Background - GovCon Wire



U.S. Department of Transportation
Office of the Chief Information Officer
Office of Information Technology Shared Services
Enterprise Information Technology Shared Services (EITSS)
Infrastructure Operations
Performance Work Statement

Contents

1. Background
2. ITSS Operations Overview
3. Scope and Scale
4. Period and Place of Performance
5. PERSONNEL:
1.1 Key Personnel
6. Operating Hours
7. Tasks
7.1. Task 1: Management
7.1.1. SUB-TASK 1.1: TASK MANAGEMENT
7.1.2. SUB-TASK 1.2: SERVICE MANAGEMENT SYSTEM (SMS)
7.1.3. SUB-TASK 1.3: QUALITY MANAGEMENT PLANNING
7.1.4. SUB-TASK 1.4: SERVICE REQUEST MANAGEMENT (SRM) ADMINISTRATION
7.1.5. SUB-TASK 1.5: SERVICE LEVEL MONITORING AND REPORTING
7.1.6. SUB-TASK 1.6: CROSS-FUNCTIONAL COORDINATION
7.1.7. SUB-TASK 1.7: CUSTOMER SERVICE SUPPORT
7.1.8. SUB-TASK 1.8: KNOWLEDGE MANAGEMENT
7.1.9. SUB-TASK 1.9: AVAILABILITY MANAGEMENT
7.1.10. SUB-TASK 1.10: CAPACITY MANAGEMENT
7.1.11. SUB-TASK 1.11: PERFORMANCE MANAGEMENT
7.1.12. SUB-TASK 1.12: INCIDENT (OUTAGE OR SERVICE DEGRADATION) MANAGEMENT
7.1.13. SUB-TASK 1.13: PROBLEM MANAGEMENT
7.1.14. SUB-TASK 1.14: ADMINISTRATIVE SUPPORT
7.1.15. SUB-TASK 1.15: TRANSITION IN
7.1.16. SUB-TASK 1.16: TRANSITION OUT
7.2. Task 2: Endpoint Engineering
7.2.1. SUB-TASK 2.1: ENDPOINT ENGINEERING PLANNING AND ANALYSIS
7.2.2. SUB-TASK 2.2: ENDPOINT ENGINEERING REQUIREMENTS DEFINITION AND DOCUMENTATION
7.2.3. SUB-TASK 2.3: ENDPOINT IMAGE BUILD SUPPORT
7.2.4. SUB-TASK 2.4: ENDPOINT PATCH MANAGEMENT
7.2.5. SUB-TASK 2.5: ENDPOINT RESEARCH AND TECHNOLOGY INNOVATION
7.3. Task 3: Infrastructure Engineering
7.3.1. SUB-TASK 3.1: GENERAL INFRASTRUCTURE ENGINEERING REQUIREMENTS
7.3.2. SUB-TASK 3.2: NETWORK ENGINEERING
7.3.3. SUB-TASK 3.3: SECURITY ENGINEERING SUPPORT
7.3.4. SUB-TASK 3.4: SITE ENGINEERING SERVICES FOR NEW SITES OR SITE UPGRADES
7.3.5. SUB-TASK 3.5: BACKUP AND STORAGE ENGINEERING SUPPORT
7.3.6. SUB-TASK 3.6: INFRASTRUCTURE PATCH MANAGEMENT
7.3.7. SUB-TASK 3.7: INFRASTRUCTURE RESEARCH AND TECHNOLOGY INNOVATION
7.3.8. SUB-TASK 3.8: EMAIL ENGINEERING
7.3.9. SUB-TASK 3.9: COMMUNICATIONS AND USER COLLABORATION ENGINEERING
7.3.10. SUB-TASK 3.10: ENGINEERING TEST LAB SUPPORT
7.3.11. SUB-TASK 3.11: FACILITY MOVES ENGINEERING SUPPORT
7.3.12. SUB-TASK 3:12: VIDEO TELECONFERENCE (VTC) ENGINEERING SUPPORT
7.3.13. SUB-TASK 3:13: FILE AND PRINT SERVER ENGINEERING
7.3.14. SUB-TASK 3:14: ENGINEERING AND OPERATIONS SURGE SUPPORT
7.3.15. SUB-TASK 3.15: REMOTE MANAGEMENT & ACCESS ENGINEERING
7.3.16. SUB-TASK 3.16: SERVER HOSTING ENGINEERING
7.3.17. SUB-TASK 3.17: SOFTWARE DEPLOYMENT
7.3.18. SUB-TASK 3.18: DESKTOP SECURITY SERVICES
7.3.19. SUB-TASK 3.19: ENTERPRISE MONITORING
7.4. Task 4: Infrastructure Operations
7.4.1. SUB-TASK 4.1: INFRASTRUCTURE GENERAL SUPPORT
7.4.2. SUB-TASK 4.2: INFRASTRUCTURE OPERATIONS AND ADMINISTRATION
7.4.3. SUB-TASK 4.3: NETWORK OPERATIONS SUPPORT
7.4.4. SUB-TASK 4.4: SECURITY OPERATIONS SUPPORT
7.4.5. SUB-TASK 4.5: FIREWALL SECURITY MANAGEMENT
7.4.6. SUB-TASK 4.6: INTRUSION DETECTION SERVICES
7.4.7. SUB-TASK 4.7: ENTERPRISE OPERATIONS CENTER (EOC)
7.4.8. SUB-TASK 4.8: SYSTEMS OPERATIONS AND MAINTENANCE
7.4.9. SUB-TASK 4.9: SYSTEMS DEPLOYMENT AND TESTING
7.4.10. SUB-TASK 4.10: SECURITY AND PRIVACY
7.4.11. SUB-TASK 4.11: INTEGRATION MANAGEMENT
7.4.12. SUB-TASK 4.12: PRINT SERVER MANAGEMENT
7.4.13. SUB-TASK 4.13: SERVICE OPERATIONS
7.4.14. SUB-TASK 4.14: STORAGE AND DATA MANAGEMENT OPERATIONS
7.4.15. SUB-TASK 4.15: DATABASE ADMINISTRATION
7.4.16. SUB-TASK 4.16: MIDDLEWARE ADMINISTRATION
7.4.17. SUB-TASK 4.17: END USER ADMINISTRATION
7.4.18. SUB-TASK 4.18: REMOTE MANAGEMENT & ACCESS OPERATIONS
7.4.19. SUB-TASK 4.19: WEB HOSTING SUPPORT
7.4.20. SUB-TASK 4.20: IT SERVICE CONTINUITY AND DISASTER RECOVERY (DR) SUPPORT
7.4.21. SUB-TASK 4.21: SERVER OPERATIONS
7.4.22. SUB-TASK 4.22: BACKUP AND RECOVERY
7.4.23. SUB-TASK 4.23: EMAIL AND MOBILE DEVICE MANAGEMENT
7.4.24. SUB-TASK 4.24: CLOUD ENVIRONMENT MANAGEMENT
7.5. Task 5: Data Center Operations
7.5.1. SUB-TASK 5.1: GENERAL DATA CENTER SUPPORT
7.5.2. SUB-TASK 5.2: DATA CENTER ACCESS CONTROL
7.5.3. SUB-TASK 5.3: DATA CENTER OPERATIONS AND ADMINISTRATION
7.5.4. SUB-TASK 5.4: DATA CENTER SECURITY
7.6. Task 6: Application Hosting
7.6.1. SUB-TASK 6.1: APPLICATION HOSTING GENERAL TASKS
7.6.2. SUB-TASK 6.2: HOSTING PLANNING AND ANALYSIS
7.6.3. SUB-TASK 6.3: HOSTING REQUIREMENTS AND DESIGN
7.6.4. SUB-TASK 6.4: NETWORK HOSTING
7.6.5. SUB-TASK 6.5: HOSTING HARDWARE AND SOFTWARE SUPPORT
7.6.6. SUB-TASK 6.6: HOSTING BACKUP AND RESTORE
7.6.7. SUB-TASK 6.7: HOSTING CONTINUITY PLANNING AND EXECUTION
7.6.8. SUB-TASK 6.8: HOSTING DATABASE MANAGEMENT
7.6.9. SUB-TASK 6.9: HOSTING SECURITY
7.6.10. SUB-TASK 6.10: HOSTING INITIATION
7.6.11. SUB-TASK 6.11: DESIGN THE PRODUCTION ARCHITECTURE
7.6.12. SUB-TASK 6.12: DEPLOY THE ENVIRONMENT
7.6.13. SUB-TASK 6.13: INSTALL AND CONFIGURE SERVERS
7.6.14. SUB-TASK 6.14: HARDEN THE PRODUCTION ENVIRONMENT
7.6.15. SUB-TASK 6.15: SIMULATED MIGRATION
7.6.16. SUB-TASK 6.16: PRODUCTION MIGRATION
8. Deliverables
9. Task Service Level Agreements

Background

The U.S. Department of Transportation (DOT) is the United States Government's principal agency for transportation of all Americans and providing essential transportation safety services.
The mission of DOT is to serve the United States by ensuring a fast, safe, efficient, accessible and convenient transportation system that meets our vital national interests and enhances the quality of life of the American people, today and into the future. Integral to these responsibilities is the open sharing of information that is sensitive to the Department and national security. DOT faces the challenge of providing important services and products to the American people while simultaneously reducing costs and protecting sensitive information.

The DOT Office of the Chief Information Officer (OCIO) supports the DOT mission by leading the development and implementation of an enterprise information technology (IT) infrastructure across DOT. The DOT OCIO Office of Information Technology Shared Services (ITSS) is responsible for providing a reliable, cost effective, scalable, secure, and flexible enterprise computing platform that supports and enhances customer IT needs and capabilities from requirements gathering through design, development, testing, and implementation.

ITSS currently manages an IT support services contract for the DOT Common Operating Environment (COE) which provides Infrastructure and standard Operations support for DOT customers. The contract is used by many DOT organizations to provide IT services. To ensure the continuity and availability of the critical IT services that ITSS and these other DOT organizations currently provide to DOT customers, ITSS is executing this solicitation to enable DOT to award performance-based follow-on contract(s). ITSS will work in tandem with assigned TO Contracting Officers (CO), Contracting Officer’s Representatives (COR) and Government technical monitors to achieve DOT’s enterprise goals and objectives.
All task orders awarded through the EITSS acquisition will require the approval of ITSS’s Business Management Office (BMO) to ensure DOT is maximizing its business solutions and planning for continued growth and success of IT Enterprise services at DOT.

The Enterprise Information Technology Shared Services (EITSS) contract will facilitate ITSS as it moves forward in executing the work requirements of the COE and Operating Administrations, provide visibility and transparency into provider performance, and lead the alignment of services to support ITSS’s vision, organizational structure, personnel skills, and mission requirements. Under the EITSS contract, ITSS is re-structuring its contracting approach and moving towards a performance-based environment for all of DOT. The EITSS contract will include several Performance Work Statements including:
Program Management and Integration Support (Attachment J-1),
End User Support to include seat management, help desk support, etc. (Attachment J-2),
Infrastructure Operations to include hosting, networking, cybersecurity, etc. (Attachment J-3).

This document is the Infrastructure Operations Performance Work Statement (PWS), and includes work required to operate and maintain the Infrastructure environment. The work performed in this PWS will be monitored, tested, and reported by the Program Management and Integration Support PWS awardee. This will provide DOT an impartial evaluation of the Infrastructure services performed by the Contractor.

ITSS Operations Overview

This Performance Work Statement (PWS) establishes the requirements for ITSS Infrastructure Services. The Contractor shall provide operations personnel and services for the full spectrum of ITSS operations projects, platforms, and services, to include endpoints, infrastructure, networks, and security.
As a leader in the industry, DOT anticipates the Contractor will be capable of utilizing and supporting Service and Software Management Systems widely used in the IT industry to include Remedy, SolarWinds, BigFix and/or similar products. (Refer to Attachment J.) The Contractor is responsible for providing trained and skilled personnel to design, build, manage, and administer these solutions as outlined in this PWS. The Government will not be responsible for training the Contractor workforce on these solutions.

In performance of these services, the Contractor shall:
Provide end-to-end, lifecycle support for all current and future production systems (all devices connected to the network) in operation today and in the future and supported by ITSS (current production systems are described in the Attachments).
Provide a qualified workforce capable of performing the required tasks under this contract to ensure the effective management and administration of all work activities. This includes ensuring that all work activities are performed in a timely and cost-effective manner while maintaining the highest quality of performance.
Deploy and maintain Government-furnished end user hardware and software to end users located at DOT locations and senior DOT executive residences.
Deploy, maintain, and utilize and support the Government-furnished equipment (GFE) Knowledge Management System for service desk agents.
Utilize and support the GFE Service Management System (SMS), currently Remedy, and any other successor system.
Utilize and support the GFE Monitoring system (currently SolarWinds) and any successor system.
Provide technical assistance to DOT in defining core software image package specifications for desktops, laptops, servers, and other in-scope devices.
Support DOT’s deployment of firewall, network access control, program control, anti-virus, anti-spyware, data security, and remote access solutions on all end user devices.
Monitor networks and endpoints and provide status and measurements for the operational environment.
Provide proactive and scheduled console monitoring of infrastructure and systems (e.g., hardware, applications, network, batch schedule, interfaces, etc.), respond to messages, and take corrective action as required.
Perform day-to-day operation of the distributed computing environment, providing and supporting a stable infrastructure, and effectively and efficiently perform operational and processing procedures to ensure Service Level Agreements (SLAs) conform to requirements and policies, and comply with security requirements.
Provide technical support for all hardware/equipment in the data center computing infrastructure, to include, but not limited to, network, storage, hosting, mail, and security equipment, both physical and virtual.
Install, configure and maintain database system software to support the normal business operation of DOT applications and other database associated software components.
Implement physical and logical security plans consistent with DOT security policies, and develop and provide documentation demonstrating adherence to the plans, processes and procedures.
Support activities that include provisioning and day-to-day management of the installed server environment, and effectively and efficiently perform procedures to ensure services meet regulatory requirements.
Provide skilled personnel for backup and storage services (e.g., RAID array, SAN, NAS, tape, optical, Cloud, O365 backups, etc.).
Support email and all requests for email system modification and/or enhancements received after the system is implemented, and classified as planned software maintenance including, mobile device support, mobile device management, COOP/DR support, remote usage, and support of FISMA requirements.
Provide life cycle management expertise and support. This expertise will include requirements analysis, architecture development, system design, integration management, systems development and implementation assistance.
Provide support and services for systems used by DOT to include real-time communication services such as IP telephony, presence information, instant messaging, and video conferencing with non-real-time communication services such as voicemail, email, and text.
Provide advanced knowledge and skills to support current and future technologies and services including, but not limited to, Internet of Things (IoT), 3D Printing, AI Infrastructure, Mobile Platforms, Data Center Optimization Initiative, Enterprise Infrastructure Solutions, Virtualization, License Management, Shared Service Consolidation, Software Defined Networks, Cloud Computing Solutions, Automation, Artificial Intelligence, Big Data Analysis, and Robotics.
Establish and manage endpoint and infrastructure engineering processes to ensure end-to-end integration and improve service delivery.
Perform endpoint and infrastructure engineering in support of development activities including requirements definition, design, development, integration, test, and transition to operations.
Perform design analysis, requirement analysis, alternatives analysis solutions, system capacity analysis, and concept of operations development, and document results.
Perform engineering and integration Project Management for current and future ITSS systems hardware and software.
Develop systems engineering planning documents, design documents and SOPS for all Infrastructure and Endpoint systems.
Manage, maintain and expand as necessary an Engineering Test Lab infrastructure.
Evaluate, test, and document Commercial Off-The-Shelf (COTS) and Government Off the Shelf (GOTS) software and hardware products and solutions including development and engineering tools.
Coordinate with the Test Lab on testing of all changes before they are released into the production environment.
Coordinate activities at the system interface boundaries with other contractors and Government organizations.
Develop and integrate service delivery processes with those of the Government to ensure a seamless user experience.
Promote IT innovation to enhance business performance through research and development, studies, and assessments of evolving technologies and industry best practices, including DevOps practices and processes, in endpoint and infrastructure solutions to achieve costs savings and improve support and services to ITSS customers.
Adhere to and integrate with cross-functional requirements and service management support processes such as incident, problem, change, release, test, asset, and configuration management.
Comply with all Federal Security mandates (e.g., FISMA, NIST, and FedRAMP), adhere to DOT specific policy (e.g., DOT Cyber Security Compendium), and designed and built in collaboration with DOT Information Assurance (IA) team to ensure all required security controls are built into each solution.
Application migration, builds, installation and configuration set-up including self-provisioning;
Migration of Modal equipment to the appropriate Government’s datacenter;
Base Server administration activities including console monitoring, BIOS, Operating System (OS);
Managed Security Services including monthly audits, antivirus, firewall and virtual private network (VPN), host-based intrusion detection, and intrusion prevention systems;
24x7x365 monitoring and reporting of hardware, software, incidents, outages, problems and bandwidth issues;
Backup, restore and offsite storage services;
Support for migration of hardware, software, data tapes, etc., as applicable to a different facility at customer request and/or end of contract;
On-demand scalable bandwidth;
Adherence to customer asset life cycle management requirements and associated reporting;
Administration of accounts, media services, and domain access (FTP, etc.);
Full service patch management including server, OS, security, application, etc.;
Full development, testing, and production environments, integrated with change and release management procedures;
Project management and implementation; and
Life-cycle support services to include planning and analysis; requirements definition; design specifications; development; availability management, capacity management, performance, service level monitoring, incident management, problem management, and account management.

ITSS is seeking support from a highly-qualified IT operations service provider who has the capabilities, processes, and a proven record of providing innovative and practical end-to-end IT operations services to Government organizations similar in size, scale, and complexity to DOT. The critical objective is to quickly develop cost-effective and flexible solutions that securely meet customer needs while effectively integrating into the agreed-upon IT operations.

Services will be implemented using solutions primarily furnished by the Government. However, the Government is receptive and open to other solution recommendations including managed services, tools, and products. The Government requests that if an alternative solution is provided, that it be quoted separately in addition to a quote to maintain the current in-house services and tools.

Scope and Scale

This Operations PWS sets forth the requirements and responsibilities of the parties with respect to the Operations Services required by applicable customers of DOT.

An overview of the services required is provided below:
1. Management
2. Endpoint Engineering
3. Infrastructure Engineering
4. Infrastructure Operations
5. Data Center Operations
6. Application Hosting

Period and Place of Performance

The Period of Performance (POP) includes a base period of two years and five option periods for a total of 84 months.
The POP is:
Base Period: October 1, 2018 – September 30, 2020 (24 months)
Option Period 1: October 1, 2021 – September 30, 2022 (12 months)
Option Period 2: October 1, 2022 – September 30, 2023 (12 months)
Option Period 3: October 1, 2023 – September 30, 2024 (12 months)
Option Period 4: October 1, 2024 – September 30, 2025 (12 months)
Option Period 5: October 1, 2025 – September 30, 2026 (12 months)

Place of Performance:

Services will be provided to users primarily at the Government sites in the Washington, DC Metropolitan Area and DOT field sites as described in the statement of work or task orders, or unless otherwise stipulated by the CO and COR. In addition, services will be delivered to users at all locations as enumerated in Attachment J.

PERSONNEL:

The Contractor shall provide the skilled personnel, including all management and supervisory staff, required for the effective and efficient performance of this PWS. The following is expected of the Contractor as it relates to the personnel:

The Program Manager shall be an employee of the Prime Contractor.

The Contractor shall supply qualified, cleared, and trained personnel to staff this contract.

The Contractor shall provide security-cleared personnel who have the necessary technical, project management, and administrative expertise to support the assessment, planning, and execution of the projects.

The Contractor shall provide annual training to personnel assigned to this contract to ensure that their technical skills and knowledge of equipment, systems and applications remain current and up-to-date, to include, but not be limited to, new releases of products and applications.

The Contractor shall track DOT required training (e.g. security and records management training), ensure mandatory policies are followed and wherever possible, and complete all training requirements at least three (3) business days prior to the deadline.

The Contractor shall ensure hours/cost are billed to the respective cost centers and/or functional task.

The DOT reserves the right to review resumes of all personnel assigned to this contract and the results of the background investigations conducted by the Contractor. If the Government does not believe that the quality of performance meets performance standards stated in the contract, or is not in line with the requirement(s) of any resultant task order, the Contracting Officer will notify the Contractor in writing. The Contractor shall notify DOT of its remediation plan for performance and/or conduct issues within 2 business days. The remediation plan must include a time period (not to exceed 30 days) by which the performance concerns will be mitigated. The Department reserves the right to withhold invoice payments due to contractor performance issues. If after 30 days, the Contractor’s performance has not improved, DOT requires the Contractor to provide qualified personnel consistent with the contract for the effective and efficient performance of this contract. In circumstances where the Contractor may pose a threat or security concern, DOT has the right to require the immediate removal of Contractor personnel by communicating with the Contracting Officer and Contract Program Manager and/or Operations Manager. This clause is independent of, does not replace, and does not supersede any clause(s) within the contract that allows the Government to terminate this contract for default or any other reason.

Key Personnel

The Contractor shall provide resumes for the key personnel to be approved by the Government prior to beginning the onboarding process at DOT throughout the contract.
The following positions are considered key personnel by the government.
Program Manager
Operations Manager
Infrastructure Manager
Architecture Manager
Transition Manager
Quality Manager
Network Manager
Security Manager

If a performance requirement does not have an associated key personnel category requested, it is assumed the Program Manager will provide oversight to the contract personnel.

Operating Hours

The following are the operating hours for the various tasks within scope of this contract. For services with limited operating hours (less than 24x7x365) additional after-hours and weekend work will be required (e.g., for maintenance windows, emergency or surge work.):
Infrastructure Operations: 24x7x365
Infrastructure & Endpoint Engineering: Monday through Friday 7:00 AM – 7:00 PM local time
Data Center Operations: 24x7x365
Application Hosting: Monday through Friday 7:00 AM – 7:00 PM local time
Email Operations Support: 24x7x365
Network & Security Operations Center: 24x7x365
End User Services: 24x7x365

Tasks

Task 1: Management

SUB-TASK 1.1: TASK MANAGEMENT

Within ten (10) business days following the task order award date, the Contractor shall attend a Kickoff Meeting to review TO goals and objectives, and to discuss technical requirements, administrative matters, security requirements, project Transition, Government Furnished Information / Materials / Equipment (GFI/GFM/GFE), the milestone schedule, review cycles, and invoicing. At the meeting, the Contractor shall present their project plan and timeline, as well as plan for controlling task costs and schedules. The meeting shall be attended by all Contractor key personnel and shall be held at a location to be determined by the Government.

Also at the meeting, the Contractor shall provide the Names of All Key Project Managerial Staff, contact information, and their resumes to permit the designated DOT staff to immediately commence security and badging actions.
Additional Contractor team names shall be forwarded on the forms as they become available. No later than thirty (30) calendar days after award, in accordance with all federal laws including the Presidential Directive 13495 on non-managerial hiring, the Contractor shall submit to the COR 100% of their proposed team names.

The Contractor shall manage proposed team members in compliance with all security and other onboarding requirements.

The Contractor shall provide a qualified workforce capable of performing the required tasks under this contract to ensure the effective management and administration of all work activities. This includes ensuring that all work activities are performed in a timely and cost effective manner while maintaining the highest quality of performance.

The Contractor shall integrate management of all tasks within the contract as described in the work requirements. The Contractor shall structure work activities in a manner that ensures that the Contractor’s goals and objectives are synchronized with those of ITSS and reflect the attributes of a transparent and customer-oriented effort across DOT.
The Contractor shall monitor work performance, measure results, ensure timely and professional delivery of contracted product deliverables and solutions, support management decision-making, and facilitate communications.

The Contractor shall identify, track, and report on risks, resolve problems, and verify effectiveness of corrective actions.

The Contractor shall institute and maintain a process that ensures problems and action items discussed with the Government are tracked through resolution and shall provide timely status risk and issue reporting.

The Contractor shall ensure results of Contractor actions taken to improve performance are tracked and lessons learned incorporated into applicable processes.

The Contractor shall establish, maintain, and/or update a documented set of disciplined, mature, and continuously improving processes for administering all TO efforts with an emphasis on cost-efficiency, schedule, performance, responsiveness and consistently high-quality delivery.

The Contractor shall deliver Meeting Notes from the Kickoff Meeting within three (3) business days of the meeting to the COR and track any associated action items through completion.

The Contractor shall submit a Management Plan (MP) within thirty (30) business days of award that describes the technical approach, organizational structure and resources, communications plan, and management and quality controls to be employed to establish and monitor the cost, schedule, technical, and performance requirements through execution. The MP is an evolutionary document that shall be updated with significant changes as required.
The Contractor shall work from the latest Government-approved version of the MP.

Contractor shall prepare and deliver a formal Written Monthly Status Report to the COR and other designated Federal personnel that provides at a minimum, the following information:
A summary of work performed in the preceding month for each task area, which includes major milestones achieved or missed, deliverables, upcoming activities, and any anticipated issues that will prevent attainment of milestones and/or deliverables;
A summary of project financial status for each task area including, but not limited to, funded amount, expended to date, funding remaining, and estimate to complete;
A summary of all deliverables submitted from task inception to date showing the date submitted, and the status of the deliverable (i.e. accepted, rejected). For rejected deliverables, the Contractor shall provide an explanation why the deliverable was rejected, the corrective action plan, and the revised delivery date;
A summary of the personnel who performed work (i.e., charged direct labor hours) during the month by task area to include, but not be limited to, their name, job title, task area worked, labor category, and hours charged;
A summary of funding status (e.g., funded amount, expended amount, planned burn percent, and actual burn percent) and burn chart (for Time and Materials or Labor-hour tasks only); and
An attachment providing data, analysis, and reporting of performance against each contractual SLA; the Contractor shall include an improvement plan for any missed SLAs.

The Contractor shall ensure all deliverables, documentation, and artifacts strictly adhere to the DOT policies, processes, and templates as applicable.

The Contractor shall deliver a Kickoff Briefing for new work requirements no less than three (3) business days prior to the Kickoff meeting.

Contractor-proposed formats for reports, deliverables and documentation shall be approved by the Government prior to acceptance.

The Contractor shall ensure that all Contractor staff conduct themselves with the utmost of professional courtesy and standards at all times, notably in ‘customer facing’ service transactions to include service call center site support, meetings, written communications, etc.

The Contractor shall respond, during Operating Hours, to all technical or cost concerns raised by DOT Task Managers and/or COR, and will acknowledge, via email within one (1) hour of receipt. All responses will be in writing and resolved within twenty-four (48) hours unless a unique circumstance prohibits otherwise. The Contractor shall then respond in writing to the DOT Task Managers and COR accordingly.

The Contractor shall provide a deliverables schedule to ensure on-time delivery of contract requirements.

The Contractor shall provide, for all tasks and subtasks, meeting support by planning and arranging for meetings, preparing meeting materials and recording and disseminating minutes; developing and tracking correspondence, reports (including ad hoc) and briefing materials; maintaining a document library.

The Contractor shall conduct informal knowledge transfer to Government personnel when needed to clarify or communicate some aspect of the performance of this Task Order.

SUB-TASK 1.2: SERVICE MANAGEMENT SYSTEM (SMS)

The Contractor shall utilize, operate, maintain, configure, customize, support, and update the GFE SMS and any successor system. The Contractor shall advise the Government regarding needed changes to the SMS.
The Contractor shall assist in configuring the GFE SMS parameters to customize the instance for ITSS and its customers based on usage and need.
The Contractor shall categorize, prioritize and log all inquiries (e.g., incidents, problems, service requests, changes, and other) in the SMS.
The Contractor shall analyze service outages and degradations, and recurring incidents and problems and perform root cause analysis to inform the Government of the underlying issue.
The Contractor shall document service requests in the SMS and address or escalate per DOT policies and procedures.
The Contractor shall document general inquiries and other Government-approved events in the SMS and address or escalate per DOT policies and procedures.
The Contractor shall assist in configuring the SMS such that it automatically sends an acknowledgement email no more than thirty (30) minutes after the ticket is opened to end users upon opening a ticket submitted through any channel with a description of the incident.
The Contractor shall assist in configuring the SMS to enable end users to view the status of their ticket in the system as well as create their own ticket.
The Contractor shall assist in configuring the SMS to provide full transparency/access of the raw data to the COR.
The Contractor shall verify with the end user that the ticket may be closed through verbal or written means. If verbal approval is received, the service desk agent may close the ticket. If written approval is received, the agent may close the ticket. If no approval is received, a minimum of three (3) attempts to reach the end user for confirmation shall be attempted and must be made during operating hours with at least four hours between attempts.
The Contractor shall establish thresholds, subject to Government approval, that will trigger email communication to designated DOT and ITSS personnel based on certain events; triggers will be based on ticket volume, open tickets, closed tickets, and other related measures.
Thresholds will be adjustable on a weekly basis.
The Contractor shall assist in configuring SMS mandatory fields for service desk agents per Government direction.
The Contractor shall assist in configuring mandatory fields for end users creating tickets in the SMS.
The Contractor shall assist in configuring SMS ticket queues in accordance with Government requirements.
The Contractor shall assist in configuring the SMS such that all Government-designated Contractors and third parties are provided bi-directional access to both read and write (i.e., update) tickets.
The Contractor shall work with the Government to configure the SMS to produce custom and ad hoc reports.
The Contractor shall develop and, if needed, implement a contingency plan in the event the Government’s SMS is not available. The Contractor shall deliver the plan at Government request.
The Contractor is responsible for providing trained and skilled personnel to design, build, manage, and administer the SMS System, and any other successor system.

SUB-TASK 1.3: QUALITY MANAGEMENT PLANNING
The Contractor shall provide an updated Quality Management Plan (QMP) (updating that version submitted in the Offeror’s proposal) that contains, as a minimum, the items listed below to the COR for acceptance not later than fifteen (15) business days after award. The COR will notify the Contractor of acceptance or required modifications to the plan.
The updated QMP shall include the following minimum requirements:
A description of the inspection system to cover all major services and deliverables.
The description shall include specifics as to the areas to be inspected on both a scheduled and unscheduled basis, frequency of inspections, and the title and organizational placement of inspectors.
A description of the methods to be used for identifying and preventing defects in the quality of service performed.
A description of the records to be kept to document inspections and corrective or preventative actions taken.
All records of inspections performed shall be retained and made available to the Government as required by applicable regulations.

SUB-TASK 1.4: SERVICE REQUEST MANAGEMENT (SRM) ADMINISTRATION
The Contractor shall execute the complete process of Service Request Management administration including receipt, analysis, estimation, pricing, and reporting of Customer Service Requests (CSR). CSRs define requirements that are in-scope of the Task Order but undefined at time of award of the Task Order.
The Contractor shall receive, process, price, and estimate solutions to CSRs.
The Contractor shall operate, maintain, monitor, and report from, a GFE, web-based CSR tracking tool viewable by the Government 24x7x365. The tracking tool shall be updated within one (1) business day of receipt of a CSR from the Government.
The Contractor shall perform the response activities required to collect the CSR, analyze, request clarification, recommend alternatives, meet with the requestor, and document the response to the CSR.
This process shall continue through and including, but not limited to, the requestor’s decision to proceed.
The Contractor shall provide CSR Monthly Reports describing the details of received CSRs.
The Contractor shall deliver a written, initial technical/price estimate to a CSR within five (5) business days of request unless the Government authorizes an extension based on the complexity of the request.
The Contractor shall revise the initial technical/price estimate upon DOT clarification of requirements within five (5) business days of clarification unless the Government authorizes an extension based on complexity of the request.
If, at any point within the CSR Administration process, it appears that the requested work is not within current funding, the Contractor shall immediately inform the COR and Contract Specialist.

SUB-TASK 1.5: SERVICE LEVEL MONITORING AND REPORTING
The Contractor shall monitor and report on all Service Level Agreements and inform the CO’s Representative when SLAs are being breached or are about to be breached.
The Contractor shall report Service Level performance and attainment on a GFE dashboard no less than once a month.
The Contractor shall configure, operate, and maintain the GFE service level dashboard.
The Contractor shall monitor service level performance, document and report on service level performance, and recommend service level improvement plans.
The Contractor shall develop, document, and/or update (where existing) Service Level Monitoring and Reporting Procedures that meet DOT requirements and adhere to defined DOT policies.
The Contractor shall report on SLA Performance and Improvement Results.
The Contractor shall provide both ad hoc and new service level reports as well as service level analytics capability.
The Contractor shall coordinate SLA monitoring and reporting with designated DOT representative and third parties.
The Contractor shall measure, analyze, and provide management reports on performance relative to SLAs.
The Contractor shall develop and deliver SLA Improvement Plans where SLAs are breached.
The Contractor shall implement SLA improvement plans.
The Contractor shall develop, document, update (where appropriate), and execute service level monitoring and reporting procedures that meet DOT requirements and adhere to defined DOT policies.
The Contractor shall furnish an SLA monitoring and reporting tool. Data from the tool shall be exportable to the Government service management system.
Data provided by the Contractor must meet requirements for the Government's data center optimization initiative.
The Contractor shall report on SLA performance and improvement results.
The Contractor shall coordinate SLA monitoring and reporting with designated DOT representative and third parties.
The Contractor shall measure, analyze, and provide management reports on performance relative to SLAs.
The Contractor shall develop and deliver SLA improvement plans where SLAs are breached.
The Contractor shall implement SLA improvement plans.
The Contractor shall provide DOT read only portal access to performance and SLA reporting and monitoring systems in near real time.
The Contractor shall respond to inquiries and incidents submitted through the ticketing system in accordance with SLAs.

