Loren Data's SAM Daily™

 fbodaily.com
Home Today's SAM Search Archives Numbered Notes CBD Archives Subscribe
SAMDAILY.US - ISSUE OF JULY 29, 2022 SAM #7546
SOURCES SOUGHT

D -- Hydropower Control System Technical Support (SCADA)

Notice Date
7/27/2022 1:37:36 PM
 
Notice Type
Sources Sought
 
NAICS
541512 — Computer Systems Design Services
 
Contracting Office
W071 ENDIST KANSAS CITY KANSAS CITY MO 64106-2896 USA
 
ZIP Code
64106-2896
 
Solicitation Number
W912DQ22R10SS
 
Response Due
8/5/2022 11:00:00 AM
 
Archive Date
08/20/2022
 
Point of Contact
Richard A. Mathena, Phone: 8163892041, Christopher W. Anderson, Phone: 8163893850
 
E-Mail Address
richard.a.mathena@usace.army.mil, Christopher.W.Anderson@usace.army.mil
(richard.a.mathena@usace.army.mil, Christopher.W.Anderson@usace.army.mil)
 
Small Business Set-Aside
SBA Total Small Business Set-Aside (FAR 19.5)
 
Description
PERFORMANCE WORK STATEMENT� Hydropower Control Systems Technical Support Harry S. Truman Power Plant, Warsaw, MO, and Stockton Power Plant Stockton, MO Part 1: General Information 1. GENERAL. This is a non-personnel services contract to provide Hydropower Control Systems Technical Support. The Government shall not exercise any supervision or control over the contract service providers performing the services herein. �Such contract service providers shall be accountable solely to the Contractor who, in turn is responsible to the Government. 1.1 DESCRIPTION OF SERVICES. Provide all personnel, equipment, supplies, transportation, tools, materials, supervision, and other items and non-personal services necessary to perform Hydropower Control Systems Technical Support as defined in this Performance Work Statement except for those items specified as government furnished property and services. �The contractor shall perform to the standards in this contract. 1.2 BACKGROUND. �The Harry S. Truman Power Plant (HST) is located in Warsaw, MO on the Harry S. Truman Reservoir, and the Lake of the Ozarks. It has six slant-axis generators/motors with Kaplan turbines. �The Stockton Power Plant (STK) is located in Stockton, MO on the Stockton Reservoir, and the Sac River. It has a single vertical axis generator with a Kaplan turbine. The hydropower control systems are real-time operational technology (OT) systems used to control and/or monitor various functions such as power generation, auxiliaries, and switchyards. They use a combination of IT and OT type hardware and software. The primary hydropower control system at HST and STK is the supervisory control and data acquisition (SCADA) system. STK is remote operated from HST. The SCADA system is a closed restricted system that�s maintained at an interim secure state (ISS).� 1.3 OBJECTIVE. �Provide technical support to the Government in support of the operations and maintenance of the hydropower control systems at HST and STK.� 1.4 PERIOD OF PERFORMANCE. The period of performance shall be for one (1) base year of 12 months and two (2) 12-month option years. The period of performance reads as follows: Base Year, Option Year I, Option Year II. 1.5 CONTRACTOR PERSONNEL. The Contractor must ensure that personnel accessing OT systems have the proper and current cybersecurity certification to perform cybersecurity functions: DOD Directive 8140.01, DOD 8570.01-M, and DA PAM 25-2-6. 1.6 QUALITY ASSURANCE. �The Government will evaluate the Contractor�s performance in accordance with the Quality Assurance Surveillance Plan. This plan is primarily focused on what the Government must do to ensure that the contractor has performed in accordance with the performance standards. �It defines how the performance standards will be applied, the frequency of surveillance, and the minimum acceptable defect rate(s). � � �� 1.7 HOURS OF OPERATION. �Normal hours of operation at HST and STK are 06:00 and 16:30 Monday thru Friday excluding Federal holidays or when the Government facilities are closed due to local or national emergencies, administrative closings, or similar Government directed facility closings.� 1.8 PLACE OF PERFORMANCE. Onsite technical support will be performed at HST and/or STK. Offsite technical support will be performed at the Contractor�s place of business or other location(s) with minimal disturbances. 