1. CONTRACT ID CODE OF S AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT J 1 2 2. 3. EFFECTIVE DATE 4. REQUISITION/PURCHASE REQ. NO. 5. PROJECT NO. (If applicable) 25-Jul-2014 M67854-13-MR-1053 N/A 6. ISSUED BY CODE M67854 7. ADMINISTERED BY (If other than Item 6) CODE M67854 MARCORSYSCOM 2200 Lester St Bldg 2200 Quantico VA 22134-6050 catherine.kummer@usmc.mil 7-432-5613 MARCORSYSCOM 2200 Lester St Bldg 2200 Quantico VA 22134-6050 8. NAME AND ADDRESS OF CONTRACTOR (No., street, county, State, and Zip Code) 9A. AMENDMENT OF SOLICITATION NO. Conscious Security, Inc 1000 Corporate Drive Suite 119 Stafford VA 22554 9B. DATED (SEE ITEM 11) CAGE CODE [X] 10A. MODIFICATION OF CONTRACT/ORDER NO. - 10B. DATED (SEE ITEM 13) 4DY30 FACILITY CODE 25-Sep-2012 11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS [ ]The above numbered solicitation is amended as set forth in Item 14. The hour and date specified for receipt of Offers [ ] is extended, [ ] is not extended. Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods: (a) By completing Items 8 and 15, and returning one (1) copy of the amendment; (b) By acknowledging receipt of this amendment on each copy of the offer submitted; or (c) By separate letter or telegram which includes a reference to the solicitation and amendment numbers. FAILURE OF YOUR ACKNOWLEDGEMENT TO BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN REJECTION OF YOUR OFFER. If by virtue of this amendment you desire to change an offer already submitted, such change may be made by telegram or letter, provided each telegram or letter makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified. 12. ACCOUNTING AND APPROPRIATION DATA (If required) SEE SECTION G 13. 
THIS ITEM APPLIES ONLY TO MODIFICATIONS OF CONTRACTS/ORDERS, IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14. (*) A. THIS CHANGE ORDER IS ISSUED PURSUANT TO: (Specify authority) THE CHANGES SET FORTH IN ITEM 14 ARE MADE IN THE CONTRACT ORDER NO. IN ITEM 10A. [ ] [ ] B. THE ABOVE NUMBERED CONTRACT/ORDER IS MODIFIED TO REFLECT THE ADMINISTRATIVE CHANGES (such as changes in paying office, appropriation date, etc.)set FORTH IN ITEM 14, PURSUANT TO THE AUTHORITY OF FAR 43.1(b). [ ] C. THIS SUPPLEMENTAL AGREEMENT IS ENTERED INTO PURSUANT TO AUTHORITY OF: [X] D. OTHER (Specify type of modification and authority) FAR 52.217-9 Option to Extend the Term of the Contract E. IMPORTANT: Contractor [ X ] is not, [ ] is required to sign this document and return copies to the issuing office. 14. DESCRIPTION OF AMENDMENT/MODIFICATION (Organized by UCF section headings, including solicitation/contract subject matter where feasible.) SEE 2 15A. NAME AND TITLE OF SIGNER (Type or print) 16A. NAME AND TITLE OF CONTRACTING OFFICER (Type or print) Michael A Richards, Contracting Officer 15B. CONTRACTOR/OFFEROR 15C. DATE SIGNED 16B. UNITED STATES OF AMERICA 16C. DATE SIGNED BY /s/michael A Richards 25-Jul-2014 (Signature of person authorized to sign) (Signature of Contracting Officer) NSN 7540-01-152-8070 PREVIOUS EDITION UNUSABLE 30-105 STANDARD FORM 30 (Rev. 10-83) Prescribed by GSA FAR (48 CFR) 53.243
GENERAL INFORMATION

The purpose of this modification is to exercise and fully fund Option Year 2 SLINs. All other terms and conditions remain unchanged. Accordingly, said Task Order is modified as follows: A conformed copy of this Task Order is attached to this modification for informational purposes only.

The Line of Accounting information is hereby changed as follows:

The total amount of funds obligated to the task is hereby increased from $2,797,125.00 by $1,388,112.00 to $4,185,237.00.

CLIN/SLIN | Type Of Fund | From ($) | By ($) | To ($)
8000BA | Fund Type - TBD | 0.00 | 253,440.00 | 253,440.00
8000BB | Fund Type - TBD | 0.00 | 619,008.00 | 619,008.00
8000BC | Fund Type - TBD | 0.00 | 493,440.00 | 493,440.00
8001 | Fund Type - TBD | 0.00 | 22,224.00 | 22,224.00

The total value of the order is hereby increased from $2,797,125.00 by $1,388,112.00 to $4,185,237.00.

CLIN/SLIN | From ($) | By ($) | To ($)
8000BA | 0.00 | 253,440.00 | 253,440.00
8000BB | 0.00 | 619,008.00 | 619,008.00
8000BC | 0.00 | 493,440.00 | 493,440.00
8001 | 0.00 | 22,224.00 | 22,224.00

The Period of Performance of the following line items is hereby changed as follows:

CLIN/SLIN | From | To
SECTION B SUPPLIES OR SERVICES AND PRICES

CLIN - SUPPLIES OR SERVICES

For FFP Items:
Item | PSC | Supplies/Services | Qty | Unit | Unit Price | Total Price
5000 | | GCSS LIS Support | | | | $2,731,776.00
5000AA | R408 | Cybersecurity Programmatic Support. The contractor shall perform in accordance with PWS para 2.1. (Fund Type - TBD) | 12.0 | MO | $21,120.00 | $253,440.00
5000AB | R408 | Certification and Accreditation (C&A) Support. The contractor shall perform in accordance with PWS para 2.2. (Fund Type - TBD) | 12.0 | MO | $51,584.00 | $619,008.00
5000AC | R408 | Cybersecurity Validation Support. The contractor shall perform in accordance with PWS para 2.3. (Fund Type - TBD) | 12.0 | MO | $41,120.00 | $493,440.00
5000BA | R408 | Cybersecurity Programmatic Support. The contractor shall perform in accordance with PWS para 2.1. (Fund Type - TBD) | 12.0 | MO | $21,120.00 | $253,440.00
5000BB | R408 | Certification and Accreditation (C&A) Support. The contractor shall perform in accordance with PWS para 2.2. (Fund Type - TBD) | 12.0 | MO | $51,584.00 | $619,008.00
5000BC | R408 | Cybersecurity Validation Support. The contractor shall perform in accordance with PWS para 2.3. (Fund Type - TBD) | 12.0 | MO | $41,120.00 | $493,440.00
5001 | R408 | Travel (Fund Type - TBD) | 1.0 | LO | $27,289.00 | $27,289.00

For FFP / NSP Items:
Item | PSC | Supplies/Services | Qty | Unit | Unit Price | Total Price
5002 | | CDRLs. Base Year. | | | | $0.00

For FFP Items:
Item | PSC | Supplies/Services | Qty | Unit | Unit Price | Total Price
50 | R408 | Travel. Option Year 1. (Fund Type - OTHER) | 1.0 | LO | $38,060.00 | $38,060.00

For FFP / NSP Items:
Item | PSC | Supplies/Services | Qty | Unit | Unit Price | Total Price
5004 | | CDRLs. Option Year one. | | | | $0.00

For FFP Items:
Item | PSC | Supplies/Services | Qty | Unit | Unit Price | Total Price
8000 | | GCSS LIS Support | | | | $1,365,888.00
8000BA | R408 | Cybersecurity Programmatic Support. The contractor shall perform in accordance with PWS para 2.1. (Fund Type - TBD) | 12.0 | MO | $21,120.00 | $253,440.00
8000BB | R408 | Certification and Accreditation (C&A) Support. The contractor shall perform in accordance with PWS para 2.2. (Fund Type - TBD) | 12.0 | MO | $51,584.00 | $619,008.00
8000BC | R408 | Cybersecurity Validation Support. The contractor shall perform in accordance with PWS para 2.3. (Fund Type - TBD) | 12.0 | MO | $41,120.00 | $493,440.00
8001 | R408 | Travel. Option Year 2. (Fund Type - TBD) | 1.0 | LO | $22,224.00 | $22,224.00

For FFP / NSP Items:
Item | PSC | Supplies/Services | Qty | Unit | Unit Price | Total Price
8002 | | CDRLs. Option Year 2. | | | | $0.00
SECTION C DESCRIPTIONS AND SPECIFICATIONS

Performance Work Statement FOR GLOBAL COMBAT SUPPORT SYSTEMS MARINE CORPS LOGISTICS INFORMATION SYSTEMS PROGRAMMATIC SUPPORT

1.0 General.

1.1 Introduction and organization to be supported: The Marine Corps Systems Command's Global Combat Support Systems Marine Corps (GCSS-MC), Logistics Information Systems (LIS) Office requires Post Deployment Software Support (PDSS) for select United States Marine Corps Logistics IT systems and applications. GCSS-MC LIS is a family of Information Technology (IT) systems and applications providing a logistics capability to support Marine Corps Operating Concepts for the 21st century.

