SOURCES SOUGHT
D -- DISA FSO for Support Services for the Department of Defense (DoD) Information Assurance (IA) Range
- Notice Date
- 11/22/2010
- Notice Type
- Sources Sought
- NAICS
- 541512
— Computer Systems Design Services
- Contracting Office
- Defense Information Systems Agency, Procurement Directorate, DITCO-Scott, 2300 East Dr., Building 3600, Scott AFB, Illinois, 62225-5406, United States
- ZIP Code
- 62225-5406
- Solicitation Number
- MAC0016
- Archive Date
- 12/16/2010
- Point of Contact
- Danielle B. Mazander, Phone: 6182299448
- E-Mail Address
-
danielle.mazander@disa.mil
(danielle.mazander@disa.mil)
- Small Business Set-Aside
- N/A
- Description
- Request for Information (RFI) For Defense Information Systems Agency (DISA) Field Security Operations (FSO) for Support Services for the Department of Defense (DoD) Information Assurance (IA) Range Contracting Office Address: Defense Information Systems Agency, DITCO-Scott PL8313, P.O. 2300 East Drive, Bldg 3600, Scott AFB, IL, 62225-5406 Description: Purpose. The purpose of this RFI is to conduct market research which will be used to formulate an acquisition strategy to procure support services for the existing DoD IA Range environment, as well as systems engineering and integration enhancements as required. This RFI is issued solely for information and planning purposes and does not constitute a Request for Proposal or a promise to issue a Request for Proposal in the future. This RFI does not commit the Government to contract for any supply or service. Respondents are advised that the U.S. Government will not pay for any information or administrative costs incurred in responding to this RFI. Background. The Office of the Secretary of Defense, Assistant Secretary of Defense for Network and Information Integration under the Comprehensive National Cybersecurity Initiative (CNCI) tasked DISA, to create an Information Assurance/Computer Network Defense (IA/CND) operational range for cyber exercising and training of personnel as well as testing and evaluating of IA/CND capabilities (people, processes, and technologies). The DoD IA Range has been implemented using an incremental acquisition strategy and follows the acquisition process per DoDI 5000.2. A framework of comprehensive technical and acquisition reviews and a continuous risk management process supports key decision points. This will ensure that program risks are proactively identified and addressed, and reflects best-in-class Information Technology (IT) acquisition management principles. The IA Range (IAR) provides a non-production, operationally realistic, closed environment reflective of Global Information Grid (GIG) Information Assurance/Computer Network Defense (IA/CND) capabilities and network services found at the NetOps Tier 1-3 levels. The IAR provides a Joint-Services environment for cyber exercises, CNDSP training, as well as testing and evaluation of CND products and operational Tactics, Techniques, and Procedures (TTP). The IA Range may be operated in a standalone simulator mode or can interface and interoperate with other ranges provided by Combatant Commands, Services and Agencies (CC/S/A). Communications are secure between all parts of the IA Range and the CC/S/A virtual enclaves. The IA Range traffic routes on a closed network environment and does not impact operational networks. Current Capabilities. The IAR provides a Multi Protocol Label Switching (MPLS) cloud comprised of 6 Provider Edge (PE) routers representative of the DISA GIG. Downstream from 5 of the PE routers are interactive bases that are composed of the standard Cisco design model for networks (Core Layer, Distribution Layer, Access Layer) with 8 disparate distribution zones (user zones) to simulate a given base's cable plant, as well as, a server farm hosting the following services: email (MS Exchange), Active Directory, Domain Name System (DNS), Hypertext Transfer Protocol (HTTP), file share, and print services. Each user zone within a base can support 10 Virtual Local Area Networks (VLAN) comprised of 254 users per VLAN. Downstream from the 6th PE router are 2 facilities for hosting specialized applications similar to the functionality of a Defense Information Systems Agency (DISA) Defense Enterprise Computing Center (DECC) and Community Data Center (CDC). Currently, the IAR CDC hosts both ArcSight and SourceFire. Each interactive base has a traditional boundary architecture consisting of a screening router, firewall, and Point of Presence (POP) router. Within this boundary structure, there is a trusted and un-trusted Demilitarized Zone (DMZ) capability, as well as network sensing devices. The IAR provides a generic Department of Defense (DoD) Tier I, Tier II, and Tier III capability. The CC/S/A's with their individual cyber environments can connect into the IAR through the Information Operations (IO Range) or via Virtual Private Network (VPN) over the Internet or the Defense Research Engineering Network (DREN). The IAR provides a virtual Internet capability consisting of both malicious and benign websites, as well as true DNS architecture. Scripted threats and live Red Team attacks can be launched from the virtual Internet into the IAR GIG environment. The IAR also replicates an Internet Access Point (IAP) allowing the GIG construct to connect with the virtual Internet. Internet screening router,.mil proxy, and Enterprise Recursive Services are available within the IAP architecture. The IAR environment is based on a flexible, open architectural design and is configured to support requirements for each event/exercise. Traffic generation, threat injection, operating system types, patch