1.9 SAFETY. �All onsite technical support must be performed in compliance with the current version of the EM 385-1-1, �U.S. Army Corps of Engineer�s Safety and Health Requirements Manual,� and local policies/procedures including arc flash and the hazardous energy control program. http://www.publications.usace.army.mil/Portals/76/Publications/EngineerManuals/EM_3�� �85-1-1.pdf 1.9.1. Furnish a site-specific Accident Prevention Plan (APP) within 30 days of contract award. Prepare the APP in accordance with the format and requirements of USACE EM 385-1-1. �Cover all paragraph and subparagraph elements in USACE EM 385-1-1, Appendix A, ""Minimum Basic Outline for Accident Prevention Plan"". �The APP shall be job-specific and address any unusual or unique aspects of the project or activity for which it is written. 1.9.2. Furnish an Activity Hazard Analysis within 30 days of contract award. �The Activity Hazard Analysis must address all foreseeable safety concerns such as electrical safety, safety zone protection, fall protection, fire safety, personal protective equipment, signage/protective fencing, and hazardous material handling. 1.10 ANTITERRORISM/OPERATIONS SECURITY REQUIREMENT. �All Contractor and all associated sub?Contractors employees shall comply with applicable security policies and procedures at the contracted work location (provided by the authorized Government representative). �All Contractor and all associated sub?Contractors employees will carry a Government issued photo ID for personal identity verification requirements. �In addition to the changes otherwise authorized by the changes clause of this contract, should the Force Protection Condition (FPCON) at the applicable contracted work location change, the Government may require changes in Contractor security matters or processes. 1.10.1 All Contractor and all associated sub?Contractors employees will receive a CORPS Watch information paper (provided by the authorized Government representative) and provide a written acknowledgement to the COR, no later than 30 calendar days after contract start date or effective date of incorporation of this requirement into the contract. 1.10.2 The Contractor must pre?screen candidates using the E?verify Program (http://www.dhs.gov/E?Verify) website to meet the established employment eligibility requirements. The vendor must ensure that the candidate has two valid forms of Government issued identification to ensure the correct information is entered into the E?verify system. An initial list of verified/eligible candidates must be provided to the COR no later than three (3) business days after the initial contract award. 1.10.3 Per the E-Verify Website the following exemptions apply: Employers whose contracts are exempt from the E-Verify federal contractor rule are not required to enroll in E-Verify. A contract is considered exempt if any one of the following applies: (1) It is for fewer than 120 days. (2) It is valued at less than $150,000, the simplified acquisition threshold (Source: http://www.uscis.gov/e-verify/federal-contractors/exemptions-and-exceptions).� 1.10.4 All contract employees, including subcontractor employees who are not in possession of the appropriate security clearance, will be escorted in areas where they may be exposed to classified and/or sensitive materials and/or sensitive or restricted areas. 1.11 PHYSICAL SECURITY. �Safeguard all government equipment, information and property provided. At the close of each work period, equipment, and materials shall be secured. 1.12 CYBER SECURITY TRIANIG. All Contractor employees, including subcontractor employees must complete the DOD Cyber Awareness Challenge Training before access the OT systems, and annually thereafter. DOD 8570.01 and AR 25-2, all contractor personnel supporting cybersecurity functions shall complete appropriate training with specified timelines and attain and maintain the required IT and cybersecurity training certifications.� 1.13 CONTRACTORS THAT DO NOT REQUIRE CAC BUT REQUIRE ACCESS TO A DOD FACILITY. The contractor and all associated subcontractor employees shall comply with adjudication standards and procedures using the National Crime Information Center Insterstate Identification Index (NCIC-III) and� 1.14 CONTRACTOR PORTABLE ELECTRONIC DEVICES (PED). All Contractor personnel and equipment that will connect to USACE-owned systems are subject to the requirements of this paragraph. This includes all Contractor equipment, including laptops and other portable devices. 1.14.1 All Contractor PEDs shall be approved by the Contracting Officer (KO) or Contracting Officer's Representative (COR) for connection to USACE-owned systems prior to connection. For compliance, security, and network maintenance purposes, authorized individuals within USACE may monitor equipment, systems, and network traffic at any time, per the existing acceptable use and audit policies. USACE reserves the right to audit networks and systems on a periodic basis to ensure compliance with Army policy. Users connecting to USACE-owned equipment with approved PEDs consent to monitoring and inspection of their equipment. 