Statement of Objectives (SOO) For Cloud Migration Services



STATEMENT OF OBJECTIVES FORDepartment of Veterans AffairsEnterprise Cloud Services (ECS) for Information Technology Infrastructure Modernization[Version 1.1 April 4, 2016]Introduction and InstructionsThis Statement of Objectives (SOO) describes the objectives and tasks for VA ENTERPRISE CLOUD SERVICES (ECS) for Information Technology Infrastructure Modernization. Offerors shall use this SOO as the basis for preparing their proposal. Offerors shall ensure that all aspects of the SOO are thoroughly addressed in their proposals.Point of Contact [Point of Contact Name and Title] Phone: [(XXX) XXX-XXXX]Email: [xxxx@]Contents TOC \o "1-3" \h \z 1.Executive Summary PAGEREF _Toc446588930 \h 62.BACKGROUND PAGEREF _Toc446588931 \h 63.PURPOSE PAGEREF _Toc446588932 \h 84.PARTNERING PHILOSOPHY PAGEREF _Toc446588933 \h 105.SCOPE PAGEREF _Toc446588934 \h 116.Program/Project Management PAGEREF _Toc446588935 \h 126.1.Reporting PAGEREF _Toc446588936 \h 136.2.Veteran-focused Integration Process (VIP) Support PAGEREF _Toc446588937 \h 136.3.Period and Place of Performance PAGEREF _Toc446588938 \h 147.Current Environment: Existing/Legacy Environment PAGEREF _Toc446588939 \h 147.1.Objective 1: Implement Enterprise Cloud Services PAGEREF _Toc446588940 \h 157.2.Objective 2: Network Modernization and Convergence. PAGEREF _Toc446588941 \h 177.3.Objective 3: Unified Communications. PAGEREF _Toc446588942 \h 197.4.Objective 4: Data Center Consolidation & Hosting. PAGEREF _Toc446588943 \h 208.Approach Overview PAGEREF _Toc446588944 \h 228.1.Business Approach PAGEREF _Toc446588945 \h 228.2.Technical Approach PAGEREF _Toc446588952 \h 238.3.Security Approach PAGEREF _Toc446588972 \h 248.4.Management Approach PAGEREF _Toc446588985 \h 268.5.Administrative Approach PAGEREF _Toc446588997 \h 269.Enterprise Cloud Services (ECS) for Information Technology Infrastructure Modernization PAGEREF _Toc446589010 \h 279.1.Enterprise Cloud Services - Objective 1 PAGEREF _Toc446589011 \h 289.work Modernization and Convergence - Objective 2 PAGEREF _Toc446589019 \h 299.3.Unified Communications - Objective 3 PAGEREF _Toc446589032 \h 319.4.Data Center Consolidation & Hosting - Objective 4 PAGEREF _Toc446589043 \h 3210.Constraints PAGEREF _Toc446589053 \h 3410.1.[Access Control] PAGEREF _Toc446589054 \h 3610.2.[Authentication] PAGEREF _Toc446589055 \h 3610.3.[Personnel Security Clearances] PAGEREF _Toc446589056 \h 3610.4.[Non-disclosure Agreements] PAGEREF _Toc446589057 \h 3610.5.[Accessibility] PAGEREF _Toc446589058 \h 3610.6.[Sensitive and Embargoed Data, etc.] PAGEREF _Toc446589059 \h 3610.7.[Data isolation requirements or hardware sharing restrictions.] PAGEREF _Toc446589060 \h 36Appendix A.Service Level Agreement PAGEREF _Toc446589061 \h 37Appendix B.Measures of success (DRAFT) PAGEREF _Toc446589062 \h 39Appendix C.References PAGEREF _Toc446589063 \h 40EXECUTIVE SUMMARYThe Department of Veterans Affairs (VA) requires the ability to efficiently acquire secure cloud computing services on an ongoing basis. This acquisition will create an enterprise cloud services broker (ECSB) to manage a portfolio of cloud computing services across multiple vendor offerings, supplying VA with a flexible solution for the delivery of cloud computing services.This statement of objectives (SOO) presents a framework for moving the VA enterprise from the current state, to a future cloud enabled state. We define the current enterprise, identify key objectives, and define goals in terms of how to move forward to quickly attain the cloud benefits available. This will result in profound changes in the VA computing environment, leverage existing efforts, forge a path on how to move the enterprise to full cloud adoption, and significantly improve VA’s delivery of enhancements to Veteran health, benefits, and service delivery programs while driving down IT sustainment costs and freeing up resources to fund new and priority emerging requirements.Cloud services provide a wealth of benefits that VA can leverage to provide the right services, at the right place, at the right time in service to our veterans. Cloud services make financial sense, align with government goals and provide a sound technical platform for the future. VA needs a consistent approach to reviewing, securing, managing and procuring cloud services to ensure that coordination and integration between vendors is optimized, providing best value for the taxpayer. A partnership with an ECSB integrates portfolio management with VA processes, rapidly providing the benefits VA needs for success.The transition to enterprise cloud services:Makes Financial SenseSaves MoneyMigrates from capital expenditures (CAPEX) to operating expenditures (OPEX)Better response to supply and demandAligns with Governmental GoalsBuy FirstCloud FirstData Center ConsolidationSupport for Strategic SourcingMakes Technical SenseConsistent platform / approach for developmentTechnical refresh is handled automatically by the vendorNew technology adoption soonerPortable across endpointsSecurity consistently embedded in all cloud solutionsBACKGROUNDThe VA provides America’s Veterans, their families, and Survivors, the care and benefits they have earned through their service. The VA operates:The largest integrated health care system in the country, delivering health care to approximately 9.2 million enrolled VeteransA disability compensation benefits program for 4.4 million Veterans and 405,000 SurvivorsA pension benefits program for 297,000 Veterans and 210,000 Survivors The nation’s tenth largest life insurance program, covering both active duty Service