1. CONTRACT ID CODE PAGE OF PAGES AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT J 1 2


1 1. CONTRACT ID CODE OF S AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT J EFFECTIVE DATE 4. REQUISITION/PURCHASE REQ. NO. 5. PROJECT NO. (If applicable) 25-Jul-2014 M MR-1053 N/A 6. ISSUED BY CODE M ADMINISTERED BY (If other than Item 6) CODE M67854 MARCORSYSCOM 2200 Lester St Bldg 2200 Quantico VA catherine.kummer@usmc.mil MARCORSYSCOM 2200 Lester St Bldg 2200 Quantico VA NAME AND ADDRESS OF CONTRACTOR (No., street, county, State, and Zip Code) 9A. AMENDMENT OF SOLICITATION NO. Conscious Security, Inc 1000 Corporate Drive Suite 119 Stafford VA B. DATED (SEE ITEM 11) CAGE CODE [X] 10A. MODIFICATION OF CONTRACT/ORDER NO. - 10B. DATED (SEE ITEM 13) 4DY30 FACILITY CODE 25-Sep THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS [ ]The above numbered solicitation is amended as set forth in Item 14. The hour and date specified for receipt of Offers [ ] is extended, [ ] is not extended. Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods: (a) By completing Items 8 and 15, and returning one (1) copy of the amendment; (b) By acknowledging receipt of this amendment on each copy of the offer submitted; or (c) By separate letter or telegram which includes a reference to the solicitation and amendment numbers. FAILURE OF YOUR ACKNOWLEDGEMENT TO BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN REJECTION OF YOUR OFFER. If by virtue of this amendment you desire to change an offer already submitted, such change may be made by telegram or letter, provided each telegram or letter makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified. 12. ACCOUNTING AND APPROPRIATION DATA (If required) SEE SECTION G 13. THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS, IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14. (*) A. 
THIS CHANGE ORDER IS ISSUED PURSUANT TO: (Specify authority) THE CHANGES SET FORTH IN ITEM 14 ARE MADE IN THE CONTRACT ORDER NO. IN ITEM 10A. [ ] [ ] B. THE ABOVE NUMBERED CONTRACT/ORDER IS MODIFIED TO REFLECT THE ADMINISTRATIVE CHANGES (such as changes in paying office, appropriation date, etc.) SET FORTH IN ITEM 14, PURSUANT TO THE AUTHORITY OF FAR 43.1(b). [ ] C. THIS SUPPLEMENTAL AGREEMENT IS ENTERED INTO PURSUANT TO AUTHORITY OF: [X] D. OTHER (Specify type of modification and authority) FAR Option to Extend the Term of the Contract E. IMPORTANT: Contractor [ X ] is not, [ ] is required to sign this document and return copies to the issuing office. 14. DESCRIPTION OF AMENDMENT/MODIFICATION (Organized by UCF section headings, including solicitation/contract subject matter where feasible.) SEE 2 15A. NAME AND TITLE OF SIGNER (Type or print) 16A. NAME AND TITLE OF CONTRACTING OFFICER (Type or print) Michael A Richards, Contracting Officer 15B. CONTRACTOR/OFFEROR 15C. DATE SIGNED 16B. UNITED STATES OF AMERICA 16C. DATE SIGNED BY /s/Michael A Richards 25-Jul-2014 (Signature of person authorized to sign) (Signature of Contracting Officer) NSN PREVIOUS EDITION UNUSABLE STANDARD FORM 30 (Rev ) Prescribed by GSA FAR (48 CFR)

2 2 of 2 GENERAL INFORMATION The purpose of this modification is to Exercise and fully fund Option Year 2 SLINs. All other terms and conditions remain unchanged. Accordingly, said Task Order is modified as follows: A conformed copy of this Task Order is attached to this modification for informational purposes only. The Line of Accounting information is hereby changed as follows: The total amount of funds obligated to the task is hereby increased from $2,797, by $1,388, to $4,185, CLIN/SLIN Type Of Fund From ($) By ($) To ($) 8000BA Fund Type - TBD , , BB Fund Type - TBD , , BC Fund Type - TBD , , Fund Type - TBD , , The total value of the order is hereby increased from $2,797, by $1,388, to $4,185, CLIN/SLIN From ($) By ($) To ($) 8000BA , , BB , , BC , , , , The Period of Performance of the following line items is hereby changed as follows: CLIN/SLIN From To

SECTION B SUPPLIES OR SERVICES AND PRICES CLIN - SUPPLIES OR SERVICES For FFP Items: Item PSC Supplies/Services Qty Unit Unit Price Total Price 5000 GCSS LIS Support $2,731, AA R408 Cybersecurity Programmatic Support. The contractor shall perform in accordance with PWS para 2.1. (Fund Type - TBD) 5000AB R408 Certification and Accreditation (C&A) Support. The contractor shall perform in accordance with PWS para 2.2. (Fund Type - TBD) 5000AC R408 Cybersecurity Validation Support. The contractor shall perform in accordance with PWS para 2.3. (Fund Type - TBD) 5000BA R408 Cybersecurity Programmatic Support. The contractor shall perform in accordance with PWS para 2.1. (Fund Type - TBD) 5000BB R408 Certification and Accreditation (C&A) Support. The contractor shall perform in accordance with PWS para 2.2. (Fund Type - TBD) 5000BC R408 Cybersecurity Validation Support. The contractor shall perform in accordance with PWS para 2.3. (Fund Type - TBD) 12.0 MO $21, $253, MO $51, $619, MO $41, $493, MO $21, $253, MO $51, $619, MO $41, $493, R408 Travel (Fund Type - TBD) 1.0 LO $27, $27, For FFP / NSP Items: Item PSC Supplies/Services Qty Unit Unit Price Total Price 5002 CDRLs. Base Year. $0.00 For FFP Items: Item PSC Supplies/Services Qty Unit Unit Price Total Price 50 R408 Travel. Option Year 1. (Fund Type - OTHER) 1.0 LO $38, $38, For FFP / NSP Items: Item PSC Supplies/Services Qty Unit Unit Price Total Price 5004 CDRLs. Option Year one. $0.00 For FFP Items:

Item PSC Supplies/Services Qty Unit Unit Price Total Price 8000 GCSS LIS Support $1,365, BA R408 Cybersecurity Programmatic Support. The contractor shall perform in accordance with PWS para 2.1. (Fund Type - TBD) 8000BB R408 Certification and Accreditation (C&A) Support. The contractor shall perform in accordance with PWS para 2.2. (Fund Type - TBD) 8000BC R408 Cybersecurity Validation Support. The contractor shall perform in accordance with PWS para 2.3. (Fund Type - TBD) 12.0 MO $21, $253, MO $51, $619, MO $41, $493, R408 Travel. Option Year 2. (Fund Type - TBD) 1.0 LO $22, $22, For FFP / NSP Items: Item PSC Supplies/Services Qty Unit Unit Price Total Price 8002 CDRLs. Option Year 2. $0.00

