General Services Administration

 PERFORMANCE WORK STATEMENT (PWS)Defense Finance and Accounting Service (DFAS)Standard Operation and Maintenance Army Research and Development System (SOMARDS)*Note that this sample has been revised from the source document on the Government Point of Entry as necessary to align formatting and applicable FAR procedures.* GENERAL: The primary purpose of this statement of work is to obtain labor for sustainment services for the Standard Operation and Maintenance Army Research and Development System (SOMARDS) and the Data Element Management/Accounting and reporting System (DELMARS). This PWS sets forth the services required of the contractor in support of both systems and associated executive software, hosted at DECC Ogden.Background: SOMARDS is a standard financial accounting and reporting system providing an interactive mainframe system that stores all types of financial data in hierarchical databases that are readily accessible to all authorized users for query. The system provides for reimbursable customer and direct mission funds control, and reporting for labor, reimbursable billings, advances, and general operating expenses. Particular features include online and batch processing; general ledger reporting; production of daily, regulatory, and monthly reports; online and batch reject re-entry; file inquiry/maintenance capability; and month-end/year-end close and purge processes. DFAS has an urgent need to continue contract labor services due to a lack of skilled resources necessary to perform this work.Objectives: The objective of this PWS is to define the support and tasks necessary to obtain the technical information and technology support services needed to maintain and sustain DFAS Automated Information Systems (AIS) SOMARDS. Scope: The contractor shall:Provide sustainment and additional functionality services for functional and technical exchanges of information, data processing support, and programming and functional support of SOMARDS, DELMARS and associated executive software. The support will cover appropriate requirements from the financial arena, will provide system analysis, system design, software engineering, release management, security testing, code integrity testing, configuration management support, and internal controls in support of SOMARDS, and be conducted on a time and material price basis. The activities worked during the month will be identified in the Monthly Status Report, which is due on the 10th day of the following month for the prior month. The performance standard for this deliverable is on time delivery 90% of the time during the period of performance. Support the maintenance of existing repositories in the DISA environment for the following:System and software requirements Design specifications Software code as directed by existing system specific standards for SOMARDS Monitor different repository content for currency, consistency, and completeness Version management of each repository Archive and delete obsolete components Provide training in repository use and document usage procedures as currently provided in support of the SOMARDS application Provide Production Support. Production support is identified as support required due to a system or software problem that directly impacts site operations. Requests for production support are handled during normal duty hours, and will be sent to the existing “mail.mil” distribution list established by the SOMARDS System Management Office (SMO). Production support will include:Establish a liaison with the specified Government representative or activity to assist in the resolution/analysis/input of problem trouble reports Provide customer assistance via telephonic and/or electronic media to resolve customer problems/inquiries Use all available resources to resolve problems reported by user installationsProvide Production Support documentation which describes in detail the contractor’s standard operating procedure (SOP) in responding to Production Support problems. Support Environment Release Management by:Coordinating with the SOMARDS SMO on the release of software and application documentation to ensure proper authorization and protection of baselinesSupport emergency software releases and management internal control program initiatives as required by the government System Manager and/ Change Configuration Board. Deliverables from this task shall include software and documentation releases, release schedules, and configuration audit reports. Support maintenance of SOMARDS and its subsystems. Maintenance will include support of Configuration Management, Version/Standards Management, and Quality Testing to ensure continuity of service to users and maintain baseline functionality of the systems and subsystems. Provide application code/and or parametric changes to implement fiscal year changes, regulatory changes, changes to address production processing problems, external application interface changes and processing efficiency improvements.Support life cycle management as defined in the DFAS 8430. Contractor shall prepare functional descriptions, perform software modeling and design, coding and execution of test plans, software test reports, and preparation of user and system documentation. This tasking shall be accomplished using standard operating procedures developed in accordance with the DFAS 8430.Provide training and documentation usage procedures as currently being provided in support of the SOMARDS Application. Support Software Quality Assurance by:Ensuring the procedures, methodologies, and tools specified in existing system specific standards for SOMARDS are successfully implemented.Ensuring implemented Computer Software Configuration Items (CSCIs) meet the specified quality requirements. Applying the management and engineering procedures, methodologies, and tools specified in existing system specific standards for SOMARDS. Examples of procedures, methodologies, and tools include requirement specification languages; program design languages; program support libraries; internal audits, walk-through’s, and reviews; programming teams; and independent testing. Leading or participate in designated software quality assurance reviews.Provide support to maintain the integrity of all Configuration items on the development platform utilizing approved Configuration Management (CM) tools and following established change management CM processes and procedures in support of the SOMARDS application. The CM functions to be performed include but are not limited to the following: Establish and maintain release baselines for each Configuration Item (CI) on all managed processing platforms/environments. Update and maintain the current status of each Software Change Request (SCR) and CI and report the status to the System Manager on a bi-weekly basis. Ensure that all documentation (hardcopy and/or softcopy) is updated with the movement of each SCR/CI, and provide to the System Manager when requested Upon approval by the System manager, support the staging of approved SCRs/CIs on the approved processing platform/environment with DFAS Production Scheduling and Control and provide appropriate notification to the customers. Ensure that all CIs are standard/identical on all coding and test processing platforms/environments, except where specific discrepancies are approved by the Government representative (i.e. in phased implementations). The contractor shall promptly notify the Government representative of any unapproved discrepancies discovered. Perform periodic and event audits in accordance with standard processes to ensure that the correct versions of all CIs are on each project, repository and test processing platform/environment and the CM tools correctly reflect those versions. The contractor shall promptly notify the Government representative of any unapproved discrepancies discovered. Provide a configuration management plan that shall include items such as personnel, responsibilities and resources, training