INFORMATION TECHNOLOGY SUPPORT SERVICES

Performance Work Statement

437th Airlift Wing

Joint Base Charleston – Air Base, South Carolina

4 Nov 2020 (Revised 5 Nov 2020)

1. Description of Services The Contractor shall, except as specified in this Performance Work Statement (PWS) as Government furnished property or services, provide all personnel, supervision, and any items and services necessary to perform Wing Information Technology services at Joint Base Charleston Air Base as defined in this PWS. This contract supports the 437th Airlift Wing’s information portal that hosts multiple dynamic web applications in support of the Wing’s mobility mission. The objective of the contract is to provide sustainment for current web applications already in place and develop future solutions necessary to increase capabilities; all with the reliability and speed necessary for the Wing’s demanding global mission. This acquisition will be a strategic sourcing initiative within the Air Mobility Command (AMC) C-17 Installations. Strategic Sourcing is a collaborative contract that optimizes capabilities and relationships with other installations in the most effective and efficient manner. This structured approach will initially allow two participating bases; Dover Air Force Base and McChord Air Force Base to utilize existing Global Reach technologies at the start of contract performance with an option to add other C-17 AMC bases to the requirement in the future. The initial two participating bases will have access to a portal delivery system that will enable them to meet their mission needs and capabilities. This Strategic Sourcing contract is a system sharing initiative allowing Dover and McChord Air Force Base’s to utilize existing system capabilities of Joint Base Charleston to help them maintain mission readiness. The contractor shall use technological solutions to counter inefficiencies within the existing Global Reach infrastructure identified by the Wing’s Technology Innovation Group. The contractor will support Global Reach users and databases providing web application development, configuration management, and application life-cycle management to include maintenance and sustainment, database administration, requirements validation and implementation and help desk support in accordance with established commercial practices. The contractor shall furnish information technology computer programmer support services, tasks, and functions for the 437th Airlift Wing Staff, 437th Operations Group, and 437th Maintenance Group. The Contractor shall support the legacy systems outlined in Appendix C for units currently using the systems outside of the 437 AW. Estimated workload is available in Appendix A.

1.1. Application Design, Development, Support and Maintenance throughout Application Lifecycle The Contractor will be primarily maintain the current Global Reach database and provide web site management. When a technological solution is deemed necessary, the contractor shall plan, design, document, develop, test, and implement scalable system application. In this context, the term "application" is defined, as a program or group of programs designed for end users. The contractor shall be responsible for having in-depth experience and knowledge with web-enabled application development, which will consist of application creation and documentation from inception to delivery to the production environment. The contractor shall provide services including, but not limited to, application development, application security, web services development, web services testing, and security. In addition, the contractor shall:  Maintain, upgrade, improve, modify, expand, and support the existing program as well as dynamic and static web-based initiatives and information technology projects. Serve as a technical expert and advise COR of potential application of emerging computer technology to resolve unique user network requirements.  Design systems to support several simultaneous interactive users.  Translate project requirements into application prototypes.  Provide a report to the COR regarding cost/benefit analyses and risk assessment of new applications and changes to legacy systems.

 Provide a report to the COR of potential project schedule or design changes.  Comply with all information assurance and information security requirements IAW Air Force guidance.  Consult users to identify requirements and evaluate the nature and scope of work to be automated. The contractor shall coordinate system development, modification, or redesign with COR before work is accomplished.  Facilitate working group meetings to provide and receive feedback with end users.

 Provide satisfactory solutions to requirements; deliver timely and quality deliverables.  Train end user on applications.  The contractor shall perform testing of applications to ensure technical adequacy and accuracy.  The contractor shall fully support all unique applications developed to support integrated solutions on this contract. The contractor shall support all software revisions deployed or resident on the system and sub-systems.  Ensure applications security comply with the DISA Application Security & Development Security Technical Implementation Guide which includes source code scanning and the DISA Database STIG and web penetration to mitigate vulnerabilities associated with SQL injections, and cross-site scripting.  The contractor shall be responsible for creating and maintaining web-based applications based on the software listed in Appendix B.

1.2. Change Management The contractor shall provide services that facilitate strategic decisions for the 437 AW with respect to its current and future IT structure and program integration. The Technology Innovation Group (TIG) is the wing’s approval forum for proposed project ideas. The TIG approves the concept and determines the priority of projects. The COR submits the project to the contractor for development. When a new project is approved, the contractor shall provide a New Project Charter (Appendix D) that clearly defines scope of work, project completion date and the estimated number of man-hours to complete the project. Contractor shall provide a monthly written Project Status Report (Appendix D) for each project that includes any variances to time, requirements, and/or constraints encountered as the project progresses. At project completion, the Contractor shall provide a written Project Closeout Report (Appendix D) on the lessons learned and the benefits of the completed project. Contractor is required to attend local meetings and events as the technical advisor on projects that require a complete IT strategy. The government shall retain all rights to the programs/applications/projects developed for the government because of this PWS.

1.2.1. New Development or Change to an Existing Application Request Any member of JB Charleston can submit an idea for a new application or change to an existing application to the TIG using a Change Request Form (CRF). (Appendix D) The CRF is submitted to the COR for vetting and then given to the contractor. The contractor will conduct an initial analysis of the project and provide an estimated workload for the project. The COR presents the CRF to the TIG for approval. In the event there is more than one CRF, the TIG will determine the priority of the projects.