1.14.2 PEDs approved for connection to USACE-owned systems equipment shall meet the following requirements: a)�� �Be subject to scanning or checking by designated USACE personnel before being connected to any USACE-owned equipment. b)�� �This process will be repeated before connection each time the PED goes off-site (crosses the facility boundary). c)�� �Undergo regular maintenance ensuring the PED is patched and up to date and a current full antivirus scan has been completed within the previous 10 days. d)�� �Ensure the PED firewall is enabled and set to ""Public"". e)�� �Demonstrate that all required patching and software/firmware updates are applied, and compliance with any applicable STIGS (Security Technical Implementation Guides) version and release is achieved. f)�� �Employ data-at-rest encryption to protect information stored on the device. The types of information that must be protected include the following: site specific drawings; configuration files; project files; vulnerability data; and any specific information that could potentially lead to a compromise. 1.14.3 If limited connectivity to the Internet is required to update software patches and retrieve updated virus definitions, the following requirements shall be met: a)�� �The host-based firewall on the computer shall be enabled and the network identifier for the Internet connection must be set to ""Public"". b)�� �After the software patches are applied and the virus definitions updated, the computer shall be isolated from the Internet connection, and a full scan with the Antivirus Software completed, resulting with no detections, prior to connection to the USACE-owned equipment. c)�� �Prior to connecting to the equipment, network, or system, antivirus definition files shall be verified to be less than seven days old and a full scan has been completed. 1.14.4 In the event that an authorized or approved non-USACE-owned PED is lost or stolen, user shall immediately notify the Contracting Officer or Contracting Officer's Representative. 1.14.5 Under no circumstances are users authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing authorized or approved USACE-owned or non-USACE-owned resources related to work on this contract. The following activities are strictly prohibited with regards to connecting authorized or approved USACE-owned or non-USACE-owned PEDs to USACE-owned equipment, with no exceptions: a)�� �Using SCADA or other related monitoring and/or control systems for any personal use. b)�� �Connecting unauthorized or unapproved non-USACE PEDs to USACE equipment, systems, or networks. c)�� �Intentional introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). d)�� �Port scanning or security scanning without prior notification to the KO, in coordination with designated site IT personnel. e)�� �Executing any form of network monitoring which will intercept data not intended for the user's host, unless this activity is a part of the user's normal job/duty. f)�� �Hotspot-capable PEDs are not permitted to broadcast Wi-Fi signals as an access point (i.e. function as a router for a wireless network) within and/or around certain areas of the USACE facility premises (e.g., control room and computer server room, unit control equipment enclosures such as RTU cabinets, digital governor or exciter cabinets, etc.) and shall not be connected to USACE equipment, systems, or networks. g)�� �PEDs shall not be loaned or otherwise given to any person other than whom the device is assigned to. h)�� �Exporting software, technical information, encryption software or technology, which is in violation of international or regional export control laws. Notify the KO or COR of any material that is in question. Material in question shall only be exported with KO or COR approval. 1.14.6 Any use of email on SCADA and any related monitoring/control of USACE systems or networks is prohibited. 1.15 DATA RIGHTS. The Government has unlimited rights to all documents/material produced under this contract. �All documents and materials, to include the source codes of any software, produced under this contract shall be Government owned and are the property of the Government with all rights and privileges of ownership/copyright belonging exclusively to the Government. �These documents and materials may not be used or sold by the contractor without written permission from the Contracting Officer. �All materials supplied to the Government shall be the sole property of the Government and may not be used for any other purpose. �This right does not abrogate any other Government rights. 