requirements, administrative meeting guidelines, including a definition of procedures and tools, base lining processes, configuration control and configuration status accounting, naming conventions, audits and reviews, and subcontractor/vendor configuration management requirements. The contractor’s configuration management plan shall support: a) Traceability of designs to requirements b) Proper identification and documentation of system elements, interfaces and interdependencies c) Timely and thorough vetting and disposition d) Control and documentation of approved changes to baseline e) Proper and timely incorporation of verified changes in all affected items and documentation f) Consistent and appropriate provisions in the Engineering Change proposal, problem report and related contract actions g) Consistency between the product and its supporting documentation h) A complete audit trail of design decisions and modifications i) Continued assurance of system supportability and interoperability Support Requirements Management by:Performing detailed evaluation of information systems requirements with the defined functional proponent Examining existing information system schematics and related supporting software documentation Examining the effects of a proposed software modification on system software reliability Verifying operational effects on SOMARDS, if possible Monitoring updates to software requirement baselines and ensure revisions are documented for future audit purposes. Identifying the impact of software updates Participating in reviews to determine the completeness and consistency of software requirements Deliverables from the support of Requirements Management will include any system requirements documentation currently maintained by the contractor, and any documents related to system requirements that may be needed to maintain system auditability.Support Requirements Analysis by:Ensuring that requirements comply with DoD and DFAS policies, plans and standards.Maintaining existing functional business requirement documentation Creating new documentation for new functional business requirementsParticipating in joint requirements work sessions with users and developers to assist in analyzing requirements Deliverables from this task include System Requirements and Software Requirements documentation, as is currently maintained by the contractor.Perform Development activities by:Coding designs for implementation and execution in tools and languages designated by existing system specific standards for SOMARDS. Coding shall be documented, unit tested, and placed in controlled libraries for further testing and implementation.Performing unit testing of software modules to ensure compliance with design specifications and applicable technical standards Conducting or participating in software code/specification reviews, as directed by the Government. Building, testing and deploying software that provides system users efficient facilities for entering transaction data and viewing stored data Assisting in refining the application design based upon experience with the suite of tools used by the applications Assisting with transforming the application design into the physical modules/technical requirements documentation Attending meeting and planning sessions to discuss design, deployment or support of systems. Provide technical support relating to applications software design and maintenance of executive software for mainframe versions to include analysis/programming of online and batch processing functions.Deliverables from this task include before and after images for the source code, executable programs, and Computer Operations Manual. Perform system software tests on products derived from the coding phase. Testing includes but is not limited to thorough unit testing of all created products in a project repository environment, system integration test (SIT) of all program components in a project repository environment in accordance with an established test plan and participation in customer acceptance testing as required by the System Manager. The contractor shall perform the following in conjunction with testing of the developed, modified, or converted system: Perform testing for each new software release Prepare Software Test Description and cases and/or Test Procedures Develop or modify Software Test Plans (STP) to conduct Design Test Evaluation and Operational Test and Evaluation. Test Data in accordance with existing system specific standards for SOMARDS for testing of each new release Design, convert, or modify system files to test or execute the modules, processes, or programs Test existing physical system databases or system files to be used for testing Perform regression testing as requiredDevelop Software Test Report upon completion of testing Assist or participate in the creation of test cases and scripts to support Management Internal Control Program and information assurance activities and compliance certifications. Assist or participate in the preparation of test discrepancy reports (defects). Assist or participate in the preparation of a final Software Test Report. Support DFAS Configuration Control Board (CCB) meetings, all integrated functional and design review sessions and application test planning sessions. Participate in Test Readiness Reviews to ensure successful turnover from application to testing and readiness for Operational Test and Evaluation. Provide overall testing status on a weekly basis. Provide documented test results of all testing performed Design or assist in developing Implementation Procedures (IP).Maintain the resources and organization to provide management oversight of performance under the Contract. Program Governance elements include administrative controls, security administration, and quality management. The contractor shall provide program management of its performance in the following areas: Maintain administrative managers, staff and other resources to provide it with oversight and control of the following areas and associated functions. Administer contract negotiation, administration and close out. Facilitate coordination, space planning and administration of Contractor space used by Contractor and subcontractor personnel. Administer subcontract negotiation, administration and close out. Perform financial administration to include planning and tracking of contract costs and related data and financial reporting as specified in Reporting section 7.4. Administer human resources to include coordination of contractor staffing requirements, solicitation of qualified resources, market research, processing new hires, and terminations. Provide qualified and competent personnel having experience with the appropriate software, technologies, and skills to support SOMARDS.Administer security to include management of personal and facility-related security in accordance with Contractor’s security policies and procedures and DoD regulations 1.5 Period of Performance: The period of performance shall be for one (1) base year of 12 months with two (2) 12 month option years.1.6 General Information1.6.1 Quality Control (QC): The contractor shall develop and maintain an effective quality control program to ensure services are performed in accordance with this PWS. The contractor shall develop and implement procedures to identify, prevent, and ensure non-recurrence of defective services. The contractor’s quality control program is the means by which it assures itself that the work complies with the requirement of the T.O. The contractor shall deliver its proposed quality control plan with their quote. When changes are made, the contractor shall submit a revised plan within 5 working days thereafter. After acceptance of the quality control plan the contractor shall receive the contracting officer’s (CO’s) acceptance in writing of any proposed change to his QC system. 