1.0 Scope This Performance Work Statement (PWS) defines the non-personal technical cybersecurity, and Interoperability and Supportability (I&S) services required by the GCSS-MC LIS Product Manager (PdM) for the fulfillment of GCSS-MC LIS PDSS responsibilities. Cybersecurity involves the actions taken to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. The cybersecurity support services include establishing and maintaining secure system baselines, system certification and accreditations (C&A), and mandatory cybersecurity validations and reporting. The I&S support includes developing system DoD Architecture Framework (DoDAF) artifacts, Information Support Plans (ISPs), Tailored ISPs, Joint Interoperability Test Command (JITC) certifications, and developing system artifacts in support of I&S waivers.

The GCSS-MC LIS systems and applications provide critical supply, maintenance, stock control, war planning, warehousing, decision making, and logistics C2 capability that facilitate Life-Cycle Management and Command and Control in support of MAGTF operations now and into the future. The majority of systems to be supported are web-based.
The portfolio of systems is composed of both Government Off the Shelf (GOTS) and Commercial Off the Shelf (COTS) software.

1.2 Background: In accordance with DoD Directive 8500.01E, all acquisitions of Automated Information Systems with connections to the Global Information Grid must be certified and accredited. The primary methodology for certifying and accrediting DoD information systems is the DoD Information Assurance Certification and Accreditation Process (DIACAP) of DoD Instruction 8510.01. However, the contractor must be prepared to transition to the DoD Risk Management Framework in accordance with emerging DoD policy updates.

In accordance with the Chairman, Joint Chiefs of Staff, Instruction 6212.01, Interoperability and Supportability of Information Technology and National Security Systems, interoperability is the ability of systems, units, or forces to provide data, information, materiel, and services to, and accept the same from, other systems, units, or forces; and to use the data, information, materiel, and services so exchanged to enable them to operate effectively together. All IT systems that exchange and use information to enable units or forces to operate effectively in joint, combined, coalition, and interagency operations and simulations must be certified. Most of the current GCSS-MC LIS systems and applications are only utilized by the Marine Corps and do not contain joint interfaces. These systems and applications currently have legacy or end of life waivers. As new interfaces are added, the systems and applications must meet all Interoperability and Supportability requirements.

The systems requiring support are listed in Attachment 1. Due to the diversity of the systems and applications, no single set of tasks meets the needs of each system and application. Some systems and
applications may require little support, while others will require extensive assistance. New systems may be added, while others may be retired or otherwise not be supported through this contract.

2.0 General Requirements The contractor is responsible for providing all material, services, and support documentation needed to complete the requirements identified in this PWS and shall provide Cybersecurity, Joint Requirements, Interoperability and Supportability (I&S), and IT Repository Support Services for the specified Logistics Information Systems detailed in Attachment 1.

Per NMCARS 5237.102, Enterprise-wide Contractor Manpower Reporting Application: The contractor shall report ALL contractor labor hours (including subcontractor labor hours) required for performance of services provided under this contract for the United States Marine Corps via a secure data collection site. The contractor is required to completely fill in all required data fields using the following web address https://doncmra.nmci.navy.mil. Reporting inputs will be for the labor executed during the period of performance during each Government fiscal year (FY), which runs October 1 through September 30. While inputs may be reported any time during the FY, all data shall be reported no later than October 31 of each calendar year. Contractors may direct questions to the help desk, linked at https://doncmra.nmci.navy.mil.

2.1 CYBERSECURITY, JOINT REQUIREMENTS, I&S, AND IT PROGRAMMATIC SUPPORT SERVICES

2.1.1 Cybersecurity Programmatic Support.

2.1.1.1 Cybersecurity/Information Assurance (IA) Impact Assessments. The Contractor shall conduct cybersecurity/information assurance (IA) impact assessments in support of system and application change requests, engineering change proposals, updates to the software baselines, and deliver impact recommendations to the GCSS-MC LIS Information Assurance Manager. (CDRL # A001 Technical Reports)

2.1.1.2 System Annual Security Reviews (ASR).
The Contractor shall conduct system and application ASRs in accordance with the Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347). ASR results reports shall be provided to the GCSS-MC LIS IAM. (CDRL # A002 Technical Reports)

2.1.1.3 System Annual IT Contingency Plan Test. The Contractor shall develop an IT contingency plan scenario and lead the PdM annual contingency plan test for each system and application in accordance with the FISMA (Title III, Pub. L. No. 107-347). Contingency Plan results reports shall be provided to the GCSS-MC LIS IAM. (CDRL # A0 Technical Reports)

2.1.1.4 Track Information Assurance Vulnerability Alerts (IAVAs) and Marine Corps Enterprise Network (MCEN) Operational Directives (OpDirs). The Contractor shall track all IAVAs and MCEN OpDirs daily and notify the GCSS-MC LIS PdM Officers and cybersecurity staff when new IAVAs and OpDirs are released. The Contractor shall review the technical details of IAVAs and MCEN OpDirs to assess impact on GCSS-MC LIS systems prior to implementation. The contractor shall report IAVA and MCEN OpDir compliance to the GCSS-MC LIS PdM Office. (CDRL # A006 Monthly Status Report)
2.1.2 I&S and Joint Requirements Programmatic Support. The Contractor shall develop, maintain, and update Information Support Plans (ISPs), Tailored ISPs (TISP), waivers, and DoD Architecture Framework (DoDAF) artifacts in order to meet program joint requirements, interoperability and supportability, and Joint Interface Test Command (JITC) certification requirements for all assigned systems and applications. The contractor shall report I&S and joint requirements compliance status to the GCSS-MC LIS PdM Office. (CDRL # A006 Monthly Status Report)

2.1.3 IT Repository Programmatic Support. The Contractor shall register, update, and maintain system and application IT records in all official IT repositories. The contractor shall gather data for initial system and application registration, develop draft system/application registration documentation, and submit IT repository documentation to GCSS-MC LIS government Project Officers.

2.2 CERTIFICATION AND ACCREDITATION (C&A) SUPPORT

2.2.1 Certification and Accreditation. The Contractor shall develop and maintain Certification and Accreditation (C&A) packages in accordance with the DoD Information Assurance Certification and Accreditation Process (DIACAP)/DoD Information Assurance Risk Management Framework for assigned GCSS-MC LIS systems and applications. The Contractor shall provide C&A support on site at the Marine Corps Logistics Base in Albany, GA as follows:

2.2.1.1 The contractor shall develop and execute Information Assurance Project Plans for all assigned systems that identify system DIACAP timelines, annual FISMA Testing Events, Privacy Impact Assessments, and other key IA events. (CDRL # A007 POAM (MS Project) and CDRL # A004 Monthly Status Report)

2.2.1.2 The contractor shall develop, integrate, review, and maintain the GCSS-MC LIS System C&A packages to ensure that they meet DoD, DON, and Marine Corps Policy and Guidance.
This documentation shall be produced using the Marine Corps Systems Command (MCSC) DIACAP workflows and mandatory artifacts in addition to the current Marine Corps Certification and Accreditation Support Tool (MCCAST).

2.2.1.3 The contractor shall validate that software, hardware, and firmware within GCSS-MC LIS environments are authorized and not restricted from use within the Marine Corps.

2.2.1.4 The contractor shall prepare GCSS-MC LIS systems DIACAP packages for information assurance verification and validations as part of the DIACAP and annual FISMA IA control testing requirements.

2.3 CYBERSECURITY VALIDATION SUPPORT

The contractor shall provide Cybersecurity validation support for the systems and applications listed in Attachment 1.

2.3.1 The contractor shall establish secure baseline system configurations in accordance with applicable policy and DISA Security Technical Implementation Guides (STIGs). This support requires the contractor to securely configure the initial system's baseline to include the Operating System, Database Management System, application server, application tier, and supporting services to meet system design and security requirements.