1.16 CONTRACTING OFFICER REPRESENTATIVE (COR). �The COR monitors all technical aspects of the contract and assists in contract administration. The COR is authorized to perform the following functions: assure that the Contractor performs the technical requirements of the contract: coordinate and schedule all activities to be performed by the Contractor: perform inspections necessary in connection with contract performance: maintain written and oral communications with the Contractor concerning technical aspects of the contract: issue written interpretations of technical requirements, including Government drawings, designs, specifications: monitor Contractor's performance and notifies both the Contracting Officer and Contractor of any deficiencies; coordinate availability of government furnished property, and provide site entry of Contractor personnel. �A letter of designation issued to the COR, a copy of which is sent to the Contractor, states the responsibilities and limitations of the COR, especially with regard to changes in cost or price, estimates or changes in delivery dates. �The COR is not authorized to change any of the terms and conditions of the resulting order.� 1.17 POST AWARD CONFERENCE/PERIODIC PROGRESS MEETINGS. The Contractor agrees to attend any post award conference convened by the contracting activity in accordance with Federal Acquisition Regulation Subpart 42.5. The Contracting Officer, Contracting Officers Representative (COR), and other Government personnel, as appropriate, may meet periodically with the contractor to review the contractor's performance. �At these meetings the contracting officer will apprise the contractor of how the government views the contractor's performance and the contractor will apprise the Government of problems, if any, being experienced. �Appropriate action shall be taken to resolve outstanding issues. �These meetings shall be at no additional cost to the government. � 1.18 SCHEDULING. The Contracting Officer�s Representative shall schedule all services performed by the Contractor under this contract. �Primary communications will be via phone and/or email. The Contractor must have normal business hours Monday through Friday excluding Federal Holidays. �A reasonable response time of no more than 4 business days is expected for all inquiries and requests made by the Government.� ? Part 2: Definitions & Acronyms� 2. DEFINITIONS AND ACRONYMS.� 2.1 ARCHITECTURE TYPE. �The level of interconnectivity of an Operational Technology (OT) is a foundational criterion used when determining the priority of a system. �The more connectivity capability, the higher the likelihood that the system can be compromised through a cyber-attack. �There are three main types of interconnections: no interconnection (OT Product, OT Subsystem), closed restricted network connection (OT Closed Restricted System), and interconnected (OT Restricted Interconnected System and OT Connected System). 2.2 BOUNDARY DEFENSE. �When Operational Technology (OT) information travels outside the physical boundary, the information flow must be protected against outside threats. �Firewalls should be used to isolate networks and protect data flow by restricting unnecessary traffic, both inbound and outbound. �Traffic flows should also be encrypted using a VPN. �Intrusion Detection should be used to alert on malicious or unauthorized traffic. �For Operational Technology (OT) that requires information flow between the control network to an external boundary, e.g. Hydrology Reports, the connection will be protected using a data diode or unidirectional gateway instead of a firewall for additional protection. 2.3 BIOS. �Basic Input/Output System. Fundamental system firmware used to boot and initialize system. 2.4 CCI. �Control Correlation Identifier. The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. CCI bridges the gap between high-level policy expressions and low-level technical implementations. CCI allows a security requirement that is expressed in a high-level policy framework to be decomposed and explicitly associated with the low-level security setting(s) that must be assessed to determine compliance with the objectives of that specific security control. This ability to trace security requirements from their origin (e.g., regulations, Information Assurance frameworks) to their low-level implementation allows organizations to readily demonstrate compliance to multiple Information Assurance compliance frameworks. CCI also provides a means to objectively rollup and compare related compliance assessment results across disparate technologies. 