavaScript Libraries - including jQuery and Asynchronous JavaScript and XML (AJAX)
• Structured Query Language (SQL)
• JAVA - Hibernate, Struts, and Spring frameworks
• GIT Revision Control
• SharePoint, .Net, ASPX
• Apache HTTP Server
• Tomcat Java Servlet and Java Server Pages (JSP) container
• Oracle Database Server – version 11g
• Multiple IDEs (Net Beans, Eclipse, Dreamweaver)

Current Web Technical Environment
• Windows Server 2008 r2 DataCenter
• VMware and VSphere
• Secure Shell
• Apache HTTP Server
• Tumbleweed/Axway OCSP
• Tomcat Java Servlet and Java Server Pages (JSP) container
• Cold Enterprise Server – version 10+
• Oracle Database Server – version 11g
• Virtual Servers – 13 (Win2k8 – 4 Oracle and 9 web/application) (SIPRNet-5/NIPRNet-8)
• Physical Servers – 7 (5 Win2k8, 1 Solaris 10 – 2 Oracle, 2 web/application, 1 content management, 2 backup) (SIPRNet-1/NIPRNet-6)

Current eDiscovery Technical Environment
• Windows Server 2008 r2 Enterprise
• Guidance EnCase
• Solaris 10
• Microsoft SQL Server
• Physical Servers – NIPRNet-4
• Isilon NAS

Table 1. Level of effort—CPE estimated devices, accounts, etc. being supported

CPE/CDE NIPRN SIPRNet (NIPRNet & et UOIS COIS + C2 SIPRNet) + C2 Physical Servers 96 windows 45 win 0 0 0 162 89 Virtual Server Environment 45 win 18 win 20 win mix 25 Win mix (win (win & & Linu Linu x) x) Two (2) storage units with ~140TB raw storage each (SIPRNet) SAN Two (2) storage unit with ~260TB raw storage (NIPRNet) Eight (8) RecoverPoint devices (4 SIPRNet / 4 NIPRNet) Physical: 500 Routers/Switches Virtual: 17 5, expected to Wifi Access Points grow to 20+ Security Devices 81 84 35 Desktop Computers 60 320 ,3000 Laptop Computers (all shall 50 Force Flow be considered wireless capable) 200 Printers (includes JECC 167 + devices) 1 307 JECC Multi-function Devices 48 Plotters 25 2 Scanners 115 5 User Accounts (Totals) 238 ~2700 15

OIS Accounts 291 ~27004 5 C2 Accounts 209 2000 Organizational Mailboxes 700 700 Distribution Lists 260 2600 VMware Accounts 70 70 Senior Leaders 60 Mobile and Wireless Devices 313 TRANSCOM, ~60 JECC BBs Voice over IP Telephones 330 750 0 Secure Telephone Devices 450 VTC Devices 28 67

*Server Estimates for individual C2 and Business Systems Support are broken out in the below tables and ARE part of the roll-up number in the aggregate table

Note: Ratio between Microsoft Windows and Unix/Red Hat Linux servers is about 65/35 respectively

Below are quantities of COMSEC items that should be reflected under the SIPR column:

Security Devices [Total = 220 Encryption Devices]
KG-175A – 44
KG-75A – 6
KG-175B – 16
KIV-19M – 40
KG-175D – 79
KIV-7M – 16
KG-175G – 9
KYV-5M – 5
KG-250 – 1
KG-250X – 4

Mobile and Wireless Devices [Total = 33 Secure Mobile/Wireless Devices]
GSM – 19
ISM – 14

Secure Telephone Devices [Total = 182 Secure Telephone Devices]
OMNI – 13
STE – 169

Table 2: Service Estimates for C2 and Business Systems Support

Task 2.4, para 1.3.2.4 Servers
GCCS-J 102 (94 unix, 9 windows)
ELB 6 windows
LDAP and Siteminder 28 unix
UOIS Web physical/virtual servers 14 windows
COIS Web physical/virtual servers 5 windows
Virtual servers 6 windows
SAN 4 windows
eDiscovery servers 2 windows
NAS (Network Attach Storage) 2 windows
AVOCENT DSVIEW Servers 2 windows
Oracle Enterprise 2 windows

Task 2.4.1.1, para 1.3.2.4.1.1. Servers
AMHS 4 windows

Task 2 Subtask 4.2: Database Administration and Support
Oracle Databases: 72
SQL Server Databases: 9
Sybase Database: 3
Estimated hours: 19,995

Task 2.4.2, para 1.3.2.4.2 Servers
Legacy Remedy ARS 12 windows
Tandem 4 windows
Remedy ARS ITSM 30 virtual windows
IACOP 2 windows
Oracle Enterprise 2 windows
ITS 1 windows

Task 2 Subtask 4.3: Virtual Environment and Storage Management Support
Virtual & Storage Environments described in Table 1 above
Estimated hours: 7,440
Task 2 Subtask 4.4: Messaging and Collaboration Support
Task 2 Subtask 4.4.1: DEE: 5000+ accounts (NIPRNet and SIPRNet), estimated hours 930
Task 2 Subtask 4.4.2: Collaboration Services: Estimated hours 1,860
Task 2 Subtask 4.4.2.1: OCS: 3000+ accounts, 1 pool; Estimated hours: 1,860
Task 2 Subtask 4.4.2.2: SharePoint: estimated hours 1,860; support SharePoint sites for 2,900 NIPR SharePoint users and 1,250 SIPR SharePoint users
Task 2 Subtask 4.4.2.3: Records Management (RM): estimated hours 4,650; support RM services for 2,500 NIPRNet and 2,000 SIPRNet RM users
Task 2 Subtask 4.5: Directory Services
Estimated hours: 6,510
Task 2 Subtask 4.6: End-User IT System Support
Estimated hours: 1,395
Supported environments described in Table 1 above
Task 2 Subtask 4.6.1: End-User Device Service Provisioning
Estimated hours: 4,650
Government estimates: ~100 requests per month
Task 2 Subtask 4.6.2: End-User Operations and Maintenance
Estimated hours: 6,510
Government estimates: ~150 incidents per month
Task 2 Subtask 4.6.2.2: FACCSM program
Government estimates: ~75 Directorate FACCSMs
Estimated conferences/events: 69 Conference / 36 Training events per year. Average of 30-40 manhours for each event (that includes account creations, workstation prep, dedicated desk side support and clean up).
Task 2 Subtask 4.6.2.3: Computer Equipment Lifecycle Program (CERP)
Government estimates: 5-year lifecycle
Task 2 Subtask 4.6.2.4: Computer System Maintenance and Logistics Support
Estimated annual lifecycle support events: 5
Task 2 Subtask 4.6.2.5: Mobile Device Support Services
iPhone devices: ~34
iPad devices: ~12
Hotspots: ~22
Task 2 Subtask 4.6.3: Virtual Desktop Infrastructure (VDI) Support
Estimated hours: 2,325
Projected # of VDI Users: 2000-2250 (using zero clients)
Thick: 450-700
Task 2 Subtask 4.6.4: Service Design and Transition Support
Estimated hours: 465
Task 2 Subtask 4.6.5: Command-wide Functional Area Communications and Computer Systems Manager (FACCSM) / Client Support Administrator (CSA) Support
Estimated hours: 11,160
Number of workstations: ~970
Force Flow conference: ~20 times a year. Approximately 50% of conferences last one week and 50% last two weeks. Force Flow conference support typically requires a 50% increase in Contractor level of effort and support outside of normal duty hours (including weekends).
Task 2 Subtask 4.7.1: USTRANSCOM KITSS
Estimated hours: 5,580
Flag Officer/General Officer (FO/GO) & Support staff estimates: ~63 personnel (~15 FO/GO)

Executive Communications Kit packages (ECK - commander's travel kits)
1. TCCC Travel Kit (NIPRNet)
2. TCCC Travel Kit (SIPRNet)
3. USTRANSCOM ECK NIPRNet (new kit currently in testing)
4. USTRANSCOM ECK SIPRNet (new kit currently in testing)
5. GCCS-J (Global Command and Control System - Joint)
6. AMHS (Automated Message Handling System)

Task 2 Subtask 5: Network Infrastructure Management
Note: The USTRANSCOM network environment is highly segmented based on community of interest and risk profile associated with its systems. IT solutions must be able to be tailored to function in this type of architecture.
Task 2 Subtask 5.1: Network Infrastructure Support
Estimated hours: 22,350
Estimated annual on-call events: 36
Sr. Leader Travel Kits (ECK): 4
Technical Solution and Costing requests: Approximately 80 annually
Task 2 Subtask 5.3: Telephone Support Services
Estimated hours: 550
Task 2 Subtask 5.4: Long Haul Communications
Estimated hours: 400
Task 2 Subtask 6: Visual Info Services
Task 2 Subtask 6.1: USTRANSCOM AV/VTC Operational Support
Task 2 Subtask 6.1.1: Audiovisual Support
Estimated hours: 5,115
Task 2 Subtask 6.1.2: Video Teleconferencing Support
Estimated hours: 4,185
Task 2 Subtask 6.1.3: Server and Multipoint Control Unit (MCU) VTC Support
Estimated hours: 4,650
Task 2 Subtask 6.1.4: Communications Security (COMSEC) Responsible Officer (CRO) Duties and Secure Voice Responsible Officer (SVRO)
Estimated hours: 465
Task 2 Subtask 6.2: USTRANSCOM and SDDC AV/VTC Maintenance and Engineering Support
Estimated number of annual AV/VTC Engineering Designs: 17
Task 2 Subtask 6.2.1: USTRANSCOM AV/VTC Maintenance and Engineering Support
Estimated number of Major Upgrades per year: 4-5
Estimated number of Medium Upgrades per year: 2
Estimated number of Minor Upgrades per year: 15
Estimated number of trouble tickets: 30 a month
Estimated hours: 8146
Task 2 Subtask 6.2.3: SDDC AV/VTC Maintenance and Engineering Support
Estimated number of Major/Medium Upgrades per year: 2-3
Estimated number of Minor Upgrades per year: 5
Estimated number of trouble tickets: 12 a month
Estimated hours: 3908
Task 2 Subtask 6.2.4: JECC AV/VTC Maintenance and Engineering Support
Estimated number of Major/Medium Upgrades per year: 0-1
Estimated number of Minor Upgrades per year: 2-3
Estimated number of trouble tickets: 8 a month
Estimated hours: 966