SUB-TASK 1.6: CROSS-FUNCTIONAL COORDINATION
The Contractor shall coordinate with Asset Management (including Hardware and Software), Change Management, Configuration Management, Release Management, Test Management, Infrastructure Operations, End User Operations, Data Center Management, and Telephony Management on all changes and daily operations. The Contractor shall comply with all approved plans, policies and standard operating procedures for Asset Management (including Hardware and Software), Change Management, Configuration Management, Release Management and Test Management, End User Operations and Data Center Management. The Contractor shall submit all changes for review and approval with the appropriate documentation including, but not limited to, change cost, risk impact assessment, security considerations, documented back-out plans, communication plans and communications, implementation plans, and verification steps.

SUB-TASK 1.7: CUSTOMER SERVICE SUPPORT
The Contractor shall collaborate with the appropriate ITSS personnel to ensure production of reports and internal delivery processes are in compliance with the DOT objectives.
The Contractor shall track expenditures related to services for which the Contractor has operational responsibility, and perform analysis of expenditures including, but not limited to, trends in recurring costs and sufficiency of funds in order to drive down costs.
The Contractor shall perform routine and ad hoc analysis as required by ITSS personnel to ensure accurate and timely workload data is provided to the respective customers.
The Contractor shall process workload data to develop monthly workload reports in accordance with DOT requirements.
The Contractor shall develop the workload / billing statements. The billing process is dependent upon timely receipt of accurate workload data for each of the Service Cost Centers from the Contractors.
The Contractor shall track expenditures related to services for which the Contractor has operational responsibility, and perform analysis of expenditures including, but not limited to, trends in recurring costs.
The Contractor shall review and provide analysis of the workload data as required to ensure an accurate report of workload data is provided in the Customer Billing statements.
The Contractor shall support the ITSS personnel to include, but not be limited to, creation and maintenance of service catalog, product items and all order forms.
The Contractor shall support the ITSS personnel to include, but not be limited to, creation and maintenance of all order forms.
The Contractor shall support the ITSS personnel to include, but not be limited to, processing customer orders.
The Contractor shall support the ITSS personnel to include, but not be limited to, processing monthly customer workload for billing.

SUB-TASK 1.8: KNOWLEDGE MANAGEMENT
The Contractor shall utilize, operate, maintain, configure, secure, support, and update the GFE Knowledge Management System (KMS) (a component of the SMS) and any successor system, and document solutions in the KMS. The KMS is developed through the course of daily operational use, as well as augmented by additional source information. The Contractor shall document solutions developed at the service desk in the GFE SMS or any successor system. Solutions shall be documented within ten (10) business days of incident closure.
The Contractor shall operate and update the GFE KMS for service desk agents. The GFE KMS will be a single environment for knowledge management with views for customers, administrators and support staff. The GFE KMS will utilize commercially available solutions to common technical problems or the Contractor’s own database of technical solutions to common problems per the Offeror’s technical solution.
The Contractor shall update the GFE KMS knowledge base with technical solutions.
The Contractor shall maintain the GFE KMS knowledge base including, but not limited to, creating, adding, modifying, and deleting documents as appropriate. Outdated knowledge documents shall be marked inactive.
The Contractor shall propose, every thirty (30) days, Updates to the Content of the Knowledge Base created using tickets received, trends in incidents and problems, and known issues in the environment.
Observed incidents and problems shall result in proposed updates to the knowledge base which shall be reviewed and approved by the Government.
The Contractor shall furnish commercial knowledge documentation and execute import into the GFE SMS.

SUB-TASK 1.9: AVAILABILITY MANAGEMENT
The Contractor shall develop, document, update (where appropriate), and execute availability management procedures and determine appropriate tools and methods that support DOT’s availability management requirements.
The Contractor shall maintain high availability of each application in accordance with SLAs.
The Contractor shall maintain high data center network availability in accordance with SLAs.
The Contractor shall implement Government-approved availability management policies and procedures.
The Contractor shall, when requested by the Government, participate in user requirements gathering and analysis when new applications are being defined to ensure that applications are designed to deliver the levels of availability required by the business.
The Contractor shall create availability and recovery design criteria to be applied to new or enhanced infrastructure design.
The Contractor shall coordinate with the IT service support and service delivery management personnel from DOT and third party contractors to research, review, and assess availability issues and optimization opportunities.
The Contractor shall recommend appropriate tools and practices to measure and report on agreed upon availability SLAs for the infrastructure.
The Contractor shall implement approved availability SLA measurement tools and practices.
The Contractor shall monitor and maintain an awareness of technology advancements and hosting best practices related to availability optimization and periodically provide updates to ITSS management.
The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for infrastructure management.
The Contractor shall ensure that all availability management improvement initiatives conform to defined change control procedures.
The Contractor shall participate in availability management review sessions as requested.
The Contractor shall specifically identify and report on problems related to outage of any system under this task order.
The Contractor shall monitor and report actual availability achieved versus targets, and ensure shortfalls are addressed promptly and effectively.
The Contractor shall conduct availability assessment review sessions and provide cost-justified improvement recommendations across the service.
The Contractor shall coordinate with DOT and third party service contractors to gather information on application availability issues and trends to be used for trend analysis.
The Contractor shall produce and maintain a forward-looking availability plan, which coordinates, prioritizes, and plans approved IT availability improvements.
The Contractor shall provide a range of IT availability reporting to ensure that agreed levels of availability, reliability, and maintainability are measured and monitored on an ongoing basis.
The Contractor shall perform regular reviews of the availability management process and its associated techniques and methods to ensure that all are subjected to continuous improvement and remain fit for their purposes.

SUB-TASK 1.10: CAPACITY MANAGEMENT
The Contractor shall develop, document, update (where appropriate), and execute capacity management procedures that meet requirements and adhere to defined policies.
The Contractor shall establish and implement a comprehensive capacity management planning process and deliver a Capacity Management Plan which describes processes, procedures, governance, roles and responsibilities for managing datacenter and application hosting capacity.
The Contractor shall define, develop, and implement tools that allow for effective capacity monitoring/trending of infrastructure, applications, and components. The Contractor shall assess and report capacity impacts when adding, removing or modifying applications.
The Contractor shall continually monitor IT resource usage to enable proactive identification of capacity and performance issues daily.
The Contractor shall capture trending information and forecast future DOT capacity requirements based on DOT-defined thresholds monthly.
The Contractor shall recommend changes to capacity to improve service performance monthly.
The Contractor shall assess impact/risk and cost of capacity changes, reflecting impact on other applications. Per Government requirements, a trade-off analysis and a business case may be requested.
The Contractor shall maintain capacity levels to optimize use of existing IT resources and minimize DOT costs.
The Contractor shall ensure adequate capacity exists within the environment taking into account daily, weekly, and seasonal variations in capacity demands. Contractor shall notify DOT within one (1) hour when capacity reaches an agreed upon threshold.

SUB-TASK 1.11: PERFORMANCE MANAGEMENT
The Contractor shall develop, document, update (where appropriate), and execute performance management procedures that meet DOT requirements and adhere to defined DOT policies.
The Contractor shall assist the application owner in tuning hosted applications to maintain optimum performance in accordance with change management procedures.
The Contractor shall manage service resources (e.g., devices, file tables, and data traffic) to meet defined availability and performance.
The Contractor shall proactively evaluate, identify, and recommend configurations or changes to configurations to enhance performance.
The Contractor shall assess and remediate incidents/problems related to performance daily.
The Contractor shall develop and deliver performance improvement plans when requested by the Government.
The Contractor shall implement improvement plans and coordinate with third parties as required.
The Contractor shall provide technical advice and support to the application maintenance and development staffs as required.

SUB-TASK 1.12: INCIDENT (OUTAGE OR SERVICE DEGRADATION) MANAGEMENT
The Contractor shall develop, document, update (where appropriate) and execute incident (outage) management processes that meet DOT requirements and adhere to defined DOT policies.
The Contractor shall adhere to DOT incident management policies and procedures.
The Contractor shall use a GFE incident management system and knowledge database, including all hardware, software, databases, automated monitoring tools, and management and reporting tools.
The Contractor shall monitor the incident management system for automatically generated and logged incident alerts. The Contractor will be notified by the COR if relief is given in response to a system outage.
The Contractor shall follow the knowledge database documents, and configuration database(s) documents when resolving incidents.
The Contractor shall identify and classify incident severity level characteristics and handle per agreed-upon incident response procedures.
The Contractor shall diagnose and resolve incidents and implement appropriate corrective actions for known errors (e.g., workarounds for known unresolved problems).
The Contractor shall deliver a Root Cause Analysis document for each Severity 1 incident resolution in accordance with SLAs.
The Contractor shall escalate incidents as appropriate within Contractor, DOT, or third party vendor as soon as it is clear that the incident management technician is unable to resolve the incident without additional assistance.
The Contractor shall track incident resolution progress through to final closure and record/update incident record status.
The Contractor shall provide expert functional and process assistance for in-scope applications at Tier 3 and escalate to Tier 4 as required.
The Contractor shall update and verify that all records (e.g., inventory, asset, and configuration management records) are updated to reflect completed/resolved incident.
The Contractor shall document solutions to resolved incidents in central knowledge database and accurately update all information pertinent to trouble tickets including general verbiage, codes, etc.
The Contractor shall notify designated DOT personnel of all Severity 1 and Severity 2 level incidents per agreed upon incident management procedures and timeline.
The Contractor shall maintain current and historical records of all calls and the resolution of those calls for the life of the task order and provide reporting and trend data.
The Contractor shall document and implement an end-to-end incident identification, escalation, resolution management and closure process including those incidents escalated to third parties for resolution.
The Contractor shall identify and provide initial determination whether an incident should be classified as a problem (e.g., whether preventive action may be necessary to avoid incident recurrence) and, in conjunction with the appropriate problem management group, raise a problem record to initiate action.
The Contractor shall track ongoing status of any incident records to ensure that identified problems are addressed and resolved.
The Contractor shall conduct incident review sessions and provide listing and status of same categorized by incident severity impact.
The Contractor shall conduct follow-up with application owners who reported incidents to verify that the incident was resolved to the owner’s satisfaction.
The Contractor shall close out incidents that were resolved satisfactorily.
The Contractor shall report status and resolution of incidents monthly.
The Contractor shall flag all incidents that require root cause analysis (i.e., Severity 1 and Severity 2 incidents) per the agreed upon procedures.

SUB-TASK 1.13: PROBLEM MANAGEMENT
The Contractor shall develop, document, update (where appropriate) and execute problem management processes that meet DOT requirements and adhere to defined DOT policies.
The Contractor shall develop and implement appropriate procedures and methodologies that support DOT-approved problem management and root cause analysis requirements in a manner that complies with DOT requirements.
The Contractor shall use a GFE problem management knowledgebase where information about problems, root cause, known errors, workarounds, and problem resolution actions are recorded and tracked.
The Contractor shall ensure that recurring problems that meet defined criteria related to the Contractor’s service responsibility area are reviewed using root cause analysis processes.
The Contractor shall conduct proactive trend analysis, on a continuous basis, of incidents and problems to identify recurring situations that are or may be indicative of future problems and points of failure.
The Contractor shall develop and recommend corrective actions or solutions to address recurring incidents and problems or failures, as well as mitigation strategies and actions to take to avert potential problems identified through trend analysis.
The Contractor shall document and update problem management knowledgebase with information regarding problem resolution actions, activities, and status (e.g., root cause, known errors, workarounds, etc.).
The Contractor shall coordinate with DOT and third party Contractors to ensure that knowledge on problems related to other service areas is captured and entered into a centralized problem management knowledgebase.
The Contractor shall provide status reports detailing the root cause of and procedure for correcting recurring problems and Severity 1 and Severity 2 incidents until closure, as determined by DOT.
The Contractor shall conduct problem management review meetings and provide listing and status of same categorized by problem impact.
The Contractor shall periodically review the state of open incidents and related problems, and the progress being made in addressing these problems.
The Contractor shall create request for change (RFC) documentation with recommended corrective actions to be taken to resolve a problem and submit to change management for review and approval.
The Contractor shall provide problem management reporting.

SUB-TASK 1.14: ADMINISTRATIVE SUPPORT
The Contractor shall provide administrative support for infrastructure operations including order processing, change management support, customer support, and documentation (e.g., meeting minutes).
The Contractor shall process orders, provision customers, and produce reports and monthly workload billings in alignment with the ordering database.
The Contractor shall support ITSS in preparation for monthly Change Control Board (CCB) meetings, and provide a report on issues requiring the Contractor and ITSS personnel resolution.
The Contractor shall log all requests related to providing customer support services into the DOT SMS.
The Contractor shall use electronic resources compatible with current or future ITSS requirements and standards, such as the GFE SMS, to store, maintain and secure all deliverable documents and any other documentation generated under the contract.
The Contractor shall maintain complete files in chronological order by subject including, but not limited to, all referenced attachments, enclosures and/or exhibits.
The Contractor shall cooperate with any Freedom of Information Act (FOIA) requests and other legal requests for data pursuant to DOT or other legal investigation.
The Contractor shall prepare and deliver Meeting Minutes for every meeting attended by a Government representative if requested by a Government representative; meeting minutes shall be delivered on the following business day by close of business.

SUB-TASK 1.15: TRANSITION IN
The Contractor shall provide a Revision to the Transition Plan submitted as part of the Contractor’s proposal, to the COR for approval within fifteen (15) business days of award.
The Transition Plan shall include milestones and when properly trained, qualified, and certified personnel will accomplish full assumption of all requirements identified in the contract by the completion of the Transition period. The Transition Plan shall include start up, mobilization schedule, and Transition depicting the chronological sequence of events, which the Contractor shall accomplish beginning on contract start date.
The Contractor shall incorporate termination dates of existing Contractor performance periods and DOT planned major project dates into the Transition plan.
The Contractor shall demonstrate the ability to quickly staff the requirement to meet the Transition schedules dictated by the expiring contract(s).
The Contractor shall demonstrate the ability to ensure proposed personnel are vetted to guarantee they meet DOT suitability and security clearance process thus aiding in a more expedient process.
The Contractor shall perform analyses and planning to develop the plans for Transitioning DOT services and sites to their operations.
Starting the first day of the Transition period, the Contractor shall ensure necessary personnel actions, appropriate training, (including, but not limited to, any required certifications), as well as non-personnel considerations such as materials and supplies, equipment, facilities, sub-contracts, leases, environmental issues, safety and security, etc. are accomplished in accordance with the accepted Transition plan.
The Contractor shall perform relocations of equipment, as necessary, as directed by the COR.
The Contractor shall fulfill the requirements of this PWS within the time period designated in the Task Order.
During this timeframe, the Contractor shall implement their proposed implementation strategy and perform critical tasks to expediently obtain employee security clearances; recruit and staff required positions; establish management processes and controls; and other tasks the Contractor deems necessary to initiate pre-Transition and Transition tasks within the specified time listed in the Task Order.
The Contractor shall accept Assumption of Responsibility in accordance with their Government-approved Transition Plan.

SUB-TASK 1.16: TRANSITION OUT
At the Transition Out of the contract, the Contractor and Government shall conduct a joint application inventory assessment to ensure a full accounting. The Contractor shall permit the successor Contractor (and the successor Contractor’s employees) to observe and become familiar with any and all operations specified in the contract for a COR specified timeframe, prior to the expiration or termination of the contract.
The Contractor shall provide complete electronic copies (updating where existing) of completely updated operations manuals and plans under this contract to include but not limited to standards, policies, processes, diagrams and workflows, and all other required documents.
The Contractor shall maintain full operational status of systems and equipment, and continue all current work in progress until the successor Contractor assumes full operational responsibility.
The Contractor shall not destroy, delete, or otherwise dispose of any files or data upon expiration or termination of the contract, without prior permission from the COR.
The Contractor shall fully cooperate with the successor Contractor and the Government so as not to interfere with their work or duties.
The Contractor shall deliver current, operational copies of all application components and libraries, as requested by the Government, and provide code for all interfaces to all systems for which they are responsible.
The Government will own all enhancements or improvements made to Government systems by the Contractor over the course of this contract.
The Contractor shall not claim or mark any such program or enhancement as copyrighted by or for any vendor.
The Contractor shall provide a Transition Out Plan that thoroughly delineates the steps to be taken to transfer all work under this contract to DOT, or to follow on Contractors as Transition Out and effectively manage the execution of all Transition activities accordingly. The Transition Out Plan shall encompass the following:
The Transition approach, strategy, and options for moving out of current contract functional area(s) production/operations;
Resources shall be identified to include, but not be limited to: hardware, software, facilities, personnel, and other special resources (e.g., service and maintenance contracts);
A description of how stakeholder/customers will be involved in or informed about the Transition Out implementation activities, and if the customer may be needed to participate at some level;
Risk probability, impact of occurrence, and time frame of occurrence shall be evaluated and described.
Qualitative and quantitative methods should be used as appropriate to measure the nature of the risk;Any conversion details, sequencing, Transition of production environment, and maintenance of infrastructures and equipment shall be included to discuss the level of work which is to be performed during the Transition period and the impact of the Transition on that work (i.e. system maintenance, software development, support services, etc.);Product or system documentation and how information is stored and accessed shall be included, with descriptions of material that will be produced during the continuity of operations and Transition activities and details on where documentation is stored, how it is accessed, and what will be Transitioned;A description and reconciliation of GFE, all of which shall be returned to DOT during a Transition out;Intellectual property shall be handled as part of the Transition process. Intellectual property may include, but not be limited to, various documentation, supplier and subcontractor information, service agreements, or original designs or plans; completion of NDAs between the incumbent and DOT; and any intellectual property transferred, sold, or retained by the incumbent Contractor depending on the contractual agreements in place. Intellectual property that is a direct result of work on the contract deliverables will be Transitioned to the new Contractor in order to ensure the successful completion of the project. The contract pricing takes intellectual property into consideration and as such, any resulting intellectual property will be owned by DOT;How knowledge will be transferred from the incumbent staff to the staff of the new Contractor (e.g., documentation/instruction manuals including, but not limited to, as-built documents, formal training classes, one-on-one training/knowledge transfer, etc. 
shall be included to ensure continuity for the contract); and
Reporting and communication procedures for the Transition period (before, during, and after) shall be included, and identify the type of evaluations (review, audit, or test) as well as anomalies that are identified during the performance of these evaluations.

The Contractor shall meet with DOT representatives to determine how the Transition will take place, develop schedules, and collaborate on execution of the Transition out requirements.

The Contractor shall manage all Transition Out activities in accordance with the approved Transition Out Plan, ensure all milestones are completed effectively, and ensure timely and seamless phase out for closure of the contract.

The Contractor shall support a seamless and orderly phase-out Transition at the expiration of this contract.

The Contractor shall participate in Transition Out meetings.

The Contractor shall conduct and coordinate all on-boarding or shut down activities with the Government including, but not limited to obtaining or returning secure badging for team personnel.

The Contractor shall transfer all related support (functional and technical) documentation and records in ITSS specified electronic format.

The Contractor shall make staff identified as key personnel available to work with Subject Matter Experts from the Government and the incumbent Contractor immediately after successor contract award.

Task 2: Endpoint Engineering

SUB-TASK 2.1: ENDPOINT ENGINEERING PLANNING AND ANALYSIS

The Contractor shall provide endpoint engineering support. For purposes of this PWS, an “endpoint device” is defined as an Internet-capable computer hardware device operated by a user that is connected (via cable or wireless connection) to a Local Area Network (LAN) or Wide Area Network (WAN) and accepts communications back and forth across the network.
Endpoint devices include, but are not limited to, desktop computers, laptop computers, thin client computers, and mobile devices (e.g., mobile phone, tablet, wearable). NOTE: The current DOT Endpoint Environment is described in Attachment J (Endpoint Environment Description).

The Contractor shall conduct endpoint engineering planning resulting in a documented technical plan describing what must be accomplished, how endpoint engineering will be done, how the effort will be scheduled, what resources are needed, and how the endpoint engineering effort will be monitored and controlled.

The Contractor shall develop new, or update and enhance existing, Engineering Design and Development Standard Operating Procedures (SOPs).

The Contractor shall perform endpoint engineering technical planning and analysis based on DOT and ITSS requirements.

The Contractor shall provide recommendations for new or enhanced endpoint solutions based on market research and planning and analysis results.

The Contractor shall participate in technical and business planning sessions to establish standards, architecture, and project initiatives.

The Contractor shall perform project management functions for endpoint engineering projects in alignment with the DOT frameworks and methodology, and shall prepare and deliver appropriate documentation as required.

The Contractor shall conduct regular planning for technology refreshes and upgrades per DOT ITSS refresh requirements and schedules.

The Contractor shall conduct monthly technical reviews with ITSS government staff and provide recommendations to improve effectiveness, increase efficiency, and reduce costs based on the planning and analysis results.

The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.
SUB-TASK 2.2: ENDPOINT ENGINEERING REQUIREMENTS DEFINITION AND DOCUMENTATION

Endpoint Engineering Requirements Definition and Documentation are the activities and tasks to elicit, collect, analyze, document, approve, and control requirements for endpoint solutions. The Contractor shall facilitate the process to define endpoint solution requirements and standards.

The Contractor shall participate in appropriate endpoint solution requirements-gathering activities (e.g., focus groups, interviews).

The Contractor shall document endpoint solution requirements (e.g., system requirements specifications, data models, upgrade requirements) in agreed-to formats. The Contractor shall ensure endpoint solution requirements meet Federal and DOT IT security and Information Assurance policies.

The Contractor shall define endpoint solution acceptance test criteria.

The Contractor shall deliver documented requirements and acceptance test criteria per approved requirements standards.

SUB-TASK 2.3: ENDPOINT IMAGE BUILD SUPPORT

Endpoint Image Build Support includes the activities associated with building endpoint software images. The Contractor shall build and maintain a master endpoint image as well as unique endpoint images for other DOT organizations as required. Endpoint image core software is defined as the suite of software programs used to build a DOT-defined standard endpoint image for a supported device (e.g., operating system or O/S, software, office productivity and messaging software, security tools, and remote connectivity software).
NOTE: The DOT master endpoint image build is provided in Attachment J.

The Contractor shall develop and document new, or update and enhance existing, endpoint image build procedures that meet DOT requirements and adhere to defined policies.

The Contractor shall provide technical assistance to DOT in defining endpoint image package specifications for desktops, laptops, mobile devices, servers, and ITSS supported endpoint devices.

For all approved endpoint image builds, the Contractor shall deliver a project plan of activities, milestones and timelines for project completion.

The Contractor shall build a master endpoint image, as well as an endpoint image build for each DOT Operating Administration, and shall maintain the images consistent with DOT licensing and security standards.

The Contractor shall maintain a list of security patches / upgrades for the master endpoint image and DOT Operating Administration images and ensure image patches and upgrades do not have a negative effect on users.

The Contractor shall prepare for, conduct, and document results from integration, system, and end user testing of endpoint image builds to validate that they perform in accordance with the approved specifications, that they can be deployed successfully, and that they successfully operate with all current supported applications, hardware, and software.

For image builds leveraging the current operating system, the Contractor shall complete the image build and testing within twenty business days of Contractor receipt of endpoint image requirements.
Upon completion of endpoint image testing, the Contractor shall notify the EITSS Program that the image is available for independent testing (and independent testing will be completed within 5 business days of notification).

For image builds leveraging the current operating system, the Contractor shall address any issues identified by the independent testing team (overseen by the EITSS Program) and deliver a final image build not later than thirty business days of Contractor receipt of image requirements.

The Contractor shall use government-provided utilities and tools to build and maintain endpoint images that comply with image build policies and procedures.

The Contractor shall document and manage endpoint builds using formal project management tools, methodologies, and standards (e.g., ITIL change and configuration management practices).

If maintenance service is withdrawn from a product by the software vendor, the Contractor shall assess and recommend a suitable upgrade or replacement for consideration not less than 90 calendar days in advance of the service end-of-life date.

The Contractor shall work with the Government to document and communicate the effect and impact of system software changes.

The Contractor shall provide Tier 3 engineering support for endpoint images in coordination with the ITSS Service Desk, using the ITSS ticketing system and standard escalation procedures. The Contractor shall report on Tier 3 support monthly.

The Contractor shall permit and support third-party audits (e.g., technical, management, testing, and security) and independent testing of engineered solutions approved by DOT authorized/designated personnel.

The Contractor shall certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC) and US Government Configuration Baseline (USGCB).
The standard installation, operation, maintenance, updates, and/or patching of software shall not alter the configuration settings from the approved FDCC/USGCB configuration. Offerings that require installation should follow OMB Memorandum 07-18. The Contractor shall run in the standard user context without elevated system administration privileges. The Contractor shall use Security Content Automation Protocol (SCAP) validated tools with FDCC/USGCB Scanner capability to certify their products operate correctly with FDCC/USGCB configurations and do not alter FDCC/USGCB settings.

The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.

SUB-TASK 2.4: ENDPOINT PATCH MANAGEMENT

The Contractor shall provide Endpoint Patch Management support to create a consistently configured endpoint environment that is secure against known vulnerabilities in endpoint operating systems and software for all ITSS supported endpoints.

The Contractor shall develop a new, or update and enhance the existing, endpoint patch cycle process to guide the normal application of patches and updates to all ITSS supported endpoint devices and to facilitate the application of standard patch releases and updates.

The Contractor shall collect and review information regarding both endpoint security issues and patch releases to identify endpoint security issues and software updates that are relevant to the supported ITSS endpoint environment.

The Contractor shall alert ITSS management and, upon DOT direction, end users of endpoint security issues or updates to the endpoint applications and systems in use.

The Contractor shall update the configuration management database as part of the endpoint patch management process.

The Contractor shall establish relationships with the key endpoint operating system, network device, and application vendors to facilitate the timely release and distribution of information on endpoint
product security issues and patches.

The Contractor shall actively monitor software releases of new patches or upgrades from original equipment manufacturers and notify the COR within 48 hours of release.

The Contractor shall determine whether the newly released patch or upgrade is necessary, obtain DOT approval and direction on release, and test prior to release unless otherwise directed. The Contractor shall consider vendor-reported criticality (e.g., high, medium, low) and the existence of a known exploit or other malicious code in recommending timing of endpoint patch releases. At the direction of the government, the Contractor shall support immediate deployment of emergency patches for all ITSS supported endpoint devices relative to the mitigation of security weaknesses.

The Contractor shall prepare for, conduct, and document results from patch testing to validate that they perform in accordance with the approved specifications, that they can be deployed successfully, and that they successfully operate with all current supported applications, hardware, and software.

The Contractor shall complete testing and support deployment of critical endpoint security patches for all ITSS supported endpoint devices at the earliest feasible point but not later than 7 business days of release from the manufacturer. This timeline assumes not more than 3 business days for independent testing by the EITSS Program Management and Task Order Integration independent testing team following completion of Engineering Contractor testing but prior to deployment. The government may make an exception to this timeframe for zero-day patches, which generally shall be deployed within 48 hours of release unless otherwise specified by the government.

The Contractor shall deploy critical functional patches for all ITSS supported endpoint devices, as determined by ITSS, not later than 15 business days of release from the manufacturer.
This deadline assumes not more than 5 business days for independent testing by the third-party EITSS Program Management and Task Order Integration independent testing team following completion of Engineering Contractor testing but prior to deployment.

The Contractor shall deploy general functionality patches and updates for all ITSS supported endpoint devices not later than 20 business days of release from the manufacturer. This deadline assumes not more than 5 business days for independent testing by a third-party contractor following completion of Engineering Contractor testing but prior to deployment.

The Contractor shall deploy infrastructure-related patches approved for use in the environment for all ITSS supported endpoint devices and ensure relevant software is maintained at no less than N-1 versions (where “N” is the current commercial standard major version).

Upon completion of successful patch testing, the Contractor shall notify the ITSS EITSS Program Office that the patch is available for independent testing by the third-party contractor.

The Contractor shall deliver an enterprise Patch Report for all ITSS supported endpoint devices monthly not later than 5 business days following the end of each month identifying the status of patches.

The Contractor shall deliver a monthly report for distribution to ITSS Government leadership, the OCIO CISO and DOT Modal Organization providing situational awareness on the status of Patch Management, Vulnerability Management; Anti-Virus; Configuration Compliance (including White List / Exceptions and Waivers) for all endpoints.
The Contractor shall deliver reports customized to ITSS Government leadership, the OCIO CISO and each Modal Organization individually.

The Contractor shall execute the endpoint patch management process for all ITSS supported endpoint devices from the receipt of the endpoint software updates through acceptance testing and production deployment.

The Contractor shall conduct endpoint patch testing for all ITSS supported endpoint devices in the test environment (see Task 3 (Engineering Test Lab) of this PWS) which mirrors the production environment as closely as possible.

The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.

SUB-TASK 2.5: ENDPOINT RESEARCH AND TECHNOLOGY INNOVATION

To ensure that ITSS is taking advantage of the latest endpoint-related technology, products, solutions, services, trends, and innovations, the Contractor should proactively monitor industry and government trends and conduct independent research on potential use in alignment with relevant DOT business and technology strategies.

The Contractor’s Endpoint Research and Technology Innovation support shall focus on identifying clear and measurable improvements to the performance of installed endpoint solutions. In addition, the Contractor shall identify opportunities for potential cost savings.

The Contractor shall provide a written report accompanied with recommendations analyzing relevant endpoint engineering and solution topics that assess their potential for meeting ITSS and DOT standards and business needs, security requirements, alternative technical solutions, emerging technologies and innovations, and potential and feasibility for augmenting and/or replacing existing endpoint capabilities.

The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.
Task 3: Infrastructure Engineering

SUB-TASK 3.1: GENERAL INFRASTRUCTURE ENGINEERING REQUIREMENTS

The Contractor shall provide infrastructure engineering support to ensure that the IT infrastructure is sufficiently robust, scalable, and efficient to deliver the integrated services underlying the physical environment that supports the processes, physical resources, and operators required for developing and integrating IT applications and support services.

The Contractor shall provide infrastructure engineering to include the design and development; integration and testing; and migration / deployment support functions for new and existing ITSS-managed infrastructure solutions.

The Contractor shall provide infrastructure engineering support to further refine and improve on the solution as technology, business needs, and the DOT IT infrastructure mission evolve.

The Contractor shall use an engineering development lifecycle methodology consistent with the ITIL framework to support projects initiated by DOT. This includes supporting the design, documentation, and implementation of infrastructure upgrades and improvements.

The Contractor shall provide project-management support for infrastructure engineering projects, in addition to the technical resources to assist with the design, documentation, and implementation work.
All infrastructure engineering projects supported by the Contractor shall follow the DOT best practice frameworks and methodologies.

The Contractor shall support infrastructure engineering projects that may consist of the building and deployment of new networks and infrastructure components (to include security features) as well as the removal of existing network features and infrastructure components.

For all approved infrastructure engineering projects, the Contractor shall deliver a project plan of activities, milestones and timelines for project completion.

The Contractor shall engineer and build solutions for deployments, and engineering project management support for deployments, of new facilities and upgrades of existing facilities throughout the DOT.

The Contractor shall conduct technology refreshment projects in accordance with DOT guidance and upon approval of the COR.

The Contractor shall provide Infrastructure Engineering Tier 3 support in coordination with the ITSS Service Desk (and using the ITSS ticketing system and standard escalation procedures) to resolve network outages to include logging and reporting each user trouble call, regularly providing customers with status updates, and successfully closing out incidents on a priority ranking basis. This includes monitoring the infrastructure ticketing queues and troubleshooting and resolving infrastructure-related service requests, incidents, and problems. The Contractor shall report on Tier 3 support monthly.

The Contractor shall recommend new products and technology for supporting all layers of the IT infrastructure architecture.

The Contractor shall test and certify hardware and software changes before release into production.

The Contractor shall permit and support third-party audits (e.g., technical, management, testing, and security) and independent testing of engineered solutions approved by DOT authorized/designated personnel.
The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.

SUB-TASK 3.2: NETWORK ENGINEERING

The Contractor shall provide network engineering services to support the electronic transport of data across the ITSS-managed infrastructure and/or external third parties.

Contractor supported network engineering services include the planning, design, and development/integration aspects of networked systems used for the transmission of information in voice, data, and/or video formats. This includes engineering support for the following ITSS-managed network components: Data Network; Remote Access; Voice Services; Security Services, New Site Installation Services, 3rd Party Network Access Services, Wireless Access Services, and Mobility VPN Access Services. NOTE: A description of the current Network Environment is provided in Attachment J.

In conducting Network Engineering Planning, the Contractor shall:
Develop (or update existing) and deliver network architecture documentation.
Develop and deliver a network asset refresh plan.
Submit capacity and trending analysis for network infrastructure.
Develop and submit impact analyses and associated plans.
Develop and submit plans for site additions or deletions upon COR request.

In conducting Network Engineering Design and Implementation, the Contractor shall:
Design and support the implementation of the network architecture based on approved documentation.
Design, configure, and support the deployment of network assets based on the approved refresh plan; deliver monthly status report.
Design and support the implementation of changes to the network infrastructure based on the results of the capacity and trending analysis.
Design and support the implementation of changes to the network infrastructure based on impact analyses and associated plans.
Design and support the implementation of approved recommendations on maintaining the network cable plant
to industry standard.
Support the implementation of network cable plant standards.
Design and support the implementation of network devices to meet DOT availability requirements.
Design and implement Site additions or deletions.