2.5 CI. �Critical Infrastructure. CI is defined as, ""Systems & assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters (Critical Infrastructures Protection Act of 2001)."" � 2.6 CONTRACTOR. �A supplier or vendor awarded a contract to provide specific supplies or service to the government. �The term used in this contract refers to the prime. 2.7 CONTRACTING OFFICER (KO). � A person with authority to enter into, administer, and or terminate contracts, and make related determinations and findings on behalf of the government. �Note: The only individual who can legally bind the government. 2.8 CONTRACTING OFFICER'S REPRESENTATIVE (COR). � An employee of the U.S. Government appointed by the contracting officer to administer the contract. �Such appointment shall be in writing and shall state the scope of authority and limitations. �This individual has authority to provide technical direction to the Contractor as long as that direction is within the scope of the contract, does not constitute a change, and has no funding implications. �This individual does NOT have authority to change the terms and conditions of the contract.� 2.9 CYBERSECURITY FUNCTION. A cybersecurity function is further defined as a user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. Examples of these activities include, but not limited to, creating/modifying user accounts, configuring auditing levels, configuring functionality of a device that is restricted from general users, network architecture design, and applying secure configuration to an Operating System or device. � 2.10 DEFECTIVE SERVICE. �A service output that does not meet the standard of performance associated with the Performance Work Statement. 2.11 DELIVERABLE. �Anything that can be physically delivered, but may include non-manufactured things such as meeting minutes or reports. 2.12 IAVAs. �Information Assurance Vulnerability Alerts. The Department of Defense (DoD) information system vulnerabilities are alerted with messages called Information Assurance Vulnerability Alerts (IAVA). Vulnerabilities are evaluated to see what impact (if any) they might have and sent out by to all branches and units within the organization. 2.13 INTERCONNECTIN CAPABILITY. �Architecture's Interconnection capability is determined via the communications that exist between Operational Technology line items, whether they share an information type or not. �Interconnection capability also includes any type of connection between line items and an external network. Interconnection capability is considered a primary risk factor that affects all aspects of the cybersecurity program. �Reviewing network device information from the inventory provides an understanding of the basic networking structure and communication capabilities between the various listed line items and builds a clearer picture of the scope of the potential system. �The UCIC developed five OT architecture types based on regularly occurring interconnection capability: the OT product, OT subsystem, OT closed restricted system, OT restricted interconnected system, and OT connected system. 2.14 ISO. �Information System Owner. Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system, such as the District Chief of Operations. 2.15 ISS. �Interim Secure State. Interim Secure State is achieved when a USACE control system's risk is known and the system has been verified as being technically and physically secured to an acceptable risk tolerance, but it does not have all documentation and/or administrative requirements met for obtaining an Authority To Operate (ATO). ISS is used to verify that a new control system installation, or a system going through a major upgrade, is implementing critical security controls during the installation phase and meets a specific cybersecurity standard (defined in this document) prior to the government taking ownership. ISS is also used to verify that an existing control system is operating at an acceptable state of cybersecurity. � 2.16 IT. �Information Technology. Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. 2.17 KEY PERSONNEL. �Contractor personnel that are evaluated in a source selection process and that may be required to be used in the performance of a contract by the Key Personnel listed in the PWS. �When key personnel are used as an evaluation factor in best value procurement, an offer can be rejected if it does not have a firm commitment from the persons that are listed in the proposal. 