SECTION C DESCRIPTIONS AND SPECIFICATIONS Performance Work Statement FOR GLOBAL COMBAT SUPPORT SYSTEMS MARINE CORPS LOGISTICS INFORMATION SYSTEMS PROGRAMMATIC SUPPORT 1.0 General. 1.1 Introduction and organization to be supported: The Marine Corps Systems Command's Global Combat Support Systems Marine Corps (GCSS-MC), Logistics Information Systems (LIS) Office requires Post Deployment Software Support (PDSS) for select United States Marine Corps Logistics IT systems and applications. GCSS-MC LIS is a family of Information Technology (IT) systems and applications providing a logistics capability to support Marine Corps Operating Concepts for the 21st century. 1.0 Scope This Performance Work Statement (PWS) defines the non-personal technical cybersecurity, and Interoperability and Supportability (I&S) services required by the GCSS-MC LIS Product Manager (PdM) for the fulfillment of GCSS-MC LIS PDSS responsibilities. Cybersecurity involves the actions taken to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. The cybersecurity support services include establishing and maintaining secure system baselines, system certification and accreditations (C&A), and mandatory cybersecurity validations and reporting. The I&S support includes developing system DoD Architecture Framework (DoDAF) artifacts, Information Support Plans (ISPs), Tailored ISPs, Joint Interoperability Test Command (JITC) certifications, and developing system artifacts in support of I&S waivers. The GCSS-MC LIS systems and applications provide critical supply, maintenance, stock control, war planning, warehousing, decision making, and logistics C2 capability that facilitate Life-Cycle Management and Command and Control in support of MAGTF operations now and into the future. The majority of systems to be supported are web-based. 
The portfolio of systems is composed of both Government Off the Shelf (GOTS) and Commercial Off the Shelf (COTS) software. 1.2 Background: In accordance with DoD Directive E, all acquisitions of Automated Information Systems with connections to the Global Information Grid must be certified and accredited. The primary methodology for certifying and accrediting DoD information systems is the DoD Information Assurance Certification and Accreditation Process (DIACAP) of DoD Instruction However, the contractor must be prepared to transition to the DoD Risk Management Framework in accordance with emerging DoD policy updates. In accordance with the Chairman, Joint Chiefs of Staff, Instruction , Interoperability and Supportability of Information Technology and National Security Systems, interoperability is the ability of systems, units, or forces to provide data, information, materiel, and services to, and accept the same from, other systems, units, or forces; and to use the data, information, materiel, and services so exchanged to enable them to operate effectively together. All IT systems that exchange and use information to enable units or forces to operate effectively in joint, combined, coalition, and interagency operations and simulations must be certified. Most of the current GCSS-MC LIS systems and applications are only utilized by the Marine Corps and do not contain joint interfaces. These systems and applications currently have legacy or end of life waivers. As new interfaces are added, the systems and applications must meet all Interoperability and Supportability requirements. The systems requiring support are listed in Attachment 1. Due to the diversity of the systems and applications, no single set of tasks meets the needs of each system and application. Some systems and

applications may require little support, while others will require extensive assistance. New systems may be added, while others may be retired or otherwise not be supported through this contract. 2.0 General Requirements The contractor is responsible for providing all material, services, and support documentation needed to complete the requirements identified in this PWS and shall provide Cybersecurity, Joint Requirements, Interoperability and Supportability (I&S), and IT Repository Support Services for the specified Logistics Information Systems detailed in Attachment 1. Per NMCARS , Enterprise-wide Contractor Manpower Reporting Application: The contractor shall report ALL contractor labor hours (including subcontractor labor hours) required for performance of services provided under this contract for the United States Marine Corps via a secure data collection site. The contractor is required to completely fill in all required data fields using the following web address Reporting inputs will be for the labor executed during the period of performance during each Government fiscal year (FY), which runs October 1 through September 30. While inputs may be reported any time during the FY, all data shall be reported no later than October 31 of each calendar year. Contractors may direct questions to the help desk, linked at CYBERSECURITY, JOINT REQUIREMENTS, I&S, AND IT PROGRAMMATIC SUPPORT SERVICES Cybersecurity Programmatic Support Cybersecurity/Information Assurance (IA) Impact Assessments. The Contractor shall conduct cybersecurity/information assurance (IA) impact assessments in support of system and application change requests, engineering change proposals, updates to the software baselines, and deliver impact recommendations to the GCSS-MC LIS Information Assurance Manager. (CDRL # A001 Technical Reports) System Annual Security Reviews (ASR). 
The Contractor shall conduct system and application ASRs in accordance with the Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No ). ASR results report shall be provided to the GCSS-MC LIS IAM. (CDRL # A002 Technical Reports) System Annual IT Contingency Plan Test. The Contractor shall develop an IT contingency plan scenario and lead the PdM annual contingency plan test for each system and application in accordance with the FISMA (Title III, Pub. L. No ). Contingency Plan results reports shall be provided to the GCSS-MC LIS IAM. (CDRL # A0 Technical Reports) Track Information Assurance Vulnerability Alerts (IAVAs) and Marine Corps Enterprise Network (MCEN) Operational Directives (OpDirs). The Contractor shall track all IAVAs and MCEN OpDirs daily and notify the GCSS-MC LIS PdM Officers and cybersecurity staff when new IAVAs and OpDirs are released. The Contractor shall review the technical details of IAVAs and MCEN OpDirs to assess impact on GCSS-MC LIS systems prior to implementation. The contractor shall report IAVA and MCEN OpDir compliance to GCSS-MC LIS PdM Office. (CDRL # A006 Monthly Status Report)

I&S and Joint Requirements Programmatic Support. The Contractor shall develop, maintain, and update Information Support Plans (ISPs), Tailored ISPs (TISP), waivers, and DoD Architecture Framework (DoDAF) artifacts in order to meet program joint requirements, interoperability and supportability, and Joint Interface Test Command (JITC) certification requirements for all assigned systems and applications. The contractor shall report I&S and joint requirements compliance status to the GCSS-MC LIS PdM Office (CDRL # A006 Monthly Status Report) IT Repository Programmatic Support. The Contractor shall register, update, and maintain system and application IT records in all official IT repositories. The contractor shall gather data for initial system and application registration, develop draft system/application registration documentation, and submit IT repository documentation to GCSS-MC LIS government Project Officers. 2.2 CERTIFICATION AND ACCREDITATION (C&A) SUPPORT Certification and Accreditation. The Contractor shall develop and maintain Certification and Accreditation (C&A) packages in accordance with the DoD Information Assurance Certification and Accreditation Process (DIACAP)/DoD Information Assurance Risk Management Framework for assigned GCSS-MC LIS systems and applications. The Contractor shall provide C&A support on site at the Marine Corps Logistics Base in Albany, GA as follows: The contractor shall develop and execute Information Assurance Project Plans for all assigned systems that identify system DIACAP timelines, annual FISMA Testing Events, Privacy Impact Assessments, and other key IA events. (CDRL # A007 POAM (MS Project) and CDRL # A004 Monthly Status Report) The contractor shall develop, integrate, review, and maintain the GCSS-MC LIS System C&A packages to ensure that they meet DoD, DON, and Marine Corps Policy and Guidance. 
This documentation shall be produced using the Marine Corps Systems Command (MCSC) DIACAP workflows and mandatory artifacts in addition to the current Marine Corps Certification and Accreditation Support Tool (MCCAST). The contractor shall validate that software, hardware, and firmware within GCSS-MC LIS environments are authorized and not restricted from use within the Marine Corps. The contractor shall prepare GCSS-MC LIS systems DIACAP packages for information assurance verification and validations as part of the DIACAP and annual FISMA IA control testing requirements. 2.3 CYBERSECURITY VALIDATION SUPPORT The contractor shall provide Cybersecurity validation support for the systems and applications listed in attachment The contractor shall establish secure baseline system configurations in accordance with applicable policy and DISA Security Technical Implementation Guides (STIGs). This support requires the contractor to securely configure the initial system's baseline to include the Operating System, Database Management System, application server, application tier, and supporting services to meet system design and security requirements. The contractor shall conduct internal DIACAP verifications and validations to prepare the systems and applications to successfully pass assessments by independent verification and validation (IV&V) agencies. (CDRL # A004 Monthly Status Report and POA&M) The contractor shall provide system vulnerability remediations and develop risk mitigations for all identified GCSS-MC LIS system vulnerabilities. The contractor shall apply missing system patches and correct system configurations to remediate vulnerabilities. The contractor shall develop risk mitigation strategies to address system vulnerabilities that cannot be directly corrected. (CDRL # A004 Monthly Status Report and POA&M)

