MODIFICATION
99 -- ServiceNow - Solicitation 1
- Notice Date
- 6/5/2018
- Notice Type
- Modification/Amendment
- NAICS
- 541611 — Administrative Management and General Management Consulting Services
- Contracting Office
- Other Defense Agencies, USCYBERCOM, USCYBERCOM Contracting, 9800 Savage Road, Ste 6317, Fort Meade, Maryland, 20755, United States
- ZIP Code
- 20755
- Solicitation Number
- HB0001-18-R-0012
- Archive Date
- 6/29/2018
- Point of Contact
- Robert Sheehan, Phone: 4108543914, Jessica Storms,
- E-Mail Address
- rasheeh@cybercom.mil, proposal_submission@cybercom.mil
- Small Business Set-Aside
- N/A
- Description
- Modified Solicitation - Proposals Due Date: 15 June 2018

RFP Questions Received

** WHEN SUBMITTING PROPOSALS, CLEARLY INDICATE KNOWLEDGE/REVIEW OF THE UPDATED SOLICITATION HB0001-18-R-0012-P0001 BY STATING: "This proposal is being submitted after review of HB0001-18-R-0012-P0001." Additionally, review the attachment "RFP Questions" for all questions received, along with the answers. **

Section SF 1449 - CONTINUATION SHEET

ASSET & CONFIGURATION MGMT

Contents
1. Scope
2. Tasks
3. Place of Performance
4. Contractor Staffing Requirements
5. Period of Performance
6. Task Order Type
7. Security Requirements - Information Security and other miscellaneous requirements
7.1. Personnel:
7.1.1. Individual Security Clearance:
7.1.2. System Administrators Security Requirements:
8. Deliverables:

1. Scope
The contractor shall procure ServiceNow professional consulting services to perform the implementation, configuration, training, operations and maintenance of USCYBERCOM's ServiceNow Asset Management and Configuration Management features.
Referenced Document: Concept of Operations for IT Service Management, dated March 21, 2018

2. Tasks
The services the contractor shall provide consist of the following:
2.1. Project Management
The contractor shall provide project management oversight for all tasks under this award. Project management services shall be consistent with the best practices identified by the Project Management Institute.
2.2. Out of the Box Functionality
2.2.1. The contractor shall utilize out of the box functionality as the preferred implementation approach. The objective of utilizing "out of the box" functionality is to ensure that USCYBERCOM is able to upgrade to future versions of ServiceNow without requiring additional expenses due to customization to migrate to the new versions.
2.2.2. Customization Approval: If the contractor proposes a customization, employing other than ServiceNow "out of the box" functionality, the contractor will obtain prior approval from the COR.
2.3. ServiceNow architecture, installation and configuration:
2.3.1. The contractor shall design the overall architecture and ITSM architecture of the ServiceNow application within the unclassified security enclave. The hosted location for the unclassified security enclave will be the AWS GovCloud unclassified cloud environment.
2.3.2. The contractor shall install and configure the listed ServiceNow features to operate within the USCYBERCOM unclassified environment. The features to be implemented shall be in accordance with the attached Concept of Operations for IT Service Management.
The features to be implemented are:
2.3.2.1. Asset Management;
2.3.2.2. Configuration Management;
2.3.2.3. Discovery.
2.4. Asset Management and Configuration Management Processes:
2.4.1. ITIL Process Definition: The contractor shall work with USCYBERCOM to define and customize the ITIL industry best practices related to Asset Management (AM) and Configuration Management (CM) to operate within USCYBERCOM.
2.4.2. ITIL Policy Guidance: The contractor shall provide guidance to USCYBERCOM regarding corresponding AM and CM policies that shall support the implementation of AM and CM within USCYBERCOM.
2.5. Data Exchange with National Security Administration (NSA) instance of ServiceNow
2.5.1. The contractor shall implement the exchange of data between USCYBERCOM's instance of ServiceNow and NSA's instance of ServiceNow.
2.6. Knowledge Transfer: The contractor shall provide technical and functional knowledge transfer of each configured feature(s) implemented to the USCYBERCOM IT operations and maintenance organization. This knowledge transfer shall consist of both informal and formal methods. Additionally, the contractor shall produce documentation to correspond to the "AS BUILT" configuration of each application to be used by the technical operations and maintenance organization.
2.7. End User Training: The contractor shall develop end user training materials for each application prior to going live. This training shall consist primarily of "just-in-time" training, utilizing a self-service training model and a combination of video screen captures and textual materials.
2.8. Operations and Maintenance Support: The contractor shall provide ongoing operations and maintenance (O&M) support for the ServiceNow installation and configuration. This O&M support shall include maintaining the ServiceNow installation, configurations and support for the AM, CM and Discovery features as well as upgrading the ServiceNow application itself if required.
O&M does not include supporting the operating system or functionality below the ServiceNow application layer.