1.6.2 Hours of Operation: The contractor shall conduct business; between the hours of 0600-1800 hours Monday thru Friday Eastern Time except Federal holidays or when the Government facility is closed due to local or national emergencies, administrative closings, or similar Government directed facility closings. The contractor must at all times maintain an adequate workforce for the uninterrupted performance of all tasks defined within this PWS when the Government facility is not closed for any of the above reasons. 1.6.3 Recognized Holidays: New Year’s DayLabor DayMartin Luther King Jr.’s BirthdayColumbus DayPresident’s DayVeteran’s DayMemorial DayThanksgiving DayIndependence DayChristmas DayIf the holiday occurs on a Saturday the holiday will be observed on Friday. If the holiday occurs on Sunday the holiday will be observed on Monday.1.6.4 Place of Performance: The work to be performed under this T.O. will be performed at the DFAS Indianapolis Government location or at other locations agreed to by DFAS and the contractor:DFAS Indianapolis3250 N. Post Rd. Bldg. 3, Suite 315Indianapolis, IN 46226The contractor will report to DFAS-IN the first week of the contract for the onboarding time needed to receive a DFAS laptop, CAC card, and orientation to the DIFMS team and projects. Other travel may be required to Contiguous United States (CONUS) locations to support SOMARDS.1.6.5 Type of Contract: The Government will award a labor hour Task Order (T.O.). 1.6.6 Security Requirements: Contractor personnel will follow the security and training requirements in DFAS 2000.1, “Force Protection Program,” DoDM 5200.01-V1-4, “DoD Information Security Program,” and DFAS 5200.1-I, “Information Security Program.” Contractor personnel will follow all host security requirements in accordance with DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM),” paragraph 6-105. The contractor shall immediately report any occurrences of violation of stated regulations to the CO or COR.1.6.6.1 Security Education and Training: Contractor personnel will receive initial, continuous and refresher security education training in accordance with DoDM 5200.01-V3, “DoD Information Security Program – Protection of Classified Information,” and DFAS 5200.1-I. Contractor personnel are also required to accomplish all Safety, Protection, Infrastructure, Recovery, Integration Team (SPIRIT) training courses available through the DFAS ePortal.1.6.6.2 Physical Security: The contractor shall be responsible for safeguarding all Government equipment, information and property provided for contractor use. At the close of each work day, Government facilities, equipment and materials shall be secured.1.6.7 Post Award Conference/Periodic Progress Meetings: The contractor agrees to attend any post award conference convened by the contracting activity or contract administration office in accordance with Federal Acquisition Regulation Subpart 42.5. The CO, COR, and other Government personnel, as appropriate, may meet periodically with the contractor to review the contractor's performance. At these meetings the CO will apprise the contractor of how the Government views the contractor's performance and the contractor will apprise the Government of problems, if any, being experienced. Appropriate action shall be taken to resolve outstanding issues. 1.6.8 Identification of Contractor Employees: All contractor personnel attending meetings, answering Government telephones, and working in other situations where their contractor status is not obvious to third parties shall identify themselves as contractors to avoid creating an impression they are Government officials. Contractor personnel shall ensure that all documents or reports produced by contractors are suitably marked as contractor products or that contractor participation is appropriately disclosed. The Common Access Card (CAC) used for building entrance, computer access, and other situations will identify the individual as a contractor.1.6.9 Contractor Travel: Performance under this T.O. may require travel by contractor personnel to CONUS locations. Contractors may be required (as requested by the Government) to travel for meetings, system discussions, presentations, presentation of deliveries, and task exit interviews. If travel is required the contractor shall be responsible for making all needed arrangements for their personnel. 1.6.10 Travel Policy: The Government shall reimburse the contractor for allowable travel costs incurred by the contractor in performance of the T.O. in accordance with FAR Subpart 31.205-46.All contractor travel must be approved by the COR or the Alternate COR in advance of actual travel and cannot exceed the funding amount for travel on the awarded T.O.1.6.11 Relocation: Relocation costs and travel costs incident to relocation are not allowable and will not be reimbursed hereunder.1.6.12 Data Rights: Subject to the applicable DFARS clauses. 1.6.13 Organizational Conflict of Interest: Contractor personnel performing work under this T.O. may receive, have access to, and/or participate in the development of proprietary or source selection information (e.g., cost or pricing information, budget information or analyses, specifications or work statements, etc.). Additionally, contractor personnel performing work under this T.O. may perform evaluation services. Due to the nature of the work associated with DIFMS a current or subsequent Organizational Conflict of Interests (OCI) as defined in FAR Subpart 9.5 may exist or be created. The contractor shall notify the CO immediately whenever it becomes aware that such access or participation may result in any actual or potential OCI and shall promptly submit a plan to the CO to avoid or mitigate any such OCI. The contractor’s mitigation plan shall be determined to be acceptable solely at the discretion of the CO. In the event the CO unilaterally determines that any such OCI cannot be satisfactorily avoided or mitigated, the CO may affect other remedies as he or she deems necessary, including prohibiting the contractor from participation in subsequent contracted requirements which may be affected by the OCI.1.6.14 Interaction with Contractor Personnel: The COR shall forward questions or concerns directly to the prime contractor official representative who is directly responsible for managing its own employees/subcontractor personnel. The prime contractor official representative shall coordinate with the COR a training schedule without causing undue delays to T.O. performance. The prime contractor official representative (including subcontractor’s personnel, when applicable) shall provide the COR, within 30 days after T.O. award/exercise of an option, a written report identifying: (1) Contractor employees required to take the training, (2) Contractor employees who completed the training and, (3) Contractor employees who are delinquent. Contractor personnel shall direct their questions or concerns to their contractor management chain and/or company representative. 1.6.15 Monthly Status Reports: The prime contractor official representative shall submit a monthly status update to the COR, no later than the 10th day of the following month, identifying the initial and annual SPIRIT training status of all contractor personnel. This report can be integrated with the regularly scheduled Monthly Status Reports and made available to the COR as a deliverable item on the T.O. 1.6.16 The COR is the primary point of contact for the contractor. The COR shall interface with DFAS Information and Technology (IT) Point Of Contact (POC) as well as the appropriate DFAS Site Force Protection Office POC to maintain internal monthly system updating to DoD compliance.To identify Site Force Protection Officers at each DFAS location consult the Agency Force Protection ePortal Page. Follow the link titled “Site Specific Force Protection/Security Services” in the Additional Points of Contact section near the top right side of the webpage. The COR is responsible for monitoring all technical aspects of the contract and assisting in contract administration. COR duties include:Ensure contractor performs the technical requirements of the contractPerform inspections necessary in connection with contract performanceMaintain written and oral communications with the contractor concerning technical aspects of the contractMonitor contractor's performance and notifies both the CO and contractor of any deficienciesCoordinate availability of Government furnished property and site entry of contractor personnelA letter of designation issued to the COR, a copy of which is sent to the contractor, states the responsibilities and limitations of the COR, especially with regard to changes in cost or price, or changes in delivery dates. The COR is not authorized to change any of the terms and conditions of the resulting order. 