levels, enclave machines, and network services are all configured in accordance with event/exercise requirements. The environment's open architecture allows for the integration of CC/S/A specific devices, applications, and configurations at the Tier I, II, and III levels. Accordingly, the environment allows for the ability to test, evaluate, and ensure interoperability of enterprise IA devices and applications. Within the IA Range, virtual enclaves can be configured in accordance with specific test requirements. Operationally Realistic Environment. The IA Range uses tools such as Systems Administrator Simulation Trainer ( SAST) and Breaking Point to create the operationally realistic environment. SAST is a suite of software created by the Pacific Northwest National Laboratory to provide a realistic cyber range environment for training people, conducting exercises and testing tools. It is a framework for building capabilities that allow one to describe behavior and generate the respective activity. There is A Network Traffic Synthesizer (ANTS) suite of capabilities within SAST: •· The Multi-User Traffic Tool (MUTT) is a pack of plug-ins that allows ANTS to describe people and generate their behaviour. This capability is sometimes referred to as the traffic generator. It was mostly designed for the production of benign activity. However, the traffic is a side effect. MUTT synthesizes virtual people who use tools like mail clients, web clients, ssh clients, etc. When the virtual people use these tools on a range or in the wild, they create network traffic. This capability is well suited for testing security appliances and training boundary protection technicians. •· The Coordinated Attack Tool (CAT) is a pack of plug-ins that allows ANTS to describe aggressors and generate their behaviour. CAT, by itself does not actually attack a network. It allows you to create attack scenarios that depend on off-the-shelf attack tools like Metasploit. Therefore, CAT is well suited to represent both insider threat and to augment a real red team. •· The Virtual Internet ProvidER (VIPER) is a pack of plug-ins that allows ANTS to describe and provide services that one would find on the internet or local LAN. VIPER provides email services, web services, etc. The purpose of this capability is to augment the standing resources of a range that are typically static. •· Another tool in the suite is SEAL. It was created for managing the resources of a range and the experience of its participants, both local and remote, with a many-to-many view. It has the notion of a master user who is given the rights to administer the range, the participants who consume the resources of the range, and content associated with the activities being performed. BreakingPoint recreates Internet-scale network conditions with real-world applications, l ive security attacks and millions of users. It is used to: •· Create large amounts of realistic user application traffic from interactive bases to Internet and other range locations and in reverse. •· Create simulated network nodes that can interact with the range and make the range appear larger. •· Create realistic network management and service traffic within range enclaves to simulate network administrators and specialized network services. •· Modify the characteristics of a given network segment so it can appear to be across some other media type (cat5 appear to be a satellite link). •· Create large amounts of realistic threat traffic destined for the interactive bases and other range locations and in reverse. •· Play canned scenarios with little configuration or update effort. •· Script test data flows for device cook-offs (repeat and compare). •· Capture traffic that is traversing the range and save it (for later manipulation and replay). •· Support and emulate advanced networking protocols like MPLS and IPv6. •· Create scenarios that combine items above into a single test schema. Physical Technology Model. The IAR construct has multiple server farms to manage network services. All of the server farms draw their computing resources from the blade center chassis. This Dell Blade Center has 16 (dual CPU) server blades running VMWare ESX as the host operating system. Virtual Machines then run the services needed to power the server farms on these ESX hosts. There are 32 ESX servers in the Blade Center, 10 Virtual servers (VMs) running in each base (grows to 80 if base is split for multiple customers), 10 Virtual servers running in DECC and CDC (each) and 20 Virtual servers running in the Virtual internet. All of this is adjustable to meet customer requirements. There are also approximately 5 other special purpose physical servers to support ArcSight, Sourcefire, WSUS, etc. There are a small number of purpose-built devices, such as BreakingPoint, in the construct. The IAR construct uses routers and switches to create the Interactive bases, the DECC, CDC, virtual internet and the GIG backbone. Like the real world different techniques are used at different locations to ensure functions are appropriate and the design looks real. The IAR construct uses the 3 layer design model of 1) access layer where users connect, 2) distribution layer where remote offices are tied into the rest of the network, and 3) the core layer (or network backbone) where data runs to reach outside locations. There are 4 Cisco routers per Interactive base (with the ability to grow to 10 per base), 8 Cisco routers in the Virtual GIG backbone and 1 Juniper router in DECC and CDC (each). The IAR construct uses firewalls to simulate where military bases get external connectivity at the boundary. These are needed in the IA Range