3. Place of Performance
Performance for this order shall be at USCYBERCOM's primary offices, located at 9800 Savage Road, Ft. Meade, Maryland 20755. All work will be performed within USCYBERCOM's offices in the greater Ft. Meade, Maryland area.

4. Contractor Staffing Requirements
The contractor shall propose the labor category mix and hours to complete the tasking herein. The staffing plan shall identify personnel critical to accomplishing the work and proposed clearances for each full time equivalent.

5. Period of Performance
The period of performance will be five (5) months from task order award.

6. Task Order Type
This task order will be issued as a Time and Materials award.

AM/CM SOW Page 5 of 7 05/22/18

7. Security Requirements - Information Security and other miscellaneous requirements
7.1. Personnel:
7.1.1. Individual Security Clearance: All individuals working on this task order must possess an active Top Secret (TS)/Sensitive Compartmented Information (SCI) clearance with a Counter Intelligence Polygraph (CI Poly) (TS/SCI with CI Poly).
7.1.2. System Administrators Security Requirements: Staff who may be system administrators or require elevated network or systems access must comply with DoD 8570.01-M requirements in addition to an active TS/SCI with CI polygraph.

8. Deliverables:
The following is a list of consolidated deliverables. All deliverables shall be sent softcopy to the Contracting Officer's Representative (COR). For deliverables that are not documentation, a delivery memo shall be sent to the COR, specifying the deliverable and date delivered.

| Deliverable Number | Deliverable Reference | Deliverable Name | Deliverable Format | Government or Contractor Format | Due Date |
|---|---|---|---|---|---|
| 1 | 4.1 | Project Kickoff | Meeting/ Kickoff presentation | Contractor | 10 days after contract start date |
| 2 | 4.1 | Communication Plan | MS Word | Contractor | 15 days after contract start date |
| 3 | 4.1 | Risk Management Plan | MS Word | Contractor | 15 days after contract start date |
| 4 | 4.1 | Issue Management Plan | MS Word | Contractor | 15 days after contract start date |
| 5 | 4.1 | Project Schedule | MS Project | Contractor | 15 days after contract start date, then weekly updates |
| 6 | 4.2 | ServiceNow Software | Physical Media | | 5 days after contract start date |
| 7 | 4.3 | Install and configure baseline ServiceNow software in Unclassified environment | Functioning baseline application | | 10 days after USCYBERCOM provides hosting environment |
| 8 | 4.4 | Asset Management Concept of Operations Document | MS Word/Visio | Government | 35 days after contract start date |
| 9 | 4.4 | Configuration Management Concept of Operations Document | MS Word/Visio | Government | 35 days after contract start date |
| 10 | 4.7 | Security CONOPS | MS Word/Visio | Government | 45 days after contract start date |
| 11 | 4.7 | Configure Management Plan | MS Word/Visio | Government | 45 days after contract start date |
| 12 | 4.7 | System Security Plan | MS Word/Visio | Government | 75 days after contract start date |