Define Requirements. After the project is approved, the contractor shall conduct a thorough analysis and work closely with the user to define project objectives and create a New Project Charter. (Appendix D) The Project Charter will clearly define project requirements and

milestones for development.

Technical Research. Contractor shall effectively use innovative approaches to accomplish project requirements.

Project Management. Contractor shall track and report project progression to the COR using the Activity Duration Estimates, Milestone List and Project Status Report on a monthly or as required basis. (Appendix D).

Customer Relations. Contractor shall work closely with user to define requirements and provide feedback during all phases of design and development.

Testing. Contractor shall conduct Alpha and Beta testing before project is deployed.

Project Documentation. Contractor shall provide a report on the lessons learned and the benefits of the completed project (Project Closeout). (Appendix D).

1.2.2. Documentation Contractor shall provide written documentation for all system configuration and application changes within 5 duty days after completion and maintain a copy in a continuity book (i.e. documenting data elements, providing documentation within written code, etc.) to include documentation on software licenses.

1.3 System Maintenance, Sustainment and Administration The contractor shall design, develop, and test systems and application changes as well as provide problem resolutions for the existing system. The contractor shall maintain the current baseline of the system and provide application changes and problem fixes to these baselines as required. Specific tasks include the following:  Maintain existing systems and environments IAW disciplined engineering practices and sustain applications, databases and interfaces in compliance with applicable AF/DoD standards  Install, configure and maintain servers, ensure backup/recovery processes are in place.  Make recommendations on hardware and software upgrades for future program integration.  Support system sustainment activities to include maintaining existing legacy systems and environments and to sustain applications, databases and interfaces.  The contractor shall provide database administration support for logical and physical database designs.  The contractor shall be familiar with and be able to work on virtual servers.  The contractor shall ensure the system is operational and available to the end user. In the context of this PWS, uptime is defined as a system, database or application being operational to the end user. Downtime is defined as a system, database or application being partially or fully unavailable to the end user.

 The contractor shall evaluate and make acquisition recommendations for client/server hardware, operating systems and other systems software. Once the technical solution has been acquired, the contractor shall install, configure and operate devices. The contractor shall isolate and repair problems with supported Web, database, and backup server components ensuring website is online and available for use. In addition, the contractor shall: o Plan and respond to service outages. o Diagnose software and hardware failures to resolution. o Implement and ensure security preventive measures are fully functioning. o Monitor and enhance system performance.  The contractor should make every effort to minimize negative impact of any change on the IT enterprise by controlling its implementation through orderly, planned, and standardized methods and procedures.  The contractor shall establish and maintain a development environment that mirrors the operational environment in order to perform testing of the entire system for each upgrade or patch installed to ensure continuing functionality. If a test fails, the contractor shall analyze and test data for each component and rework the system to establish functional equilibrium.  The contractor shall provide information system security by performing risk assessments, executing access controls and providing intrusion detection systems.  The contractor shall implement software patches and security fixes as required by the Network Control Center (NCC) for all assigned servers by the deadline identified within the notification. All EMSEC, COMPUSEC, and COMSEC security compromises shall be identified, repaired and reported to the 628th Communications Squadron.  The contractor shall ensure that all system and application deliverables meet the requirements of all DoD and AF Information Assurance (IA) policy to include DoDI 8500.1, Cybersecurity, and AFI 33-200, Air Force Cybersecurity Program Management. To ensure that IA policy is implemented correctly on systems, contractors shall ensure compliance with DoD and AF Certification & Accreditation policy, specifically DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), and AFI 33-210, Air Force Certification and Accreditation Process (AFCAP).  The contractor shall meet the requirements of DoDI 8520.02, Public Key Infrastructure (PKI) and Public Key (PK) Enabling, in order to achieve standardized, PKI-supported capabilities for biometrics, digital signatures, encryption, identification and authentication.

1.3.1. Disaster Recovery The contractor shall back-up server data through automation every 4 hours and every 24 hours. In the event of a disaster, natural or manmade, the contractor is responsible for safeguarding back-up media and recovery operations once the threat is terminated The Contractor shall recover the designated mission critical applications within 12 hours of infrastructure restoration (i.e. power, air conditioning, network access, etc). Contractor shall practice the disaster recovery process quarterly and provide documentation of results to the COR within 5 days.

1.4. System Assessment and Accreditation (Formerly Certification and Accreditation (C&A)) The contractor shall be responsible for complying with the requirements of the AF IT management process for acquiring and maintaining an Authority to Operate (ATO) for assigned information systems IAW AFI 33-210, Air force Certification and Accreditation Program. Responsibilities include reviewing system configuration, system security, and information assurance controls and developing the accreditation package for review and approval.

1.5. Help Desk Ticket Management The contractor shall provide a managed help desk service for technical and informational support for the website and supported applications listed in Appendix C. The Contractor must be able to assist end users by answering a vast range of basic to complex technical questions. The contractor shall maintain a system to track all aspects of help desk tickets to include problem or question, date/time problem or question reported, estimated completion date, resolution and date/time problem fixed or question answered. The contractor shall process all tickets in a timely manner. When tickets cannot be closed by the next duty day, contractor shall provide the customer with an estimated completion date for each ticket submitted.

1.6. After Hours Support of Mission Critical Services Support shall be available during nonstandard working hours in an on-call status. Contractor shall provide support to ensure the mission critical applications identified in Appendix C are operational and available to the users. The contractor shall provide a single phone number for the Government to contact the on-call support.