SUB-TASK 3.3: SECURITY ENGINEERING SUPPORT

The Contractor shall support the engineering of the Security Services component within Infrastructure Engineering. The Security Services component applies to hardware, software and services provided to maintain network security. This includes: protection from unauthorized devices, software or users; protection from unauthorized access to, or use of, the network and networked assets; firewall services; intrusion detection and reporting; security monitoring; security architecture services; data protection; and prevention of malicious code entry into the network. The Contractor shall provide security engineering support in accordance with Federal and DOT security mandates, policies, standards, and procedures. NOTE: A description of the current Security Environment and Assets is provided in Attachment J.
The Contractor shall provide security engineering support to develop and maintain a flexible security architecture; provide protection from unauthorized use of, or access to, the ITSS-managed network and networked assets; and protect all data residing on the network from intrusion, destruction, or compromise.

In conducting Security Engineering Planning, the Contractor shall:
Assess the current security architecture and deliver improvement recommendations.
Develop and deliver plans that improve security to physical and logical devices connected to the network.
Develop and deliver recommendations for security assets refresh or upgrade on an annual basis.
Develop and deliver recommendations for improved network security.
Develop and deliver recommendations for policies to improve security vulnerability and penetration testing.
Develop and deliver plans for Security Services asset updates or patches.

In conducting Security Engineering Design and Implementation, the Contractor shall:
Design, test, and support implementation of the approved Security architecture improvements.
Design and support implementation of monitoring and managing access plans as approved.
Design, test, and support implementation of plans to secure network attached devices.
Design, test, and support implementation of approved firewall policies.
Design, test, and support implementation and reporting on Security Services assets refresh or upgrade; deliver a monthly status report.
Design and support implementation of approved recommendations for improving network security.
Design and support implementation of approved policies for security vulnerability and penetration testing.
Design, test, and support implementation of updates or patches approved for Security Services assets. For this, the Contractor shall adhere to the requirements and timelines in Section 7.3.7 (Infrastructure Patch Management).
Design, test, implementation, and support of all Continuous Diagnostic Monitoring (CDM) tools and technologies.
The CDM program includes the federally mandated implementation of specific security tools which will be installed over the next year.

SUB-TASK 3.4: SITE ENGINEERING SERVICES FOR NEW SITES OR SITE UPGRADES

The Contractor shall provide engineering services for any field or data center site moves, additions, or upgrades. Services provided within this include, but are not limited to planning and supporting the installation of network equipment, voice and data network cable plant, WAN circuit(s), and all planning and engineering required to ensure site functionality.

The Contractor shall conduct site surveys to provide written plans to include identifying the new / upgraded site layout, space considerations, and structural considerations. The Contractor shall provide site engineering support that establishes and maintains a predictable cost and methodology to install a new / upgraded networked ITSS-supported DOT location and results in the installation of sufficient data and voice ports that meet standards for network cable plant and match the number of projected users for the site.

In conducting New / Upgraded Site Installation Engineering Planning, the Contractor shall:
Develop (or update and improve existing) and deliver standard procedures for New / Upgraded Site Installations.
For all approved New / Upgrade Site Installation projects, the Contractor shall deliver a project plan of activities, milestones, and timelines for project completion.

In conducting New Site Installation Engineering Design and Implementation, the Contractor shall:
Support implementation of ITSS-approved policies and procedures for New / Upgraded Site Installation.
Design and support implementation of approved New / Upgraded Site Installation plans.

SUB-TASK 3.5: BACKUP AND STORAGE ENGINEERING SUPPORT

The Contractor shall support the Backup and Storage engineering component within Infrastructure Engineering.
The Backup and Storage engineering component applies to Attached Storage (all storage used to store end user data that is directly attached to a physical application server) and Shared Storage (a centralized and consolidated storage environment for end user data and includes Storage Area Network (SAN), and Network Attached Storage (NAS)).

The Contractor shall provide backup and storage engineering support for the Shared Storage Services infrastructure as a centralized, integrated, tiered repository for ITSS-supported DOT user data. The purpose of the Shared Storage Services infrastructure is the elimination of storage underutilization, avoidance of “islands of storage,” a decrease in overall recovery time and efficiency of storage administration and management (including management of storage capacity). NOTE: A description of the current Storage Environment is provided in Attachment J. The Contractor shall support the refresh of the backup and storage assets based on ITSS’s standard refresh cycle.

In conducting Backup and Storage Engineering Planning, the Contractor shall:
Develop and deliver recommendations on the Backup and Storage Architecture.
Develop and deliver plans on shared storage consolidation and Application Server migration to Shared Storage environment on a quarterly and on demand basis.
Develop and deliver a Backup and Storage Services refresh plan on an annual and on demand basis as requested by the Government.
Develop and deliver plans for meeting ITSS-managed Backup and Storage demands.
Develop and deliver plans to add additional Shared Storage.

In conducting Backup and Storage Engineering Design and Implementation, the Contractor shall:
Design, test, and support implementation of approved updates to the Backup and Storage Services architecture.
Design and support implementation of backup and storage consolidation based on approved recommendations.
Support the deployment, management, communication, and reporting on activities related to Storage Services
asset refresh; deliver monthly status report.
Design and support the implementation of Backup and Storage provisioning and allocation processes based on approved policies.
Follow all Federal and DOT laws, regulations, mandates, and guidelines, policies, procedures, and security requirements to ensure that data is backed up and stored securely.

SUB-TASK 3.6: INFRASTRUCTURE PATCH MANAGEMENT

The Contractor shall provide Infrastructure Patch Management support to create a consistently configured infrastructure environment that is secure against known infrastructure vulnerabilities.

The Contractor shall develop (or review and update the existing) infrastructure patch cycle process to guide the normal application of patches and updates to infrastructure equipment and to facilitate the application of standard patch releases and updates.

The Contractor shall collect and review information regarding both infrastructure security issues and patch releases to identify relevant infrastructure security issues and software updates relevant to the deployed DOT endpoint environment.

The Contractor shall alert ITSS management and, upon DOT direction, end users of infrastructure security issues or updates to the endpoint applications and systems in use.

The Contractor shall update the configuration management database as part of the infrastructure patch management process.

The Contractor shall establish relationships with the key operating system, network device, and application vendors to facilitate the timely release and distribution of information on infrastructure product security issues and patches.

The Contractor shall actively monitor the release of new patches or upgrades from original equipment manufacturers and notify DOT personnel within 48 hours of release.

The Contractor shall determine whether the patch or upgrade is necessary, obtain DOT approval and direction on release, and test prior to release unless otherwise directed.
The Contractor shall consider vendor-reported criticality (e.g., high, medium, low) and the existence of a known exploit or other malicious code in recommending timing of infrastructure patch releases.

The Contractor shall complete testing and deployment of critical infrastructure security patches at the earliest feasible point but not later than 7 business days of release from the manufacturer. This timeline assumes not more than 3 business days for independent testing by the EITSS Program Management and Task Order Integration independent testing team following completion of Engineering Contractor testing but prior to deployment. The government may make an exception to this timeframe for zero-day patches, which generally shall be deployed within 48 hours of release unless otherwise specified by the government.

The Contractor shall deploy critical functional patches not later than 15 business days of release from the manufacturer. This deadline assumes not more than 5 business days for independent testing by the EITSS Program Management and Task Order Integration independent testing team following completion of Engineering Contractor testing but prior to deployment.

The Contractor shall deploy general functionality patches and updates not later than 20 business days of release from the manufacturer.
This deadline assumes not more than 5 business days for independent testing by a third-party contractor following completion of Engineering Contractor testing but prior to deployment.

The Contractor shall deploy patches to applications in the image or approved for use in the environment, ensuring all image software is maintained at no less than N-1 versions (where “N” is the current commercial standard major version).

Upon completion of successful patch testing, the Contractor shall notify the ITSS EITSS Program Office that the patch is available for independent testing by the third-party contractor.

The Contractor shall deliver a Patch Report monthly not later than 5 business days following the end of each month identifying the status of patches. The Patch Report shall include a breakout of infrastructure equipment patch status by DOT Operating Administration as applicable.

The Contractor shall execute the infrastructure patch management process from the acquisition of the patch updates through acceptance testing and production deployment.

The Contractor shall conduct infrastructure patch testing in the ITSS test environment (see Task 5 (Engineering Test Lab) of this PWS) which mirrors the production environment as closely as possible.

SUB-TASK 3.7: INFRASTRUCTURE RESEARCH AND TECHNOLOGY INNOVATION

To ensure that ITSS is taking advantage of the latest infrastructure-related technology, products, solutions, services, trends, and innovations, the Contractor should proactively monitor industry and government trends and conduct independent research on potential use in alignment with relevant DOT business and technology strategies.

The Contractor’s Infrastructure Research and Technology Innovation support shall focus on identifying potential solutions providing clear and measurable improvements to the performance of the ITSS-managed infrastructure.

The Contractor’s Infrastructure Research and Technology Innovation support shall focus on identifying potential cost savings for
ITSS-managed infrastructure.

The Contractor shall provide a written report accompanied with recommendations analyzing relevant infrastructure solution topics that assess their potential for meeting ITSS and DOT standards and business needs, alternative technical solutions, emerging technologies and innovations, potential cost savings, and potential and feasibility for augmenting and/or replacing existing infrastructure capabilities.

SUB-TASK 3.8: EMAIL ENGINEERING

The Contractor shall provide Email Engineering support through an integrated set of methodologies and products to enhance the operations of hardware, software, and cloud hosted systems to include the collection and analysis of the email systems information, diagnosis of problems, and development of recommendations to resolve problems.

In providing general Email Engineering support, the Contractor shall:
Establish (or update existing) and maintain Email systems and software configuration baseline data and documentation.
Conduct redesign activities that modify functionality and/or produce technical improvements to enhance software and security.
Monitor system execution and performance; track and report change requests and discrepancy reports; perform problem analysis and resolution; and provide technical assistance to the end-user.
Perform system and software conversion activities that include the transition of existing applications from one environment to another.
Perform production control activities such as the support of cyclical changes to operational workloads, compression, data restores, reorganization of files, recovery of systems, production of reports, download/upload of information, and setup and verification of fields and programs for the execution of production runs.
Support the development and maintenance of a Disaster Recovery (DR) Plan to meet DOT IT Service Continuity and Disaster Recovery requirements.
Support the execution of disaster recovery procedures in accordance with the DR Plan.
Develop
user-friendly interfaces between different automation functions and upload/download capabilities.
Develop and, upon government approval, implement an audit strategy to ensure the integrity and confidentiality of data.

In support of Email System Procedures and Standards, the Contractor shall establish (or update existing) procedures and standards using all applicable standards and procedures as required by the Federal Information Processing Standards, DOT requirements, other standards, and the DOT standards and policies.

In support of Email System Deployment and Testing, the Contractor shall translate the Email system specifications and detailed design documentation into system components, code, or both.

In support of Email Systems Integration, the Contractor shall support analysis of the distribution of functionality across systems, development of system interface concepts, designs and specifications, and the development of specifications and standards for information transfer between systems.

In support of Email COTS Integration, the Contractor shall support implementing Email COTS solutions to include: the configuration of COTS database tables, parameters, and interfaces, as well as the design, development and test of reports, interfaces, conversions, extensions and forms.

In support of Email Interoperability Testing, the Contractor shall conduct testing to ensure interoperability with existing DOT systems, to include: access to existing servers, compatibility with operating systems, COTS software and client organization applications, and communications and telecommunications systems.

In support of Email Systems Documentation, the Contractor shall maintain current supporting Email documentation, including manuals for operations, system maintenance, user and training, and plans (e.g., system integration and site implementation). The documentation shall be dynamic to be modified to take advantage of new methodologies, techniques and tools.
The documentation shall follow the latest approved standards for the system.

In support of Email Configuration Management, the Contractor shall provide System Engineering, which may include implementation of new application systems, and maintenance and/or enhancement of existing applications to support the Email solution. The Contractor shall support the Email configuration management activities throughout the life-cycle.

Contractor supported Email Configuration Management responsibilities shall include the review of all software, hardware, network, and application changes to identify potential issues, conflicts or problems relating to the proposed changes or the timing of the changes. Changes shall include: installation of new products and components; new versions; upgrades; engineering changes; new agency-developed applications and modifications to agency applications; and development and implementation of a Configuration Management database and associated plans.

In support of Email Technical Refreshment, the Contractor shall identify aging technology or the technology at risk of becoming obsolete during the lifecycle of a program, and identify technology refreshment activities required to prevent the decay of the Information Technology infrastructure on which programs are dependent. This shall include the identification of specific targets of possible aging technology and recommendation of specific technology to replace it. The Contractor shall deliver technical refreshment recommendations to include specific timelines and milestones, cost/benefit scenarios, and detailed replacement procedures.
Upon government approval, the Contractor shall support the configuration, installation and operation of the recommended technology as deemed necessary by the government to refresh the aging technology.

In support of Email Technology Infusions, the Contractor shall evaluate the ITSS’s operational use of Email IT and identify general and specific areas where current, upcoming or state-of-the-art technology would enhance the organization’s operation. This shall include identification of the operational components evaluated, specific descriptions of the enhancements possible if the recommended technology were infused into the organization, and specific description of the technology available to realize the enhanced capability.

For all approved Email projects, the Contractor shall deliver a project plan of activities, milestones, and timelines for project completion.

Upon government approval of the project plan, the Contractor shall execute the project to include the configuration, installation, and operation of the recommended technology as deemed required by the government.

The Contractor shall ensure all Email Engineering deliverables, documentation, and artifacts adhere to the DOT policies, processes, and templates.

The Contractor shall provide Email Engineering Tier 3 support in coordination with the ITSS Service Desk (and using the ITSS ticketing system and standard escalation procedures) to resolve network outages to include logging and reporting each user trouble call, regularly providing customers with status updates, and successfully closing out incidents on a priority ranking basis. This includes monitoring the infrastructure ticketing queues and troubleshooting and resolving infrastructure-related service requests, incidents, and problems.
The Contractor shall report on Tier 3 support monthly.

SUB-TASK 3.9: COMMUNICATIONS AND USER COLLABORATION ENGINEERING

The Contractor shall provide ongoing engineering and operational support for the DOT and ITSS Communication and Collaboration tools, which include but are not limited to, software that allows for Voice and Video sharing, Web Conferencing, Video Teleconferencing (VTC), Instant Messaging & Presence, and content collaboration platforms (e.g. SharePoint, Microsoft Dynamics, etc.).

The Contractor shall support the planning and refresh of Communication and Collaboration assets based on ITSS’s standard refresh cycle.

The Contractor shall develop and deliver recommendations for improving the current communications and user collaboration architecture and technology solutions that best meet DOT and ITSS business requirements.

In conducting communications and user collaboration Engineering Design and Implementation, the Contractor shall:
Design, develop, test, and support implementation of approved changes to the communications and user collaboration architecture and technology.
Support the deployment, management, communication, and reporting on activities related to communications and user collaboration refresh.
Provide communications and user collaboration Tier 3 support in coordination with the ITSS Service Desk (and using the ITSS ticketing system and standard escalation procedures) to resolve relevant incidents and problems to include logging and reporting each user trouble call, regularly providing customers with status updates, and successfully closing out incidents on a priority ranking basis. This shall include monitoring the relevant ticketing queues and troubleshooting and resolving communications and user collaboration related service requests, incidents, and problems.
The Contractor shall ensure all communications and user collaboration deliverables, documentation, and artifacts adhere to the DOT Enterprise policies, processes, and templates.

SUB-TASK 3.10: ENGINEERING TEST LAB SUPPORT

The Contractor shall maintain and operate an Engineering Test Lab (based on government-provided specifications) that replicates as closely as possible the current DOT infrastructure. The Government’s intent is that the Contractor shall maintain the Test Lab Environment including all infrastructure and devices, but the testing will be performed by an independent contractor. NOTE: An Engineering Test Lab description is provided in Attachment J.

The Contractor shall provide the services, processes, and supporting documentation to operate the engineering test environment. This shall include but not be limited to developing operating procedures, design documents, diagrams, inventories; developing administrative and management processes and documentation to ensure proper operation of the test environment; monitoring the operation of the test environment; conducting performance evaluations of the test environment; and scheduling and executing technology refreshes and other activities to ensure the ongoing operation of the test environment.

The Contractor shall ensure test lab servers and workstations are kept current with DOT standard versions and configurations.

The Contractor shall, at all times, ensure that only approved software and configurations are loaded on approved lab hardware. The Contractor shall call to the attention of the government any software discovered in the lab that is in violation of the standard architecture.

The Contractor shall perform regular backups of the test lab files.
The Contractor shall schedule automated backups and verify the successful completion of backups weekly.

The Contractor shall ensure the test environment continuously mirrors the DOT environment to the greatest extent possible as it is refreshed.

The Contractor shall make configuration changes in the test lab at the direction of the COR.

The Contractor shall plan for future test lab configuration changes and production deployments in coordination with the COR.

The Contractor shall make test lab configuration changes in compliance with security policies and procedures and change control procedures.

The Contractor shall ensure test lab configuration changes are in accordance with controlled and repeatable procedures established by the Contractor and approved by the COR.

The Contractor shall ensure all Engineering Test Lab design documentation, and artifacts adhere to the DOT policies, processes, and templates.

The Contractor shall permit and support third-party audits (e.g., technical, management, testing, and security) and use of the test lab for independent testing of engineered solutions by the EITSS Program Management and Task Order Integration contractor as approved by DOT authorized/designated personnel.

SUB-TASK 3.11: FACILITY MOVES ENGINEERING SUPPORT

The Contractor shall support the engineering for facility moves. The Facilities Moves Engineering Support applies to the planning, design, and installation support for the move from a current DOT site to a new site.
Services provided within this component are one-time activities that include, but are not limited to planning and supporting the installation of network equipment, voice and data network cable plant, WAN circuit(s), and all planning and engineering required to ensure site functionality.

The Contractor shall provide new site engineering support that establishes and maintains a predictable cost and methodology to install a new networked ITSS-supported DOT location and results in the installation of sufficient data and voice ports that meet standards for network cable plant and match the number of projected users for the site.

In conducting Facility Move Engineering Planning, the Contractor shall:
Develop (or update and improve existing) and deliver policies and procedures for Facility Moves.
For all approved Facility Move projects, the Contractor shall deliver a project plan of activities, milestones, and timelines for project completion.

In conducting Facility Move Engineering Design and Implementation, the Contractor shall:
Support implementation of ITSS-approved policies and procedures for Facility Moves.
Design and support implementation of approved Facility Move plans.

The Contractor shall ensure all Facilities Move Engineering Support deliverables, documentation, and artifacts adhere to the DOT policies, processes, and templates.

SUB-TASK 3.12: VIDEO TELECONFERENCE (VTC) ENGINEERING SUPPORT

The Contractor shall provide systems development and engineering/technical services for implementation, from concept through deployment, of VTC systems to enable efficient information exchange of voice/video/data. These products include legacy, current, and next generation VTC systems and the planning, research, design, testing, integration, verification, customization of those systems, subsystems, and components.
In support of VTC Planning, the Contractor shall perform analyses to develop new or modify/upgrade in-service VTC systems with consideration of the Government's overall mission and technical requirements in addition to the physical limitations of the VTC systems configuration. These analyses shall provide necessary documentation to support the development of new VTC systems or the modification/upgrade and/or replacement of existing VTC systems to meet mission and operational requirements. Specifically, the Contractor shall:
Conduct surveys, interviews, and process analysis at specified sites to determine and document capabilities of existing VTC systems and their adequacy to recommend current and future mission and operational requirements. This includes identifying the relevant processes and relationships between business processes, training requirements, VTC systems and technology, and facilities that are key to successfully implementing new or enhanced VTC solutions.
Research, identify, analyze, and document system performance and interoperability requirements to achieve, improve or upgrade the VTC system.
Conduct detailed user requirement analyses to determine and document site schedules, level of data, VTC system requirements, communications requirements and constraints, and other potential site unique constraints.
Develop VTC system design alternatives based on the results of operational and performance requirements analysis to postulate and recommend potential technical approaches.
This shall include the development of documentation and design drawings to support the configuration and arrangement of the proposed VTC system elements; system improvement / production engineering documentation and drawings to support the configuration and arrangement of the modified VTC system elements; and updates to engineering documentation and drawings to support the configuration and arrangement of the upgraded VTC system elements.
Evaluate design concepts by performing comparative analysis of VTC design concepts considering supportability, technology availability, reliability, compatibility, interoperability, and cost effectiveness. This shall include program needs, modifications and upgrades of existing systems, human interfaces, information handling, database management, and communications networking. The Contractor shall research and identify alternatives, formulate selection criteria, evaluate alternatives, and perform sensitivity checks.
Document the Implementation Plan for the new, modified and upgraded VTC system integration, equipment, and subsystems with distinctly defined near, mid and long-term initiatives. The Implementation Plan shall include project schedules to include activity durations and effort milestones to support management of overall communication and risk management of the VTC effort.

In support of VTC Engineering Research, Design and Testing, the Contractor shall research VTC technologies and develop designs for the development of new VTC systems ranging from small room to large facility solutions. Specifically, the Contractor shall:
Develop and review VTC system requirement analysis and assess the proposed system’s ability to meet operational and organizational requirements.
This shall include conducting surveys at proposed installation sites to determine architecture designs and conceptual architectural alternatives, design options, operational assessments, and post deployment evaluations.
Conduct and review site surveys that identify facility layout, space considerations, cable plant layout, and structural considerations. The Contractor shall identify the organization’s points of contact for supporting the system design, upgrade, operations and maintenance activities.
Identify, evaluate, and document VTC system design options to include the scale of requirement, room specific functionality, scheduling functionality, energy management, and overall maintenance design. The evaluation shall identify the strengths and weaknesses associated with the various design alternatives and provide a recommended course of action. The evaluation shall assess the strengths and weaknesses of proposed alternatives based on their impact to the user organization’s mission and training requirements, facility impacts such as power and space, and the effect of the design alternative on the Total Cost of Ownership.
Document the VTC system design and alternatives. The design document shall include an implementation plan, hardware and software Material Equipment List (MEL), anticipated VTC equipment and services, network requirements, engineering drawings, panel diagrams, Graphical User Interface (GUI) layouts, staffing plan, and a Plan of Action and Milestones (POA&M) on the provision of an integrated VTC capability to customers.
Participate in milestone design review meetings, technical reviews, and conference presentations to provide VTC design expertise.
The Contractor shall provide VTC specification drawings and technical reports (including charts and hardware and software documentation) detailing the purpose and objectives of the proposed VTC system, operational constraints and summarization of the research of the tasks listed above.
Participate in research and development of new and emerging VTC technologies to include an evaluation of the potential application of the new technology to installed and planned VTC systems and an assessment of additional organizational risk factors and opportunities.
Develop a mockup to evaluate VTC system design including software customization. Evaluation may occur in the ITSS test lab or at end user facility.
Resolve system deficiencies to include identification, diagnosis, and documentation of observed VTC system, subsystem or equipment testing. The Contractor shall recommend changes to the Government for review, evaluation, and input to development of the system design.
Maintain configuration control of the technical documentation and drawings.

In support of VTC Integration and Verification, the Contractor shall integrate, verify, upgrade, and repair VTC systems to meet mission, design and operational requirements. Specifically, the Contractor shall:
Prepare site-specific implementation plans that identify organization responsibilities and all schedules for implementation and verification.
Prepare an integration plan that describes technical approach, interface requirements, electrical and physical layouts, and schedule of events.
Provide support services to integrate, and/or upgrade, VTC equipment that is fully compliant with relevant standards and specifications.
Conduct physical, manufacturing, and production testing for all VTC system components.
The Contractor shall verify all system cables, ports, hardware, and panels integrating programming code into the systems to ensure full system operability prior to system delivery and installation.
Develop VTC system acceptance verification plans and perform VTC system acceptance verification to ensure that the newly installed or modified/enhanced in-service VTC system meets all functional, operational, and performance characteristics within the specification and it adheres to all identified standards. The Contractor shall provide documentation to validate the acceptance verification plan provides complete coverage of all documented system requirements.
Provide independent and objective evaluation of verification plans, procedures, results, and data. The Contractor shall identify and track deficiencies to closure and recommend corrective measures. The Contractor shall take corrective action to resolve problems identified by the Government.
Plan for and conduct performance and integration validation of VTC systems to identify defects and potential system limitations.
Document verification results and identify problems and issues associated with the VTC system. The Contractor shall develop and provide verification result reports, requirement traceability matrices, and other required verification documentation.

In support of VTC Software Customization, the Contractor shall provide services to define, code, debug, and verify software. As required, the Contractor shall follow the guidance and mandatory elements of the manufacturer’s proprietary software.
Specifically, the Contractor shall:
Identify and define the functional and performance requirements for each component of the modified or enhanced in-service VTC system and document how the identified requirements satisfy the specific mission, goals, and objectives of the fully integrated system.
Document the GUI, system specifications, and design which shall include a detailed functional summary for each module, including all data inputs, screen formats for each input function, input data sources, processing requirements, interface requirements, data flow, and proposed programming languages. It shall include a description of the function and purpose of each module, accuracy and validity requirements, timing, flexibility, interfacing requirements and constraints, security requirements, and output destination(s) and formats.
Document the network specifications which shall include a layout and description of the organization’s network architecture, classification requirements, and source requirements.
Incorporate state of the art tools and technologies in system solutions providing the user a certified and tailored GUI and system programming.
Customize, code, debug, and validate the required units, modules, and programs in accordance with the VTC specifications. The Contractor shall customize, develop, and validate source code to ensure compliant VTC functionality meeting user requirements of the modified or enhanced in-service system.
Create user training materials and conduct training for the VTC systems and user interfaces.
Provide independent and objective validation of modified or enhanced in-service system specifications, production designs, and source code. The Contractor shall identify and track deficiencies to closure and recommend corrective measures.
The Contractor shall take corrective action to resolve code problems as identified by the Government.

The Contractor shall ensure all VTC Engineering, Equipping, and Provisioning Support deliverables, documentation, and artifacts adhere to the DOT policies, processes, and templates.

The Contractor shall provide VTC Tier 3 support in coordination with the ITSS Service Desk (and using the ITSS ticketing system and standard escalation procedures) to resolve relevant incidents and problems to include logging and reporting each user trouble call, regularly providing customers with status updates, and successfully closing out incidents on a priority ranking basis. This includes monitoring the relevant ticketing queues and troubleshooting and resolving VTC-related service requests, incidents, and problems. The Contractor shall report on Tier 3 support monthly.

SUB-TASK 3.13: FILE AND PRINT SERVER ENGINEERING

The Contractor shall provide file and print server (and any subsequent solution) support associated with the provisioning and day-to-day management of the installed infrastructure and corresponding support services. NOTE: A list of current Server equipment is provided in Attachment J.
Specifically, the Contractor shall:
Support activities that include provisioning and day-to-day management of the installed file and print server environment, and effectively and efficiently performing procedures to ensure services meet ITSS delivery requirements.
Review current file and print server artifacts (e.g., file and print server architecture, standards, and requirements) and provide a report with improvement recommendations along with a time-phased Implementation Plan that identifies activities, tasks, timelines, and milestones.
Upon government approval, execute file and print server improvement Implementation Plan.
Develop and document file and print server engineering procedures that comply with defined policies, including relevant federal, DOT, and ITSS regulations and procedures.
Coordinate with application server groups (e.g., database access and rights, application access control lists) in accordance with policies.
Monitor, operate, maintain, and support operating systems installed on file and print servers.
Install new file and print servers, upgrade, troubleshoot, repair, and/or rebuild existing file and print servers.
Actively monitor software release of new patches or upgrades for file and print servers from original equipment manufacturers and notify DOT personnel within 48 hours of release.
Determine whether the file and print server patch or upgrade is necessary, obtain DOT approval and direction on release, and test prior to release unless otherwise directed.
Upon government approval, plan for and conduct file and print server patch or upgrade testing.
Schedule file and print server downtime and plan such that end users are notified well in advance to avoid or mitigate inconveniences.
Perform file and print server backups as per proposed schedule or by policy.

The Contractor shall ensure file and print Server Engineering deliverables, documentation, and artifacts adhere to the DOT policies, processes, and templates.

The Contractor shall provide file and
print Server Tier 3 support in coordination with the ITSS Service Desk (and using the ITSS ticketing system and standard escalation procedures) to resolve relevant incidents and problems to include logging and reporting each user trouble call, regularly providing customers with status updates, and successfully closing out incidents on a priority ranking basis. This includes monitoring the relevant ticketing queues and troubleshooting and resolving Print Server-related service requests, incidents, and problems. The Contractor shall report on Tier 3 support monthly.

SUB-TASK 3.14: ENGINEERING AND OPERATIONS SURGE SUPPORT

Special conditions or urgent needs may create a need for additional engineering and operations capability. This optional task allows the Government to meet these additional needs as they arise.

The Contractor shall provide Engineering and Operations surge support for limited duration requirements.

The government may order surge support services at any time at the discretion of the Contracting Officer.

Engineering and Operations Surge Support is included as separate contract line items associated with each performance period (i.e., base and options).

The Contractor shall be capable of supporting engineering and operations surge requirements across all PWS tasks and labor categories.

The Government will attempt to provide the Contractor with 20 day notification of surge support requirements including locations, durations, specific services required, suggested number of personnel, and any other surge unique information.

The Contractor shall calculate and propose any additional Task Order costs to the Government.

The CO shall approve any additional costs prior to the Contractor executing a surge support requirement.

The Contractor shall supply, when requested, additional personnel to support projects of varying durations and scopes.

The Contractor shall provide a Weekly Activity Report (WAR) on Surge Support to include, but not be limited to, dates of service; type
of services rendered; the number of hours charged to the Government, and any outstanding technical and/or cost concerns.

SUB-TASK 3.15: REMOTE MANAGEMENT & ACCESS ENGINEERING

Remote Access includes tools and systems which allow for end users to work remotely from GFE or other Government approved methods. This includes, but is not limited to, Virtual Private Network (VPN) and Virtual Desktop Infrastructure (VDI). Remote Management includes the use of tools and utilities to remotely manage and administer infrastructure and end user devices. These include remote desktop services and tools, Out of Band Management (OBM) technologies, and other configuration management tools.

The Contractor shall provide Remote Management and Access Engineering support through an integrated set of methodologies and products to enhance the operations of hardware, software, and cloud hosted systems to include the collection and analysis of the remote management and access information, diagnosis of problems, and development of recommendations to resolve problems.

In providing general Remote Management and Access Engineering support, the Contractor shall:
Establish (or update existing) and maintain Remote Management and Access systems and software configuration baseline data and documentation.
Conduct redesign activities that modify functionality and/or produce technical improvements to enhance software and security.
Monitor system execution and performance; track and report change requests and discrepancy reports; perform problem analysis and resolution; and provide technical assistance to the end-user.

In support of Remote Management and Access Documentation, the Contractor shall maintain current supporting Remote Management and Access documentation, including manuals for operations, system maintenance, user and training, and plans (e.g., system integration and site implementation). The documentation shall be dynamic to be modified to take advantage of new methodologies, techniques and tools.
The documentation shall follow the latest approved standards for the system.

In support of Remote Management and Access Configuration Management, the Contractor shall provide System Engineering, which may include implementation of new application systems, and maintenance and/or enhancement of existing applications to support the Remote Management and Access solution. The Contractor shall support the Remote Management and Access configuration management activities throughout the life-cycle.

Contractor supported Remote Management and Access Configuration Management responsibilities shall include the review of all software, hardware, network, and application changes to identify potential issues, conflicts or problems relating to the proposed changes or the timing of the changes. Changes shall include: installation of new products and components; new versions; upgrades; engineering changes; new agency-developed applications and modifications to agency applications; and development and implementation of a Configuration Management database and associated plans.

In support of Remote Management and Access Technical Refreshment, the Contractor shall identify aging technology or the technology at risk of becoming obsolete during the lifecycle of a program, and identify technology refreshment activities required to prevent the decay of the Information Technology infrastructure on which programs are dependent. This shall include the identification of specific targets of possible aging technology and recommendation of specific technology to replace it. The Contractor shall deliver technical refreshment recommendations to include specific timelines and milestones, cost/benefit scenarios, and detailed replacement procedures.
Upon government approval, the Contractor shall support the configuration, installation and operation of the recommended technology as deemed necessary by the government to refresh the aging technology.

In support of Remote Management and Access Technology Infusions, the Contractor shall evaluate the ITSS’s operational use of Remote Management and Access systems and identify general and specific areas where current, upcoming or state-of-the-art technology would enhance the organization’s operation. This shall include identification of the operational components evaluated, specific descriptions of the enhancements possible if the recommended technology were infused into the organization, and specific description of the technology available to realize the enhanced capability.

For all approved Remote Management and Access projects, the Contractor shall deliver a project plan of activities, milestones, and timelines for project completion.

Upon government approval of the project plan, the Contractor shall execute the project to include the configuration, installation, and operation of the recommended technology as deemed required by the government.

The Contractor shall ensure all Remote Management and Access Engineering deliverables, documentation, and artifacts adhere to the DOT policies, processes, and templates.

The Contractor shall provide Remote Management and Access Engineering Tier 3 support in coordination with the ITSS Service Desk (and using the ITSS ticketing system and standard escalation procedures) to resolve network outages to include logging and reporting each user trouble call, regularly providing customers with status updates, and successfully closing out incidents on a priority ranking basis. This includes monitoring the infrastructure ticketing queues and troubleshooting and resolving infrastructure-related service requests, incidents, and problems.
The Contractor shall report on Tier 3 support monthly.