members and enrolled Veterans An education assistance program serving nearly 1.1 million students Vocational rehabilitation and employment benefits for nearly 141,000 Veterans A home mortgage program with a portfolio of over two million active loans guaranteed by VA; and The largest national cemetery system that leads the Nation as a high-performing organization, with projections to inter 132,093 Veterans and family members in 2017 The VA Office of Information and Technology (OI&T) provides information technology support across VA to ensure that the mission, vision, and strategic objectives of VA’s Agency Priority Goals (APGs) are met. The four current VA APGs are: Improve Access to CareImprove Access to VA BenefitsImprove Veterans Experience with VAImprove the Employee ExperienceIn alignment with these goals, OI&T’s mission is to provide available, adaptable, secure, and cost effective information technology products and services to VA customers, enabling VA staff to provide mission-critical support to the Nation’s Veterans. The technology and the resources required to support the APGs underpin every aspect of the care, benefits, and services that are delivered to Veterans. Information Technology (IT) enables the VA to support critical areas such as healthcare, improved benefits processing, provision of enhanced customer care and services to Veterans, maintenance of the Department’s information security posture, and maintenance of the IT Infrastructure.The MyVA Transformation puts Veterans in control of how, when, and where they wish to be served. It is a catalyst to make VA a world-class service provider – a framework for modernizing VA’s culture, processes, and capabilities to put the needs, expectations, and interests of Veterans and their families first. A Veteran walking into any VA facility should have a consistent, high-quality experience. To accomplish this, the Department has developed five strategies that are fundamental to the transformation in VA: Improving the Veterans’ experience. At a minimum, every contact between Veterans and VA should be predicable, consistent, and easy. However, under MyVA, the Department is working to make each touch point exceptional. Improving the employee experience. VA employees are the face of VA. They provide the care, information, and access to benefits Veterans and their dependents have earned. They serve with distinction every day. Achieving support services excellence will let employees and leaders focus on assisting Veterans, rather than worry about back office issues. Establishing a culture of continuous performance improvement will apply lean strategies to help employees examine their processes in new ways and build a culture of continuous improvement. Enhancing strategic partnerships will allow the Department to extend the reach of services available for Veterans and their families. MyVA strengthens VA’s ability to consistently identify, evaluate and leverage external resources to improve the Veteran experience, while enhancing productivity and efficiency across the enterprise. This strategy drives an unprecedented demand by our Veterans and VA staff for IT services and benefits. To serve this demand, Healthcare and Benefits Access, and Veteran and Employee Experience are being explored through the lens of our Veterans. The VA is modifying underlying structures, processes and systems to increase efficiency, drive integration of internal business functions, and improve service delivery. The VA must adapt to rapid technology change and shorter planning cycles. The VA is currently attempting to move into a future state of cloud services without an overarching strategic vision. OI&T’s current methodology is siloed and project-based, focused on solving individual business problems, and relying heavily on VA-specific acquisitions. The focus of OI&T’s investment strategy has been fragmented in execution focusing on sustaining the current infrastructure with various project efforts rather than taking an enterprise approach. The two main drivers of this effort are the increasing benefits and mandates for cloud migration and data center consolidation. Cloud Migration: Produced by the Office of Management & Budget (OMB), the February 2011 Federal Cloud Strategy outlines the impetus and benefits of migrating to cloud services, including acceleration of data center consolidation and better utilization of existing infrastructure assets. Based on the December 2010 25 Point Plan to reform Federal Information Technology Management, also from OMB, each Federal agency CIO has been directed to leverage this strategy to begin planning the migration of their IT services to cloud solutions. Data Center Consolidation: The Federal Data Center Consolidation Initiative (FDCCI) was initiated by the Federal Chief Information Officer to reduce the IT footprint for agencies through the consolidation of traditional data centers to promote the use of Green IT, reduce the cost of data center hardware, increase the overall IT security posture of the government, and shift IT investments to more efficient computing platforms and technologies. These two drivers, as well as OMB mandates such as Cloud First, Three to the Cloud, Shared First, and Future First, highlight the importance of harnessing these fundamental shifts in IT investment patterns to increase IT efficiencies and cut IT costs. Prior to migrating to the cloud or consolidating data centers, it is critical to have an understanding of the current IT environment and make informed decisions about moving applications to the cloud. PURPOSE In an effort to deliver increasing value to the