ITEM NO SUPPLIES/SERVICES QUANTITY UNIT UNIT PRICE AMOUNT
0001 Task Asset and Configuration Management
FFP
FOB: Destination
NET AMT

INSPECTION AND ACCEPTANCE TERMS
Supplies/services will be inspected/accepted at:

| CLIN | INSPECT AT | INSPECT BY | ACCEPT AT | ACCEPT BY |
|---|---|---|---|---|
| 0001 | Destination | Government | Destination | Government |

DELIVERY INFORMATION

| CLIN | DELIVERY DATE | QUANTITY | SHIP TO ADDRESS | DODAAC / CAGE |
|---|---|---|---|---|
| 0001 | N/A | N/A | N/A | N/A |

CLAUSES INCORPORATED BY REFERENCE
52.202-1 Definitions NOV 2013
52.203-2 Certificate Of Independent Price Determination APR 1985
52.203-3 Gratuities APR 1984
52.203-6 Restrictions On Subcontractor Sales To The Government SEP 2006
52.203-11 Certification And Disclosure Regarding Payments To Influence Certain Federal Transactions SEP 2007
52.203-12 Limitation On Payments To Influence Certain Federal Transactions OCT 2010
52.203-17 Contractor Employee Whistleblower Rights and Requirement To Inform Employees of Whistleblower Rights APR 2014
52.204-2 Security Requirements AUG 1996
52.204-4 Printed or Copied Double-Sided on Postconsumer Fiber Content Paper MAY 2011
52.204-7 System for Award Management OCT 2016
52.204-9 Personal Identity Verification of Contractor Personnel JAN 2011
52.204-10 Reporting Executive Compensation and First-Tier Subcontract Awards OCT 2016
52.204-14 Service Contract Reporting Requirements OCT 2016
52.204-18 Commercial and Government Entity Code Maintenance JUL 2016
52.204-19 Incorporation by Reference of Representations and Certifications. DEC 2014
52.209-2 Prohibition on Contracting with Inverted Domestic Corporations--Representation NOV 2015
52.215-1 Instructions to Offerors--Competitive Acquisition JAN 2017
52.215-6 Place of Performance OCT 1997
52.215-8 Order of Precedence--Uniform Contract Format OCT 1997
52.217-5 Evaluation Of Options JUL 1990
52.217-8 Option To Extend Services NOV 1999
52.217-9 Option To Extend The Term Of The Contract MAR 2000
52.219-1 Small Business Program Representations OCT 2014
52.219-2 Equal Low Bids OCT 1995
52.219-6 Notice Of Total Small Business Set-Aside NOV 2011
52.222-3 Convict Labor JUN 2003
52.222-19 Child Labor -- Cooperation with Authorities and Remedies JAN 2018
52.222-20 Contracts for Materials, Supplies, Articles, and Equipment Exceeding $15,000 MAY 2014
52.222-25 Affirmative Action Compliance APR 1984
52.222-26 Equal Opportunity SEP 2016
52.222-26 (Dev) Equal Opportunity (Deviation 2017-O0008) SEP 2017
52.222-36 Equal Opportunity for Workers with Disabilities JUL 2014
52.222-36 (Dev) Equal Opportunity for Workers with Disabilities (Deviation 2017-O0008) SEP 2017
52.222-36 Alt I Equal Opportunity for Workers with Disabilities (July 2014) - Alternate I JUL 2014
52.222-36 Alt I (Dev) Equal Opportunity for Workers with Disabilities (SEPT 2017) - Alternate I (Deviation 2017-O0008) SEP 2017
52.222-37 Employment Reports on Veterans FEB 2016
52.222-46 Evaluation Of Compensation For Professional Employees FEB 1993
52.222-50 Combating Trafficking in Persons MAR 2015
52.222-50 Combating Trafficking in Persons MAR 2015
52.222-55 Minimum Wages Under Executive Order 13658 DEC 2015
52.222-62 Paid Sick Leave Under Executive Order 13706 JAN 2017
52.223-6 Drug-Free Workplace MAY 2001
52.223-18 Encouraging Contractor Policies To Ban Text Messaging While Driving AUG 2011
52.224-1 Privacy Act Notification APR 1984
52.224-2 Privacy Act APR 1984
52.224-3 Privacy Training JAN 2017
52.227-14 Rights in Data--General MAY 2014
52.232-8 Discounts For Prompt Payment FEB 2002
52.233-1 Disputes MAY 2014
52.233-1 Alt I Disputes (May 2014) - Alternate I DEC 1991
52.233-3 Protest After Award AUG 1996
52.242-15 Stop-Work Order AUG 1989
52.243-4 Changes JUN 2007
52.249-2 Termination For Convenience Of The Government (Fixed-Price) APR 2012
52.249-2 Alt I Termination for Convenience of the Government (Fixed-Price) (Apr 2012) - Alternate I SEP 1996
52.249-2 Alt II Termination For Convenience Of The Government (Fixed Price) (Apr 2012) - Alternate II SEP 1996
52.249-8 Default (Fixed-Price Supply & Service) APR 1984
52.249-8 Alt I Default (Fixed-Price Supply and Service) (Apr 1984) - Alternate I APR 1984
52.249-14 Excusable Delays APR 1984
52.252-2 Clauses Incorporated By Reference FEB 1998
252.203-7002 Requirement to Inform Employees of Whistleblower Rights SEP 2013
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting OCT 2016
252.211-7008 Use of Government-Assigned Serial Numbers SEP 2010
252.223-7004 Drug Free Work Force SEP 1988
252.232-7003 Electronic Submission of Payment Requests and Receiving Reports JUN 2012
252.232-7006 Wide Area WorkFlow Payment Instructions MAY 2013
252.239-7010 Cloud Computing Services OCT 2016
252.239-7017 Notice of Supply Chain Risk NOV 2013
252.247-7023 Transportation of Supplies by Sea APR 2014