2.3.2 The contractor shall conduct internal DIACAP verifications and validations to prepare the systems and applications to successfully pass assessments by independent verification and validation (IV&V) agencies. (CDRL # A004 Monthly Status Report and POA&M)

2.3.3 The contractor shall provide system vulnerability remediations and develop risk mitigations for all identified GCSS-MC LIS system vulnerabilities. The contractor shall apply missing system patches and correct system configurations to remediate vulnerabilities. The contractor shall develop risk mitigation strategies to address system vulnerabilities that cannot be directly corrected. (CDRL # A004 Monthly Status Report and POA&M)
2.3.4 The contractor shall perform cybersecurity technical reviews on GCSS-MC LIS systems in preparation for system upgrades and application migrations to new hosting environments to ensure that all DoD policies, security configurations, and information assurance controls are properly implemented.

2.3.5 The contractor shall validate compliance with all applicable IA controls, both technical and non-technical. Pre-validation and security reviews shall be executed on all GCSS-MC LIS System elements. Validation activities shall include the use of DISA approved automated security tools, manual checklist, audit analysis, and additional automated security tools provided by the government.

2.3.6 The contractor shall report and respond to identified system and application cybersecurity violations and incidents.

2.3.7 The contractor shall conduct IA testing after critical system configuration changes, major software updates, and security incidents to verify the secure system baseline.

2.3.8 The contractor shall conduct research on vendor and DoD patches and all applicable IAVAs to ensure the proper installment, implementation, and operational effectiveness of patches. The contractor shall identify if patch implementation will negatively affect security posture, functional, or operational capabilities. The contractor shall provide notification to the GCSS-MC LIS IAM in all cases where a patch will have a negative impact on the systems.

2.3.9 The contractor shall conduct audits, report, and maintain visibility over all GCSS-MC LIS privileged user assignments, GCSS-MC LIS accounts, role and responsibility assignments, and account approvals to ensure separation of duties and compliance with personnel and information security criteria established in DoD, DON, and Marine Corps Policy and Guidance.
(CDRL # A004 Monthly Status Report and POA&M)

2.3.10 The contractor shall identify cybersecurity deficiencies as well as other IT telecommunications issues relating to GCSS-MC LIS systems on-site at Marine Corps and support contractor locations as directed by the Government. The contractor shall conduct an analysis of the cybersecurity environment at the location being visited and provide recommendations on how to improve that location's cybersecurity posture to support use of GCSS-MC LIS systems and applications. (CDRL # A005 Technical Report)

2.3.11 The contractor shall conduct web application vulnerability testing on all GCSS-MC LIS applications for every major release prior to deployment of applications into production environments. The contractor shall test for common security problems such as SQL injection, cross site scripting, command injection, buffer overflow, session management, and other commonly known web application vulnerabilities.

3.0 Deliverables.

3.0.1 Kickoff Meeting and Task Management. Within 5 working days of the contract start date, the Contractor shall conduct a contract kickoff meeting that includes Government project personnel and Contractor personnel. The kickoff meeting will be held in Albany, Georgia. The Contractor shall submit a proposed agenda to the Project Officer at least two days prior to the kickoff meeting. The purpose of this kickoff meeting is to introduce key Government and Contractor personnel, provide clarifications of contractor questions, establish preliminary dates for future program events, and discuss any other item the Project Officer may deem appropriate to discuss.

3.0.2 Work Breakdown Structure (WBS). The contractor shall deliver a WBS, depicted as a Gantt chart, within ten (10) working days after the award date. Tasks shall have beginning and ending dates and associated deliverables shall be identified.
Changes to significant milestones and delivery dates shall be submitted to the COR for the systems represented in advance of the milestone or delivery dates.

3.0.3 Plan of Action and Milestones (POA&M). The Contractor shall deliver a POA&M using Microsoft Project detailed to the level necessary to clearly communicate the plan for completion of the tasks in this PWS for each application and system. Tasks shall have beginning and ending dates and associated
deliverables shall be identified. Once accepted by the government, the POA&M will be incorporated into the effort with updates approved by the COR. Proposed changes to significant milestones and delivery dates shall be submitted to the COR in advance of the milestone or delivery dates and will be reviewed by the government. If accepted by the government, and after appropriate consideration (if required), approved changes will be incorporated via Contracting Officer or Project Officer approval depending on the nature of the change.

3.0.4 Monthly Status Report (MSR). The contractor shall submit MSRs to the contracting officer's representative (COR) to assist the government's ability to monitor performance in accordance with the WBS and POA&Ms. These reports shall include, at a minimum: (1) how the work accomplished relates to the specific tasks in the WBS, (2) cost and performance reporting for each Task to include identification of costs and projected monthly expenditures by CLIN, and (3) other significant issues (schedule, technical, potential cost or schedule risk issues, etc.) to include proposed resolutions.

3.0.5 Cybersecurity Test Plans, Scan Results and mitigation strategy for resolving vulnerabilities. The contractor shall document plans and procedures for continuously monitoring the cybersecurity posture of LIS systems and for conducting the annual IA control validation as per DoDI 8510.01. The contractor shall develop mitigation strategies, plans of action, and schedules for resolving vulnerabilities.

3.0.6 Technical/Trip Report - The Contract support shall prepare Trip Reports on each Site Assistance Visit (SAV) and Point Papers on recommended cybersecurity improvement areas and best practices.

3.0.7 Information Assurance Workforce Certification Documents. The Contractor shall provide documentation supporting the information assurance certification status of personnel performing information assurance functions.
3.1 Facilities, Other Direct Charges (ODCs), and Travel Requirements. Work efforts in support of this task effort will be accomplished primarily on-site at MCSC at Marine Corps Logistics Base Albany, GA. The government will provide office space and computer resources. This task will require the Contractor to provide facilities in Albany, GA for meetings, teleconferencing, IPTs (of 10-30 personnel) throughout the course of performance to support the scope of activities. Such facilities are not reimbursed as ODCs. Laptops, cellular equipment/services, and other items of convenience are not reimbursable as ODCs. CONUS and OCONUS travel must be reimbursed in accordance with the JTR. Per Diem shall be in accordance with http://www.defensetravel.dod.mil/site/perdiemcalc.cfm. Local travel is authorized and travel to operational sites may be required. Government printing requirements are MANDATED to use Defense Document Services, 1-877-DAPS-CAN. ODC requests for printing requirements MUST be obtained and approved by the CEOss Contracting Officer ONLY, prior to conducting these services and after getting applicable waivers.
4.0 Deliverable Schedule The Contractor shall accomplish the milestones shown in Table 1.

Table 1: Deliverable Schedule
Deliverable | Date Required
4.1 Kickoff Meeting and Task Management | 5 working days after award of contract
4.2 Work Breakdown Structure | 10 working days after contract award - update as required
4.3 POA&Ms (MS Project) | Within 30 working days of contract award
4.4 Monthly Status Reports | Monthly - 5 working days following the end of each month
4.5 Cyber Security Validation Results for each system and application to include mitigation strategy (i.e. Plan of Action and Schedule) for resolving vulnerabilities | 20 working days after cybersecurity validation event - update monthly and as required
4.6 Technical/Trip Reports | As required
4.7 Information Assurance Work Force Certification Documents | 20 working days after contract award and upon request as personnel change

5.0 Government Furnished Items and Services. The government will provide office space, computer resources, access to the Navy Marine Corps Intranet (NMCI), and office supplies. GFE will include an NMCI/NGEN unclassified workstation with network connection. All workstations will be configured with Microsoft Windows XP or Windows 7. Workstations will have the following software installed: Microsoft Visio, Microsoft Project, Microsoft Office, Adobe Professional. All contractors will be provided office space equipped with a telephone, network printer, and access to fax and copy machines. Three non-NMCI GCSS-MC LIS IA laptops will be available for contractor use for conducting validations. Enterprise DoD IA tools will be made available for performing validations. Tools currently consist of eEye Retina, DISA SRRs, SCAP Compliance Checker, Flying Squirrel.

6.0 Other Information and Special Conditions.

6.1 Core Hours: The Government's core business hours are from 0900-1500 Eastern Standard Time Monday through Friday.
6.1.2 Place of Performance: The Contractor shall perform this effort on the Marine Corps Logistics Base in Albany, GA. Travel will be required to support three cybersecurity and one Interoperability and Supportability coordination meeting at locations in and around the Marine Corps Base Quantico, VA vicinity. The contractor personnel shall be required to attend the coordination meeting at the USMC cybersecurity consortium on an annual basis at locations TBD.