1.7. Training Contractor shall conduct one-on-one or group training on all web applications and associated products upon request from users. Other forms of training include but are not limited to briefings, demonstrations, published FAQs, etc. Contractor shall provide electronic notification to users when new enhancements to the applications are available. The contractor shall provide training on new applications and all major changes to current applications within 1 week of change implementation.

1.8. Information Technology Equipment Management The contractor shall perform duties as the equipment custodian for the Information Technology Equipment (ITE) account for any computer equipment specifically assigned for their use. The contractor shall perform all duties related to the tracking and management of IT equipment and assets. Task include, but not limited to, receiving, tagging/identifying, inventorying and turn-in of equipment. Reference AFMAN 33-153, Information Technology (IT) Asset Management (ITAM) and AFMAN 33-282, Computer Security (COMPUSEC).

1.9. Performance of Mission Essential Services Contractors shall be assigned a mission essential designation. In the event of crisis or heightened security caused by a national emergency, natural disaster, or other causes, the Contractor shall continue performance as necessary to ensure the mission essential services designated in Appendix C in support of the JB CHS mission remain operational. Service during these times will be specifically identified by the CO to the Contractor and will be billed against the essential services CLIN.

1.10. Software The contractor shall be responsible for controlling all assigned original software and ensure compliance with certification and accreditation. The contractor shall make recommendations for software upgrades; ensuring software is on the Air Force Evaluated and Approved software list.

2. Reports The contractor shall provide a written Monthly Status Report (MSR) to the COR NLT the 5th day of each month. The MSR shall include the workload performed during the previous month to include the Project Status Reports on the projects being worked, help desk ticket support, server maintenance and results from the quality control inspections conducted by the contractor. Additionally, the contractor shall attend a weekly production meeting with the COR. The contractors shall provide statistical and analytical reports upon request.

3. SERVICES SUMMARY. The Service Summary (SS) captures the service requirements that can be measured and are considered to be Critical operational requirements. The SS included Performance Objectives that describe the desired end result or outcome the Contractor shall achieve. The Performance Thresholds states the minimum acceptable level of performance in terms of quality, timeliness, and quality in realistic and achievable standards. These thresholds are critical to mission success.

PWS Performance Objective Performance Threshold Section 1.1 Maintain compliance with applicable DoD, Complete 99% of all reported updates AF and local policies and instructions. per month on time. Perform security updates to ensure system is in compliance by government deadline 1.1 Ensure website and hosted applications are System uptime shall meet or exceed 98% operational and available to the customer 1.2 Ensure approved projects and application New development projects and 2 changes are completed by the specified application changes shall be completed completion date NLT one week after specified completion date 1.7 Provide training to end-users on all new Provide training within 1 week of change applications and major changes to current implementation. applications 1.5 Resolve Help Desk tickets Performance shall be acceptable when tickets are closed within one duty day or the agreed upon time

1.4 Ensure all documentation and submissions Performance shall be acceptable when for the ATO are completed and A&A documentation and submissions are package is completed and approved by the completed on time 90% of the time and government deadline the A&A is approved. 1.2 Provide complete, accurate and timely Provide accurate reports on time 90% of 1.2.1 reports (deliverables) the time 2

4. GOVERNMENT-FURNISHED PROPERTY AND SERVICES Government property, as prescribes under FAR Part 45 Government Property, will not be provided to the contractor, contractors’ management and/or subcontractors for this requirement. The Government property that is provided below will be considered as incidental to the place of performance and will remain accountable by the Government.

Item Qty Desktop PC 1 per employee Laptop 1 per on-call support Mutli Function Printer 1 Servers 7

All materials will remain the property of the Government and will not be altered or modified. GFP will be returned to the responsible Government COR upon request or at the end of the period of performance.

The Government will furnish approximately 700 square feet of office space for the contractor’s work area. The contractor is responsible for ensuring the facility is maintained in a neat and orderly manner.

5. GENERAL INFORMATION

5.1. Place of Performance. Contractor personnel shall be physically located on Joint Base Charleston-Air.

5.2. Hours of Operation. Normal working hours are between the hours of 7:00am – 4:00pm, Monday through Friday, excluding Federal Government holidays and weekends. On-site staffing is required. A list of all Federal holidays can be found at http://www.opm.gov/operating_status_schedules/Fedhol/index.asp. If these holidays fall on Saturday, the preceding Friday will be observed. If these holidays fall on Sunday, the following Monday will be observed. If a holiday falls on a scheduled service day, the Contractor will be responsible for rescheduling services for the first day post the holiday observance.

5.3. Contractor Full-Time Equivalent Reporting The Contractor shall provide an annual count of the Contractor’s personnel performing work for all DoD requiring activity that use U.S. Government appropriated funds and is the equal to or greater than the Simplified Acquisition Threshold (SAT) [currently $150,000.00]. The Contractor shall report all Contractors’ labor hours, including subcontractor’s labor hours, required for performance of the services provided under the contract at the Enterprise-wide Contract Manpower Reporting Application (eCMRA) site below. Contractors have the inherent responsibility to track personnel on contract; therefore, the Government does not expect additional costs associated with this requirement. The Contractor shall report ALL Contractor labor hours (including subcontractor labor hours) required for performance of services provided under this contract via a secure data collection site. The Contractor is required to completely fill in all required data fields at http://www.ecmra.mil. Reporting inputs will be for the labor executed during the period of performance for each Government fiscal year (FY), which runs 1 October through 30 September. While inputs may be reported any time during the FY, all data shall be reported no later than 31 October of each calendar year. Contractors may direct questions to the CMRA help desk." The effective date of this requirement is the date of contract award. The Contractor shall not implement this action if it believes additional costs will be incurred as a result. In that case, the Contractor shall notify the Government prior to the stated effective date that additional costs will be incurred as well as submit an estimate of the additional costs and await further direction from the Contracting Officer. 1. *Reporting Period: Contractors are required to input data by 31 October of each year. 2. Uses and Safeguarding of Information: Information from the secure web site is considered to be proprietary in nature when the contract number and Contractor identity are associated with the direct labor hours and direct labor dollars. At no time will any data be released to the public with the Contractor name and contract number associated with the data. 3. User Manuals: Data for Air Force service requirements must be input at the Air Force CMRA link. However, user manuals for government personnel and Contractors are available at the Army CMRA link at http://www.ecmra.mil.

