Background



Department of the NavyOnsite Risk Assessment and Program AnalysisPerformance Work Statement Mission Assurance (MA) Critical Infrastructure Support *Note that this sample has been revised from the source document on the Government Point of Entry as necessary to align formatting and applicable FAR procedures.* BackgroundThe United States Navy (USN) requires Mission Assurance (MA) assessments of utility systems, industrial control systems (ICS), and energy/utility management control systems (EMCS/UMCS). The Contractor will evaluate the existing utility systems, ICS, and EMCS/UMCS. The contractor will assess risks, and develop risk mitigation plans in support of Department of the Navy, supporting OPNAV N46. The USN operates in a hostile and uncertain environment shaped by a complex array of manmade and naturally occurring threats and hazards. Our forces face a growing number of potential adversaries with the ability to asymmetrically cripple vital force projection, warfighting, and sustainment capabilities by targeting critical military and civilian resources that support global operations. Additional challenges include catastrophic natural disasters and technological failures capable of producing high-impact second and third order effects that can disrupt its missions. MA is both a process and an integrative framework that analyzes current conditions and requirements to ensure the protection of, and the continued function and resilience of utility systems and ICS capabilities and assets - including personnel, equipment, facilities, networks, operational technologies, infrastructure, and supply chains - critical to the performance of DoD mission essential functions (MEFs) in any operating environment or condition. MA integrates mission and infrastructure.The Navy’s Mission Assurance Assessment (MAA) process was established in 2015 as a means to assess, identify, and mitigate risks to missions across the Service. These assessments create visibility for installation commanders and Higher Headquarters (HHQ) to understand where the risks to USN missions and mission-critical facility, utility system, and ICS assets exist. The MAA implements a comprehensive all-threats/all-hazards approach to managing risk to USN missions to more effectively protect the forces in fiscally austere times through efficient resource allocation and prioritization of investments. Procuring, managing and securing utility systems and ICS, supporting energy/utility ICS and communications, and water resources is a primary function of USN installations in providing the operational support necessary to ensure mission readiness. The Risk Assessment process involves the collection and evaluation of data concerning the criticality of facilities, utility and industrial control systems, and supporting infrastructure assets based on mission impacts, probable threats and hazards, and degrees of vulnerability to determine the overall risk posture of the asset. It is a systematic, rational, and defendable process for identifying, quantifying, and prioritizing risks. While some risk will always be present, Risk Management seeks to achieve an acceptable level of risk in the execution of critical missions and functions. The utility and energy infrastructure are essential to operate buildings and facilities. In alignment with Title 10 USC, Section 2688 the term “utility system” means generation and supply of electric power; treatment or supply of water; collection or treatment of wastewater; generation or supply of steam, hot water, and chilled water; supply of natural gas; and transmission of telecommunications. This also includes equipment, fixtures, structures, and other improvements utilized in connection with a system; real property, easements, and rights of way associated with utility system. These infrastructure and utilities represent a significant expense. Constrained budgets will continue to tighten, providing greater incentive to conserve energy and stabilize cost. Prudent energy management practices are critical to ensure that adequate energy is available to support the operating forces at a minimum cost and with the least environmental impact. Conserving energy and investing in energy management measures makes good business sense and will allow future financial resources to be directed towards modernization of installations and investment in improved operational capabilities. FRCS is a sub-set of Control Systems (CS), and primarily includes those systems that are used to operate and manage utilities or associated with the operation of an Installation (including the associated facilities). Examples of FRCS include, but are not limited to; Energy Management Control Systems (EMCS), Utility Control Systems (UCS) or Supervisory Control and Data Acquisition (SCADA), Building Control Systems (BCS), Fire Suppression Systems, Installation Access Control Systems, and Traffic Camera Systems.The Navy relies on commercial electric grids and fuel distribution systems to provide power for the majority of its installation energy requirements. This reality presents a potential risk to our installations’ ability to maintain critical missions, functions and assets in the event of a catastrophic disaster, whether natural or man-made.The final deliverables associated with this contract are required to be developed on SIPRnet. Government spaces, equipment and network access will be provided to support those phases of assessment preparation and post assessment activities requiring access to SIPRnet. Site locations are included in Attachment B. Scope of WorkThe Mission Assurance (MA) Assessment Program is outlined below.Mission Analysis. The mission analysis portion of the MAA is the foundational portion of the assessment that serves to develop a thorough understanding of the missions executed and/or supported by the installation and all associated host/tenant units, scope the critical infrastructure (building, utility system, and ICS assets) to be assessed, link those assets to critical stakeholder missions, and support the assessment preparation by reviewing various supporting documentation (OPLANS, CONPLANS, CAIP (critical asset identification process) results, etc.). The Mission Analysis site visit includes the initial preparations and research required before conducting the MAA. Additionally, it includes: coordinating and finalizing assessment preparations with the installation POC; validating the assessment intent and scope; reviewing and analyzing local assessment reports, conducting mission analysis, reviewing pertinent all hazard threat assessments site/asset research and confirming all POCs necessary for the on-site portion of the assessment. The Mission Analysis Site Visit will usually run simultaneously with the USA.All Hazard Threat Assessment (AHTA). The Contractor shall develop installation/facility focused All Hazard Threat Assessment (AHTA) specific to each installation/facility indicated in Attachment B. The AHTA will follow the current AHTA Methodology. The AHTA shall focus on the threats and hazards unique to the installation and the region. This information is specifically used to assess the risks to the utility systems, including energy supply sources, and ICS systems. (Deliverable 2)Utility Security Assessments (USA). The contractor shall utilize the MAA Program Guide provided by the government to establish standardized procedures for conducting USAs that are repeatable evaluation criteria for installations across the USN. These procedures will address how to identify and prioritize missions and functions and identify the supporting critical assets. Using these criteria and procedures, the contractor shall perform USAs at locations listed in Attachment B as indicated by the required deliverables. The purpose of the USA is to collect information, interview personnel, tour facilities and special areas, assess/analyze system operation, and to develop detailed findings, observations, and recommendations to be compiled in the Assessment Report. Each site visit will include an in-brief detailing the scope of the visit and an outbrief that includes the analysis of all internal and external utility systems on the installation. All site assessments must be coordinated in advance with OPNAV N46 prior to the site visit. Prior to assessments, review previous assessment documentation, plans and supporting materials to include the base plans for Public Works, and any infrastructure information needed to conduct the USA. These documents will remain internal to the DON and be used as the foundation for each USA. The Utility Security subject matter expert (SME) will coordinate, as needed, for MAA deliverables. (Deliverables 5 and 6)Perform each USA, encompassing a systematic evaluation of installation internal and external utilities and energy resources, in the following areas: Licensed/Professional Engineering (Electrical, Mechanical and/or Civil), Cybersecurity, Mission Analysis, Telecommunications both wired and wireless, Mission Criticality Index (MCI) database management and Program Support Analyst. Integrate assessment schedule and engineering data products with the MAA teams, in order to synchronize utility and mission analysis phase of the MAA. Provide MA Program support and assessment capabilities.Mission Assurance Assessment (MAA). Using the results in Sections 1.a) through 1.c) , the contractor will follow the assessment program guide and benchmarks to determine risk to missions. Service specific MA benchmarks document the standards used by the MAA assessors to gather data, providing a uniform approach to assess and assist in the management of risk across protection programs. MAA benchmarks are based on current Federal, Department of Defense (DoD), and service policies contained in orders, instructions, and requirements. The contractor shall utilize criteria provided by the government to establish standardized procedures for conducting MAA that are repeatable evaluation criteria for installations across the Navy. These procedures will address how to identify and prioritize missions and functions and identify the supporting critical assets. Using these criteria and procedures, the contractor shall perform MAAs at locations listed in Attachment B. The purpose of the site visits is to collect information, interview personnel, tour facilities, and develop detailed findings, observations, and recommendations to be compiled in the Assessment Report. Each site visit will include the build out of an in-brief and out-brief for the installation. All site assessments must be coordinated in advance with OPNAV N46 prior to the site visit. Prior to assessments, review previous assessment documentation, plans and supporting materials to include the base plans for Public Works, and all utility and ICS infrastructure information needed to conduct the MAA. These documents will remain internal to the Navy and be used as the foundation for each MAA. The MA subject matter expert (SME) will coordinate, as needed, for USA deliverables. (Deliverables 7 & 8)Perform each MAA in the following areas: Antiterrorism/Risk Management, Physical Security, and Critical Infrastructure Program Support. Emergency Management/COOP, Communications and Supporting Infrastructure Program Support. Integrate assessment schedule and All-Hazards Threat Assessments with the USA teams, in order to synchronize pre-site survey (PSS)/mission analysis phase of the MAA. Engineering (licensed/professional engineering in facility and utility system assessments), Cybersecurity (DoD regulations/standards), Mission Analysis,Airfield Operations, and Port Operations.Conduct detailed analyses to identify task critical assets for operating forces and other installation tenants based on assigned missions and ensure assets