LOCATION | Number of Trips (Base) | Number of Trips (Option 1) | Number of Trips (Option 2) | Duration | Number of Travelers
C&A Coordination Meetings - Albany, GA to Quantico, VA | 3 | 3 | 3 | 5 Days | 2
Joint Requirements Meeting - Albany, GA to Quantico, VA | 1 | 1 | 1 | 5 Days | 1
USMC Cybersecurity Consortium - (location TBD) | 1 | 1 | 1 | 5 Days | 2
IV&V event (tbd) | 1 | 0 | 0 | 5 Days | 2
MCEITS Transition IV&V - Albany, GA to Kansas City | 0 | 1 | 0 | 5 Days | 3
MCEITS System Migration Meetings | 0 | 2 | 0 | 5 Days | 2

7.0 Applicable Law, Policy and Directives.

50 U.S.C. 435, National Security Act of 1947 (Pub. L. No. 110-53), 26 July 1947
PL 100-235, Computer Security Act of 1987 (Pub. L. No. 100-235), 8 January 1988
PL 107-347, Federal Information Security Management Act of 2002 (FISMA) (Title III, Pub. L. No. 107-347), 23 January 2002
5 U.S.C 552a, The Privacy Act of 1974, 27 September 1974
OMB Circular No. A-130, OMB Management of Federal Information Resources, 28 November 2000
Section 2224 of title 10, United States Code (also known as Defense Information Assurance Program), January 3, 2007
Chairman, Joint Chiefs of Staff, Instruction (CJCSI) 6212.01, Interoperability and Supportability of Information Technology and National Security Systems, 21 March 2012
DoDD 4630.05, Interoperability and Supportability of IT and National Security Systems, 5 May 2004
DoDI 4650.01, Policy and Procedures for Management and Use of the Electromagnetic Spectrum, 9 January 2009
DoDD 5000.01, The Defense Acquisition System, 12 May 20
DoD 5200.01, DoD Information Security Program, 13 Dec 1996
DoD Instruction 5200.01, DoD Information Security Program and Protection of Sensitive Compartmented Information, October 9, 2008
DoDD 5200.2-R, Personnel Security Program, January 1987
DoD 5200.08-R, Physical Security Program, April 9, 2007, Incorporating Change 1, May 27, 2009
DoD Directive 5230.09, Clearance of DoD Information for Public Release, August 22, 200
DoD 5400.11-R, Department of Defense Privacy Program, 14 May 2007
DoD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the Department of Defense (DoD) Global Information Grid (GIG), 14 April 2004
DoD 8115.01, Information Technology Portfolio Management, 10 Oct 2005
DoD 8320.02-G, Guidance for Implementing Net-Centric Data Sharing, April 12, 2006
DoD 8420.01, Commercial Wireless Local-Area Network (WLAN) Devices, Systems, and Technologies, 3 November 2009
DoDD 8500.01E, Information Assurance, 23 Feb 2007
DoDI 8500.2, (IA) Implementation, 6 Feb 20
8510.01, DoD Instruction, DoD Information Assurance Certification and Accreditation Process (DIACAP), 28 November 2007
DoD 8551.1, Ports, Protocols, and Services Management (PPSM), 13 August 2004
DoD 8570.01, Information Assurance Workforce Improvement Program, 15 August 2004
DoDD 8570.01-M, Information Assurance Training, Certification, and Workforce Management, 19 December 2005
DoD 8580.01, Information Assurance in Defense Acquisition Systems, 9 July 2004
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011, as amended
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, 1 June 2002
NIST SP 800-30, Guide for Conducting Risk Assessments, July 2002, as amended
NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, February 2010, as amended
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, June 2010, as amended
NIST SP 800-153, Guidelines for Securing Wireless Local Area Networks, February 2012
CNSSP 22, Information Assurance Risk Management Policy for National Security Systems, February 2009, as amended
Marine Corps Order 5239.2, Marine Corps IA Program (MCIAP), 18 November 2002
USMC ECSD 021, Ports, Protocols, and Services Management version 1.0, 15 May 2012
DoDI 8520.2, "Public Key Infrastructure and Public Key Enabling", 01 April 2004
USMC ECSD 014, USMC Enterprise Cybersecurity Directive 014: WLANS, 30 November 2011
USMC EIAD 018, United States Marine Corps Enterprise IA Directive 018 Marine Corps Certification and Accreditation Process, 2 September 2008

8.0 Glossary. Committee on National Security Systems Instruction (CNSSI) No. 4009, National Information Assurance (IA) Glossary, April 26, 2010, as amended

9.0 Security Requirements. All personnel performing functions on this task must possess a U.S. Government Secret security clearance. The majority of work will be completed in an unclassified environment. However, contract personnel will be required to perform duties from time to time in a classified environment up to Secret. Any information, records, or data that the contractor may have access to may be highly sensitive. Contractor personnel assigned to the task order in capacities that require access to background and reference materials, source code, possession of a USERID, or other valid computer access, shall possess a SECRET clearance before assignment to the project. Contractor personnel are required to possess a Secret security clearance prior to the start of work.

A user and email account on the Navy Marine Corps Intranet (NMCI)/Next Generation Enterprise Network (NGEN) to include a CAC card to support PKI access and Marine Corps Web Services when determined by the Government to be necessary for the performance of the tasking within this PWS, if qualified.

A user and mail account on the SIPRNET domain to include a SIPRNET token, when determined by the Government to be necessary for the performance of the tasking within this PWS.

Contractor personnel shall be required to adhere to security regulations, and shall observe and comply with any site-specific security provisions in effect at the various government facilities.
Government Common Access Cards and Contractor ID badges shall be worn and displayed at all times while at government facilities or attending government meetings.

ALL CONTRACTOR PERSONNEL REQUIRING ACCESS TO CLASSIFIED INFORMATION AND ASSIGNED TO THIS PROGRAM SHALL POSSESS A SECRET CLEARANCE.

The prime contractor and all sub-contractors (through the prime contractor) shall certify in writing to the Government that personnel supporting this contract are "Qualified U.S. contractors" per DoD Directive 5220.22-M Chapter 2 Section 2. Qualified U.S. contractors are restricted to U.S. citizens, persons admitted lawfully into the United States for permanent residence, and are located in the United States.

All personnel identified on the certification and/or supporting this contract shall be in compliance with Department of Defense, Department of the Navy, and Marine Corps Information and Personnel Security Policy to include completed background investigations (as required) prior to start.

This contract shall include a DoD Contract Security Classification Specification (DD Form 254) as an attachment. The contractor shall have a valid Secret Facility Clearance. The Government shall assist the contractor in gaining access to Government agencies and installations related to the systems in question.
All U.S. contractors (including subcontractors) shall supplement their current security practices by requiring any personnel involved in executing this contract where critical program information (CPI) has been identified shall protect the CPI to the standards articulated in the Program Protection Plan and in accordance with DoDI 5200.39 and DoD 5200.39-M. Upon contract award, all identified U.S. contractors (including subcontractors) shall acknowledge and meet the requirements stated by the Program Manager for the protection of CPI. The U.S. contractor must immediately notify the U.S. Government upon the discovery of any nonconformance with CPI protection.

10.0 Information Assurance Certifications.
The contractor shall staff the Cybersecurity Lead and Cybersecurity Validator Lead with Information Assurance Technical (IAT) level III certified personnel. (CISSP required)

Contract personnel performing Linux privileged functions shall have a minimum of an IAT level II IA workforce certification plus a Linux certification. Contract personnel performing Oracle privileged functions shall have a minimum of an IAT level II IA workforce certification plus an Oracle certification.

All other contract support working Tasks 1-3 above shall have the proper and current information assurance certification to perform information assurance functions in accordance with DoD 8570.01-M, Information Assurance Workforce Improvement Program. This does not apply to contract support working Task 4. The Contractor shall meet the applicable information assurance certification requirements, including-
1. DoD-approved information assurance workforce certifications appropriate for each category and level as listed in the current version of DoD 8570.01-M; IAT level III or IAM Level II or higher preferred and
2. Appropriate operating system certification for information assurance technical positions as required by DoD 8570.01-M.
Contractor personnel who do not have proper and current certifications shall be denied access to DoD information systems for the purpose of performing cybersecurity functions. Appendix 2 provides a table for the appropriate certification levels required to meet specific access requirements.

11.0 Phase Out.
In order to ensure a smooth phase-in to the next contractor and to prevent possible decreases in productivity or service quality, the contractor shall provide a phase-out plan for the 30 calendar day period prior to the contract end date (i.e. at the end of all option periods). During this period, while still maintaining full performance, the contractor shall make available to key incoming contractor personnel, a representative of the incumbent contractor who is versed in the operation of other functions to be performed. This service shall be made available to explain procedures for conducting IA support, introducing the next contractor to the system owners and functional representatives, etc. Inventories of GFP shall be conducted jointly with the COR and representatives of the incoming contractor. Transfer of GFP will be made at the end of the phase-out period.