Task 3: Service Management Support
Task 3 Subtask 1.1: IT Service Portfolio Management
Estimated hours: 3,720
Estimated new/changed service reviews: 100 per year
Task 3 Subtask 1.2: Business Relationship Management (BRM)
Estimated hours: 1,860
Task 3 Subtask 1.3: Service Catalog Management
Estimated hours: 1,860
Task 3 Subtask 1.4: Technical Working Group
Estimated hours: 1,860
Task 3 Subtask 1.5: Demand Management
Estimated hours: 2,790
Task 3 Subtask 2 and 2.1: IT FM Support
Estimated hours: 3,720
Task 3 Subtask 3.1: Configuration Management Support
Estimated hours: 3,720
Task 3 Subtask 3.2: Service Asset Management Support
Estimated number of software titles: 400
Estimated hours: 7,440 (1860 Enterprise, 1860 Command, 3,720 Portfolio)
Estimated annual number of cost/benefit analyses: 25
Task 3 Subtask 3.3: H/W Management - Asset Management
Estimated hours: 5,580
# of Maintained in inventory: 14,600, valued ~$53M
Task 3 Subtask 4.1.1: Project Portfolio Management
Estimated hours: 930
Task 3 Subtask 4.1.2: IT Project Management
Estimated hours: 10,230
Task 3 Subtask 4.2: Service Level Management
Estimated hours: 3,720
Task 3 Subtask 5: Availability Management
Estimated hours: 1,860
Task 3 Subtask 6: Capacity Management
Estimated hours: 1,860
Task 3 Subtask 7: IT Service Continuity Management
Estimated hours: 1,860
Task 3 Subtask 8: Change Management
Estimated hours: 3,720
Task 3 Subtask 9: Technical Management and Oversight
Task 3 Subtask 9.1: Design & Transition Planning & Support
Estimated hours: 3,720
Task 3 Subtask 9.2: Release and Deployment Management
Estimated hours: 3,720
Task 3 Subtask 9.3.1: Service Design Configuration Support
Estimated hours: 6,045
Estimated # of Baseline Changes: 5
Estimated # of technology evaluations: 150
Estimated # of devices/virtual instances: 150
Estimated # of technical configuration guides: 24
Task 3 Subtask 9.3.2-4: Test Lab, Test Environment Installation, O&M, and Metrics
Estimated hours: 5,115
Task 3 Subtask 9.3.5: New Technology Integration
Estimated hours: 3,720
Estimated # of technology and capability integration evaluations per year: 24
Task 3 Subtask 9.4.1: ITSM Tools Portfolio Management
Estimated hours: 930
Task 3 Subtask 9.4.2 and 9.4.2.1: ITSM Tools Management
Estimated hours: 5,580
Task 3 Subtask 9.4.2.2: CSM and BAM Support
Estimated hours: 7,440
Estimated # of devices/virtual instances: 15 NIPRNet/15 SIPRNet
Estimated number of on-call events: 30
Dashboards: 12 estimated
Task 3 Subtask 9.5: Knowledge Management
Estimated hours: 1,860
Task 3 Subtask 10: CSI Process Support
Estimated hours: 2,790

Task 4: Exercise & Contingency Operations Support
Task 4 Subtask 1: Readiness & Joint Training
Estimated hours: 930
Task 4 Subtask 2: Communications, Cyberspace, and Exercise Planning
Estimated hours: 3,720
Task 4 Subtask 3: Communications Spectrum Management
Estimated hours: 1,860
Task 4 Subtask 4: SATCOM Management and Planning
Estimated hours: 1,860
Task 4 Subtask 5: MILSTAR Operations and Management
Estimated hours: 1,860
Task 4 Subtask 6: Airborne Communications Task Management
Estimated hours: 372
Task 4 Subtask 7: Tactical Communications Task Management
Estimated hours: 930
Task 4 Subtask 8: Contingency, Emergency, Exercise Operations Support
Estimated hours: 465

Task 5: Security
Task 5 Subtask 1: Security Operations Management
Estimated hours: 3,720
Task 5 Subtask 1.1: Cyber Security Defense
Estimated hours: 18,600
Estimated # of devices/virtual instances: 250 (Used FY14 #s with slight increase)
Estimated number of on-call events: 50 per year
Task 5 Subtask 1.2: Intrusion Detection Monitoring and Incident Management
Estimated hours: 20,460
Estimated # of devices/virtual instances: 100 (Used FY14 #s with slight increase)
Task 5 Subtask 1.3: Cyber Threat
Estimated hours: 5,580
Task 5 Subtask 1.4: COMSEC
Estimated hours: 6,510
# of COMSEC Responsible Officer (CRO)/Secure Voice Responsible Officer (SVRO) sub-accounts: 20 COMSEC, 30 Secure Voice Accounts
Estimated # of devices: 1600 COMSEC/CCI devices
Estimated number of on-call events: 15 per year
Task 5 Subtask 1.4.5: Sensitive Compartmented Information Facility (SCIF) Representative (Optional)
Estimated hours: 260
Task 5 Subtask 1.5: EMSEC
Estimated hours: 930
Estimated # of coordinated assessments: 5 per year
Task 5 Subtask 1.6: Continuous Monitoring
Estimated hours: 7440
Estimated # of devices/virtual instances: 30
Estimated number of systems to scan and analyze within USTRANSCOM enclaves: 4,000
Estimated number of systems to analyze within subscriber (AMC/SDDC) enclaves: 2,500

Task 5 Subtask 2: Risk Management Estimated hours: 1,860

Note: Effective 1 October 2014, the current DIACAP accreditation documents and validation process (approximately 200 IA controls) must be converted to the Risk Management Framework (approximately 2000 IA controls)

Task 5 Subtask 2.1: ISSE
Estimated hours: 5,580
Risk assessments: 150

Task 5 Subtask 2.1.1: Cyber security support for USTRANSCOM Component Commands and Cyber Security Service Provider Subscribers (Optional)
Estimated hours: 3,720
Task 5 Subtask 2.2: Security Auditing, and Vulnerability Management
Estimated hours: 7440
Estimated number of special security audits: 4 annually
Evaluations of systems: 150
Task 5 Subtask 2.3: Authorization Support
Task 5 Subtask 2.3.1: Authorization Support for USTRANSCOM Physical and Virtual Environments
Estimated hours: 11,160
Estimated # of accreditation packages for development: 20
Core packages for this task include but are not limited to:
2. Enclave: TC-UENet (NIPRNet Enterprise)
3. Enclave: TC-CENet (SIPRNet C2 systems only)
4. CDE (NIPRNet) - Common Developmental Environment
5. CDE (SIPRNet) - Common Developmental Environment
6. CPE (NIPRNet) - Common Production Environment
7. CPE (SIPRNet) - Common Production Environment
8. GVS/VTC (NIPRNet)
9. GVS/VTC (SIPRNet)
10. ASDE 4 (NIPRNet)
11. ASDE 5 (NIPRNet)
12. ASDE 6 (SIPRNet)
Task 5 Subtask 2.3.2: Authorization Support for the Security Control Assessor (SCA) and Authorizing Official (AO)
Estimated hours: 13,020 (FY18)
Estimated hours: 13,020 (FY19)
Estimated hours: 13,020 (FY20)
Estimated hours: 13,020 (FY21)

Estimated # of minor modification packages: 50 annually
Estimated # accreditation packages for IV&V: 200 (40 categorized as Simple, 120 categorized as Complex, and 40 as Highly Complex using the System Complexity Model) (Based on the General Services Administration statement published in the ISSLOB RFI and the desire to standardize the method for determining the level of effort in assessing federal information systems that is independent of a given vendor.)
Estimated # of minor mod package audits per month: 5
Task 5 Subtask 2.4: Insider Threat
Estimated hours: 1,860
Estimates: Approximately 60 systems and users each quarter will require processing and validation for SIPR removable media privileges. Of those, approximately 10 users each cycle will require additional escalation/troubleshooting to ensure the required functionality is operational.
Task 5 Subtask 2.5: Software Assurance
Estimated hours: 1,860

Task 6: Web Applications
Task 6 Subtask 1: Web Development
Estimated hours: 6,045
Task 6 Subtask 2: Customer Support and Content Admin
Estimated hours: 2,790
Content tools used: Adobe Dreamweaver, RSync, WinSCP, Gatekeeper request process, Workflow
Task 6 Subtask 3: Web Development Support
Estimated hours: 930
Task 6 Subtask 4: Electronically Stored Information (ESI) Search Support–eDiscovery
Estimated hours: 1,860
Estimate approximately one (1) trip/court appearance per year. Historically the contractor has not had to appear in court.

Web Application and Support Technical Environments/Skills:

Web Apps and Sites:
Webapps: 20+
• ZONE 3 - One site: WW2
• ZONE 2, Public DMZ - One site:
  o http://www.transcom.mil
• ZONE 2, Restricted DMZ - Two sites: WW2 and JOSAC
• ZONE 1 - Two sites: BORIS and NATASHA (back-end administration)

Current Web Development Technical Environment
• ColdFusion Markup Language (CFML) - version 10+
• ColdFusion Builder
• Hypertext Markup Language (HTML) - including HTML5
• Cascading Style Sheets (CSS) - including CSS-3
• JavaScript and JavaScript Libraries - including jQuery and Asynchronous JavaScript and XML (AJAX)
• Structured Query Language (SQL)
• JAVA - Hibernate, Struts, and Spring frameworks
• GIT Revision Control
• SharePoint, .Net, ASPX
• Apache HTTP Server
• Tomcat Java Servlet and Java Server Pages (JSP) container
• Oracle Database Server – version 11g
• Multiple IDEs (Net Beans, Eclipse, Dreamweaver)

Current Web Technical Environment
• Windows Server 2008 r2 DataCenter
• VMware and VSphere
• Secure Shell
• Apache HTTP Server
• Tumbleweed/Axway OCSP
• Tomcat Java Servlet and Java Server Pages (JSP) container
• Cold Enterprise Server – version 10+
• Oracle Database Server – version 11g
• Virtual Servers – 13 (Win2k8 – 4 Oracle and 9 web/application) (SIPRNet-5/NIPRNet-8)
• Physical Servers – 7 (5 Win2k8, 1 Solaris 10 – 2 Oracle, 2 web/application, 1 content management, 2 backup) (SIPRNet-1/NIPRNet-6)

Current eDiscovery Technical Environment
• Windows Server 2008 r2 Enterprise
• Guidance EnCase
• Solaris 10
• Microsoft SQL Server
• Physical Servers – NIPRNet-4
• Isilon NAS

Task 7: C4S Training (Optional)
Task 7 Subtask 1: Training Support (Optional)
Estimated number of total courses taught: 11
Estimated number of basic/intermediate courses taught: 9
Estimated number of advanced courses taught: 2
Estimated course duration range: half day to three days
Estimated number of courses offered monthly: each course taught 2 times / month
Estimated number of courses requiring modification annually: 4
Estimated hours: 2,790
Task 7 Subtask 2: Support for New Training Requirements (Optional)
Estimated number of new courses requiring development annually: 2
Estimated hours: 160
Task 7 Subtask 3: Training Videos and Computer Based Training (CBT) Development (Optional)
Estimated hours: 1,860

Task 8: JOSAC Support
Task 8 Subtask 1: JOSAC Data Entry Support
Estimated hours: 1,860
Task 8 Subtask 2: JOSAC Scheduling System Support
Estimated hours: 1,860
Task 8 Subtask 3: JOSAC FACCSM and Gatekeeper Support
Estimated hours: 465