are properly entered and maintained in the data management system used to store critical asset data. This will include the use of various classified and unclassified risk assessments and information repositories (Defense Readiness Reporting System (DRRS), Mission Assurance Assessment Standalone Tool (MAAST), MDI application, etc.).Objectives The Contractor must provide technical and training support for Mission Assurance in the areas of on-site assessment, analysis, and contingency support for the deliverables under this contract. The analysis efforts range from focusing on a single asset to all infrastructure/networks and protection related areas to the installation and the functions that provide protection/security to the missions being supported. The Contractor must conduct on-site program reviews, MAAs, Utility Security Assessments, in accordance with Navy Benchmarks and Team Guide. The Contractor must provide observations, discussions, and recommendations to facilitate the improvements of protection programs to include gap analyses. The Contractor must facilitate inter- and intra-service coordination efforts and identify emergent policies that impact and support these requirements. The Contractor must provide support to prepare responses to Requests for Information, Joint Staff Action Processes, and DON Tracker taskers under this contract. The Contractor must review and update formal Annual Benchmark Review reports; prepare executive summary papers and reports for MAA; and support the development of assessment of Integrated Planning Team agendas, briefs, and after action reports. The Contractor shall provide recommendations to revise policy documents; update program guides, business rules, and benchmarks; review Navy Instructions, Directives, strategic plans, manuals, and applicable DoD regulations.Requirements. The Contractor shall support the following Tasks:CLIN X001 Core Labor (FFP)Kickoff Meeting (Deliverable 1): The Contractor will conduct a one-day kickoff meeting in Arlington, VA, NLT two weeks after contract award in OPNAV N46 spaces. The kickoff meeting will review tasks, schedule, and logistical issues. The Contractor shall provide an agenda and supporting presentation to guide discussions. The presentation will be provided to the COR two days prior to the meeting. The Contractor will provide minutes of discussions to the COR within one week after conclusion of the meeting.Mission Assurance support of Navy HQ and Regional Offices: Provide regional Critical Infrastructure Protection (CIP) analyst support and assist with Mission Analysis Site Visits to develop a thorough understanding of the missions executed and/or supported by the installation and all associated host/tenant units. Contractor will support N-codes at CNIC; CNRSW; CNRMA; CNRNDW; CNRSE; CNRNW; CNRH (incl. CNRJ, CNRK, & CJR Marianas); and CNREURAFCENT when Government seating made available.Support installations and Navy regions with the completion of Corrective Action Plans (CAP), including assisting with the development of remediation courses of action, coordinating the endorsement and approval of CAPs, and tracking the status of CAP completion in the Navy Taskers system. Deliverable #9 – Draft SMIG/EMIG list. This deliverable will classified SECRET and delivered via SIPRnet.Assist with Mission Analysis site-visit at locations to be determined in coordination with OPNAV N46.Identify and tie critical infrastructure (building, utility system, and ICS assets) to identified critical assets to ensure they are assessed during the Mission Assurance Assessment (MAA).Link these assets to critical stakeholder missions and support the assessment preparation by reviewing various supporting documentation (OPLANS, CONPLANS, CAIP (critical asset identification process) results, etc.)Develop mission chains, verify identified critical assets and recommend assets that have not been identified in previous CAIP cycles for validation and assessment. Coordinate and finalize assessment preparations with the Installation POC, validating the assessment intent and scope, reviewing and analyzing the local assessment report from eMAAT, conducting mission analysis, reviewing pertinent all hazard threat assessments site/asset research and confirming all POCs necessary for the on-site portion of the assessment. CIP ANALYSTS: Mission Assurance SMEs with an emphasis on CIP and Continuity of Operations (COOP) shall support service level Mission Assurance work within the DoN at the following Navy HQ and Component Commands: OPNAV N46; PACFLT; USFF; EURAFCENT. The EURAFCENT position is located in Naples, Italy and will require DOCPER approval, per PWS Appendix A - Logistical Support Annex (European Theater)Work performed will include:Support the annual OSD directed Critical Asset Identification Process (CAIP) (Deliverable #10)– Draft CAIP List). This deliverable will classified SECRET and delivered via SIPRnet. Draft Command CAIP inputCoordinate with installation, regional and component staff to: Identify assets that meet capabilities, standards, conditions and METS to perform specific component missions. Perform TCA Analysis to determine; mission failure/degradation, time to impact, time to recoveryCoordinate with mission owners to validate TCA and evaluate consequence to missionProvide review on any Committee on Foreign Investment in the United States (CFIUS) cases or enhanced use lease agreements (e.g. solar projects) to ensure USN critical infrastructure and critical missions are not exposed to foreign investment (as required)Provide review of Navy, Congressional, or Joint Staff taskers via DON Tracker or TV5 (as required)Utilize various classified and unclassified risk assessments and information repositories (i.e. Defense Readiness Reporting System (DRRS), Mission Assurance Assessment Standalone Tool (MAAST), Strategic Mission Assurance Data System (SMADS), etc.). NAV-CAMS Data Entry and Summary (Deliverable #11). This deliverable will classified SECRET and delivered via SIPRnet.Provide SMEs to enter mission chains, baseline elements of information (BEI), and risk data into NAV-CAMS from information provided in MA briefing slides and MA reports. Update all NAV-CAMS documentation (e.g. Business rules) and diagrams with modifications and additions annually, to include an inventory. Assist in MAA mission analysis/ decomposition. The contractor shall provide a monthly status report of all CAMS record entries. Provide mission and risk data entry, and NAV-CAMS training and field support. Monthly status reports shall also be uploaded to ASSIST alongside each invoice. CLIN X002 (Core Phase 1 Assessments) (FFP) This CLIN includes support for 10 Phase 1 Assessments for each year of performance. All assessments are similar in magnitude. Historically, each assessment was 5-8 days in duration depending on the size of the base. Majority of the bases are 5 days in duration. In rare occasions, the amount of days might range 5-8. For pricing purpose, assume each location will be 5 days in duration. In those unique instances where duration will be in excess of 5 days, CLIN X006 will be utilized, with prior approval of the Navy COR.The Government will provide a list of locations when the Task Order is awarded and when Each Option Period is exercised. A Sample Site List is provided as ATTACHMENT B.Phase 1 tasks include deliverables 2-6 outlined belowAll Hazard Threat Assessment (AHTA) Report (Deliverable 2): The AHTA will follow the current AHTA Methodology and will be based on the results of Section 2.d. Each AHTA will contain an executive summary, a complete list of threat and hazard descriptive details tailored to each installation and a complete list of source documents. The executive summary will summarize the threats and hazards for each location; and provide an integrated and prioritized threat and hazard matrix. A portion of this deliverable is classified SECRET.Mission Analysis Site Visit (Deliverable 3): See Section 2.a)Mission Analysis Briefing Slides (Deliverable 4): Following the Mission Analysis, briefing slides will be prepared to include linkages between identified assets and mission owner(s). These slides will be used during the MAA to demonstrate mission degradation or failure if an asset or infrastructure is vulnerable to specific threat or hazard creating risk to the assigned mission. This deliverable will classified SECRET and delivered via SIPRnet. USA Site Visit (Deliverable 5): The Contractor will address measures to mitigate vulnerabilities and improve resiliency. Plans will depict operational concepts, frameworks, personnel, and activities required to operate and maintain the energy, ICS and utility communications infrastructure and its core functions of providing data, operational, and maintenance services. Key elements shall include:Overview of the operational energy and utility technology systems and local environmentIdentify how the operational energy and utility technology environment and infrastructure are currently managedDetermine any energy and utility operational technology related issues the end-user community may encounterProvide the analysis of a systematic review of the energy and utility networking infrastructure to support both wired and wireless networksUSA Briefing Slides (Deliverable 5): The Contractor will present an In-Brief and Out-Brief for the Installation Commander and Staff. The in-brief is designed to provide the assessed organization with information regarding the intent, objective, and focus of the assessment and the linkage between the USA and MAA. The brief will review the work performed to prepare for the assessment and assessment activities. Following the assessment, an out-brief will be prepared. The brief will consist of a minimum of four sections; Energy Security, ICS, Operational Utilities, and MDI. The briefer may add additional items of interest from OPNAV N46 or the Commanding Officer as necessary.USA Report (Deliverable 6): After each USA site visit, the Contractor shall provide engineering data gathered from the analysis and provide a report based on the findings and observations IAW the Navy MA Program Guide. The Senior Technical writer will ensure consistency with all report templates. The report will provide an energy profile of how those missions, functions, and assets are being supplied by internal and external energy sources (primarily electricity), to include a determination of gaps in providing reliable, secure and resilient power to those missions and assets. The capture and analysis of this engineering data will be supported by standardized data collection templates, mission and function category definitions and valuations of sufficient detail to allow standardized application and analysis of relevant data across Navy installations. Key elements of the report shall include:Identify and value each mission and function being executed at facilities according to Government provided criteria for MDI on an installation – whether by the installation command or the tenant commandsIdentify and provide a value for energy and utility assets in a facility that may be critical to the execution of missions or functions being executed at that facilityIdentify the average and peak loads each facility requires to sustain its missions, functions and operationsIdentify the key utility infrastructure nodes on an installation distribution network for facilities on the installation, to specifically include critical electric, ICS and utility communication infrastructure nodes that serve as single points of failure for the utility serviceIdentify the provision, or lack thereof, of redundant sources or means of providing electricity to the installation and its’ facilities, specifically to include facilities housing critical assetsIdentify the key