construct to give war-fighters the normal structure they see at their bases and to apply normal security practices that the base has. There are currently 2 Cisco ASA firewalls, 1 Cisco PIX firewall and 2 Fortigate firewalls. System Maturity. The IAR is currently at an Initial Operational Capability (IOC) state. Based on current performance, the IAR has met and/or exceeded all Fiscal Year 2010 IOC objectives. The IAR has implemented the following additional services: •- ArcSight •- SourceFire •- Infrastructure and services representative of 5 interactive bases •- Persistent DREN connectivity •- BreakingPoint traffic and threat generator •- The Host Based Security System (HBSS) based on the McAfee ePO product suite. Number of Nodes. Presently, the IA Range Tier I infrastructure is housed within one physical facility with the capability for external connectivity via the IO Range, VPN over DREN, and VPN over Internet. The IA Range hosting facility is located in Stafford, VA. Predicted Future Capabilities. During early FY11, the IAR will conduct numerous requirements gathering sessions with the DoD Community of Interest (COI). The following capabilities will be further assessed during the FY11 requirements gathering phase: •- PKI •- CAC •- Classified Environment •- DISA NIPRNet Hardening Services •- Wireless •- VoIP •- IPv6 System Accreditation. The unclassified environment currently has an Interim Authority To Operate (IATO). The collateral environment currently has an Interim Authority To Test (IATT). Sources Sought: This Sources Sought Synopsis is requesting responses to the following criteria ONLY from small businesses that can provide the required services under the North American Industry Classification System (NAICS) Codes 334516, 517110, 541330, 541370, 541380, 541511, 541512, 541519, and 541611. In addition to Small Businesses, this Synopsis is encouraging responses from qualified and capable Service Disabled-Veteran Owned Small Businesses, Veteran-Owned Small Businesses, Women-owned Small Businesses, HUBZone Small Businesses, Small Disadvantaged Small Businesses, Small Business Joint Ventures, Consortiums and Teaming Partners. This Sources Sought Synopsis is issued to assist the agency in performing market research to determine whether or not there are qualified and capable Small Businesses to provide the aforementioned service. The government is trying to determine if there is reasonable expectation of obtaining offerors from two or more responsible small business concerns. Responses must demonstrate the company's ability to perform in accordance with the Limitations on Subcontracting clause (FAR 52.219-14). Interested small businesses meeting the small business standard of NAICS code 334516, 517110, 541330, 541370, 541380, 541511, 541512, 541519, and 541611 are requested to submit a response to the Contracting Officer within 7 calendar days of issuance of this RFI. Late responses will not be considered. Responses should provide the business's DUNS number and CAGE code and include a statement of self certification under the NAICS code. Additionally, responses should include recent (within the past five years) and relevant experience (work similar in type and scope) to include contract numbers, project titles, dollar amounts, and points of contact with telephone numbers where the responder performed the relevant work. Marketing brochures and/or generic company literature will not be considered. Not addressing all the requested information may result in the Government determining the responder is not capable of performing the scope of work required. Requested Information: Interested vendors are requested to submit a maximum 10 page statement of their knowledge and capabilities to perform the following: 1.0 Scope 1.1 Scope Assumptions. •· The IA Range equipment suite will be relocated by the contractor from a current contractor facility in the Northern Virginia area to a government facility (expected to be the Joint Interoperability Test Command (JITC) in Indian Head, MD). Contractors supporting this program will be expected to adhere to all applicable security standards. •· The IA Range is a currently-existing and operating environment, as described in the "Description" section above. •· The IA Range will deliver additional new capabilities during FY11 and beyond, based on stakeholder requirements. The contractor will support these new capabilities through engineering, implementation and operation. •· The IA Range capabilities will be custom-configured as necessary to support the needs of each customer's training, testing or exercising event. After each event, the IA Range will be baselined to its standard configuration. CC/S/As and other customers of the IA Range will support and collaborate with DISA and the contractor on the requirements and use-cases for the DoD IA Range. Customers of the IA Range will define requirements associated with their specific event - cyber exercises, training classes, or testing initiatives. The IA Range contractor support team will, in turn, use these customer defined requirements to properly configure the range environment in support of each range event. Customers may provide outside resources to the IA Range program office in support of their range event. These outside resources may consist of funding, technical expertise, test/exercise plans, training content to be delivered, computing hardware, and computing software. It is expected that between 5 and 15 customer events will be conducted in FY11 but there may be more or less than that number. Events may be conducted concurrently, depending on customer requirements. •· This task order may be incrementally funded. •· IA Personnel supporting this contract are required to be DoD 8570 compliant. •· IA Range personnel supporting this contact will be capable of obtaining TS/SCI. 1.2 Scope of Contractor Performance. The Contractor shall provide: •· Project Management and administrative support for cost, schedule, deliverables, and milestones/performance. •· Relocate and reestablish the existing IA Range footprint. •· Continue to design, acquire, develop, integrate, test, document, operate, and maintain the IA Range environment consisting of the representative GIG and service architectures. Provide comprehensive support of the underlying hardware/software infrastructure services necessary for the three operational missions of the IA Range. Support planning and execution of customer events on the IA Range. 