12.0 Performance Requirements Summary

Table columns: Performance-based Task; Indicator; Standard; Surveillance Method

Submission of program management deliverables
90% of deliverables are received on time. Any deliverables not received on time are no more than 5 working days late.
The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month.
Threshold = 90%
2.1.1.1 IA Impact Assessments
Maintain a fully staffed team
Objective = 100%
Team is fully staffed 95% of the time. No position remains vacant longer than 15 working days.
The contractor will keep a log of all instances of when there is a vacancy on the team and identify this in the monthly status reports. The COR will confer with the contract Program Manager to verify data included in the monthly reports.
Threshold = 95%
2.1.1.2 Annual Security Reviews
Timely submission of Cybersecurity deliverables
Objective = 100%
90% of deliverables are received on time. Any deliverables not received on time are no more than 5 working days late.
The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month.
Threshold = 90%
2.1.1.3 IT Contingency Plans
Quality submission of cybersecurity deliverables
Objective = 100%
85% of cybersecurity documents/artifacts are accepted by the government on initial receipt. 95% of cybersecurity documents/artifacts are accepted by the government on second receipt. Rejected submissions are corrected, resubmitted, and accepted within 15 working days of rejection.
Initial submission: Threshold = 85% Objective = 95%
2.1.1.4 Track IAVA compliance
Internal validations accurately identify findings that need to be remediated
95% of the findings identified by an external IV&V were already known via internal IV&Vs.
The GCSS-MC LIS IAM/IAO will compare independent validation results with internal validation results and track deviations.
Threshold = 95%
2.2.1.1 Mandatory IA events scheduled and planned
Submission of IA Project plans
Objective = 100%
90% of deliverables are received within thirty working days of contract start date
The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month.
Any deliverables not received on time are no more than 5 working days late.
Threshold = 90% Objective = 100%
2.2.1.2 Approved DIACAP packages
Submission of approved DIACAP packages
85% of cybersecurity documents/artifacts are accepted by the government on initial receipt.
The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month.
95% of cybersecurity documents/artifacts are accepted by the government on second receipt. Rejected submissions are corrected, resubmitted, and accepted within 15 working days of rejection.
Initial submission: Threshold = 85% Objective = 95%
2.3.2 System internal cybersecurity verification and validations performed
Internal validations accurately identify findings that need to be remediated
95% of the findings identified by an external IV&V were already known via internal IV&Vs.
The GCSS-MC LIS IAM/IAO will compare independent validation results with internal validation results and track deviations.
Threshold = 95%
2.3.3 System vulnerabilities remediation and risk mitigations
System IT POA&Ms illustrate all system vulnerabilities remediated or addressed by risk mitigations
Objective = 100%
95% of deliverables are received on time. Any deliverables not received on time are no more than 5 working days late.
The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month.
Threshold = 95%
Contract personnel compliant with DoD IA Workforce Requirements
2.3.10 Cybersecurity Site Assistance Visits
IA Workforce Certification Compliance
Site cybersecurity deficiencies identified and mitigation recommendations reported
Objective = 100%
100% of required support personnel are certified in compliance with DoD 8570.01
90% of deliverables are received within thirty working days of site assistance visit end date
The COR will keep a log of contract IA Workforce compliance received from the contractor. A percent of compliance will be calculated each month.
The COR will keep a log of due dates and actual dates received for all contract deliverables. A percent received on-time will be calculated each month.
Any deliverables not received on time are no more than 5 working days late.
Threshold = 90% Objective = 100%
13. Appendices.
Appendix 1 Systems requiring Support
Appendix 2 DoD Approved IAWF Baseline Certifications
Appendix 3 GCSS-MC LIS C&A Workload Example
Appendix 1

SYSTEMS/APPLICATIONS TO BE SUPPORTED UNDER TASK 2.1, 2.2, 2.3
Albany Data Staging Environment (ADSE)
Computer Associates Software Change Management (CASCM)
Asset Tracking Logistics & Supply System (ATLASS) v 4.0.x.x (PC Based)
Asset Tracking Logistics & Supply System (ATLASS) v 5.0.x.x (Server Based)
Air Fortress Secure Wireless Solution
Air Defense Wireless Intrusion Detection System
Logistics Data Repository (LDR)
Logistics Gateway (LOGWAY)
Materiel Capability Decision Support System (MCDSS)
Marine Corps Provisioning System (PROVISIONING)
Marine Corps Interactive Computer Aided Provisioning System (MICAPS)
Marine Corps Integrated Maintenance Management System (MIMMS)
Marine Corps Integrated Maintenance Management System Personal Computer (PCMIMMS)
Supported Activities Supply System (SASSY)
Stock Control System (SCS)-(Currently Air Force managed and accredited)
War Reserve System (WRS)
WIR Online Process Handler (WOLPH)

SYSTEMS/APPLICATIONS TO BE SUPPORTED UNDER TASK 2.1, 2.3
Battle Command Sustainment Support System (BCS3)
Common Logistics Command and Control System (CLC2S)
Storage and Retrieval Automated Tracking Integrated System (STRATIS)
Transportation Capacity Planning Tool (TCPT)

Albany Data Staging Environment (ADSE): A server based development environment that provides an integrated solution for extracting, transforming, and loading dispersed data sources from legacy applications to the Global Combat Support System for the Marine Corps (GCSS-MC) and generating error reports for the Cutover Team in order for the units to fix the errors. ADSE consists of two physical Red Hat Linux Servers hosting Oracle Warehouse Builder and Oracle Database. ADSE is a Mission Assurance Category (MAC) III Sensitive System.

Air Fortress Secure Wireless Solution: A Type accredited wireless network transport that provides for Layer 2 encryption, high strength security and a highly simplified management model.
FORTRESS implements AES encryption at layer 2 of the OSI Model. System consists of Air Fortress ES520 Wireless Access Points, Fortress Secure Client software, and Enterasys switches. GCSS-MC LIS is responsible for Program Management of Air Fortress at each of the six bases where WEB STRATIS is fielded. Air Fortress is a MAC III Sensitive System.

Asset Tracking Logistics and Supply System (ATLASS): serves as a data entry device to bridge the gap between the legacy supply system, Supported Activities Supply System (SASSY) and the Global Combat Support System Marine Corps (GCSS-MC) system. ATLASS provides the ability to control, distribute and replenish equipment and supplies in assigned areas of operation, to receive supply support from and provide support to other services. There are two versions of ATLASS. ATLASS 5.0.x.x is a server based version and ATLASS 4.0.x.x is a PC Based desktop application. Both versions of ATLASS are scheduled for decommissioning in January 2014. ATLASS is a MAC III Sensitive System.

Marine Interactive Computer Aided Provisioning System (MICAPS): is a Java web based on-line interactive and batch application that is used as a tool by Marine Corps personnel and their contractors to help automate the provisioning process. The application provides data entry screens for data input, various capabilities and utilities to manipulate the data, and the capability of inputting or outputting the data in the correct Military Standard (MIL-STD) format. The primary objective of the MICAPS is to provide the initial introduction of logistics management information for a new weapon system or equipment and to format and supply Marine Corps management data into the proper input transaction for submission to the Mainframe's Marine Corps Provisioning System (PROVISIONING). MICAPS is a MAC III Sensitive System.

Materiel Capability Decision Support System (MCDSS): is a Java based web application that provides automated decision support to the Marine Corps Logistics Command (MARCORLOGCOM) logistics managers. It supports the Inventory Manager (IM) through the Commander in their strategic logistics decision-making processes, and the Marine Corps Systems Command (MARCORSYSCOM) program and readiness managers in their strategic decision-making processes.
The system impacts those decisions where there is sufficient structure for analysis to be of value, but where the logistics decision-maker's own judgment is absolutely essential. The mission requirement for MCDSS is to promote equipment readiness, reduce maintenance costs, and replace a labor-intensive manual system. MCDSS will be migrated to the Marine Corps Enterprise IT Services (MCEITS) hosting environment in 2014. MCDSS is a MAC III Sensitive System.