regional commercial electric generation and transmission nodes and pathways leading to the installation, to specifically include critical electric infrastructure nodes that serve as single points of failure for the provision of commercially supplied electricityIdentify other installation utility (e.g., water, natural gas and fuel infrastructure) and communication networks, to include any critical assets supporting those networks, along with the energy usage, if available, and redundancy profiles for provision of electricity for each of these assetsIdentify and document current load shedding plans and prioritiesIdentify and document current back-up generator refueling plans and priorities, along with type of back-up generator, capacity for fuel, and maximum run time for generatorsIdentify and document estimated times organizations can continue their missions or functions without the provision of electricity before the mission or function is significantly impacted. Document an organizations existing plan for conducting missions at alternate on-base or off-base sites, if anyIdentify and document use of ICS/SCADA that support the monitoring and control of utility network operations CLIN X002a: Optional Phase 1 Assessments in support of All Branches of the Armed Forces (Task e-j) (FFP Per Unit) (OPTIONAL CLIN)During the duration of the Task Order, it is possible that US Navy may require the Contractor to support Task e-j in support of additional assessments. These assessments will be in support of United States Navy, as well as all Branches of the Armed Forces. For pricing purposes, the quotes should assume that the completion of each assessment should take 5 days, similarly to CLIN X002. Base PeriodOption Year 1Option Year 2Option Year 3Option Year 455555The Government reserves the unilateral right to exercise optional assessment(s) in all or in part as needs arise. The support for optional assessment described above will be invoked through award of a task order modification issued by the GSA Contracting Officer (CO). At the time of exercising the option(s) the Government will identify the location(s) to be supported and the amount of optional assessments exercised. The Contractor shall be able to support the stations NLT than 30 days after Task Order Modification.CLIN X003: Core Phase 2 AssessmentsThis CLIN includes support for 10 Phase 2 Assessments for each year of performance. All assessments are similar in magnitude. Historically, each assessment was 5 days in duration. The Government will provide a list of locations when the Task Order is awarded and when Each Option Period is exercised. A Sample Site List is provided as ATTACHMENT BPhase II tasks include deliverables 7 and 8 outlined below.MAA Site Visit (Deliverable 7): See Section 2.dMAA Briefing Slides (Deliverable 7): The Contractor will present an in-brief and out-brief for the Installation Commander and Staff. The in-brief is designed to provide the assessed organization with information regarding the intent, objective, and focus of the assessment and the linkage between the USA and MAA. The brief will review the work performed to prepare for the assessment and assessment activities. Following the assessment an out-brief will be prepared. The Contractor will conduct an out-brief to present the initial assessment observations and recommendations. The MAA Out-brief shall identify potential hazards/threats, vulnerabilities, risk, and remediation factors. The out-brief is a key step toward ensuring Commanders understand the Installation’s vulnerabilities and the associated risks. The out-brief is the initial analysis of the assessment observations and recommendations to the Command. This deliverable will classified SECRET and delivered via SIPRnet. MAA Report (Deliverable 8): After each MAA site visit, the Contractor shall provide a draft and final MAA Report based on the findings and observations IAW the MAA Program Guide. The report will provide an analysis or energy profile of how those missions, functions and assets are being supplied by internal and external energy sources (primarily electricity), to include a determination of gaps in providing reliable, secure and resilient power to those missions and assets. The capture and analysis of this data will be supported by standardized data collection templates, mission and function category definitions and valuations of sufficient detail to allow standardized application and analysis of relevant data across Navy installations. The Senior Technical writer will ensure consistency with all report templates. The report will be supported by full documentation and, as applicable, include graphics, photographs, and maps The report will be provided in electronic format, classified and marked in accordance with the appropriate classification guidance. This deliverable will classified at least SECRET and delivered via SIPRnet.CLIN X003a: Optional Phase 2 Assessments in support of All Branches of the Armed Forces (Task k-m) (FFP Per Unit) (OPTIONAL CLIN)During the duration of the Task Order, it is possible that US Navy may require the Contractor to support Task k-m in support of additional assessments. These assessments will be in support of United States Navy, as well as all Branches of the Armed Forces. For pricing purposes, the quotes should assume that the completion of each assessment should take 5 days, similarly to CLIN X003. Base PeriodOption Year 1Option Year 2Option Year 3Option Year 455555The Government reserves the unilateral right to exercise optional assessment(s) in all or in part as needs arise. The support for optional assessment described above will be invoked through award of a task order modification issued by the GSA Contracting Officer (CO). At the time of exercising the option(s) the Government will identify the location(s) to be supported and the amount of optional assessments exercised. The Contractor shall be able to support the stations NLT than 30 days after Task Order Modification.CLIN X004: Core Mobile Training Team EventsThis CLIN includes support for 5 Events for each year of performance. All events are similar in magnitude. Historically, each assessment was 5 days in duration. The Government will provide a list of locations when the Task Order is awarded and when Each Option Period is exercised. A Sample Site List is provided as ATTACHMENT C.MA Mobile Training Team (MTT) –Deliverable #12 – (see attachment C)Provide SMEs to provide OPNAV N46 MA program overview, risk management process, introduction, demonstration, and exercises in NAV-CAMSDevelop and administer user training that directly supports the end users’ ability to operate each system to meet daily work requirements. Field a Mobile Team Training (MTT) for NAV-CAMS Training at Regional Commands.Review Corrective Action Plans from MA reports with Regional Staff. CLIN X004a: Mobile Training Team Events (Task n) (FFP Per Unit) (OPTIONAL CLIN)During the duration of the Task Order, it is possible that US Navy may require the Contractor to support Task n in support of additional events. These events will be in support of United States Navy, as well as all Branches of the Armed Forces. For pricing purposes, the quotes should assume that the completion of each even should take 5 days, similarly to CLIN X004. Base PeriodOption Year 1Option Year 2Option Year 3Option Year 433333The Government reserves the unilateral right to exercise optional event(s) in all or in part as needs arise. The support for optional events described above will be invoked through award of a task order modification issued by the GSA Contracting Officer (CO). At the time of exercising the option(s) the Government will identify the location(s) to be supported and the amount of optional events exercised. The Contractor shall be able to support the stations NLT than 30 days after Task Order Modification. CLIN 005: Facility Related Control Systems (FRCS) OPTIONAL CLINFacility Related Control Systems (FRCS). This deliverable will classified SECRET and delivered via SIPRnet.The contractor shall develop the assessment methodology so that the processes are repeatable but tailorable to the USN control systems. The methodology must specifically identify, link and map control systems to infrastructure, utilities, assets, supported missions, and provide the ability to assess corresponding mission risks.The control systems vulnerability methodology will apply the results of data collected from the control system research and field assessments to design control system test plans. The contractor shall design the test plans to include non-intrusive control system network traffic capture and analysis (as available from the sample installations or via a test laboratory environment). Data shall be collected at each location regarding the cybersecurity posture of the control systems. Following analysis of the control system data and Government approval of the control system test plans, the contractor shall conduct the test plans at the sample locations where the control system cybersecurity data was collected. The tests shall evaluate and report the effectiveness of the control system vulnerability methodology to identify the linkages between control system cybersecurity vulnerabilities and potential control system failures or compromises impacting critical operations and missions. A final report will be developed along with consolidated findings of vulnerabilities and mitigation recommendations (Deliverable 13; The Government anticipates the following:Base PeriodOption Year 1Option Year 2Option Year 3Option Year 433333The Government reserves the unilateral right to exercise optional assessment(s) in all or in part as needs arise. The support for optional assessment described above will be invoked through award of a task order modification issued by the GSA Contracting Officer (CO). At the time of exercising the option(s) the Government will identify the location(s) to be supported and the amount of optional assessments exercised. The Contractor shall be able to support the stations NLT than 30 days after Task Order Modification.CLIN006X Government Directed Overtime/Surge Support (OPTIONAL) (Labor Hours)It is anticipated that the Government may require the Contractor to work overtime or surge resources to support additional Government requirements while continuing to provide standard contracted services. It should be noted that optional Government directed overtime or surge may apply to any mandatory tasks or exercised options for this Task Order. The Contracting Officer Representative (COR) will ensure sufficient funds exist to support the requirements prior to execution of support. The Contractor shall not incur costs under this CLIN unless approved by the COR.For quote purposes, the Not-to-Exceed (NTE) value of this unburdened option is $2,000,000.00 per year. Within the quote based on the descriptions of this CLIN, the quoters shall quote anticipated labor categories and the amount of hours for these labor categories with the total CLIN value not exceeding the identified NTE amount. The value of this option includes OT/Surge (Labor) support.Typical examples of overtime/surge support that could be exercised include, but are not limited to:Exercise support when adjusting the normal work schedule; minimizing/prohibiting leave of individual contractor employees; adjusting service level agreements DOES NOT achieve the required coverage. Real World Operations when adjusting the normal work schedule; minimizing/prohibiting leave of individual contractor employees; adjusting service level agreements DOES NOT achieve the required coverage. Crashing project schedule(s) to achieve Government directed completion dates.Short term projects, as directed by the GovernmentUtility Security Assessments CONUS and OCONUSMission Assurance Assessments CONUS and OCONUSIncorporating changes into the All Hazard Threat AssessmentsImmediate Benchmark ReviewsDoD and DON Working GroupsSecurity Classification Guide SupportCritical Infrastructure Review for Military Construction and ?Energy Resiliency ProjectsProvide surge support for OPNAV N46 initiativesGovernment directed overtime should only be used when all other possibilities have been exhausted. It should not be used to support normal maintenance such as outages requiring Contractor employees to work after hours or weekends. Overtime costs shall not be incurred unless authorized by the Contracting Officer (CO) or the Contracting Officer’s Representative (COR) and unless funding is available to cover incurred expenses.At the time of exercising this optional support, the Government will issue a guidance, which at a minimum shall include:Identify the event (exercise/operation/project) which is driving the overtime requirement.Identify the specific services where overtime or surge is authorized.Define level of effort expectations (i.e. 12-hour days, 6 days per week).Identify duration or end date when overtime is no longer required.Provide an estimate on the number of overtime or surge hours required.DeliverablesThe following table outlines the product deliverables for the SOW. All deliverables will be submitted to the OPNAV N46 designated Activity POC. It is anticipated that all deliverables will be submitted via email or other electronic method (e.g., Inteldocs). *Deliverable dates may be adjusted based on information available in coordination with OPNAV N46. Each deliverable shall be submitted to ASSIST using the Post-Award Collaboration Tool.