Appendix E: Information Assurance Contractor Training and Certification

IAT IAT IAM IAM IAM CND CND CND CND IASAE Task Area IA Function None IAT I II III I II III A IR IS AU I 2.0, para T-II.1-20, 1.3.2.0 23-28, 30, X (FACCSM) 31 2.1, para N/A X 1.3.2.1 2.1.1, para N/A X 1.3.2.1.1 X X 2.1.2, para T-II.1-31 (max. (min 1.3.2.1.2 30%) 70%) 2.2, para N/A X 1.3.2.2 2.2.1, para N/A X 1.3.2.2.1 2.2.1.1 para T-II.1-20, X 1.3.2.2.1.1 23-31 2.2.2, para N/A X 1.3.2.2.2 2.3, para N/A X 1.3.2.3 2.4, para T-II.1-20, X 1.3.2.4 23-31 2.4.1, para T-II.1-20, X 1.3.2.4.1 23-31 2.4.1, para T-I.1-19 X 1.3.2.4.1 2.4.1.1, para T-II.1-20, X 1.3.2.4.1.1 23-31

2.4.1.2, para T-II.1-20, X 1.3.2.4.1.2 23-31 2.4.2, para N/A X 1.3.2.4.2 2.4.2.1, para T-I.1-19 X 1.3.2.4.2.1 T-II.1-11, 2.4.2.2, para 14-15, 17- X 1.3.2.4.2.2 20, 23-28, 30-31 2.4.3, para T-II.1-31 X 1.3.2.4.3 T-I.1,3- 2.4.4, para 4,7,10- X 1.3.2.4.4 11,13- 15,17,19 2.4.4.1, para T-II.1-31 X 1.3.2.4.4.1 2.4.4.2.1, T-1.2-4, para X 6,9,10 1.3.2.4.4.2.1 2.4.4.2.2, para N/A X 1.3.2.4.4.2.2 X 2.4.4.2.3, T-II.1-31 para 1.3.2.4.4.2.3 T-II.1-20, 2.4.5, para 23-28, 30, X 1.3.2.4.5 31 2.4.6, para T-I.1-19 X 1.3.2.4.6

T-II.1-20, 2.4.6.2, para 23-28, 30, X 1.3.2.4.6.2 31 T-II.1-20, 2.4.6.5, para 23-28, 30, X 1.3.2.4.6.5 31 2.4.7, para T-II.1-20, X 1.3.2.4.7 23-31 2.5, para N/A X 1.3.2.5 2.5.1, para T-II.1-31 X 1.3.2.5.1 2.5.2, para T-I.1-19 X 1.3.2.5.2 2.5.3, para T-I.1-19 X 1.3.2.5.3 2.5.4, para T-I.1-19 X 1.3.2.5.4 2.6, para N/A X 1.3.2.6 2.6.1.3, para T-I.1-19 X 1.3.2.6.1.3 3.0, para N/A X 1.3.3 3.1, para N/A X 1.3.3.1 3.2, para N/A X 1.3.3.2 3.3, para N/A X 1.3.3.3 3.4, para N/A X 1.3.3.4

3.5, para N/A X 1.3.3.5 3.6, para N/A X 1.3.3.6 3.7, para N/A X 1.3.3.7 3.8, para N/A X 1.3.3.8 3.9, para N/A X 1.3.3.9 3.9.1, para N/A X 1.3.3.9.1 3.9.2, para N/A X 1.3.3.9.2 T-II.1, 3-6, 3.9.3, para 8-11, 13-16, X 1.3.3.9.3 18, 20, 23- 28, 30-31 T-II.1, 3-6, 3.9.4, para 8-11, 15-16, X 1.3.3.9.4 18, 20, 23- 28, 31 3.9.5, para N/A X 1.3.3.9.5 3.10, para N/A X 1.3.3.10 4, para 1.3.4 N/A X 4.1, para N/A X 1.3.4.1 4.3, para N/A X 1.3.4.3 4.4, para N/A X 1.3.4.4

4.5, para N/A X 1.3.4.5 4.6, para N/A X 1.3.4.6 4.7, para N/A X 1.3.4.7 4.8, para N/A X 1.3.4.8 6, para 1.3.6 N/A X 6.1, para N/A X 1.3.6.1 6.2, para N/A X 1.3.6.2 6.3, para T-II.1-20, X 1.3.6.3 23-31 6.4, para T-I.1-19 X 1.3.6.4*** 7, para 1.3.7 N/A X 8.1, para N/A X 1.3.8.1 8.2, para T-II.1-20, X 1.3.8.2 23-31 8.3, para T-I.1-19 X 1.3.8.3 9.1, para, X X T-II.3-6, 8-9, 1.3.9.1 ( (Cloud 15, 21, 23 lead) T-III.4-6, 9- 10, 14, 17 9.1, para, X T-II.3, 9 1.3.9.2 9.1, para, X T-II.3, 5, 14 1.3.9.3

177

9.1, para, X T-II.3-4, 11, 1.3.9.4 25-27 9.1, para, X T-II.2, 7-8, 1.3.9.5 24 9.1, para, X T-II. 6-9, 21, 1.3.9.6 28 9.1, para, X T-II.4-5, 27 1.3.9.7 9.1, para, X T-II.2-5, 7, 1.3.9.8 15, 17-18, 27-28 9.1, para, X

1.3.9.9 9.1, para, X T-II.3, 8, 14, 1.3.9.10 25 9.1, para, X T-II.3, 5, 8 1.3.9.11


Appendix F: Operating Systems/Software/Applications Supported ABSS DCO Liferay Portal ActiveClient DOORS Log management tools ADDM EMC RecoverPoint (e.g., Splunk, Syslog- Adobe Acrobat Pro, Flash, ERWin ng) Photoshop, Shockwave Firewalls (e.g., Checkpoint Micro Focus Content Player, Creative Suite, NG/Firewall-1, Manager, Control Dreamweaver IPFilter, Raptor, Point, and Structured AMHS Sidewinder, Windows Data Manager. Anti-virus Software (e.g., Firewalls) , DOS, Symantec, McAfee, Fore Internet Operating Exchange, Internet Trend Micro) Software (IOS) Information Server, Anti-Malware tools Foreview Foundation , (McAfee, F-Prot, FormFlow Filler Lync, Office, Office ClamAV, GEOPDF Communicator, SPAMAssassin) GOGlobal Outlook, Project, Apache, Apache Web Good Technology Server SCCM, SQL Server, Server Google Earth Visio, Windows, Apple (e.g., OS X, iOS) Hewlett Packard (HP) Applocker Open View, Network Microsoft Windows OS ARC GIS Node Manager, SOA Mozilla , ArcServiT Systinet UDDI Thunderbird Army Gold Master Host Based Security Multi Router Traffic Software System (HBSS) Grapher (MRTG) BCS3 IBM Landesk Manager MultiCal Bind Version 8.0 and infinite IVe b/I mySQL above InfoConnect Nagios Blackberry (e.g., Desktop Intrusion Detection NavFit Manager, Enterprise Systems (e.g., Snort, Navisphere Manager Server) ISS Real Secure, Netscape Communicator, BMC Patrol Argus, Barnyard) iPlanet BPPM IP Ultra Scan 2000 NetViz Calendar Creator Plus IPTV (e.g., HaiVision Network Associates Cascade InStream, Furnace, Sniffer Pro CIPS Stingray) Network Tools (e.g., Argus Cisco (e.g., Internet ITS (formerly CRIS) TCPDUMP, nmap) Operating Software J2SE Runtime On-Track (IOS), Cisco Works) Environment Open BSD 2.8 and above Classify for Outlook JALIS Oracle (e.g., Database, ColdFusion JetForm, FormFlow Client) Commpower XML Portal JFAST Parallels Content Filtering (e.g., JInitiator Perl Bluecoat Proxy server, JTEN PES Squid, SmartFilter) LANDesk Management PFPS Crystal Reports Suite 
PowerTrak DBSign Web Signer LDAP Proxy Server (e.g., Bluecoat)


PureEdge Sun Solaris CentOS, RedHat Viewer Putty Symantec AntiVirus Linux) Quota Advisor Tanium Verity K2 Records Management Telos AMHS 2005 Winiip (RM) Terminal Access WinSCP Red Hat Linux 7.0 and Controller Access WinZip above Control System WSUS Remedy (e.g., Action (TACACS) VMWare (e.g., ESX, Request System) Teradata vCenter, vMotion) Rightrix TightVNC Vulnerability scanning Roxio CD Creator TMART tools (e.g., Nessus, RSync Tomcat nmap) SACOP TransViz Secure Shell (SSH) UNIX operating systems Sendmail (e.g., SOLARIS, HP- SiteMinder UX, FreeBSD, Software assurance tools (e.g., Fortify, Burp, OWASP ZAP) SolarWinds Splunk


Appendix G: Protocols in Use

• Asynchronous Transfer Mode (ATM)
• Border Gateway Protocol (BGP)
• Challenge Handshake Authentication Protocol (CHAP)
• Common Services/Protocols (e.g., Domain Name Service (DNS))
• Computer forensics
• Content delivery
• Dense Wavelength Division Multiplexing (DWDM)
• Domain Name Service (DNS)
• Dynamic Host Configuration Protocol (DHCP)
• Emulated Local Area Network (ELAN)
• Ethernet (10BaseT, 10BaseF, 100BaseT, 100BaseF, 1000BaseFX, 1000BaseSX, 1000BaseT)
• Ethernet 802.3 and Ethernet 802.2 (IPX/SPX)
• Fiber Channel (FC)
• Fiber Distributed Data Interface (FDDI)
• Hot Standby Routing Protocol (HSRP)
• Hyper Text Transfer Protocol (HTTP)
• Information security concepts (e.g., authentication, confidentiality, integrity, non-repudiation, network segmentation, Public Key Infrastructure (PKI), and others)
• Information security devices
• Integrated Services Digital Network (ISDN)
• Interim Local Management Interface (ILMI)
• IP Port Security 802.1a
• Internet Protocol Security (IPsec)
• IP Network/Subnetwork design and management
• LAN Emulation (LANE)
• Link analysis
• Network Address Translation
• Network architectures and concepts (e.g., Asynchronous Transfer Mode (ATM), Classless Inter-Domain Routing (CIDR), Gigabit Ethernet, Ethernet, Network Address Translation (NAT), Router/Switch Functions, Remote Access Server (RAS), Transmission Control Protocol/Internet Protocol (TCP/IP), Virtual Private Networking (VPN))
• Network traffic analysis
• Novell Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
• Novell Link Support Protocol (NLSP)
• (OSPF)
• Password Authentication Protocol (PAP)
• Point-to-Point Protocol (PPP)
• Private/Public Network Node/Network Interface (PNNI)
• RADIUS
• Remote Dial-in Access (Analog and Digital)
• Secure Hyper Text Transfer Protocol (HTTPS)
• Secure Shell (SSH)
• Secure systems architectures and design
• Simple Mail Transfer Protocol (SMTP)
• Simple Network Management Protocol (SNMP)
• Spanning Tree Protocol (STP)
• Stateful packet inspection devices/applications
• Storage Area Network (SAN)
• Switched, routed, and bridged services
• Synchronous Optical Network (SONET)
• Transmission Control Protocol/Internet Protocol (TCP/IP)
• UNIX and Windows operating systems environments
• User Network Interface (UNI)
• Virtual Local Area Network (VLAN)
• Virtual Private Network (VPN)
• Windows Internet Naming Service (WINS)
• Wireless Ethernet (802.11a/b/g/n)


Appendix H: Requirement for CMDB/BMC Discovery Roadmap

USTRANSCOM J6 is requesting the services of the contractor to analyze the performance and configuration of the Remedy CMDB/Discovery platform currently installed at USTRANSCOM’s headquarters at Scott AFB in Illinois. The analysis will focus on identifying gaps and underutilized capabilities to develop a roadmap for the planned upgrade and future expansion of the CMDB/Discovery associated with our Service Portfolio.