WIR Online Process Handler (WOLPH): is an Oracle application designed to automate the process of recovery, reporting, and management of recoverable items, which cannot be repaired with the resources available to the field commander and have become excess to a command's allowances. WOLPH is also utilized for the disposal of items which are beyond economical repair. WIR is a document identifier code, which is the acronym definition for Recoverable Item Report. WOLPH is used by the Marine Corps for requesting and assigning disposition instructions for assets that fall under one of the following categories: (1) Damage, (2) In Excess, or (3) Obsolete. WOLPH is an Oracle application that provides its customers with user friendly forms and guided menus. WOLPH will be migrated to the MCEITS hosting environment in 2014. WOLPH is a MAC III Sensitive System.

The Logistics Gateway (LOGWAY): increases productivity by creating an Enterprise portal specifically designed to be the single source of interaction with Marine Corps Logistics Information Systems. The LOGWAY environment provides a standard architecture for web content and application access. Through the use of an Oracle Portal, users experience customizable access to resources in the Oracle database as well as traditional web-based applications. LOGWAY provides Single Sign On (SSO) to multiple GCSS-MC LIS applications and reports. LOGWAY will be migrated to the MCEITS hosting environment in 2014. LOGWAY is a MAC III Sensitive System.
The Logistics Data Repository (LDR): is an Oracle Database instance that is a centralized source for logistics data. LDR is designed to provide efficient and immediate access to all current and historical unfiltered legacy / enterprise logistics data used in Supply Chain and Life Cycle Management analysis. LDR will be migrated to the MCEITS hosting environment in 2014. LDR is a MAC III Sensitive System.

Computer Associates Software Change Manager (CASCM): is a Commercial off the Shelf (COTS) solution that provides a comprehensive, integrated, repository-based change and configuration management solution to help effectively manage complex, enterprise-wide development activities throughout the entire application development life cycle. CASCM is a client/server application that supports distributed development. The client/server model used by CASCM is an application server model. In this model, the client process presents data and manages keyboard and device input. The application logic is defined and processed remotely by a dedicated application server. The application server, in turn, provides access to the CASCM database. CASCM is a MAC III Sensitive System.

Supported Activities Supply System (SASSY): is the authorized automated supply management system specifically developed to support the Fleet Marine Forces (FMF). SASSY is designed to accomplish supply accounting for all elements of FMF. In addition to improving the Fleet Marine (FM) commander's capability for resource allocation through total asset visibility and centralized control, SASSY minimizes the requirement to perform manual accounting operations. Additionally, an extensive database furnishes the commander with timely and accurate allowance and inventory performance management information. SASSY is a legacy mainframe application that is hosted by the Defense Information Systems Agency (DISA). SASSY is scheduled for decommissioning in January 2014. SASSY is a MAC II Sensitive System.
Marine Corps Integrated Maintenance Management System (MIMMS): is an automated maintenance management information application designed to support commanders and logistics managers at all command levels in the execution of ground equipment maintenance management functions. MIMMS is a legacy mainframe system executed by all major Marine Corps sites. MIMMS is hosted on the DISA mainframe. The Batch Programs are mainly written in Common Business-Oriented Language (COBOL). The On-line programs are written in NATURAL. MIMMS is scheduled for decommissioning in January 2014. MIMMS is a MAC II Sensitive System.

Marine Corps Provisioning System (PROVISIONING): supports the introduction of principal end items into the field from the research and development stage through placement in service. PROVISIONING assures that initial spares, repair parts, special tools, test equipment, and support equipment required for initial support of new end items are procured and protected from general issue and distributed on a timely basis to appropriate organizations. PROVISIONING is a legacy mainframe application hosted by DISA.

War Reserve System (WRS): is the automated Marine Corps requirements determination system used to compute sustainment requirements in support of both contingency planning and budgeting. Sustainment requirements are computed on two levels. Marine Expeditionary Force (MEF) level sustainment requirements are loaded into both wholesale inventory files as war reserve project requirement quantities and retail inventory files as allowance quantities. Contingency or deliberate planning is the process by which Marine Corps sustainment requirements to support different contingencies are computed for various force structures and support periods. Requirements at this level are available for both supportability testing and withdrawal procedures in the event of a mobilization. WRS is a legacy mainframe application hosted by DISA. WRS is a MAC II Sensitive System.

Stock Control System (SCS): is an Air Force managed and operated mainframe application that automates the asset management of wholesale items of supply. The primary functions of SCS are to provide current asset visibility, maintain balances, process requisitions and provide status to worldwide customers. The Air Force currently maintains the application's certification and accreditation.

GCSS-MC LIS Systems and Applications to receive limited programmatic and cybersecurity validation support.

Battle Command Sustainment Support System - Node Management (BCS3-NM): is an instance of the Army's BCS3 Sustainment Command and Control software application providing additional functionality and data for In-transit Visibility (ITV) and Asset Visibility (AV) to provide more effective management of the global distribution pipeline. BCS3-NM extends baseline BCS3 capabilities for ITV and AV above the tactical and operational levels creating an ability to provide end-to-end visibility within a Common Operating Picture (COP) that extends to Joint and Defense Agency distribution managers across the Joint Deployment and Distribution Enterprise (JDDE). BCS3-NM is available in the NIPR environment currently and is planned to have a similar capability in the SIPR environment. The Marine Corps utilizes BCS3-NM laptops on the Marine Corps Enterprise Network (MCEN) that connects back to the ARMY BCS3-NM servers. The Marine Corps employment of BCS3-NM is MAC II Sensitive on the NIPRNET and MAC II Classified on the SIPRNET.

Common Logistics Command and Control System (CLC2S): is a web-enabled, tactical-level logistics command and control (Log C2) software application.
The application satisfies combat service support (CSS) command and control (planning and execution requirements) utilizing an open architecture to establish a framework that is scalable, maintainable, robust and flexible in order to provide for future growth, enhancement, and the addition of new functional capabilities. CLC2S is employed as a MAC II Sensitive application when utilized on the NIPRNET and MAC II Classified when utilized on the SIPRNET.

Transportation Capacity Planning Tool (TCPT): is a net centric/web accessible Command and Control (C2) tool that aids with the planning, tracking, management, and execution of transportation centric missions. TCPT provides additional situational awareness of the logistics battle space by providing transportation and logistics commanders with a digital dashboard view of available resources to aid with managing and executing his current and future transportation centric mission requirements. TCPT is employed as a MAC II Sensitive application when utilized on the NIPRNET and MAC II Classified when utilized on the SIPRNET.

WEB Storage Retrieval Automated Tracking Integrated System (WEB-STRATIS): is a web accessible transaction-oriented process control system, which provides constant tracking and control of material at all stages in the physical distribution process. It is designed to accommodate a manually executed file transfer interface with Supported Activities Supply System (SASSY) and GCSS-MC Enterprise. WEB STRATIS utilizes wireless handheld scanners to perform warehouse operations. WEB STRATIS is designed to utilize the Air Fortress secure wireless solution. WEB STRATIS is a MAC III Sensitive system.
Additional System Details:

ATLASS 5.0.x.x (two servers), MICAPS 6.0.x.x (three servers), MCDSS 5.0.x.x (three servers), WOLPH 3.0.x.x (three servers), LOGWAY 1.0.x.x (four servers), LDR 3.0.x.x (two servers), CASCM 12.1.x.x (one server and desktop clients), and ADSE 1.0.x.x (two servers) are all single instance applications hosted in Albany, GA.

SASSY, MIMMS, PROVISIONING, SCS and WRS are single instance mainframe applications hosted on the DISA mainframe.

BCS3-NM laptops are distributed across the Marine Corps to each of the MEFs. The laptops connect back to the Army Enterprise servers. The Army is the Joint Program Office that controls the laptop baselines.

CLC2S and TCPT are moderately complex systems due to multiple modes of operation. These systems operate in multiple instances and configurations across the Marine Corps in both garrison and tactical environments.

WEB STRATIS is a moderately complex system that operates at five garrison locations and currently only one deployed location. WEB STRATIS employs virtual servers, wireless access points, and handheld client scanners at each location. Each WEB STRATIS implementation only supports the local warehouse requirements.