#SectionTitleDue Date12.a)Kickoff MeetingNLT 2 weeks after contract award 22.b)AHTA ReportDraft due 7 days prior to each MAA Phase 1; Final 2 weeks after MAA Phase 2. See Attachment B32.c)Mission Analysis Site VisitSee Attachment B 42.d)Mission Analysis Briefing Slides30 days after completion of mission analysis site visit52.e) & f)USA Site Visit & USA Out-briefSee Attachment B62.g)USA Report60 days after completion of site visit 72.h) & i)MAA Site Visit & MAA Out-briefSee Attachment B82.j)MAA Report90 days after completion of site visit92.k)Regional SMIG/EMIG ListAnnual draft102.l)Draft CAIP listAnnual draft112.m)NAV-CAMS Data Entry & SummaryMonthly122.n)MA Mobile Training TeamsSee Attachment C132.o)FRCS ReportSee Attachment BInspection and Acceptance/FOBInspection of all work performance, reports, and other deliverables under this Contract shall be performed by the Technical Points of Contact (TPOCs) designated post award. Acceptance of all work performance, reports, and other deliverables under this Contract shall be performed by the COR designated post award.Reports, documents, and narrative type deliverables will be accepted when all discrepancies, errors, or other deficiencies identified in writing by the government have been corrected. The general quality measures, set forth below, will be applied to each deliverable:Accuracy – deliverables shall be accurate in presentation, technical content, and adherence to accepted elements of style.Clarity – deliverables shall be clear and concise; engineering terms shall be used, as appropriate.All diagrams shall be easy to understand, legible, and relevant to the supporting narrative. All acronyms shall be clearly and fully specified upon first use.Specifications validity – all deliverables must satisfy the requirements of the government.File editing – where directed, all text and diagrammatic files shall be editable by thegovernment.Format – deliverables shall follow OPNAV guidance. Where none exists, the contractor shall coordinate approval of format with the COR.Timeliness – deliverables shall be submitted on or before the due date specified.Draft DeliverablesThe Government will provide written acceptance, comments and/or change requests, if any, within ten (10) work days from Government receipt of the draft deliverable.Upon receipt of the Government comments, the Contractor shall have ten (10) work days to incorporate the Government's comments and/or change requests and to resubmit the deliverable in its final form.6.2 Basis of AcceptanceThe basis for acceptance shall be compliance with the requirements set forth in the task order(s), the Contractor’s quote and other terms and conditions of the contract. Deliverable items rejected shall be corrected in accordance with the applicable clauses.Reports, documents and narrative type deliverables will be accepted when all discrepancies, errors or other deficiencies identified in writing by the Government have been corrected. If the draft deliverable is adequate, the Government may accept the draft and provide comments for incorporation into the final version.All of the Government's comments to deliverables must either be incorporated in the succeeding version of the deliverable or the Contractor must demonstrate to the Government's satisfaction why such comments should not be incorporated.If the Government finds that a draft or final deliverable contains excessive spelling errors, grammatical errors, improper format, or otherwise does not conform to the requirements stated within this Task Order, the document may be immediately rejected without further review and returned to the Contractor for correction and resubmission. If the Contractor requires additional Government guidance to produce an acceptable draft, the Contractor shall arrange a meeting with the TPOC/COR.6.3 Non-Conforming Products OR ServicesNon‐conforming products or services will be rejected. Deficiencies will be corrected, by the Contractor, within ten (10) work days of the rejection notice. If the deficiencies cannot be corrected within ten (10) work days, the Contractor will immediately notify the COR of the reason for the delay and provide a proposed corrective action plan within ten (10) work days.Performance MeasuresPerformance measures for satisfactory completion of the task order shall be measured by completion of the tasks and deliverables identified in this SOW. The following metrics shall be applied:Requirement(1)Standards—Criteria for Acceptance(2)Acceptable Quality Level(3)Methodof Surveillance(4)Incentive/Disincentive(5)Quality of Task CompletionTask support meets stated objectives.Work yields acceptable recommendations.There are no oversights in the review and analysis performed by the contractor that result in incorrect or inadequate assumptions, which, in turn, result in unacceptable recommendations. There are no oversights in the development of reports, documents, or functional requirements, which could result in delays in meeting established timelines.Customer feedbackPositive Past Performance EvaluationTimeliness of Task CompletionMeets delivery dates specified in approved PMP or as mutually agreed100% Compliance, unless forbearance granted by OPNAV PM or GSA CORCustomer feedbackContractor reportsPositive Past Performance EvaluationDeliverable Submissions listed in the Table at Section 5Deliverables adhere to General Acceptance Criteria defined in Section 5Contractor’s performance consistently yields work products that conform to the General Acceptance CriteriaCustomer feedbackContractor reportsPositive Past Performance EvaluationContract Administration Government Points of Contact The identified individuals are responsible to oversee contract performance and the Contractor is responsible to coordinate with the identified individuals.Post Award Conference The Contractor shall participate in a Government‐scheduled post‐award orientation TaskOrder award or in accordance with Federal Acquisition Regulation Subpart 42.5. Within 7 work days of award the Contractor shall conduct an orientation briefing for the Government. The intent of the briefing is to initiate the communication process between the Government and Contractor by introducing key task participants and explaining their roles, reviewing communication ground rules, and assuring a common understanding of subtask requirements and objectives. The Orientation Briefing’s place, date and time shall be mutually agreed upon by both parties within a week from the date of award. The completion of this briefing will result in the introduction of both Contractor and Government personnel performing work under this contract. The Contractor will demonstrate confirmation of their understanding of the work to be accomplished under this PWS.Contract TypeThis is a Hybrid Contract, consisting of firm fixed price and labor hour CLINs. Period of PerformanceThe period of performance is one (1) 12-month base plus four (4) 12-month option periods. Option periods will be exercised at the Government’s unilateral right in accordance with FAR 52.217-9 - Option to Extend the Term of the Contract (Mar 2000). The government may extend the term of this contract by written notice to the contractor within thirty (30) calendar days before the contract expires; provided that the government gives the contractor a preliminary written notice of its intent to extend at least sixty (60) calendar days before the contract expires. The preliminary notice does not commit the government to an extension. If the government exercises an option, the extended contract shall be considered to include this option clause. The total duration of this contract, including the exercise of any options under this clause, shall not exceed sixty (60) months. Location of WorkSite Visit and Schedule will identify the site visit locations and be provided by the Government. Government provided spaces, equipment, and network access will only be available to support activities requiring SIPRnet usage. All other work performed under this task order shall be performed at the contractor’s office. PWS Task one identifies locations for CIP analysts. TelecommutingThe Government may permit telecommuting by contractor employees when determined to be in the best interest of the Government in meeting work requirements. The Contractor must have an established program, subject to review by the Government. All telecommuting agreements must be authorized and approved by the COR and include the date, time, and description of the tasks to be performed. Telecommuting will be at no additional cost to the Government. Required travel to the Government site will be the expense of the Contractor. The Contractor shall provide adequate oversight of work products to ensure contract adherence. Contractors shall have formal telework policies in place if telework is employed. Telework arrangements on individual task orders shall be approved by the Contracting Officer and the COR prior to commencement. The Contractor shall provide services from their authorized telework worksite location IAW Department of Defense Instructions (DoDI) 1035.01, Telework Policy. The Contractor shall: Develop, implement and operate telework programs IAW DoDI 1035.01. Delegate authority for telework implementation to subordinate authorities as deemed appropriate. Designate a Program Manager to oversee implementation of the telework program. Track contractor personnel participation and provide usage data to the COR at the end of each calendar year as an Annual Telework Report. Fully train all telework contractor personnel on the telework procedures including information technology and data security, and safety requirements consistent with:the guidance in DoD Directive (DoDD), reference (g) through (j)DoDD 8000.01, Management of the Department of Defense (DoD) Information Enterprise DoDD 8100.02, Use of Commercial Wireless Devices, Services, and Technologies in the DoD Global Information Grid (GIG) DoDD 8500.01E, Information Assurance (IA) DoDD 5400.111, DoD Privacy Program The Contractor shall account for and report the teleworkers time spent in the telework status in the same manner as if the employee reported for work at a traditional worksite and track teleworkers time spent in a travel mode away from the alternate worksite during a period that is scheduled for telework. TravelTravel will be required to various locations CONUS and OCONUS, as directed by the Government on a cost-reimbursable basis. The Contractor shall adhere to the following travel regulations (see FAR 31.205-46):(1) Federal Travel Regulations (FTR) – prescribed by the General Services Administration, for travel in the contiguous United States.