2.18 NETWORK SEGMENTATION: �The control network must be segmented or segregated either by logical or physical methods. Examples of logical methods include firewall zones, VLANs, or VPNs. Physical separation is done by deploying additional hardware. Network segmentation is used for isolation of discrete functions or processes. �Each network segment will have its own IP address space or subnet. 2.19 OT. Operational Technology. The hardware and software dedicated to detecting and/or causing changes in physical processes through direct monitoring and control of physical devices to accomplish a specific mission in real time. 2.20 OT PRODUCT. An OT Product (either individual or aggregate) is a PLC with a non-routable IP or serial connection to a touch panel with an embedded operating system, no connection to a computer or server, no communications using a routable protocol, and no connection to any component outside the physical boundary of the project. �This is the foundational building block for the more complex OT systems. �It is important to note that the connection between the touch panel and the PLC must be a one-to-one physical connection. �Any connection with routable communications will elevate the OT Product to an OT Subsystem. There are circumstances, particularly in hydropower facilities, when there are multiple OT Products all accomplishing similar missions but are not interconnected in any way. �The UCIC determines if aggregating those OT Products into one administrative grouping is beneficial for RMF reporting. �If so, this becomes the OT Product aggregate. �It is important to note that the aggregate does not indicate any type of routable communications being used, and therefore does not raise this to the �system� level; it is purely an administrative designation. 2.21 OT SUBSYSTEM. An OT Subsystem (either individual or aggregate) adds workstations or servers to the PLCs for operation from a control room utilizing a routable protocol (Ethernet). �It is important to note that there is no connection to any component that resides outside the logical or physical boundary of the project. �The UCIC, in coordination with the ISO, determines how far a project�s physical boundary extends for the OT to remain a subsystem. �That distance may be different from project to project. �It is possible to group multiple OT Subsystems together when they operate under a single ISO, have the same information type, and have similar system configurations. �This is called an OT Subsystem aggregate. 2.22 OT CLOSED RESTRICTED. An OT Closed Restricted System is a subsystem that is networked to another government-owned and government-operated subsystem for remote control or monitoring capabilities over encrypted communication channels. �The communication over encrypted channels is controlled and maintained on both ends by the same ISO. �This system is not connected to any external network, nor does it have an external network connection capability. 2.23 OT RESTRICTED INTERCONNECTED SYSTEM. An OT Restricted Interconnected System is an OT subsystem or an OT system that has the capability to connect to an external system only through a single-directional push of data (e.g., alarms, trends, and alerts) via a data diode or equivalent technology.� 2.24 OT CONNECTED SYSTEM. �An OT Connected System is an OT Subsystem or OT System that has a bi-directional path between the OT and an external network.� 2.25 PHYSICAL SECURITY. �Actions that prevent the loss or damage of Government property. 2.26 QUALITY ASSURANCE. �The government procedures to verify that services being performed by the Contractor are performed according to acceptable standards. 2.27 QUALITY ASSURANCE Surveillance Plan (QASP). �An organized written document specifying the surveillance methodology to be used for surveillance of contractor performance. � 2.28 QUALITY CONTROL. �All necessary measures taken by the Contractor to assure that the quality of an end product or service shall meet contract requirements. 2.29 RMF. �Risk Management Framework. �A structured approach used to oversee and manage risk for an enterprise. See DOD 8510.01, and NIST SP 800-37 for information and requirements. 2.30 SHB. �Secure Host Baseline, or Army Gold Master. �An image for certain Windows-based operating systems is available from the Government, upon request. 2.31 STIGs. �Security Technical Implementation Guides, as released by the Defense Information Security Agency (DISA). �Seehttps://public.cyber.mil/STIGS for information. 2.32 SUBCONTRACTOR. �One that enters into a contract with a prime contractor. �The Government does not have privity of contract with the subcontractor. 