SUB-TASK 3.16: SERVER HOSTING ENGINEERING

The Contractor shall provide Server Hosting Engineering support through an integrated set of methodologies and products to enhance the operations of hardware, software, and cloud hosted systems to include the collection and analysis of the remote management and access information, diagnosis of problems, and development of recommendations to resolve problems.

In providing general Server Hosting Engineering support, the Contractor shall:

Establish (or update existing) and maintain Server Hosting platforms, hardware, and software configuration baseline data and documentation.

Conduct redesign activities that modify functionality and/or produce technical improvements to enhance software and security.

Monitor system execution and performance; track and report change requests and discrepancy reports; perform problem analysis and resolution; and provide technical assistance to the end-user.

In support of Server Hosting Documentation, the Contractor shall maintain current supporting Server Hosting documentation, including manuals for operations, system maintenance, user and training, and plans (e.g., system integration and site implementation). The documentation shall be dynamic to be modified to take advantage of new methodologies, techniques and tools. The documentation shall follow the latest approved standards for the system.

In support of Server Hosting Configuration Management, the Contractor shall provide System Engineering, which may include implementation of new application systems, and maintenance and/or enhancement of existing applications to support the Server hosting solution.
The Contractor shall support the Server Hosting configuration management activities throughout the life-cycle.

Contractor supported Server Hosting Configuration Management responsibilities shall include the review of all software, hardware, network, and application changes to identify potential issues, conflicts or problems relating to the proposed changes or the timing of the changes. Changes shall include: installation of new products and components; new versions; upgrades; engineering changes; new agency-developed applications and modifications to agency applications; and development and implementation of a Configuration Management database and associated plans.

In support of Server Hosting Technical Refreshment, the Contractor shall identify aging technology or the technology at risk of becoming obsolete during the lifecycle of a program, and identify technology refreshment activities required to prevent the decay of the Information Technology infrastructure on which programs are dependent. This shall include the identification of specific targets of possible aging technology and recommendation of specific technology to replace it. The Contractor shall deliver technical refreshment recommendations to include specific timelines and milestones, cost/benefit scenarios, and detailed replacement procedures. Upon government approval, the Contractor shall support the configuration, installation and operation of the recommended technology as deemed necessary by the government to refresh the aging technology.

In support of Server Hosting Infusions, the Contractor shall evaluate the ITSS’s operational use of Server Hosting platforms and systems and identify general and specific areas where current, upcoming or state-of-the-art technology would enhance the organization’s operation.
This shall include identification of the operational components evaluated, specific descriptions of the enhancements possible if the recommended technology were infused into the organization, and specific description of the technology available to realize the enhanced capability.

For all approved Server Hosting projects, the Contractor shall deliver a project plan of activities, milestones, and timelines for project completion.

Upon government approval of the project plan, the Contractor shall execute the project to include the configuration, installation, and operation of the recommended technology as deemed required by the government.

The Contractor shall ensure all Server Hosting deliverables, documentation, and artifacts adhere to the DOT policies, processes, and templates.

The Contractor shall provide Server Hosting Engineering Tier 3 support in coordination with the ITSS Service Desk (and using the ITSS ticketing system and standard escalation procedures) to resolve network outages to include logging and reporting each user trouble call, regularly providing customers with status updates, and successfully closing out incidents on a priority ranking basis. This includes monitoring the infrastructure ticketing queues and troubleshooting and resolving infrastructure-related service requests, incidents, and problems.
The Contractor shall report on Tier 3 support monthly.

SUB-TASK 3.17: SOFTWARE DEPLOYMENT

The Contractor shall deploy software, software images, and all categories of patches in accordance with industry standards and Government direction.

The Contractor shall provide technical assistance to DOT in defining core software image package specifications for desktops, laptops, servers, and other in-scope devices.

The Contractor shall deploy one or more master software builds to DOT end user hardware in accordance with DOT procedures and policies.

The Contractor shall deploy additional software image builds for the DOT Offices that require a unique image different from the master and maintain the images consistent with DOT licensing and security standards.

The Contractor shall operate necessary utilities/tools to maintain and ensure compliance with core software image build deployment and management policies and procedures.

The Contractor shall manage core software images and application deployment efforts using formal project management tools, methodologies, and standards (e.g., IT Infrastructure Library change and configuration management practices).

The Contractor shall operate, support, and administer software distribution tools regardless of technology.

The Contractor shall automate core software image builds deployment processes (e.g., remote upgrading of desktop images).

The Contractor shall recreate from backup, within three (3) business days of Government request, end user desktop environments to previous state including, but not limited to, base build plus all end user-specific features, functions and applications, as required.

The Contractor shall conduct post-deployment reviews and provide results to DOT within ten (10) business days of deployment conclusion.

The Contractor shall operate necessary utilities/tools to maintain and ensure compliance with application software deployment and management policies and procedures.

The Contractor shall deploy approved application
software builds on applicable devices within three (3) business days of Government request.

The Contractor shall operate, support, and administer software distribution tools.

SUB-TASK 3.18: DESKTOP SECURITY SERVICES

The Contractor shall execute all security actions necessary to secure the desktop including, but not limited to, deployment of network access control, program control, anti-virus, anti-spyware, anti-malware, data security, and remote access solutions on all end user devices.

The Contractor shall push anti-virus/spyware/malware update files to all end users no more than twenty-four (24) hours after approval from DOT excepting Critical Security updates.

The Contractor shall identify and coordinate with the infrastructure team the removal of any infected system from the network.

The Contractor shall support and manage the encryption of end user devices for international travelers to FIPS 140-2 standards including, but not limited to, data cleansing per DOT policies and following NIST guidelines, no more than twenty-four (24) hours after return of the end user device by the end user.

The Contractor shall assess any end user loaner device for unauthorized changes by comparing before and after use and notifying DOT within twenty-four (24) hours of determination if suspicious differences are identified.

The Contractor shall test and push updates to security applications to the end user desktop at DOT direction. Upgrades within a version (e.g., 1.1 to 1.2) shall be completed no more than ten (10) business days from receipt of update from DOT.
Upgrades from one version to the next (e.g., 1.3 to 2.0) shall be completed no more than thirty (30) business days from receipt of update from DOT.

The Contractor shall provide the required tools, and perform forensic analysis of security events that occur within the scope of Operations, and aid in those events that cross scope between the Operations TO and another TO (e.g., Engineering).

The Contractor shall report, within one (1) hour of occurrence, all Security Incidents to all designated DOT security personnel.

The Contractor shall participate in Security Incident Response Conference Calls with the Government and other Contractors in the event of any critical security incident as deemed appropriate by the Government and on a 24x7x365 basis.

The Contractor shall participate in such conference calls and shall have access to systems and component status for those elements of the infrastructure that are specific to their TO.

The Contractor shall provide (1) a Draft Security Incident Report each hour during a declared security event during business hours, (2) a Draft Security Incident Report outside operating hours as required by the government, and (3) a comprehensive After Action Report after the event, or as requested by ITSS Security Team.

SUB-TASK 3.19: ENTERPRISE MONITORING

The Contractor shall utilize, operate, maintain, configure, customize, support, and update the GFE Enterprise Monitoring System (EMS) and any successor system. (Current system is SolarWinds.) The Contractor shall advise the Government regarding needed changes to the EMS. The Contractor shall assist in configuring the GFE EMS parameters to customize the instance for ITSS and its customers based on usage and need.

The Contractor shall assist in configuring the EMS such that it automatically sends an alert email no more than two (2) minutes after an alert is triggered. The Contractor shall assist in configuring the EMS to enable end users to view the status of alerts in the system.
The Contractor shall assist in configuring the EMS to provide full transparency/access of the raw data to the ITSS Government leadership. The Contractor shall assist in defining the minimum baseline for creating new alerts based on Government requirements. This shall include, but is not limited to, the name of the alert, alert trigger configuration, the service owner, customer contact, the customer impact, and procedure for escalation. The Contractor shall assist in configuring EMS monitoring and alerts in accordance with Government requirements.

The Contractor shall work with the Government to configure the EMS to produce custom and ad hoc reports.

Task 4: Infrastructure Operations

SUB-TASK 4.1: INFRASTRUCTURE GENERAL SUPPORT

The Contractor shall provide full lifecycle support for all production systems as enumerated in (but not limited to) Attachment J (including email but excluding applications hosted by external application hosting providers) in operation and supported by ITSS. The Contractor shall provide, in accordance with the requirements specified herein, all labor, management, configuration, supervision, and other resources necessary to support all production systems managed by ITSS.

The Contractor shall conduct independent quality assurance reviews of closed tickets to ensure they are properly coded.

The Contractor shall investigate all missed SLAs and report statistics and reasons monthly.

The Contractor shall survey end-users about their experience and report the results along with analysis during monthly status briefings.

The Contractor shall ensure that all overall Federal and specific DOT directives, mandates and requirements are adhered to during the planning, execution, and operational maintenance of this TO.

The Contractor shall use GFE tools compatible with current and future DOT / ITSS requirements and standards, such as the GFE SMS, to store, maintain and secure all deliverable documents and any other documentation generated under the contract.

The
Contractor shall provide life cycle management expertise. This expertise shall (or must) include, but not be limited to, requirements analysis, architecture development, system design, and integration management, systems development and implementation assistance.

The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.

SUB-TASK 4.2: INFRASTRUCTURE OPERATIONS AND ADMINISTRATION

The Contractor shall provide proactive and scheduled monitoring of infrastructure and systems in near real time (e.g., hardware, network, batch schedule, and interfaces), respond to messages, and take corrective action as required.

The Contractor shall develop and maintain standard automated scripts to monitor systems software.

The Contractor shall recommend and install tools for infrastructure operations; and identify and report problems including, but not limited to, system, file, disk, and application problems.

The Contractor shall perform troubleshooting, repair, and escalation of incidents and problems.

The Contractor shall execute preventive measures for proactive monitoring and recommend redundancy or self-healing capabilities to limit outages that impact service delivery.

The Contractor shall identify and report incidents and problems affecting applications.

The Contractor shall resolve or assist in resolving application problems and escalate as required.

The Contractor shall develop and document standards and procedures for process management and reporting of performance and issues.

The Contractor shall implement and manage scheduling tools for managing/automating job execution (e.g., workflow processes, interdependencies, requirements, file exchange functions).

The Contractor shall manage data on the file servers including, but not limited to, tracking file and folder ownership, permissions, usage quotas, and auditing permission changes.

The Contractor shall enable Public Key Infrastructure and
manage secure messaging/encryption/digital signature/digital certifications.

The Contractor shall set up end user accounts, perform access control, manage files and disk space, and manage transaction definitions.

The Contractor shall perform system or component configuration changes necessary to support computing services conforming to Contractor-proposed and DOT-approved change management requirements.

The Contractor shall provide usage statistics reports that will support chargeback and other reporting requirements.

The Contractor shall comply with all Federal and DOT policies including, but not limited to the following, and document compliance with FISMA, OMB Circular A-123, OMB Circular A-130, NIST FIPS, SAS 70, CFO audits, Federal Managers Financial Integrity Act of 1982, OMB Circular A-127.

The Contractor shall produce an Inventory Report, Task Management Report, Vulnerability Management Report; and reports for all endpoints for customer situational awareness.

The Contractor shall provide ongoing engineering and operational support for the DOT and ITSS Communication and Collaboration tools, which include but are not limited to, software that allows for Voice and Video sharing, Web Conferencing, Video Teleconferencing (VTC), Instant Messaging & Presence, and content collaboration platforms (e.g., SharePoint, Microsoft Dynamics, etc.).

The Contractor shall provide Canned, Custom, and Ad Hoc Reporting related to infrastructure operations at Government direction.

The Contractor shall perform Government-requested reporting in formats, frequencies, and with content as specified by the Government.

The Contractor shall implement and support a GFE Dashboard. The types of data needed for reporting purposes are: dates of services; type of services rendered by Contractor; number of hours charged to Government.
The Contractor shall identify in detail any outstanding technical and/or cost concerns.

The Contractor shall monitor/track and report hours by each service category to which all costs are attributed.

SUB-TASK 4.3: NETWORK OPERATIONS SUPPORT

The Contractor shall perform network operations support including installation/removal, changes, moves, adds, audits, disposition of equipment, cabling and disconnection services, status reporting, environmental monitoring, troubleshooting, firewall management, operations, maintenance, and problem resolution.

The Contractor shall perform environmental monitoring, which shall be accomplished through in-place systems with alerts/alarms supplemented with new or additional devices to ensure the environment is operating within limits.

The Contractor shall execute network performance monitoring and provide status and measurements for the operational environment.

The Contractor shall back up security device and network device configurations.

The Contractor shall define and execute the escalation process for alerts.

The Contractor shall operate and maintain automated tools to monitor networks, in real-time, to respond to problems and perform break/fix services (physical or logical), provide 24x7x365 operational reporting of services availability, and proactively identify performance degradation.

The Contractor shall provide staff to support core business hours.
The Contractor shall maintain maximum availability of the production network in accordance with SLAs.

The Contractor shall use and support DOT-provided tools to augment operations and reporting including, but not limited to, the collection of Simple Network Management Protocol traps for all seven layers of the OSI Stack.

The Contractor shall continuously model networks to provide performance forecasting, and shall measure with automated tools to predict capacity and potential impact to applications and network topology.

The Contractor shall install and remove network hardware and software as well as perform routine IMACs for infrastructure devices and software. Such activities will be subject to change control procedures and require maintenance of the asset records.

The Contractor shall manage software for all network devices (including, but not limited to, file and print servers) including, but not limited to, the base images, software updates, server operating system software, security software, and standard network tools.

The Contractor shall provide incident management and analysis (e.g., spike analysis and analysis of unexpected data flow, missing data flows, etc.).

The Contractor shall manage license compliance for installed software provided by the Government, and report instances of installed software not part of the standard configuration.

The Contractor shall develop and document network administration requirements and procedures.

The Contractor shall maintain IP addressing schemes, router configurations, routing tables, VPN configurations, IPV4 and IPV6 allocations, etc.

The Contractor shall manage user accounts as needed for access and maintaining network resources (e.g., logon user ID and password maintenance).

The Contractor shall maintain and provide audit information including, but not limited to, access, general logs, and application logs in accordance with DOT security policies.

The Contractor shall support sending of logs real time or near real time to the
approved Security Event and Incident Management System as directed by DOT.

The Contractor shall ensure that network administration activities are coordinated through defined change management processes.

The Contractor shall manage configurations and prepare bills of materials for network equipment and assist with equipment orders, including performing research.

The Contractor shall document router configuration files and IP addressing schemas.

The Contractor shall provide capacity-planning assistance to develop network resource requirements projections.

The Contractor shall monitor and report the performance of public carriers (and other third parties) to meet defined schedules, project plans, and services to meet business needs/service levels.

The Contractor shall ensure that all new circuits, devices, and software provisioned are updated in configuration management systems.

The Contractor shall perform configuration backup for network and security devices.

The Contractor shall implement, configure, and support (including troubleshooting) wireless networks at all Government locations in accordance with Attachment J.

The Contractor shall resolve user connectivity issues with the wireless network.

The Contractor shall troubleshoot wireless capacity and performance issues and implement approved remediation.

The Contractor shall support the use of wireless equipment.

The Contractor shall provide wireless services usage monitoring and reporting.

The Contractor shall manage and administer all wireless access points and troubleshoot any performance issues.

The Contractor shall perform any required site surveys to evaluate potential environments before deploying wireless services.

The Contractor shall deploy wireless network devices including, but not limited to, routers and access points.

The Contractor shall comply with wireless security directives and guidelines.

The Contractor shall support authorized device connections to the wireless network.

The Contractor shall monitor and report
unauthorized access to the wireless network.

The Contractor shall perform 24x7x365 management and monitoring of VPN or equivalent services.

The Contractor shall support VPN or equivalent remote access for all Government-furnished devices.

The Contractor shall provide weekly reports of VPN and VDI (or equivalent) usage and network traffic reports.

The Contractor shall perform management of security devices and configuration.

The Contractor shall perform firewall configuration, rule changes, and firewall updates in accordance with Government direction.

The Contractor shall perform security reviews of network configuration and firewall rules and recommend security improvements.

The Contractor shall provide support to authorized third-party Contractors and Government personnel to assist with Continuous Diagnostics and Mitigation (CDM) work. The Contractor shall maintain any products, standards, baselines, tools, equipment, solutions, access levels, and processes that result from the CDM or Network Assessment and Risk Mitigation work.

The Contractor shall maintain the GFE software (currently Riverbed) used to analyze the performance of the DOT networks in preparation for planned changes. The Contractor shall provide reports from this software on an ad hoc and scheduled basis as requested by the Government.

The Contractor shall maintain a complete end to end mapping of the network for both the OCIO and Modal managed networks, a complete inventory of all network devices (i.e., make/model/configs), in place monitoring tools, telecommunications infrastructure, TIC, etc.

The Contractor shall facilitate the integration and operation of DOT cybersecurity shared service into the DOT network.

The Contractor shall implement and perform post-implementation monitoring of network changes directed by the DOT CISO or his designees.
The Contractor shall maintain network design and diagram documentation to include detailed circuit information, detailed documentation of firewall policies, groups and objects, detailed design documents for layer 2 and layer 3 devices, “as built” documentation for all infrastructure.

SUB-TASK 4.4: SECURITY OPERATIONS SUPPORT

The Contractor shall perform security operations support including monitoring, remediation, implementation, configuration, planning, staffing, encryption, and tracking in compliance with FISMA and other security-related statutes, regulations, rules, and standards.

The Contractor shall provide proactive and scheduled console monitoring of infrastructure and systems in read-only in near real time (e.g., hardware, network, batch schedule, interfaces, and table spaces), respond to messages, and take corrective action as required.

The Contractor shall utilize, operate, maintain, configure, secure, support, and update a Government security suite for tracking compliance; and for remote support, shall implement and sustain real-time data feeds and/or access as required by the SOC or the Department of Homeland Security (DHS) for security monitoring and analysis, and will provide access to archived security data for forensics and incident discovery.

The Contractor shall work with DOT IT personnel to modify and maintain firewall rule sets, implement those rule sets, and monitor the log files as well as the normal operation and maintenance of firewalls.

The Contractor shall assist DOT in planning and executing the Security Assessment and Authorization of its critical systems in compliance with ITSS, Federal, and NIST guidelines and policies.

The Contractor shall support both the review of information systems management, physical, and/or technical security controls and depending on the results of the review, the authorization by management for the system to operate.

The Contractor shall assist DOT in fully complying with all FISMA reporting requirements and other
security audits.

The Contractor shall implement a comprehensive set of IT security-related operational policies, procedures, and guidelines that will support DOT’s mission and ensure compliance with Federal and DOT security requirements.

The Contractor shall execute encryption using the GFE backup system to comply with FIPS 140-2 standards.

The Contractor shall operate and maintain a collaborative dashboard where authorized Government personnel can view security-incident data, vulnerability data, compliance data, and security reports and related data.

The Contractor shall support all security audits as required by DOT.

The Contractor shall enter and track security incident reports, enter service desk queue data to initiate ticketing in response to security incidents or compliance issues, and manage remediation of detected vulnerabilities by correlating scanning results against asset management data and intrusion detection system (IDS) incident reports.

The Contractor shall report all security incidents to the appropriate DOT or government organization according to Federal or DOT policies and procedures (e.g., the DOT Security Operations Center (SOC)).

The Contractor shall support remediation of issues identified via the Continuous Diagnostics and Mitigation program scanning process.

The Contractor shall provide minimum security baseline configurations for servers, user workstations, storage devices, network devices (routers, switches, firewalls, etc.). These baselines shall align with the DOT Security Compendium.
SUB-TASK 4.5: FIREWALL SECURITY MANAGEMENT

The Contractor shall recommend and implement best practices for firewall management compliant with DOT policies.

The Contractor shall provide services conforming to firewall policies and requirements.

The Contractor shall perform firewall support and security design.

The Contractor shall assess firewall security and propose alternative security designs.

The Contractor shall develop and implement recommendations for improved security.

The Contractor shall monitor and report firewall activities in accordance with DOT requirements for immediate escalation/notification and/or statistical reporting.

The Contractor shall implement firewalls, manage firewall rules and changes within the DOT environment, and coordinate firewall access with external DOT customers.

The Contractor shall maintain Access Control Lists (ACL) in accordance with DOT policies.

SUB-TASK 4.6: INTRUSION DETECTION SERVICES

The Contractor shall perform both Network-Based Intrusion Detection Services (NIDS) and Host-Based Intrusion Detection Services (HIDS) if requested by the Government.
The Contractor shall implement policies and standards for intrusion detection if requested by the Government.

The Contractor shall provide intrusion detection services and reporting if requested by the Government.

The Contractor shall develop recommendations for improved security practices and policies if requested by the Government.

The Contractor shall develop procedures and standards for preventing exfiltration of data if requested by the Government.

The Contractor shall provide intrusion and exfiltration detection services and reporting using GFE if requested by the Government.

The Contractor shall allow for independent verification and validation of intrusion and exfiltration detection services if requested by the Government.

The Contractor shall implement Government-approved intrusion detection recommendations if requested by the Government.

SUB-TASK 4.7: ENTERPRISE OPERATIONS CENTER (EOC)

The Contractor will provide general support to include:

The Contractor shall perform day-to-day operation of the distributed computing environment, providing and supporting a stable infrastructure and effectively and efficiently performing operational and processing procedures to ensure SLAs conform to requirements and policies, and comply with security.

The Contractor shall perform management and maintenance of DOT headquarters and field locations using industry standards and DOT-tailored processes to maintain network availability and ensure security accreditation; maintenance of network hardware/software configurations (UP); management of equipment/assets (AM), routers, and switches.

The Contractor shall provide Infrastructure support for Storage, Server, and Mail for the EOC to support 24x7 operations.

The Contractor shall conduct periodic audits and status reporting; be responsible for installation, changes, moves, disposition of surplus equipment, cabling, and disconnection services; and problem resolution.

The Contractor shall provide Wide Area Network (WAN) services (including,
but not limited to, provisioning, monitoring, and management of networks) that interconnect two or more separate facilities that span a geographic area larger than a campus or metropolitan area. Transmission facilities include, but are not limited to, point-to-point circuits, frame relay, dedicated Internet connections, Internet connections, ISDN, Internet-based VPNs, and MPLS.

The Contractor shall work with public carriers and other circuit providers on behalf of DOT to ensure delivery of WAN services and support any infrastructure management-related work required by designated carriers to support the DOT network.

The Contractor shall provide Local Area Network (LAN) services (including, but not limited to, provisioning, monitoring, and management of networks) that are usually confined to a single facility or portion of a facility. LAN components include, but are not limited to, Dynamic Host Control Protocol (DHCP)/Domain Name Server (DNS) and Wireless LANs supporting all network traffic originating from desktop devices, local file and print servers, application servers, database servers, peripherals, firewalls/routers, other network devices, and other user premise devices.

The Contractor will include Operations and Administration to include:

The Contractor shall provide proactive and scheduled console monitoring of infrastructure and systems in near real time (e.g., hardware, network, batch schedule, interfaces, and table spaces), respond to messages, and take corrective action as required.

The Contractor shall develop and maintain standard automated scripts to monitor the network.

The Contractor shall provide troubleshooting, repair, and escalation of problems.

The Contractor shall provide preventive measures for proactive monitoring and recommending redundancy or self-healing capabilities to limit outages that impact service delivery.

The Contractor shall identify and report problems affecting the network.

The Contractor shall resolve or assist in resolving application problems
in accordance with SLAs and escalate as required.
The Contractor shall provide timely data and information required for reporting, and for input and preparation of such reports, per policy.
The Contractor will be responsible for Network Operations to include:
The Contractor shall conduct periodic audits and frequent operational status reports; be responsible for installation, changes, moves, disposition of surplus equipment, cabling and disconnection services; and for problem resolution.
The Contractor shall perform environmental monitoring, which shall be accomplished through in-place systems with alerts/alarms supplemented with new or additional devices to ensure the environment is operating within limits.
The Contractor shall monitor networks and provide status and measurements for the operational environment.
The Contractor shall define the escalation process for alerts.
The Contractor shall use GFE automated tools to monitor networks, in near real-time, to respond to problems and perform break/fix services (physical or logical), provide 24x7x365 operational reporting of services availability, and proactively identify performance degradation.
The Contractor shall continuously model networks to provide performance forecasting, and shall measure with automated tools to predict capacity and potential impact to applications and network topology.
The Contractor shall manage software for all network devices to include, but not limited to, the base image, software updates, server operating system software, security software, and standard network tools.
The Contractor shall manage software licensing and hardware inventory.
The Contractor shall develop and document procedures for administration that meet requirements and adhere to defined policies and procedures.
The Contractor shall maintain IP addressing schemes, router configurations, routing tables, VPN configurations, IPV6 allocations, etc.
The Contractor shall manage user accounts as needed for access and maintaining network
resources (e.g., logon user ID and password maintenance).
The Contractor shall maintain and provide audit information including, but not limited to, access, general logs, and application logs in accordance with DOT security policies.
The Contractor shall ensure that network administration activities are coordinated through defined change management processes.
The Contractor shall prepare order-ready, turnkey configurations (e.g., including, but not be limited to, all system/component cables).
The Contractor shall document router configuration files and IP addressing schemas.
The Contractor shall provide capacity-planning assistance to develop network resource requirements projections.
The Contractor shall monitor and report the performance of public carriers (and other third parties) to meet defined schedules, project plans, and services to meet business needs/service levels.
The Contractor shall interact with public carriers (and other third parties) to troubleshoot circuit problems.
The Contractor shall ensure that all new circuits, devices, and software provisioned are updated in the configuration management system.
The Contractor will be responsible for Security Operations to include:
The Contractor shall provide security operations services, providing a full spectrum of integrated services for monitoring network and security activity throughout the ITSS environment.
This center will draw upon the most current tools and processes essential for supporting Governmental security requirements, policies/standards, and regulatory mandates.
The Contractor shall assume operational responsibility of the ITSS Government-furnished security software, new deployments, and integrate it within its Security Operations Center and Enterprise Operations Center including Continuous Diagnostics and Mitigation tools.
The Contractor shall keep security software and appliances up-to-date with versions and patches within the timeframes directed by DOT.
The Contractor shall provide proactive and scheduled console monitoring of infrastructure and systems in read-only in near real time (e.g., hardware, network, batch schedule, interfaces, and table spaces), respond to messages, and take corrective action as required.
The Contractor shall provide dedicated security event analysts to manage sensors and monitor, review, and analyze reported security events and determine security incidents that would be reported to the Government’s Security Incident Manager, helpdesk, or other personnel.
They may include (but not be limited to) proactive and reactive actions:
Execution of countermeasures derived from IDS monitoring;
Audit-log analysis tools in support of real-time monitoring of operations;
Data collection in support of forensic analysis and incident handling procedures;
Access to all locally and remotely accessible devices in support of DOT mission-critical operations;
Develop and execute SOP for standard event types;
Close coordination with DOT incident response and emergency response centers;
Critical response team; and
DOT Computer Emergency Response Team.
The Contractor shall implement, use, and sustain a Government-furnished security suite and all Government-furnished tools in the environment for tracking compliance; and for remote support, shall implement and sustain real-time data feeds and/or access as required by the SOC for security monitoring and analysis, and will provide access to archived security data for forensics and incident discovery.
The Contractor shall assist DOT in planning and executing the Security Assessment and Authorization of its critical systems in compliance with ITSS, Federal, and NIST guidelines and policies.
The Contractor shall support both the review of an information system's management, physical, and/or technical security controls; and depending on the results of the review, the authorization by management for the system to operate.
The Contractor shall conduct its services and support to provide and/or maintain system architecture to segment data and systems of different data classifications, per NIST standards and regulations.
The Contractor shall assist DOT in fully complying with all FISMA reporting requirements and other security audits.
The Contractor shall create and develop a comprehensive set of IT security-related operational policies, procedures, and guidelines that will support DOT’s mission and ensure compliance with Federal and DOT security requirements.
The Contractor shall document and make available IT
security operational policies, procedures, and guidelines in written form and on DOT’s security Web site.
The Contractor shall make security systems and information available to Government-approved personnel and provide read-only access.
The Contractor shall operate and maintain the ITSS dashboard where authorized Government personnel can view security-incident data, vulnerability data, compliance data, security reports and any other related data.
The Contractor shall implement Government-furnished security-related monitoring capability and systems to provide for collection, analysis, and archival (in accordance with DOT and OS policy) of security data from, but not limited to, system security event logs, syslogs, network devices authentication and changes, firewall and VPN logs, authentication services, DNS logs, DHCP logs, IIS and other Web server logs, URL-filtering logs, and network device data. All login, logoff, system access and changes shall be logged, and the logs maintained in a secure, tamper-proof manner for a minimum of one (1) year.
The Contractor shall provide two (2) certified forensics professionals to the DOT-led OS Incident Response Team to support incident response activity.
The Contractor shall support federal mandates, federal programs and DOT IT security projects.
The Contractor will be responsible for Security Vulnerability & Penetration to include:
The Contractor shall test the susceptibility of ITSS’s network hosts to a specific attack or suite of attacks targeting all DOT Internet and Intranet address space using automated and custom methods.
The Contractor shall adhere to ITSS policies for security vulnerability and penetration testing.
The Contractor shall conduct periodic security vulnerability scans and penetration testing based on industry standards.
The Contractor shall allow and support independent vulnerability and penetration services.
The Contractor shall provide reporting on testing results.
The Contractor shall develop recommendations to
improve the security posture in the ITSS environment.
The Contractor shall implement approved recommendations.
The Contractor will be responsible for Security Incident and Audit Management:
The Contractor shall implement ITSS policies for security incident management.
The Contractor shall provide initial review of security incidents (level 1) and determine whether escalation to DOT Information Security (level 2, 3 support) is warranted. If so, information shall be passed within standards.
The Contractor shall identify and coordinate the removal from the network of any PC virus/worm-infected system.
The Contractor shall identify and provide countermeasures for virus/worm attacks.
The Contractor shall ensure that qualified personnel are available for security audits and provide requisite technical expertise during security audits.
The Contractor shall collect and review all incidents reported by all other security services (e.g., NIDS, HIDS, penetration testing, and firewall).
The Contractor shall maintain a central repository of log files in accordance with DOT policies and service levels including, but not limited to, application-specific and system-specific log files per DOT policies.
The Contractor shall provide, maintain, and update Security Logs documenting all security incidents for DOT review.
Logs shall be updated by the Contractor no more than one (1) hour after a security incident.
The Contractor shall report all intrusion attempts, whether successful or not, and the origin.
The Contractor will be responsible for Documentation to include:
The Contractor shall produce Network System Specifications and Topologies (for example, router configurations, firewall policies, routing diagrams/IP addressing tables, hardware/software listings, etc.).
The Contractor shall produce detailed Circuit Location Information (e.g., circuit ID including, but not limited to, local exchange carrier access ID, location, speed).
The Contractor shall produce detailed Firewall Documentation showing all firewall policy, group, object, etc. information.
The Contractor shall produce “As-Built” Documentation for all network devices (including, but not limited to, firewalls) that are deployed in development, test, Quality Assurance (QA), production, or other technical environments.
The Contractor shall produce any other network and security documentation requested by the Government.
The Contractor shall recommend documentation requirements and provide standard reports.
The Contractor shall produce and maintain architectural diagrams, configurations, and inventory (e.g., network routers, infrastructure, and rooms).