(2) Joint Travel Regulation (JTR) – prescribed by the Defense Travel Management Office(3) Department of State Standardized Regulations (DSSR) (Government Civilians, Foreign Areas), Section 925, “Maximum Travel Per Diem Allowances for Foreign Areas”, prescribed by the Department of State, for travel in areas not covered in the FTR or JTR.The Contractor shall use only the minimum number of travelers and rental cars needed to accomplish the task(s). Travel shall be scheduled during normal duty hours whenever possible.Travel RequestsBefore contractor travel is executed, the Contractor shall have travel approved by, and coordinated with the COR. The Contractor’s travel notification shall include, at a minimum, the number of persons in the party, traveler name, destination, duration of stay, purpose, and estimated cost. Prior to any long distance travel, the Contractor shall prepare a Travel Request Form for Government review and approval. The Government shall approve all travel in writing. Long distance travel will be reimbursed for cost of travel comparable with the FTR, JTR, and DSSR.Requests for travel approval shall:Be prepared in a legible manner;Include a description of the travel proposed including a statement as to purpose;Be summarized by traveler;Identify the travel request/travel authorization number associated with the travel;Be submitted in advance of the travel with sufficient time to permit review and approval.Not be considered approved until written approval is received from the COR (email shall suffice in limited circumstances).The Contractor shall propose and utilize an organized method and format for the tracking and approval process associated with all Travel Requests. The method and format will be reviewed and approved by the COR post award.Trip ReportsThe Government will identify the need for a Trip Report (if required) when the request for travel is submitted. The Contractor shall keep a summary of all long-distance travel, to include, at a minimum, the name of the employee, location of travel, duration of trip, and POC at travel location. Trip Reports will be fully documented within five business days of return for Government review. Trip Reports shall be provided for all conferences, IPRs, and travel, unless forbearance is granted by the GSA or NAVY COR.Key Personnel The following positions have been identified as Key Personnel and are considered the primary technical representatives for their respective MAA area. The Contractor shall ensure these positions are filled throughout the performance of the Contract. All personnel assigned under Key Personnel shall meet the specific minimum requirements of that category. Security clearances must be active at the time of award and sustained throughout the life of the Task Order. Senior Critical Infrastructure SpecialistMinimum 10 years of DoD service in Critical Infrastructure and MA Programs at Service HQ levelMaster’s Degree in International Studies or Political Science Experience with the DoD Joint Capability Areas (JCA) and implement the Unified Joint Task List (UJTL), Joint Mission Essential Tasks (JMET), and Mission Essential Tasks (MET) in support of military requirementsMinimum of five (5) years of experience in executing Committee on Foreign Investment in the United States (CFIUS) review and investigationNAV-CAMS training or equivalent Asset and Risk Management Program ExperienceDemonstrated understanding of DON Risk MethodologiesNAV-CAMS training or equivalent Asset and Risk Management Program ExperienceActive SECRET security clearance with the ability to attain TOP SECRET clearance with the ability to attain Sensitive Compartmented Information (SCI)Hazard Threat Assessment Senior AnalystMinimum 10 years of experience in military intelligenceMinimum five (5) years of experience in Mission AssuranceMinimum five (5) years of experience executing threat and hazard assessments at the Service Headquarters and experience developing analytic methodologies and assessment program guidesKnowledge of current domestic and international threats and hazards to the U.S. national security interestsKnowledge and use of intelligence community IT programs, systems, and applicationsBachelor’s degree or higher from an accredited universityActive SECRET security clearance with the ability to attain TOP SECRET clearance with the ability to attain Sensitive Compartmented Information (SCI)Senior Utility Assessment Project Manager: Minimum 15 years of DoD experience in executing DoD Telecommunications and mission planning; active duty, civilian or contractorMinimum five (5) years of experience executing higher headquarters MA program reviews and installation level Utility Security assessmentsExperience developing analytic methodologies and assessment program guidesCertifications in CISSP, ITIL Foundations Certification, Network+ Comptia Certification.Experience in Project Management, Computer Science, Telecommunications of related experience with Telcom (CBX/PBX) microcode programming experience, or an equivalent combination of education and experience.Candidate must have expertise in Infrastructure, utilities, electrical systems, mission assurance/analysis. This position requires a minimum of a SECRET personnel security clearance.Industrial Control System (ICS) Cybersecurity Project ManagerMinimum 15 years of experience leading cybersecurity organizations including 5 years leading MA Cyber teams Master’s degree in Cybersecurity, Information Assurance or related field; Undergraduate degree in Computer Science or related fieldMinimum seven (7) years of control system cybersecurity experience; 15 years cybersecurity experience with traditional computer systems (Server/desktop OS, Databases security, webserver security, encryption);Minimum five (5) years’ experience executing Service Headquarters MA Cyber program reviews and installation level MA Cyber assessments; Cybersecurity certification at IAM level III and control system cybersecurity specific certification like GICSP and DHS ICS-CERT Training. 5 years of Cybersecurity assessments on airfield systems, DDC, BCS, ICS, UCS, EMCS, and control system networks; mitigation experience for most significant DoD control system cybersecurity concerns; leading Computer Network Defense (CND) organizations or Cyber Blue Teams.Experience conducting control system validations for DoN; USMC Control System Platform Enclave (CS-PE) or the USN CS-PE; experience supporting OSD with control system cybersecurity policy reviews; Clearable to TS/SCI level.Mission Assurance Project Manager. Minimum 10 years of Risk Management and Supporting Infrastructure ExperienceMinimum 10 years of experience executing higher headquarters MA program reviews and installation level MA assessmentsMinimum five (5) years of experience developing risk management methodologies, and managing Department of Navy contracts related to Mission Assurance; Minimum of two (2) years leading and organizing mission assurance assessment teamsNAV-CAMS training or equivalent Asset and Risk Management Program ExperienceMust be certified as a Project Management Professional (PMP) or Master Project Manager (MPM) TOP SECRET clearance with the ability to attain Sensitive Compartmented Information (SCI)Bachelor’s Degree: Business, Operations, Political Science, Security, Security Studies, TechnicalDesired qualifications include Certified Protection Professional and DHS training in Critical Infrastructure Security and ResilienceReplacement of Key Personnel The Contractor is expected to minimize employee turnover with respect to personnel performing under this Task Order. The Contractor shall not remove or replace any personnel designated as key personnel under this TO without the written concurrence of the CO. Prior to utilizing other than personnel specified in the task order proposal submitted in response to this requirement, the Contractor shall notify the Government CO and the COR. This notification shall be no later than ten (10) calendar days in advance of any proposed substitution and shall include a resume for the proposed substitution and justification in sufficient detail to permit evaluation of the impact of the change on TO performance.The request shall be written and provide a detailed explanation of the circumstances necessitating the proposed substitution. The Contractor shall submit a resume for the proposed substitute and any other information requested by the COR needed to approve or disapprove the substitution. The COR will evaluate such requests and promptly. The replacement key personnel shall possess skills of equal or greater qualifications to those being replaced. The CO will notify the Contractor of approval or disapproval thereof in writing.If the Government CO and the COR determine that the proposed substitute personnel is unacceptable, or that the reduction of effort would be so substantial as to impair the successful performance of the work under the TO, the substitution will be denied and the Contractor shall propose an alternate ernment Furnished Property, Equipment, and Information (GFP/E/I)GFP will be identified and provided at the individual task order level. The Government will provide all Government Furnished Property (GFP) in accordance with FAR Part 45 guidelines. Government Furnished Material (GFM) and Government Furnished Equipment (GFE) may be provided to support individual task orders under this IDIQ. Contractors shall be responsible for preventing damage to all GFM/GFE. Contractors shall be responsible for conducting all necessary examinations, inspections, maintenance and tests of all GFE. Contractors shall be responsible for reporting all inspection results, maintenance actions, losses and damage to the Government. If a Contractor loses or damages the equipment, it will be the Contractor’s responsibility, in accordance with the contract clauses, to replace or repair the equipment to original or better condition at no additional cost to the Government.Contractors shall dispose, recycle, or salvage components as directed by the Government. Contractors shall, at a minimum, meet the requirements in accordance with MIL-STD-882E and DoD 5000.02. At the conclusion of each task order PoP, the Contractor shall account for, return, and/or dispose of all GFP within thirty (30) calendar days from completion of the ernment Furnished Information (GFI)The Contractor shall protect Government data and information, by treating the information as sensitive. Sensitive but unclassified information shall only be disclosed to those authorized personnel described in the task order. The Contractor shall keep the information confidential and use appropriate safeguards to maintain its security in accordance with minimum Federal standards. When no longer required, information shall be returned to Government control, destroyed, or held until otherwise directed by the Ordering CO. GFI will be identified and provided at the individual task order level. The Government will make available to contractors, GFI to include Government forms, publications and documents and access to manuals and materials necessary to perform work under the individual task orders. The Contractor shall ensure that appropriate