CLAUSES INCORPORATED BY FULL TEXT

52.219-4 NOTICE OF PRICE EVALUATION PREFERENCE FOR HUBZONE SMALL BUSINESS CONCERNS (OCT 2014) (a) Definitions. See 13 CFR 125.6(e) for definitions of terms used in paragraph (d). (b) Evaluation preference. (1) Offers will be evaluated by adding a factor of 10 percent to the price of all offers, except-- (i) Offers from HUBZone small business concerns that have not waived the evaluation preference; and (ii) Otherwise successful offers from small business concerns. (2) The factor of 10 percent shall be applied on a line item basis or to any group of items on which award may be made.
Other evaluation factors described in the solicitation shall be applied before application of the factor. (3) When the two highest rated offerors are a HUBZone small business concern and a large business, and the evaluated offer of the HUBZone small business concern is equal to the evaluated offer of the large business after considering the price evaluation preference, award will be made to the HUBZone small business concern. (c) Waiver of evaluation preference. A HUBZone small business concern may elect to waive the evaluation preference, in which case the factor will be added to its offer for evaluation purposes. The agreements in paragraphs (d) and (e) of this clause do not apply if the offeror has waived the evaluation preference. ___ Offeror elects to waive the evaluation preference. (d) Agreement. A HUBZone small business concern agrees that in the performance of the contract, in the case of a contract for (1) Services (except construction), at least 50 percent of the cost of personnel for contract performance will be spent for employees of the concern or employees of other HUBZone small business concerns; (2) Supplies (other than procurement from a nonmanufacturer of such supplies), at least 50 percent of the cost of manufacturing, excluding the cost of materials, will be performed by the concern or other HUBZone small business concerns; (3) General construction. 
(i) At least 15 percent of the cost of contract performance to be incurred for personnel will be spent on the prime contractor's employees; (ii) At least 50 percent of the cost of the contract performance to be incurred for personnel will be spent on the prime contractor's employees or on a combination of the prime contractor's employees and employees of HUBZone small business concern subcontractors; (iii) No more than 50 percent of the cost of contract performance to be incurred for personnel will be subcontracted to concerns that are not HUBZone small business concerns; or (4) Construction by special trade contractors. (i) At least 25 percent of the cost of contract performance to be incurred for personnel will be spent on the prime contractor's employees; (ii) At least 50 percent of the cost of the contract performance to be incurred for personnel will be spent on the prime contractor's employees or on a combination of the prime contractor's employees and employees of HUBZone small business concern subcontractors; (iii) No more than 50 percent of the cost of contract performance to be incurred for personnel will be subcontracted to concerns that are not HUBZone small business concerns. (e) A HUBZone joint venture agrees that the aggregate of the HUBZone small business concerns to the joint venture, not each concern separately, will perform the applicable percentage of work requirements. (f)(1) When the total value of the contract exceeds $25,000, a HUBZone small business concern nonmanufacturer agrees to furnish in performing this contract only end items manufactured or produced by HUBZone small business concern manufacturers. (2) When the total value of the contract is equal to or less than $25,000, a HUBZone small business concern nonmanufacturer may provide end items manufactured by other than a HUBZone small business concern manufacturer provided the end items are produced or manufactured in the United States. 
(3) Paragraphs (f)(1) and (f)(2) of this section do not apply in connection with construction or service contracts. (g) Notice. The HUBZone small business offeror acknowledges that a prospective HUBZone awardee must be a HUBZone small business concern at the time of award of this contract. The HUBZone offeror shall provide the Contracting Officer a copy of the notice required by 13 CFR 126.501 if material changes occur before contract award that could affect its HUBZone eligibility. If the apparently successful HUBZone offeror is not a HUBZone small business concern at the time of award of this contract, the Contracting Officer will proceed to award to the next otherwise successful HUBZone small business