1.7 Training1.7.1 DFAS Security Training Requirements (Dec 2014) The contractor shall ensure all employees performing under this contract that require network access complete the annual mandatory training in accordance with the modules identified below. a. All contractor personnel who require a Common Access Card (CAC) for DFAS network access while working at DFAS sites/facilities or working remotely via VPN, shall complete the required training modules listed in this clause within 30 days from receipt of the CAC as a precondition for continued admittance and/or network access. (Note: Completion of Cyber Awareness Challenge, Module 003, is required prior to requesting a new DFAS network access or VPN account.) b. In addition, these modules must be completed annually to retain accessibility. Non-compliance will negatively impact contract performance and lead to the loss of the CAC and/or network access for contractor personnel. c. The average estimated time for completion of each module is less than one hour. d. The contractor’s official representative or its assigned project manager or equivalent shall provide the COR a list of its personnel, including the subcontractor personnel, requiring completion of the security training not more than 10 days after TO award or award of the option period. The contractor shall also provide the names of any replacement personnel that will require this training during the period of TO performance immediately to the COR. e. Completion of the following training modules is required for contractor personnel who require network access: 1. Module 001: Critical Infrastructure Protection. . This training is required as per DoD Directive 3020.40, DoD Policy and Responsibilities for Critical Infrastructure, Enclosure 2, paragraph 9.m and DoDI 3020.45, Defense Critical Infrastructure Program (DCIP) Management, paragraph 5.8.1. 2. Module 002: Contingency Planning. This is mandatory per Presidential Decision Directives (PDD) 62 & 63 and Executive Orders 13229 and 13231. 3. Module 0003: Cyber Awareness Challenge. Mandatory per DoD Manual 8570.01, paragraph C6.2.2, which states, “to ensure understanding of the critical importance of IA, all individuals with access to DoD IT systems are required to receive and complete initial IA awareness training before being granted access to the system(s) and annual IA awareness training to retain access.” (a) Completion of this module is required prior to requesting a new DFAS network or VPN account. For contractor personnel unable to access the DFAS ePortal, the same training is available from Defense Information Systems Agency (DISA) Information Assurance Support Environment (IASE). The direct link to launch the training is . Contractor personnel shall complete the “Department of Defense Employees” version. (b) Upon completion of the training, contractor personnel shall retain a copy of the training certificate in PDF as proof of completion and submit a copy to the COR, attached to the request for network access. 4. Module 004: Information Security. As per DoD Instruction 5200.01, DoD Information Security Program and Protection of Sensitive Compartmented Information, Enclosure 2, paragraph 10g; DoD Manual 5200.01,Volume 3, DoD Information Security Program: Protection of Classified Information, Enclosure 5, paragraphs 3 and 7; and DoD 5220.22-M, Chapter 9, paragraph 9-302c, this training is mandatory. DFAS Instruction 5200.1-I, Enclosure 8, Security Education and Training, requires initial, continuous, and refresher security education training for all DFAS military, civilian, and both on-site and remote contractor personnel. 5. Module 005: Personnel Security. DOD 5200.2-R, Personnel Security Program, Chapter 9, paragraphs C9.2.2 and C9.2.3 require this training. 6. Module 006: Physical Security. This training is required by DoD 5200.08-R, “Physical Security Program,” paragraph C2.1.3. 7. Module 007: Safety and Occupational Health. DoD Instruction 6055.1, Safety and Occupational Health (SOH) Program, Enclosure 3, paragraph E3.3 provides the requirement for this training. 8. Module 008: Antiterrorism Level (AT) I. DoDI 2000.16, DoD Antiterrorism (AT) Standards, Enclosure 3, paragraph E3.25.1 and DFAS 52.224-9000, Information Assurance, prescribe the requirement for AT training. All other contractor personnel should take the training through the DFAS ePortal upon receipt of network access. 9. Module 009: Operations Security. DoD 5205.02-M, DoD Operations Security (OPSEC) Program Manual, Enclosure 6, paragraph 2, and Enclosure 7, paragraph 3. 10. Module 010: Privacy Act and PII. Mandatory per DoD 5400.11-R, Department of Defense Privacy Programs, C7.1 through C7.3 and DFAS 52.224-9000, Information Assurance. 11. Module 011: Counterintelligence (CI). DoDI 5240.06, Counterintelligence (CI) Awareness, Briefing, and Reporting Programs, paragraphs 2.c.4 and Enclosure 3, Awareness Training. 12. Module 012: Chemical, Biological, Radiological, Nuclear, and Explosive (CBRNE). Training is required per DoD Instruction 3020.52, paragraphs 2.b and c. The information applies to all DoD installations worldwide, including Government-owned, contractor-operated (GOCO) facilities and non-DoD activities operating in DoD installations.13. Combating Trafficking in Persons (CTIP). This training is required by the “Trafficking Victims Protection Reauthorization Act of 2008,” DoDI 2200.01, Combating Trafficking in Persons (CTIP), paragraph 1.g and FAR Clause 52.222-50, Combating Trafficking in Persons. All other contractor personnel should take the training through the DFAS ePortal upon receipt of Network access. f. Upon completion of each module, contractor personnel will receive a certificate of completion or shall print out a screen shot of the date of the completion of training. They shall provide a PDF copy of the certificate or the screen shot to the contractor’s official representative or the assigned project manager or equivalent. The contractor’s official representative, or the assigned project manager or equivalent, shall provide copies to the COR. g. Subcontract Security Training Requirement: The prime contractor shall incorporate the security training requirements into all subcontracts that support the prime contract where a CAC is required for network access. h. The COR is the primary point of contact for the contractor. The COR will interface with DFAS I&T Point Of Contact (POC) as well as the appropriate DFAS Site FPO POC to maintain internal monthly system updating to DoD compliance. Contractor personnel shall direct their questions or concerns to their management chain of command and/or company representative.1.8 Section 508 Compliance: This requirement is applicable to Section 508 Compliance EIT Requirements:1)36 CFR part 1194.21 (Subpart B) Software applications and operating systems 2)36 CFR part 1194.41 (Subpart D) Information, Documentation, and Support Unless the Government invokes an exemption, all EIT products and services proposed shall fully comply with Section 508 of the Rehabilitation Act of 1973, per the 1998 Amendments, and the Architectural and Transportation Barriers Compliance Board’s Electronic and Information Technology Accessibility Standards at 36 CFR 1194. The contractor shall identify all EIT products and