Loren Data's SAM Daily™

FBO DAILY ISSUE OF DECEMBER 03, 2003 FBO #0736
SOLICITATION NOTICE

R -- Provide information assurance support services for the sustaining base mission of the NETCOM ESTA Information Assurance Directorate.

Notice Date
12/1/2003
 
Notice Type
Solicitation Notice
 
Contracting Office
ACA, ITEC4 - West, ITEC4 Contracting, Bldg. 61801, Room 3212, Fort Huachuca, AZ 85613-5000
 
ZIP Code
85613-5000
 
Solicitation Number
W91RUS-04-R-0012
 
Response Due
12/31/2003
 
Archive Date
2/29/2004
 
Point of Contact
Vincent A. Suarez, Jr., 520-538-8890
 
E-Mail Address
Email your questions to ACA, ITEC4 - West
(vincent.suarez@netcom.army.mil)
 
Small Business Set-Aside
N/A
 
Description
NA PWS has been revised to meet 24k character limit. Send e-mail to Vince Suarez to request complete copy.

Army Information Assurance (IA) Directorate Sustaining Base Performance Work Statement of 2 October 2003

1.0 Objective. The objective of this performance work statement is to provide the necessary programmatic tasks and outcomes with standards for practices, and activities for successful Information Assurance (IA) activities for the management and quality assurance of the Army G6/NETCOM. The objective the service provider follows is the successful outcome for the Army G6/NETCOM office which is: information operations that protect and defend G6/NETCOM, its components, and information and information systems by ensuring their availability, integrity, confidentiality and non-repudiation in its fullest capacity. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities as necessary for the Army G6/NETCOM directorate.

2.0 Applicable Documents and Standards. All relevant Army instructions documentation, and format examples are placed on URL http:www.XXX.youseetithere.mil!!

3.0 Tasks: The Army Information Assurance (IA) Directorate Sustaining Base Mission is to provide IA product expertise; policy and tactics, techniques and procedures expertise; intelligence expertise; and technical, management and administrative support services in support of the IA initiatives. Contractor support tasks required by the IA Directorate are in the areas of technical support, programmatic analyses, studies and analyses, briefings, training support, and technical reviews and analyses of National, Department of Defense (DoD), Joint Staff, other federal agencies and departments' IA policies as they relate to Army level policy.
The Contractor shall provide subject matter experts proactively providing technical support to the Government in the definition of actions and processes required to transition to and comply with the DoD and national level policies. The Contractor is able to apply best business practices in assessing IA needs and reporting, which encompasses managing and organizing data sufficient to report actionable changes. The contractor shall suggest processes to improve IA posture for NETCOM/G6 needs at the highest and lowest end-user information/recipient level. Impacts analysis and prioritization of actions and requests shall be available from the subject matter expert on a routine basis and not less than weekly for updates.

3.1 Policy, Guidance, and Tactics, Techniques, and Procedures (TTP) Development: The contractor shall provide services in the development of policies and TTP for inclusion in the Army IA and Computer Network Defense (CND) Program in support of the Army's IA Defense-In-Depth strategy. The Defense-In-Depth strategy must provide a seamless interface between the sustaining base and the tactical/objective force. The Contractor shall, on at least a daily basis, analyze information, assess its relevance from policy or standards, and identify and relate technical and procedural recommendations for securing backdoors into Army networks and systems. The contractor shall monitor and assist in notification of oversight at ARMY sites for the detection of malicious mobile code and provide support to the eradication tools and procedures, wireless personal electronic devices (PED) and wireless local area network (WLAN) security strategies, virtual private network (VPN) security strategies, ports and protocols registration policies and procedures, to include a method for accomplishing the registration process, procedures for implementing DoD mandated policies for IA and CND.
The contractor shall act as the IA Directorate central point of contact gathering and collating information with the Army Program Manager (PM) for Active Directory, the National Security Agency, and other organizations as required to formulate and implement IA policy concerning the use of Windows 2000 and later operating systems and components to include, Active Directory, Internet Server Administrator, and other Microsoft Windows security software. Failure to identify or recommend updates within 72 hours of receipt of an update from any agency will not meet the performance standard. Subject matter experts shall be available to the Government providing assessments to proactively avert contingencies. The Contractor shall be knowledgeable of the DoD Operational and Systems Architectures including IA-25A and applicable DOD documents and directives in their development process, have demonstrated expertise in the development of operational and systems architectures, be capable of interface with the CIO/G-6 Architectures Directorate on all IA architectural issues, shall have demonstrable knowledge assessing and evaluating capabilities-based identification of a needs process; implemented under the Joint Warfighting Capabilities Assessment (JWCA), Joint Capabilities Integration and Development System (JCIDS).