concern or other offeror. (End of clause) 52.225-25 PROHIBITION ON CONTRACTING WITH ENTITIES ENGAGING IN CERTAIN ACTIVITIES OR TRANSACTIONS RELATING TO IRAN--REPRESENTATION AND CERTIFICATIONS. (OCT 2015) (a) Definitions. As used in this provision-- Person-- (1) Means-- (i) A natural person; (ii) A corporation, business association, partnership, society, trust, financial institution, insurer, underwriter, guarantor, and any other business organization, any other nongovernmental entity, organization, or group, and any governmental entity operating as a business enterprise; and (iii) Any successor to any entity described in paragraph (1)(ii) of this definition; and (2) Does not include a government or governmental entity that is not operating as a business enterprise. 
Sensitive technology-- (1) Means hardware, software, telecommunications equipment, or any other technology that is to be used specifically-- (i) To restrict the free flow of unbiased information in Iran; or (ii) To disrupt, monitor, or otherwise restrict speech of the people of Iran; and (2) Does not include information or informational materials the export of which the President does not have the authority to regulate or prohibit pursuant to section 203(b)(3) of the International Emergency Economic Powers Act (50 U.S.C. 1702(b)(3)). (b) The offeror shall email questions concerning sensitive technology to the Department of State at CISADA106@state.gov. (c) Except as provided in paragraph (d) of this provision or if a waiver has been granted in accordance with 25.703-4, by submission of its offer, the offeror- (1) Represents, to the best of its knowledge and belief, that the offeror does not export any sensitive technology to the government of Iran or any entities or individuals owned or controlled by, or acting on behalf or at the direction of, the government of Iran; (2) Certifies that the offeror, or any person owned or controlled by the offeror, does not engage in any activities for which sanctions may be imposed under section 5 of the Iran Sanctions Act. These sanctioned activities are in the areas of development of the petroleum resources of Iran, production of refined petroleum products in Iran, sale and provision of refined petroleum products to Iran, and contributing to Iran's ability to acquire or develop certain weapons or technologies; and (3) Certifies that the offeror, and any person owned or controlled by the offeror, does not knowingly engage in any transaction that exceeds $3,500 with Iran's Revolutionary Guard Corps or any of its officials, agents, or affiliates, the property and interests in property of which are blocked pursuant to the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.) 
(see OFAC's Specially Designated Nationals and Blocked Persons List at http://www.treasury.gov/ofac/downloads/t11sdn.pdf). (d) Exception for trade agreements. The representation requirement of paragraph (c)(1) and the certification requirements of paragraphs (c)(2) and (c)(3) of this provision do not apply if- (1) This solicitation includes a trade agreements notice or certification (e.g., 52.225-4, 52.225-6, 52.225-12, 52.225-24, or comparable agency provision); and (2) The offeror has certified that all the offered products to be supplied are designated country end products or designated country construction material. (End of provision) 252.204-7012 SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (OCT 2016) (a) Definitions. As used in this clause-- Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred. Contractor attributional/proprietary information means information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company. Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. 
Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. Covered contractor information system means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. Covered defense information means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is-- (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Forensic analysis means the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Malicious software means computer software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. 
This definition includes a virus, worm, Trojan horse, or other code-based entity that infects a host, as well as spyware and some forms of adware. Media means physical devices or writing surfaces including, but is not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system. Operationally critical support means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. Rapidly report means within 72 hours of discovery of any cyber incident. Technical information means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data--Noncommercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code. (b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. 