USTRANSCOM is looking to have the contractor identify features and functionality in the Remedy CMDB/Discovery toolset to improve current operations. The contractor will also evaluate various potential paths and recommend how best to take advantage of the Discovery, Reconciliation, Normalization and population of the CMDB.

Scope of Services

The contractor shall perform the following activities:
1. Execute all necessary project management activities to ensure a successful outcome
   a. Create project timeline
   b. Monitor and report progress against schedule
2. Analyze the business objectives
   a. Desired end-state
   b. Regulatory guidelines / constraints
3. Collect CMDB architecture and platform information
   a. Hardware
   b. Operating System
   c. Database structure
   d. Applications and versions
   e. System Load
   f. Integration
   g. Long SQL calls
   h. Thread usage
   i. High-level view of Atrium CMDB
   j. Atrium CMDB Classes
   k. Atrium CMDB Datasets
   l. Security limitations
4. Collect current state process information
   a. Definitions
   b. Asset and Configuration Management relationship
   c. Roles, responsibilities and permissions
   d. Asset lifecycle
   e. Asset and configuration consumers
   f. Review current practices, processes, roles and governance
   g. Review Service Desk function and Incident Management capabilities and integration
   h. Operational measurements
5. Analyze current state process information against desired state and identify gaps
6. Collect current state integration information
   a. List of ITSM integrations
   b. Asset / Configuration specific integration
   c. Normalization Engine
   d. Reconciliation Engine
   e. Authoritative sources
7. Analyze current state integration information against desired state and identify gaps
8. Recommend roadmap and CMDB architecture document outlining activities and tasks necessary to achieve the desired end state
   a. Environment architecture
   b. Performance expectations
   c. Integrations
   d. Hardware
   e. Database Review
   f. Network review
   g. Roles and responsibilities
9. Provide training as necessary

Deliverables

6. Current state and desired outcomes
7. Recommendation for quick wins and initial set of activities
8. Roadmap
9. CMDB architecture, which should include the following:
   a. Environment architecture
   b. Performance expectations
   c. Integrations (interfaces with other tools)
   d. Hardware
   e. Database review
   f. Network review
10. CMDB/Discovery Training materials as needed.

Measure of success

Remedy CMDB/Discovery roadmap defined and documented, including key architecture and implementation plan/configuration guide, and roles and responsibilities of key stakeholders, no later than 30 Sep 17. Documentation should include what assets (e.g., network devices, servers, client workstations, software, etc.) the Discovery tool will identify and how they will be populated in the CMDB.


Appendix I: Deliverable Table Requirement for ITSM Roadmap

USTRANSCOM J6 is requesting the services of the contractor to analyze the performance and configuration of the ITSM tool suite installed at USTRANSCOM’s headquarters at Scott AFB in Illinois. The analysis will focus on identifying gaps and underutilized capabilities to develop a roadmap for the planned upgrade and future expansion of the BMC Remedy core and integrated tools associated with our Service Portfolio.

USTRANSCOM is looking to have the contractor identify features and functionality in the ITSM toolset to improve current operations and enable comprehensive ITSM process adoption. The contractor will also evaluate various potential paths and recommend how best to take advantage of the capabilities in each of these tools that facilitate adoption of the core ITSM processes. This shall occur six (6) weeks after the Government reopens the work area.

Scope of Services

The contractor shall perform the following activities:
1. Execute all necessary project management activities to ensure a successful outcome
   a. Create project timeline
   b. Monitor and report progress against schedule
2. Analyze the business objectives
   a. Desired end-state
   b. Regulatory guidelines / constraints
3. Collect current ITSM architecture and platform information
   a. Hardware
   b. Operating System
   c. Database structure
   d. Applications and versions
   e. System Load
   f. Integration
   g. Security limitations
4. Collect current state process information
   a. Definitions
   b. Roles, responsibilities and permissions
   c. Lifecycle management
   d. Review current practices, processes, roles and governance
   e. Review Service Desk function and Incident Management capabilities and integration
   f. Operational measurements
5. Analyze current state process information against desired state and identify gaps
6. Collect current state integration information
   a. List of ITSM integrations
   b. Normalization Engine
   c. Reconciliation Engine
   d. Authoritative sources
7. Analyze current state integration information against desired state and identify gaps
8. Recommend roadmap and ITSM architecture document outlining activities and tasks necessary to achieve the desired end state
   a. Environment architecture
   b. Performance expectations
   c. Integrations
   d. Hardware
   e. Database Review
   f. Network review
   g. Roles and responsibilities
9. Provide training as necessary


Appendix J: Cloud Support Service Level Agreements

Service Level Agreements (SLA) for Task 9 (Cloud):

Managed Environment SLA: contractor will maintain the online availability of the managed environment for a minimum availability in any given month as provided in the chart below (excluding applications not deployed in multiple AZ, scheduled Government outages, force majeure, and outages that result from any Government technology issues or incorrect application configurations and/or CSP reported outages). Anything less will result in a service credit to the Government as indicated in the chart below.

“Monthly Uptime Percentage” is calculated by subtracting from 100% the percentage of minutes during the month in which the service was unavailable.

Table 1. Deliverable Table

PWS Para | Deliverable Title | Delivery Schedule
1.3.1.1 | Contract Management Plan | Initial Submission: within 15 business days of contract award; Final: 5 business days from receipt of the Govt’s comments; Annual Update: within 15 business days of the option year being exercised
1.3.1.2 | Weekly Activity Report | Weekly IAW government suspense
1.3.1.3 | Monthly Status Report (MSR) | By the 15th of the month following the reporting period; Final: MSR shall be submitted NLT the last business day of the final period of performance
1.3.1.4 | In-Process Reviews (IPRs) | 2 business days prior to the IPR
1.3.1.5 | Trip Reports | Within 5 business days of travel completion
1.3.1.6 | Meeting/Conference Minutes | Within 1 business day after the meeting/conference
1.3.1.8 | Employment Status Report | Within 20 business days of the contract start date; Updates: within 5 business days of any personnel change
1.3.1.9 | Finalized Transition-In Plan | Within 5 business days of award
1.3.1.10 | Transition-Out Plan | 45 calendar days prior to expiration of the contract
1.3.1.11 | Contractor Manpower Reporting http://www.ecmra.mil/ | Inputs: may be reported anytime during the FY, all data shall be reported NLT 31 Oct of each calendar year, beginning with 2017.


1.3.2 | Service Operations Process Documentation, Briefings, and Supporting Materials | Full process documentation: within 90 calendar days of contract start; Process changes: within 3 business days after determination that a change is needed; Problem Management briefings and supporting materials: NLT 48 hours prior to any presentation; Process Review: semi-annually, at a minimum
1.3.2 | Supplier Support Recommendations | The contractor shall make recommendations to the Govt for increased supplier quality in the quarterly report.
1.3.2 | Warranty and Maintenance Contract Inventory Information | No later than 31 December and 30 June each contract year
1.3.2.1.1 | Automation reviews | Semi-annually
1.3.2.1.2.1 | Incident Management monthly report | No later than 5 business days of the following month
1.3.2.1.2.1 | Incident Management weekly report | Weekly NLT the first business day of the following week
1.3.2.1.2.1 | Incident reports as requested | Within 1 business day of request.
1.3.2.1.2.2 | Request Fulfillment monthly report | No later than 5 business days of the following month
1.3.2.1.2.2 | Request Fulfillment weekly report | Weekly NLT the first business day of the following week
1.3.2.2 | Account and System Administration documents and presentations | Within 2 business days of the Govt’s request
1.3.2.2 | C2 Systems Support briefs, information papers, and documents | As assigned by the Govt
1.3.2.2 | C2 Systems Support Continuity Manuals | Copy to Govt NLT 1 Sep for each period of performance
1.3.2.2 | IPR Presentation Materials | 2 business days prior to the IPR
1.3.2.2.1 | On-call/Alert Roster | Updated Monthly
1.3.2.3 | Problem Management Process Documentation | Full process documentation: within 90 calendar days of contract start; Process changes: within 3 business days after determination that a change is needed; Problem Management briefings and supporting materials: NLT 48 hours prior to any presentation
1.3.2.3.3 | Problem Record Reviews and Error Records | Reviews: as necessary; Updates: within 1 day from closure
1.3.2.3.4 | Known Error DataBase (KEDB) | Need to create it within 90 calendar days on contract start and keep current
1.3.2.3.4 | Monthly Problem Report | Monthly as part of the MSR


1.3.2.4.1 | Audit Record | Within five (5) business days after system inspection
1.3.2.4.2.1 | Evaluate RDBMS & other software and provide recommendations | Within 5 business days after the evaluation is complete
1.3.2.4.2.2 | Create, delete, or change database user accounts | Within 3 business days of the request
1.3.2.4.2.2 | Publish system documentation page changes | Major Changes: within 15 business days of change; Minor Changes: within 1 business day of change
1.3.2.4.2.2 | System status and other reports | Within 1 business day of request
1.3.2.4.2.2 | Troubleshooting issues with underlying databases | Normal Duty Hours: 15-minute response time from initial problem notification; After Duty Hours: on an on-call basis with a 2-hour response time to begin work
1.3.2.4.4.2.2 | Create, delete, or change SharePoint user accounts | Within 3 business days of the request or
1.3.2.4.4.2.2 | Design and configure SharePoint site structure, metadata architecture, page layouts, security models, and configuration for a large organizational site collection. | Major Changes to the Command’s Landing Page: within 5 business days of change; Minor Changes: within 1 business day of change
1.3.2.4.4.2.2 | Maintain and administer rights and permissions for site collection administrators, site owners, and content managers. | Additions or modifications to site collection administrator or site owner permissions: within 3 business days of the request
1.3.2.4.4.2.2 | Configure and administer services applications as identified above | Monthly; provide services as identified in PWS, and provide written report on status updates to program manager
1.3.2.4.4.2.2 | Manage disk usage across the site collection, perform maintenance activities at monthly intervals as defined by organization requirements, and provide initial incident management support. | Monthly; provide services as identified in PWS, and provide written report on status updates to program manager
1.3.2.4.4.2.2 | Monitor server and network performance based on defined parameters | Daily: Ensure customers have access to system, and report directly to program manager if system access is unavailable; Monthly: Provide written report on monthly system availability (by percentage of uptime during business hours) to program manager.