2.0 Performance Requirements and Specific Tasks. Specific services addressed in this RFI are: •· Task Area 1: Contract-Level and Task Order Management •· Task Area 2: Project Management Plan •· Task Area 3: IA Range Operation •· Task Area 4: Mission Areas 2.1 Task 1 - Contract-Level and Task Order Management. 2.1.1 Subtask 1 - Integration Management Control Planning. Provide the technical (task order level) and functional activities at the Contract Level needed for Program Management. Include productivity and management methods such as Quality Assurance, Progress/status reporting, and Program Reviews at the Contract and Task Order/Sub Task level. Provide the centralized administrative, clerical, documentation and related functions. 2.1.2 Subtask 2 - Technical Interchange Meeting. Contractor shall host a Technical Interchange Meeting (TIM) to ensure a common understanding between the contractor and the Government on the TO requirements. The contractor shall describe the technical approach and the organizational resources and management controls to meet the cost, performance, and schedule requirements throughout the period of performance. The TIM shall include, but not be limited to, the following topics: •· Project Management Plan •· Relocation of the IA Range •· Existing and Planned Applications and Technical Support •· Customer Event Management •· C&A Support Review •· Personnel and Physical Security Issues •· Draft Work Breakdown Structure 2.1.3 Subtask 3 - TO Management. Prepare TO Management Plan describing the technical approach, organizational resources, and management controls to be employed to meet the cost, performance, and schedule requirements throughout TO execution. Provide a Monthly Status Report (MSR) monitoring the quality assurance, progress/status reporting, and program reviews applied to the TO. 2.1.4 Subtask 4 - Progress Reviews/Project Briefings. The contractor shall conduct a formal In Progress Review within 90 days of task award and quarterly thereafter. The contractor shall provide a read ahead copy of other IPR briefings to be provided not less than five (3) business days prior to the briefing. The contractor shall include in the In Progress Review presentation, a list of newly hired personnel, as well as, a list of personnel who have left the contract since the last Quarterly Progress Review with corresponding dates or arrival/departure dates. Also include a list of personnel 8570 certifications, task order financials, and invoice history. The contractor shall document these meetings in Quarterly Review Notes and report the occurrence of these and any other meetings in the MSRs. The contractor's Technical Task Leader (TTL) and appropriate members of the technical team shall meet no less frequently than every 30 days with the appointed Government TM, either in person or via teleconference or a combination of both, to informally discuss progress, request assistance as required, project priorities for the upcoming month and deal with issues raised during the execution of the task. 2.1.5 Subtask 5 - Task Order Staffing. The contract team shall provide the optimum mix of personnel of various labor categories and technical expertise to perform the tasks specified in the technical environments specified in this PWS. Initially, the contractor must provide 50% of personnel meeting the DoD 8570.01-M IA certification requirements within 30 days of contract start date. The contractor must provide to the Government, within 30 days of this task order, a request for waiver for all personnel not meeting DoD IA certification requirements, along with a plan for reaching compliance of the remaining 50% of personnel within 180 days of this task order. New personnel joining the contractor after award of the task order shall meet IA certification requirements within 90 days of assignment of the individual to perform IA work or must be removed from the task order until certification is met or a waiver from the Government is obtained. IA certification programs are intended to produce IA personnel with the demonstrated ability to perform the functions of their assigned position. Each category and skill level has specific training and certification requirements. Meeting these requirements will require a combination of formal training, experiential activities such as on-the-job training, and continuing education. The table below represents the DoD approved baseline certifications for Information Assurance Technical (IAT) and Information Assurance Manager (IAM) personnel. As new categories are added to DoD policy guidance for IA certifications, contractor must comply with established timeframes identified. The Contractor shall provide the Program/Project management support required in executing the IA Range program strategy. The Contractor's Project Manager (PM) shall be the single point-of-contact