SUB-TASK 4.8: SYSTEMS OPERATIONS AND MAINTENANCE

The Contractor shall support all requests for system modification and/or enhancements received after the system is implemented, and classified as planned software maintenance.
The Contractor shall ensure the successful operation of the system in an accurate, efficient and timely manner.
Any necessary fine-tuning and retesting will be performed following DOT organization standards and procedures.
The Contractor shall operate and maintain the service delivery infrastructure, which may include, but not be limited to, network, storage, server, virtualization, operating system, platform and/or middleware, and application software.
The Contractor shall communicate outages, DOT-wide issues and resolutions via email and updates to designated websites.
The Contractor shall perform patch management and document the implementation of patches.
The Contractor shall provide the artifacts, security policies and procedures demonstrating its compliance with the Security Assessment and Authorization requirements.
The Contractor shall establish and maintain systems and software configuration baseline data and documentation.
The Contractor shall implement activities that modify functionality and/or produce technical improvements to enhance software and security.
The Contractor shall monitor system execution and performance.
The Contractor shall track and report change requests (CRs) and discrepancy reports (DRs).
The Contractor shall perform incident and problem analysis and resolution.
The Contractor shall prepare, test, and execute disaster recovery procedures.
The Contractor shall analyze, compile and aggregate data to produce statistical trend analysis reports.
The Contractor shall protect data at rest and data in transit per applicable NIST encryption standards.
The Contractor shall document how their service protects data-at-rest and data-in-transit.
The Contractor shall provide database administration support to include, but not be limited to, database administrators responsible for database and data dictionary design and establishment, performance monitoring and timing, database reorganization, database backup and recovery, DBMS service utilities, DBMS software maintenance, disk-space management and software planning and evaluation.
The Contractor shall conduct design reviews.
The Contractor shall maintain maximum availability of the production systems in accordance with SLAs.
The Contractor shall assist ITSS by performing market research, identifying and defining technical requirements and specifications, and identifying and evaluating acquisition sources in support of ITSS’s capability development initiatives.
The Contractor shall conduct testing of data infrastructure components.
The Contractor shall ensure that the integration and implementation of the services and support involves, at a minimum, the following services:
Video conferencing – video communications and bridging between 2 or more parties, leveraging desktops and video conferencing suites; leverage existing investments in existing room systems and integrate with desktop access;
Instant Messaging, Desktop sharing, and Presence - collaboration and document sharing/editing; and
The Contractor shall develop a patch cycle process to guide the normal application of patches and updates to systems and to facilitate the application of standard patch releases and updates.
The Contractor shall develop, collect and review information regarding both security issues and patch releases to identify security issues and software updates that are relevant to all software and systems deployed in the DOT environment.
The Contractor shall develop, alert ITSS management and, upon DOT direction, end users of security issues or updates to the applications and systems in use.
The Contractor
shall develop and update the configuration management database as part of the patch management process.
The Contractor shall develop and oversee relationships with the key operating system, network device, and application vendors to facilitate the timely release and distribution of information on product security issues and patches.
The Contractor shall deploy patches in accordance with SLAs.
The Contractor shall immediately test, deploy, and manage configuration of emergency patches for mitigation of security incidents.
The Contractor shall consider vendor-reported criticality (e.g., high, medium, low) and the existence of a known exploit or other malicious code in recommending timing of patch releases.
The Contractor shall develop, document, and execute contingency and back-out plans for patch deployment.
The Contractor shall perform configuration control and management for operating system patches, updates, etc.
The Contractor shall communicate outages to the DOT end user community via email or via posting to the ITSS website, as directed by ITSS. Communications shall be sent or posted no more than one (1) hour after the event is recognized.
The Contractor shall perform mobile device management, utilizing the Mobile Device Management system, appropriate software and processes to manage mobile customer endpoints.
The Contractor shall support all handheld GFE mobile telephone and tablet devices (e.g., tablets, wearables, smart phones, cell phones, etc.)
regardless of manufacturer or operating system.
At the direction of the Government, the Contractor shall support personally owned mobile devices that are supported by the mobile device management system.

SUB-TASK 4.9: SYSTEMS DEPLOYMENT AND TESTING

The Contractor shall perform systems deployment and testing including requirements management, specifications development, installation and operations, reporting, documentation, integration, testing, implementation, and support.
The Contractor shall establish and execute deployment and testing processes using all applicable standards and procedures as required by the FIPSs, DOT requirements, other standards, and the DOT standards and policies.
The Contractor shall support all activities associated with the installation and operation of the production systems.
The Contractor shall develop installation test reports and the preparation of systems manuals including, but not limited to, operations and maintenance and user manuals.
The Contractor shall support installation, integration, testing and implementation of the systems developed to include, but not be limited to, all activities associated with data conversion, and data collection.
The Contractor shall design, develop, maintain, implement, and document quality electronic publications and applications using GFE.
The Contractor shall perform testing on all developed materials prior to production.
The Contractor shall participate in staff meetings and provide recommendations for solutions to design problems.
The Contractor shall maintain current supporting documentation including, but not limited to, manuals (e.g., operations, system maintenance, user and training), and plans (e.g., system integration and site implementation). The documentation shall be dynamic to be modified to take advantage of new methodologies, techniques and tools. The documentation shall follow the latest approved standards for the system.
The Contractor shall use GFE to execute this requirement.
The Contractor shall provide support to new application systems, and maintain and/or enhance existing applications to support the core ITSS mission.

SUB-TASK 4.10: SECURITY AND PRIVACY

The Contractor shall follow NIST guidelines and any DOT security policy, process, or standard provided by ITSS.
The Contractor shall enhance security of data residing in data files or during transmission, assess IT risks relating to privacy, fraud and abuse, and assess the adequacy of internal controls to eliminate and/or mitigate risks to systems.
The Contractor shall deliver and implement contingency plans to cover production system failure and recovery procedures. Procedures are developed in case of disaster or other conditions that may severely affect the provision of timely and efficient system services.
The Contractor shall conduct risk analyses and develop recommendations and implementations, plans for new procedures and changes to existing systems.
The Contractor shall execute identification and recommendation of new security related technology product versions and enhancements to existing products and services.
The Contractor shall implement testing plans for installing products within the existing DOT organization technology infrastructure.
The Contractor shall verify testing plans for installing products within the existing DOT organization technology infrastructure.
The Contractor shall conduct formal Security Assessment and Authorization (SA&A) (and any successor processes) efforts such as SA&A Documentation Preparation and SA&A Testing for both current and new systems in accordance with all standard security requirements (e.g., NIST, FISMA, and DOT Directives, etc.).
The Contractor shall conduct annual security control assessments in accordance and compliance with DOT and Federal policies and procedures.
The Contractor shall develop mitigation strategies and implement mitigation activities for risks identified for specific organizations or systems, develop security policies and procedures, and assist with implementation of these policies to support additional service elements for cyber security and privacy protection.
The Contractor shall perform privacy impact assessments, implement PII data security, execute monitoring, and develop mitigation strategies.
The Contractor shall identify potential vulnerabilities to cyber and information security using penetration testing and red teams.
The Contractor shall support technologies for identification, modeling, and predictive analysis of cyber threats.
The Contractor shall perform deep analysis of viruses, malicious code, and attack techniques and methods.
The Contractor shall not publish or disclose in any manner, without the CO’s written consent, the details of any safeguards either designed or developed by the Contractor under this award or otherwise provided by the Government.
If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the Contractor shall immediately bring the situation to the attention of the Government.
The Contractor shall safeguard any PII including, but not limited to, directory data stored in the information system in accordance with NIST SP
800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” and in accordance with M-06-16: Protection of Sensitive Agency Information, and M-07-16: Safeguarding Against and Responding to the Breach of PII.
The Contractor shall obtain an adjudicated Authorization-To-Operate at the appropriate level in collaboration with the DOT Security team and the customer before fulfillment of any ordering activity.
The Contractor shall maintain a security management environment that meets or exceeds the requirements based upon the latest edition of NIST Special Publication 800-53.
The Contractor shall adhere to all DOT and Federal Government IT security standards, policies, reporting requirements, and Government-wide laws or regulations applicable to the protection of Government-wide information security.
The Contractor shall comply with FIPS, the “Special Publications 800 series” guidelines published by NIST.
The Contractor shall create, maintain and update the following SA&A documentation:
System Security Plan (SSP) completed in agreement with NIST Special Publication 800-18, Revision 1. The SSP shall include as appendices required policies and procedures across 18 control families mandated per FIPS 200, ROB, and Interconnection Agreements (in agreement with NIST Special Publication 800-47);
Contingency Plan (including, but not limited to, Disaster Recovery Plan) completed in agreement with NIST Special Publication 800-34;
Contingency Plan Test Report completed in agreement with GSA IT Security Procedural Guide 06-29, “Contingency Plan Testing”;
POA&M completed in agreement with GSA IT Security Procedural Guide 09-44, “Plan of Action and Milestones (POA&M)”; and
Independent Penetration Test Report documenting the results of vulnerability analysis and exploitability of identified vulnerabilities.
The Contractor shall mitigate all security risks found during SA&A and continuous monitoring activities.
All high-risk vulnerabilities must be mitigated within 30 days and all moderate risk vulnerabilities must be mitigated within 90 days from the date vulnerabilities are formally identified. The Government will determine the risk rating of vulnerabilities.
The Contractor shall ensure security practices and safeguards are provided to minimize susceptibility to security issues and prevent unauthorized access.
The Contractor shall ensure security practices and policies are updated and audited regularly.
The Contractor shall comply with Federal and DOT security policies, regulations and procedures.

SUB-TASK 4.11: INTEGRATION MANAGEMENT

The Contractor shall provide integration management support for the production system implementations and transition new technologies into the Production environment. The infrastructure implementation will cover the DC Headquarters office and all DOT Regional offices nationwide.
The Contractor shall track and control production quality, defects, performance, and compliance.
The Contractor shall develop and implement a comprehensive integration management approach for ITSS programs including, but not limited to:
Developing methods for process compliance and standards management;
Developing methods to leverage and track metrics that will be used to direct operational improvements;
Developing methods to streamline change management, incident management, and program management; and
Devising and applying process maturity measures.
The Contractor shall monitor the relative change of the various aspects of the production initiatives and provide thresholds for measures that signal potential problems and anomalies.
The Contractor shall implement a project management and integration approach that reduces risk, error, and anticipated issues.
The Contractor shall track overall complexity and implementation issues as improvements are incorporated into the assessment, design, analysis, implementation, and operational phases of projects.
The Contractor shall develop
and document Lessons Learned.
The Contractor shall build in iterative improvement to establish a knowledge base to allow for faster, better integrated deployments.

SUB-TASK 4.12: PRINT SERVER MANAGEMENT

The Contractor shall evaluate, recommend, support, upgrade, troubleshoot, and remediate (e.g., from loss of service) the operations of all Print Servers (operating system, network, security) including, but not limited to, incorporating appropriate changes, processes and procedures.
The Contractor shall coordinate, at the direction of the Government during Transition, with other Contractors to support and ensure a seamless transfer of responsibilities and functions that support the management and maintenance of file and print servers.
The Contractor shall support the file and print server operating system including, but not limited to, routing, switching and security (e.g., firewalls, ports, access).
The Contractor shall install printer drivers and updates to individual end user workstations using GFE.
The Contractor shall perform lifecycle management for all GFE print servers. This includes installing, moving, adding, and changing print servers as directed by the Government.
The Contractor shall provide Tier 1-2 support for file and print server issues.

SUB-TASK 4.13: SERVICE OPERATIONS

The Contractor shall support Government administrators in disabling or enabling agency IP traffic on ports as desired or required by agency policy and/or require all traffic over SSL/TLS session supporting FIPS 140-2 encryption at a minimum.
The Contractor shall support S/MIME v3 and later functions (encryption and digital signature) for both messages and calendar invites/replies.
The Contractor shall support Sender Policy Framework or Domain Keys Identified Mail lookups.
The Contractor shall support message threat filtering including, but not limited to, inbound and outbound Spam, Anti-phishing, Virus and email filtering capabilities.
The Contractor shall support IPv4 and IPv6.
The Contractor shall provide a capability to Government Administrators to define and implement filtering to strip unwanted/prohibited types of attachments, types of email, or embedded code in addition to that normally administered by the Contractor.
The Contractor shall provide automatic alerting to pre-determined Government support staff in the event of service failure or degraded service.
The Contractor shall provide Government administrators with Summary Reporting and Statistics periodically (i.e., monthly or quarterly) and on-demand including, but not limited to:
Dashboard reporting on system performance;
Real-time and historical performance against SLA;
Account and Mailbox volumes;
Reporting on Utilization Statistics; and
End users approaching Mailbox Quota Limits.
The Contractor shall support, at a minimum, Government-selected web and mobile browsers including, but not limited to:
Internet Explorer;
Mozilla Firefox;
Apple Safari; and
Google Chrome.

SUB-TASK 4.14: STORAGE AND DATA MANAGEMENT OPERATIONS

The Contractor shall operate, maintain, manage, update, secure, monitor, report, and control data center storage and media regardless of form or structure.
The Contractor shall monitor and control storage performance per DOT requirements and perform tuning as required.
The Contractor shall continually work to improve storage resource efficiency.
The Contractor shall maintain data set placement and manage data catalogs.
The Contractor shall notify DOT of any data losses or potential for risk of data loss or compromise (e.g., backup failures, lost backup media, damaged backup media, operational errors, PII/PHI.
Backup media includes, but is not limited to, tapes, discs, and cloud storage.)
The Contractor shall perform data and file backups and restores per established procedures.
The Contractor shall manage file transfers and other data movement activities.
The Contractor shall provide input processing for activities such as loading third-party media (e.g., tape) and receipt and/or transmission of batch files.
The Contractor shall decommission the storage and backup environment in accordance with DOT policies and procedures.
The Contractor shall maintain a media library of DOT-approved media type and a media management system.
The Contractor shall perform quarterly and ad hoc inventories and reviews to ensure proper cataloging and quality of media (e.g., media not scratched or damaged) using Government-furnished tools.
The Contractor shall decommission media in accordance with DOT policies and procedures.
The Contractor shall manage backup media and perform backups.
The Contractor shall develop and maintain a backup schedule in accordance with DOT requirements.
The Contractor shall perform data center component backups and manage to established retention periods on a quarterly basis.
The Contractor shall provide monthly media testing for ability to recover data.
The Contractor shall ensure ongoing capability to recover archived data from media as specified (i.e., backwards compatibility of newer backup equipment).
The Contractor shall test backup media to ensure incremental and full recovery of data is possible and ensure data center component integrity, as required or requested by DOT.
The Contractor shall test end-to-end system recovery process and remediate flaws.
The Contractor shall recover files, file system or other data required from backup media, as required or requested by DOT.
The Contractor shall provide full backup, files or other data on media (e.g., tape, optical disk) as requested and approved by DOT.
The Contractor shall maintain off site backups and support data replication
to the Government-designated Disaster Recovery site for requested applications. The Government will provide a location for off-site backups, but the Contractor shall ensure that off-site backups occur properly.
The Contractor shall manage DOT storage area networks, network-attached storage and other storage capabilities.
The Contractor shall participate in change control meetings with the DOT ITSS CCB.
The Contractor shall perform capacity assessment and monitoring and submit weekly reports to the Government on the results of the assessment and monitoring and any action plans required to resolve capacity problems or limitations.
The Contractor shall conduct capacity planning and performance tuning as required to make timely recommendations to DOT for acquiring infrastructure.
The Contractor shall maintain any products, standards, baselines, tools, equipment, solutions, access levels, and processes that result from the Continuous Diagnostics and Mitigation (CDM) work.
The Contractor shall manage all storage acquired by or allocated to the DOT CISO systems and provide services to include, but not limited to, installation and configuration, patching and account management, storage configuration maintenance, backup and recovery solutions and processes, capacity planning and management, vendor engagement and support, problem management and resolution.
The Contractor shall document and maintain procedures, monitor and control storage systems and performance, manage file transfers and other data movement activities, perform backups and restores, perform backup audits and adhere to all DOT policies.
The Contractor shall install, configure, maintain, and support a system to securely transfer files from outside the DOT network to inside DOT via an SFTP solution or another alternative suggested by the Contractor and approved by the Government.

SUB-TASK 4.15: DATABASE ADMINISTRATION
The Contractor shall install, configure, maintain, and support database system software to support the normal business operation of DOT applications and other software components associated with databases.
The Contractor shall participate in change control meetings with the DOT ITSS CCB. The Contractor shall perform database refreshes or clones upon request.
The Contractor shall support data import or export requests as required.
The Contractor shall create copies of data or databases as requested.
The Contractor shall create and maintain database links.
The Contractor shall plan table space reorganizations.
The Contractor shall execute table space reorganizations on a scheduled basis.
The Contractor shall monitor and manage database space (add data files as needed).
The Contractor shall maintain database inventory.
The Contractor shall create database indexes as requested by DOT.
The Contractor shall create and manage database and metadata profiles.
The Contractor shall manage database security and permissions.
The Contractor shall support database User ID administration.
The Contractor shall implement database security per design.
The Contractor shall configure and manage database audit profiles.
The Contractor shall recommend and perform database streaming and replication procedures.
The Contractor shall provide security administration including, but not limited to, service requests, managing role and end user database permissions in accordance with DOT policies.
The Contractor shall perform database restores or recovery from export dumps or backups, archived logs or SAN.
The Contractor shall create/refresh development/test/staging databases from production data.
The Contractor shall define and execute database creation, configuration, upgrades, patches and refresh.
The Contractor shall recommend and implement all operating system and database tuning and changes.
The Contractor shall execute all database system level changes (e.g., initialization parameters).
The Contractor shall execute all schema changes for all instances and allow for rollback of data.
The Contractor shall define and provide database data definition requirements for applications (e.g., IMAC for tables, triggers, attributes).
The Contractor shall execute database data definition requirements for applications (e.g., tables, triggers, attributes).
The Contractor shall maintain documentation for all database instance parameters and system settings.
The Contractor shall maintain consistent database parameters and system settings across all like instances in accordance with DOT-approved development.
The Contractor shall execute database data definitions for applications and developer schemas.
The Contractor shall define and execute database startup, shutdown, performance monitoring and tuning scripts, and keep database running at optimal performance for the required workload.
The Contractor shall implement and administer appropriate database management tools across all database instances.
The Contractor shall perform appropriate database sizing activities and interface with third parties as required.
The Contractor shall proactively identify and remediate bottlenecks (e.g., locking conflicts, latch contention, rollback requirements) for all database instances.
The Contractor shall resolve locking conflicts, latch contention, rollback requirements, problematic SQL/processes etc. for all database instances.
The Contractor shall provide technical assistance and subject matter expertise to DOT applications developers and third-party vendor support.
The Contractor shall proactively monitor databases and open service desk trouble tickets for database problems.
The Contractor shall open, track, and manage to resolution all database incidents and problems.
The Contractor shall import new versions of database code components supplied by application support and allow for rollback of data.
The Contractor shall patch database software as needed in accordance with established development to QA to production life cycle, and provide one annual new version release update and unlimited minor patches and emergency releases, as necessary.
The Contractor shall manage database communication software configuration, installation and maintenance.
The Contractor shall perform database storage management.
The Contractor shall define database backup policies, schedules, retention periods, levels (i.e., full, incremental, or differential) in accordance with DOT policy.
The Contractor shall execute DOT database backup and recovery policies.
The Contractor shall perform performance testing, database tuning, and threshold activities for both ongoing and project work.
The Contractor shall collaborate with DOT in penetration test activities and perform database tuning to mitigate security risks identified in penetration test activities.
The Contractor shall continuously operate tools to determine and validate database integrity.
The Contractor shall submit and coordinate all changes through the approved change management process.
The Contractor shall conduct testing of all database changes before implementing them in the production environment.
All testing must be documented prior to production release.

SUB-TASK 4.16: MIDDLEWARE ADMINISTRATION
The Contractor shall operate, maintain, manage, secure, administer, monitor, control, and report on DOT middleware software that acts as a bridge between an operating system or database and applications.
The Contractor shall participate in change control meetings with the DOT ITSS CCB. The Contractor shall implement middleware infrastructure level configurations.
The Contractor shall create, alter and delete application object changes.
The Contractor shall establish and maintain infrastructure level configuration and system parameters in a consistent manner across like environments.
The Contractor shall execute processes for the proper maintenance and functioning of middleware systems (e.g., load balancing, tuning, configuration management).
The Contractor shall execute middleware creation, upgrade and refresh.
The Contractor shall execute all middleware system-level changes (e.g., initialization parameters) associated with underlying data center infrastructure.
The Contractor shall execute all object changes for all instances.
The Contractor shall maintain consistent middleware parameters and system settings across all like instances per established development to QA to production life cycle.
The Contractor shall implement and administer appropriate middleware management tools across all middleware instances.
The Contractor shall patch middleware software as needed, per established development to QA to production life cycle.
The Contractor shall provide middleware communication software configuration, installation and maintenance.

SUB-TASK 4.17: END USER ADMINISTRATION
The Contractor shall perform end user administration including managing, controlling, accessing, adding, deleting, changing, and revoking user IDs.
The Contractor shall maintain a secure environment through appropriate control of user accounts and access privileges.
The Contractor shall add, change, delete, or revoke end user IDs that access operating systems or subsystems using access control software as per established security standards.
The Contractor shall add, change, delete, or revoke end user IDs that access applications controlled by DOT, per the established security standards.
The Contractor shall establish end user ID administrative security procedures and practices to ensure that all end user IDs are authenticated (for example, encryption, minimal level, password) for operating systems and databases (excludes applications).
The Contractor shall, on a bi-weekly basis, review group membership and system level user IDs in accordance with established security guidelines and policies.
The Contractor shall, on a bi-weekly basis, review and remove end user access rights when the end user is no longer employed or job responsibilities change including, but not limited to, operating system and subsystem access per established guidelines; the Contractor shall notify DOT of all such changes in accordance with established security guidelines.
The Contractor shall, on a bi-weekly basis, review and revalidate system end user IDs in accordance with established security standards.
The Contractor shall, on a bi-weekly basis, remove application end user IDs per DOT direction.
The Contractor shall perform password resets for end users per the established security guidelines.
The Contractor shall provide and implement a process to change system default passwords where capability exists.
The Contractor shall provide audit trail for all end user ID activities for DOT systems (e.g., create, track, and delete IDs).
The Contractor shall manage and maintain system accounts.
The Contractor shall create End User ID Administration Processes and Standard Operating Procedures as new applications are introduced into the DOT environment.

SUB-TASK 4.18: REMOTE MANAGEMENT & ACCESS OPERATIONS
The Contractor shall do the following in support of Remote Management:
Remote Management includes the use of tools and utilities to remotely manage and administer infrastructure and end user devices. These include remote desktop services and tools, Out of Band Management (OBM) technologies, and other configuration management tools. The Contractor shall utilize, operate, maintain, configure, secure, support, and update the Government-furnished remote management tools and utilities and report on utilization of remote management capabilities. The Contractor shall diagnose incidents and problems using remote management capabilities and, when possible, implement corrective actions to resolve the incident or problem. If a resolution is not possible, the Contractor shall escalate per escalation procedures.
The Contractor shall perform remote management services for DOT personnel located at DOT locations (per Attachment J), other user locations.
The Contractor shall utilize remote management tools to manage and enforce compliance with configuration management standards.
The Contractor shall utilize remote management tools to manage and update desktop system software, and to maintain configuration and inventory information.
The Contractor shall coordinate deskside support for those incidents and problems that cannot be resolved through remote management.
The Contractor shall report monthly on remote management usage and statistics.
The Contractor shall do the following in support of Remote Access:
Remote Access includes tools and systems which allow for end users to work remotely from GFE or other Government approved methods. This includes, but is not limited to, Virtual Private Network (VPN) and Virtual Desktop Infrastructure (VDI).
The Contractor shall install, test, utilize, and provide technical support, administration, and security administration for remote access hardware and software.
The Contractor shall provide testing support for DOT systems using the Internet and other applications used for remote access.
The Contractor shall develop and maintain SOPs and user guides for remote access procedures.
The Contractor shall manage remote access infrastructure services to meet OMB standards (e.g., two-factor authentication).
The Contractor shall provide technical assistance and subject matter expertise as required by DOT for remote access products and solutions.
The Contractor shall perform system or component configuration changes necessary to support remote access services. The Contractor shall support two-factor authentication and maintain two-factor level 5 for all administrative personnel.
The Contractor shall perform VPN and VDI (or equivalent) software upgrades and patch maintenance.
The Contractor shall provide VPN and VDI (or equivalent) policy management from initial establishment to ongoing analysis, enforcement, and adjustments.
The Contractor shall support two-factor authentication for remote access VPN and VDI (or equivalent) service.
The Contractor shall support remote access services for DOT personnel in remote and home locations.
The Contractor shall support multiple remote access services including, but not limited to, VPN and VDI. The Contractor shall support remote access service for DOT personnel and Contractors using PIV II badges and future technologies.
The Contractor shall maintain all supporting technologies associated with Remote Access to include, but not limited to, VDI and VPN Hardware and Software, User Profiles, Application Virtualization tools, monitoring and reporting tools.

SUB-TASK 4.19: WEB HOSTING SUPPORT
The Contractor shall provide hosting operations support for Web middleware application components.
The Contractor shall install, configure, and support Web hosting infrastructure components (e.g., hardened servers, middleware, SSL certificates).
The Contractor shall provide a single point of contact for the coordination and support of key Web hosting infrastructure components (e.g., load balancing, DMZ infrastructure, middleware, firewall).
The Contractor shall manage web proxy services including, but not limited to, user support, administration, and management.
The Contractor shall assist in the development of architecture and design of the web hosting environment (e.g., performance tuning, security).
The Contractor shall assist with deploying and supporting web hosting hardware and software.
The Contractor shall support non-functional compliance and performance testing and security assessments.

SUB-TASK 4.20: IT SERVICE CONTINUITY AND DISASTER RECOVERY (DR) SUPPORT
The Contractor shall assess, recommend, notify, develop, plan, implement, track, report, and execute data center disaster recovery needs and plans.
The Contractor shall continually assess the Continuity of Operations and DR readiness for IT operations and make recommendations to ITSS for infrastructure improvements that will minimize risk of failures and increase availability.
The Contractor shall recommend solutions including, but not limited to, best practices for IT service continuity and disaster recovery services strategies, policies and procedures.
The Contractor shall notify designated DOT and third-party contacts when a DR event occurs as required to resolve the DR event.
The Contractor shall develop, maintain, and implement a detailed DR Plan to meet DOT IT service continuity and disaster recovery requirements. The DR Plan shall include, but not be limited to, plans for the specific technical solution (e.g. hardware, software, network, back up method, recovery method, third-party connectivity and communication) and procedures to be used for recovering DOT systems within established recovery requirement timeframes after a disaster affects DOT use of the services.
The Contractor shall define and implement data (e.g., file system, database, flat files, etc.) replication, backup and retention procedures.
The Contractor shall establish and implement processes to ensure DR plans are kept up-to-date and reflect changes in the DOT environment.
The Contractor shall execute DR test (including random test) requirements.
The Contractor shall perform scheduled DR tests per DOT requirements and notify DOT of any deficiencies in Contractor’s ability to successfully provide the DR services per the DR plan.
The Contractor shall coordinate involvement of all actual DR test participants (e.g., DOT, third parties, and end users).
The Contractor shall track and report DR test results to DOT within thirty (30) calendar days following test completion.
The Contractor shall develop action plan to address DR testing results.
The Contractor shall implement action plans and provide ongoing status until completion.
The Contractor shall develop, execute, and report on table-top DR exercises.
The Contractor shall activate and execute the DR plan in the event of a DR situation and notify DOT and third parties per DR policies and procedures.
The Contractor shall coordinate with DOT and third parties during a DR situation per DR policies and procedures.
The Contractor shall implement the DR plan and conduct activities required to recover services per the DR plan.
The Contractor shall participate in the quarterly DR status review meeting to include, but not be limited to, review of DR strategy, technical enhancements to the DR plan and DR plan changes based on changes in the production environment.

SUB-TASK 4.21: SERVER OPERATIONS
The Contractor shall perform day-to-day management of the Government-provided server environment, and effectively and efficiently performing procedures to ensure services meet regulatory requirements.
The Contractor shall recommend and implement distributed server strategy, policies, architecture, standards, and requirements.
The Contractor shall participate in change control meetings with the DOT ITSS CCB. The Contractor shall coordinate with application server groups (e.g., database access and rights, application ACL).
The Contractor shall monitor, operate, maintain, and support operating systems installed on servers.
The Contractor shall install new servers, upgrade, troubleshoot, repair, and/or rebuild existing servers.
The Contractor shall implement virtualized server technologies where so requested by the Government.
The Contractor shall actively monitor software release of new patches or upgrades from original equipment manufacturers and notify DOT personnel within two (12) hours of release.
The Contractor shall determine whether the patch or upgrade is necessary, obtain DOT approval and direction on release, test prior to release unless otherwise directed, and implement the patch or upgrade.
The Contractor shall schedule downtime and plan such that end users are notified well in advance to avoid or mitigate inconveniences in accordance with the Government-approved configuration management process.
The Contractor shall provide a combination of hypervisor (VMware and/or Hyper-V), Windows and Linux server administration support including installation, configuration and securing of the operating system according to DOT gold images or approved baselines.
The Contractor shall maintain the operating system, including patching and necessary configuration changes, local account management, and facilitating AD account management for cybersecurity users/personnel. The Contractor shall maintain PKI management for associated systems including the acquisition, provisioning/installation, and maintenance of necessary digital certificates in accordance with Federal and DOT standards and policies.
The Contractor shall document and maintain procedures that meet DOT regulations, policies, and contractor obligations.
The Contractor shall provide vendor coordination for issues and problem resolution; engaging, supporting, and ensuring that all systems within purview are appropriately backed up; and other server administration duties as may be expected or common within the ITSS service delivery description.
The Contractor shall provision, manage, administer, patch, and maintain servers, including file and print servers.
The Contractor shall maintain any products, standards, baselines, tools, equipment, solutions, access levels, and processes that result from the Continuous Diagnostics and Mitigation (CDM) work. The Contractor shall conduct physical and virtual Server Builds, Application Installation and Configuration Set-up, Base Server Administration Activities (Production and Development Environments), Administration of User Accounts, Media Services, and Domain Access (FTP, etc.), Server and Application Monitoring & Reporting, management of DNS/DHCP/IP Services, and maintenance of Server diagrams and documentation.

SUB-TASK 4.22: BACKUP AND RECOVERY
The Contractor shall execute backup and recovery services for all systems located at the data center.
The Contractor shall participate in change control meetings with the DOT ITSS CCB. The Contractor shall perform server backups as per the Government-approved schedule.
The Contractor shall implement and follow DOT operational standards for storage and data management and adhere to DOT regulations, policies, and procedures.
The Contractor shall provide skilled personnel for backup and storage services (e.g., RAID array, SAN, NAS, tape, optical, etc.) in headquarters and regional office locations.
The Contractor shall monitor and control storage performance per manufacturer technical specifications and storage and data management policies.
The Contractor shall perform capacity assessment and monitoring.
The Contractor shall conduct capacity planning and performance tuning as required to make timely recommendations to DOT for acquiring infrastructure.
The Contractor shall perform data and file backups and restores per established procedures and service levels. The Contractor shall comply with requirements set forth by the DOT Task Managers which will support ITSS and other OAs supported by the COE, which may vary by system.
The Contractor shall perform tests of all backups and restorations every month, with the results provided to DOT and assigned stakeholders via a Dashboard. Status of backups’ success or failure is to be made available within one (1) day and via a Backup Monthly Report. The status must include the backup that failed, the impact, and the remediation plan.
The Contractor shall perform a test load to ensure proper functioning of backup scripts at each configuration change.
The Contractor shall manage file transfers and other data movement activities.
The Contractor shall provide input processing for activities such as loading third-party media (e.g., tape) and receipt and/or transmission of batch files.
The Contractor shall manage consumables, such as tape, disks, etc., in support of the backup requirements, and coordinate acquisition of additional reimbursable materials as directed by the Government.
The Contractor shall maintain a media library and management system including, but not limited to, third-party media.
The Contractor shall perform periodic, simulated restores for all backed-up file services.
The Contractor shall perform periodic audits to ensure proper cataloging of media.
The Contractor shall provide support for data-at-rest encryption and recommend solutions for encryption to mobile media (such as backup tapes) where sensitive information is at its most vulnerable state.
The Contractor shall propose storage improvements and manage the growth and availability of storage.

SUB-TASK 4.23: EMAIL AND MOBILE DEVICE MANAGEMENT
The Contractor shall utilize, operate, maintain, configure, customize, support, monitor and update the GFE Email System (Currently Microsoft O365) and Mobile Device Management System (MDM – Currently GOOD for Enterprise) and any successor systems. The Contractor shall advise the Government regarding needed changes to the Email and MDM systems. The Contractor shall provide skilled personnel for Email and MDM management in DOT headquarters.
The Contractor shall participate in change control meetings with the DOT ITSS CCB. The Contractor shall monitor, operate, maintain, and support the servers that support Email and MDM.
The Contractor shall actively monitor software release of new patches or upgrades from the Email and MDM support vendors and notify DOT personnel within two (12) hours of release.
The Contractor shall determine whether the released patches or upgrades are necessary, obtain DOT approval and direction on release, test prior to release unless otherwise directed, and implement the patch or upgrade.
The Contractor shall schedule downtime, if necessary, and plan such that end users are notified well in advance to avoid or mitigate inconveniences in accordance with the Government-approved configuration management process.
The Contractor shall implement and follow DOT operational standards for email maintenance retention and adhere to DOT regulations, policies, and procedures.
The Contractor shall perform capacity assessment and monitoring for the Email and MDM systems. The Contractor shall perform periodic audits to ensure proper archiving of Email data.
The Contractor shall propose Email and MDM improvements and manage the growth and availability of these systems.