The contractor shall perform cybersecurity technical reviews on GCSS-MC LIS systems in preparation for system upgrades and application migrations to new hosting environments to ensure that all DoD policies, security configurations, and information assurance controls are properly implemented. The contractor shall validate compliance with all applicable IA controls both technical and non-technical. Pre-validation and security reviews shall be executed on all GCSS-MC LIS System elements. Validation activities shall include the use of DISA approved automated security tools, manual checklist, audit analysis, and additional automated security tools provided by the government. The contractor shall report and respond to identified system and application cybersecurity violations and incidents. The contractor shall conduct IA testing after critical system configuration changes, major software updates, and security incidents to verify the secure system baseline. The contractor shall conduct research on vendor and DoD patches and all applicable IAVAs to ensure the proper installment, implementation, and operational effectiveness of patches. The contractor shall identify if patch implementation will negatively affect security posture, functional, or operational capabilities. The contractor shall provide notification to the GCSS-MC LIS IAM in all cases where a patch will have a negative impact on the systems. The contractor shall conduct audits, report, and maintain visibility over all GCSS-MC LIS privileged user assignments, GCSS-MC LIS accounts, role and responsibility assignments, and account approvals to ensure separation of duties and compliance with personnel and information security criteria established in DoD, DON, and Marine Corps Policy and Guidance. 
(CDRL # A004 Monthly Status Report and POA&M) The contractor shall identify cybersecurity deficiencies as well as other IT telecommunications issues relating to GCSS-MC LIS systems on-site at Marine Corps and support contractor locations as directed by the Government. The contractor shall conduct an analysis of the cybersecurity environment at the location being visited and provide recommendations on how to improve that location's cybersecurity posture to support use of GCSS-MC LIS systems and applications. (CDRL # A005 Technical Report) The contractor shall conduct web application vulnerability testing on all GCSS-MC LIS applications for every major release prior to deployment of applications into production environments. The contractor shall test for common security problems such as SQL injection, cross site scripting, command injection, buffer overflow, session management, and other commonly known web application vulnerabilities. 3.0 Deliverables Kickoff Meeting and Task Management. Within 5 working days of the contract start date, the Contractor shall conduct a contract kickoff meeting that includes Government project personnel and Contractor personnel. The kickoff meeting will be held in Albany, Georgia. The Contractor shall submit a proposed agenda to the Project Officer at least two days prior to the kickoff meeting. The purpose of this kickoff meeting is to introduce key Government and Contractor personnel, provide clarifications of contractor questions, establish preliminary dates for future program events, and discuss any other item the Project Officer may deem appropriate to discuss. Work Breakdown Structure (WBS). The contractor shall deliver a WBS, depicted as a Gantt chart, within ten (10) working days after the award date. Tasks shall have beginning and ending dates and associated deliverables shall be identified. 
Changes to significant milestones and delivery dates shall be submitted to the COR for the systems represented in advance of the milestone or delivery dates. Plan of Action and Milestones (POA&M). The Contractor shall deliver a POA&M using Microsoft Project detailed to the level necessary to clearly communicate the plan for completion of the tasks in this PWS for each application and system. Tasks shall have beginning and ending dates and associated

deliverables shall be identified. Once accepted by the government, the POA&M will be incorporated into the effort with updates approved by the COR. Proposed changes to significant milestones and delivery dates shall be submitted to the COR in advance of the milestone or delivery dates and will be reviewed by the government. If accepted by the government, and after appropriate consideration (if required), approved changes will be incorporated via Contracting Officer or Project Officer approval depending on the nature of the change. Monthly Status Report (MSR). The contractor shall submit MSRs to the contracting officer's representative (COR) to assist the government's ability to monitor performance in accordance with the WBS and POA&Ms. These reports shall include, at a minimum: (1) how the work accomplished relates to the specific tasks in the WBS, (2) cost and performance reporting for each Task to include identification of costs and projected monthly expenditures by CLIN, and (3) other significant issues (schedule, technical, potential cost or schedule risk issues, etc.) to include proposed resolutions. Cybersecurity Test Plans, Scan Results and mitigation strategy for resolving vulnerabilities. The contractor shall document plans and procedures for continuously monitoring the cybersecurity posture of LIS systems and for conducting the annual IA control validation as per DoDI The contractor shall develop mitigation strategies, plans of action, and schedules for resolving vulnerabilities. Technical/Trip Report - The Contract support shall prepare Trip Reports on each Site Assistance Visit (SAV) and Point Papers on recommended cybersecurity improvement areas and best practices. Information Assurance Workforce Certification Documents. The Contractor shall provide documentation supporting the information assurance certification status of personnel performing information assurance functions. 3.1 Facilities, Other Direct Charges (ODCs), and Travel Requirements. 
Work efforts in support of this task effort will be accomplished primarily on-site at MCSC at Marine Corps Logistics Base Albany, GA. The government will provide office space and computer resources. This task will require the Contractor to provide facilities in Albany, GA for meetings, teleconferencing, IPTs (of personnel) throughout the course of performance to support the scope of activities. Such facilities are not reimbursed as ODCs. Laptops, cellular equipment/services, and other items of convenience are not reimbursable as ODCs. CONUS and OCONUS travel must be reimbursed in accordance with the JTR. Per Diem shall be in accordance with Local travel is authorized and travel to operational sites may be required. Government printing requirements are MANDATED to use Defense Document Services, DAPS-CAN. ODC requests for printing requirements MUST be obtained and approved by the CEOss Contracting Officer ONLY, prior to conducting these services and after getting applicable waivers.