5.4. Contractor Identification The contractor is required to provide identification badges for their employees. All contractor personnel shall wear these badges while on duty on the government site. Badges are required to identify the individual, company name, and be clearly and distinctly marked as contractor. Size, color, style, etc. are to be mutually agreed to by contractor and government. The contractor’s identification badge will not be used as an entry requirement for installation entry or into any government designated controlled or restricted area. When conversing with Government personnel during business meetings, over the telephone or via electronic mail, contractor/subcontractor personnel shall identify themselves as such to avoid situations arising where sensitive topics might be better discussed solely between Government employees. Contractors/subcontractors shall identify themselves on any attendance sheet or any coordination documents they may review. Electronic mail signature blocks shall identify their company affiliation. Where practicable, contractor/subcontractors occupying collocated space with their Government program customer should identify their work space area with their name and company affiliation.

5.4. Training Contractor personnel are required to possess the skills necessary to support their company’s minimum requirements of the labor category under which they are performing. Training necessary to meet minimum requirements will not be paid for by the Government or charged to the contract by the contractor.

5.5 Transition Management 5.5.1. The Government anticipates a transition period of up to10 business days for the establishment of operations in preparation for full performance of this contract. The contractor shall develop and implement a comprehensive Transition Plan that addresses the full range of contract entrance and exit transition activities and describes the approach to minimize disruption to ongoing operations. The Contractor shall provide a copy of the Transition Plan within 30 days after contract start date.

5.5.2. The contractor shall work collaboratively with the Government and other contractors to plan and execute an orderly transition and uninterrupted service during the designated contract transition period. At a minimum, the contractor shall address the following activities and deliverables in its Transition Plan and execute those responsibilities during the Entrance Transition period:  Execution of a transition plan approach with detailed schedules and high-level representation of key transition events/phases, activities, and deliverables.  Knowledge transfer from incumbent staff and training plan.  Communications strategy for the transition.  Transition checklist.  Proposed transition kickoff meeting agenda.

5.5.3. The contractor shall support phase-out activities necessary to transition when the contract reaches the end of its performance period. The contractor shall recognize that the services under the contract is vital to the Government and must continue without interruption and that upon contract expiration or termination, a successor, either the Government or another contractor, may

provide the same or similar services. The contractor agrees to coordinate the orderly change to a new contractor or Government provided services such that the level and quality of service, including security if applicable, are not degraded, and to exercise its best efforts and cooperate to effect an orderly and efficient transition to a successor. Upon written notice from the Contracting Officer, the contractor shall:  Furnish phase-in/out service for up to 10 days after contract expiration or contract termination. The unit price of services provided during the phase-in/out period shall not exceed the prices in effect under the contract/Task Order on the date of contract/Task Order expiration or termination of service.  Negotiate in good faith a plan with a successor(s) for determining the nature and extent of phase-in/out services required.  Adopt a disciplined exit transition methodology to ensure the Government receives sufficient technical and non-technical data, data and/or software rights, licenses, and other relevant information.  Develop an exit transition timeline.  Ensure that the Government retains and receive appropriate data rights and equipment.  Knowledge transfer from incumbent staff to new follow-on contractor staff.  Exit transition project management.  Exit transition staffing plan to ensure that the successor has access to key personnel and subject matter experts during relevant periods of the transition.

6. SPECIAL REQUIREMENTS. All of the personnel performing work on this contract will require a Secret security clearance. Contractors shall be able to obtain adequate security clearances prior to performing services

6.1. Network Security Access Access to government systems will be a condition required for this requirement. The Government will provide contractor’s personnel access to system(s) necessary to perform tasks for this requirement. A Common Access Card (CAC) will be required. Upon completion/termination of the contract/order or transfer/termination of contractor personnel, the system account(s) will be closed.

6.2. Personnel Security Investigations (PSI) In accordance with DoD 5200.2-R, Personnel Security Program, consultants, and contractor personnel using unclassified automated information systems, including e-mail, shall have, at a minimum, a completed favorable T1 Investigations. Application/cost for the appropriate PSI shall be the responsibility of the contractor. If contractor personnel are unable to obtain security clearance then they must be replaced. In such instances the contractor shall diligently pursue obtaining the appropriate PSI for its employees prior to assigning them to work and ensure background investigations remain current throughout the contract performance period. Requests for investigation of contractor personnel for security clearance eligibility are processed by the Office of Personnel Management (OPM) and adjudicated by Defense Industrial Security Clearance Office (DISCO). The e-QIP software for initiating PSI can be accessed at http://www.opm.gov/e- qip/index.asp or http://www.dss.mil. Applicants can obtain an SF-86 or SF-85P by visiting the Office of Personnel Management (OPM) website located at: http://www.opm.gov/forms/html/sf.asp. The responsibility for providing the fingerprint cards rests with the contractor.