Veteran, the Department of Veterans Affairs (VA), Office of Information & Technology (OI&T) is modernizing its IT infrastructure across the enterprise. The purpose of this effort is to acquire professional services that the VA OI&T requires in order to adequately support the modernization of the VA Enterprise IT Infrastructure and ensure compliance with enterprise strategy and mandates for cloud migration and data center consolidation. Additionally, the Secretary’s MyVA strategy has led to the identification of the following objectives:Objective 1: Implement Enterprise Cloud Services. Identify, leverage and establish cloud services through Federal Risk and Authorization Management Program (FedRAMP) accredited “-as a Service” solutions such as: Infrastructure, Platform, Software, and Storage. This is the principal objective. Objective 2: Network Modernization and Convergence. Modernize, upgrade and re-engineering of the VA network infrastructure, to include on-going operations, maintenance, sustainment, and administration.? Objective 3: Unified Communications (UC). Converge all electronic communications onto a single, IP-based enterprise network that seamlessly accommodates all voice, video, data, and collaboration traffic establishing a unified communications capability for all the VA end-users and extending to the Veterans Objective 4: Data Center Consolidation & Hosting. Provide cloud services and mechanisms that enable consolidation of VA’s existing data centers to a target state (and number) that promotes cost savings, reduction of assets, standardization, and operational efficiency without compromising availability, reliability, business continuity, and security This SOO describes OI&T’s goals, objectives and performance requirements to aid the contractor in developing a comprehensive Statement of Work (SOW) that will achieve best-value on the total cost of ownership (TCO) related to the VA Enterprise IT Infrastructure, while maintaining the highest levels of availability, system integrity, and ability to implement commercially available enhancements. The requested contractor’s SOW covers the contractor services to fully address the primary program objectives defined as:Establish an enterprise approach to cloud servicesProvide a stable and sustainable IT infrastructure environment Decrease IT infrastructure duplication and complexityIncrease operational efficiencyImprove information security Lower operation costsIncrease OI&T’s management controls and oversight role by aligning to the Information Technology Infrastructure Library (ITIL) service modelVA requires a contractor who brings a mission focus to this program that can continuously identify methods for applying IT processes to improve VA’s Veteran-focused mission performance and execution. OI&T requires a contractor with the expertise to continuously analyze, research, identify, and recommend the most effective and efficient application of technology to meet VA’s mission requirements as well as the capability to design, engineer, install, and integrate IT infrastructure hardware, software and service components. OI&T will require the contractor to:Provide, under a performance-based contract, secure, highly reliable, and available IT infrastructure services that meet or exceed OI&T customer expectations.Continuously review, analyze, and take proactive measures to ensure that the VA IT infrastructure stays current with technological advances in the industry, while validating that infrastructure investments are aligned with the VA Strategic Plan and VA mission objectives.Improve service through the implementation of a standard service management/delivery framework and associated processes, such as ITIL.Develop and provide innovative solutions for consideration by VA.Provide transparency to customers and end-users on service cost, performance, and satisfaction, demonstrated and documented through independent third party customer satisfaction surveys.Continuously monitor cost of services and customer satisfaction for services delivered throughout the life cycle of the IT infrastructure operations and support programs as measured through third party Total Cost of Ownership (TCO) studies.Achieve predictable costs for services to enable better budgeting for the OIT and its customer base.Effectively utilize subcontract and teaming arrangements under the VA Small Business Program and Federal Acquisition Regulation (FAR) Part 19.A SOW and associated cost quotes will be accepted from a single contractor that can contribute to reducing the TCO without compromising objectives or requirements; have existing partnerships with industry leading technology vendors and service providers; and demonstrate the ability to accomplish tasks and deliverables in accordance with stated or desired service levels and performance objectives.Under a performance-based services contract, service level agreements (SLAs) and performance metrics will be used extensively to monitor the performance of this contract and tasks. The VA and the contractor will baseline and monitor progress using agreed-upon performance metrics and service level agreements. The VA expects the contractor to propose performance and quality assurance metrics and performance incentives in its SOW that will best advance the purposes of this contract on a cost-effective basis and ones which will be meaningful to the VA and the contractor.PARTNERING PHILOSOPHYA major intent of SOO is to create a "partnership" between OI&T and the contractor. Superior performance by the contractor will be determined by the extent to which its services advance superior VA mission accomplishment