Deliverable Schedule The Contractor shall accomplish the milestones shown in Table 1.
Table 1: Deliverable Schedule
Deliverable: Date Required
4.1 Kickoff Meeting and Task Management: 5 working days after award of contract
4.2 Work Breakdown Structure: 10 working days after contract award update as required
4.3 POA&Ms (MS Project): Within 30 working days of contract award
4.4 Monthly Status Reports: Monthly 5 working days following the end of each month
4.5 Cyber Security Validation Results for each system and application to include mitigation strategy (i.e. Plan of Action and Schedule) for resolving vulnerabilities: 20 working days after cybersecurity validation event - update monthly and as required
4.6 Technical/Trip Reports: As required
4.7 Information Assurance Work Force Certification Documents: 20 working days after contract award and upon request as personnel change
5.0 Government Furnished Items and Services. The government will provide office space, computer resources, access to the Navy Marine Corps Intranet (NMCI), and office supplies. GFE will include an NMCI/NGEN unclassified workstation with network connection. All workstations will be configured with Microsoft Windows XP or Windows 7. Workstations will have the following software installed: Microsoft Visio, Microsoft Project, Microsoft Office, Adobe Professional. All contractors will be provided office space equipped with a telephone, network printer, and access to fax and copy machines. Three non-NMCI GCSS-MC LIS IA laptops will be available for contractor use for conducting validations. Enterprise DoD IA tools will be made available for performing validations. Tools currently consist of eEye Retina, DISA SRRs, SCAP Compliance Checker, Flying Squirrel. 6.0 Other Information and Special Conditions. 
6.1 Core Hours: Government's core business hours are from Eastern Standard Time Monday through Friday. Place of Performance: The Contractor shall perform this effort on the Marine Corps Logistics Base in Albany, GA. Travel will be required to support three cybersecurity and one Interoperability and Supportability coordination meeting at locations in and around the Marine Corps Base Quantico, VA vicinity. The contractor personnel shall be required to attend the coordination meeting at the USMC cybersecurity consortium on an annual basis at locations TBD. LOCATION Number of Trips (Base) Number of Trips (Option 1) Number of Trips (Option 2) Duration Number of Travelers

C&A Coordination Days 2 Meetings-Albany, GA to Quantico, VA Joint Requirements Days 1 Meeting-Albany, GA to Quantico, VA USMC Cybersecurity Days 2 Consortium-(location TBD) IV&V event (TBD) Days 2 MCEITS Transition Days 3 IV&V-Albany, GA to Kansas City MCEITS System Migration Meetings Days Applicable Law, Policy and Directives. 50 U.S.C. 435, National Security Act of 1947 (Pub. L. No ), 26 July 1947 PL , Computer Security Act of 1987 (Pub. L. No ), 8 January 1988 PL , Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No ), 23 January U.S.C 552a, The Privacy Act of 1974, 27 September 1974 OMB Circular No. A-130, OMB Management of Federal Information Resources, 28 November 2000 Section 2224 of title 10, United States Code (also known as Defense Information Assurance Program) January 3, 2007 Chairman, Joint Chiefs of Staff, Instruction (CJCSI) , Interoperability and Supportability of Information Technology and National Security Systems, 21 March 2012 DoDD Interoperability and Supportability of IT and National Security Systems, 5 May 2004

DoDI , Policy and Procedures for Management and Use of the Electromagnetic Spectrum, 9 January 2009 DoDD , The Defense Acquisition System, 12 May 20 DoD , DoD Information Security Program, 13 Dec 1996 DoD Instruction , DoD Information Security Program and Protection of Sensitive Compartmented Information, October 9, 2008 DoDD R, Personnel Security Program, January ,2009. DoD R, Physical Security Program, April 9, 2007, Incorporating Change 1, May DoD Directive , Clearance of DoD Information for Public Release, August 22, 200 DoD R, Department of Defense Privacy Program, 14 May 2007. DoD , Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), 14 April 2004 DoD , Information Technology Portfolio Management, 10 Oct 2005 DoD G, Guidance for Implementing Net-Centric Data Sharing, April 12, DoD , Commercial Wireless Local-Area Network (WLAN) Devices, Systems, and Technologies, 3 November 2009 DoDD E, Information Assurance, 23 Feb 2007 DoDI , (IA) Implementation, 6 Feb , DoD Instruction, DoD Information Assurance Certification and Accreditation Process (DIACAP), 28 November 2007

DoD , Ports, Protocols, and Services Management (PPSM), 13 August 2004 DoD , Information Assurance Workforce Improvement Program, 15 August 2004 DoDD M, Information Assurance Training, Certification, and Workforce Management, 19 December 2005 DoD , Information Assurance in Defense Acquisition Systems, 9 July 2004 National Institute of Standards and Technology (NIST) Special Publication (SP) , Managing Information Security Risk Organization, Mission, and Information System View, March 2011, as amended NIST SP , Contingency Planning Guide for Information Technology Systems, 1 June 2002 NIST SP , Guide for Conducting Risk Assessments, July 2002, as amended. NIST SP , Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010, as amended. NIST SP A, Guide for Assessing the Security Controls in Federal Information Systems, June 2010, as amended. NIST SP , Guidelines for Securing Wireless Local Area Networks, February 2012 CNSSP 22, Information Assurance Risk Management Policy for National Security Systems, February 2009, as amended. Marine Corps Order , Marine Corps IA Program (MCIAP), 18 November 2002 USMC ECSD 021, Ports, Protocols, and Services Management version 1.0, 15 May 2012 DoDI , "Public Key Infrastructure and Public Key Enabling", 01 April 2004

USMC ECSD 014, USMC Enterprise Cybersecurity Directive 014: WLANS, 30 November 2011 USMC EIAD 018, United States Marine Corps Enterprise IA Directive 018 Marine Corps Certification and Accreditation Process, 2 September Glossary. Committee on National Security Systems Instruction (CNSSI) No. 4009, National Information Assurance (IA) Glossary, April 26, 2010, as amended 9.0 Security Requirements. All personnel performing functions on this task must possess a U.S. Government Secret security clearance. The majority of work will be completed in an unclassified environment. However, contract personnel will be required to perform duties from time to time in a classified environment up to Secret. Any information, records, or data that the contractor may have access to may be highly sensitive. Contractor personnel assigned to the task order in capacities that require access to background and reference materials, source code, possession of a USERID, or other valid computer access, shall possess a SECRET clearance, before assignment to the project. Contractor personnel are required to possess a Secret security clearance prior to the start of work. A user and account on the Navy Marine Corps Intranet (NMCI)/Next Generation Enterprise Network (NGEN) to include a CAC card to support PKI access and Marine Corps Web Services when determined by the Government to be necessary for the performance of the tasking within this PWS, if qualified. A user and mail account on the SIPRNET domain to include a SIPRNET token, when determined by the Government to be necessary for the performance of the tasking within this PWS. Contractor personnel shall be required to adhere to security regulations, and shall observe and comply with any site-specific security provisions in effect at the various government facilities. Government Common Access Cards and Contractor ID badges shall be worn and displayed at all times while at government facilities or attending government meetings. 
ALL CONTRACTOR PERSONNEL REQUIRING ACCESS TO CLASSIFIED INFORMATION AND ASSIGNED TO THIS PROGRAM SHALL POSSESS A SECRET CLEARANCE. The prime contractor and all sub-contractors (through the prime contractor) shall certify in writing to the Government that personnel supporting this contract are "Qualified U.S. contractors" per DoD Directive M Chapter 2 Section 2. Qualified U.S. contractors are restricted to U.S. citizens, persons admitted lawfully into the United States for permanent residence, and are located in the United States. All personnel identified on the certification and/or supporting this contract shall be in compliance with Department of Defense, Department of the Navy, and Marine Corps Information and Personnel Security Policy to include completed background investigations (as required) prior to start. This contract shall include a DoD Contract Security Classification Specification (DD Form 254) as an attachment. The contractor shall have a valid Secret Facility Clearance. The Government shall assist the contractor in gaining access to Government agencies and installations related to the systems in question.