6.3. Common Access Card (CAC) To be issued a Common Access Cards (CAC), Contractor Personnel, must provide the following information to the requiring activities TA (contact the COR on whom the TA is) in to begin the process of receiving a CAC:  Last Name, First Name, Middle Name & Cadency Name  Person Identifier (SSN, Foreign Identification Number [FIN], ITIN)  Date of Birth  Primary Email  Personnel Category  Organization  Eligibility Expiration Date  Contract number and end date, if applicable

Once a Trusted Agent (TA) creates and submits an application in the Trusted Associate Sponsorship System (TASS), the Contractor has seven days to perform an initial login to TASS and begin the application process before TASS automatically disables the application.

After the Applicant performs the initial login, the Applicant has up to 30 days to complete the application before TASS automatically disables the application. After the applicant submits the application the TA will do their part in the process. Once a TA approves an application, an Applicant has 90 days to have a card issued before TASS automatically disables the application. Every six months (180 days) after the issuance of a valid card, the TA must either re-verify or revoke the application. TASS sends the TA and Applicant an email notification reminding the TA to review the application in intervals of 30, 20, and 10 days before the re-verification due date. If the TA fails to re-verify or revoke the application, the TA and Applicant receive an email notification that TASS has revoked the application. If the TA revokes the application, the TA and Applicant receive an email notification that TASS has revoked the application. If a TA has re- verified an application, he or she must re-verify the record again in six months, providing the card remains valid. The contractor shall retrieve employee CACs immediately upon resignation of employment and turn-in to the TA, COR or CO. All authorized users of DoD information systems shall complete DoD IAA Cyber Awareness Challenge as a condition of access and thereafter must complete annual Cyber Awareness refresher training to maintain an active user account. 6.4. Security Clearance The contractor shall obtain a Secret Clearance for all personnel. All personnel employed by the contractor in the performance of this contract, or any representative of the contractor entering the government installation, shall abide by all security regulations of the installation. Contractor employee whose duties require accessing a DoD unclassified computer/network, working with sensitive unclassified information (either at a Government or contractor facility), or physical access to a DoD facility must be a US citizen and possess a favorable trustworthiness determination prior to installation access. To obtain a favorable trustworthiness determination, each contractor employee must have a favorably completed T3 Investigation which consists of a T1 Investigation including a FBI fingerprint check, credit and law enforcement checks. To maintain continuing authorization for an employee to access a DoD unclassified computer/network, and/or have access to sensitive unclassified information, the contractor shall ensure that the individual employee has a current requisite background investigation. The Contractor’s Security Representative shall be responsible for initiating reinvestigations as required and ensuring that background investigations remain current (not older than 10 years) throughout the contract performance period. If personnel are unable to obtain a clearance or lose their clearance, then they shall be replaced. 6.4.1. Visitor Group Security Agreement (VGSA) IAW to AFI 16-1406, Information Security Program Management, the contractor shall enter into a long-term visitor group security agreement for contract performance on base. This agreement shall outline how the contractor integrates security requirements for contract operations with the Air Force to ensure effective and economical operation on the installation. The agreement shall include:

a. Security support provided by the Air Force to the contractor shall include storage containers for classified information/material, use of base destruction facilities, classified reproduction facilities, use of base classified mail services, security badging, base visitor control, investigation of security incidents, base traffic regulations and the use of security forms and conducting inspections required by DoD 5220.22-R, Industrial Security Regulation, Air Force Policy Directive 31-6, Industrial Security, Air Force Instruction 16- 1406, Industrial Security Program, DoDM 5200.1, Vol 1-4, Information Security Program, and AFI 16-1404, Information Security Program.

b. Security support requiring joint Air Force and contractor coordination includes packaging classified information, mailing and receiving classified materials, implementing emergency procedures for protection of classified information, security checks and internal security controls for protection of classified material and high-value pilferable property.

6.5. Security Education and Training The contractors are required to participate in the government’s in-house and web-based security training program under the terms of the contract. The government will provide the contractor with access to the on-line system. Annually, all contractors will complete all required security training. Required annual training includes Force Protection (AT Level I), Security Administration, and Cybersecurity Awareness.

6.6. Physical Security Contractor employees shall comply with base Operations Plans/instructions for FPCON procedures, Random Antiterrorism Measures (RAMS) and Operation Security (OPSEC), Emergency Management (EM) and local search/identification requirements. The contractor shall safeguard all government property including controlled forms provided for contractor use. At the close of each work period, government training equipment, facilities, support equipment and other valuable materials shall be secured.