Systems are currently accredited under DIACAP and have not transitioned to the Risk Management Framework. Formal FIPS 199 categorization will occur during system transition to the Risk Management Framework.
Appendix 2

http://iase.disa.mil/eta/iawip/content_pages/iabaseline.html
Appendix 3

GCSS-MC LIS C&A Workload Sample

Each application and system requires at least 1/3 of the IA Controls to be tested, the IT Contingency Plans to be tested, and annual security reviews to be performed each year. This appendix documents the current accreditation status of each application. System and application accreditation efforts may take up to twelve months. CLC2S, BCS3-NM, TCPT, WEB STRATIS, PROVISIONING, SASSY, and MIMMS all require re-accreditation in FY13. CLC2S, BCS3-NM, TCPT, and WEB STRATIS will only be supported under task 2.1 and 2.3.
SECTION D PACKAGING AND MARKING

All Deliverables shall be packaged and marked IAW Best Commercial Practice.
SECTION E INSPECTION AND ACCEPTANCE

Inspection and Acceptance for this task order shall be conducted by the Government at Destination. The following FAR clauses are hereby incorporated by reference into this task order:

FAR 52.246-2, "Inspection of Supplies -- Fixed Price" (AUG 1996).
FAR 52.246-4, "Inspection of Services -- Fixed Price" (AUG 1996).
SECTION F DELIVERABLES OR PERFORMANCE

The periods of performance for the following Items are as follows:

5000AA   9/28/2012-9/27/2013
5000AB   9/28/2012-9/27/2013
5000AC   9/28/2012-9/27/2013
5000BA   9/28/2013-9/27/2014
5000BB   9/28/2013-9/27/2014
5000BC   9/28/2013-9/27/2014
5001     9/28/2012-9/27/2013
50       9/28/2013-9/27/2014
8000BA   9/28/2014-9/27/2015
8000BB   9/28/2014-9/27/2015
8000BC   9/28/2014-9/27/2015
8001     9/28/2014-9/27/2015

Services to be performed hereunder will be provided at Marine Corps Logistics Base in Albany, GA.
SECTION G CONTRACT ADMINISTRATION DATA

252.232-7006 WIDE AREA WORKFLOW PAYMENT INSTRUCTIONS (JUN 2012)

(a) Definitions. As used in this clause--

Department of Defense Activity Address Code (DoDAAC) is a six position code that uniquely identifies a unit, activity, or organization.

Document type means the type of payment request or receiving report available for creation in Wide Area WorkFlow (WAWF).

Local processing office (LPO) is the office responsible for payment certification when payment certification is done external to the entitlement system.

(b) Electronic invoicing. The WAWF system is the method to electronically process vendor payment requests and receiving reports, as authorized by DFARS 252.232-70, Electronic Submission of Payment Requests and Receiving Reports.

(c) WAWF access. To access WAWF, the Contractor shall--
(1) Have a designated electronic business point of contact in the Central Contractor Registration at https://www.acquisition.gov; and
(2) Be registered to use WAWF at https://wawf.eb.mil/ following the step-by-step procedures for self-registration available at this Web site.

(d) WAWF training. The Contractor should follow the training instructions of the WAWF Web-Based Training Course and use the Practice Training Site before submitting payment requests through WAWF. Both can be accessed by selecting the "Web Based Training" link on the WAWF home page at https://wawf.eb.mil/.

(e) WAWF methods of document submission. Document submissions may be via Web entry, Electronic Data Interchange, or File Transfer Protocol.

(f) WAWF payment instructions. The Contractor must use the following information when submitting payment requests and receiving reports in WAWF for this contract/order:

(1) Document type. The Contractor shall use the following document type(s).
Invoice 2 in 1

(2) Inspection/acceptance location. The Contractor shall select the following inspection/acceptance location(s) in WAWF, as specified by the contracting officer.
TBD

(3) Document routing. The Contractor shall use the information in the Routing Data Table below only to fill in applicable fields in WAWF when creating payment requests and receiving reports in the system.

Routing Data Table*
Field Name in WAWF           Data to be entered in WAWF
---------------------------- ----------------------------
Pay Official DoDAAC          M67443
Issue By DoDAAC              M67854
Admin DoDAAC                 M67854
Inspect By DoDAAC            M67854 with Extension ACSS
Ship To Code                 Not Applicable
Ship From Code               Not Applicable
Mark For Code                Not Applicable
Service Approver (DoDAAC)    M67854 with Extension ACSS
Service Acceptor (DoDAAC)    M67854 with Extension ACSS
Accept at Other DoDAAC       Not Applicable
LPO DoDAAC                   Not Applicable
DCAA Auditor DoDAAC          Not Applicable
Other DoDAAC(s)              Not Applicable
Contract Number              -

(4) Payment request and supporting documentation. The Contractor shall ensure a payment request includes appropriate contract line item and subline item descriptions of the work performed or supplies delivered, unit price/cost per unit, fee (if applicable), and all relevant back-up documentation, as defined in DFARS Appendix F, (e.g. timesheets) in support of each payment request.

(5) WAWF email notifications. The Contractor shall enter the email address identified below in the "Send Additional Email Notifications" field of WAWF once a document is submitted in the system.
TBD

(g) WAWF point of contact.
(1) The Contractor may obtain clarification regarding invoicing in WAWF from the following contracting activity's WAWF point of contact.
Jeff Sanders
Jeffrey.sanders@usmc.mil
(229) 639-7339
(2) For technical WAWF help, contact the WAWF helpdesk at 866-618-5988.

(End of clause)

Accounting Data
SLINID   PR Number              Amount
-------- ---------------------- ---------------------
5000AA   M95450-12-RC-S9L55     253440.00
LLA : AA 17211061A2A 252 67854 067443 2D M95450 2RCS9L5535LY
5000AB   M95450-12-RC-S9L55     619008.00
LLA : AA 17211061A2A 252 67854 067443 2D M95450 2RCS9L5535LY
5000AC   M95450-12-RC-S9L55     493440.00
LLA : AA 17211061A2A 252 67854 067443 2D M95450 2RCS9L5535LY
5001     M95450-12-RC-S9L55     27289.00
LLA : AA 17211061A2A 252 67854 067443 2D M95450 2RCS9L5535LY

BASE Funding 1393177.00
Cumulative Funding 1393177.00

MOD 01 Funding 0.00
Cumulative Funding 1393177.00

MOD 02
5000BA   M95450-13-RC-Z6G15     253440.00
LLA : AB 1731106 1A2A 252 67854 067443 2D M95450 3RCZ6G1535CH
5000BB   M95450-13-RC-Z6G15     619008.00
LLA : AB 1731106 1A2A 252 67854 067443 2D M95450 3RCZ6G1535CH
5000BC   M95450-13-RC-Z6G15     493440.00
LLA : AB 1731106 1A2A 252 67854 067443 2D M95450 3RCZ6G1535CH
50       M95450-13-RC-Z6G15     38060.00
LLA : AB 1731106 1A2A 252 67854 067443 2D M95450 3RCZ6G1535CH

MOD 02 Funding 14948.00
Cumulative Funding 2797125.00

MOD
8000BA   M95450-14-RC-Z6L73     253440.00
LLA : AC 1741106 1A2A 310 67854 067443 2D M95450 4RCZ6L7335CH
8000BB   M95450-14-RC-Z6L73     619008.00
LLA : AC 1741106 1A2A 310 67854 067443 2D M95450 4RCZ6L7335CH
8000BC   M95450-14-RC-Z6L73     493440.00
LLA : AC 1741106 1A2A 310 67854 067443 2D M95450 4RCZ6L7335CH
8001     M95450-14-RC-Z6L73     22224.00
LLA : AC 1741106 1A2A 310 67854 067443 2D M95450 4RCZ6L7335CH

MOD Funding 1388112.00
Cumulative Funding 4185237.00
SECTION H SPECIAL CONTRACT REQUIREMENTS

SECTION H. SPECIAL CONTRACT PROVISIONS.

H.1 Contracting Officer's Representative (COR)

The Contracting Officer has designated a Contracting Officer's Representative in accordance with DFARS 201.602-2 (2). The COR is not authorized to negotiate changes, direct the contractor, or obligate the Government. The COR for this task order is:

Jeff Sanders
Information Assurance Manager
GCSS-MC-LIS MCSC
(229) 639-7339

All Contract Data Requirements List (CDRL) deliverables are to be submitted to the COR, and the COR is responsible for tracking and acceptance.

H.2 Identification of Contractor Employees

Contractor employees shall identify themselves as contractor personnel by introducing themselves or being introduced as contractor personnel and displaying distinguishing badges or other visible identification for meetings with Government personnel. In addition contractor personnel shall appropriately identify themselves as contractor employees in telephone conversations and in formal and informal written correspondence.

H.3 Organizational Conflict of Interest (OCI) Limitation of Future Contracting.