3.2 Information Systems Security Engineering and Analysis: The contractor shall have the ability to provide information systems security engineering and management support. The contractor assesses the security posture of select information systems and networks, to include new technologies, e.g., new operating systems, WLANs, and VPNs; the capabilities and optimum application of IA/CND tools, to include firewalls, intrusion detection systems, information assurance vulnerability alert (IAVA) management tools, scanners, and proxy technologies.
The contractor shall recommend information systems and networks security solutions that apply IA concepts and technologies that support the Army IA Program and identify new, state-of-the-art enabling technologies/IA security tools for potential integration into the command, control, communications, and computers (C4) architecture. The contractor shall convey this leading edge technology and the impacts to Army systems and internal (within Army systems) and external (linked but outside Army systems) risks associated.

3.3 Information Assurance Vulnerability Alert (IAVA) Management Process: The contractor shall be experienced and involved in providing support implementation of the Army's IAVA process. The Army will not re-process or train subject matter experts except for contingencies and requirements growth (more sites or mission expansion). The contractor shall monitor the input time for patch processing to establish metrics and alert the Government of the sites potentially vulnerable. The contractor shall assist and demonstrate subject matter expertise in assisting in oversight of IAVA incident identification by the Army Network Operations and Security Center (ANOSC) and Computer Emergency Response Team (ACERT), incident acknowledgement and compliance reporting by Army Directors of Information Management (DOIM), NETCOM Regional CIOs (RCIO), MACOMs' Program Executive Offices (PEO) and Program Managers (PM), and other responsible activities. The contractor shall be capable of managing and recommending changes/upgrades as appropriate to the Army's web-enabled, structured query language (SQL) IAVA Compliance Reporting Database (CRD) to include training IA Directorate staff in the proper use of the CRD, troubleshooting problems associated with the CRD, developing reports using report generating software and ensuring that CRD data is properly transferred to the DOD IAVA Vulnerability Management System (VMS).
The contractor shall be experienced in the reporting and managing of the Army's IAVA Compliance Verification Team (one government point of contact, one IA vendor and in parallel with one member of IA Criminal Investigative Division (CID) of the Computer Crimes Investigation Unit (CCIU)), to include predeployment notification requirements, the on site activities of the IAVA CVT, and the use of state-of-the-art scanning and assessment tools to identify network and operating system vulnerabilities. The contractor shall be certified and proficient in the use of Internet Security Scanner (ISS) and the Harris STAT scanning tools and capable of evaluating configuration, operating system, and application-based vulnerabilities and assessing depth and degree of potential compromises to Army networks. After receiving Government approval, the contractor shall perform reviews of designated installation reviews with system administrators, sites come in randomly by request. Reports shall be provided to the COR in executive summary (EXSUM) format within five days of completion and a final report, prepared in appropriate format for signature by the Senior CIO/G-6, NETCOM IAVA Official, within 10 days of completion of the CVT visit.

3.4 Training and Education:

(1) The contractor shall have the capacity and the capability to present up to 20 CONUS/OCONUS training courses, annually, that meet Army certification requirements for Information Assurance Managers (IAM), and Program Managers (IAPM) pursuant to AR 25-Information Assurance (IA). Planning for and obtaining Government inputs, to approved Government training packages, will be demonstrated in the offered training (i.e., lessons learned are incorporated into deployed training packages on a going forward basis/continuous improvement). The approval and review process takes the Government 5-7 business days for completion of activities encompassing acceptance and processing certificate signatures in advance.
The Government validates the training packages prior to release, with the contractor capable of presenting a DOD Information Technology Security Certification and Accreditation Process (DITSCAP) training course, within five days after Government approval of the training package. This training material shall familiarize and qualify personnel in the application of the DITSCAP process as well as organizing and assembling instructional materials, preparing training requests, and coordinating the conduct of Quarterly IA Workshops and other training as required and supporting training policy development and the documentation and promulgation of IA training and education requirements. Certificates shall be generated and provided to attendees completing the training. The vendor shall check identification of each attendee, using any Government issued picture identification card, to validate attendance of training. Training locations are randomly selected by the Government.

(2) The contractor shall possess the capacity, experience, and capability to assess needs for system requirements, apply training methods, and present data required to provide the most current training information. This culminates in the delivery of a virtual, interactive online training capability/virtual classroom, to train personnel worldwide at their home station using Internet connectivity, virtual machine-ware (VMWare), and web technologies. The contractor shall provide training to IA personnel on the use of select IA/CND tools (e.g., scanners, IAVA patch management tools, and firewalls) and to recognize "hacker" attack modalities, patterns, and signatures, and to secure Army information systems from attacks that use known IAVA exploits. The virtual interactive classroom shall employ VMWare to create virtual networks to train on streaming video/audio, and classroom chat sessions. The contractor shall provide VMWare and interactive training capabilities that deliver "hands on"
training where the students log on to virtual servers to set up and employ IA tools and to understand IAVA vulnerabilities, assess and define problems, fix the vulnerability, test the fix, and report compliance. Training schedules shall be developed to ensure that instructors are present to provide virtual, interactive, on-demand IA training to students worldwide during their normal duty day. While traditional computer based training (CBT) may be incorporated into this capability, this virtual, interactive, online, on-demand IA training capability should not be confused with traditional CBT.