6.7. JB CHS Installation Access Requirement All contractors requiring access to the installation requires a criminal history check and fingerprinting prior to accessing the installation. The paperwork required by all employee’s requiring access to the installation is a correctly completed copy of The Contractor Form 74, a copy their Social Security Card, Driver's License or State ID. Contractors who are non-US citizens must also submit an INS Form I-9. All documents must be submitted to the Contract Administrator within five business days of the required access date. All completed and signed documents need to be hand carried by the Contract Administrator to the VCC within three business day (72 hours) prior to access. Blank Contractor Form 74s can be obtain by the COR, the Contract Administrator or at the Visitor Control Center (VCC). After 5 days, the contactors pass will be available for pick-up at one of the two VCCs. The Contractor Form 74 is good for one year from the date of processing. The contractor will need to re-submit using the same process as above in order to receive a new pass. The contractor shall pick-up their pass at either of the two locations;  The Air Base VCC, is located at the Dorchester & Hill Blvd Gate entrance, Bldg. # 1953, and is open 7-days a week, Monday thru Friday, 0600-1800 and on Saturday & Sunday, 0730-1630. Their phone number is 843-963-7807/7463,

 The Weapon Station VCC, is located at the Red Bank Rd & Poseidon Way Gate entrance, Bldg. 302, and is open 6-days a week, Monday through Friday, 0630-1800 and Saturday, 0700- 1100. Their phone number is 843-764-4231/4232

6.8. Base Entry Access Gate Vehicle Checks Entry procedures during periods of increased security maybe changed with little or no notice. Random inbound and outbound vehicle inspections at the gates may occur. Failure to consent to these checks may result in barment by the installation commander or suspended or revoked base driving privileges.

6.9. Base Exercises Entry to or exit from the base may be delayed due to gate closures. Closures are usually for short periods of time. Should you or your employees get stopped at a cordon (exercise perimeter) or get told to evacuate your work area, you may identify yourself to the cordon guard as a Contractor and state the reason you need to remain in the cordon area. The guard will request for exemption from their chain of command. If the exemption is approved, only company or properly marked vehicles will be allowed to cross or remain in the exercise cordon area. If the exemption is not, you will remove yourself from cordon until completion of the exercise. If the exercise causes delays or other problems with your contract performance, immediately notify the contract administrator or requiring agency.

6.10. Traffic Rules And Regulations All Motor Vehicle Codes for the state of South Carolina apply on JBCHS and are strictly enforced. Failure to obey established state, local, and installation traffic rules/regulations may be grounds to suspend or revoke an individual's base driving privileges.  Motorcycle/moped operators are required to wear DOT approved helmets with a visor or similar eye protection, pants extending to the ankles, hard soled boots or closed-toe shoes, gloves and have the headlights on while driving on the installation. In the hours of darkness, riders must wear an article of reflective clothing.  Cellular phones may be used only if vehicle is parked or equipped with a hands-free device. Use of cell phones, including texting, while driving on military installations is prohibited  To show respect for the flag of the United States, all personnel driving a vehicle shall immediately pull to the right side of the roadway or traffic lane and stop while retreat (National Anthem) is sounded. Once the last note has sounded, vehicles may be placed back in motion.  Items Prohibited on JB CHS  Items prohibited in the state of South Carolina are also prohibited on JB CHS. Prohibited items are subject to confiscation. Administrative or judicial action, to include base barment, maybe initiated against any individual possessing a prohibited item on JB CHS. Examples of prohibited items are but not limited to:  All Forms of illegal drugs.

 Shotguns, handguns, machineguns, firearm silencers, ammunition of any type, blasting caps or similar items of explosive material, starter or flare pistols, pellet or BB guns, dynamite, teargas and their dispensing devices, and other similar devices.  Construction tools that require use of explosive materials are authorized if they are required to perform your duties. Contractors who require one of the prohibited items listed above may bring the item onto the installation in performance of the contract (i.e., bird control, wild life management, etc.), but only when specified in contract.  Any blades in excess of four inches, switch blade knives, underwater spear guns, bows and arrows, crossbows, slingshots and blowguns, throw blade knives, blackjacks, nightsticks, clubs, brass knuckles, tomahawks, swords, bolas, fighting sticks, throwing discs, chains, and other similar items that can be used as a weapon.  Photography, videoing or recording are not permitted on JB CHS unless vetted and approved through Public Affairs.  Smoking is not permitted in JB Charleston-controlled spaces. Where smoking is permitted, assure that tobacco products are extinguished and disposed of properly.

6.11. Company/Personnel Property Protection The Contractor shall provide a reasonable degree of protection (security) for your property. The Government accepts no responsibility for lost or stolen materials, equipment or tools, regardless of the item(s) location. Should you be a victim or witness to a crime or incident, please report it immediately to the Base Defense Operations Center (BDOC).

6.12. Operations Security (OPSEC) The Contractor shall meet the requirements and responsibilities established in the Operations Security Instruction, AFI 10-701 and the JB CHS OPSEC Plan. AFI 10-701 specifically states, “OPSEC is everyone’s responsibility.” The Contractor employees, who have access to mission critical information, shall complete all OPSEC training provided by the requiring activities OPSEC program Coordinators within 90 days of employees’ initial assignment to the contract. Contact the appropriate squadron’s Unit OPSEC Coordinator or the Wing OPSEC Program Manager (437 AW/XP) at (843) 963-5534 for additional OPSEC guidance and training as needed.

6.13. Force Protection Conditions Force Protection Conditions (FPCON) are implemented on the base to increase protective measures in anticipation of, or in response to, the threat of terrorist attack. The DoD FPCON consists of five progressive levels of increasing protective measures. The circumstances that apply and the purposes of each protective posture are as follows:  FPCON NORMAL: Applies when a general global threat of possible terrorist activity exists and warrants a routine security posture. At a minimum, access control will be conducted at all DoD installations and facilities.  FPCON ALPHA: Applies when there is an increased general threat of possible terrorist activity against personnel or facilities, and the nature and extent of the threat are unpredictable. ALPHA measures must be capable of being maintained indefinitely.