1.3.2.4.4.2.2 | Provide monthly training sessions and on demand demonstrations for site collection administrators, site owners, and content managers. | Monthly: Provide one monthly training session to approximately 30 personnel, including audience of site owners, content managers, and users; As Required: As identified by program manager, provide on demand demonstrations, either in a classroom environment, or at the customer’s desktop, with training on features, usage, and capabilities of SharePoint.
1.3.2.4.4.2.2 | Conduct data import and transfer from external SharePoint sites | As requested by program manager, complete within 15 business days of request.
1.3.2.4.4.2.2 | Develop customized SharePoint applications based on approved requirements documentation | Within 15 business days of request.
1.3.2.4.6 | Processes Improvements, Investment Candidates, and Cost Savings Recommendations | Twice annually
1.3.2.4.6.1.2 | Data Metrics | Monthly
1.3.2.4.6.1.2 | Program Status | At least quarterly
1.3.2.4.6.1.3 | Standards Operating Procedures for VDI support | Initial: Within 90 calendar days of contract start; Updates: 5 business days of any change
1.3.2.4.6.2.3 | Hardware Requirements Projections | NLT 1 June for each Period of Performance
1.3.2.4.6.2.4 | Equipment List (beyond warranty) | Initial List: 10 business days after contract start; Updates: 5 business days of any change
1.3.2.4.6.2.5 | Security and Configuration Directives Compliance Recommendations and Plans | Recommendations: 3 days after Govt request; minimally, once a year NLT 1 Jun; Implementation plan: 5 business days after Govt approval
1.3.2.4.6.2.5 | User Devices Revalidation | NLT 1 Feb for each period of performance
1.3.2.4.6.5. | Monthly Validation Report on operational status of workstations | Monthly validation report to be submitted to Government NLT 2 business days of the end of the month
1.3.2.5.1.1 | Inside and Outside Plant Specifications and Network Infrastructure Hardware Configuration | Within 2 business days of the needed change
1.3.2.5.1.1 | Network Architecture Diagrams and Equipment Room Layouts | Within 2 business days of the needed change


1.3.2.5.1.1 | Quarterly reviews and provide reports on number or reviews and resulting changes performed | Quarterly, or within 5 business days of the Govt’s request
1.3.2.5.1.2 | Detailed annual equipment spend plan | Within 90 calendar days of contract start and then semi-annually thereafter
1.3.2.5.1.2 | Three (3) year service lifecycle plan | Within 90 calendar days of contract start and then semi-annually thereafter
1.3.2.5.1.3 | Availability rate | Monthly
1.3.2.5.1.3 | Technical Solutions and Costing (TS&C) | Within 3 business days of request
1.3.2.5.3 | TCO inventory | Provide to government within one (1) business of request.
1.3.2.5.4 | Review and validate all long haul circuits | Semi-annually
1.3.2.6 | Weekly Activity Report (WAR) | COB every Wednesday, or as directed by the Government
1.3.2.6.1.2 | VTC Metrics | Monthly in MSR; Annually NLT 15th business day of January each period of performance
1.3.2.6.2 | Delivery schedule for each project/initiative with breakdown of hours expended. | Monthly in MSR.
1.3.2.6.2.1 | Annual VTC Hardware and Software Upgrade Recommendations | No later than 31 March of each period of performance
1.3.2.6.2.1 | AV/VTC designs and project schedule | In a timely manner in accordance with government priorities
1.3.2.6.2.1 | AV/VTC Operator Level Instructions | Within 20 business days of any changes or upgrades
1.3.2.6.2.1 | AV/VTC programming code in a usable and modifiable format | Within 30 business days of completed install
1.3.2.6.2.1 | AV/VTC recommendations for equipment and conference rooms | No later than 31 March of each period of performance
1.3.2.6.2.1 | Proof of current programming certifications (e.g., Crestron) from OEMs to government | Annually
1.3.2.6.2.1 | VTC Architecture Graphical Representation | Quarterly NLT the 5th business day of each quarter
1.3.3.1.1 | IT SPfM Process Documentation | Full process documentation: within 90 calendar days of contract start; Process changes: within 3 business days after determination that a change is needed; Problem Management briefings and supporting materials: NLT 48 hours prior to any presentation; Process Review: semi-annually, at a minimum


1.3.3.1.2 | Agreements on funding (per defined service) | Within 90 calendar days of contract start; Within 2 days per new/changed service agreement
1.3.3.1.2 | Case Mediation Documentation | Within 3 business days
1.3.3.1.2 | Defined Business outcomes (per defined service) | Within 90 calendar days of contract start; Within 2 days per new/changed service agreement
1.3.3.1.2 | Formal Complaint and Escalation Feedback to Customer | Within 1 business day from any change in status
1.3.3.1.2 | Formal Complaint and Escalation reports | Quarterly
1.3.3.1.2 | New Services Business Cases | Within 10 business days of the completion of requirement definition
1.3.3.1.2 | New Services Requirements | Within 3 days following completion of customer interaction(s)
1.3.3.1.2 | Reports on customer perception of service performance (per defined service) | Within 90 calendar days of contract start; Within 2 days per new/changed service agreement
1.3.3.1.2 | Schedule of customer activities to define deliverable timelines | Within 90 calendar days of contract start; Within 2 days per new/changed service agreement
1.3.3.1.2 | Schedule of training and awareness events to avoid customer business disruption | Within 90 calendar days of contract start; Within 2 days per new/changed service agreement
1.3.3.1.2 | Services Working Groups Action Item Updates and Meeting Minutes | IAW section 1.3.1.6 (Within 1 business day after the meeting/conference)
1.3.3.1.2 | Services Working Groups Meetings Presentation Material | NLT 48 hours prior to meetings
1.3.3.1.2 | Stakeholder definitions | Within 90 calendar days of contract start; Within 2 days per new/changed service agreement
1.3.3.1.3 | Develop Patterns of Business Activities (PBAs) | Within 10 business days of identified pattern.
1.3.3.1.3 | Report cyclical changes in demand | Quarterly
1.3.3.2.1 | Service Portfolio analysis and information | Upon request or as requirements change
1.3.3.2.2 | Spend Plans | 4 business days prior to Spend Plan brief, or as required
1.3.3.2.2 | System, Program or Initiative Briefs and Information Papers | NLT two (2) business days prior to scheduled briefing
1.3.3.3.1.1 | Configuration Management Plan | Initial: within 120 days after contract start; Updates: Annually thereafter or sooner as directed


1.3.3.3.1.1 | Management and Planning Process Documentation | Full process documentation: within 90 calendar days of contract start; Process changes: within 3 business days after determination that a change is needed; Problem Management briefings and supporting materials: NLT 48 hours prior to any presentation; Process Review: semi-annually, at a minimum
1.3.3.3.1.3 | Service Asset and Configuration Reports | Within two (2) business days, as required by the Govt
1.3.3.3.2 | Process-Reviews and Process Improvement Initiatives | At least quarterly, or as needed
1.3.3.3.2 | Software Library Updates and additions | Within 5 business days of approval
1.3.3.3.2.1.1 | USTRANSCOM Software Inventory | NLT the 5th business day of each month or an agreed upon monthly date
1.3.3.3.2.1.2 | Software Consumption Metric | Monthly as part of the MSR
1.3.3.3.2.1.3 | Govt Requested Metrics | Monthly as part of the MSR
1.3.3.3.2.1.5 | Cost/Benefit Briefing | Initial: within 80 business days of the contract start date; Annual: NLT 31 March for each period of performance
1.3.3.3.2.1.5 | Software Cost/Benefit Analyses | Within 10 business days of the Govt’s request
1.3.3.3.2.1.5 | Software Requirements List | NLT the 5th business day of each month or an agreed upon monthly date
1.3.3.3.2.3 | Application Portfolio of TWCF-Funded Known Software | Within 120 days of the task start date
1.3.3.3.3.1.1 | Monthly Warehouse Equipment-Inventory Report | NLT than 5 business days of the following month
1.3.3.3.3.1.3 | Equipment Custodian (EC) Listing | Updates: within three (3) business days when ECs change
1.3.3.3.3.1.3 | Physical Inventory Reports to BECO | Semi-annual: NLT 31 December and 30 June each contract year
1.3.3.9.3.1 | Additional Testing Recommendation | No later than two (2) business days after identification of prior testing
1.3.3.9.3.1 | Assessments of Vendor-Proposed System Configuration and Engineering Designs | IAW the suspense assigned by the Govt
1.3.3.9.3.1 | Documentation to support RMF certification and accreditation | IAW the suspense assigned by the Govt
1.3.3.9.3.1 | Software Incident Report | No later than two (2) business days after identification
1.3.3.9.3.1 | Technical Configuration Guides and Supporting Implementation Plans/Documentation | IAW the suspense assigned by the Govt
1.3.3.9.3.1 | Test Analysis Reports | No later than five (5) business days after test completion
1.3.3.9.3.1 | Test Result Briefing Materials | Two (2) business days prior to presentation
1.3.3.9.3.3 | Compliance Data to Support Task Orders | IAW the suspense assigned by the Govt
1.3.3.9.3.3 | Exemption/Waiver Request | IAW prescribed DoD policy/instruction
1.3.3.9.3.3 | Life cycle Upgrade Recommendations | IAW the suspense assigned by the Govt
1.3.3.9.3.3 | POA&Ms | IAW prescribed DoD policy/instruction
1.3.3.9.3.4 | Metrics | Monthly NLT five (5) business days after the start of each month
1.3.3.9.3.4 | CentOS Security Guide (Fiscal Qtr 1); Windows Security Guides (Fiscal Qtr 1); USTRANSCOM Cybersecurity Reference Guide (Fiscal Qtr 1); Layered Defenses Standard (Fiscal Qtr 2); Account Validation Standard (Fiscal Qtr 2); Logging Format Standard (Fiscal Qtr 2); Log Centralization Standard (Fiscal Qtr 2); Privileged Actions Auditing Standard (Fiscal Qtr 2); ClamAV Implementation Guide (Fiscal Qtr 1); USTRANSCOM Enhanced Mitigation Experience Toolkit SOP & Checklists (Fiscal Qtr 3); Red Hat Linux Standard Build Guide & Image (Fiscal Qtr 4); Windows Server Build Guide & Image (Fiscal Qtr 4) | Quarterly NLT ten (10) business days prior to the end of each quarter


1.3.3.9.4.2 | 11. Current state and desired outcomes; 12. Recommendation for quick wins and initial set of activities; 13. Roadmap; 14. ITSM architecture, which shall include the following: a. Environment architecture, b. Performance expectations, c. Integrations (interfaces with other tools), d. Hardware, e. Database review, f. Network review; 15. Training materials as needed | No later than six (6) weeks after the Government work area reopens