administrative, technical, and physical safeguards are established to ensure the security and confidentiality of information is properly protected. The Contractor shall be responsible for properly protecting all information used, gathered, or developed as a result of work under the task order.Work under specific task orders may require that the Contractor’s personnel to have access to Privacy Information. Contractor personnel shall adhere to the Privacy Act, Title 5 of the U.S. Code, section 552a and applicable agency rules and regulations. Records and DataThe Government will be sole owner of all technical data, software developed, and infrastructure designed under this project. The Contractor shall deliver to DMDC all software, software licenses, data, form, fit and data first produced (including source code), written documents and reports to include, at a minimum, system change plans, various operations procedures and planning documents, meeting minutes, reports, manuals, training text, program management reviews, financial status reports, and any other documents created in support of this agreement or task orders. All system documentation shall be updated to remain current with each software development activity/phase. The Government will include the actual requirements, formats, delivery schedules and points of contact in each order. DMDC will have unlimited rights as allocated under FAR 52.227-14(b) in all data delivered under the orders. Unless otherwise stated in the orders, the Contractor shall submit deliverables to the COR or his or her designee. The Government will include review times and response to review comments in the orders. The COR will serve as DMDC’s focal point for accepting the deliverables unless an order provides for other procedures. Data Rights The Government requires unlimited rights in any material first produced in the performance of this contract or any task order, in accordance with the FAR clause at 52.217-14. In addition, for any material first produced in the performance of a task order, the materials may be shared with other agencies or contractors during the period of performance of the task order, or after its termination. For any subcontractors or teaming partners, the Contractor shall ensure at proposal submission that the subcontractors and /or teaming partners are willing to provide the data rights required under the task order. Limited Use of Data Performance of this effort may require the Contractor to access and use data and information proprietary to a Government agency or Government Contractor which is of such a nature that its dissemination or use, other than in performance of this effort, would be adverse to the interests of the Government and/or others. Contractor and/or Contractor personnel shall not divulge or release data or information developed or obtained in performance of this effort, until made public by the Government, except to authorize Government personnel or upon written approval of the Contracting Officer (CO). The Contractor shall not use, disclose, or reproduce proprietary data that bears a restrictive legend, other than as required in the performance of this effort. Nothing herein shall preclude the use of any data independently acquired by the Contractor without such limitations or prohibit an agreement at no cost to the Government between the Contractor and the data owner which provides for greater rights to the Contractor. Disclosure of Information Information made available to the Contractor by the Government for the performance or administration of this effort shall be used only for those purposes and shall not be used in any other way without the written agreement of the Contracting Officer. The Contractor agrees to assume responsibility for protecting the confidentiality of Government records, which are not public information. Each Contractor or employee of the Contractor to whom information may be made available or disclosed shall be notified in writing by the Contractor that such information may be disclosed only for a purpose and to the extent authorized herein. Breach Response DoD 5400.11-R, "DoD Privacy Program," May 14, 2007, defines a breach as the "actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for other than authorized purposes where one or more individuals will be adversely affected." The Contractor shall establish appropriate administrative, technical, and physical safeguards to protect any and all Government data. The Contractor shall also ensure the confidentiality, integrity, and availability of Government data in compliance with all applicable laws and regulations, including data breach reporting and response requirements, in accordance with DFAR Subpart 224.1 (Protection of Individual Privacy), which incorporates by reference DoDD 5400.11, "DoD Privacy Program," May 8, 2007, and DoD 5400.11-R, "DoD Privacy Program," May 14, 2007. The Contractor shall also comply with federal laws relating to freedom of information and records management. Upon discovery of any known or suspected security/privacy incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the contractor/subcontractor has access, the contractor/subcontractor shall immediately and simultaneously notify the COR, the designated Cyber Security Officer, and Privacy Officer for the contract within one (1) hour. The term "security incident" means an event that has, or could have, resulted in unauthorized access to, loss or damage to DMDC assets, or sensitive information, or an action that breaches DMDC security procedures. The Contractor shall adhere to the reporting and response requirements set forth in the Office of the Secretary of Defense (OSD) Memorandum 1504-07, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," June 5, 2009; DoD 5400.11-R, and applicable DMDC Privacy Office guidance. The Contractor shall, at their own expense, take action to mitigate, to the extent practicable, any harmful effect that is known to the Contractor of a use or disclosure of Protected Information by the Contractor in violation of the requirements of this Clause. In the event of a data breach or privacy incident involving contractor processes under this contract, the Contractor shall be liable to DMDC for liquidated damages for a specified amount per affected individual to cover the cost of providing credit protection services to those individuals. Invoicing The following clauses are incorporated into the task or contract. A monthly status report shall accompany each invoice submitted in ITSS.Clause #1 – InvoicesThe Period of Performance (POP) for each invoice shall be for one calendar month. The contractor shall submit only one invoice per month per order/contract. The appropriate GSA office will receive the invoice by the twenty-fifth calendar day of the month after either:The end of the invoiced month (for services) orThe end of the month in which the products (commodities) or deliverables (fixed-priced services) were delivered and accepted by the Government.For Cost Type, Labor Hour and Time and Material orders/contracts each invoice shall show, the skill level category, the hours worked per skill level, the rate per skill level and the extended amount for that invoice period. It shall also show the total cumulative hours worked (inclusive of the current invoice period) per skill level, the hourly rate per skill level, the total cost per skill level, the total travel costs incurred and invoiced, and the total of any other costs incurred and invoiced, as well as the grand total of all costs incurred and invoiced.For Cost Type, Labor Hour and Time and Material orders/contracts each invoice shall clearly indicate both the current invoice’s monthly “burn rate” for hours and dollars. Total average monthly “burn rate” may be provided in the Monthly Status Report that accompanies the invoice. The invoice shall also include running totals for both hours and dollars.The contractor shall submit all required documentation (unless exempted by the contract or order) as follows:For Travel: Submit the traveler's name, dates of travel, location of travel, and dollar amount of travel.For ODCs: Submit a description of the ODC, quantity, unit price and total price of each ODC.Note: The Government reserves the right to audit, thus; the contractor shall keep on file all backup support documentation for travel and ODCs.Note: For Firm Fixed Price, Labor Hour, and Time and Material fiscal task items:Charges:All invoice charges must be task item specific (only one task item) unless concurrent task item periods of performance exist.For invoices with concurrent task item periods of performance all invoice charges must be service month specific (that is one service month only).Credits:If the credit invoice is for the same year of a particular ACT#, the contractor shall include that credit on a subsequent invoice submission against that same ACT#. If the contractor is unwilling to offset a subsequent invoice then they must submit a refund check.When the credit invoice is for a different year, the contractor shall submit a refund check for that credit invoice.Invoices that net to a credit balance SHALL NOT be accepted. Instead a refund check must be submitted by the contractor to GSA accordingly. The refund check shall cite the ACT Number, task item, and the period to which the credit pertains. The contractor shall provide the credit invoice as backup documentation. Do not attach credit invoice in ITSS or on the Finance website. It must be attached to the refund check. The refund check shall be mailed to:General Services AdministrationP.O. Box 6200-29Portland, OR 97228-6200Posting Acceptance Documents: Invoices shall be submitted monthly through GSA’s electronic Web-Based Order Processing System, currently ITSS, to allow the client and GSA COTR to electronically accept and certify services received by the customer representative (CR). Included with the invoice will be all back-up documentation required such as, but not limited to, travel authorizations and training authorizations (including invoices for such).Receiving Agency’s Acceptance: The receiving agency has the following option in accepting and certifying services:Electronically: The client agency may accept and certify services electronically via GSA’s electronic Web-Based Order Processing System, currently ITSS, by accepting the Acceptance Document generated by the contractor. Electronic acceptance of the invoice by the CR is considered concurrence and acceptance of services.Content of Invoice: The contractor’s invoice will be submitted monthly for work performed the prior month. The contractor may invoice only for the hours, travel and unique services ordered by GSA and actually used in direct support of the client representative’s project. The invoice shall be submitted on official letterhead and shall include the following information at a minimum.GSA Task Order NumberTask Order ACT NumberRemittance AddressPeriod of Performance for Billing PeriodPoint of Contact and Phone NumberInvoice AmountSkill Level Name and Associated Skill Level NumberActual Hours Worked During the Billing PeriodTravel Itemized by Individual and Trip (if applicable)Training Itemized by Individual and Purpose (if applicable)Support Items Itemized by Specific Item and Amount (if applicable)Final Invoice: Invoices for final payment must be so identified and submitted within 60 days from task completion and no further charges are to be billed. A copy of the written acceptance of task completion must be attached to final invoices. The contractor shall request from GSA an extension for final invoices that may exceed the 60-day time frame.The Government reserves the right to require certification by a GSA COTR before payment is processed, if necessary.The Government reserves the right to modify