services proposed, identify the technical standards applicable to all products and services proposed and state the degree of compliance with the applicable standards. Additionally, the contractor shall clearly indicate where the information pertaining to Section 508 compliance can be found (e.g., contractors or other exact web page location). The contractor shall ensure that the list is easily accessible by typical users beginning at time of award. The contractor shall ensure that all EIT products and services proposed that are less than fully compliant, are offered pursuant to extensive market research, which ensures that they are the most compliant products available to satisfy the solicitation’s requirements.If any such EIT product or service proposed is not fully compliant with all of the standards, the contractor shall specify each specific standard that is not met; provide a detailed description as to how the EIT product or service does not comply with the identified standard(s); and shall also indicate the degree of compliance.1.9 ENTERPRISE-WIDE CONTRACTOR MANPOWER REPORTINGThe contractor shall report ALL contractor labor hours (including subcontractor labor hours) required for performance of services provided under this T.O. for the DFAS via a secure data collection site. The contractor is required to completely fill in all required data fields using the following web address: . Reporting inputs will be for the labor executed during the period of performance during each Government Fiscal Year (FY), which runs October 1 through September 30. While inputs may be reported any time during the FY, all data shall be reported no later than October 31 of each calendar year, beginning with 2013. Contractors may direct questions to the help desk at Security and Privacy Act: “Information Assurance” (September 2014) - All work performed relative to the requirement identified in the Statement of Work or Performance Work Statement is unclassified and requires access to sensitive information, covered by the Privacy Act of 1974 and other Department of Defense (DoD) and DFAS regulations. Information Assurance shall be in accordance with DFAS 8500.1-R, Information Protection and Safeguards, DoD Directive (DoDD) 8500.1, (Cybersecurity). The following requirements apply to the offeror/vendor selected for contract award resulting from this solicitation. Upon notification of selection as the successful offeror/vendor, the contractor shall follow the instructions provided at (a) through (g) of this provision, as applicable.(a) Magnitude. This contract will require personnel to meet the investigative standards as outlined in DFAS 5200.9-I (Common Access Card (CAC) Program); DoD 5200.2-R (Personnel Security Program); DoD Instruction (DoDI) 1000.13 (Identification (ID) Cards for Members of the Uniformed Services, Their Dependents, and Other Eligible Individuals); DoDI 5200.08 (Security of DoD Installations and Resources and the DoD Physical Security Review Board (PSRB)); and Deputy Under Secretary Defense (Human Intelligence, Counterintelligence, and Security) memorandum, dated November 4, 2010 (DoD Standardized Investigation Request Procedures)for IT-I and IT-II access. Contractor employees must be United States citizens, in accordance with DoD 5200.2-R, Chapter 2, and specifically C2.1.1, General.IT-I Access – noneIT-II Access – all (b) Personnel Security Investigation Requirements for Information Technology (IT) Access:(1) For IT-I Access: No classified work will be required. However, the contractor will be working with sensitive information which is covered by the Privacy Act or other government regulations and is considered category IT-I. The contractor must ensure sensitive information is properly safeguarded at the work site and not removed from the work site. In addition, the contractor will be required to comply with the security requirements associated with access to the DFAS enterprise network and sensitive agency information. All contractor personnel requiring IT-I access to the DFAS information systems will be subject to a Single Scope Background Investigation (SSBI) or equivalent level investigation. An IT-I access position may be occupied upon completion of the personnel security investigation and upon a favorable local contractor fitness determination for access to IT systems and sensitive agency information. An exception waiver of pre-appointment investigative requirements can be granted in accordance with DoD 5200.2-R, if the following criteria are met: the Contracting Officer Representative (COR) has requested an exception waiver in writing, based upon a determination by the head of the requesting organization that delay in appointment would be harmful to national security [exception waiver can be requested by the COR on the DFAS Form 9019 (Request for Exception Waiver and/or Interim Clearance)], and has submitted the exception waiver request to the DFAS Personnel Security Office; andthe advanced fingerprint results are favorable; and the National Agency Check (NAC) portion of the SSBI has been completed; ora favorable determination has been made on a previously valid ANACI (Access National Agency Check with Inquiries), NACI (National Agency Check with Inquiries), NACLC (National Agency Check with Law and Credit Checks), ENTNAC (Entrance National Agency Check), NAC, BI (Background Investigation), LBI (Limited Background Investigation), MBI (Moderate Risk Background Investigation) or PTSBI (Public Trust Special Background Investigation) personnel security investigation, provided a break in service of more than 24 months has not occurred, and the personnel security investigation has been completed and favorably adjudicated (or a favorable local contractor fitness determination has been made). (2) For IT-II Access: No classified work will be required. However, the contractor will be working with sensitive information which is covered by the Privacy Act or other government regulations and is considered category IT-II. The contractor must ensure sensitive information is properly safeguarded at the work site and not removed from the work-site. In addition, the contractor will be required to comply with the security requirements associated with access to the DFAS enterprise network and sensitive agency information. All contractor personnel requiring IT-II access to the DFAS information systems will be subject to a NACLC personnel security investigation, equivalent level investigation, or higher level personnel security investigation. An IT-II access position may be occupied upon completion of the personnel security investigation and upon a favorable local contractor fitness determination for access to IT systems and sensitive agency information. An exception waiver of pre-appointment investigative requirements can be granted in application with DoD 5200.2-R, if the following are met:The COR has requested an exception waiver in writing, based upon a determination by the head of the requesting organizations that delay in appointment would be harmful to national security [exception waiver can be requested by the COR on the Contractor Request for Investigation (CRI) form (DFAS Form 9035)] and has submitted the exception waiver request to the DFAS Personnel Security Office; and the NACLC investigation has been initiated, and favorable advanced fingerprint results have been received from the investigating agency. (c) Documentation Submission. The NACLC for IT-II access, as well as the SSBI for IT-I access, requires contractor submission of the following investigative forms and documentation:Standard Form 86 (SF 86) - Questionnaire for National Security PositionsFD 258 - Applicant Fingerprint CardContractor Request for Investigation Form (CRI), DFAS Form 9035All contractor personnel requiring either IT-I or IT-II access to the DFAS information systems and/or sensitive agency information will complete a SF 86. The SF 86will be completed using the Office of Personnel Management (OPM) e-QIP system. Use of the OPM e-QIP