To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections: (1) For covered contractor information systems that are part of an information technology (IT) service or system operated on behalf of the Government, the following security requirements apply: (i) Cloud computing services shall be subject to the security requirements specified in the clause 252.239-7010, Cloud Computing Services, of this contract. (ii) Any other such IT service or system (i.e., other than cloud computing) shall be subject to the security requirements specified elsewhere in this contract. (2) For covered contractor information systems that are not part of an IT service or system operated on behalf of the Government and therefore are not subject to the security requirement specified at paragraph (b)(1) of this clause, the following security requirements apply: (i) Except as provided in paragraph (b)(2)(ii) of this clause, the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" (available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer. (ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award. (B) The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO.
The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place. (C) If the DoD CIO has previously adjudicated the contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract. (D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment. (3) Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan. (c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall-- (i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and (ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil. (2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at http://dibnet.dod.mil. (3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx. (d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer. (e) Media preservation and protection. 
When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. (f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis. (g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause. (h) DoD safeguarding and use of contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the contractor (or derived from information obtained from the contractor) under this clause that includes contractor attributional/proprietary information, including such information submitted in accordance with paragraph (c). To the maximum extent practicable, the Contractor shall identify and mark attributional/proprietary information. In making an authorized release of such information, the Government will implement appropriate procedures to minimize the contractor attributional/proprietary information that is included in such authorized release, seeking to include only that information that is necessary for the authorized purpose(s) for which the information is being released. (i) Use and release of contractor attributional/proprietary information not created by or for DoD. 
Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is not created by or for DoD is authorized to be released outside of DoD-- (1) To entities with missions that may be affected by such information; (2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents; (3) To Government entities that conduct counterintelligence or law enforcement investigations; (4) For national security purposes, including cyber situational awareness and defense purposes (including with Defense Industrial Base (DIB) participants in the program at 32 CFR part 236); or (5) To a support services contractor (``recipient'') that is directly supporting Government activities under a contract that includes the clause at 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information. (j) Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this clause that is created by or for DoD (including the information submitted pursuant to paragraph (c) of this clause) is authorized to be used and released outside of DoD for purposes and activities authorized by paragraph (i) of this clause, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government's use and release of such information. (k) The Contractor shall conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data. (l) Other safeguarding or reporting requirements. 