 FPCON BRAVO: Applies when an increased or more predictable threat of terrorist activity exists. Sustaining BRAVO measures for a prolonged period may affect operational capability and military-civilian relationships with local authorities.  FPCON CHARLIE: Applies when an incident occurs or intelligence is received indicating some form of terrorist action or targeting against personnel or facilities is likely. Prolonged implementation of CHARLIE measures may create hardship and affect the activities of the unit and its personnel.  FPCON DELTA: Applies in the immediate area where a terrorist attack has occurred or when intelligence has been received that terrorist action against a specific location or person is imminent. This FPCON is usually declared as a localized condition. FPCON DELTA measures are not intended to be sustained for an extended duration.

6.14. Regulations And Guidance The contractor may obtain copies of the referenced publications from http://www.e- publishing.af.mil/ or by request from the COR. The Contractor shall stay current with referenced publications revisions throughout the life of the contract. 6.15. Safety Requirements In addition to FAR 5352.223-9001, the Contractor shall maintain and provide a copy of a written safety plan to the wing safety office prior to start of work IAW AFPAM 91-210 section 6.4. Upon request, Contractor shall provide OSHA 300 and 301 logs to the safety office for mishaps occurring on the installation. Any mishaps involving damage to government property or injury to government personnel shall be immediately reported to the base safety office and port operations officer. Contractors, whether regularly involved in routine site operations or engaged in temporary projects must follow all federal and state safety standards. 6.16. Quality This section describes the Quality Control components for this effort. The following sub- sections provide details of various considerations on this effort.

6.16.1. Quality Control Plan (QCP) Contractor shall develop and maintain a quality program to ensure services are performed in accordance with this Performance Work Statement and other commonly accepted commercial practices. The Contractor shall develop and implement procedures to identify and prevent defective services from occurring/reoccurring. As a minimum, the Contractor shall develop quality control procedures that address the areas identified in Section 3, Service Summary. The finalized QCP will be accepted by the Government at the time of the award of the contract. The CO may notify the Contractor of required modifications to the plan during the period of performance. The Contractor then shall coordinate suggested modifications and obtain acceptance of the plan by the CO. Any modifications to the program during the period of performance shall be provided to the CO for review no later than 10 working days prior to effective date of the change. The QCP shall be subject to the Governments review and approval. The Government may find the QCP "unacceptable" whenever the Contractors procedures do not accomplish quality control objective(s). The Contractor shall revise the QCP within 10 working days from receipt of notice that QCP is found "unacceptable."

6.16.2. Quality Assurance Surveillance Plan (QASP) The Government will periodically evaluate the contractor’s performance in accordance with the Quality Assurance Surveillance Plan that will be provided to the successfully contractor prior to performance start date. The information provided from the approved Contractor’s Quality Control Plan will generally be the bases of the QASP. Like the QCP, the QASP can also be modified at any time during contract performance. If changes are made, the Contractor will receive a copy of new QASP prior to implementation.

The government reserves the right to have an outside third party inspector conduct a follow-up inspection to ensure 100% compliance verification.

7. DELIVERABLES

Deliverable Frequency Submit to Project Charter for New Application Development and Changes to existing As required COR applications

Section 1.2, 1.2.1 Recommendations to Hardware and Software As required Upgrades COR

Section 1.3 Continuity Book Review Quarterly, NLT 10th business day of the month COR Section 1.2.2 Run the Security Technical Implementation Guide on all Semi-annually, NLT 10th Servers business day of the month COR

Section 2.1 Practice Disaster Recovery Quarterly, NLT 5 days after COR the process is practiced Section 1.3.1 Report the Number of Security fixes and Software Patches NLT 5th day of each month (Monthly Status Report) COR

Section 2 Assessment and Accreditation Package As required every 3 years COR

Section 1.4 Project Status Report NLT 5th business day of each (Monthly Status Report) month COR

Section 2 Report on Help Desk Ticket Support (Monthly Status NLT 5th day of each month Report) COR

Section 2 Information Technology Annually, NLT 10th business Equipment Inventory day of the month COR

Section 1.8 Contractor Full-Time Equivalent Reporting NLT 31 Oct each calendar year http://www.ecmra.mil. Section 5.3. Transition Plan Within 30 calendar days of COR/CO Section 5.5.1. award Contractor Form 74 and copy of Driver’s license/State ID, Annually or 5 days prior to SSN Card performance of work COR Section 6.6. Quality Control Plan Within 30 calendar days of award CO Section 6.15.1 Within five working days of proposed change Safety Plan *Prior to performance start COR & 628 Wing Safety Section 6.14. date, update as needed

8. APPENDICES

APPENDIX A – Estimated Annual Workload

Work Action %

New Project Development 70 Define Requirements Technical Research Project Management Customer Relations Testing Project Documentation

Existing Project Modification and/or Enhancement

System Maintenance 30

Help Desk Support

Reports

Assessment and Accreditation

TOTAL 100%

Website has over 5500 active accounts and approximately 350 concurrent users at any given time Additional Information Estimated Annual Man-hours Average Annual Help Desk Volume 622 tickets 300 Approximate Annual Security Patches and Security Fixes for System 11,260 1283 Estimated Annual Modification to Existing Programs 12 400 Approximate Number of New Development Projects per Year 3 5504 Current ATO Expires Nov 2017 800 (over 2 years)

Appendix B– Software: assume latest approved Air Force version** Microsoft Windows Operating system *Microsoft Server Platform Microsoft Windows Programming *ColdFusion Enterprise Languages *ColdFusion Enterprise 64-bit *ColdFusion Report Builder *Microsoft Windows Server *Microsoft SQL Enterprise COTS Microsoft Windows Standard Desktop Computer Microsoft Office Adobe Creative Suite Master Collection Corel Draw Adobe Acrobat DC Professional

*Items require extensive working knowledge.