All U.S. contractors (including subcontractors) shall supplement their current security practices by requiring any personnel involved in executing this contract where critical program information (CPI) has been identified shall protect the CPI to the standards articulated in the Program Protection Plan and in accordance with DoDI and DoD M. Upon contract award, all identified U.S. contractors (including subcontractors) shall acknowledge and meet the requirements stated by the Program Manager for the protection of CPI. The U.S. contractor must immediately notify the U.S. Government upon the discovery of any nonconformance with CPI protection.

Information Assurance Certifications. The contractor shall staff the Cybersecurity Lead and Cybersecurity Validator Lead with Information Assurance Technical (IAT) level III certified personnel (CISSP required). Contract personnel performing Linux privileged functions shall have a minimum of an IAT level II IA workforce certification plus a Linux certification. Contract personnel performing Oracle privileged functions shall have a minimum of an IAT level II IA workforce certification plus an Oracle certification. All other contract support working Tasks 1-3 above shall have the proper and current information assurance certification to perform information assurance functions in accordance with DoD M, Information Assurance Workforce Improvement Program. This does not apply to contract support working Task 4. The Contractor shall meet the applicable information assurance certification requirements, including:

1. DoD-approved information assurance workforce certifications appropriate for each category and level as listed in the current version of DoD M; IAT level III or IAM Level II or higher preferred; and
2. Appropriate operating system certification for information assurance technical positions as required by DoD M.
Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems for the purpose of performing cybersecurity functions. Appendix 2 provides a table for the appropriate certification levels required to meet specific access requirements.

Phase Out.

In order to ensure a smooth phase-in to the next contractor and to prevent possible decreases in productivity or service quality, the contractor shall provide a phase-out plan for the 30 calendar day period prior to the contract end date (i.e. at the end of all option periods). During this period, while still maintaining full performance, the contractor shall make available to key incoming contractor personnel, a representative of the incumbent contractor who is versed in the operation of other functions to be performed. This service shall be made available to explain procedures for conducting IA support, introducing the next contractor to the system owners and functional representatives, etc. Inventories of GFP shall be conducted jointly with the COR and representatives of the incoming contractor. Transfer of GFP will be made at the end of the phase-out period.

Performance Requirements Summary

Performance-based Task | Indicator | Standard | Surveillance Method

Submission of program management deliverables 90% of deliverables are received on time. Any deliverables not received on time are no more than 5 working The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month.

days late. Threshold = 90% IA Impact Assessments Maintain a fully staffed team Objective = 100% Team is fully staffed 95% of the time. No position remains vacant longer than 15 working days. The contractor will keep a log of all instances of when there is a vacancy on the team and identify this in the monthly status reports. The COR will confer with the contract Program Manager to verify data included in the monthly reports. Threshold = 95% Annual Security Reviews Timely submission of Cybersecurity deliverables Objective = 100% 90% of deliverables are received on time. Any deliverables not received on time are no more than 5 working days late. The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month. Threshold = 90% IT Contingency Plans Quality submission of cybersecurity deliverables Objective = 100% 85% of cybersecurity documents/artifacts are accepted by the government on initial receipt. 95% of cybersecurity documents/artifacts are accepted by the government on second receipt. Rejected submissions are corrected, resubmitted, and accepted with 15 working days of rejection. Initial submission:

Threshold = 85% Objective = 95% Track IAVA compliance Internal validations accurately identify findings that need to be remediated 95% of the findings identified by an external IV&V were already known via internal IV&Vs. The GCSS-MC LIS IAM/IAO will compare independent validation results with internal validation results and track deviations. Threshold = 95% Mandatory IA events scheduled and planned Submission of IA Project plans Objective = 100% 90% of deliverables are received within thirty working days of contract start date The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month. Any deliverables not received on time are no more than 5 working days late. Threshold = 90% Objective = 100% Approved DIACAP packages Submission of approved DIACAP packages 85% of cybersecurity documents/artifacts are accepted by the government on initial receipt. The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month. 95% of cybersecurity documents/artifacts are accepted by the government on second receipt. Rejected submissions are corrected, resubmitted, and accepted with 15 working days of rejection. Initial submission: Threshold = 85% Objective = 95%

System internal cybersecurity verification and validations performed Internal validations accurately identify findings that need to be remediated 95% of the findings identified by an external IV&V were already known via internal IV&Vs. The GCSS-MC LIS IAM/IAO will compare independent validation results with internal validation results and track deviations. Threshold = 95% System vulnerabilities remediation and risk mitigations System IT POA&Ms illustrate all system vulnerabilities remediated or addressed by risk mitigations Objective = 100% 95% of deliverables are received on time. Any deliverables not received on time are no more than 5 working days late. The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month. Threshold = 95% Contract personnel compliant with DoD IA Workforce Requirements Cybersecurity Site Assistance Visits IA Workforce Certification Compliance Site cybersecurity deficiencies identified and mitigation recommendations reported Objective = 100% 100% of required support personnel are certified in compliance with DoD % of deliverables are received within thirty working days of site assistance visit end date The COR will keep a log of contract IA Workforce compliance received from the contractor. A percent of compliance will be calculated each month. The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month. Any deliverables not received on time are no more than 5 working days late. Threshold = 90% Objective = 100%

Appendices.
Appendix 1 Systems requiring Support
Appendix 2 DoD Approved IAWF Baseline Certifications
Appendix 3 GCSS-MC LIS C&A Workload Example

Appendix 1

SYSTEMS/APPLICATIONS TO BE SUPPORTED UNDER TASK 2.1, 2.2, 2.3
Albany Data Staging Environment (ADSE)
Computer Associates Software Change Management (CASCM)
Asset Tracking Logistics & Supply System (ATLASS) v 4.0.x.x (PC Based)
Asset Tracking Logistics & Supply System (ATLASS) v 5.0.x.x (Server Based)
Air Fortress Secure Wireless Solution
Air Defense Wireless Intrusion Detection System
Logistics Data Repository (LDR)
Logistics Gateway (LOGWAY)
Materiel Capability Decision Support System (MCDSS)
Marine Corps Provisioning System (PROVISIONING)
Marine Corps Interactive Computer Aided Provisioning System (MICAPS)
Marine Corps Integrated Maintenance Management System (MIMMS)
Marine Corps Integrated Maintenance Management System Personal Computer (PCMIMMS)
Supported Activities Supply System (SASSY)
Stock Control System (SCS)-(Currently Air Force managed and accredited)
War Reserve System (WRS)
WIR Online Process Handler (WOLPH)

SYSTEMS/APPLICATIONS TO BE SUPPORTED UNDER TASK 2.1, 2.3
Battle Command Sustainment Support System (BCS3)
Common Logistics Command and Control System (CLC2S)
Storage and Retrieval Automated Tracking Integrated System (STRATIS)
Transportation Capacity Planning Tool (TCPT)

Albany Data Staging Environment (ADSE): A server based development environment that provides an integrated solution for extracting, transforming, and loading dispersed data sources from legacy applications to the Global Combat Support System for the Marine Corps (GCSS-MC) and generating error reports for the Cutover Team in order for the units to fix the errors. ADSE consists of two physical Red Hat Linux Servers hosting Oracle Warehouse Builder and Oracle Database. ADSE is a Mission Assurance Category (MAC) III Sensitive System.