to ensure effective project management, direction, administration, quality assurance, and control of the Task Order. This PM should be formally certified as a Project Management Professional by the Project Management Institute (PMI) or DAWIA Level III, possess an appropriate DoD Directive 8570.1M IA Management (IAM) level III certification, have experience working within a matrixed organization, and will be considered key personnel. The contractor shall ensure that all contractor personnel performing Systems Administrator (SA) or Systems Service Provider (SSP) functions, and/or having access to the operating system of any DISA owned, managed, or supported Information System, as applicable to this work, are certified at Level II, in accordance with the DISA SA Certification Program. Required certification must be obtained no later than ninety days (90) following the assignment of the individual to perform work. During this period of 90 days, either an industry (in accordance with NIST Special Publication 800-16) or other DoD agency equivalent certification will be acceptable, but must be followed up by completion of the DISA SA Level II Certification. The Government will provide the training materials (to include CBT and CD), laboratory environment, and the test to enable compliance with this requirement. Classroom attendance in Government conducted training will be made available on a space available basis only. However, the inability to attend Government conducted training will not be justification for noncompliance. All contractor personnel performing duties as a SA will maintain compliancy, as applicable with the Joint Security (System Administrator) Checklists (Available on the DoD IASE/IA Portal, under STIGS, Security Checklists < http://iase.disa.mil/stigs/checklist/index.html >). Any contractor personnel who fail to above applicable certification requirement(s) shall be removed from this task order. The contractor shall be responsible for any retraining expenses required by the individual to meet these requirements. A revised resume showing in detail the retraining actions must be submitted and approved by the Government before an individual can be reinstated. 2.2 Task 2 - Project Management Plan. 2.2.1 Subtask 1 - Project Management Plan. The Contractor shall develop and maintain throughout the Task Order period of performance, a Project Management Plan (PMP) that shall be used as a foundation for information and resource management planning. The Contractor shall deliver the PMP to the Government at the kick-off meeting. The Contractor shall keep the PMP up-to-date, be accessible electronically at any time, and be prepared to brief any PMP content to the Government at short notice (within 24 hours). The PMP shall be used as a foundation for the Project Status Report. 2.2.2 Subtask 2 - Transition Plan. The Contractor shall prepare a Transition Plan to present methodology detailing how transition will occur from the current Contractor(s) to the new contractor. The transition activities shall minimize both loss of support and cost. The Transition Plan shall address, at a minimum, the following areas: Transition of Program Management Support and Other Personnel Transition of Task Requirements in the Task Order Asset Transfers [hardware, software, configuration management systems and content] Resource Requirements [personnel and budget] Security Clearance Actions and Status Transition Milestones and Timeline Risk Mitigation Practices The Contractor will relocate all IA Range equipment, including HW, SW, network, network connectivity, from current location in Stafford, VA to JITC in Indian Head, MD, to be completed within 30 days of commencement of contract, and with no more than 1 week of downtime. 2.3 Task 3 - IA Range Operation. The Contractor shall provide the necessary engineering and technical expertise to maintain and operate the DoD IA Range. The Contractor shall plan, design and execute the construction, integration and operation of future DoD IA Range capabilities in accordance with the DISA IA Range Concept of Operations (CONOPS). The Contractor workforce shall be DoD Directive 8570.1M compliant. 2.3.1 Subtask 1 - Cyber Security. The Contractor shall provide the necessary tools and experienced personnel to support the cyber security requirements of the IA Range. The contractor shall ensure IA Range operations are secure and provide consistent protection during all modes of operations whether for training, equipment evaluation, exercise support, or cyber process development. The Contractor shall define the approach and process for Certification and Accreditation of the DoD IA Range, which will be capable of evaluating unaccredited products, technologies, or developing Programs of Record. The Contractor shall provide the necessary tools and experienced personnel to plan, document and track and perform certification functions of the IA Range. 