(3) The contractor shall operate, maintain, and upgrade, as required, the IA Training and Orientation Demonstration (also known as: Hacker Demo). See URL link youseetitnow.mil

3.5 Certification and Accreditation (C&A): The contractor shall provide security C&A support to the IA Directorate, to include reviewing and evaluating documentation associated with Secure Internet Protocol Router Network (SIPRNet) and Nonsecure Internet Protocol Router Network (NIPRNet) C&A plans and processes, System Security Authorization Agreements (SSAA), or specific C&A actions, recommend policies, procedures, and actions as appropriate and make recommendations to Designated Approving Authority (DAA) on the issuance of authorities to operate (ATO) or interim authorities to operate (IATO). The contractor shall coordinate with all network DAAs to ensure consistent methods, processes and configurations, as applicable, with noted exceptions tracked, for common practices, achieving an Army network as depicted in the TLA.

3.6 Budget and Fiscal/Program Objective Memorandum (POM): The contractor shall provide Army budget and POM support in the Army Planning, Programming Budgeting and Execution System (PPBES) process and experience in the planning, budgeting and execution of resources.
The contractor shall provide examples of PPBES tools used to support a Department of Defense (DoD) see DOD 5000 series information. http://dod5000.dau.mil/DOCS/DoDI%205000.2-signed%20(May%2012,%202003).doc http://www.defenselink.mil/comptroller/fmr/01/01_index.pdf or Army organization(s) on a weekly basis. The demonstrated planning tools and methodologies used shall provide the least errors and most accurate processes and data. The contractor shall provide cost estimating methodologies prior to reporting. The contractor's reporting and analysis shall demonstrate experience in the planning, budgeting and execution of resources at Service or Agency level because of proactive measures and few data errors. The contractor shall demonstrate experience in developing program and budget data and monitoring the execution of the program/budget. Products delivered shall demonstrate experience in preparation of input to the Army POM; input for the OSD Program Review and other OSD funding analysis requirements; preparation of input for the Army Budget Estimate Submission (BES), Army Funding Letter, and OSD Program Budget Decisions (PBDs); preparation of briefing materials, information papers, spreadsheets, and other documents as required for Army, OSD, and Congressional funding presentation requirements; and formulation of Budget Estimates and associated unfinanced requirements (UFRs) as well as expertise in the review of IA planning and programming documents such as the Army Plan (TAP), the Army Planning Guidance Memorandum (APGM), and Defense Planning Guidance (DPG). The contractor shall process budget changes to include reclamas and budget justifications. Reports, briefings and documents shall be created with the highest quality and best practices for comptroller requirements and program tracking needs.
3.7 Strategic Planning and Program Management: The contractor shall demonstrate the capability to develop the IA Strategic Plan and support the development of the IA Investment Strategy, in reports, studies, briefings and presentations in accordance with direction and guidance provided in Subdivision E of the Clinger-Cohen Act of 1996 and the DoD CIO Information Management Strategic Plan dated October 1999. The contractor shall conduct mission area analyses, identify mission priorities, refine the Army's IA requirements, monitor and critically review long range IA and CND technologies and procedural trends, and review Army IA goals and objectives, activity timelines, and changes in requirements and investment strategies to ensure IA Directorate products and services remain on azimuth with the Strategic Plan.

3.8 Web Risk Assessment: The contractor shall be responsible for maintaining full communication and equipment support. The contractor shall manage, schedule and train the Army's Web Risk Assessment Cell (AWRAC) to conduct operations security (OPSEC), website policy, and other security and administrative reviews of publicly accessible websites to meet DoD publicly accessible website security requirements and increase the Army's web security posture. The Contractor shall identify, report, and resolve security and policy violations; represent the IA Directorate at the Joint Web partnership meetings; coordinate efforts with the Joint Web Risk Assessment Cell, the Interagency OPSEC Support Staff, and the Vulnerability Assessment Division (VAD), 1st Information Operations Command as required; and review DoD and Army regulations, policies, instructions, and manuals pertaining to web security and assist with writing changes to Army web policy. For the current needs in identity theft, a specific focus of practical policy and security procedures is ongoing.
The contractor supports these elements with and demonstrates current capacity in AR 25-Information Assurance (IA); establish security policies and procedures for protecting all sensitive information while in storage or in transit, conforms to AWRAC, by
- Augmenting current capability with National Guard / Reserve Assets
- Obtaining state-of-the-art software to search websites for unauthorized personal data
- Requiring all publicly accessible and private Army websites be vetted prior to being hosted on Army servers.