Air Fortress Secure Wireless Solution: A Type accredited wireless network transport that provides for Layer 2 encryption, high strength security and a highly simplified management model.
FORTRESS implements AES encryption at layer 2 of the OSI Model. System consists of Air Fortress ES520 Wireless Access Points, Fortress Secure Client software, and Enterasys switches. GCSS-MC LIS is responsible for Program Management of Air Fortress at each of the six bases where WEB STRATIS is fielded. Air Fortress is a MAC III Sensitive System.

Asset Tracking Logistics and Supply System (ATLASS): serves as a data entry device to bridge the gap between the legacy supply system, Supported Activities Supply System (SASSY) and the Global Combat Support System Marine Corps (GCSS-MC) system. ATLASS provides the ability to control, distribute and replenish equipment and supplies in assigned areas of operation, to receive supply support from and provide support to other services. There are two versions of ATLASS. ATLASS 5.0.x.x is a server based version and ATLASS 4.0.x.x is a PC Based desktop application. Both versions of ATLASS are scheduled for decommissioning in January ATLASS is a MAC III Sensitive System.

Marine Interactive Computer Aided Provisioning System (MICAPS): is a Java web based on-line interactive and batch application that is used as a tool by Marine Corps personnel and their contractors to help automate the provisioning process. The application provides data entry screens for data input, various capabilities and utilities to manipulate the data, and the capability of inputting or outputting the data in the correct Military Standard (MIL-STD) format. The primary objective of the MICAPS is to provide the initial introduction of logistics management information for a new weapon system or equipment and to format and supply Marine Corps management data into the proper input transaction for submission to the Mainframe's Marine Corps Provisioning System (PROVISIONING). MICAPS is a MAC III Sensitive System.

Materiel Capability Decision Support System (MCDSS): is a Java based web application that provides automated decision support to the Marine Corps Logistics Command (MARCORLOGCOM) logistics managers. It supports the Inventory Manager (IM) through the Commander in their strategic logistics decision-making processes, and the Marine Corps Systems Command (MARCORSYSCOM) program and readiness managers in their strategic decision-making processes. The system impacts those decisions where there is sufficient structure for analysis to be of value, but where the logistics decision-maker's own judgment is absolutely essential. The mission requirement for MCDSS is to promote equipment readiness, reduce maintenance costs, and replace a labor-intensive manual system. MCDSS will be migrated to the Marine Corps Enterprise IT Services (MCEITS) hosting environment in MCDSS is a MAC III Sensitive System.

WIR Online Process Handler (WOLPH): is an Oracle application designed to automate the process of recovery, reporting, and management of recoverable items, which cannot be repaired with the resources available to the field commander and have become excess to a command's allowances. WOLPH is also utilized for the disposal of items which are beyond economical repair. WIR is a document identifier code, which is the acronym definition for Recoverable Item Report. WOLPH is used by the Marine Corps for requesting and assigning disposition instructions for assets that fall under one of the following categories: (1) Damage, (2) In Excess, or (3) Obsolete. WOLPH is an Oracle application that provides its customers with user friendly forms and guided menus. WOLPH will be migrated to the MCEITS hosting environment in WOLPH is a MAC III Sensitive System.

The Logistics Gateway (LOGWAY): increases productivity by creating an Enterprise portal specifically designed to be the single source of interaction with Marine Corps Logistics Information Systems. The LOGWAY environment provides a standard architecture for web content and application access. Through the use of an Oracle Portal, users experience customizable access to resources in the Oracle database as well as traditional web-based applications. LOGWAY provides Single Sign On (SSO) to multiple GCSS-MC LIS applications and reports. LOGWAY will be migrated to the MCEITS hosting environment in LOGWAY is a MAC III Sensitive System.

The Logistics Data Repository (LDR): is an Oracle Database instance that is a centralized source for logistics data. LDR is designed to provide efficient and immediate access to all current and historical unfiltered legacy / enterprise logistics data used in Supply Chain and Life Cycle Management analysis. LDR will be migrated to the MCEITS hosting environment in LDR is a MAC III Sensitive System.

Computer Associates Software Change Manager (CASCM): is a Commercial off the Shelf (COTS) solution that provides a comprehensive, integrated, repository-based change and configuration management solution to help effectively manage complex, enterprise-wide development activities throughout the entire application development life cycle. CASCM is a client/server application that supports distributed development. The client/server model used by CASCM is an application server model. In this model, the client process presents data and manages keyboard and device input. The application logic is defined and processed remotely by a dedicated application server. The application server, in turn, provides access to the CASCM database. CASCM is a MAC III Sensitive System.

Supported Activities Supply System (SASSY): is the authorized automated supply management system specifically developed to support the Fleet Marine Forces (FMF). SASSY is designed to accomplish supply accounting for all elements of FMF. In addition to improving the Fleet Marine (FM) commander's capability for resource allocation through total asset visibility and centralized control, SASSY minimizes the requirement to perform manual accounting operations. Additionally, an extensive database furnishes the commander with timely and accurate allowance and inventory performance management information. SASSY is a legacy mainframe application that is hosted by the Defense Information Systems Agency (DISA). SASSY is scheduled for decommissioning in January SASSY is a MAC II Sensitive System.

Marine Corps Integrated Maintenance Management System (MIMMS): is an automated maintenance management information application designed to support commanders and logistics managers at all command levels in the execution of ground equipment maintenance management functions. MIMMS is a legacy mainframe system executed by all major Marine Corps sites. MIMMS is hosted on the DISA mainframe. The Batch Programs are mainly written in Common Business-Oriented Language (COBOL). The On-line programs are written in NATURAL. MIMMS is scheduled for decommissioning in January MIMMS is a MAC II Sensitive System.

Marine Corps Provisioning System (PROVISIONING): supports the introduction of principal end items into the field from the research and development stage through placement in service. PROVISIONING assures that initial spares, repair parts, special tools, test equipment, and support equipment required for initial support of new end items are procured and protected from general issue and distributed on a timely basis to appropriate organizations. PROVISIONING is a legacy mainframe application hosted by DISA.

War Reserve System (WRS): is the automated Marine Corps requirements determination system used to compute sustainment requirements in support of both contingency planning and budgeting. Sustainment requirements are computed on two levels. Marine Expeditionary Force (MEF) level sustainment requirements are loaded into both wholesale inventory files as war reserve project requirement quantities and retail inventory files as allowance quantities. Contingency or deliberate planning is the process by which Marine Corps sustainment requirements to support different contingencies are computed for various force structures and support periods. Requirements at this level are available for both supportability testing and


More information

How To Check If Nasa Can Protect Itself From Hackers

How To Check If Nasa Can Protect Itself From Hackers SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

More information

1. CONTRACT ID CODE PAGE OF PAGES AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT U 1 3

1. CONTRACT ID CODE PAGE OF PAGES AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT U 1 3 1. CONTRACT ID CODE OF S AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT U 1 3 2. 3. EFFECTIVE DATE 4. REQUISITION/PURCHASE REQ. NO. 5. PROJECT NO. (If applicable) 14-Aug-2015 1300517293 N/A 6. ISSUED