system is mandated by DoD and hardcopy submissions using the SF86 will not be accepted.The COR personnel will complete a CRI containing, but not limited to: the full name of the contractor applicant; the contract number and expiration date; the name(s) of the designated COR; and level of IT access required as determined previously in the Statement of Work or Performance Work Statement. All CRIs must be accompanied by the FD 258, Applicant Finger Print Card. The FD258 and CRI will be forwarded to DFAS Personnel Security Office for review and request of the SF86, if applicable. Upon review of the material provided by the COR/GPOC, if it is determined that the contractor applicant is required to complete the SF86, a staff member from the DFAS Personnel Security Office will build an OPM e-QIP account for the applicant and e-mail the applicant instructions to complete the SF86. The Personnel Security Office will notify the COR/GPOC when the contractor applicant has been approved for access to sensitive information. The appropriate personnel security investigation (NACLC (IT-II) or SSBI (IT-I)) must be completed or an exception waiver of pre-appointment investigative requirements approved, in accordance with DoD 5200.2-R, before the contractor personnel applicant begins work on a DFAS contract. In accordance with DoDI 1000.13, DoDI 5200.08, and DFAS 5200.9-I individuals must have favorable fingerprint results completed prior to the issuance of an interim Personnel Identity Verification (PIV) credential (DoD Common Access Card (CAC)). (d) Findings. All contractor personnel applicants must receive a favorable local contractor personnel fitness determination (or favorable adjudication) to work on sensitive, but unclassified DFAS contracts. Unfavorable local fitness determinations (or unfavorable adjudications) will require the removal of the contractor employee from an IT-I or IT-II designated DFAS contract. An unfavorable local fitness determination only precludes the contractor employee from having access to sensitive DFAS IT systems or sensitive agency data. The local contractor fitness determination is not security adjudication. Therefore, the contractor personnel applicant is not afforded administrative due process by the agency for this local determination.(e) Continuous Evaluation. All contractor personnel in receipt of a favorable local fitness determination (or favorable adjudication) and working on a sensitive, but unclassified DFAS contract are subject to a continuing evaluation of their eligibility to access sensitive information, DFAS IT systems, and eligibility to perform sensitive duties on behalf of DFAS. It is not possible at a given point to establish with certainty that any person will remain trustworthy. Therefore, no assessment can be considered final and contract personnel are subject to continuing security responsibilities as outlined in DoD 5200.2-R, Chapter 9 (Continuing Security Responsibilities).(f) Reinvestigation. DoD policy prohibits unauthorized and unnecessary investigations. However, there are specific situations and requirements that necessitate reinvestigation of an individual who has previously been investigated. Reinvestigations may be conducted for the following reasons:To prove or disprove an allegation that calls into question a contractor’s trustworthiness.Contractors performing IT-I duties shall be subject to a periodic reinvestigation on a five year recurring basis. Periodic Reinvestigations will be conducted on the SF86 for initiation of a Single Scope Background Investigation – Periodic Reinvestigation (SSBI-PR) or Phased Periodic Reinvestigation (PPR).PART 2DEFINITIONS & ACRONYMS2. DEFINITIONS AND ACRONYMS:2.1 DEFINITIONS: 2.1.1 CONTRACTOR. A supplier or contractor awarded a contract/T.O. to provide specific supplies or service to the Government. The term used in this T.O. refers to the prime unless otherwise stated.2.1.2 CONTRACTING OFFICER (CO). A person with authority to enter into, administer, and /or terminate contracts/T.O., and make related determinations and findings on behalf of the Government. Note: The only individual who can legally bind the Government.2.1.3 CONTRACTING OFFICER'S REPRESENTATIVE (COR). An employee of the U.S. Government appointed by the CO to administer the contract/T.O. Such appointment shall be in writing and shall state the scope of authority and limitations. This individual has authority to provide technical direction to the contractor as long as that direction is within the scope of the contract/T.O., does not constitute a change, and has no funding implications. This individual does NOT have authority to change the terms and conditions of the contract/T.O. 2.1.4 DEFECTIVE SERVICE. A service output that does not meet the standard of performance associated with the Performance Work Statement.2.1.5 DELIVERABLE. Anything that can be physically delivered, may include non-manufactured things such as meeting minutes or reports.2.1.6 PHYSICAL SECURITY. Actions that prevent the loss or damage of Government property.2.1.7 QUALITY ASSURANCE. The contractor’s methodology to ensure that the services performed are completed according to acceptable standards.2.1.8 QUALITY ASSURANCE SURVEILLANCE PLAN (QASP). An organized written document specifying the surveillance methodology to be used for surveillance of contractor performance by the Government. 2.1.9 SUBCONTRACTOR. One that enters into a contract with a prime contractor. The Government does not have privity of contract with the subcontractor.2.2. ACRONYMSCACCommon Access CardCLINContract Line Item NumberCOContracting OfficerCONUSContinental United StatesCOOPContinuity of OperationsCORContracting Officer RepresentativeCOTSCommercial-Off-The-ShelfCPRContractor Performance ReportDECCDefense Enterprise Computing CentersDISADefense Information Systems AgencyDISNDefense Information Systems NetworkDFARSDefense Federal Acquisition Regulation SupplementDFASDefense Finance and Accounting ServiceDoDDDepartment of Defense DirectiveDoDIDepartment of Defense InstructionDSSRDepartment of State Standardized RegulationsEITElectronic and Information TechnologyFARFederal Acquisition RegulationGFEGovernment Furnished EquipmentGFIGovernment Furnished InformationGFPGovernment Furnished PropertyIAInformation AssuranceIAWIn accordance withIPInternet ProtocolITInformation TechnologyITILInformation Technology Infrastructure LibraryJTRJoint Travel RegulationLANLocal Area NetworkNIPRNETNon-secure Internet Protocol Router NetworkMSRMonthly Status ReportNACNational Agency CheckNTENot to ExceedOCIOrganizational Conflict of InterestOCONUSOutside the Continental United StatesPMProject ManagerPO&MPlan of Actions and MilestonesPWSPerformance Work StatementQASPQuality Assurance Surveillance PlanQCQuality ControlQCPQuality Control PlanQ&AQuestions and AnswersSIPRNETSecret Internet Protocol Router NetworkSMESubject Matter ExpertSOPStandard Operating ProcedureSOWStatement of WorkSPISchedule Performance IndexSSBISingle Scope Background InvestigationSSLSite Security LiaisonSTIGSecurity Technical Implementation GuideTCOTotal Cost of OwnershipTOSTracking and Ordering SystemTPOCTechnical Point of ContactVPNVirtual Private NetworkWANWide Area NetworkPART 3GOVERNMENT FURNISHED PROPERTY, EQUIPMENT (GFE), INFORMATION (GFI) AND SERVICES 3. GOVERNMENT FURNISHED INFORMATION, EQUIPMENT, SPACE OR FACILITIES.3.1 Government Furnished Equipment: All facilities and services (i.e., computer products-PCs, printers, telephones, software and Government provided developmental platforms) shall be furnished by the DFAS Indianapolis for use within the DFAS-IN Center. DFAS will furnish office space, desks, chairs, and supplies for contractor personnel working on this T.O., at Indianapolis. The office space, furnishings, supplies and equipment will be of the type found in DFAS. All software resident on the computers required to complete the tasks will be made available to the contractor.Desktop Management Initiative (DMI) is the DFAS Standard for