Appendix C – Website Applications (New development applications are added upon completion.)

Aircrew Information Resource - Aircrew Information Resource (AIR) an application that provides a consolidated source for dissemination of applicable directives for flight operations, tracking of completed aircrew read files, and reporting of compliance (FCIF, SARF, and TARF).

Operations Group Data Center - Operations Group Data Center allows for the rapid access to important documents posted by the 437 Operations Group.

Trip Report Input Process - Trip Report Input Process (TRIP) an application that provides a method to document airlift and local mission itineraries and to record aircrew training accomplishments.

Weather Information - Weather Information (WXI) an application that allows the 437th Operations Support Squadron Weather Flight to provide weather support to the; 437th Airlift Wing, the 315th Airlift Wing and the 628th Air Base Wing at Joint Base Charleston. They also provide mission planning weather for North Auxiliary Airfield & local air refueling tracks.

** Airlift Mission Planning - Airlift Mission Planning (AMP) an application that provides aircraft and aircrew scheduling information. Also provides statistics and metrics for aircrew availability reporting. It aids in planning for aircrew, flight line supervisors, Plans and Scheduling supervisors, flight chiefs, as well as commanders from the squadron and group levels all the way up to the wing commander.

Green Log Book - Green Log Book (GLB) an application that allows customers to annotate and track information on actions, occurrences, or incidences for their shift, office, or workcenter.

Life-Support Inspection Flight Equipment - Life-Support Inspection Flight Equipment (LIFE) an application that delivers detailed reports to provide information such as equipment inspection dates and equipment location to aid the Aircrew Flight Equipment Unit in completing its unique mission requirements.

Port Outbound Reporting Tool - PORT, is designed to assist in the performance of tracking aircraft mission by direction(s), improving the aircraft mission entry and reporting process, and providing realtimemission reporting and analysis for the 437th Aerial Port Squadron.

Purchase Authorization Ledger - Purchase Authorization Ledger (PAL) an application that contains information to display purchases of goods and services for participating organizations. It generates worksheets, and provides a ledger of expenditures, refunds, budget changes, and archival records.

Squadron Employee Labor Force - SELF, is an application that extends the abilities of G081 for maintenance personnel with appointment calendars, availability and dispatch rosters, and individualissue items.

Unit File Manager - Unit File Manager (UFM) an application that provides a permission role-based system of file sharing through the internet. Users are able to download content specifically shared for online dissemination. Content uploading is controlled by permissions. The user interface is designed to facilitate easy management of unit files and reduce duplication. eTEST: Online Training - eTEST (eTEST) an application that provides local online hosted Computer Based Training - Annual Block Training, Flightline Badge, HAZSPILL, HAZSTORM, HAZWASTE,

Maintenance Orientation, and Aircraft Status/MESL.

** Mission Essential Readiness Summary - Mission Essential Readiness Summary (MERS) an application that provides tracking ability of aircrew members required readiness training.

Project Prometheus - Project Prometheus (PRO) an application that provides online maintenance course acquisition for; Charleston, Dover, McGuire, Jackson ANG, and Travis. The application allows Training Managers and Monitors to request and track maintenance training courses as well as show student attendance information.

Computer Based Training - Hosted on Global Reach

Frequently Asked Questions - Online listing of questions and answers customer often ask.

Help Desk - Online customer requests for technical issues with Global Reach.

** = Mission Critical Services IAW para 2.6.1

AP P E NDI X D - F o r ms

CHANGE REQUEST (CR) FORM CR Number: (To be assigned) Date Submitted:

CR Title: (Identifies the subject of the proposed change) Author Name: Author Phone:

Author Organization: Author Email:

Problem Statement: (What needs to be fixed.)

Description of Change: (Provide a detailed description of the changes requested; reference any regulatory or policy guidance)

Reason for Change: (Provide a complete statement of the reason for change including necessity and/or benefit.)

Impact of Non-incorporation: (Describe the possible consequences of not incorporating the change.)

GRO Recommendation/Remarks:

GRO Workload Estimate/Development Time:

STAKEHOLDER REGISTER Project Title: Date Prepared: Name Position Role Contact Requirements Information

PROJECT CHARTER Project Title:

Date Project Sponsor: Prepared:

Project Project Manager: Customer:

Project Purpose or Justification:

Project Description:

High-level Project and Product Requirements:

Project Objectives Success Criteria Person Approving

Summary Milestones Due Date

ACTIVITY DURATION ESTIMATES

Date Project Title: Prepared: Duration ID Activity Effort Hours Estimate

MILESTONE LIST Project Title: Date Prepared: Milestone Milestone Description Type

P R O J E C T C L OS E OUT

Project Title: Date Prepared:

SCOPE: Were project objectives and requirements met?

TIME: What was the estimated vs. actual hours?

LESSONS LEARNED

Project Performance Analysis What Worked Well? What Can Be Improved?

Requirements definition and management

Scope definition and management

Schedule

Communication

Reporting

Product-specific information

Other

QUANTIFIABLE BENEFITS (List the benefits of the new application vs the old way of doing things. Are there man-hours and/or other resources saved? Has it created a standardized process or created better oversight?)