3.9 Office Management, General Administrative, and Conference Organization:

(1) The contractor shall manage office business activities, to include personnel, administrative, personnel security, and logistical support operations. The contractor shall manage the office electronic calendar; personnel scheduling; travel arrangements; records management IAW Modern Army Record Keeping System (MARKS) standards; facilities coordination; correspondence, action folder and suspense tracking, and meeting, conference, and event preparation and coordination. Of not less than 56 random site visits, any travel will require prior approval of the cognizant ordering official which is either the contracting officer or the COR. Subsequent trip report pursuant to FTR/JTR standard http://www.odedodea.edu/foia/iod/pdf/1200_2.pdf shall be provided for each trip and personnel performing travel. Consolidated reports shall be provided, with prior approval and justification.

(2) The contractor shall organize and administer conferences, to include preparing baseline management plans setting forth the details, schedules, and timetables for workshops and conferences; perform preliminary negotiations and site inspections (as needed) in preparation for conferences and workshops; and serve as a conference site coordinator once a Government representative has approved a site contract.
The contractor shall perform logistical support requirements to include staffing the registration/information desk, checking meeting rooms and equipment, arranging for audiovisual services, identifying copier support, preparing nametags and conference attendee packages as needed, answering participants' logistical questions, and coordinating the logistical close-out of the workshop.

3.10 Army Key Management Infrastructure (KMI): The contractor shall research, evaluate, and recommend policies and TTP for Army participation in the KMI Domains, to include Joint Electronic Key Management system (EKMS), Public Key Infrastructure (PKI), Defense Message Service (DMS), and Product Service Node (PRSN), as required. The contractor shall demonstrate the capability of developing policies and procedures that govern generation and distribution of electronic key from national and Service level sources to the end-item communications security (COMSEC) box, and policies and procedures that manage the distribution of other COMSEC material, the functioning of the COMSEC Central Office of Record, and the data repository that will support the Services, DoD Agencies, and warfighting Combatant Commanders (CC).

3.11. CONUS Regional Chief Information Officer (RCIO) Program Support (Option, if exercised). The Contractor shall provide facility support and IA management services at the following locations with staff levels appropriate to the risk and area maintenance, but not to exceed five personnel per site, available on an annual basis:

3.11.1. (option, if exercised) The contractor shall support management processes and user implementation for IA policy, Regional Implementation Guidance, Validation of Waivers and coordinating requests and follow up with compliance requirements and changes. To accomplish this, significant travel to sites requiring certification validations, compliance inspections and regional implementation requirements shall be performed at least weekly.
Working with the systems managers and input points of contact (POCs) the contractor shall apply the best business practices and subject matter expertise for the Compliance Reporting Database, by ensuring through site visits and oversight functions, the accuracy of data entry/update/modifications/reporting. The contractor shall provide guidance and assistance to Army IA community members and communicate with and on behalf of the Designated Approval Authority for processing user accreditation and certification issues and documents. The contractor shall issue regional accreditation and certifications to POCs and resolve challenges to maintain or acquire this accreditation and certification.

3.11.2. (option, if exercised) COMSEC and PKI accounts will be affected with the contractor providing oversight and updates of the effects on these accounts.

4.0 Government Furnished Facilities and Services. The Government shall provide Government site contract personnel designated to perform at the Government site with adequate workspace and material equivalent to that used by Government personnel, e.g., personal computer, desk, chair, cabinet space, telephone, reproduction, and office supplies, for official use only.

5. Place of Contract Performance. The Contractor shall perform work primarily at Government location(s). Some positions may be performed at a site designated by the Contractor.

6.0 Security. Contractors shall, at a minimum, be cleared to SECRET and may be cleared and indoctrinated up to TOP SECRET/SCI as is appropriate to perform this mission.

7. Travel. All travel will be at the direction of the Government and will be reimbursed IAW the Joint Travel Regulation (JTR).

7.1 The Contractor shall perform travel, as approved, to attend meetings, conferences, demonstrations and working groups, as necessary to perform the tasks described in this PWS. It is anticipated that extensive travel will be required for both Continental United States (CONUS) and OCONUS travel.
Subsequent trip reports shall be provided pursuant to FTR/JTR standard http://www.odedodea.edu/foia/iod/pdf/1200_2.pdf within 5 days of completion of the travel.

7.2 The Contractor shall conform to requirements of Status of Forces Agreements in the host country, when in travel status outside of the United States.
 
Place of Performance
Address: Presidential Tower 2511 Jefferson Davis Highway, 9th Floor Arlington VA
Zip Code: 22202
Country: US
 
Record
SN00479118-W 20031203/031202075239 (fbodaily.com)
 
Source
FedBizOpps.gov Link to This Notice
(may not be valid after Archive Date)