1.3.4 | C4S Annexes, Technical reviews and evaluations, briefings, information papers, requirements documents, customer interviews, site surveys, metrics, monthly JMET assessments | Using Govt provided automated software tools, when applicable, and provide IAW the suspense assigned by the Govt or through the Govt staffing process
1.3.4 | Continuity Folders | Annually NLT 1 September each period of performance
1.3.4 | Emails, Staff Packages, Point Papers, Reports, or Briefings | IAW suspense assigned by the Govt or through the Govt staffing process
1.3.4 | Meeting/Conference Minutes | Within 2 business days after completion of the meeting/conference
1.3.4 | Technical Reviews | IAW the suspense assigned by the Govt or through the Govt staffing process
1.3.4 | Trip Reports | Within 5 business days after completion of travel
1.3.4 | Weekly Activity Report Inputs | IAW suspense assigned by the Govt or through the Govt staffing process; Normally weekly; NLT the close of business on Wednesday of each week
1.3.4.1 | Directorate Quarterly Training Brief (QTB) associated with JMETs | Quarterly, IAW with suspense assigned by Govt or through the Govt staffing process
1.3.4.1 | Lessons learned inputs | Within 3 business days after contingency, exercise, and training events
1.3.4.1 | Training objectives, training plans, JMRR, JFRR, JMETL Update | Using Govt provided automated software tools, when applicable, and provide IAW the suspense assigned by the Govt or through the Govt staffing process


1.3.4.2 | Plans, C4S and Cyber annexes/sections, training objectives, MSELs, lessons learned, orders, exercise planning schedule | Using Govt provided automated software tools, when applicable, and provide IAW the suspense assigned by the Govt or through the Govt staffing process
1.3.4.2, 1.3.4.4 | Plans, C4S Annexes, technical evaluations and advice, monthly JMET assessments | Using Govt provided automated spectrum management software tools, when applicable, and provide IAW the suspense assigned by the Govt or through the Govt staffing process
1.3.4.4 | Monthly metrics of number and timeliness of requests | 2 business days prior to presentation
1.3.4.4 | Notify IT Operations Management of operational status impacts | Within 1 hour of any negative impacts to operational status
1.3.4.4 | Technical evaluations of SATCOM | Periodically, at a minimum annually.
1.3.4.5 | MILSTAR operations Technical advice | IAW the suspense assigned by the Govt or through the Govt staffing process
1.3.4.5 | MILSTAR outage/restoral messages and send to the USTRANSCOM IT Operations Management | Within 1 hour of awareness of outage/restoral
1.3.4.6 | IPL Nomination Packages | IAW the suspense assigned by the Govt or through the Govt staffing process
1.3.4.7 | Tactical C4S reviews/recommendations and plans | IAW the suspense assigned by the Govt or through the Govt staffing process
1.3.5.1 | Meeting/Conference Minutes | Within 2 business days after completion of the meeting/conference
1.3.5.1 | Metrics | Monthly NLT 5 business days after the end of the month
1.3.5.1 | Trip Reports | Within 5 business days after completion of travel
1.3.5.1.1 | Cyber Security Defense Process/Procedure Documentation: | Quarterly NLT ten (10) business days prior to the end of each quarter


1.3.5.1.1 | Cyber Security Defense Personnel Recall Roster (in TDOC IntelShare) (Fiscal Qtr 1,2,3,4); USTRANSCOM Host Based Security Suite (HBSS) SOP & Checklists (Fiscal Qtr 4); USTRANSCOM CSSP Continuity of Service Plan & Checklists (Fiscal Qtr 1); USTRANSCOM Firewall SOP & Checklists (Fiscal Qtr 4); USTRANSCOM CSSP COOP Plan (Fiscal Qtr 1); USTRANSCOM Web-Proxy SOP & Checklists OI (Fiscal Qtr 4); USTRANSCOM Email Gateway SOP & Checklists (Fiscal Qtr 3); MailAV Build Guide (Fiscal Qtr 1) | Quarterly NLT ten (10) business days prior to the end of each quarter

1.3.5.2.3.2.3 | Ports, Protocols and Service Matrix | Monthly NLT 1 business day after the end of the month
1.3.5.1.1.2, 1.3.5.1.2.2, 1.3.5.2.2.4 | Exemption/Waiver Request | IAW prescribed DoD policy/instruction
1.3.5.1.1.2, 1.3.5.1.2.2, | Life-cycle Upgrade Recommendations | IAW the suspense assigned by the Govt
1.3.5.1.1.2, 1.3.5.1.2.2, | Maintenance Log Extracts | Monthly NLT 1 business day after the end of the month
1.3.5.1.1.2, 1.3.5.1.2.2, | POA&Ms | IAW prescribed DoD policy/instruction
1.3.5.1.1.2, 1.3.5.1.2.2, | System Configuration Data | IAW the suspense assigned by the Govt
1.3.5.1.2 | Intrusion Detection Monitoring and Incident Management Process/Procedure Documentation: Intrusion Detection Monitoring and Incident Management Personnel Recall Roster (in TDOC IntelShare) (Fiscal Qtr 1,2,3,4); USTRANSCOM Cyber Incident Response SOP & Checklists (Fiscal Qtr 1) | Quarterly NLT 10 business days prior to the end of each quarter


1.3.5.1.2 | - USTRANSCOM Cyber Monitoring SOP & Checklists (Fiscal Qtr 4) | Quarterly NLT 10 business days prior to the end of each quarter
  - USTRANSCOM Sensor and Consolidated Logging Infrastructure SOP & Checklists (Fiscal Qtr 4)
  - Network Intrusion Detection System (NIDS) Build Guide: Argus, Snort and TCPDump (Fiscal Qtr 1)
  - NIDS Build Guide: Bro (Fiscal Qtr 1)
  - Barnyard Build Guide (Fiscal Qtr 1)
  - USTRANSCOM Incident Reporting SOP & Checklists (Fiscal Qtr 2)
  - USTRANSCOM Security Event / Incident Analysis SOP & Checklists (Fiscal Qtr 4)
1.3.5.1.2 | Inventory of Log Data Sources/Resident Locations | Monthly NLT one (1) business day after the end of the month
1.3.5.1.2 | Weekly Security Event Analysis Results | 1 business day prior to the briefing
1.3.11.3.5.1.2, 1.3.5.1.3, 1.3.5.1.4 | Emails, Staff Packages, Point Papers, Reports, or Briefings | IAW suspense assigned by the Govt or through the Govt staffing process
1.3.5.1.3 | Cyber Threat Analysis Process/Procedure Documentation: | Quarterly NLT 10 business days prior to the end of each quarter
  - Cyber Threat Personnel Recall Roster (in TDOC IntelShare) (Fiscal Qtr 1,2,3,4)
  - USTRANSCOM Intel/AS&W Receipt SOP & Checklists (Fiscal Qtr 4)
  - USTRANSCOM Intel/AS&W Analysis SOP & Checklists (Fiscal Qtr 4)
  - USTRANSCOM Intel/AS&W Product Generation SOP & Checklists (Fiscal Qtr 1)

1.3.5.1.3 | - USTRANSCOM Intel/AS&W Distribution SOP & Checklists (Fiscal Qtr 1) | Quarterly NLT 10 business days prior to the end of each quarter


1.3.5.1.3 | Cyber Threat Briefs, Information Papers and Threat Tippers | Within 1 business day of completion of the analysis
1.3.5.1.3 | Weekly CSSP Threat Briefing | 1 business day prior to the briefing
1.3.5.1.4 | COMSEC Process/Procedure Documentation: | Quarterly NLT 10 business days prior to the end of each quarter
  - COMSEC Personnel Recall Procedures (Fiscal Qtr 1,2,3,4)
  - COMSEC Training SOP (Fiscal Qtr 1)
  - COMSEC Tracking SOP (Fiscal Qtr 2)
  - Requesting NSA Key Support SOP (Fiscal Qtr 2)
  - Loading [Keying] Cryptographic Devices SOP (Fiscal Qtr 3)
  - COMSEC Account Management SOP (Fiscal Qtr 4)
1.3.5.1.4 | Recurring and Ad-hoc Reports | IAW suspense assigned by the Govt
1.3.5.1.5 | EMSEC Process/Procedure Documentation: | Quarterly NLT 10 business days prior to the end of each quarter
  - USTRANSCOM EMSEC SOP & Checklists (Fiscal Qtr 4)
1.3.5.1.6 | Exemption/Waiver Request | IAW prescribed DoD policy/instruction
1.3.5.1.6 | Life-cycle Upgrade Recommendations | IAW the suspense assigned by the Govt
1.3.5.1.6 | Maintenance Log Extracts | Monthly NLT 1 business day after the end of the month
1.3.5.1.6 | Network Discovery Scan/HBSS Comparative Analysis | Quarterly NLT ten (10) business days prior to the end of each quarter
1.3.5.1.6 | Network Discovery Scans | Quarterly NLT ten (10) business days prior to the end of each quarter
1.3.5.1.6 | POA&Ms | IAW prescribed DoD policy/instruction
1.3.5.1.6 | Continuous Monitoring Process/Procedure Documentation: | Quarterly NLT ten (10) business days prior to the end of each quarter
  - USTRANSCOM Security Configuration Management SOP & Checklists (Fiscal Qtr 1)
  - USTRANSCOM Reviewing Vulnerability Scanner Findings Guide (Fiscal Qtr 3)
1.3.5.1.6 | - USTRANSCOM Enterprise Information Security Continuous Monitoring SOP & Checklists (Fiscal Qtr 2) | Quarterly NLT ten (10) business days prior to the end of each quarter
1.3.5.1.6 | System Configuration Data | IAW the suspense assigned by the Govt
1.3.5.1.6 | Vulnerability Scan Results and Presentation Materials for CIO | Within three (3) business days of the completion of the scan


1.3.5.2 | Emails, Staff Packages, Point Papers, Reports, or Briefings | IAW suspense assigned by the Govt or through the Govt staffing process
1.3.5.2 | Meeting/Conference Minutes | Within 2 business days after completion of the meeting/conference
1.3.5.2 | Trip Reports | Within 5 business days after completion of travel
1.3.5.2.1 | ISSE Supporting Documentation: | Quarterly NLT ten (10) business days prior to the end of each quarter
  - System Administration Cyber Security Training Brief (Fiscal Qtr 4)
  - Unix Security Training Brief (Fiscal Qtr 2)
  - FACCSM Training Briefing (Fiscal Qtr 4)
  - TCP/IP Training Briefing (Fiscal Qtr 2)
  - Secure Shell (SSH) Training Brief (Fiscal Qtr 1)
  - Stunnel Training Brief (Fiscal Qtr 1)

  - Host-Based Firewall Technologies for Linux/UNIX (Fiscal Qtr 1)
  - USTRANSCOM Security Capabilities Overview (Fiscal Qtr 4)
  - Educational Cyber Alert (Fiscal Qtr 1,2,3,4)
  - Cyberspace Defense Handout (tri-fold) (Fiscal Qtr 4)
  - Talking Papers (Fiscal Qtr 2)
1.3.5.2.1 | - OPTIONAL. Cyber security support for USTRANSCOM Component Commands and Cyber Security Service Provider Subscribers summary of assessments or incident response activities performed | Quarterly NLT ten (10) business days prior to the end of each quarter
1.3.5.2.1 | Security Risk Assessments | IAW suspense assigned by the Govt
1.3.5.2.1, 1.3.5.2.2, 1.3.5.2.3, 1.2.5.2.5 | Metrics | Monthly NLT 5 business days after the end of the month