SUB-TASK 4.24: CLOUD ENVIRONMENT MANAGEMENT
The Contractor shall utilize, operate, maintain, configure, customize, support, monitor and update the DOT ITSS Cloud environment (Currently Microsoft Azure and Amazon Web Services) and any successor systems or future cloud environments. The Contractor shall advise the Government regarding needed changes to the Cloud environment. The Contractor shall provide skilled personnel at DOT Headquarters for managing the DOT ITSS Cloud environment.
The Contractor shall participate in change control meetings with the DOT ITSS CCB. The Contractor shall monitor, maintain, and support the infrastructure that supports the DOT ITSS Cloud environment. The Contractor shall actively monitor updates and releases that impact the DOT ITSS Cloud environment. The Contractor shall implement and follow DOT operational standards for the Cloud environment and adhere to DOT regulations, policies, and procedures and security requirements. The Contractor shall perform capacity assessment for the DOT cloud environment. The Contractor shall perform periodic audits to ensure proper archiving of Cloud data. The Contractor shall propose Cloud environment improvements and expansions and manage the growth and availability of these environments. The Contractor shall implement the Cloud environment improvements and expansions if approved by the Government. The Contractor shall maintain current architecture design documents, diagrams and standard operating procedures for the Cloud environment. The Contractor shall assist with performing Cloud ATO Facilitation if necessary. The Contractor shall provide recommendations for Cloud governance creation and administration, and will execute the recommendations if approved by the Government.
The Contractor shall recommend and implement common patterns for automating infrastructure deployments and integrating with existing and future continuous integration/continuous deployment strategies. The solution shall be repeatable, secure, and scalable. The Contractor shall provide strategies for highly available cloud solutions to support continuous operations.
The Contractor shall develop, document, and execute backup strategies to protect the cloud resources.
The Contractor shall develop a disaster recovery requirements plan to include restoration of the cloud infrastructure in the event of a catastrophe. The plan should include, but not be limited to, backup and restore strategy for cloud resources and services, remote access, escalation plan process, and disaster recovery procedures.
The Contractor shall identify associated risks with the cloud initiatives put forth, and provide a management process that identifies, monitors and mitigates said risks.
The Contractor shall provide a solution for service request management including a self-service interface (self-service portal and a service catalog) used by users and administrators to request configurable and consumed cloud services.
The Contractor shall provide documentation, diagrams, code artifacts, etc. to DOT staff, with opportunity for DOT to request additional documentation to fill any gaps found. DOT will own all code artifacts produced by the Contractor.
The contractor shall provide evidence on demand and as requested by the Government as specified by the Government to indicate compliance with controls specified in NIST 800-53 rev 4. The contractor shall evaluate the application of controls applied to the operating system, authentication mechanisms, databases, email, and web based services against the DOT Enterprise baseline in the application of DISA STIGs and NIST 800-53.
The contractor must report all findings of compliance, non-compliance, and conflicts in controls with recommendations for remediation in writing to the DOT. The contractor shall provide best practices and guidance on maintaining a manageable, secure, regulated, and policy compliant environment on AWS Services to include the protection of internal and external network operations (IaaS, PaaS, SaaS). Ensure security for servers and applications from threats (PaaS, SaaS). Providing data protection controls for safeguarding data (SaaS).
The contractor shall provide continuous monitoring and diagnostics feeds to include vulnerability assessments within a 24-hour cycle in a mechanism, at a frequency, and by a means as determined by the Government. The contractor shall ensure DOT instrumentation and remote scanning tools are accessible on all DOT managed endpoints (operating systems managed by DOT under IaaS) and can communicate as necessary with the DOT security infrastructure to include Big Fix relays, SCCM relays, Nessus Agents, Nessus scan engines, Micro Focus Web Inspect, DB Protect, and any other DOT operated security assessment tools. The contractor must ensure that the cloud provider submits to scans.
The contractor shall provide vulnerability assessments in a format approved by the government.
The contractor shall retain vulnerability assessment results for 366 days. The contractor shall receive government approval prior to changing reporting frequency or format in writing.
The contractor shall make recommendations and agree to follow the DOT Incident Response Plan (IRP) as approved by DOT.
The contractor shall agree to support and facilitate all cybersecurity incident activities as carried out by DOT within the cloud environment.
The contractor shall report any security events within one hour of an occurrence.
The contractor shall continue notification once every 30 minutes during DOT business hours to include escalations as indicated in the DOT IRP until confirmed received by DOT.
The contractor shall make an initial report of any security event that occurs outside of DOT business hours within one hour with appropriate notification escalation based on the IRP until acknowledged by DOT. If there was no acknowledgement from DOT prior to the start of the DOT business day, the contractor will follow the during DOT business hours notification process until acknowledged by DOT.
The contractor shall collect, retain, and release to DOT any and all digital forensics information to include log data, forensics images, and any other related indications of a cyber incident immediately at the direction of the DOT incident response team. The contractor shall designate specific individuals that will integrate into the DOT incident response team as a cloud expert.
The contractor shall execute an exercise within 90 days of award to demonstrate capabilities and understanding of the DOT IRP during DOT business hours as scheduled with the DOT IRP team.

Task 5: Data Center Operations

SUB-TASK 5.1: GENERAL DATA CENTER SUPPORT
The Contractor shall manage and resolve incidents and problems across all data center platforms and applications. ITSS Data Centers are present at the DOT Headquarters facility, Frederick, MD, Stennis, MS, and multiple regional offices.
The Contractor shall provide technical support for all hardware/equipment in the data center computing infrastructure.
The Contractor shall support current and future data center infrastructure system software (e.g., operating systems, utilities, databases, middleware).
The Contractor shall support data center networks (e.g., LAN, WAN connection) and related operations (e.g., procure, design, build, systems monitoring, incident diagnostics, troubleshooting, resolution and escalation, security management, and capacity planning/analysis) as required to meet service requirements.
The Contractor shall coordinate changes to the data center infrastructure, but other stakeholders will be involved in the execution as well. The Contractor shall implement infrastructure components in compliance with DOT infrastructure architecture standards and plans.
The Contractor shall tag equipment for changes and moves in accordance with DOT Change Management policies and procedures.
The Contractor shall assign physical device locations based upon power and space audits.
The Contractor shall support a Data Center Infrastructure Management toolset that is in compliance with DCOI specifications.
The Contractor shall provide input to DCOI reporting, to include utilization, PUE, and other values.
The Contractor shall coordinate facilities requirements so that they do not interrupt operations.
The Contractor shall coordinate changes to cable plant to accommodate upgrades and initiatives within the Data Center.
The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.

SUB-TASK 5.2: DATA CENTER ACCESS CONTROL

The Contractor shall comply with all data center physical and logical access requirements.
The Contractor shall comply with Government provision and decommission of badges for their employees.
The Contractor shall comply with physical security access requirements.
The Contractor shall comply with data center access lists.
The Contractor shall comply with data center access zones per DOT direction.
The Contractor shall comply with DOT Access Reports.
The Contractor shall comply with DOT standards for 24x7x365 data center access.
The Contractor shall document and maintain standard operating procedures as required for all data center facility responsibilities.

SUB-TASK 5.3: DATA CENTER OPERATIONS AND ADMINISTRATION

The Contractor shall perform operations and administration of in-scope DOT data centers including monitoring, scripting, troubleshooting, escalation, reporting, scheduling, implementation, administration, and decommissioning.
The Contractor shall provide infrastructure staff at remote data centers or field sites if requested by the Government. The remote data center or field infrastructure staff would be required to provide standard infrastructure support for server, storage, network, mail, and other infrastructure services if requested by the Government.
The Contractor shall provide proactive and scheduled console monitoring of data center infrastructure and systems (e.g., hardware, batch schedule, interfaces), respond to messages and take corrective action as required.
The Contractor shall develop and maintain standard automated scripts to perform monitoring of DOT applications and systems software.
The Contractor shall provide troubleshooting and escalation of problems in the data center computing environment.
The Contractor shall provide preventative measures, proactive monitoring and system self-healing capabilities to limit outages that impact service delivery.
The Contractor shall identify and report problems including, but not limited to, system, file, disk and application problems, and network printer servers.
The Contractor shall resolve or assist in resolving system problems and escalate to third parties and/or DOT as required.
The Contractor shall recommend standard job scheduling and execution operations procedures including, but not limited to, ETL (extract, transform and load), procedures relating to application interdependencies and rerun requirements for all processing jobs (e.g., batch jobs, file transfers to third parties).
The Contractor shall implement and manage scheduling tools for managing/automating job execution (e.g., job lists, automated job workflow processes and interdependencies).
The Contractor shall define scheduling requirements including, but not limited to, period processing (e.g., month end, quarterly, year-end) and special processing (e.g., ad hoc processing requests, blackout periods).
The Contractor shall comply with job and processing schedules.
The Contractor shall provide job and processing monitoring and scheduling (including, but not limited to, reruns), job execution, cancellations and daily metrics reporting.
The Contractor shall execute production, test and demand batch jobs on required systems per DOT approved schedules.
The Contractor shall monitor progress of scheduled jobs,
confirm job completion and identify, escalate if necessary and resolve, per procedures, jobs that do not complete successfully.
The Contractor shall provide job scheduling interface for ad hoc job submission and status.
The Contractor shall maintain database of job scheduling, contact, rerun and interdependencies.
The Contractor shall provide quality control for processing and reprocessing activities (e.g., batch reruns).
The Contractor shall perform system administration activities (e.g., Active Directory, access control, manage files and disk space, manage transactions).
The Contractor shall perform system administration changes necessary to support computing services in conformance with change management requirements.
The Contractor shall document Active Directory requirements and perform Active Directory group design.
The Contractor shall implement, configure, manage and administer Active Directory (e.g., accounts, groups and domains, replication schedules, database corruption, inter-regional issues, group policies, domain trusts, DNS registration, LDAP, and IP address ranges).
The Contractor shall decommission servers in accordance with DOT Asset Life Cycle Management process.
The Contractor shall proactively evaluate servers, identifying candidates for reduction, consolidation and virtualization.
The Contractor shall perform remote travel support services to Data Center and Field Site Locations as directed by the Government. Contractor support performing the remote travel must be U.S. Citizens with a Public Trust Background or higher. Travel will be coordinated in advance to ensure that there is no significant impact to ongoing daily operations. Travel rates will be in accordance with the Joint Travel Regulations. Hours and Level Of Effort will be submitted to the Federal Leads for approval prior to any travel coordination.
Additional coordination may be required with the Government Data Center Manager to allow access to the Stennis Data Center, and further approvals by the Stennis Data Center personnel. While on site at the Stennis Data Center, all DOT contract personnel will adhere to all Stennis Data Center rules and regulations.

SUB-TASK 5.4: DATA CENTER SECURITY

The Contractor shall maintain a secure computing environment in compliance with Federal and DOT policies.
The Contractor shall perform information security compliance, auditing, and reporting per DOT requirements.
The Contractor shall protect sensitive information, logically and physically, in storage and during transmission, against unauthorized access or modification.
The Contractor shall execute security policies and provide and operate security monitoring tools including, but not limited to, documentation demonstrating adherence to the process.
The Contractor shall utilize GFE security analysis and monitoring tools.
The Contractor shall ensure compliance with patch management policy.
The Contractor shall proactively monitor current IT security trends, threats, common exploits and security best practices and notify DOT of same.
The Contractor shall support DOT SOC program to resolve security incidents.
The Contractor shall participate in the DOT SOC program and document corrective actions.
The Contractor shall document Security Plans, Security Remediation Plans, Programs, and Security Infrastructure.
The Contractor shall maintain controlled access to the Government-designated computing areas in the data center.
The Contractor shall develop and maintain list of Contractor and DOT individuals with global security clearance, and provide reporting on what individuals have access to what locations.
The Contractor shall establish access profiles and policies for adding, changing, enabling/disabling and deleting log-on access for DOT and third parties.
The Contractor shall manage authority/privileges for end user IDs per the established
security standards.
The Contractor shall manage application infrastructure authority/privileges and periodically validate the business need of users’ access.
The Contractor shall disable terminated users (privileged and standard) or inactive accounts using automated processes, per DOT policies.
The Contractor shall monitor the events of administrative IDs for policy violations and events attempting avoidance of detection.
The Contractor shall define and maintain logging controls for user resources, in accordance with the established security standards.

Task 6: Application Hosting

SUB-TASK 6.1: APPLICATION HOSTING GENERAL TASKS

The Contractor shall be responsible for the full provisioning, engineering, operations and administration of current and emerging application hosting services.
The Contractor shall perform application migrations, builds, installation, and configuration set-up. This does not include compilation and deployment of source code.
The Contractor shall perform base server administration activities including console monitoring, BIOS, Operating System (O/S) management and network connectivity management. The Contractor will provide OS images and the Government will provide configuration requirements for the Applications.
The Contractor shall perform managed security services including monthly audits, anti-virus updates, firewall management, virtual private network (VPN) administration, host-based intrusion detection, intrusion prevention system management and any other Government or DOT mandated security instrumentation.
The Contractor shall perform 24x7x365 server monitoring and reporting (hardware and bandwidth).
The Contractor shall provide backup, restore and offsite storage services.
The Contractor shall execute migration of hardware, software, data tapes, etc., as applicable, to a different facility at DOT request and/or end of contract.
The Contractor shall provide the network capabilities for on-demand scalable bandwidth and load balancing services for DOT customers.
The Contractor shall execute administration of hosting accounts, media services, and domain access (SFTP, etc.).
The Contractor shall perform full service patch management for server, O/S, security, application, etc.
The Contractor shall provide full development, testing, and production environments, integrated with change, configuration and release management procedures.
The Contractor shall provide server and application monitoring, and reporting.
The Contractor shall provide Domain Name Server/System (DNS) and Internet Protocol (IP) services.
The Contractor shall perform life-cycle support services to include planning and analysis; requirements definition; design specifications; engineering; and availability, capacity, performance, service level monitoring, incident, problem, configuration, change, release, image, testing and account management.
The Contractor shall comply with all Federal and DOT policies and standards and regulations applicable to DOT for information systems (personnel, physical, and technical security) which includes but is not limited to regulations by FISMA, NIST, FIPS and OMB memos.
The Contractor shall permit and support third party audits (e.g., technical, management, security) approved by DOT authorized/designated personnel per the government’s direction.
The Contractor shall provide technical support for all hardware/equipment of the computing infrastructure.
The Contractor shall provide and support environmental elements (e.g., dual redundancy, power supplies, and conditioning) that meet the requirements of a Tier 3 Level facility.
The Contractor shall support applications test-to-production migration activities in accordance with the Quality Assurance Surveillance Plan (QASP) and release management guidelines.
The Contractor shall implement and coordinate all changes to the infrastructure.
The Contractor shall
create, maintain, and provide all appropriate project administration documentation including project plans, project time and cost estimates, technical specifications and proposals, design documentation, management documentation, and management reporting in a form/format that is acceptable to and approved by DOT.
The Contractor application platforms shall be certified and accredited in compliance with all Federal and DOT policies including but not limited to FISMA and OMB circulars and guidelines. The current portfolio of applications receives agency ATOs.
The Contractor shall receive, track, coordinate, and execute administrative account creation, modification, deletion, and general administration per service requests in accordance with DOT security policies and procedures.
The Contractor shall utilize DOT tools wherever furnished by the Government.
The Contractor shall host Government-furnished non-application servers and appliances when requested.
In accordance with FAR 52.227-14 DOT has unlimited rights in computer software, including source code, developed under the contract.
The Contractor shall provide for a dedicated enclave for ITSS applications, segregated from applications of other Contractor customers. The Government is not mandating a physical site; Cloud solutions will be considered.
The Contractor shall monitor systems 24x7x365.
The Contractor shall monitor and report on hardware status and system performance (e.g., CPU, memory, disk space utilization, services, selected ports and processes).
The Contractor shall utilize and implement standard DevOps best practices to increase efficiencies and improve quality of service for endpoint management.

SUB-TASK 6.2: HOSTING PLANNING AND ANALYSIS

The Contractor shall perform technical and service planning and analysis based on DOT requirements (e.g., availability, capacity, performance, backup and IT continuity, and DR services).
The Contractor shall provide recommendations for new applications, infrastructure, tools, upgrades, and services based on planning and analysis results. The Government will approve the recommended applications, infrastructure, and services.
The Contractor shall provide Quarterly Management Reports required for planning and analysis activities (e.g., utilization and capacity trend reports, rollout plans).
The Contractor shall continuously monitor technical trends through independent research, and document and report on products and services for potential DOT use as they align with DOT’s business and technology strategy.
The Contractor shall participate in technical and business planning sessions to establish standards, architecture, and project initiatives.
The Contractor shall conduct regular planning for technology refreshes and upgrades.
The Contractor shall conduct technical reviews and provide recommendations for improvements that increase efficiency and effectiveness and reduce costs per the planning and analysis results.
The Contractor shall provide quarterly cost savings options for application hosting offerings.

SUB-TASK 6.3: HOSTING REQUIREMENTS AND DESIGN

The Contractor shall conduct interviews, group workshops, and surveys to determine user performance, availability, maintainability, IT continuity, and other requirements.
The Contractor shall facilitate requirements-gathering activities (e.g., focus groups, interviews).
The periodicity of these requirements sessions will be determined by the Government.
The Contractor shall ensure requirements address DOT security policies.
The Contractor shall define Migration Acceptance Test Criteria and test criteria for configuration changes for approval by the Government.
The Contractor shall provide documented Requirements and Acceptance Test Criteria per approved requirements standards.
The Contractor shall develop, document, and maintain Technical Design Plans and Environment Configuration based on DOT design specifications standards and requirements, including IT architecture, virtualization architecture (including active-active, active-passive, load balancing or other proposed virtualization methods), function, performance, availability, maintainability, security, and IT continuity and DR requirements. The Government will approve technical design plans and environment configuration.
The Contractor shall maintain and make readily available to DOT all design specifications and requirements documentation in a form/format that is acceptable to and approved by DOT.
The Contractor shall review and coordinate design plans through coordination with the appropriate DOT technology standards group and design architects.

SUB-TASK 6.4: NETWORK HOSTING

The Contractor shall conduct periodic audits and status reporting and shall be responsible for coordinating the installation, making changes, moves, disposition of network equipment, and coordinating the cabling and disconnection services and problem resolution.
The Contractor shall perform network monitoring through systems with alerts/alarms supplemented with new or additional devices to ensure the network is operating within limits.
The Contractor shall monitor networks (including QoS) and provide status and measurements for the operational environment.
The Contractor shall execute an escalation process for alerts.
The Contractor shall use automated tools to monitor networks, to respond to problems, and perform
break/fix services (physical or logical), patch systems, provide 24x7x365 operational reporting of services availability, and proactively identify performance degradation in real time or near real time where appropriate.
The Contractor shall continuously model networks to provide performance forecasting and measure networks with automated tools to predict capacity and potential impact to applications and network topology.
The Contractor shall be responsible for coordinating the installation and removal of hardware and software, as well as making routine moves, adds, and changes. Such activities will be subject to change control procedures and require maintenance of the asset records.
The Contractor shall manage license compliance for installed software provided by the Government, and report instances of installed software not part of the standard configuration.
The Contractor shall provide a software release process for DOT and provide visibility into original equipment manufacturer (OEM) software releases.
The Contractor shall maintain IP addressing schemes, router configurations, routing tables, VPN configurations, and IPV6 allocations, etc.
The Contractor shall manage network accounts as needed for remote access and application maintenance and test.
The Contractor shall maintain and provide audit information including access, general logs, and application logs in accordance with DOT security policies.
The Contractor shall ensure that network administration activities are coordinated through defined change management processes.
The Contractor shall prepare locations and coordinate inside-plant cabling at Government facilities.
The Contractor shall accommodate access to Government-selected public carriers.
The Contractor shall ensure that all new circuits, devices, and software provisioned are updated in configuration management system.

SUB-TASK 6.5: HOSTING HARDWARE AND SOFTWARE SUPPORT

The Contractor shall be responsible for installation and configuration of all base server
and O/S software, and for any updates and patches that become available during the server’s lifetime.
The Contractor shall provide both remote and physical access to customers and authorized third parties.
The Contractor shall provide hardware break/fix and Tier 2/3 support for in-scope hardware.
The Contractor shall perform ongoing administration including management of user accounts and management of storage on the equipment provided.
The Contractor shall perform timely diagnosis and resolution of hardware and system software problems.
The Contractor shall contact the customer, as per the customer requirements, if an adverse incident is detected by system monitors.
The Contractor shall ensure OS and supported utility software is installed and configured following DOT standards.
The Contractor shall install OS upgrades and patches to versions fully supported by the Contractor and compatible with application software. Upgrades shall be done on a schedule acceptable to DOT.
The Contractor shall perform regular updates and upgrades of other DOT-provided software at times which are coordinated with the customer.
The Contractor shall implement security patches applied to DOT-provided software in a timely manner coordinated with the customer.
The Contractor shall perform mid-tier software installation and configuration to customer requirements.
The Contractor shall perform mid-tier installations of upgrades and patches to versions fully supported by the Contractor and compatible with the OS. Upgrades shall be done on a schedule acceptable to DOT. This installation service will be included at all service levels by default.
Upgrade and patching coordination will occur in one standard maintenance window.
The Contractor shall perform security implementations and apply patches to mid-tier software in a timely manner coordinated with the Customer.
The Contractor shall perform timely diagnosis and resolution of mid-tier system-level problems.
The Contractor shall support (install, configure, troubleshoot, patch, etc.) commercial software applications (including, but not limited to, those under an existing ATO) and any new software applications added to the Government’s ‘Approved Software List’ (ASL) (as provided in Attachment J) over the life of the contract due to refresh, change to base images, patches, policy change, or other DOT need. The Contractor shall support all new commercial software applications that are added to the ASL. This support shall begin immediately as the application is added to the ASL and the DML.

SUB-TASK 6.6: HOSTING BACKUP AND RESTORE

The Contractor shall administer and manage backups and restores in accordance with DOT standards and customer requirements. Backups of customer-managed applications may require additional coordination with the customer. Contractor shall utilize backup software with the capability to encrypt backups. All backups are retained for 90 calendar days unless otherwise specified by the customer or the Government.
In the event of a system problem causing loss of data, Contractor shall restore data from the most recent backup.
In the event of an accidental deletion or corruption of data by the customer, the Contractor will restore data from the customer requested backup date.
The Contractor shall perform daily incremental backups of system data and full monthly backups of system data taken offsite or to object storage at the remote site.
The Contractor shall provide an onsite backup library data which is copied across private network to an offsite library located in DOT-approved secure location.
The Contractor shall perform application data backup as coordinated with application owner. Database backups are performed only as coordinated with database administrators. Other data is backed up by default.
The Contractor shall ensure default backup retention is such that the current copy will remain in the backup system as long as it remains current. The length of time prior versions are maintained and the number of prior versions that are kept will be approved by the Government.
The Contractor shall perform restores at customer request from the most recent version of the data available on-site or offsite.
The Contractor shall purge or overwrite, degauss, destroy information or media when disposed of or used elsewhere, in accordance with DOT and Federal requirements/guidelines.
The Contractor shall implement replication between sites. A schedule of replication and the associated requirements will be determined by the Government during performance. Frequency and capacity will depend on the specific requirements of each application owner. Today there is no data replication but under EITSS the Government will require data replication.
Frequency and capacity will be determined during performance.

SUB-TASK 6.7: HOSTING CONTINUITY PLANNING AND EXECUTION

For select systems, the Contractor shall identify the facilities and platforms supporting primary essential functions and mission-essential functions necessary for continuity or restoration of in-scope services and shall complete a business impact assessment on the services in scope for this contract, per NIST SP800-34 rev1.
The Contractor shall regularly optimize all data schemas and execute all schema changes for all instances.
The Contractor shall assist in the identification of application programs and data restoration processes.
The Contractor shall define and execute procedures for providing users at DOT sites with access to required systems during disasters.
The Contractor shall review policies and procedures for providing users with access to required applications during disasters and make recommendations for their improvement.
The Contractor shall provide for data recovery of all in-scope systems, components, and applications, using the backup procedures defined by DOT policy and procedure.
The Contractor shall recommend backup and retention requirements to support and/or comply with DOT policies and Continuity of Operations (COOP)/Disaster Recovery (DR).
The Contractor shall identify restoration requirements for in-scope systems, including recovery of log files to provide recovery to the latest available checkpoint.
The Contractor shall maintain and publish DR plans and related procedures for notification and mobilization of appropriate personnel to the recovery facilities in accordance with the Department’s standards. The Contractor shall work with the Government to prioritize and sequence recovery.
The Government will approve the DR Plan.
The Contractor shall update the DR plan as requested, integrating modifications to DR plans for individual areas of service and in accordance with DOT standards.
The Contractor shall support development of special communications lines.
The Contractor shall provide DR services and facilities in accordance with the DR plan and as approved by the Government. Application owners may elect not to back up Dev and Test to the DR facility.
The Contractor shall, in accordance with the Department’s standards, procure and manage secure offsite storage of in-scope data, system software, application software, and documentation.
The Contractor shall ensure storage facilities are secure from fire, flood, and other disasters capable of destroying stored data.
The Contractor shall identify, document, and maintain a record of required in-scope system data, libraries, and databases to recover system software and the operating environment at the recovery site.
The Contractor shall create, test, and maintain restore jobs to recover all in-scope system data, libraries, and databases at the recovery site according to the DR plan.
The Contractor shall perform in-scope backups. Such backups must be sufficient to provide recovery of in-scope systems according to the schedules in the DR plan.
The Contractor shall identify and document DR success criteria.
The Contractor shall schedule in-scope DR tests in accordance with the DR plan. The tests shall simulate various disaster conditions.
The tests and test dates shall be coordinated with the other platforms in the DOT environment, allowing for the integrated testing of applications in a coordinated fashion.
The Contractor shall conduct DR testing as specified in the plan and when initiated by DOT.
The Contractor shall provide all required in-scope backup tapes and make them available at the DR facility.
The Contractor shall ensure that knowledgeable personnel from the Contractor are available to recover in-scope operations and operate the systems and applications according to the DR plan.
The Contractor shall inform all parties that must participate in a test in advance of the scheduled test.
At the conclusion of each test, Contractor shall make all in-scope systems job output and system log information, created during the test, available to DOT for problem analysis and process improvement as specified in the test plan.
The Contractor shall analyze test results of in-scope systems and system restoration utilities and conduct root cause analyses on failures.
The Contractor shall prepare and deliver a report of the test results NLT 30 calendar days after test completion including performance against defined service levels when simulating “Business As Usual” recovery, as described in the DR plan.
The Contractor shall provide recommendations and proposals for resolving operating systems failures of in-scope systems and preventing future failures.
The Contractor shall review solutions to application and application data failures.
If the test is not fully successful, the Contractor shall retest failing networks, components, and software in accordance with the DR plan. Any in-scope operations that fail a test shall be retested to the extent that test time remains available, until such failure is resolved in accordance with the DR plan.
Following testing, Contractor shall provide recommendations for modifications to the DR plan as relates to restoration of in-scope systems and operations in the event of an actual disaster.
The Contractor shall assist in the creation of retest procedures and the Government will approve retest plans.
DOT will be responsible for declaring a disaster in accordance with policy, by process and procedures, and by parameters of authorization within the DR plan.
The Contractor shall identify a hierarchy list of a minimum of three (3) contact points for DR activities for each party, including 24x7x365 telephones, email, and home phone contact information. Each designated individual shall have authority to make all decisions on his or her party’s behalf if those higher on the list are unavailable, in the event declaration of a disaster is sought by either party.
The Contractor shall manage the recovery process in accordance with the DR plan.
The Contractor shall establish the recovery environments and steps, and define them in the DR plan.
The Contractor shall manage the in-scope operating environments and provide all operating system functions in accordance with the DR plan.
The Contractor shall provide resources assigned to services for which a disaster has been declared to continue in-scope operations at the DR location during a declared disaster.
The Contractor shall re-deploy resources and responsibilities for services at a DR location to a restoration site.
The Contractor shall restore operations and records at locations where operations had been disrupted by a declared disaster. If the original location cannot be restored, Contractor shall restore operations at an alternate location.
The Contractor shall report all COOP/DR application issues to the DOT point of contact.
The Contractor shall provide a recommended infrastructure design that aligns with the Government’s requirement for Recovery Point Objective (RPO) and Recovery Time Objective (RTO).
After the Government has approved the design, the Contractor shall deliver a solution with a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) that aligns with the Government’s requirement.

SUB-TASK 6.8: HOSTING DATABASE MANAGEMENT

The Contractor shall develop, document, maintain, and implement database administration procedures that meet requirements and adhere to defined policies. Current databases include: MS Access, MS SQL Server, MySQL, Oracle.
The Contractor shall provide security administration including managing role and database permissions in accordance with DOT policies.
The Contractor shall perform database restores from export dumps or backups.
The Contractor shall create, refresh, develop, test, and QA databases from production data.
The Contractor shall execute database creation, configuration, upgrades, patches, and refreshes.
The Contractor shall execute all database system-level changes (initialization parameters).
The Contractor shall ensure all data schemas are optimal and execute all schema changes for all instances.
The Contractor shall maintain documentation for all database instance parameters and system settings.
The Contractor shall maintain consistent database parameters and system settings across all like instances; consistency must be maintained per established development to QA to production lifecycle.
The Contractor shall execute database data definitions for applications and developer schemas.
The Contractor shall define and execute database performance and tuning scripts, and keep database running at optimal performance for DOT’s workload.
The Contractor shall implement and administer appropriate database management tools across all database instances.
Performance metrics and historical data must be available for trending and reporting over a minimum of six (6) months.
The Contractor shall identify and resolve locking conflicts, latch contention, rollback requirements, etc., for all database instances.
The Contractor shall provide technical assistance and subject matter expertise to DOT application developers and third party contractor support.
The Contractor shall monitor database and generate automatic trouble tickets for problems. The Contractor shall exclusively use the Government-furnished service management system, Remedy, and any other successor system. The Contractor shall open, track, and manage to resolution all database problems.
The Contractor shall patch database software as needed per established development to QA to production lifecycle.
The Contractor shall manage database communication software configuration, installation, and maintenance.
The Contractor shall provide database storage management.
The Contractor shall execute DOT’s database backup and recovery policies.

SUB-TASK 6.9: HOSTING SECURITY

The Contractor shall follow Federal and DOT security requirements, standards, procedures, and policies including but not limited to requirements per FISMA, NIST, FIPS, and OMB memos.
The Contractor shall follow and support DOT’s Security Assessment and Authorization of its systems in compliance with ITS, Federal, and National Institute of Standards and Technology (NIST) guidelines and policies.
This shall include development of SA&A documentation.
The Contractor shall provide and implement a security plan based on security requirements, standards, procedures, policies, DOT’s Federal, state, and local requirements and risks.
The Contractor shall support both the review of information systems management, physical, and/or technical security controls, and depending on the results of the review, management authorization for the system to operate.
The Contractor shall assist DOT in fully complying with all FISMA requirements.
The Contractor shall comply with all security controls and requirements of FISMA Low, Moderate and High. The data center/hosting facility shall be FISMA High. The offeror needs to provide evidence of meeting FISMA High requirements. DOT will perform the assessment to issue the ATO after award.
The Contractor shall create and develop a comprehensive set of operational processes, procedures, and guidelines that will support DOT’s mission and ensure compliance to Federal and DOT security requirements.
The Contractor shall remain up to date with, and apply, current security trends, threats, common exploits, security policies and procedures, and best practices.
The Contractor shall meet with DOT weekly and provide a report of current threats and vulnerabilities.
The Contractor shall perform penetration testing in accordance with Government requirements. Penetration testing is performed upon request. Typically Penetration Testing occurs approximately once per year per application.
DOT intends that a Contractor-provided third party will perform penetration testing.
The Contractor shall implement physical and logical security plans consistent with DOT security policies and industry standards (e.g., ISO 27001).
The Contractor shall provide physical security and access control for Contractor’s facility.
The Contractor shall perform log-on, security-level access changes as detailed in profiles and policies for all in-scope support of hosting services.
The Contractor shall report security violations to DOT in accordance with DOT policies.
The Contractor shall work with DOT IT personnel to develop firewall rule sets, implement those rule sets, and monitor the log files, as well as the normal operation and maintenance of those firewalls. Network tools must automatically review firewall alarms and report them to the DOT IT security and network engineering teams.
The Contractor shall ensure their systems allow DOT and Contractor security personnel to enter and track security incident reports, enter service desk queue data to initiate ticketing in response to security incidents or compliance issues, and manage remediation of detected vulnerabilities by correlating scanning results against asset management data and intrusion detection system (IDS) incident reports.
The Contractor shall resolve security violations that originate outside of the hosted network(s) (e.g., denial-of-service attacks, spoofing, Web exploits) and notify DOT of any security violations or vulnerabilities to allow DOT time to report in keeping with US-CERT reporting requirements (i.e.
DOT must report potential or suspected PII incidents within 1 hour; report denial of service (DoS) incidents within 2 hours of identification).
The Contractor shall review all security patches relevant to the environment and classify the need and speed in which the security patches should be installed as defined by security policies.
The Contractor shall notify the Government within twelve (12) hours of release of a critical security patch and shall release to production within two (2) days of Government approval.
The Contractor shall maintain all documentation required for security assessments, audits, and internal control and control testing and permit DOT and third party review.
The Contractor shall maintain a security awareness program and, where applicable, comply with DOT’s security awareness program.
For remote support, Contractor shall implement and sustain real time data feeds and/or access as required by the DOT Security Operations Center (SOC) or the Department of Homeland Security (DHS) for security monitoring and analysis, and will provide access to archived security data for forensics and incident discovery.
The Contractor shall conduct its services and support to provide and maintain a system architecture to segment data and systems of different data classifications, per NIST standards and regulations. For example, high systems and data shall not co-reside on systems with low and moderate data.
High systems should be protected from the general network access via appropriate network-level controls, with high system maintenance and management separate from other systems.
The Contractor shall implement and report on security-related monitoring capability and systems to provide for the collection, analysis, and archival (six (6) months minimum) of security data from but not limited to Microsoft Windows-based system security event logs, Unix syslogs, network devices authentication and changes, firewall and VPN logs, authentication service, domain name server (DNS) logs, dynamic host control protocol (DHCP) logs, IIS and other Web server logs, WebSense (or other URL-filtering) logs, and network device data. All login, logoff, system access, and changes shall be logged and logs maintained in a secure, tamper-proof manner for a minimum of one (1) year.
The Contractor shall, at a minimum, follow NIST Special Publication 800-53 – “Recommended Security Controls for Federal Information Systems” and DOT requirements for securing DOT platforms and applications.
The Contractor shall develop procedures and standards for preventing exfiltration of data.
The Contractor shall provide intrusion and exfiltration detection services and reporting.
The Contractor shall allow for independent verification and validation of intrusion and exfiltration detection services.
The Contractor shall implement and/or support exfiltration prevention systems.
The Contractor shall participate in Security Incident Response Conference Calls with the Government and other Contractors in the event of any critical security incident as deemed appropriate by the Government on a 24x7x365 basis.
The Contractor shall participate in such conference calls for whatever duration is required and shall have access to systems and component status for those elements of the infrastructure that are specific to their area of responsibility.
The Contractor shall be available to attend such Security Incident Response
Conference Calls after Email or phone request by the Government and shall have access to systems and component status at that time.
The Contractor shall support Identity and Access Management (IAM) to control access to services and resources.
The Contractor shall notify ITSS representatives in writing (via email) of a security event (as defined by DOT) within thirty (30) minutes of identification of the event.
The Contractor shall push anti-virus/spyware/malware update files to all application servers no more than twenty-four (24) calendar hours after approval from DOT.
The Contractor shall serve as liaison with DOT’s Cyber Security Management Center (CSMC) and the DOT CISO’s office on all COE cyber security related incidents. The Contractor shall assist with collecting data in support of forensic analysis and incident handling procedures, to include following up with DOT and Modal Information System Security Managers (ISSM) and Officers (ISSO) and other Modal partners. The Contractor shall maintain access to all locally and remotely accessible devices in support of DOT mission-critical operations.
The Contractor shall consult with law enforcement as directed, and participate in relevant Cyber Security exercises.
The Contractor shall create and develop a comprehensive set of operational procedures, and guidelines that will support DOT mission and ensure compliance to Federal and DOT security requirements for approval by DOT COE ITSS ISSM.
The Contractor shall provide remediation response, quarantine, and remediation of compromised personal computers for security compliance.
The Contractor shall respond to alerts and advisories from the CSMC as directed within the alert or advisory.
The Contractor shall manage and maintain security services specific to collaboration systems (e.g., SPAM filtering) utilizing available technologies within the environment (IronPort).