The Contracting Officer has determined that this acquisition may give rise to a potential conflict of interest. Prospective Offerors should read FAR Subpart 9.5 -- Organizational and Consultant Conflicts of Interest. This task may involve systems engineering and technical direction for the GCSS LIS program that will preclude Contractor involvement in future efforts.
The restrictions upon future contracting are as follows: If the Contractor, under the terms of this task order, or through the performance of tasks pursuant to this task order, is required to provide systems engineering and technical direction for a system or helps to develop specifications or statements of work to be used in a competitive acquisition, the Contractor shall be ineligible to supply the system or major components of the system as a prime Contractor and shall be precluded from being a Subcontractor or consultant to a supplier of the system or any of its major components under an ensuing Government contract. This restriction shall remain in effect for a reasonable time, sufficient to avoid unfair competitive advantage or potential bias (this time shall in no case be less than the duration of the initial production contract).

To the extent that the work under this contract requires access to proprietary, business confidential, or financial data of other companies, and as long as these data remain proprietary or confidential, the Contractor shall protect the data from unauthorized use and disclosure and agrees not to use it to compete with those other companies.

(a) Organizational Conflict of Interest means that because of other activities or relationships with other persons, a person is unable or potentially unable to render impartial assistance or advice to the government, or the person's objectivity in performing the contract work is or might be otherwise impaired, or a person has an unfair competitive advantage. Person as used herein includes corporations, partnerships, joint ventures, and other business enterprises.
(b) The contractor warrants that to the best of its knowledge and belief, and except as otherwise set forth in the contract, the contractor does not have any organizational conflict of interest(s) as defined in paragraph (a).

(c) It is recognized that the effort to be performed by the Contractor under this contract may create a potential organizational conflict of interest on the instant contract or on a future acquisition. In order to avoid potential conflict of interest, and at the same time to avoid prejudicing the best interest of the government, the right of the contractor to participate in future procurement of equipment and/or services that are the subject of any work under this contract shall be limited as described below in accordance with the requirements of FAR 9.5.

(d) (1) The contractor agrees that it shall not release, disclose, or use in any way that would permit or result in disclosure to any party outside the government any information provided to the contract by the government during or as a result of performance of this contract. Such information includes, but is not limited to, information submitted to the government on confidential basis by other persons. Further, the prohibition against release of government provided information extends to cover such information whether or not in its original form, e.g., where the information has been included in contractor generated work or where it is discernible from materials incorporating or based upon such information. This prohibition shall not expire after a given period of time.

(2) The contractor agrees that it shall not release, disclose, or use in any way that would permit or result in disclosure to any party outside the government any information generated or derived during or as a result of performance of this contract. This prohibition shall expire after a period of three years after completion of performance of this contract.
(3) The prohibitions contained in subparagraphs (d)(1) and (d)(2) shall apply with equal force to any affiliate of the contractor, any subcontractor, consultant, or employee of the contractor, any joint venture involving the contractor, any entity into or with which it may merge or affiliate, or any successor or assign of the contractor. The terms of paragraph (f) of the Special Contractor Requirement relating to notification shall apply to any release of information in contravention of this paragraph (d).

(e) The contractor further agrees that during the performance of this contract and for a period of three years after completion of performance of this contract, the contractor, any affiliate of the contractor, any subcontractor, consultant, or employee of the contractor, any joint venture involving the contractor, any entity into or with which it may subsequently merge or affiliate or any other successor or assign of the contractor, shall not furnish to the United States Government, either as a prime contractor or as a subcontractor, or as a consultant to a prime contractor or as a subcontractor, any system, component or services which is the subject of the work to be performed under this contract. This exclusion does not apply to any re-competition for those systems, components, or services on the basis of work statements growing out of the effort performed under this contract, from a source other than the contractor, subcontractor affiliate, or assign of either, during the course of performance of this contract or before the three year period following completion of this contract has lapsed, the contractor may, with the authorization of the cognizant contracting officer, participate in a subsequent procurement for the same system, component, or service. In other words, the contractor may be authorized to compete for procurement(s) for systems, components or services subsequent to an intervening procurement.
(f) The contractor agrees that, if after award, it discovers an actual or potential organizational conflict of interest, it shall make immediate and full disclosure in writing to the contracting officer. The notification shall include a description of the actual or potential organizational conflict of interest, a description of the action, which the contractor has taken or proposes to take to avoid, mitigate, or neutralize the conflict, and any other relevant information that would assist the contracting officer in making a determination on this matter. Notwithstanding this notification, the government may terminate the contract for the convenience of the government if determined to be in the best interest of the government.

(g) Notwithstanding paragraph (f) above, if the contractor was aware, or should have been aware, of an organizational conflict of interest prior to the award of this contract or becomes, or should become aware of an organizational conflict of interest after award of this contract and does not make an immediate and full disclosure in writing to the contracting officer, the government may terminate this contract for default.

(h) If the contractor takes any action prohibited by this requirement or fails to take action required by this requirement, the government may terminate this contract by default.

(i) The contracting officer's decision as to the existence or nonexistence of the actual or potential organization conflict of interest shall be final and is not subject to the clause of this contract entitled "DISPUTES" (FAR 52.233.1).

(j) Nothing in this requirement is intended to prohibit or preclude the contractor from marketing or selling to the United States Government its product lines in existence on the effective date of this contract; nor, shall this requirement preclude the contractor from participating in any research and development. Additionally, sale of catalog or standard commercial items are exempt from this requirement.
(k) The contractor shall promptly notify the contracting officer, in writing, if it has been tasked to evaluate or advise the government concerning its own products or activities or those of a competitor in order to ensure proper safeguards exist to guarantee objectivity and to protect the government's interest.

(l) The contractor shall include this requirement in subcontracts of any tier which involve access to information or situations/conditions covered by the preceding paragraphs, substituting "subcontractor" for "contractor" where appropriate.

(m) The rights and remedies described herein shall not be exclusive and are in addition to other rights and remedies provided by law or elsewhere included in this contract.

(n) Compliance with this requirement is a material requirement of this contract.

H.4 Contractor Support Public Trust Determinations
Per Marine Corps Systems Command Policy Letter 1-09, all Contractor support that require a CAC are required to submit a Standard Form 85P, "Questionnaire for Public Trust Positions," and two copies of DD Form 258 "Applicant Fingerprint Card" to the Command's Security Program office along with a personnel roster of submissions and an addressed Federal Express container addressed to OPM, 1137 Branchton Road, Box 618, Boyers, PA 16018.
The Contractor is responsible for determining when adjudications have been entered by reviewing the notification status of their respective personnel. Once this has been completed, the Contractor may request the issuance of the CAC using the Contract Verification System (CVS) procedures. However, if issues are discovered, the Department of the Navy, Central Adjudication Facility (DONCAF) will place a "No Determination Made" in the Joint Personnel Adjudication System (JPAS) and forward the investigation to the submitting office for the Government to adjudicate.

H.5 Substitution of Key Personnel
a. Key personnel definition. Key personnel are understood to be those individuals who were proposed in the Contractor's technical submission, and specifically listed herein, who are necessary to fill the requirements of the task order.

Key Personnel
Cyber SME II: Jesse Corray
Cyber SME II: Scott Benson
Cyber SME I: Daryl Kitchens

b. The contractor shall assign to this task order those people identified as key personnel and who are necessary to fulfill the requirements of this task order. No substitutions shall be made except in accordance with this clause.

c. Guidance on Substitutions. All substitution requests must be submitted, in writing, at least fifteen (15) days [thirty (30) days if security clearance is to be obtained] in advance of the proposed substitutions to the Contracting Officer.

d. Requests for Substitutions. All requests for substitutions must provide a detailed explanation of the circumstances necessitating the proposed substitution, and any other information requested by the Contracting Officer. All proposed substitutes must have qualifications that are equal to or higher than the qualifications required of the person to be replaced. The Contracting Officer or his/her authorized representative will evaluate such requests and promptly notify the Contractor of his/her approval or disapproval thereof.
H.6 Post Award Conference
Within 30 days of the start of performance, the awardee shall organize a Kickoff Meeting to be attended by the COR and contractor personnel to reconcile performance requirements including: detailed WBS, 30-day staffing plan, use of team members/subcontractors, security requirements, funding and management of funds, and quality control measures in response to the Performance Requirements Survey (PRS).
SECTION I CONTRACT CLAUSES

FAR 52.217-9 -- OPTION TO EXTEND THE TERM OF THE CONTRACT. (MAR 2008)

(a) The Government may extend the term of this contract by written notice to the Contractor within 30 days prior to completion of the base period; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 60 days before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed three years.

(End of Clause)

FAR 52.217-8 -- OPTION TO EXTEND SERVICES. (NOV 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within twelve (12) months of the period of performance end date.

(End of Clause)
SECTION J LIST OF ATTACHMENTS

Exhibit A - Contract Data Requirements Lists (CDRLs)
Attachment 1 - Final DD254