2.3.2 Subtask 2 - Network and Systems Engineering. The Contractor shall support the processes and technologies used by the current IA Range Architecture that incorporates Enterprise functions, services, and applications provided by DISA for all DoD users on the GIG. The Contractor shall develop or adopt an engineering methodology to allow various network simulations, scenarios, and varying constructs to support testing, training, or exercises either against a specific target system, command, or entity, or a standard fixed environment (operating systems, firewall types, boundary devices, protocols, etc) for various types of organizations or missions. The environment shall be able to be reset to a known baseline when required and shall provide for measurement of effectiveness and proficiency. The Contractor shall demonstrate how their engineering approaches will support planned IA Range operations without sacrificing performance. The Contractor shall provide the necessary experienced personnel to support the buildout and maintenance of multiple simulated networks to meet the IA Range ongoing requirements 2.3.3 Subtask 3 - Network Architecture. The Contractor shall support new and innovative approaches to the current network architecture to achieve a "realistic operational" environment that provides Government personnel with system responses that permit "train as we fight" capabilities. This realistic operational capability contains all pertinent network functions, data, processes, and components to provide a comprehensive "real-world" look and feel for the operator based on their expectations when performing their typical duties. This architecture also incorporate a means for providing connections to Combatant Commands, Services, or Agencies to link their Tier II and III services. Additionally, the Contractor shall provide full spectrum capability to support testing, training, and exercising of cyber security functions across all types of cyberspace operations. The Contractor shall provide the necessary experienced Architecture personnel to support the design, integration and/or configuration of network environments that provide a "realistic operational" environment for the DoD IA Range customers, that closely approximates deployed and garrison operational environments as required. 2.3.4 Subtask 4 - Information Technology (IT). The Contractor shall support the current IT infrastructure environment required to support the DoD IA Range architecture including specific hardware and software technologies, communications equipment, processes and procedures, and integration approaches. The Contractor shall provide the required IT support to establish a SharePoint site (up to 100 GB) and up to 100 SharePoint accounts for designated Government and Contractor support personnel 2.3.5 Subtask 5 - Data Management. The Contractor shall establish a single, centralized system for the management of all data required under this Task Order and associated Task Orders. The Contractor shall make the maximum use of existing data and provide maximum use of technical information. The system shall include facilities for storage of all data developed or utilized for this Task Order and Task Orders and shall provide equal access to this data by IA Range personnel as directed by the Government. The Contractor shall ensure all data is centrally available for review to ensure the integrity of the system and supporting documentation. 2.3.6 Subtask 6 - Independent Verification and Validation (IV&V). The Contractor shall provide IV&V of hardware/software applications provided by other vendors through systematic, objective testing of capabilities on representative equipment, against design specifications or objectives. 2.3.7 Subtask 7 - Software Engineering Support. The Contractor shall be capable of supporting software development needs to ensure adequate integration of technical capabilities necessary for IA Range operations and to meet capability goals to achieve IOC. The software environment used to achieve Initial Operating Capability includes the Security Assessment Simulation Toolset (SAST). The Contractor shall have demonstrated experience with the SAST framework. The Contractor shall develop software modules to support adding new capability into the SAST software. In addition to the above, the Contractor shall also have demonstrated experience with the following in the DoD Tier I, II and III environments: •· GIG Architecture, Engineering, Operations and Support •· MPLS •· HBSS McAfee ePO •· ArcSight SIEM •· Sourcefire IDS •· BreakingPoint •· SAST •· PKI •· CAC •· Classified Environment •· DISA NIPRNet Hardening Services •· Wireless •· VoIP •· IPv6 2.3.8 Subtask 8 - Operations. The Contractor shall provide day-to-day operations of the IA range including all access control, Government requirements analysis, maintenance, CM, and help desk support. The Contractor shall also participate in planning activities and other functions that will require DoD IA Range resources to ensure resources are available and appropriately allocated as required. •• Access control functions. The Contractor shall establish a process by which access to the DoD IA Range is managed for all personnel who require access to perform IA Range functions. Security functions are described in detail. •• Customer Requirements Analysis. The Contractor will develop a process in which IA Range customers can engage in describing their mission objectives and the Contractor shall assist in determining the IA Range resources required to support those mission objectives. The Contractor shall provide assistance to IA Range customers in collecting metric information so as to help measure the effectiveness of achieving the mission objectives initially established. •• Maintenance. The Contractor shall track and manage all Information Assurance Vulnerability Alerts (IAVAs) in accordance with DoD Directive O-8530.1, "Computer Network Defense" on Information Assurance Vulnerability Management (IAVM) for the IA Range environment. The Contractor shall apply upgrades of operating systems, software, hardware, and applications as needed to remain consistent with DoD IA standards and policy and the goals and objectives of the DoD IA Range. •• Configuration Management. The Contractor shall develop a comprehensive configuration management process, IAW DoD Mil-HNBK-61A Configuration Management Guidance, to ensure