SUB-TASK 6.10: HOSTING INITIATION

The Contractor shall conduct a Kickoff Meeting to initiate the migration process.
This meeting will set the stage for the migration, and should include all members of the project team. DOT stakeholders must be included to ensure they understand the scope, duration, resources, and to discuss the success factors and the success criteria that will be used at the end of the entire migration process.
The Contractor shall gather technical discovery data to inform migration planning. Discovery shall be conducted through interviews, data calls and any other method deemed appropriate by the Contractor and approved by the Government. Data gathered shall include amounts of data to migrate, the required availability of the systems during migration, and network performance targets, at a minimum.
The Contractor shall identify user load parameters. Contractor shall consider Federal Government and Contractor use of applications, application requirements, application usage patterns, periods of heavy application usage, etc.
The Contractor shall implement trouble ticketing and issue resolution systems and processes. The Contractor shall use the GFE Service Management System which will serve as the trouble ticketing system for application migration.
The Contractor shall deliver a Migration Plan describing the process to be used for migration of applications, the resourcing to be utilized, the risks identified and mitigation plans for said risks.

SUB-TASK 6.11: DESIGN THE PRODUCTION ARCHITECTURE

The Contractor shall identify integration requirements and determine how each interdependency between the migrated applications and Contractor’s systems will be supported. The Contractor shall provide subject matter expertise to evaluate and document these integrations.
The Contractor shall evaluate the database architecture and prepare for migration. The Contractor shall specify the version level and operational information for the database core to include data currency, replication and security control.
The Contractor shall evaluate the network architecture.
The Contractor shall consider wide-area network and local-area network performance characteristics relative to the current and future positioning of server and storage assets. The Contractor shall evaluate hop counts, latency and reliability of network links, and targets for post-migration performance.
The Contractor shall document production architecture details and produce a complete architecture document that will serve in later stages as a guidebook for any migration.

SUB-TASK 6.12: DEPLOY THE ENVIRONMENT

The Contractor shall provision virtual infrastructure and provision the edge firewalls.
The Contractor shall provision storage and create the logical units on the Storage Area Network (SAN) in accordance with the architecture documents.
The Contractor shall deploy virtual machines and create individual virtual machines and attach them to their respective storage units.
The Contractor shall reconfigure the Domain Name Service (DNS) and update the name servers to resolve the newly created Virtual Machines through the network gateways.
The Contractor shall test network and server connectivity, noting performance characteristics and measuring them against the desired targets from the architecture.
The Contractor shall update the documentation with the test results and any modifications made from the initial architecture.
The Contractor shall configure directory service connectivity and implement and test the connections between the datacenter and the DOT directory service (LDAP).

SUB-TASK 6.13: INSTALL AND CONFIGURE SERVERS

The Contractor shall install server software and install and configure the application server software on the datacenter servers.
The Contractor shall implement the database architecture.
The Contractor shall configure the application servers and tools as specified, including the application of any customizations or templates.
The Contractor shall implement all integrations between the migrated application and on-premises resources.
The Contractor shall
implement and test all monitoring solutions, including SNMP services and other add-on monitoring tools.

SUB-TASK 6.14: HARDEN THE PRODUCTION ENVIRONMENT

The Contractor shall install and configure anti-virus and malware protection in accordance with Government requirements.
The Contractor shall configure database backups and implement any specific procedures or servers used to back up application data.
The Contractor shall obtain and install SSL certificates for any access secured through SSL (secure browsing or SSL VPN) and install the signed certificates. The hosting provider shall assume responsibility for the SSL certificate procurement process.
The Contractor shall establish management IDs and issue to all project team members their initial credentials for access, per their role in the project or ongoing operation.
The Contractor shall establish User IDs and load user IDs and initial passwords into the directory.

SUB-TASK 6.15: SIMULATED MIGRATION

The Contractor shall set migration date and schedule a “simulated migration” to uncover unintended results or unnoticed issues during the planning phase. The Contractor shall ensure the date is sufficiently distant from the desired final implementation/cutover date to have time to rectify problems. The Contractor shall involve the DOT stakeholders in the migration date selection. The Government will approve the final schedule.
The Contractor shall capture database backups and make complete backups of the on-premises databases that will be migrated.
The Contractor shall execute validation scripts to ensure the integrity of the backed-up databases.
The Contractor shall export application configurations and export configurations and customizations from the servers that will be migrated.
The Contractor shall import application configurations and apply the exported configurations and customizations to the target application servers.
The Contractor shall configure manual settings and apply any additional settings that did not migrate in the earlier configuration export/import.
The Contractor shall restore databases and create the databases by restoring the validated backups of production data created earlier.
The Contractor shall restart the application servers and test for integrity and access to data.
The Contractor shall run database validation jobs and run a validation of the database to ensure integrity.
The Contractor shall perform customer validation and user acceptance test (UAT) by granting a pre-selected group of test users access to the system to validate that their work environments and systems are functional.
The Contractor shall test all user access methods (Web, mobile, etc.) and locations for connectivity and performance.
The Contractor shall test authentications and test samples of all roles and authentication mechanisms for accessibility.
The Contractor shall document migration duration and metrics and document all migration steps and performance characteristics.

SUB-TASK 6.16: PRODUCTION MIGRATION

The Contractor shall formalize and execute the cutover schedule and establish and communicate a formal cutover schedule, as part of the change management process, that incorporates lessons learned from the simulated migration. The Contractor shall include the scheduling of all necessary resources from DOT.
The Government will approve the schedule.
The Contractor shall communicate changes to users and communicate the migration steps, timeline and impact to users, including instructions for day-one steps that individual users must perform to access services. Contractor shall inform users of the procedure to report issues, and train the Service Desk on the new trouble ticket types and escalation rules for migration related issues.
The Contractor shall notify users of outage for the final migration in advance and schedule downtime for the existing systems during the time required to make the move to the service.
The Contractor shall capture database backups and make complete backups of the on-premises databases that will be migrated. The Contractor shall execute validation scripts to ensure the integrity of the backed-up databases.
The Contractor shall export application configurations and export configurations and customizations from the servers that will be migrated.
The Contractor shall import application configurations and apply the exported configurations and customizations to the target application servers.
The Contractor shall migrate virtual instances from incumbent to the Contractor’s infrastructure.
The Contractor shall configure manual settings and apply any additional settings that did not migrate in the earlier configuration export/import.
The Contractor shall restore databases and create the databases by restoring the validated backups of production data created earlier.
The Contractor shall restart the application servers and test for integrity and access to data.
The Contractor shall run database validation jobs and run a validation of the database to ensure integrity.
The Contractor shall perform customer validation and UAT by granting a pre-selected group of test users access to the system to validate that their work environments and systems are functional. The Contractor shall test all user access methods (Web, mobile, etc.)
and locations for connectivity and performance.
The Contractor shall test authentications and test samples of all roles and authentication mechanisms for accessibility.
The Contractor shall document migration duration and metrics and document all migration steps and performance characteristics in the project plan.
The Contractor shall open a Migration Hotline for five (5) business days after migration and provide staff to triage and solve issues.
The Contractor shall facilitate a formal rollback/proceed decision meeting between all DOT stakeholders, including the users affected by the migration.
The Contractor shall perform the license monitoring for the production services.
The Contractor shall monitor licenses for the life of the application or the duration of the contract, whichever ends earlier.
The Contractor shall configure application monitoring and begin application and database monitoring for the production service.
The Contractor shall conduct a first formal checkpoint meeting shortly after migration to assess any large-scale issues that need additional project plans and resources. The Contractor shall recommend whether the system reached sufficient stability and productivity that is “business as usual.”
The Contractor shall archive all relevant documents, release any temporary resources assigned to the migration, and document lessons learned.
The Contractor shall identify, manage, monitor, and remediate any issues that arise during migration and shall report these issues to the Government in a weekly Status Report.

Deliverables

All deliverables identified in, but not limited to, the table below and in the PWS shall be submitted 508-compliant and in electronic draft format for the COR’s review and feedback. Final copies shall be delivered to the COR five business days after receipt of the Government’s comments. Electronic copies will be submitted in Microsoft Office format unless prior approval for another format has been obtained from the COR.
Deliverables shall be submitted as an attachment to an accompanying email describing the deliverable product and delivered to the TO COR.

ID  NAME  PWS REF.  DESCRIPTION  TIMING

1 Written Monthly Status Report
A summary of work performed in the preceding month for each task area which includes major milestones achieved or missed, deliverables, upcoming activities, and any anticipated issues that will prevent attainment of milestones and/or deliverables.
A summary of project financial status for each task area including funded amount, expended to date, funding remaining, and estimate to complete.
A summary of all deliverables submitted from task inception to date showing the date submitted, and the status of the deliverable (i.e. accepted, rejected). For rejected deliverables, the Contractor shall provide an explanation why the deliverable was rejected, the corrective action charged.
An attachment providing data, analysis, and reporting of performance against each contractual SLA; the Contractor shall include an improvement plan for any missed SLAs.
plan, and the revised delivery date.
A summary of funding status (e.g., funded amount, expended amount, planned burn percent, and actual burn percent) and burn chart (for T&M tasks only).
A summary of the personnel who performed work (i.e., charged direct labor hours) during the month by task area to include their name, job title, task area worked, labor category, and hours.
Due monthly on the first business day of each month throughout the TO POP.
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

Service Level Monitoring and Reporting Procedures
Documented SLA performance across all SLAs with any improvement results coming from Contractor action.
Monthly
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

2 SLA Performance and Improvement Results
Documented SLA performance across all SLAs with any improvement results coming from Contractor action.
Monthly
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

3 Meeting Minutes
Meeting minutes including, but not limited to, all major discussion topics, decisions, and action items.
Delivered on the following business day by close of business.
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

4 Canned, Custom, and Ad Hoc Reporting
Canned, custom, and ad hoc reporting at government direction.
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

5 Technical Design Plans and Environment Configuration
Based on DOT design specifications standards and requirements, including IT architecture, virtualization architecture including active-active, active-passive, load balancing or other proposed virtualization methods, function, performance, availability, maintainability, security, and IT continuity and DR requirements.
Quarterly and at Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

6 Design Specifications and Requirements Documentation
Design specifications and requirements documentation for application specified by the Government.
At Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

7 Availability Management Procedures
Describes processes, procedures, governance, roles and responsibilities for managing the availability of applications. Includes appropriate tools and methods that support DOT’s availability management requirements.
Quarterly and at Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

8 Forward-looking Availability Plan
Coordinates, prioritizes, and plans approved IT availability improvements.
Quarterly
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

9 Capacity Management Procedures
Documented procedures for capacity management.
Quarterly and Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

10 Capacity Impacts When Adding, Removing or Modifying Applications
Describes the impact on capacity when adding, removing, or modifying applications from the hosting environment.
Due 15 business days prior to execution of the change throughout the TO PoP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

11 Trade-Off Analysis and Business Case
Assesses impact/risk and cost of capacity changes, reflecting impact on other applications.
At Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

12 Incident Management Processes including service outages and degradations
Documented procedures for Incident Management Processes including service outages and degradations
Quarterly and at Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

13 Root Cause Analysis Document
For each Severity 1 incident resolution. The Government may also request Root Cause Analysis Documents for specific Severity 2 incidents as well.
Due in 2 business days after the incident or 2 business days after the government request
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

14 Solutions to Resolved Incidents
Solutions to resolved incidents in a central knowledge database with all information pertinent to trouble tickets including general verbiage, codes, etc.
Ongoing throughout the TO PoP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

15 Status and Resolution of Incidents
Report of all incidents and their status.
Monthly at the management meeting throughout the TO PoP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

16 Problem Management Processes
Documented procedures for problem management.
Quarterly and at Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

17 Documented and Updated Problem Management Knowledge-base
Includes information regarding problem resolution actions, activities, and status (e.g., root cause, known errors, workarounds, etc.).
Ongoing throughout the TO PoP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

18 Problem Management Reporting
Reports on existing and anticipated problems including recommended solutions and action plans for resolving the problems.
Monthly on the 1st business day of each month throughout the TO PoP
PERIODS: BASE OP1 OP2 OP3 OP4

19 Quality Plans
Describes how the Contractor will embed quality into processes and procedures.
Annually at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

20 System Security Plan
Compliant with the NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems ( ubs/800-18-Rev1/sp800-18-Rev1- final.pdf), the Federal Information Processing Standard (FIPS) 200, Recommended Security Controls for Federal Information Systems ( ips200/FIPS-200-final-march.pdf), and NIST SP 800-53 (latest revision) (), Security and Privacy Controls for Federal Information Systems and Organizations and other applicable NIST guidance.
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

21 Endpoint Engineering Technical Plan
A written top-level plan for managing the endpoint engineering effort to produce a final operational endpoint solution from initial requirements. It describes how the efforts of endpoint team (e.g., designers, test engineers, and other engineering and technical disciplines) will be integrated, monitored, and controlled during the complete life cycle.
Draft not later than (NLT) 20 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.

22 Endpoint Engineering Design and Development SOPs
Written SOPs for Endpoint Engineering Design and Development.
Draft not later than (NLT) 40 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.

23 Endpoint Technical Market Research Reports
A written document providing the results of independent research on endpoint market developments and technical trends to include recommendations on products, solutions, and services with potential use for DOT.
NLT quarterly commencing from the date of Task Order award.

24 Endpoint Solution Requirements & Acceptance Testing Criteria
A representation of endpoint solution
requirements (e.g., system requirements specifications, data models, upgrade requirements) in agreed-to formats.
Per Endpoint Engineering project as defined in the baseline project schedule.

25 Endpoint Image Build Procedures
Documented procedures for endpoint image builds that meet DOT requirements and adhere to defined policies.
Draft not later than (NLT) 40 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.

26 Endpoint Image Build Technical Specifications
A written document containing detailed technical specifications that define and support the build and testing plans for all endpoint image builds.
Draft NLT 40 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.

27 Endpoint Image Build Project Plan
A written plan providing the tasks, activities, timeline, and milestones to complete a new endpoint image project.
As new endpoint image build projects are approved by the COR.

28 Endpoint Image Builds
A notification from the Contractor to the COR that the master endpoint image as well as an endpoint image build for each DOT Operating Administration, is complete and ready for testing.
Per endpoint image build cycle; NLT 30 business days of receipt of endpoint image software.

29 Endpoint Tier 3 Trend Report
A report providing monthly Endpoint Tier 3 support trends to include, but not limited to, number of support requests; nature of support requests; DOT customer (if applicable) source of support request; mean time to resolution; top 5 support requests; and recommendations for addressing the top 5 support requests proactively.
NLT 5 business days following the conclusion of each month

30 Endpoint Patch Cycle Process
A written document describing the standard process for the endpoint patch cycle that guides the normal application of patches and updates to endpoint devices and to facilitate the application of standard patch releases and updates.
Draft NLT 40 business days after TO
award
Final NLT 5 business days after receipt of government feedback on the draft.

31 Endpoint Patch Report
A written report documenting the status of Endpoint patches. The report should include the status of Microsoft and third-party patching, including patches released, patches tested (engineering team), patches tested (3rd party independent tested), patches deployed. The report should specifically identify patches or updates released from the manufacturer but not applied and why. The Patch Report shall include a breakout of patch status by DOT Operating Administration/Mode/Customers.
NLT 5 business days following the conclusion of each month

32 Endpoint Research and Technology Innovation Report
A written report accompanied with recommendations analyzing relevant endpoint engineering and solution topics that assess their potential for meeting ITSS and DOT standards and business needs, alternative technical solutions, emerging technologies and innovations, and potential and feasibility for augmenting and/or replacing existing endpoint capabilities.
NLT 10 business days prior to the end of each calendar quarter.

33 System Security Plan
Compliant with the NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems ( ubs/800-18-Rev1/sp800-18-Rev1- final.pdf), the Federal Information Processing Standard (FIPS) 200, Recommended Security Controls for Federal Information Systems ( ips200/FIPS-200-final-march.pdf), and NIST SP 800-53 (latest revision) (), Security and Privacy Controls for Federal Information Systems and Organizations and other applicable NIST guidance.
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

34 Security Assessment Plan/Report (SAP/SAR)
Conducted by an independent assessor and consistent with NIST SP 800-53A, NIST SP 800-30 (latest revisions) and any additions or augmentations described in the DOT IS2P. The assessor will document the assessment results in the SAR.
The Contractor shall update the SAR at least annually thereafter.
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

35 Plan of Actions and Milestones (POA&M)
Plan for mitigating all security risks found during continuous monitoring and security reviews.
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

36 Contingency Plan and Contingency Plan Test
Developed in accordance with NIST SP 800-34, latest revision, DOTAR, and DOT IS2P.
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

37 Security Review
Independent security control assessment and review of all applicable security requirements are conducted at least annually and provide to the COR and/or Contracting Officer verification that the system ATO remains valid.
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

38 Standards and Procedures Manual
Addresses the implementation of contract security requirements (e.g., SOP for audit log reviews, vulnerability and patch management processes, etc.)
As required by the Government
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

39 Network System Specifications and Topologies
Network system specifications and topologies (for example, router configurations, firewall policies, routing diagrams/IP addressing tables, hardware/software listings, etc.).
Draft not later than (NLT) 120 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

40 Circuit Location Information
Circuit location information (e.g., circuit ID including, but not limited to, local exchange carrier access ID, location, speed).
Draft not later than (NLT) 120 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

41 Firewall Documentation
Detailed firewall documentation showing all firewall policy, group, object, etc.
information.
Draft not later than (NLT) 120 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

42. “As-built” Documentation
“As-built” documentation for all network devices (including, but not limited to, firewalls) that are deployed in development, test, Quality Assurance (QA), production, or other technical environments.
Draft not later than (NLT) 120 business days after TO award
Final NLT 5 business days after receipt of government feedback on the draft.
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

43. User Manuals
User manuals in the operation of the production systems as specified in Attachment J.
At Government request. [Note: Section 508 compliance required]
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

44. Lessons Learned
Lessons learned from integration efforts conducted by the Contractor.
Quarterly on January 1, April 1, July 1, October 1
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

45. Summary Reporting and Statistics
On-demand including, but not limited to:
Dashboard reporting on system performance;
Real-time and historical performance against SLA;
Account Mailbox and volumes;
Reporting on Utilization Statistics; and
End users approaching Mailbox Quota Limits.
At Government request. [Note: Section 508 compliance required]
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

46. Final User Guides, Source Code, Manuals, Drawings, Diagrams, Design Documents, Equipment Lists, and Warranty Information
Final User Guides, Source Code, Manuals, Drawings, Diagrams, Design Documents, Equipment Lists, and Warranty Information for all systems noted in Attachment J.
Prior to system delivery (Note: Section 508 compliance required)
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

47. Disaster Recovery Plan
Documented process or set of procedures to recover and protect the application portfolio in the event of a disaster.
Specifies procedures to follow in the event of a disaster.
Annually at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

48. Record of Required In-Scope System Data, Libraries, And Databases
As required to recover system software and the operating environment at the recovery site.
At Government request
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

49. Network Administration Procedures
Documented procedures for administration of network devices
Quarterly and at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

50. Database Administration Procedures
Documented procedures for database administration.
Quarterly and at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

51. Email and Mobile Device Management Administration Procedures
Documented procedures for Email and Mobile Device Management Administration Procedures
Quarterly and at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

52. Server Administration Procedures
Documented procedures for server administration.
Quarterly and at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

53. Service Management System Administration Procedures
Documented procedures for SMS administration
Quarterly and at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

54. End User ID Administration Processes and Standard Operating Procedures
End User ID Administration Processes and standard operating procedures as new applications are introduced into the DOT environment.
Quarterly [Note: Section 508 compliance required]
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

55. Security Plans, Security Remediation Plans, Programs, and Security Infrastructure.
Security plans, security remediation plans, programs, and security infrastructure for the datacenter environment and facility.
At Government request
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

56. Backup Reports
Status of backup success or failure and remediation plan to resolve the issue
Weekly report.
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

57. Physical and
Logical Security Plans
Physical and logical security plans consistent with DOT security policies and industry standards (e.g., ISO 27001).
At Government request
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

58. Software and Source Code
IAW FAR 52.227-14 DOT has unlimited rights in computer software, including source code, developed under the contract.
At Government direction
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

59. Migration Plan
Describes the process to be used for migration of applications, the resourcing to be utilized, the risks identified and mitigation plans for said risks.
Due 30 calendar days after TO award
PERIODS: BASE

60. Migration Duration, Metrics and Migration Steps
Migration duration and metrics and documented migration steps and performance characteristics.
Due 30 calendar days after TO award
PERIODS: BASE

61. Weekly Migration Status Report
Weekly report of the status of all migration efforts.
Weekly at Government direction throughout the TO POP
PERIODS: BASE OP1 OP2 OP3 OP4 OP5

Task Service Level Agreements

Endpoint Image Build Timelines
1. SLA SUMMARY
1A. TASK: Endpoint Engineering
1B. SUB-TASK: Endpoint Image Build Support
1C. SLA #: Infrastructure – SLA 1
1D. SLA NAME: Endpoint Image Build Timelines
2. SLA OVERVIEW
2A. SLA DESCRIPTION:
Contractor shall build a master endpoint image, as well as an endpoint image build DOT Operating Administration, and shall maintain the images consistent with DOT licensing and security standards. The Contractor shall complete endpoint image builds within thirty (30) business days of Contractor receipt of image software.
This SLA applies only to image builds leveraging the current operating system. The timeline includes not more than 5 business days for independent testing by the testing team. Image builds and testing by the Endpoint Engineering team shall be completed within 20 business days of receipt of requirements. The EITSS independent testing team shall have up to 5 business days to complete independent testing.
The Endpoint Engineering Team shall have the build through testing and certified as ready for deployment not later than 30 business days of receipt of requirements.
2B. RATIONALE: Timely Contractor delivery of high-quality master and DOT OA’s unique endpoint image builds is essential to ITSS success.
2C. ANTICIPATED CUSTOMER OUTCOMES: Current, up-to-date, and quality endpoint images are a core service delivery feature for ITSS and will improve customer satisfaction.
2D. PERFORMANCE WORK STATEMENT REFERENCE: Endpoint Image Build Support
2E. PERFORMANCE PERIOD: This SLA is in effect on a continuous basis without interruption throughout the Task Order Period of Performance upon Assumption of Responsibility (AOR).
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until AOR.
3B. TARGET SERVICE LEVEL OBJECTIVE:
95% of all image builds leveraging the current operating system (master and DOT OA’s unique) are ready for deployment within 30 business days of receipt of requirements.
100% of all image builds leveraging the current operating system (master and DOT OA’s unique) are ready for deployment within 45 business days of receipt of requirements.
3C. DISINCENTIVE WEIGHTING (POINTS): Failure to attain this SLA would result in a 5% reduction in the contractor’s invoice for Task 2.
4. SLA MEASUREMENT
4A. MEASUREMENT INTERVAL: The measurement interval is monthly
4B. MEASUREMENT PERIOD: The Measurement Period begins at 00:01 on the first calendar day of the month and ends at 24:00 on the last calendar day of the month.
4C. SOURCE OF MEASUREMENT DATA:
Start: COR notification to the Contractor via email that image software is ready for image build.
End: Contractor submission of a Test Results Report to the COR via email that the image build is complete (to include successful engineering and independent testing completion) and free of defects.
4D. METHOD OF MEASUREMENT: The COR will log the date and time of notification to the Contractor that image software is available for a new image build.
The Contractor will notify the COR that the image build is complete (to include successful engineering and independent testing completion) and free of defects as evidenced by submission of a final Test Results Report certifying that no image build defects exist.
4E. TIMING OF MEASUREMENT: Measurements are taken within 5 calendar days of the end of the Measurement Period.
4F. METHOD OF GOVERNMENT SURVEILLANCE: Periodic Inspection. Monthly report on SLA attainment section of the Task Order Monthly Status Report providing the total number of image builds completed, and, for each, the build start date and build completion date. The SLA attainment section shall calculate whether the SLA was achieved or not.
4G. ASSUMPTIONS/CONDITIONS:
Applies only to image builds leveraging the current operating system
Engineering Test Lab is available for image build testing.
EITSS Program Management and Task Order Integration service provider completes independent testing within their specific timeframe (i.e., 5 business days).
4H. EXCEPTIONS:
Image builds requiring a new or updated operating system.
If the Engineering Test Lab is unavailable at any point when image build testing is planned, the period of unavailability may be subtracted from the calculation.
The EITSS Program Management and Task Order Integration contractor fails to complete independent testing within their specific timeframe (i.e., 5 business days).
4I. POLICY: N/A
5. SLA CALCULATION
5A. CALCULATION: (NUMERATOR) Total Survey Image Builds Leveraging the Current Operating System (master and DOT OA’s unique) Ready for Deployment within the Target Service Level Objective ÷ (DENOMINATOR) Total Image Builds Requested * 100 = (RESULT) Service Level (%) Attained
5B. SUCCESS CRITERIA: Contractor image builds are high quality and completed within SLA-designated timeframe.
5C. DEFINITIONS: None.
6. SLA ADMINISTRATION
6A.
REPORTING FREQUENCY:
Reporting to commence upon Contract Award and continue throughout the Period of Performance.
Monthly reporting of SLA attainment in Task Order Monthly Status Report.
6B. NOTES AND COMMENTS: None.

On Schedule Delivery
1. SLA SUMMARY
1A. TASK: Management, Endpoint Engineering, Infra. Engineering, Infra. Operations, Data Center Op., Application Hosting
1B. SUB-TASK: Multiple
1C. SLA #: Infrastructure – SLA 2
1D. SLA NAME: On Schedule Delivery
2. SLA OVERVIEW
2A. SLA DESCRIPTION: This SLA measures the timely delivery of engineering projects per agreed upon and baselined project schedules based on the percentage of completed milestones by the agreed-upon due date.
2B. RATIONALE: Incentivizes the Contractor to meet project schedule commitments.
2C. ANTICIPATED CUSTOMER OUTCOMES: Timely delivery against project schedules will help ensure customer satisfaction and is critical to ITSS success.
2D. PERFORMANCE WORK STATEMENT REFERENCE: Multiple, including: TBD
2E. PERFORMANCE PERIOD: This SLA is in effect on a continuous basis without interruption throughout the Task Order Period of Performance upon Assumption of Responsibility (AOR).
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until AOR.
3B. TARGET SERVICE LEVEL OBJECTIVE:
90% of all milestones are completed by the planned completion date in the baselined schedule.
100% of all milestones are completed not later than 10 business days past the planned completion date in the baselined schedule.
3D. DISINCENTIVE: Failure to attain this SLA would result in a 2.5% reduction in the contractor’s invoice for Tasks 1 – 6.
1. Management
2. Endpoint Engineering
3. Infrastructure Engineering
4. Infrastructure Operations
5. Data Center Operations
6. Application Hosting
4. SLA MEASUREMENT
4A. MEASUREMENT INTERVAL: The measurement interval is monthly
4B. MEASUREMENT PERIOD: The Measurement Period begins at 00:01 on the first calendar day of the month and ends at 24:00 on the last calendar day of the month.
4C.
SOURCE OF MEASUREMENT DATA: CO and COR verify completion of planned milestones against contractor reported completion as reported in the Monthly Status Report.
4D. METHOD OF MEASUREMENT: The Contractor submits a SLA Report identifying schedule adherence results against project milestones. The COR verifies Contractor reporting with appropriate government technical representatives. On-Schedule Delivery means that a milestone is completed to acceptable quality standards on or before the planned due date in the baseline project schedule.
4E. TIMING OF MEASUREMENT: SLA attainment is calculated at the end of each Measurement Period (Monthly) and applies to all approved Contractor projects requiring submission of a formal project plan that is baselined by the government.
4F. METHOD OF GOVERNMENT SURVEILLANCE: Periodic Inspection. Monthly report on SLA attainment section of the Task Order Monthly Status Report providing the total number of applicable milestones from baselined project schedules and whether or not the milestone was completed satisfactorily on or before the due date. The SLA attainment section shall calculate whether the SLA was achieved or not.
4G. ASSUMPTIONS/CONDITIONS: Contractor inability to meet milestone deadlines due to government delays will require a re-baselined schedule.
4H. EXCEPTIONS: None.
4I. POLICY: N/A
5. SLA CALCULATION
5A. CALCULATION: (NUMERATOR) Number of Milestones Completed within the Target Service Level Objective ÷ (DENOMINATOR) Total Number of Milestones Planned to be Completed * 100 = (RESULT) Service Level (%) Attained
5B. SUCCESS CRITERIA: The Contractor achieves completion of milestones in approved and baselined project plans.
5C. DEFINITIONS: None.
6. SLA ADMINISTRATION
6A. REPORTING FREQUENCY:
Reporting to commence upon Contract Award and continue throughout the Period of Performance.
Monthly reporting of SLA attainment in Task Order Monthly Status Report
6B. NOTES AND COMMENTS: None.