More information

SMITHSONIAN INSTITUTION

SMITHSONIAN INSTITUTION SMITHSONIAN INSTITUTION FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012 INDEPENDENT EVALUATION REPORT TABLE OF CONTENTS PURPOSE 1 BACKGROUND 1 OBJECTIVES, SCOPE, AND METHODOLOGY 2 SUMMARY OF RESULTS

More information

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12 Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

DEPARTMENTAL REGULATION

DEPARTMENTAL REGULATION U.S. DEPARTMENT OF AGRICULTURE WASHINGTON, D.C. 20250 DEPARTMENTAL REGULATION SUBJECT: Identity, Credential, and Access Management Number: 3640-001 DATE: December 9, 2011 OPI: Office of the Chief Information

More information

POLICY ON WIRELESS SYSTEMS

POLICY ON WIRELESS SYSTEMS Committee on National Security Systems CNSSP No. 17 January 2014 POLICY ON WIRELESS SYSTEMS THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION CHAIR

More information

DIVISION OF INFORMATION SECURITY (DIS)

DIVISION OF INFORMATION SECURITY (DIS) DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new

More information

PRIVACY IMPACT ASSESSMENT (PIA) For the

PRIVACY IMPACT ASSESSMENT (PIA) For the PRIVACY IMPACT ASSESSMENT (PIA) For the TOTAL WORKFORCE MANAGEMENT SERVICES (TWMS) Department of the Navy - CNIC SECTION 1: IS A PIA REQUIRED? a. Will this Department of Defense (DoD) information system

More information

I 6 2. AMENDMENT/MODIFICATION NO. 3. EFFECTIVE DATE 4. REOUISITIONIPURCHASE REO. NO. r' PROJECT NO. (If applicab/e)

I 6 2. AMENDMENT/MODIFICATION NO. 3. EFFECTIVE DATE 4. REOUISITIONIPURCHASE REO. NO. r' PROJECT NO. (If applicab/e) 11. CONTRACT ID CODE OF PAGES AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT ra~e I 6 2. AMENDMENT/MODIFICATION NO. 3. EFFECTIVE DATE 4. REOUISITIONIPURCHASE REO. NO. r' PROJECT NO. (If applicab/e)

More information

IT-CNP, Inc. Capability Statement

IT-CNP, Inc. Capability Statement Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 8140.01 August 11, 2015 DoD CIO SUBJECT: Cyberspace Workforce Management References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues and renumbers DoD Directive

More information

United States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment

United States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment United States Department of State Global Financial Management System (GFMS) Privacy Impact Assessment CGFS/DCFO/GFMS 1. Contact Information Privacy Impact Assessment (PIA) Department of State Privacy Coordinator

More information

Publication 805-A Revision: Certification and Accreditation

Publication 805-A Revision: Certification and Accreditation Postal Bulletin 22358 (3-7-13) Policies, Procedures, and Forms Updates Publication 805-A Revision: Certification and Accreditation Effective immediately, the January 2013 edition of Publication 805-A,

More information

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT Name of System/Application: LAN/WAN PRIVACY IMPACT ASSESSMENT U. S. Small Business Administration LAN/WAN FY 2011 Program Office: Office of the Chief Information Officer A. CONTACT INFORMATION 1) Who is

More information

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015

Privacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015 For Person Authentication Service (PAS) Date: January 9, 2015 Point of Contact and Author: Hanan Abu Lebdeh Hanan.Abulebdeh@ed.gov System Owner: Ganesh Reddy Ganesh.Reddy@ed.gov Office of Federal Student

More information

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM PREFACE TO SELECTED INFORMATION DIRECTIVES CIO Transmittal No.: 15-010 CIO Approval Date: 06/12/2015 Issued by the EPA Chief Information Officer, Pursuant to Delegation 1-19, dated 07/07/2005 CHIEF INFORMATION

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

2012 FISMA Executive Summary Report

2012 FISMA Executive Summary Report 2012 FISMA Executive Summary Report March 29, 2013 UNITED STATES SECURITIES AND EXCHANGE COMMISSION WASHINGTON, D.C. 20549 OI'!'ICEOI' lnstfl! C1'0R GENERAt MEMORANDUM March 29,2013 To: Jeff Heslop, Chief

More information

Information Assurance Manual

Information Assurance Manual THE SECRETARY OF THE NAVY SECNAV M-5239.1 Department of the Navy Information Assurance Program Information Assurance Manual Published By The Department of the Navy Chief Information Officer DEPARTMENT

More information

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Introduction This contract is intended to provide IT solutions and services as

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Introduction This contract is intended to provide IT solutions and services as SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Introduction This contract is intended to provide IT solutions and services as defined in FAR 2.101(b) and further clarified in the Clinger-Cohen

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8523.01 April 22, 2008 ASD(NII)/DoD CIO SUBJECT: Communications Security (COMSEC) References: (a) DoD Directive C-5200.5, Communications Security (COMSEC) (U),

More information

A Comprehensive Cyber Compliance Model for Tactical Systems

A Comprehensive Cyber Compliance Model for Tactical Systems A Comprehensive Cyber Compliance Model for Tactical Systems Author Mark S. Edwards, CISSP/MSEE/MCSE Table of Contents July 28, 2015 Meeting Army cyber security goals with an IA advocate that supports tactical

More information

SIGNIFICANT CHANGES DOCUMENT

SIGNIFICANT CHANGES DOCUMENT SIGNIFICANT CHANGES DOCUMENT Descriptive Title Schedule 70_MassModification_Health IT SIN Significant Changes Disclaimer Language DISCLAIMER: GSA FAS is posting this notification of a planned solicitation

More information

PHASE 5: DESIGN PHASE

PHASE 5: DESIGN PHASE PHASE 5: DESIGN PHASE During the Design Phase, the system is designed to satisfy the requirements identified in the previous phases. The requirements identified in the Requirements Analysis Phase are transformed

More information

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Authors: Rebecca Onuskanich William Peterson 3300 N Fairfax Drive, Suite 308 Arlington, VA 22201 Phone: 571-481-9300 Fax: 202-315-3003

More information

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE

PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS IN THE DEPARTMENT OF JUSTICE U.S. Department of Justice Office of the Inspector General Audit Division Audit Report 05-32 July 2005 PROCESSING CLASSIFIED

More information

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition Dr. Charles Kiriakou, Ms. Kate Cunningham, Mr. Kevin Winters, & Mr. Carl Rice September 3, 2014 UNCLASSIFIED 1 Bottom Line Up Front (BLUF) The

More information

United States Patent and Trademark Office

United States Patent and Trademark Office U.S. DEPARTMENT OF COMMERCE Office of Inspector General United States Patent and Trademark Office FY 2009 FISMA Assessment of the Patent Cooperation Treaty Search Recordation System (PTOC-018-00) Final

More information

UNCLASSIFIED. UNCLASSIFIED Defense Security Service Page 1 of 5 R-1 Line #178

UNCLASSIFIED. UNCLASSIFIED Defense Security Service Page 1 of 5 R-1 Line #178 Exhibit R-2, RDT&E Budget Item Justification: PB 2015 Defense Security Service Date: March 2014 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development COST

More information

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT PAGE 6 of 52 SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Statement of Work This contract is designed to permit the Institutes and Centers (ICs) of NIH, the Department of Health and

More information

Information Assurance Workforce (IAWF) Contracting Officer Representative (COR) & Project Manager (PM) Workshop