invoicing requirements at its discretion. The Contractor shall comply with any revised invoicing requirements at no additional cost to the GovernmentClose-out ProceduresGeneral: The contractor shall submit a final invoice within sixty (60) calendar days after the end of the Performance Period. After the final invoice has been paid the contractor shall furnish a completed and signed Release of Claims (GSA Form 1142) to the Contracting Officer. This release of claims is due within fifteen (15) calendar days of final payment.Acceptable Skill Level Variation in Severable Labor Hour and Time and Material Orders/Contracts (July/2005)The contractor may exceed the total number of labor hours per awarded skill level per base or option period, to a limit of 15% as long as the total task order obligated dollar amount per that base or option period is not exceeded, and as long as the contractor maintains an acceptable level of effort throughout the required period of performance.The contractor is not authorized to add new skill level categories or vary between levels within the same labor category without approval of the Government, formalized in a signed modification by the contracting anizational Conflict of Interest Contractor and subcontractor personnel performing work under this contract may receive, have access to, or participate in the development of proprietary or source selection information (e.g., cost or pricing information, budget information or analyses, specifications or work statements, etc.), or perform evaluation services which may create a current or subsequent Organizational Conflict of Interests (OCI) as defined in FAR Subpart 9.5. The Contractor shall notify the Contracting Officer immediately whenever it becomes aware that such access or participation may result in any actual or potential OCI and shall promptly submit a plan to the Contracting Officer to avoid or mitigate any such OCI. The Contractor’s mitigation plan will be determined to be acceptable solely at the discretion of the Contracting Officer and in the event the Contracting Officer unilaterally determines that any such OCI cannot be satisfactorily avoided or mitigated, the Contracting Officer may affect other remedies as he or she deems necessary, including prohibiting the Contractor from participation in subsequent contracted requirements which may be affected by the OCI. Non-Disclosure Requirements All contractor personnel (to include subcontractors, teaming partners, and consultants) who will be personally and substantially involved in the performance of the contract issued which requires the contractor to act on behalf of, or provide advice with respect to any phase of an agency procurement, as defined in FAR 3.104-4, shall execute and submit a Contractor Non-Disclosure Agreement” Form. This is required prior to the commencement of any work on such task order and whenever replacement personnel are proposed under an ongoing task order. Any information obtained or provided in the performance of this contract is only to be used in the performance of the task order. The Contractor shall take the necessary steps in accordance with Government regulations to prevent disclosure of such information to any party outside the Government and to indoctrinate its personnel who have access to sensitive information and the relationship under which the Contractor has possession of or access to the information. Contractor personnel shall not engage in any other action, venture or employment wherein sensitive information will be used for the profit of any party other than those furnishing the information. The Nondisclosure Agreement for Contractor Employees shall be signed by all indoctrinated personnel and forwarded to the Contracting Officer Representative (COR) for retention, prior to work commencing. The Contractor shall restrict access to sensitive/ proprietary information to the minimum number of employees necessary for contract/Task order performance. Section 5.8 Compliance Unless the Government invokes an exemption, all EIT products and services proposed shall fully comply with Section 508 of the Rehabilitation Act of 1973, per the 1998 Amendments, and the Architectural and Transportation Barriers Compliance Board’s Electronic and Information Technology Accessibility Standards at 36 CFR 1194. The Contractor shall identify all EIT products and services proposed, identify the technical standards applicable to all products and services proposed and state the degree of compliance with the applicable standards. Additionally, the Contractor must clearly indicate where the information pertaining to Section 508 compliance can be found (e.g., Vendor’s or other exact web page location). The Contractor must ensure that the list is easily accessible by typical users beginning at time of award. Special Provisions Under this Task Order General Theater Requirements All DoD and DoD-sponsored personnel, including DoD-sponsored Contractors, will ensure personnel entrance requirements for country, theater, and/or special area clearance are met IAW Department of Defense Foreign Clearance Guide (DoD 4500.54-G)(FCG). DoD-sponsored Contractors shall provide all required personnel data to the QAE The Contractor shall ensure all deployed personnel are medically qualified to deploy and perform in austere environments where medical services are at a minimum. The Contractor shall provide approved deployment physical examination results for all personnel. The inability to comply with this requirement is grounds for dismissal. Combatting Trafficking in PersonsFAR 52.222-50 The United States Government and the United States Department of Defense (DOD) has adopted a zero tolerance policy regarding trafficking in persons. Contractors, subContractors and their employees shall not: Engage in severe forms of trafficking in persons during the period of performance of the contract; procure commercial sex acts during the period of performance of the contract or use forced labor in the performance of the contract.Facilities The government will provide office facilities. The Contractor shall use Defense Service Network (DSN) to the maximum extent possible. The installation, maintenance, repair and removal of all Government furnished telephone/fax instruments will be the responsibility of the Government. The Contractor personnel shall not relocate the Government furnished telephone or fax equipment unless approved or directed by the functional area QAE. Unless otherwise noted, the Government will furnish essential day-to-day consumable operating supplies required for the performance of this task order.The Contractor shall be responsible for keys and access cards provided by the Government. Keys will not be duplicated nor used by unauthorized personnel. The Contractor shall develop and implement procedures to ensure that keys issued to the Contractor are safeguarded and controlled in accordance with these regulations. Procedures implemented will be documented in the physical security plan. The government will furnish keys and locks required for the performance of the contract. The Contractor shall inventory all Government issued keys IAW with applicable guidance. TransportationAs authorized by the Contracting Officer’s Representative (with specific authority), Contractors may utilize military, leased or rented vehicles, in lieu of base shuttles, when necessary to provide timely support to military units supported by this task order.FuelIn situations that dictate under this task order, fuel is authorized to be obtained from Government or military sources in accordance with processes defined by applicable regulation and policy with the supporting documentation and approval authorities required by Department of Defense, the United States Navy and local Navy commands.Logistical Support and Privileges in Host Country United States citizen Contractor employees who are authorized entry to the overseas command may be authorized by the discretion of local command policy, the Logistical Support Services defined in Appendix A, in accordance with DA PAM and AR 715-ernment Furnished Logistics Support for Deployed ContractorsThe QAE at each site may identify certain equipment items as critical to mission operations. Systems using critical equipment must be returned to operational status within the times established by the QAE. If a critical equipment item spare is installed to replace a failed critical equipment item and installation of the spare returns the system to its full operational capability, then the critical equipment removed for repair shall be subject to the routine repair TAT. In no event shall the system be disrupted in excess of the time established for that particular system. Critical equipment shall be annotated as critical in the inventory management system.The Government shall provide field living conditions and amenities, equivalent to that available to military and/or Government civilians, to deployed Contractor personnel.The Government is responsible for providing information on all requirements necessary for deployment.The COR will provide the Contractor with the anticipated work schedule. The COR may alter the work schedule to ensure the Government's ability to continue to execute its mission. The COR will provide the Contractor with the anticipated duration of the deployment.At no cost to the Contractor, the Government will provide adequate force protection training for Contractor personnel subject to deployment.The COR will inform the Contractor of all Nuclear, Biological, and Chemical (NBC) equipment and Chemical Defensive Equipment (CDE) training requirements and standards.The Government shall provide the Contractor employees with CDE familiarization training for the performance of mission essential tasks in designated high threat countries. This training shall be commensurate with the training provided to Department of Defense civilian employees. The COR shall identify to the Contractor all identification cards and tags required for deployment and shall inform the Contractor where the identification cards and tags are to be issued. Upon redeployment, the Contractor shall ensure that all issued controlled identification cards and tags are returned to the Government.Unless authorized by the theater commander or his designee, Contractors accompanying the force are not authorized to wear military uniforms, except for specific items required for safety and security. If required, the Government will provide the Contractor all military unique organizational clothing and individual equipment. (Types of organizational clothing and individual equipment may include Nuclear, Biological, and Chemical defensive equipment and/or heavy winter clothing)The CO may direct the Contractor, at the Contractor's expense, to remove or replace any Contractor employee failing to adhere to instructions and general orders issued by the COR. If a Contractor employee departs an area of operations without permission, the Contractor shall ensure continued performance in accordance with the terms and conditions of the contract. Ifthe Contractor replaces an employee who departs without permission, the replacement is at Contractor expense and must be in place within five days or as directed by the CO.Contractor personnel may be authorized by the Government to travel in military vehicles.Contractor Furnished Logistical Support for Deployed ContractorsContractor personnel subject to deployments shall have all passports, visas, and/or other documents, as well as inoculations necessary to enter and/or exit any area(s) identified by the COR. The Contractor shall register all personnel with the appropriate US Embassy or Consulate.Contractor employees shall be subject to the customs processing procedures, laws, agreements, and