software/hardware. All computers connected at DFAS sites must be configured under DMI.For contractor personnel working at alternate locations agreed upon by DFAS and the contractor, logon ids will be provided access to the required platforms. The contractor shall provide the access network connection, via the Pulse Secure-Indianapolis for any personnel not working at the DFAS site. The contractor shall be provided approximately four (4) laptop computers in the form of GFP IAW FAR Clause 52.245-1. The specific brand, model, and serial numbers of the laptop to be issued will be provided after award via coordination with the COR of record.3.2 DFAS IT Policy Concerning Contractor Furnished Equipment (CFE).3.2.1 In Accordance With (IAW) Chapter 3 of DFAS Regulation 8400.1-R, personally owned workstations, laptop computers, software and printers, including computers connected remotely will not be connected to the DFAS Enterprise Local Area Network (ELAN). This prohibition is a security requirement to protect the ELAN from the spread of malicious logic (viruses and Trojan Horse programs) and to protect sensitive but unclassified (SBU) information from being compromised. Contractors performing duties in a DFAS facility will be provided with DFAS owned workstations and printers. PART 4SPECIFIC TASKSSee Sections 1 and 6.PART 5APPLICABLE PUBLICATIONS5. APPLICABLE PUBLICATIONS (CURRENT EDITIONS) Applicable publications will be provided after T.O. award as required:5.1 Global Software Development Plan (GSDP) 5.2 Configuration Management Information System (CMIS) User’s Guide 5.3 Software Configuration Management Plan (SCMP) 5.4 DFAS 8430.1-R, December 2007 (Automated Information Systems)5.5 DFAS 8430.01-I “System Life Cycle (SLC) Management” 5.6 Department of Defense Financial Management Regulation (DoD FMR) 7000.14-R, Vol. 5 – see 5.7 Various Treasury Management Regulations-see . 6.1 - ATTACHMENT 1Performance Requirements Summary TaskWork ObjectiveOutcome/ResultAcceptable Performance LevelSurveillance Method - Monitoring4.1 Contract Program Management4.1.1Schedule Report All contractor personnel shall be required to input/submit project data and time in a format that can be loaded in eBiz—the DFAS standard labor reporting, tracking and accounting system—on an individual and daily basis.eBiz data is timely submitted.Not returned more than once during any reporting period. Submissions are on time 95% of the time. Review of submissions.4.1.2Weekly Status ReportsThe contractor shall provide weekly status reports (by email on Wednesday) to the DFAS COR. This status report shall detail what projects contractor resources are currently working on and any problems or other issues encountered. It shall also include the course of action taken in resolving problems, potential problems anticipated, significant activities, project schedules, SDLC procedures, and planned upgrades/changes.Weekly Status Reports are timely received and contain accurate and complete information.Not returned more than once to correct errors or inaccurate information. Review of Reports delivered. 4.1.3Monthly Performance and Cost ReportThis report shall provide data on the acceptable levels of performance (ALP) for all tasks under the T.O. that are monitored against ALP. This report shall also reflect each resource’s rate, actual hours used, accumulated hours, allocated hours and total hours. It shall also include any extended hours for the previous month. It shall include a log showing whether any resource was traveling, cost of travel and the date(s) of the travel. The contractor shall prepare and deliver to the COR a monthly Status Report describing the current status of ongoing contract activities, problem areas and course of action taken in their resolution, potential problems anticipated, significant activities, SOMARDS system audit readiness, work progress, and contract costs. The contractor shall submit a monthly Status Report to the COR no later than the 15th working day of the month and be available to discuss with the GPOC as necessary. Monthly Performance and Cost Reports are timely received and contain accurate and complete information. Not returned more than once to correct errors or inaccurate information. Reports are delivered on time 85% of the time. Measurements will be monitored monthly.Review of Reports delivered. 4.1.4Monthly Accrual Estimate ReportThe contractor shall submit a monthly accruals report that projects the next month’s costs and the expenses that will be delivered. Accruals reports are timely delivered and contain accurate cost estimates for the next months expected costs. Not returned more than once to correct errors or inaccurate information. Reports are delivered on time 90% of the time. Review of Reports delivered. 4.1.5Management ReviewsThe contractor shall prepare and provide Management Reviews (MRs) to identify and address progress, problems, and other pertinent information.Management Reviews are timely and delivered as needed. Not returned more than once to correct errors or inaccurate informationReview of Reports delivered. TaskObjectiveOutcome/ StandardAcceptable Level of Performance Surveillance Method/ Measure4.2 Requirements Management4.2.1 Requirements Management.Work with stakeholders from the system user community and Enterprise Solutions & Standards (ESS) to elicit, draft, review, and finalize new and modified requirements for SCR.New and modified requirements created that align with the format and standards of current DIFMS requirements documents.Deliverables received at least 95% of time on schedule.Not returned more than once for revisions.Review of schedule and requirements to assess whether completed to the necessary level of detail. 4.2.2Functional Analysis.Review requirements provided within system change requests and ensure all are legible, understandable, and align with the format present in the current DIFMS requirements documents. Identify all business process impacts and use case scenarios that apply to a given change request. Identify customer points of contact to assist with testing activities.All system and requirements impacts should be successfully identified and scoped within the Functional templates to present the complete impact of the change request.Work completed within schedule 95% of time.Not returned more than once for revisions.Review of schedule and requirements to assess whether activity completed to the necessary level of detail. 4.2.3Critical (Functional) Design Review.Meeting to review, discuss, and approve the requirements and Functional Analysis for a given SCR with the relevant stakeholders.Functional analysis is developed and complete, and is loaded into CMIS (Configuration Management Information System) prior to the meeting.Assist functional management staff to ensure all material and relevant details necessary for successful programming have been addressed to ensure requirement is complete. Checklist is completed with input from all attendees.Work follows the standard operating procedures outlined in DIFMS documentation.Work completed within schedule 95% of time.Review of gate meeting minutes to verify the level of preparedness and questions asked during the gate meeting. 4.3 Technical Analysis & Design Activities4.3.1Technical Analysis.Take requirement (s) (provided in the Functional analysis) and perform analysis of how to execute requirement, program code to meet requirement, and unit test to determine understanding of the functional analysis.All source code and system configuration impacts, as well as unit test plan activities, are successfully identified and scoped within DIFMS templates to present the complete production baseline modification impact of the change request.Technical analysis artifacts are provided to I&T team within timeframes established.Work follows the standard operating procedures outlined in SOMARDS documentation.Deliverables received at least 95% of time on schedule.Analysis not returned more than once for revisions.Review of schedule, TA and requirement to assess whether technical analysis is completed to the necessary level of detail. 