1.3.5.2.2 | Security Auditing, and Vulnerability Management Process/Procedure Documentation: | Quarterly NLT ten (10) business days prior to the end of each quarter
  - USTRANSCOM Vulnerability Management SOP & Checklists (Fiscal Qtr 4)
  - USTRANSCOM System Security Evaluation SOP & Checklists (Fiscal Qtr 4)

  - Security Evaluation Process Training Brief (Fiscal Qtr 1)
  - Vulnerability Management Training Briefing (Fiscal Qtr 1)

1.3.5.2.3.1 | Monitoring Strategy Document | IAW suspense assigned by the Govt
1.3.5.2.3.1 | Registration of the systems in eMASS | IAW suspense assigned by the Govt
1.3.5.2.3.1 | Residual Risk Statement and Risk Acceptance Briefing | IAW suspense assigned by the Govt
1.3.5.2.3.1 | Security Assessment Plan | IAW suspense assigned by the Govt
1.3.5.2.3.1 | Security Control Artifacts | IAW suspense assigned by the Govt
1.3.5.2.3.3 | Authorization Process/Procedure Documentation: | Quarterly NLT ten (10) business days prior to the end of each quarter
  - USTRANSCOM Security Assessment Report SOP & Checklist (Fiscal Qtr 4).
  - Security Control Selection Response and Inheritance Guide (Fiscal Qtr 2)
  - USTRANSCOM Assessment and Authorization SOP & Checklists (Fiscal Qtr 4)
  - Reference list of core artifacts and inheritable controls (Fiscal Qtr 1,2,3,4)
  - Authorizations Example Artifacts/Documentation (if requested) Fiscal Qtr
1.3.5.2.3.2 | PPSM Exception Requests | IAW suspense assigned by the Govt
1.3.5.2.3.2 | PPSM Registry Inputs | IAW suspense assigned by the Govt
1.3.5.2.3.2 | PPSM Risk Assessment Reviews with Recommendations | IAW suspense assigned by the Govt
1.3.5.2.3.2 | PPSM Submissions Status | IAW suspense assigned by the Govt
1.3.5.2.3.2 | Recommended Enterprise Security Controls/Enhancements | Quarterly NLT ten (10) business days prior to the end of each quarter

1.3.5.2.3.2 | Results of Security Control Compliance IV&V in eMASS | IAW suspense assigned by the Govt
1.3.5.2.4 | Draft SIPR Removable Media Quarterly Validation/Package for AO approval | Quarterly NLT 5 business days after the start of each quarter
1.3.5.2.4 | Insider Threat/SIPR Removable Media Process/Procedure Documentation: | Quarterly NLT 5 business days prior to the end of each quarter
  - USTRANSCOM Insider Threat SOP & Checklists (Fiscal Qtr 4)
  - Process/procedures for FACCSMs to collect required workstation/user information (Fiscal Qtr 4)
1.3.5.2.4 | Metrics | Quarterly NLT 5 business days after the start of each quarter
1.3.5.2.5 | CWRAF Vignettes | IAW the suspense assigned by the Govt
1.3.5.2.5 | Software Assurance Policy/Process/Procedure Documentation: | Quarterly NLT 5 business days prior to the end of each quarter
  - Software Assurance SOP & Checklists (Fiscal Qtr 1)
  - Software Assurance Standard (Fiscal Qtr 4)
1.3.5.2.5 | Software Testing Tool Guidance and Configurations | IAW the suspense assigned by the Govt
1.3.6 | Delivery Schedules | Included in the Monthly Status Report: by the 15th of the month following the reporting period

1.3.6.1 | Documentation that addresses user requirements, database design, application development, user level documentation, and deployment documentation to include reference to dependent systems and services | IAW the suspense assigned by the Govt
1.3.6.1 | The contractor shall perform thorough functional user testing of applications and services, and prepare user-level documentation in compliance with laws, regulations, and DoD level and USTRANSCOM guidance prior to release to the customer for review and acceptance. | Documentation will be prepared in both electronic and printed formats, and maintained within the Web shop work area and in the WebDocs.


1.3.6.2 | Minor adjustments coordination with the content owner when required, and ensure publication to the production environments | Within three (3) business days of receiving the request or following approval for publication (public domain services only)
1.3.6.2 | Report the number of content support requests and the length of time to complete each request. | Weekly, quarterly, and annually
1.3.6.3 | Best Practices Report | Monthly as part of MSR
1.3.6.3 | Configuration Documentation | No duration given: Both electronic and printed forms; maintained within the Web Shop work area and in WebDocs
1.3.6.4 | Training Plan | Initial: within twenty-five (25) business days after the course requirements are finalized. Revisions: within twenty-five (25) business days after written notice from the Govt
1.3.6.5 | Security Posture Best Practices Research | Monthly
1.3.6.5 | TCJA and TCJA-FO Support Status Updates | Quarterly
1.3.7.1 | Training Support (Optional) Training Plan | Initial: within twenty-five (25) business days after the course requirements are finalized. Revisions: within twenty-five (25) business days after written notice from the Govt

1.3.7.2 | Support for New Training Requirements (Optional) Training Plan | Initial: within twenty-five (25) business days after the course requirements are finalized. Revisions: within twenty-five (25) business days after written notice from the Govt

1.3.7.3 | Training Videos and Computer Based Training (CBT) Development | Draft: within 40 business days of Govt request. Final: within 10 business days of receipt of Govt comments
1.3.8 | Telework Capability Validation/Issue Reporting | Within two (2) business days of telework duty completion
1.3.8.2 | Monthly Status Report with the status of system/software deficiencies, trouble report resolution | No later than the 5th business day of each month
1.3.9.9 | Monthly Cloud Report detailing all of the metrics requested in the Cloud task | No later than the 10th calendar day of each month


1.3.10.4.1 | 1. Current state and desired outcomes | No later than six (6) weeks after the Government work area reopens
  2. Recommendation for quick wins and initial set of activities
  3. Roadmap
  4. ITSM architecture, which shall include the following:
     a. Environment architecture
     b. Performance expectations
     c. Integrations (interfaces with other tools)
     d. Hardware
     e. Database review
     f. Network review
  5. Training materials as needed


1.3.10.1.2 | ISSE Supporting Documentation: | Quarterly NLT ten (10) business days prior to the end of each quarter
  - System Administration Cyber Security Training Brief (Fiscal Qtr 4)
  - Unix Security Training Brief (Fiscal Qtr 2)
  - FACCSM Training Briefing (Fiscal Qtr 4)
  - TCP/IP Training Briefing (Fiscal Qtr 2)
  - Secure Shell (SSH) Training Brief (Fiscal Qtr 1)
  - Stunnel Training Brief (Fiscal Qtr 1)

  - Host-Based Firewall Technologies for Linux/UNIX (Fiscal Qtr 1)
  - USTRANSCOM Security Capabilities Overview (Fiscal Qtr 4)
  - Educational Cyber Alert (Fiscal Qtr 1,2,3,4)
  - Cyberspace Defense Handout (tri-fold) (Fiscal Qtr 4)
  - Talking Papers (Fiscal Qtr 2)
  - OPTIONAL. Cyber security support for USTRANSCOM Component Commands and Cyber Security Service Provider Subscribers summary of assessments or incident response activities performed

1.3.10.1.3 | Security Risk Assessments | IAW suspense assigned by the Govt

1.3.10.1.2 | Metrics | Monthly NLT 5 business days after the end of the month


1.3.10.1.3 | Security Auditing, and Vulnerability Management Process/Procedure Documentation: | Quarterly NLT ten (10) business days prior to the end of each quarter
  - USTRANSCOM Vulnerability Management SOP & Checklists (Fiscal Qtr 4)
  - USTRANSCOM System Security Evaluation SOP & Checklists (Fiscal Qtr 4)

4.5 CSSP- Security IAWIP Evaluation Status Report Process Monthly 5 business days after the end of the month

3.5 Service Delivery Summary (SDS)

The Services Delivery Summary (SDS) represents the most important contract objectives that, when met, will ensure contract performance is satisfactory by measuring Timeliness, Compliance, Accuracy, Availability and tracking of Security Incidents. Although not all PWS requirements are listed in the SDS, the contractor is fully expected to comply with all requirements in the PWS.

PWS Para | Performance Objective | Performance Threshold
1.3.1.5 | Trip Reports | 95% of the time Trip Reports are received within five (5) business days after completion of travel and contains all details related to the trip and information on the traveler

1.3.1.6 | Meeting/Conference Minutes | 95% of the time minutes are provided within two (2) business days upon request by the Government and contain all results and impacts of the meeting/conference
1.3.2 | Ticket Acknowledgement | 95% of the time tickets are acknowledged IAW paragraph 1.6
1.3.2 | Ticket Resolution | 95% of the time tickets are resolved IAW paragraph 1.6
1.3.2 | Ticket Assignment | 95% of the time tickets are assigned appropriately IAW paragraph 1.6
1.3.2 | Ticket Missed Acknowledgment | 95% of the time missed acknowledgements notifications are handled IAW paragraph 1.6
1.3.2 | Ticket Proactive Notification | 95% of the time proactive notifications are provided IAW paragraph 1.6


1.3.2 | Ticket Missed Resolution | 95% of the time missed resolutions are escalated IAW paragraph 1.6
1.3.2 | Ticket Escalation | 95% of the time tickets are escalated appropriately IAW paragraph 1.6
1.3.2 | Ticket Notification | 95% of the time the Government is properly notified IAW paragraph 1.6
1.3.2 | On-call Support | IT Ops Center is able to contact the on-call technician nine (9) of every ten (10) attempts made outside of normal duty hours

1.3.2 | Process and Procedure Documentation | 95% of the time, documentation accurately reflects current operational processes and procedures; tool and system references; organizational references and contact information; and policy references.
1.3.2 | Process and Procedure Documentation | No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor.

1.3.2 | Unplanned Outage Notification | 100% of the time, provide notification to the IT Ops Center for unplanned outages within 15 minutes of detection.
1.3.2 | On-Call Response Time | 95% of the time, on call personnel will begin work within two (2) hours of contact
1.3.2 | ADPE EC Duties | 100% of the time ADPE is properly accounted and controlled in accordance with established policies
1.3.2.1 | Service Desk Performance Metrics Report | 95% of the time, reports accurately reflect status.
1.3.2.1.2 | Account issuance and password resets | 95% of the time issued within one (1) business day.
1.3.2.1.2.1 | First contact resolution by the Service Desk | 68% of the time, technicians will resolve issues at first notification (phones, email, chat, etc.)