The safeguarding and cyber incident reporting required by this clause in no way abrogates the Contractor's responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements. (m) Subcontracts. The Contractor shall-- (1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties. The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information and will require protection under this clause, and, if necessary, consult with the Contracting Officer; and (2) Require subcontractors to-- (i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(B) of this clause; and (ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause. (End of clause) 252.213-7000 NOTICE TO PROSPECTIVE SUPPLIERS ON USE OF SUPPLIER PERFORMANCE RISK SYSTEM IN PAST PERFORMANCE EVALUATIONS (MAR 2018) (a) The Supplier Performance Risk System (SPRS) application (https://www.ppirssrng.csd.disa.mil/) will be used in the evaluation of suppliers' past performance in accordance with DFARS 213.106-2(b)(i). 
(b) SPRS collects quality and delivery data on previously awarded contracts and orders from existing Department of Defense reporting systems to classify each supplier's performance history by Federal supply class (FSC) and product or service code (PSC). The SPRS application provides the contracting officer quantifiable past performance information regarding a supplier's quality and delivery performance for the FSC and PSC of the supplies being purchased. (c) The quality and delivery classifications identified for a supplier in SPRS will be used by the contracting officer to evaluate a supplier's past performance in conjunction with the supplier's references (if requested) and other provisions of this solicitation under the past performance evaluation factor. The Government reserves the right to award to the supplier whose quotation or offer represents the best value to the Government. (d) SPRS classifications are generated monthly for each contractor and can be reviewed by following the access instructions in the SPRS User's Manual found at https://www.ppirssrng.csd.disa.mil/pdf/PPIRS-SR_UserMan.pdf. Contractors are granted access to SPRS for their own classifications only. Suppliers are encouraged to review their own classifications, the SPRS reporting procedures and classification methodology detailed in the SPRS User's Manual, and SPRS Evaluation Criteria available from the references at https://www.ppirssrng.csd.disa.mil/pdf/SPRS_DataEvaluationCriteria.pdf. The method to challenge a rating generated by SPRS is provided in the User's Manual. (End of provision) 252.225-7048 EXPORT-CONTROLLED ITEMS (JUNE 2013) (a) Definition. ``Export-controlled items,'' as used in this clause, means items subject to the Export Administration Regulations (EAR) (15 CFR Parts 730-774) or the International Traffic in Arms Regulations (ITAR) (22 CFR Parts 120-130). The term includes-- (1) ``Defense items,'' defined in the Arms Export Control Act, 22 U.S.C. 
2778(j)(4)(A), as defense articles, defense services, and related technical data, and further defined in the ITAR, 22 CFR Part 120; and (2) ``Items,'' defined in the EAR as ``commodities'', ``software'', and ``technology,'' terms that are also defined in the EAR, 15 CFR 772.1. (b) The Contractor shall comply with all applicable laws and regulations regarding export-controlled items, including, but not limited to, the requirement for contractors to register with the Department of State in accordance with the ITAR. The Contractor shall consult with the Department of State regarding any questions relating to compliance with the ITAR and shall consult with the Department of Commerce regarding any questions relating to compliance with the EAR. (c) The Contractor's responsibility to comply with all applicable laws and regulations regarding export-controlled items exists independent of, and is not established or limited by, the information provided by this clause. (d) Nothing in the terms of this contract adds, changes, supersedes, or waives any of the requirements of applicable Federal laws, Executive orders, and regulations, including but not limited to- (1) The Export Administration Act of 1979, as amended (50 U.S.C. App. 2401, et seq.); (2) The Arms Export Control Act (22 U.S.C. 2751, et seq.); (3) The International Emergency Economic Powers Act (50 U.S.C. 1701, et seq.); (4) The Export Administration Regulations (15 CFR Parts 730-774); (5) The International Traffic in Arms Regulations (22 CFR Parts 120-130); and (6) Executive Order 13222, as extended. (e) The Contractor shall include the substance of this clause, including this paragraph (e), in all subcontracts. (End of clause)
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/notices/a98e77416274c15281aa729c3a85d172)
- Place of Performance
- Address: 9800 Savage Road, Fort Meade, Maryland, 20755-6940, United States
- Zip Code: 20755-6940
- Record
- SN04944261-W 20180607/180605231200-a98e77416274c15281aa729c3a85d172 (fbodaily.com)