change requirements are appropriately managed for prioritization approval for development and implementation. The CM process at a minimum shall include an Executive Review Board, and a Configuration Control Board. Other review steps may be included as determined by the Contractor. •• New Capabilities: The Contractor shall support the implementation of required new capabilities through planning, acquisition, engineering, implementation, operation and maintenance. •• Help Desk. The Contractor shall establish a help desk that IA Range users can call when issues arise. This service includes providing both internal and external DoD customers with knowledgeable, problem-solving resolutions, in the shortest time possible to minimize any customer downtime or work stoppage. This capability will be available form 0700 - 1700 Eastern time on workdays and may be available for special mission requirements, such as exercises, approved by the DoD IA Range PM or as necessary to satisfy customer event requirements. Further, the Contractor shall produce operational metrics and analysis to improve the DoD IA Range enterprise customers' experience and reduce Help Desk calls. This support includes, but is not limited to, resetting a target environment in support of exercise or other mission activities, establish access to approved customer areas previously defined, and general operational support issues as they occur. 2.3.9 Subtask 9 - Other DoD CC/S/A IA Range Task Order Support. As the capability matures for the DoD IA Range, other Combatant Command/Service/Agencies (CC/S/A) may seek to utilize the DoD IA Range to support building their own Tier III capabilities, training personnel as Cyber warriors, predployment training, Exercise participation, testing/development of cyber processes and procedures for Cyberspace Operations support, or other cyber activity. Each DoD Agency effort will be treated as a customer event. 2.3.10 Subtask 10 - Other Federal Government Agency Task Order Support. As the capability matures for the DoD IA Range, other Federal Government Agencies (i.e. Department of Homeland Security, US Coast Guard, National Guard, etc) may seek to utilize the DoD IA Range to support building their own capabilities, training personnel as Cyber warriors, Exercise participation, testing/development of cyber processes and procedures for Cyberspace Operations support, or other cyber activity. Each Federal Government Agency effort will be treated as a customer event. 2.4 Task 4 - Mission Areas. The DoD IA Range will be required to support three different mission areas, Training, Testing, and Exercise, by providing the realistic IA Range environment that simulates the actual GIG. The Contractor shall provide Subject Matter Experts (SME's) to support the environments and underlying infrastructure of the IA Range that supports the three mission areas. These SME's shall coordinate with the numerous stakeholders to ensure adequate tracking, review, and analysis is provided for identified requirements and integration into the IA Range. The Contractor shall develop an approach to supporting all three mission areas. Support for all mission areas will be provided from 0700 to 1700 Eastern Time daily and 24/7 support for special mission requirements such as exercises The IA Range provides a Joint Services environment for cyber exercises, CNDSP training, and integration testing and evaluation. This is achieved by maintaining and operating the IA Range infrastructure that is used by customers such as: •· Exercise leaders who design and execute exercises •· Trainers who develop curricula and teach students •· Test directors who test and evaluate systems on the IA Range. The IA Range is the GIG-like environment that permits customers to flexibly integrate their own non-production environments and services so as to meet their mission objectives for exercising, training and testing. 2.4.1 Subtask 1 - Training. The DoD IA Range will support numerous training missions. The Contractor shall assist customers in determining IA Range requirements that adequately support customer training requirements, configuring the IA Range to support those training needs, and to assist with metric collection information to measure the effectiveness of the training. The Contractor shall also assist in analyzing how best to achieve the desired training through the IA Range proper environment configuration. The Contractor shall ensure the environment to support the IA/CND training will be as close to realistic as technically possible and yet flexible enough to be tailored to the specific needs of the training activity, course, student, or equipment/tool. The Contractor shall support various training approaches and objectives as required to achieve designated training requirements. 2.4.2 Subtask 2 - Testing. The DoD IA Range will support the Test and Evaluation of numerous DoD Programs of Record (POR). The Contractor shall assist customers in analyzing how to configure the IA Range to support testing POR and major systems under development, configuring the IA Range to support those system evaluation needs, and to assist with metric collection information to measure the effectiveness of the testing activities. The Contractor shall also assist in analyzing how best to achieve the desired testing through the IA Range with proper environment configuration control. The Contractor shall manage the environment such that it could support vendor "cook-offs". The environment to support Program of Record, Systems of Systems and vendor cook-offs will be as close to realistic as technically possible and yet flexible enough to be tailored to the specific needs of the system or systems being tested. 