Tier 3 Support Responsiveness
1. SLA SUMMARY
1A.
TASK: Management, Endpoint Engineering, Infra. Engineering, Infra. Operations, Data Center Op., Application Hosting
1B. SUB-TASK: Multiple
1C. SLA #: Infrastructure – SLA 3
1D. SLA NAME: Tier 3 Support Responsiveness
2. SLA OVERVIEW
2A. SLA DESCRIPTION: This SLA measures the timeliness of Contractor Tier 3 support as indicated by their acknowledgement of receipt of escalated tickets and regular updates on the status through successful resolution.
2B. RATIONALE: This SLA incentivizes effective handling of escalated tickets and regular communications with customers on the status of incident and problem resolution at the Tier 3 level.
2C. ANTICIPATED CUSTOMER OUTCOMES: Improved ITSS handling of escalated tickets and communications on resulting status resulting in enhanced customer satisfaction.
2D. PERFORMANCE WORK STATEMENT REFERENCE: Multiple, including: TBD
2E. PERFORMANCE PERIOD: This SLA is in effect on a continuous basis without interruption throughout the Task Order Period of Performance upon Assumption of Responsibility (AOR).
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until AOR.
3B. TARGET SERVICE LEVEL OBJECTIVE:
Both 95% acknowledgement of receipt of relevant tickets escalated by the Help Desk to relevant Tier III queues not later than two hours following routing to a relevant queue; and status updates within the ticket not less than every two hours through incident or problem resolution.
Both 100% acknowledgement of receipt of relevant tickets escalated by the Help Desk to relevant Tier III queues not later than four hours following routing to a relevant queue; and status updates within the ticket not less than every four hours through incident or problem resolution.
3C. DISINCENTIVE WEIGHTING (POINTS): Failure to attain this SLA would result in a 2.5% reduction in the contractor’s invoice for Tasks 1 – 6.
1. Management
2. Endpoint Engineering
3. Infrastructure Engineering
4. Infrastructure Operations
5. Data Center Operations
6. Application Hosting
4. SLA MEASUREMENT
4A.
MEASUREMENT INTERVAL: The measurement interval is monthly
4B. MEASUREMENT PERIOD: The Measurement Period begins at 00:01 on the first calendar day of the month and ends at 24:00 on the last calendar day of the month.
4C. SOURCE OF MEASUREMENT DATA: The source of measurement data is the ITSS service desk ticketing system.
4D. METHOD OF MEASUREMENT: The Contractor submits a SLA Report calculating SLA results against targets. The COR verifies Contractor reporting against data in the ITSS service desk ticketing system.
4E. TIMING OF MEASUREMENT: Measurements are taken within 5 calendar days of the end of the Measurement Period.
4F. METHOD OF GOVERNMENT SURVEILLANCE: Periodic Inspection. Monthly report on SLA attainment section of the Task Order Monthly Status Report providing the total number of relevant tickets escalated to Tier 3 and contractor performance against the SLA targets. The COR will verify Contractor reporting on SLA attainment against data in the ITSS service desk ticketing system.
4G. ASSUMPTIONS/CONDITIONS: None.
4H. EXCEPTIONS: None.
4I. POLICY: N/A
5. SLA CALCULATION
5A. CALCULATION: (NUMERATOR) Number Relevant Tickets Acknowledged and Status within the Target Service Level Objective ÷ (DENOMINATOR) Total Number of Relevant Tickets * 100 = (RESULT) Service Level (%) Attained
5B. SUCCESS CRITERIA: Contractor provides Tier 3 ticket responsiveness at desired levels to ensure customers are responded to and updated as incidents and problems are being addressed and through resolution.
5C. DEFINITIONS: None.
6. SLA ADMINISTRATION
6A. REPORTING FREQUENCY:
Reporting to commence upon Contract Award and continue throughout the Period of Performance.
Monthly reporting of SLA attainment in Task Order Monthly Status Report

Network and System Availability
1. SLA SUMMARY
1A. TASK: Infra. Engineering, Infra. Operations, Application Hosting
1B. SUB-TASK: Multiple
1C. SLA #: Infrastructure – SLA 4
1D. SLA NAME: Network and System Availability
2. SLA OVERVIEW
2A.
SLA DESCRIPTION: Measures the availability of the production network and systems.
2B. RATIONALE: Incentivizes the Service Provider to maintain a highly available network and production systems.
2C. PERFORMANCE WORK STATEMENT REFERENCE:
The Contractor shall maintain maximum availability of the production systems in accordance with SLAs
The Contractor shall maintain maximum availability of the production network in accordance with SLAs.
2D. PERFORMANCE PERIOD: This SLA is in effect on a continuous 24x7x365 basis throughout the TO POP.
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until Assumption of Responsibility (AOR)
3B. TARGET SERVICE LEVEL OBJECTIVE: 99.9%
3C. DISINCENTIVE: In the event of SLA failure in a given period 10% of the Contractor’s invoice for Task 3: Infrastructure Engineering and Task 6: Application Hosting and Task 4: Infrastructure Operations shall be deducted from the invoice for that period
4. SLA MEASUREMENT
4A. MEASUREMENT INTERVAL: The Measurement Interval is one (1) month
4B. MEASUREMENT PERIOD: The Measurement Period begins at 00:00:00 on the first day of the contract month and ends at 23:59:59 on the last day of the contract month
4C. SOURCE OF MEASUREMENT DATA: The source of measurement data is the Government’s measurement system
4D. METHOD OF MEASUREMENT: SLA attainment is measured by the Contractor utilizing existing availability measurement tools to capture and report on availability.
4E. TIMING OF MEASUREMENT: SLA attainment is calculated throughout the Measurement Period.
4F. METHOD OF GOVERNMENT SURVEILLANCE: Subject to random or planned audit by the Government or its third-party designee
4G. ASSUMPTIONS/CONDITIONS: None
4H.
EXCEPTIONS:
Downtime in response to planned maintenance at Government direction is excluded from the calculation
Downtime that results from action to address a Government security issue is excluded from the calculation
Downtime that results from a Government-directed application or database upgrade is excluded from the calculation
Downtime that results from unavailability of spare GFE is excluded from the calculation
5. SLA CALCULATION
5A. CALCULATION: (NUMERATOR) Available time ÷ (DENOMINATOR) Total time * 100 = (RESULT) Service Level (%) Attained
5B. SUCCESS CRITERIA: Available time is defined as time when the user can successfully access the network and production systems
5C. DEFINITIONS: None
6. SLA ADMINISTRATION
6A. REPORTING FREQUENCY:
Reporting planning and preparation to commence during Transition; reporting to commence at start of Option Period 1
Daily reporting of results from prior day
Weekly reporting of results from prior week
Monthly reporting of results from prior month
Quarterly reporting of results from prior quarter
Monthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting
6B. NOTES AND COMMENTS: None

Network Install, Move, Add, Change (IMAC)
1. SLA SUMMARY
1A. TASK: Endpoint Engineering, Infra. Engineering, Infra. Operations, Data Center Op., Application Hosting
1B. SUB-TASK: Multiple
1C. SLA #: Infrastructure – SLA 5
1D. SLA NAME: Network Install, Move, Add, Change
2. SLA OVERVIEW
2A. SLA DESCRIPTION: Measures the timely completion of network installs, moves, adds, and changes of hardware, software, peripherals, etc.
2B. RATIONALE: Incentivizes the Service Provider to staff their network IMAC capability with sufficient, qualified resources to effect timely resolution.
2C.
PERFORMANCE WORK STATEMENT REFERENCE: The Contractor shall perform network operations support including installation/removal, changes, moves, adds, audits, disposition of equipment, cabling and disconnection services, status reporting, environmental monitoring, operations, maintenance, and problem resolution.
2D. PERFORMANCE PERIOD: This SLA is in effect during Operating Hours
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until Assumption of Responsibility (AOR)
3B. TARGET SERVICE LEVEL OBJECTIVE:
95% in less than one (1) business day for 1-5 approved IMACs; 100% in less than two (2) business days
95% in less than three (3) business days for 6-15 approved IMACs; 100% in less than five (5) business days
95% in less than five (5) business days for 16+ approved IMACs; 100% in less than seven (7) business days
3C. DISINCENTIVE: In the event of SLA failure, 2% of the Contractor’s invoice shall be deducted for that period for the following tasks:
Task 2: Endpoint Engineering
Task 3: Infrastructure Engineering
Task 4: Infrastructure Operations
Task 5: Data Center Operations
Task 6: Application Hosting
4. SLA MEASUREMENT
4A. MEASUREMENT INTERVAL: The Measurement Interval is one (1) month
4B. MEASUREMENT PERIOD: The Measurement Period begins at 7:00:00 AM on the first day of the contract month and ends at 7:00:00 PM on the last day of the contract month
4C. SOURCE OF MEASUREMENT DATA: The source of measurement data is the GFE SMS
4D. METHOD OF MEASUREMENT: SLA attainment is measured by calculating the elapsed time from the creation of a network IMAC ticket to closure of the ticket in the GFE SMS
4E. TIMING OF MEASUREMENT: SLA attainment is calculated after the Measurement Period has expired
4F. METHOD OF GOVERNMENT SURVEILLANCE: Subject to random or planned audit by the Government or its third-party designee
4G. ASSUMPTIONS/CONDITIONS: None
4H.
EXCEPTIONS:
Tickets generated during downtime of the GFE SMS due to a network outage or network performance degradation outside the control of the Contractor are excluded from the calculation
Contacts that occur during the following periods are excluded from the Numerator and Denominator for calculation purposes:
GFE SMS downtime approved by the Government (e.g., for scheduled maintenance)
GFE SMS downtime due to events outside Contractor control and approved as such by the Government
Failure of Monitoring Tools
5. SLA CALCULATION
5A. CALCULATION: (NUMERATOR) Number of network IMACs completed in less than the Target Service Level Objective ÷ (DENOMINATOR) Total network IMACs * 100 = (RESULT) Service Level (%) Attained
5B. SUCCESS CRITERIA: A successful network IMAC is one completed in less than the Target Service Level Objective
5C. DEFINITIONS: None
6. SLA ADMINISTRATION
6A. REPORTING FREQUENCY:
Reporting planning and preparation to commence during Transition; reporting to commence at start of Option Period 1
Daily reporting of results from prior day
Weekly reporting of results from prior week
Monthly reporting of results from prior month
Quarterly reporting of results from prior quarter
Monthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting
6B. NOTES AND COMMENTS: None

Managed Security Services (Firewall)
1. SLA SUMMARY
1A. TASK: Infra. Engineering, Infra. Operations, Application Hosting
1B. SUB-TASK: Multiple
1C. SLA #: Infrastructure – SLA 6
1D. SLA NAME: Managed Security Services (Firewall)
2. SLA OVERVIEW
2A. SLA DESCRIPTION: Measures the effective management of firewalls and firewall rule sets.
2B. RATIONALE: Incentivizes the Service Provider to staff their security operations support team with sufficient qualified staff.
2C.
PERFORMANCE WORK STATEMENT REFERENCE: The Contractor shall work with DOT IT personnel to modify and maintain firewall rule sets, implement those rule sets, and monitor the log files as well as the normal operation and maintenance of those firewalls. Network tools must automatically review firewall alarms and report them to the IT security team and network engineering team.
2D. PERFORMANCE PERIOD: This SLA is in effect 24x7x365
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until Assumption of Responsibility (AOR)
3B. TARGET SERVICE LEVEL OBJECTIVE: 100% of required firewall rule sets modified and implemented within twenty-four (24) hours of request.
3C. DISINCENTIVE SERVICE LEVEL OBJECTIVE: In the event of SLA failure, 5% of the Contractor’s invoice shall be deducted for that period for the following tasks:
Task 3: Infrastructure Engineering
Task 4: Infrastructure Operations
Task 6: Application Hosting
4. SLA MEASUREMENT
4A. MEASUREMENT INTERVAL: The Measurement Interval is one (1) month
4B. MEASUREMENT PERIOD: The Measurement Period begins at 00:00:00 on the first day of the contract month and ends at 23:59:59 on the last day of the contract month
4C. SOURCE OF MEASUREMENT DATA: The source of measurement data is the GFE SMS
4D. METHOD OF MEASUREMENT: SLA attainment is measured by calculating the elapsed time from the request from DOT to closure of the associated ticket in the GFE SMS.
4E. TIMING OF MEASUREMENT: SLA attainment is calculated after the Measurement Period has expired
4F. METHOD OF GOVERNMENT SURVEILLANCE: Subject to random or planned audit by the Government or its third-party designee
4G. ASSUMPTIONS/CONDITIONS: None
4H.
EXCEPTIONS:
Tickets generated during downtime of the GFE SMS due to a network outage or network performance degradation outside the control of the Contractor are excluded from the calculation
Contacts that occur during the following periods are excluded from the Numerator and Denominator for calculation purposes:
GFE SMS downtime approved by the Government (e.g., for scheduled maintenance)
GFE SMS downtime due to events outside Contractor control and approved as such by the Government
Failure of Monitoring Tools
5. SLA CALCULATION
5A. CALCULATION: (NUMERATOR) Number of firewall rulesets modified and implemented in less than the Target Service Level Objective ÷ (DENOMINATOR) Total number of firewall rulesets modified and implemented * 100 = (RESULT) Service Level (%) Attained
5B. SUCCESS CRITERIA: A successful firewall ruleset modification and implementation is one completed in less than the Target Service Level Objective.
5C. DEFINITIONS: None
6. SLA ADMINISTRATION
6A. REPORTING FREQUENCY:
Reporting planning and preparation to commence during Transition; reporting to commence at start of Option Period 1
Daily reporting of results from prior day
Weekly reporting of results from prior week
Monthly reporting of results from prior month
Quarterly reporting of results from prior quarter
Monthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting
6B. NOTES AND COMMENTS: None

Deliverable Quality and Timeliness
1. SLA SUMMARY
1A. TASK: All
1B. SUB-TASK: All
1C. SLA #: Infrastructure – SLA 7
1D. SLA NAME: Deliverable Quality and Timeliness
2. SLA OVERVIEW
2A. SLA DESCRIPTION: Tracks and records the number of times Contractor deliverables submitted to the COR that require rework and resubmission prior to Government acceptance of the deliverable. Tracks and records the timeliness of Contractor deliverable submission against approved schedules and timelines.
2B.
RATIONALE: Incentivizes the Service Provider to produce professional, high-quality deliverables on initial delivery and to meet agreed upon timeframes for deliverable submissions.
2C. PERFORMANCE WORK STATEMENT REFERENCE: All (as documented in Section 7: TASK ORDER DELIVERABLES)
2D. PERFORMANCE PERIOD: This SLA is in effect on a continuous 24x7x365 basis throughout the TO period of performance.
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until Assumption of Responsibility (AOR)
3B. TARGET SERVICE LEVEL OBJECTIVE:
95% of the deliverables receive sign-off that they have met Government requirements for the deliverable by the second submission
100% of the deliverables receive sign-off that they have met Government requirements for the deliverable by the third submission
95% of all deliverables are received either before or on the mutually agreed due date of the deliverable.
100% of all deliverables are received no later than five (5) business days after the mutually agreed due date of the deliverable.
3C. DISINCENTIVE: Failure to attain this SLA in a given period would result in a 5% reduction in the contractor’s invoice for Tasks 1 – 6.
1. Management
2. Endpoint Engineering
3. Infrastructure Engineering
4. Infrastructure Operations
5. Data Center Operations
6. Application Hosting
4. SLA MEASUREMENT
4A. MEASUREMENT INTERVAL: The Measurement Interval is one (1) month
4B. MEASUREMENT PERIOD: The Measurement Period begins at 00:00:00 on the first day of the contract month and ends at 23:59:59 on the last day of the contract month
4C. SOURCE OF MEASUREMENT DATA: CO and COR delivery log and acceptance documents for deliverables.
4D. METHOD OF MEASUREMENT:
For Quality:
The COR logs each deliverable submitted and, for each deliverable, tracks and records the number of times Contractor deliverables submitted require rework and resubmission prior to Government acceptance of the deliverable.
The Government COR will respond via email to the Contractor not later than 15 business days after receipt of a deliverable with an accepted or unaccepted status. If the status is unacceptable, the Government will provide an explanation of the deficiencies in their response to the contractor. The Contractor shall provide a revised deliverable document not later than 5 working days after receipt of the Government response.
For Timeliness:
The COR logs the date and time of each deliverable submitted and compares it to the due dates specified in this TO PWS and subsequent baselined project schedules approved by the COR.
4E. TIMING OF MEASUREMENT: Measured weekly on an on-going basis throughout the contract period.
4F. METHOD OF GOVERNMENT SURVEILLANCE: 100 Percent Inspection. Complete inspection of all Contractor deliverables.
4G. ASSUMPTIONS/CONDITIONS: N/A
4H. EXCEPTIONS: N/A
5. SLA CALCULATION
5A. CALCULATION: (NUMERATOR) Total Deliverables accepted within the Target Service Level Objective ÷ (DENOMINATOR) Total Deliverables required = (RESULT) Service Level (%) Attained
5B. SUCCESS CRITERIA: Contractor deliverables submitted to the Government consistently meet or exceed TO requirements and require minimal to no rework and resubmission prior to Government approval.
5C. DEFINITIONS: None
6. SLA ADMINISTRATION
6A. REPORTING FREQUENCY:
Reporting planning and preparation to commence during Transition; reporting to commence at start of Option Period 1
Daily reporting of results from prior day
Weekly reporting of results from prior week
Monthly reporting of results from prior month
Quarterly reporting of results from prior quarter
Monthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting
6B. NOTES AND COMMENTS: None.

Patch Management
1. SLA SUMMARY
1A. TASK: Endpoint Engineering, Infra. Engineering, Infra. Operations, Data Center Operations, Application Hosting
1B. SUB-TASK: Multiple
1C. SLA #: Infrastructure – SLA 8
1D. SLA NAME: Patch Management
2. SLA OVERVIEW
2A.
SLA DESCRIPTION: Measures the timely application of operating system, security, network devices, servers, and application patches.
2B. RATIONALE: Incentivizes the Service Provider to execute patch management in a timely manner
2C. PERFORMANCE WORK STATEMENT REFERENCE: The Contractor shall deploy patches in accordance with SLAs.
2D. PERFORMANCE PERIOD: This SLA is in effect on a continuous 24x7x365 basis throughout the TO period of performance.
3. SERVICE LEVEL OBJECTIVE
3A. HOLD HARMLESS PERIOD: Until Assumption of Responsibility (AOR)
3B. TARGET SERVICE LEVEL OBJECTIVE:
100% of emergency patches released to production within four (4) calendar hours of approval by the Government to distribute
100% of critical patches released to production within two (2) calendar days of approval by the Government to distribute
100% of routine, non-security functionality patches released to production within fifteen (15) business days of approval by the Government to distribute
3C. DISINCENTIVE: In the event of SLA failure in a given period 3% of the Contractor’s invoice shall be deducted for that period for the following Tasks:
Task 2: Endpoint Engineering
Task 3: Infrastructure Operations
Task 4: Infrastructure Operations
Task 5: Data Center Operations
Task 6: Application Hosting
4. SLA MEASUREMENT
4A. MEASUREMENT INTERVAL: The Measurement Interval is one (1) month
4B. MEASUREMENT PERIOD: The Measurement Period begins at 00:00:00 on the first day of the contract month and ends at 23:59:59 on the last day of the contract month
4C. SOURCE OF MEASUREMENT DATA: The source of measurement data is the GFE SMS
4D. METHOD OF MEASUREMENT: SLA attainment is measured from the time the patch is approved by the Government to distribute to the time it is deployed to production
4E. TIMING OF MEASUREMENT: SLA attainment is calculated throughout the Measurement Period.
4F. METHOD OF GOVERNMENT SURVEILLANCE: Subject to random or planned audit by the Government or its third-party designee
4G. ASSUMPTIONS/CONDITIONS: None
4H. EXCEPTIONS: None
5.
SLA CALCULATION5A. CALCULATION(NUMERATOR) Timely patches ÷ (DENOMINATOR) Total patches = (RESULT) Service Level (%) AttainedResults will be reported by patch type: Emergency, Critical, Other5B. SUCCESS CRITERIATimely patches are patches deployed to production within the Target Service Level Objective.5C. DEFINITIONSNone6. SLA ADMINISTRATION6A. REPORTING FREQUENCYReport on infusion percentages daily for emergency and critical patchesReport on infusion percentages weekly for other (routine) patchesResults will be reported by patch type: Emergency, Critical, OtherReporting planning and preparation to commence during Transition; reporting to commence at start of Option Period 1Daily reporting of results from prior dayWeekly reporting of results from prior weekMonthly reporting of results from prior monthQuarterly reporting of results from prior quarterMonthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting6B. NOTES AND COMMENTSNoneApplication Availability1. SLA SUMMARY1A. TASKEndpoint EngineeringInfrastructure EngineeringInfrastructure OperationsApplication Hosting1B. SUB- TASKMultiple1C. SLA#Infrastructure – SLA 91D. SLA NAMEApplication Availability2. SLA OVERVIEW2A. SLA DESCRIPTIONMeasures the availability of the application portfolio hosted by the Contractor.2B. RATIONALEIncentivizes the Service Provider to maintain a highly available infrastructure, server, and hosting capability.2C. PERFORMANCE WORK STATEMENT REFERENCEThe Contractor shall maintain high availability of each application in accordance with SLAs.2D. PERFORMANCE PERIODThis SLA is in effect on a continuous 24x7x365 basis throughout the TO period of performance.3. SERVICE LEVEL OBJECTIVE3A. HOLD HARMLESS PERIODUntil Assumption of Responsibility (AOR)3B. TARGET SERVICE LEVEL OBJECTIVESilver = 99.9% availability Gold = 99.95% availability Platinum = 99.99% availability9144007693660003C. 
DISINCENTIVEIn the event of SLA failure in a given period 10% of the Contractor’s firm fixed price for application hosting of that specific application shall be deducted from the invoice; failure to meet SLAs for 3 or more applications in a given period results in 10% reduction of the entire invoice for that period covering all applications. This SLA applies to the following Tasks:Task 2 - Endpoint EngineeringTask 3 - Infrastructure EngineeringTask 4 - Infrastructure OperationsTask 6 - Application Hosting4. SLA MEASUREMENT4A. MEASUREMENT INTERVALThe Measurement Interval is one (1) month4B. MEASUREMENT PERIODThe Measurement Period begins at 00:00:00 on the first day of the month and ends at 23:59:59 on the last day of the month4C. SOURCE OF MEASUREMENT DATAThe source of measurement data is Contractor’s measurement system4D. METHOD OF MEASUREMENTSLA attainment is measured by the Contractor utilizing existing availability measurement tools to capture and report on availability across the portfolio of applications. Availability is measured at the application server.4E. TIMING OF MEASUREMENTSLA attainment is calculated throughout the Measurement Period.4F. METHOD OF GOVERNMENT SURVEILLANCESubject to random or planned audit by the Government or its third party designee4G. ASSUMPTIONS/ CONDITIONS1.Applications are designated as Silver, Gold, or Platinum Tier. The target SLA is defined based on the tier selected.4H. EXCEPTIONSDowntime in response to Government direction is excluded from the calculationDowntime that results from a Government-directed application or database upgrade or activity is excluded from the calculation.Downtime that results from maintenance performed by an external vendor.5. SLA CALCULATION5A. CALCULATION(NUMERATOR) Actual available time for each application ÷ (DENOMINATOR) Total time less authorized downtime = (RESULT) Service Level (%) Attained5B. 
SUCCESS CRITERIAAvailable time is defined as time when the user can successfully access the application.5C. DEFINITIONSNone6. SLA ADMINISTRATION6A. REPORTING FREQUENCYReporting of application performance will be for each specific applicationReporting to commence at Assumption of ResponsibilityReal-time reportingDaily reporting of results from prior dayWeekly reporting of results from prior weekMonthly reporting of results from prior monthQuarterly reporting of results from prior quarterMonthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting6B. NOTES AND COMMENTSNoneAnti-virus/Spyware/Malware Update1. SLA SUMMARY1A. TASKEndpoint EngineeringInfrastructure EngineeringInfrastructure OperationsApplication Hosting1B. SUB- TASKMultiple1C. SLA#Infrastructure – SLA 101D. SLA NAMEAnti-virus/Spyware/Malware Update2. SLA OVERVIEW2A. SLA DESCRIPTIONMeasures the timely push of anti-virus/spyware/malware patches to application servers.2B. RATIONALEIncentivizes the Service Provider to staff their Security Services team with sufficient qualified staff.2C. PERFORMANCE WORK STATEMENT REFERENCEThe Contractor shall push anti-virus/spyware/malware update files to all application servers no more than twenty-four (24) calendar hours after approval from DOT.2D. PERFORMANCE PERIODThis SLA is in effect 24x7x3653. SERVICE LEVEL OBJECTIVE3A. HOLD HARMLESS PERIODUntil Assumption of Responsibility (AOR)3B. TARGET SERVICE LEVEL OBJECTIVE100% of anti-virus/spyware/malware updates pushed to application servers no more than twenty-four (24) calendar hours after approval from DOT.3C. DISINCENTIVE SERVICE LEVEL OBJECTIVEFailure to meet this SLA in a given period results in 2% reduction of the entire invoice for that period. This SLA applies to the following Tasks:Task 2 – Endpoint EngineeringTask 3 – Infrastructure EngineeringTask 4 – Infrastructure OperationsTask 6 – Application Hosting4. SLA MEASUREMENT4A. 
MEASUREMENT INTERVALThe Measurement Interval is one (1) month4B. MEASUREMENT PERIODThe Measurement Period begins at 00:00:00 on the first day of the month and ends at 23:59:59 on the last day of the month4C. SOURCE OF MEASUREMENT DATAThe source of measurement data is the Contractor’s measurement system and the GFE Service Management System4D. METHOD OF MEASUREMENTSLA attainment is measured by calculating the elapsed time from the approval from DOT to closure of the associated ticket in the GFE Service Management System.4E. TIMING OF MEASUREMENTSLA attainment is calculated after the Measurement Period has expired4F. METHOD OF GOVERNMENT SURVEILLANCESubject to random or planned audit by the Government or its third party designee4G. ASSUMPTIONS/ CONDITIONSNone4H. EXCEPTIONSNone5. SLA CALCULATION5A. CALCULATION(NUMERATOR) Number of anti-virus/spyware/malware updates pushed in less than the Target Service Level Objective ÷(DENOMINATOR) Total anti-virus updates pushed * 100 = (RESULT) Service Level (%) Attained5B. SUCCESS CRITERIAA successful anti-virus/spyware/malware push is one completed in less than the Target Service Level Objective.5C. DEFINITIONSNone6. SLA ADMINISTRATION6A. REPORTING FREQUENCYReporting to commence at Assumption of ResponsibilityDaily reporting of results from prior dayWeekly reporting of results from prior weekMonthly reporting of results from prior monthQuarterly reporting of results from prior quarterMonthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting6B. NOTES AND COMMENTSNoneAdministrative Account Disablement 1. SLA SUMMARY1A. TASKInfrastructure OperationsData Center OperationsApplication Hosting1B. SUB-TASK Multiple1C. SLA# Infrastructure – SLA 111D. SLANAMEAdministrative Account Disablement 2. SLA OVERVIEW2A. SLA DESCRIPTIONMeasures the Contractor’s timely disablement of administrative accounts. 2B. 
RATIONALEIncentivizes the Service Provider to provide sufficient staff to disable administrative accounts in a timely manner. 2C. PERFORMANCE WORK STATEMENT REFERENCE The Contractor shall receive, track, coordinate, and execute administrative account creation, modification, deletion, and general administration per service requests in accordance with DOT security policies and procedures. 2D. PERFORMANCE PERIODThis SLA is in effect on a continuous 24x7x365 basis throughout the TO POP. 3. SERVICE LEVEL OBJECTIVE3A. HOLD HARMLESS PERIODUntil Assumption of Responsibility (AOR) 3B. TARGET SERVICE LEVEL OBJECTIVE95% of approved requests fulfilled in less than one (1) calendar hour 100% of approved requests fulfilled in less than two (2) calendar hours 100% of approved security-driven disablement fulfilled in less than thirty (30) minutes 3C. DISINCENTIVEFailure to meet this SLA in a given period results in 4% reduction of the entire invoice for that period. This SLA applies to the following tasks:Task 4 – Infrastructure OperationsTask 5 – Data Center OperationsTask 6 – Application Hosting4. SLA MEASUREMENT4A. MEASUREMENT INTERVALThe Measurement Interval is one (1) month 4B. MEASUREMENT PERIODThe Measurement Period begins at 00:00:00 on the first day of the month and ends at 23:59:59 on the last day of the month 4C. SOURCE OF MEASUREMENT DATAThe source of measurement data is the Contractor’s measurement system and the GFE Service Management System 4D. METHOD OF MEASUREMENTSLA attainment is measured by calculating the elapsed time from the initiation of a service request ticket for account disablement to the closure of the ticket 4E. TIMING OF MEASUREMENTSLA attainment is calculated after the Measurement Period has expired 4F. METHOD OF GOVERNMENT SURVEILLANCESubject to random or planned audit by the Government or its third party designee 4G. ASSUMPTIONS/ CONDITIONSNone4H. EXCEPTIONSNone5. SLA CALCULATION5A. 
CALCULATION(NUMERATOR) Number of requests completed in less than the Target Service Level Objective ÷(DENOMINATOR) Total requests * 100 = (RESULT) Service Level (%) Attained5B. SUCCESS CRITERIASuccessful account disablement is one completed in less than the Target Service Level Objective5C. DEFINITIONSNone6. SLA ADMINISTRATION6A. REPORTING FREQUENCYReporting to commence at Assumption of ResponsibilityDaily reporting of results from prior dayWeekly reporting of results from prior weekMonthly reporting of results from prior monthQuarterly reporting of results from prior quarterMonthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting6B. NOTES AND COMMENTSNoneRoot Cause Analysis1. SLA SUMMARY1A. TASKAll1B. SUB- TASKAll1C. SLA#Infrastructure – SLA 121D. SLA NAMERoot Cause Analysis2. SLA OVERVIEW2A. SLA DESCRIPTIONMeasures the efficiency and timeliness of Infrastructure operations as indicated by the proportion of root cause analyses performed in a timely manner.2B. RATIONALEIncentivizes the Service Provider to staff the contract with sufficient number of qualified personnel to complete root cause analyses.2C. PERFORMANCE WORK STATEMENT REFERENCEThe Contractor shall deliver a root cause analysis document for each Severity 1 incident resolution in accordance with SLAs.2D. PERFORMANCE PERIODThis SLA is in effect during Operating Hours3. SERVICE LEVEL OBJECTIVE3A. HOLD HARMLESS PERIODUntil Assumption of Responsibility (AOR)3B. TARGET SERVICE LEVEL OBJECTIVE95.0% of Root Cause Analysis reports are submitted to the Government within two (2) business days3C. DISINCENTIVEFailure to meet this SLA in a given period results in 2% reduction of the entire invoice for that period. This SLA applies to Task 1 - Management4. SLA MEASUREMENT4A. MEASUREMENT INTERVALThe Measurement Interval is one (1) month4B. MEASUREMENT PERIODThe Measurement Period begins at 07:00:00 on the first day of the month and ends at 19:00:00 on the last day of the month4C. 
SOURCE OF MEASUREMENT DATAThe source of measurement data is the GFE Service Management System4D. METHOD OF MEASUREMENTSLA attainment is measured by:A severity 1 incident is resolved in the GFE SMSThe Contractor prepares a Root Cause Analysis document describing the root cause of the incident and techniques for preventing re-occurrenceThe Contractor submits the deliverable to the Government COR4E. TIMING OF MEASUREMENTSLA attainment is calculated after the end of the Measurement Period.4F. METHOD OF GOVERNMENT SURVEILLANCESubject to random or planned audit by the Government or its third party designeeSURVEILLANCE4G. ASSUMPTIONS/ CONDITIONSThis SLA measures the elapsed time from the moment of incident resolution to Root Cause Analysis deliverable submission4H. EXCEPTIONSIssues that are beyond the control of the Contractor are excluded from this calculation. Exceptions must be approved by the COR.5. SLA CALCULATION5A. CALCULATION(NUMERATOR) Number of root cause analysis deliverables submitted in a timely manner during the Measurement Interval ÷(DENOMINATOR) Total number of Severity 1 Incidents * 100 = (RESULT) Service Level (%) Attained5B. SUCCESS CRITERIAA successful instance is when the Contractor submits the Root Cause Analysis deliverable within the Target Service Level Objective.5C. DEFINITIONSNone6. SLA ADMINISTRATION6A. REPORTING FREQUENCYReporting to commence at Assumption of ResponsibilityDaily reporting of results from prior dayWeekly reporting of results from prior weekMonthly reporting of results from prior monthQuarterly reporting of results from prior quarterMonthly reporting of SLA attainment and root cause of SLA failures at the Monthly Status Meeting6B. NOTES AND COMMENTSNonePerformance Satisfaction 1. SLA SUMMARY1A. TASK All1B. SUB-TASKAll1C. SLA #Infrastructure – SLA 131D. SLA NAMEPerformance Satisfaction2. SLA OVERVIEW2A. 
SLA DESCRIPTIONThe purpose of this SLA is to incentivize a high level of ITSS and other stakeholder satisfaction with Contractor service delivery.2B. RATIONALEIncentives the Service Provider to continuously focus on high customer satisfaction through service delivery excellence.2C. ANTICIPATED CUSTOMER OUTCOMESHigh satisfaction with contractor performance is indicative of customer-focused and high-quality service delivery.2D. PERFORMANCE WORK STATEMENT REFERENCEAll2E. PERFORMANCE PERIODThis SLA is in effect on a continuous basis without interruption throughout the Task Order Period of Performance. 3. SERVICE LEVEL OBJECTIVE3A. HOLD HARMLESS PERIODThirty (30) calendar days after Task Order award.3B. TARGET SERVICE LEVEL OBJECTIVEGreater than or equal to 85% of all survey respondents are Satisfied, More Than Satisfied, or Very Satisfied with Contractor service delivery.3C. DISINCENTIVE Failure to attain this SLA would result in a 2.5% percent reduction in the contractor’s invoice for Tasks 1 – 6.1.Management2.Endpoint Engineering3.Infrastructure Engineering4.Infrastructure Operations5. Data Center Operations6.Application Hosting4. SLA MEASUREMENT4A. MEASUREMENT INTERVALThe Measurement Interval is every 3 months for first year and then every 6 months thereafter.4B. MEASUREMENT PERIODThe Measurement Period begins at 00:00:00 on the first day of the month and ends at 23:59:59 on the last day of the month.4C. SOURCE OF MEASUREMENT DATAThe source of measurement is survey responses.4D. METHOD OF MEASUREMENTThe COR (or designee) will issue customer satisfaction surveys to designated Government customers / stakeholders with direct experience with the contractor’s service delivery. The COR (or designee) will tabulate Survey responses to determine overall satisfaction with Contractor service delivery. 4E. TIMING OF MEASUREMENTMeasurements are taken within 5 days of the end of the Measurement Period.4F. METHOD OF GOVERNMENT SURVEILLANCESampling of Customers for Surveys. 
The COR will identify a targeted set of customers / stakeholders with direct experience and interaction with the contractor and request completion of a survey.4G. ASSUMPTIONS / CONDITIONSN/A4H. EXCEPTIONSA minimum of 20% response rate is required for the survey to be valid. 4I. POLICYFailure to meet the Target Service Level Objective requires contractor submission of a Service Improvement Plan for COR approval identify specific and measurable actions the Contractor will take to improve customer satisfaction with delivered services.5. SLA CALCULATION5A. CALCULATIONThe number of survey respondents who were Satisfied, More Than Satisfied, or Very Satisfied divided by the total number of completed surveys returned. 5B. SUCCESS CRITERIAHigh satisfaction with contractor performance5C. DEFINITIONSNone6. SLA ADMINISTRATION6A. REPORTING FREQUENCYThe COR or designee will provide:Reporting planning and preparation to commence during Transition; reporting to commence at start of Base Period, Year 2.Monthly reporting of SLA attainment for periods surveyed. Quarterly survey reporting during first year, semi-annual thereafter.6B. NOTES AND COMMENTSNone ................