2.33VLAN.: �Virtual LAN (Local Area Network). A subnetwork which can group together collections of devices on separate physical local area networks (LANs). A LAN is a group of computers and devices that share a communications line or wireless link to a server within the same geographical area. 2.34 VM. �Virtual Machine. A virtual machine is a computer file, typically called an image, that behaves like an actual computer. In other words, creating a computer within a computer. It runs in a window, much like any other program, giving the end user the same experience on a virtual machine as they would have on the host operating system itself. 2.35 WORKDAY. �The number of hours per day the Contractor provides services in accordance with the contract. ? Part 3: Government Furnished Property, Equipment, and Services 3. �GOVERNMENT FURNISHED ITEMS AND SERVICES. The Government will provide the Contractor: 3.1 Physical and administrative access to the hydropower control systems at HST and STK. Remote administrative access to the hydropower control systems is strictly prohibited.� 3.2 Physical access to applicable Controlled Unclassified Information / Critical Electrical Infrastructure Information such as network diagrams, source code, program files, configurations, USACE Civil Works RMF polices, and etc. � 3.3 Army Golden Master (AGM) Microsoft Operating System builds. 3.4 Security Technical Implementation Guides (STIGS).� 3.5 Security Content Automation Protocol (SCAP) scanner tool(s). 3.6 Information Assurance Vulnerability Alerts (IAVA�S). 3.7 Any IT and OT hardware that may be necessary.� ? Part 4: Contractor Furnished Items and Services� 4. CONTRACTOR FURNISHED ITEMS AND RESPONSIBILITIES.� 4.1 GENERAL. Furnish all supplies, equipment including personal protective equipment, and services required to perform work under this contract that are not listed under Section 3 of this PWS. 4.2 BASELINE CERTIFICATION. Possess and maintain a current DOD approved baseline IAT Level II certification. See https://public.cyber.mil/cwmp/dod-apporved-8570-baseline-certifications/ . Failure to do so shall result in contract termination. Submit within 14 days of notice to proceed. 4.3 ACCEPTABLE USE POLICY. Sign and return the USACE OT/Control Systems Acceptable Use Policy (AUP). Submit within 14 days of notice to proceed.� 4.5 AVEVA SERVICE AGREEMENT. Provide the annual service agreement for AVEVA In-touch. An instance of the 2020 version of AVEVA In-Touch development is deployed at HST, and instances of the 2020 version of AVEVA In-Touch runtimes are deployed at HST and STK. Submit within 30 days of notice to proceed.� 4.6 AVEA SOFTWARE LICENSE. Provide the perpetual software license for the instance of the AVEVE In-Touch development deployed at HST. The current license is an annual subscription-based license. Submit within 30 days of notice to proceed.� 4.7 ROCKWELL SOFTWARE AND LICENSING. Provide Rockwell Studio 5000 Software and perpetual license for one instance (Need specifics from HST about what they want) ? Part 5: Specific Tasks 5 SERVICES. Provide the following services: 5.1 Provide expertise and consulting on cybersecurity and its application to OT systems and/or environments. Expertise and consulting include but not limited to industry best practices and application; interpretation, and application of Federal cybersecurity publications (see Section 6); vulnerability assessments; remediation and/or mitigation; and etc.� 5.2 Provide expertise and consulting on design, implementation/installation, and maintenance of IT and OT systems and/or environments. Those specifically used for power generation and transmission, auxiliaries, and sequence of events recording.� 5.3 Apply a well-developed and broad working knowledge to the current and future OT systems at HST and STK. Be knowledgeable of and adhere the USACE Civil Works RMF Policies (CUI). Assist with the implementation of said policies. 5.4 Assist the Government in maintaining an ISS (see Section 2) of the SCADA system at HST and STK. �Work includes but not limited to performing taking backup images and restoration; vulnerability scanning; remediation and/or mitigation; applying firmware updates, patches...
 
Web Link
SAM.gov Permalink
(https://sam.gov/opp/4a634cd0f68749699e0a5987e223febf/view)
 
Place of Performance
Address: MO 65355, USA
Zip Code: 65355
Country: USA
 
Record
SN06404530-F 20220729/220727230121 (samdaily.us)
 
Source
SAM.gov Link to This Notice
(may not be valid after Archive Date)
FSG Index  |  This Issue's Index  |  Today's SAM Daily Index Page |
ECGrid: EDI VAN Interconnect ECGridOS: EDI Web Services Interconnect API Government Data Publications CBDDisk Subscribers
 Privacy Policy  Jenny in Wanderland!  © 1994-2024, Loren Data Corp.