4.3.2 Testing Analysis.Take requirement (s) (provided in the Functional analysis) and perform analysis to define the scope and level of testing activities required to validate that the programmed changes will satisfy the modified functional requirements. All use cases, data configurations, and associated testing requirements should be successfully identified and scoped within the SOMARDS test plan templates to present the complete testing impact of the change request.Test plan document is provided to I&T team within timeframes established.Work follows the standard operating procedures outlined in SOMARDS documentation.Deliverables received at least 95% of time on schedule.Analysis not returned more than once for revisions.Review of schedule, work product and requirement to assess whether testing analysis is completed to the necessary level of detail. 4.3.3Analysis/Design Peer Review.Perform peer review of technical analysis and/or testing analysis work products completed by development and/or testing staff peers to verify completeness and accuracy of contained plete reviews of work products and provide feedback as necessary for suggested changes.Identify potential missed impacts and/or clarifications of included items.Reviews performed prior to assigned due date with accurate feedback provided.Review of provided feedback to ensure peer review was completed with accurate feedback. 4.4 Software Programming4.4.1Code Programming.Program code using current SOMARDS languages depending on changes needed. Coding shall be segregated to assigned source code branch and development environment.Code changes are produced and are able to be compiled in packages and procedures or builds depending on programming language utilized.Work follows the standard operating procedures outlined in SOMARDS software development life cycle policy documentation.Code completed with minimal rework 95% of the time.Review of schedule for timeliness and routine review of test defect report (TDRs) generated per SCR.4.4.2Unit Testing.Individual units of source code, sets of one or more program modules together with associated control data, usage procedures, and operating procedures, are tested to determine if functionality executes as expected and fulfills the requirements of the change request.Defects are uncovered and immediately fixed and retested to validate correctness.Work follows the standard operating procedures outlined in DIFMS software development life cycle policy documentation.Test defects are discovered and fixed within schedule for unit test.Development team lead review of unit testing plan and results.4.4.3Peer Reviews.Software review in which a work product (document, code, or other) is examined by its author and one or more colleagues, in order to evaluate its technical content and ments/Feedback on content and quality as well as suggestions is provided.Work follows the standard operating procedures outlined in DIFMS software development life cycle policy documentation.Content and Quality are accurate 95% of the time.Review of comments resulting from peer review. Routine review of test defect report (TDRs) generated per SCR.4.4.4Test Script Development.Develop test script(s) to be utilized during formal test events that exercise the integration and execution of modified source code along with the use case and data setup requirements involved with a change request.Test scripts utilized in test events are able to successfully validate integrated functionality as well as uncover defects within modified code components and environment configuration.Work follows the standard operating procedures outlined in DIFMS software development life cycle policy documentation.Content and Quality are accurate 95% of the time.Review of schedule for timeliness and routine review of test defect report (TDRs) generated per SCR.4.5 Testing 4.5.1Test Script Execution.Execute developed test scripts during designated test events. Monitor and measure completeness as well as manage identified defects from inception through resolution. All scripts designated to each test event are completely executed and all identified defects are successfully resolved within the planned timeframe of the project schedule.100% script execution completed per project schedule.100% of defects resolved prior to end of test event.Review script execution reports and TDR resolution reports to validate completion percentages. 4.5.2Test Deficiency Report (TDR) Management.Document defects discovered during test script execution within identified testing management software products.Review defects with functional and technical resources to analyze issues and design a resolution.Resolve defects utilizing necessary requirements updates and/or source code configuration changes.Retest defect resolutions by re-executing appropriate test scripts.All defects are reviewed, analyzed, and resolved prior to the completion of every test event.100% of defects resolved prior to end of test event.Every TDR fixed and retested within 3 days 95% of the time.Review TDR completion report and documentation archives4.5.3Test Readiness Review (TRR) Milestone Meetings.Attend TRR meetings to review environment configuration preparedness and ensure release baseline is ready for the start of the subject test event.Test event dependencies have been sufficiently completed and/or resolved and the test event is ready to proceed as scheduled.Work completed within schedule 95% of time.Review attendance to meetings and review of schedule updates. 4.5.4System Acceptance Test (SAT).SAT events either take on the form of a formal test event with script execution performed by customers, or a demonstration of testing results performed by technical resources to a broad customer audience.Support will be provided to customer participants in either format, specifically with the identification and analysis of any potential defects.All scripts designated to each test event are completely executed and all identified defects are successfully resolved within the planned timeframe of the project schedule.100% of defects resolved prior to end of test event.Review script execution reports and TDR resolution reports to validate completion percentages.4.6 Production Implementation 4.6.1Production Readiness Review (PRR) Milestone Meeting.Ensure that all requirements and dependencies that impact stakeholders and customers have been fulfilled to receive permission for a project release production implementation to proceed. Permission received from customer stakeholders to proceed with release implementation or address action items first.Checklist completed with or without action items 100% of the time. Exception if event is cancelled by PMO or Management.Review of gate meeting minutes to verify the level of preparedness and questions asked during the gate meeting. 4.6.2Implementation Readiness Review (IRR) Milestone Meeting.Ensure that all technical requirements and dependencies have been fulfilled, and technical stakeholders are prepared, to proceed with a project release production implementation. Approval obtained from technical stakeholders to proceed with release implementation or address action items first.Checklist completed with no action items 100% of the time. Attendance at or review of gate meeting minutes to verify the level of preparedness and questions asked during the gate meeting. 4.6.3Post-Implementation Review (PIR) Milestone Meeting.Review held within 30 to 90 days after the release was implemented. Provide information on any resulting PTRs and lessons learned if necessary. Release certified in CMIS as complete.Documentation on lesson learned uploaded to the SOMARDS repository for future reference.Work completed within schedule 100% of time.Attendance or review of gate meeting minutes to verify the level of preparedness and questions asked during the gate meeting. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download