Information Assurance Workforce (IAWF) Contracting Officer Representative (COR) & Project Manager (PM) Workshop Information Assurance Workforce (IAWF) Contracting Officer Representative (COR) & Project Manager (PM) Workshop Shannon Lawson Command IAM SSC Pacific Distribution Statement A. Approved for Public Release;

More information

Bureau of Land Management. Information System Decommissioning Guide

Bureau of Land Management. Information System Decommissioning Guide Department Bureau of the Land Interior Management Bureau of Land Management Information System Decommissioning Guide Version Control Log Date Version # Author Description January 11, 2011 0.1 WO-550 Original

More information

PRIVACY IMPACT ASSESSMENT (PIA) For the

PRIVACY IMPACT ASSESSMENT (PIA) For the PRIVACY IMPACT ASSESSMENT (PIA) For the Naval Audit Service Information Management System (NASIMS) Department of the Navy - DON/AA - NAVAUDSVC SECTION 1: IS A PIA REQUIRED? a. Will this Department of Defense

More information

Audit of the Board s Information Security Program

Audit of the Board s Information Security Program Board of Governors of the Federal Reserve System Audit of the Board s Information Security Program Office of Inspector General November 2011 November 14, 2011 Board of Governors of the Federal Reserve

More information

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2012. Report No. 4A-CI-00-12-016

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2012. Report No. 4A-CI-00-12-016 U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Subject: FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY 2012 Report No. 4A-CI-00-12-016 Date:

More information

SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT SECTION A: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article A.1 Introduction This contract is intended to provide IT solutions and services as defined in FAR 2.101(b) and further clarified in the Clinger-Cohen

More information

Department of Defense INSTRUCTION

Department of Defense INSTRUCTION Department of Defense INSTRUCTION NUMBER 8910.01 May 19, 2014 DoD CIO SUBJECT: Information Collection and Reporting References: See Enclosure 1 1. PURPOSE. This instruction: a. Reissues DoD Instruction

More information

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014

NARA s Information Security Program. OIG Audit Report No. 15-01. October 27, 2014 NARA s Information Security Program OIG Audit Report No. 15-01 October 27, 2014 Table of Contents Executive Summary... 3 Background... 4 Objectives, Scope, Methodology... 7 Audit Results... 8 Appendix

More information

Request for Information (RFI) Electronic Contract Invoicing Solutions

Request for Information (RFI) Electronic Contract Invoicing Solutions Request for Information (RFI) Electronic Contract Invoicing Solutions Timeline: Released: December 5, 2014 Pre-Submission Conference: The New York City Comptroller s Office ( Comptroller ) is considering

More information

Department of Defense INSTRUCTION. Public Key Infrastructure (PKI) and Public Key (PK) Enabling

Department of Defense INSTRUCTION. Public Key Infrastructure (PKI) and Public Key (PK) Enabling Department of Defense INSTRUCTION NUMBER 8520.02 May 24, 2011 ASD(NII)/DoD CIO SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling References: See Enclosure 1 1. PURPOSE. This Instruction:

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION The Mainframe Databases Reviewed Met Security Requirements; However, Automated Security Scans Were Not Performed September 30, 2011 Reference Number: 2011-20-099

More information

Department of Defense PKI Use Case/Experiences

Department of Defense PKI Use Case/Experiences UNCLASSIFIED//FOR OFFICIAL USE ONLY Department of Defense PKI Use Case/Experiences PKI IMPLEMENTATION WORKSHOP Debbie Mitchell DoD PKI PMO dmmitc3@missi.ncsc.mil UNCLASSIFIED//FOR OFFICIAL USE ONLY Current

More information

Improvements Needed With Host-Based Intrusion Detection Systems

Improvements Needed With Host-Based Intrusion Detection Systems Report No. DODIG-2012-050 February 3, 2012 Improvements Needed With Host-Based Intrusion Detection Systems Warning This report is a product of the Inspector General of the Department of Defense. Its contents

More information

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit UNCLASSIFIED Security Content Automation Protocol for Governance, Risk, Compliance, and Audit presented by: Tim Grance The National Institute of Standards and Technology UNCLASSIFIED Agenda NIST s IT Security

More information

AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT

AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT 1. Contract ID Code Page 1 Of 6 AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT Firm Fixed Price 2. Amendment/Modification No. 3. Effective Date 4. Requisition/Purchase Req No. 5. Project No. (If applicable)

More information

POSTAL REGULATORY COMMISSION

POSTAL REGULATORY COMMISSION POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1

More information

Department of Veterans Affairs VA Handbook 6500. Information Security Program

Department of Veterans Affairs VA Handbook 6500. Information Security Program Department of Veterans Affairs VA Handbook 6500 Washington, DC 20420 Transmittal Sheet September 18, 2007 Information Security Program 1. REASON FOR ISSUE: To provide specific procedures and establish

More information

HHSN316201200042W 1 QSSI - Quality Software Services, Inc

HHSN316201200042W 1 QSSI - Quality Software Services, Inc ARTICLE C.1. STATEMENT OF WORK This contract is designed to permit the Institutes and Centers (ICs) of NIH, the Department of Health and Human Services (DHHS), and all other federal agencies to acquire

More information

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT

SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT PAGE 6 of 51 SECTION C: DESCRIPTION/SPECIFICATIONS/WORK STATEMENT Article C.1 Statement of Work This contract is designed to permit the Institutes and Centers (ICs) of NIH, the Department of Health and

More information

DIACAP Presentation. Presented by: Dennis Bailey. Date: July, 2007

DIACAP Presentation. Presented by: Dennis Bailey. Date: July, 2007 DIACAP Presentation Presented by: Dennis Bailey Date: July, 2007 Government C&A Models NIST SP 800-37 - Guide for the Security Certification and Accreditation of Federal Information Systems NIACAP - National

More information

See Block 16C NSSC. x NNX11AA01C 12/27/2010

See Block 16C NSSC. x NNX11AA01C 12/27/2010 AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT 000290 6. ISSUED BY CODE NASA Shared Services Center Bldg. 1111, C Road Stennis Space Center MS 39529-6000 See Block 16C NSSC 1. CONTRACT ID CODE 7. ADMINISTERED

More information

NOV. 2 2 2q11. DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTOr D.C. 20301-6000

NOV. 2 2 2q11. DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTOr D.C. 20301-6000 DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTOr D.C. 20301-6000 CHIEF INFORMATION OFFICER NOV 2 2 2q11 MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS CHAIRMAN OF THE JOINT CHIEFS OF STAFF

More information

raytek, Inc. Background Information and Capabilities

raytek, Inc. Background Information and Capabilities C raytek, Inc. Background Information and Capabilities About Us Craytek, Inc. was established in 2001 Incorporated in the state of Virginia 8a Certified through the SBA in June 2005 Certified Economically

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS Final Audit Report Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management

More information

How To Audit The Mint'S Information Technology

How To Audit The Mint'S Information Technology Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit

More information

1. Provide hardware/software installation, updates, configuration, troubleshooting and resolution.

1. Provide hardware/software installation, updates, configuration, troubleshooting and resolution. When replying to this job posting please: Send your resume to TSGHR@telcomsg.com Subject Line: Response to 6252012PCT No phone calls at this time please Title: PC Technician Start Date: October 1, 2012

More information