2.4.3 Subtask 3 - Exercising. The IA Range will be utilized to support numerous DoD exercises with realistic cyber scenarios. The Contractor shall provide the capability (personnel, management, security, and facilities) to support DoD exercises utilizing the IA Range. The Contractor shall participate in exercise, planning conferences, scenario development, and execution functions as required. The Contractor shall ensure color team personnel (White, Green, Blue, Red, and others) are provided accesses, as appropriate and authorized, and support equipment necessary to perform their exercise functions. The Contractor shall participate in exercise debriefs as appropriate and provide metric information and analysis of how the IA Range performed in a support role during the exercise. 3.0 Travel. Local travel within the National Capital Region is required and authorized. Other travel may be required and authorized. The Government will review for approval all travel orders under this contract prior to the travel taking place. The Contractor shall provide an estimate of required travel to support this effort. 4.0 Security Requirements. This section shall be considered a supplement to block 15 of the Government provided DD 254, Contract Classification Specification. The following security requirements shall apply to this effort. 4.1 Facility Security Clearance. The work to be performed under this contract is up to and including the Top Secret level and may require Sensitive Compartmented Information (SCI) access eligibility. Therefore the company must have a final Top Secret Facility Clearance Level (FCL) from the Defense Industrial Security Clearance Office (DISCO). 4.2 Security Clearance and Information Technology (IT) Level. All personnel performing on this contract will be U.S. citizens. There are two levels of personnel security requirements under this contract: 4.2.1 All system information assurance (IA) technical support positions require a minimum of interim Secret or interim Top Secret security clearance and interim IT-I (privileged level systems access) eligibility when performance starts. 4.2.1.1 Personnel requiring Top Secret security clearance and/or IT-I eligibility may be considered for a waiver to hire on a case-by-case basis if they do not currently possess their required clearance and/or investigation. Requests for waivers are to be submitted to the Task Monitor, in writing. Waivers will only be considered if: 4.2.1.1.1 The individual has been granted at least an Interim Secret clearance and no known derogatory information exists based on review of the individual's SF 86 by the contractor Facility Security Officer (FSO). 4.2.1.1.2 There is sufficient work to be done at the lower level. An oversight plan will be submitted to the TM for approval and any privileged access will be actively supervised by an IT-I vetted individual. 4.2.1.1.3 Continued performance on this contract is contingent upon receipt of final required clearance and/IT position eligibility. 4.2.2 Administrative and Support positions such as Editor/Analysts and Administrative Assistants performing in roles listed above shall have a minimum interim Secret security clearance and interim IT-II (user level systems access) eligibility when performance starts. 5.0 Information Security and other miscellaneous requirements. 5.1 Contractor personnel will generate or handle documents that contain FOUO information, at both Government and contractor facilities. Storage of any Government classified information or materials at the contractor's facility under this contract are not authorized, unless specific exception is granted by the Government Task Monitor. Any exception for the contractor to store classified will require the contractor's facility to be approved for classified storage by the Defense Security Service (DSS) and appropriate modification of the DD 254. Contractor shall have access to, generate, and handle classified material at Government and contractor facilities. All contractor deliverables shall be marked at a minimum FOUO, unless otherwise directed by the Government. The contractor shall comply with the provisions of the DoD Industrial Security Manual for handling classified material and producing deliverables. The contractor shall comply with DISA Instruction 630-230-19. •5.2 Sensitive Data Stored at Contractor Facilities. The contractor shall ensure that FSO and customer data stored at contractor facilities is protected in compliance with the FSO Security Standard Operating Procedures and the National Industrial Security Program Operating Manual (NISPOM). •5.3 Purchase of Materials on Behalf of the Government. The contractor, at the direction of the Government, shall purchase materials (e.g. ADPE) that will be used in support of this PWS. Any materials purchased on behalf of the Government will become the property of the Government. Responses: Responses to this RFI are to be submitted by e-mail to Sue McCarl susan.mccarl@disa.mil, Paul Wilson paul.wilson@disa.mil, and Jody Swartz jody.swartz2@disa.mil, and RECEIVED by 1 December 2010 at 4:00pm CST. Responses must be single-spaced, Times New Roman, 12 point font, with one inch margins, and compatible with MS Office Word 2003. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personal reviewing RFI responses will have signed non-disclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/DISA/D4AD/DITCO/MAC0016/listing.html)
- Record
- SN02331908-W 20101124/101122234138-3e7ab16567d671cdf7e6974243227788 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
| FSG Index | This Issue's Index | Today's FBO Daily Index Page |