duties ofthe country in which they are assigned to work and/or deploying to and the procedures, laws, and duties of the United States upon re-entry.When Contractor personnel are required to deploy with users, Contractor personnel shall perform under policies established by the Theater Commander. Contractor personnel shall meet theater personnel clearance requirements and obtain necessary personnel clearance prior to entering the AOR.In the event Contractor personnel are not allowed to deploy to support a mission, Contractor personnel will provide familiarization and instruction to Government personnel on basic maintenance techniques for the equipment items deployed. TAT for repair of any deployed equipment shall be on a "best effort" basis as dictated by the deployed operational environment.For equipment that may be deployed, as identified by COR, the Contractor shall maintain a spares kit to ensure that adequate spare parts are available to support deployable equipment in the event of a training or crisis situation and to support all other deployments. The COR will authorize purchase of parts to support spares kits.The Contractor shall brief employees regarding the potential danger, stress, physical hardships, and field living conditions that are possible if the employee deploys in support of military operations.The Contractor, at no cost to the Government, may rotate Contractor employees into and out of the theater provided there is no impact to the mission. The Contractor shall coordinate personnel changes with the COR.At the request of the COR, the Contractor shall report its employees, including third country nationals, entering, located within, and/or leaving the area of operations by name, citizenship, location, Social Security number (SSN), or other official identity document number. These reports shall be furnished to the COR at both the departing location and the receiving locationAll deployed Contractor employees and agents shall comply with pertinent Service and Department of Defense directives, policies, and procedures as provided by the COR. The Contractor shall also ensure compliance with federal statutes, judicial interpretations, and international agreements (e.g., SOFAs, Host Nation Support Agreements, etc.) applicable to US Armed Forces or US citizens in the area of operations. Host Nation laws and existing SOFAs may take precedence over contract requirements.The Contractor shall ensure that Contractor employees possess the necessary and appropriate personal clothing and safety equipment to execute contract performance in the theater of operations in accordance with the task order. Clothing should be distinctive and unique and not imply that the Contractor is a military member, while at the same time not adversely affecting the Government's tactical position in the field.The Contractor employee shall sign for all issued organizational clothing and individual equipment, thus, acknowledging receipt and acceptance of responsibility for the proper maintenance and accountability of issued organizational clothing and individual equipment. Upon completion of the deployment, the Contractor shall ensure that all Government-issued clothing and equipment provided to Contractor personnel is returned to the Government issuing office.Upon notification by the COR, the CO will require the Contractor to reimburse the Government for organizational clothing and individual equipment lost or damaged due to Contractor negligence.Defense Base Act (DBA) Insurance. DBA Insurance, Contractors shall obtain commercially available DBA insurance from a Department of Labor (DOL) authorized insurance carrier unless the Contractor is under a self-insurance program approved by the DOL or subject to a waiver. The DOL approved carriers and self-insured employers are available at . The DBA insurance premium amount varies with payroll and the nature of services. The actual amount paid by the Government under this CLIN will be based on the actual paid amount for DBA and submitted by the Contractor after contract award. The Government agrees to reimburse the Contractor when in a hazardous duty state or hostile area. The reimbursement rate of pay is only authorized when deployed to a hazardous duty area, defined by the Government through State Department designations as appropriate. In the event of recalculation of the premium by the DBA Insurer based on actual payroll amounts, the Contracting Officer will adjust this CLIN by contract modification to reflect the actual premium amount paid. The vendor shall obtain DBA Insurance prior to any work performed under this contract.Before deployment, the Contractor shall ensure that each Contractor employee completes a DD Form 93, Record of Emergency Data Card, and returns the completed form to the COR. The Contractor shall provide employees who are medically fit and capable of enduring the rigors of deployment in the designated theater of operations. Contractor personnel may be required to undergo medical screening, which may include DNA sampling. Medical screening requirements will be detailed by the host site. Any personnel deemed unsuitable to deploy during the deployment process, due to medical or dental reasons, will not be authorized to deploy with the military force.Deploying civilian Contractor personnel shall carry with them a minimum of a 90-day supply of any medication they require.The Contractor shall perform the requirements of this contract notwithstanding the fitness for duty of deployed employees, the provisions for care offered under this section, and redeployment of individuals determined to be unfit.The Contractor bears the responsibility for ensuring all employees are aware of the conditions and medical treatment available at the performance location. The Contractor shall include this information and requirement in all subcontracts with performance in the theater of operations.Whether Contractor personnel will be permitted to carry a government furnished weapon for self-defense purposes in the Area of Operations (AO) is at the discretion of the Theater Commander. However, Contractor personnel will not possess personally owned firearms in the AO. The government may choose to issue military-specification personal weapons and ammunition (M9 Pistols) for self-defense to the Contractor employees. Acceptance of weapons by Contractor employees is at the discretion of the Contractor and the Contractor employees. When accepted, the Contractor employee is responsible for using the weapon in accordance with the applicable rules governing the use of force. The Contractor employee must be aware they may incur civil and criminal liability, both under host nation law or U.S. criminal and civil law, for improper or illegal use of the weapons. Also, only military issued ammunition may be used in the weapons.Occupational Safety and Health Administration (OSHA)The Contractor shall be in compliance with applicable state and federal safety standards. Special safety requirements will be identified in the individual tasks, when required. The Contractor must ensure that they are in compliance with all applicable OSHA standards.Enterprise-Wide Contractor Manpower Reporting Application (eCMRA)The contractor shall report ALL contractor labor hours (including subcontractor labor hours) required for performance of services provided under this contract via a secure data collection site. The contractor is required to completely fill in all required data fields using the following web address: . Reporting inputs will be for the labor executed during the period of performance during each Government fiscal year (FY), which runs October 1 through September 30. While inputs may be reported any time during the FY, all data shall be reported no later than October 31 of each calendar year, beginning with 2013. Security Clearance and Requirements: Refer to the attached DD254 (Attachment A)The work to be performed under this task order requires that selected contractor personnel possess a DoD SECRET security clearance. This work will require access to classified material up to and including the TOP SECRET level. All final Assessment reports will be compiled at a SECRET level. The contractor shall possess and maintain a TOP SECRET facility clearance from Defense Security Services. This task order requires the contractor obtain government CACs and NIPR e-mails. Obtaining these items will be coordinated with the Contracting Officer and/or the COR. The contractor shall be responsible for safeguarding all government equipment, information and property provided for contractor use. At the close of each work period, government facilities, equipment, and materials shall be secured.The contractor shall establish and implement methods of making sure all key cards or tokens issued to the contractor by the Government are not lost or misplaced and are not used by unauthorized persons. The contractor shall immediately report any occurrences of lost key cards or tokens to the Contracting Officer.SafetyThe contractor shall provide the COR a copy of the signed Accident Prevention Plan (APP) prior to the start of site visits. An APP shall be developed for each site the contractor will be visiting. Reference Documents:MAAT Program Guide Final 2019 (or latest)AHTA Methodology (U-FOUO) 26AUG2019 (or latest)Navy MA Team Guide (or latest)FY20 Navy CNO MAA Benchmarks (or latest)NAV-CAMS Business RulesAppendicesAppendix A: Appendix A - Logistical Support Annex (European Theater)Clauses18.1 Federal Acquisition Regulations (FAR) ClausesCLAUSE NO.CLAUSE TITLEDATESECTION 9.5ORGANIZATIONAL CONFLICT OF INTEREST52.203-11CERTIFICATION AND DISCLOSURE REGARDING PAYMENTS TO INFLUENCE CERTAIN FEDERAL TRANSACTIONS(SEP 2007)52.204-2SECURITY REQUIREMENTS(AUG 1996)52.204-9PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL(JAN 2011)52.227-21TECHNICAL DATA DECLARATION REVISIONAND WITHHOLDING OF PAYMENT – MAJOR SYSTEMS(DEC 2007)52.237-3CONTINUITY OF SERVICES(JAN 1991)52.244-6SUBCONTRACTS FOR COMMERCIAL ITEMS(JUL 2013)52.245-1GOVERNMENT PROPERTY(APR 2012)52.245-1GOVERNMENT PROPERTY(JUN 2007)52.237-3CONTINUITY OF SERVICES(JAN 1991)18.2 Defense Federal Acquisition Regulation SupplementCLAUSE NO.CLAUSE TITLEDATE252.227-7013RIGHTS IN TECHNICAL DATA - NONCOMMERCIAL ITEMS(JUN 2013)252.227-7014RIGHTS IN NONCOMMERCIAL COMPUTER SOFTWARE AND NONCOMMERCIAL COMPUTER SOFTWARE DOCUMENTATION(MAY 2013)252.227-7015TECHNICAL DATA- COMMERCIAL ITEMS(JUN 2013)252.227-7016RIGHTS IN BID OR PROPOSAL INFORMATION(JUN 2011)252.227-7013RIGHTS IN TECHNICAL DATA - NONCOMMERCIAL ITEMS(JUN 2013)252.227-7019VALIDATION OF ASSERTED RESTRICTIONS -COMPUTER SOFTWARE (SEP 2011)252.227-7028TECHNICAL DATA OR COMPUTER SOFTWARE PREVIOUSLY DELIVERED TO THE GOVERNMENT(JUN 1995)252.232-7007LIMITATION OF GOVERNMENT’S OBLIGATION(MAY 2006)252.246-7001WARRANTY OF DATA(DEC 1991)Attachment A: DD Form 254 (Will be provided to awardee post award)Attachment B: SAMPLE Site list and site visit scheduleUSN Sites – BASENo.DeliverableLocationDatesU&MA DaysMAA Days2, 3, 4, 5, 6, 7, 8NAS PensacolaQ4 2020Q1 2021552, 3, 4, 5, 6, 7, 8NAS Whiting FieldQ4 2020 Q1 2021552, 3, 4, 5, 6, 7, 8NAS MeridianQ4 2020 Q1 2021552, 3, 4, 5, 6, 7, 8CBC GulfportQ4 2020 Q1 2021552, 3, 4, 5, 6, 7, 8NSA Souda BayQ4 2020 Q1 2021852, 3, 4, 5, 6, 7, 8CFA Okinawa/NRTF AwaseQ4 2020 Q1 2021452, 3, 4, 5, 6, 7, 8, 13NSA Hampton RoadsQ4 2020 Q1 2021552, 3, 4, 5, 6, 7, 8CBC GulfportQ4 2020 Q1 202155MiscellaneousNo.DeliverableTitle / LocationDatesDays141Kickoff Meeting (Washington DC, 20350)19Regional SMIG/EMIG ListTBD10Draft CAIP listTBD11NAV-CAMS Data EntryMonthlyAttachment C: SAMPLE Mobile Training Team schedule USN Sites –– By RegionNo.DeliverableLocationDatesDays12CNRJ5CNRMA5CNRNDW5CNREURAFCENT5 ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download