1.3.2.1.2.3 | Self-help site resolution | Reduce the number of incidents and service requests a minimum of 25%


1.3.2.3.3 | Known error records updates | 98% of the time updates will be accurate and on-time
1.3.2.4.4.2 | Hardware and Software Problem Response | During on-site hours: within 15 minutes of initial report during on-site hours. After duty hours on an on-call basis with a 2-hour response time
1.3.2.4.6.2.1 | Workstation Transport to Customers | On-site: 1 business day. Off-base within the local area: 2 business days

1.3.2.4.7 | Key IT Staff Support | On-call periods shall be no more than two (2) hours to begin work on-site
1.3.2.5.1.3 | Availability Rate | 99.75% annualized availability rate.
1.3.2.5.1.3 | Implement Approved solutions | 90% of the time approved solutions are implemented within ten (10) business days of approval, provided necessary hardware is available
1.3.2.5.1.3 | Provide Technical Solutions and Costing (TS&C) to requests | 90% of the time TS&C is provided within three (3) business days of request
1.3.2.5.1.3 | Trouble Ticket Response | 95% of the time response is received within 15 minutes of initial problem notification during normal duty hours and within two (2) hours if on-site response is required during non-duty hours
1.3.2.6.1.1 | On-site AV support for TCCC, TCDC, and TCCS | 100% of the time support is provided on-site for TCCC, TCDC, and TCCS attended briefing events.
1.3.2.6.1.2 | On-site VTC support for TCCC, TCDC, and TCCS | 100% of the time support is provided on-site for TCCC, TCDC, and TCCS attended briefing events.
1.3.2.6.1.2 | Response and on-site correction of system failures | Respond within 30 minutes of notification and provide hourly updates until an agreed upon plan to restore is identified
1.3.2.6.1.4 | CRO Duties | 100% of the time COMSEC materials are properly accounted and controlled in accordance with established policies
1.3.2.6.2.1 | AV Operator level instructions | 95% of the time instructions are published within 20 business days of any changes or upgrades and are 100% error free
1.3.2.6.2.1 | Preventative maintenance as prescribed by the equipment manufacturer | 98% of the time preventative maintenance is accomplished in accordance with the manufacturer’s instructions.

1.3.2.6.2.1 | Preventative maintenance as prescribed by the equipment manufacturer | 98% of the time preventative maintenance is accomplished in accordance with the manufacturer’s instructions.
1.3.2.6.2.1 | Successful install and programming of AV/VTC equipment | 95% of the time installs are completed as scheduled and are 100% error free
1.3.2.6.2.1 | VTC Operator level instructions | 95% of the time instructions are published within 20 business days of any changes or upgrades and are 100% error free
1.3.2.6.2.2 | Task 2 Subtask 6.2.2: Installation of the Global Operations Center (GOC) Knowledge Wall/VTC Suite | 95% of the time the contractor shall inform the Government within 2 business days of any impediments to meeting IOC or FOC dates
1.3.3.9.3.1 | Accurate and timely configuration of test environment resources as required by test plans and customer test requirement | No more than 3 total days delay per month to all customer test activities attributable to improper or late configuration of test environments. All improper configurations identified and corrected within one (1) workday

1.3.3.9.3.1 | Software Failure Notification | 95% of the time notification occurs no later than one (1) business day after failure occurs

1.3.3.9.3.2 | Effective operation and system administration of test systems, computer and telecommunications Administrative, and test network environments | No more than 15 hours of unplanned network downtime per month due to internal administrative or test network problems (not to include downtime awaiting replacement parts). No more than two minor non-recoverable data losses per year. System Availability will be 98% or better.

1.3.3.9.4.2.3 | ITSM Architecture. ITSM roadmap defined and documented, key architecture and implementation plan/configuration guide, and roles and responsibilities of key stakeholders | No later than six (6) weeks after the Government work area reopens
1.3.4.4 | Negative Impacts to Operational Status | 95% of the time the Government is notified within one (1) hour of any negative impacts to operational status
1.3.4.5 | Outage/Restoral Messages | 95% of the time the IT Operations Management is notified within one (1) hour of awareness of outage/restoral


1.3.5.1.1, 1.3.5.1.2 | Security Operations | 100% of the time, no successful intrusions into the networks under the contractor’s control due to negligence or deviation from established procedures in performing actions specified by this task.
1.3.5.1.1, 1.3.5.1.2 | Software and Operating System Versions | 100% of the time security mechanisms are running supported software versions and are up to date on security vulnerability patches with any exceptions approved by government in writing

1.3.5.1.1, 1.3.5.1.2 | Uptime for Cyber/Information Security Infrastructure Mechanisms | 99.9% availability must be maintained for all cyber security defense, and intrusion detection monitoring and incident management services (e.g. firewall protection service for a specific area of coverage must be operational 99.9% of the time)

1.3.5.1.1, 1.3.5.1.2, 1.3.5.1.4 | Unplanned Outage Notification | 100% of the time, provide notification to the CyOC for unplanned outages within 15 minutes of detection.
1.3.5.1.1, 1.3.5.1.3, 1.3.5.1.4 | On-call Support | USTRANSCOM Cyber Operations Center (CyOC) is able to contact the on-call technician nine (9) of every ten (10) attempts made outside of normal duty hours

1.3.5.1.1, 1.3.5.1.4 | On-call Response Time | 100% of the time, on call personnel will begin work within one (1) hour of contact
1.3.5.1.2 | Incident Detection | 99% of the time, detect all incidents and events identified within available audit logs or by network sensors in the networks under their control.
1.3.5.1.2 | Incident Response | 95% of the time, review all incidents flagged by monitors within 30 minutes of detection.

1.3.5.1.4 | COMSEC Equipment Accountability | 100% accountability for USTRANSCOM Controlled Cryptographic Items (CCI)
1.3.5.1.4 | COMSEC Practice Dangerous to Security (PDS) Notification | 100% of the time, provide notification to the Government of any COMSEC PDS within 1 hour of detection
1.3.5.1.4 | COMSEC Training | 100% training accomplished for all CROs/SVROs


1.3.5.2 | Process and Procedure Documentation | 95% of the time, documentation accurately reflects current operational processes and procedures; tool and system references; organizational references and contact information; and policy references.
1.3.5.2 | Process and Procedure Documentation | No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor.

1.3.5.2 | Reporting Accuracy and Timeliness: Prepare written products (letters, plans, vulnerability/scanning reports, briefings, presentations, schedules, and other documentation) in an accurate and timely manner. | No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor. All draft material provided at least 2 working days prior to meetings or review boards. Final, security reviewed copies of all briefings/presentations provided at least 1 working day prior to presentation

1.3.5.2 | Security Assessments of USTRANSCOM | 100% of the time, satisfactory ratings are achieved during assessments of USTRANSCOM security on all activities defined within this task

1.3.5.2.1 | Accurate and timely security assessments, in prescribed format, in accordance with the engineering principles outlined in NIST SP 800-27 and requirements of the DoD RMF | Content: No more than 1 deviation per month from established principles and directives. 100% of assessments will address all required elements and consider security functionality from existing DoD and USTRANSCOM layered architectures. Format: No more than 1 late document per month and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor


1.3.5.2.1.1 Optional | Security Support for TCCs and Cyber Security Service Provider Subscribers | 100% of the time, for incident response, contractor FTE is on site within 24 hours of notification. Assessments/incident response activities accomplished in accordance with DoD directives and standard accepted practices of security engineering

1.3.5.2.2 | Accurate and timely configuration of vulnerability management and scanning environment resources as required by vulnerability management plan and government requirement | No more than 3 total days delay per month to all vulnerability management activities attributable to improper or late configuration of environments. All improper configurations identified and corrected within 1 workday
1.3.5.2.2 | Effective operation and system administration of scanning and vulnerability management systems | Timeliness: No more than 12 hours of unplanned network downtime per month due to negligence or deviation from established procedures in performing actions specified by this task (not to include downtime awaiting replacement parts). No more than one minor non-recoverable data loss per year. System availability will be 98% or better.

1.3.5.2.2 | Security Operations | 100% of the time, no successful intrusions into the networks under the contractor’s control due to negligence or deviation from established procedures in performing actions specified by this task.
1.3.5.2.2 | Software and Operating System Versions | 100% of the time security mechanisms are running supported software versions and are up to date on security vulnerability patches with any exceptions approved by government in writing

1.3.5.2.2 | Unplanned Outage Notification | 100% of the time, provide notification to the CyOC for unplanned outages within 15 minutes of detection.
1.3.5.2.3 | DoD PPSM | 98% of the time, required USTRANSCOM DoD PPSM actions are accomplished by the suspense date established by the government; 100% of PPSM actions completed in accordance with DoD policy

1.3.5.2.3 | eMASS Entries | 98% of the time, eMASS entries are accurate and complete.


1.3.5.2.4 | Accurate and timely production of materials required to obtain AO approval of SIPRNET burn documentation | No more than 1 late document per quarter and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor. All documentation submitted in accordance with timelines established by AF AO for approvals

1.3.5.2.5 | Accurate and timely production of materials required to assess software security posture of USTRANSCOM applications and software. | Content: No more than 1 deviation per month from established principles of secure software engineering. Format: No more than 1 late document per quarter and no more than 5 days late. For final deliverables, no more than two sets of corrections/edits and all corrections must be accomplished within 2 days or other such time periods as mutually determined between the government and the tasked contractor. All documentation submitted in accordance with timelines established by USTRANSCOM authorizing official (AO) for approvals
1.3.6.3 | Technical and application support to configure primary and secondary services supporting Web shop managed portals (both development and production); for classified and unclassified networks; for public and private domains. | The contractor shall ensure 96% availability.

Incident Management SLA: Incidents are assigned severity levels (“Incident Severity”) (e.g. P1, P2, P3, P4) based on the impact to the business. Incidents apply to all facets of the enterprise, to include development, pre-production, and production. The guidelines below will be used for setting incident severity:

Incident Priority | Follow Up / Updates | Target for Resolution | Defined
P1: Critical | 60 minutes | 4 hours | Direct impact to USTRANSCOM operations or mission critical functions
P2: High | Twice a Day | 8 hours | Impact to non-critical business functions
P3: Moderate | Daily | 48 hours | General service impacts (e.g., degradation of service, loss of resilience, interruption of service that does not meet thresholds for P1 or P2)
P4: Low | Once a week | 120 hours | No impact to business functions or service level

Service Request SLA: Service requests are assigned severity levels (e.g. P1, P2, P3, P4) based on the urgency of the need to support the business. Service requests apply to all facets of the enterprise, to include development, pre-production, and production. Service requests are defined below as:

Request Priority | Follow Up / Updates | Target for Fulfillment | Defined
P1: Emergency | 60 minutes | 60 minutes | Emergency change to avoid or cure potential business impact. Service Requests that are included as Emergency include:
  - Emergency access revocation
  - Certain firewall changes designated by Customer as Emergency based on the impact and urgency to the Customer Business
P2: Urgent | Twice a day | 8 hours | Non-Standard service request that the customer requires in order to complete day-to-day business activity. Service Requests that are Urgent include:
  - Non-emergency access revocation,
  - Certain firewall changes designated by Customer as Urgent based on the impact and urgency to the Customer Business, and
  - Certain other Service Request designated by Customer as Urgent based on the impact and urgency to the Customer Business.
P3: Moderate | Daily | 48 hours | A standard service request that has normal urgency.
P4: Low | Once a week | 120 hours | A trivial task or routine activity with no time sensitivity or urgency.