through the completion, use, and documented results from the VA infrastructure services and systems. This is accomplished by planning projects, keeping in mind there are times when new requirements come along causing re-prioritization according to governance processes. Within the context of this SOO, "partnership" means an interactive, mutually supportive professional relationship that is open, collaborative, agile, and customer-oriented. In addition to meeting the objectives described herein, the contractor will be expected to:Consistently take steps to understand VA’s crucial business issues and opportunities.Identify and propose improvements to frameworks, processes, and services throughout the performance period of the contract.Share the risks and responsibilities of joint implementations and initiatives.Ensure its products and services deliver tangible and meaningful business benefits.Work collaboratively with other contractors, government agencies, and business partners to ensure project success.SCOPEThe Contractor shall provide IT professional services to OI&T as directed by the Contracting Officer’s Representative (COR) through the issuance of task orders. Every year since 2010, bandwidth utilization more than doubled on VA’s wide area network core. This trend is not only expected to continue but to increase over the next decade as more staff are added to the VA, more Big Data applications come on line and use of smart devices to access Internet-hosted social media and streaming web services rises. Another driver for projected increased bandwidth utilization is the move to cloud services, whether externally or internally hosted. While the cloud architecture will provide increased security, redundancy and reliability over the current model, it can also be expected to generate more traffic on the VA wide area network.In addition the “tail circuits” connecting medical centers and regional offices are also experiencing growth. Recent data shows a 20%-25% annual growth rate. For satellite facilities (e.g. community based outpatient clinics) receiving additional telehealth endpoints, the growth rate may be significantly higher.In order increase capacity over the next decade to meet these ever rising bandwidth usage drivers, VA must re-architect and re-engineer the current network topology from core to edge to fully take advantage of next generation carrier services built on Ethernet fabrics, software defined networking (SDN) and network device function virtualization. This network modernization program will also address the transformation of OI&T’s approach to on-going operations, administration and maintenance (OA&M) and infrastructure technology acquisition re-fresh.The cloud broker will provide OI&T a technical and organizational transformation roadmap that addresses all phases including architecture, engineering, implementation and sustainment as well as strategic partner engagement services to accomplish this agenda. A critical facet of this strategic partnership agenda is to leverage new acquisition models built on cloud enablement as a way to shift from acquisition of network infrastructure technology as an asset to infrastructure technology as a service (ITaaS). The cloud broker will also engage with the carriers to ensure all service level agreements are met.Business process latency is problematic in all large organizations. VA is no exception. Business process latency stifles effectiveness. Shrinking that latency is fundamental to VA fulfilling its commitment — whether it’s the intelligent routing of a Veteran phone call to an available service representative who automatically gets a “screen pop” displaying the necessary data about the caller to promptly resolve their issue or Executive Leadership locating a key staffer in real time regardless of where they are or what mode(s) of communication they have available, who can then, regardless of device or location, access any data or resource needed.Unified communications is the integration of real-time communication services such as instant messaging (chat), “presence” information, telephony (including IP telephony), video conferencing, data sharing (including web connected electronic whiteboards or Interactive White Boards (IWBs)), call control and speech recognition with non-real-time communication services such as unified messaging (integrated voicemail, email, SMS and fax). UC is not a single product, but a set of products that provides a consistent unified user interface and user experience across multiple devices (both fixed and mobile) and media types (voice/audio, video, text). Through the use of basic UC capabilities or through the use of communication-enabled business process (CEBP), UC can optimize business processes and enhances human communications by reducing latency, managing flows, and eliminating device and media dependencies.The enterprise cloud services broker will provide OI&T a roadmap to deliver unified communication as cloud-hosted services (e.g. voice-as-a-service, conferencing-as-a-service, etc.) served from either VA’s internal cloud (consolidated Data Center locations) or via an offering from a cloud provider. These cloud services will deliver enhanced functionality and capability to all VA organizations including medical centers, outpatient clinics, Consolidated Mail Outpatient Pharmacies (CMOPs), VHA Health Administration Center (HAC), VHA Health Eligibility Center (HEC), Patient Aligned Care Teams (PACTs), national contact centers, regional benefits offices, national cemeteries, VA Central Office (VACO) and field-based program offices. The cloud broker will also provide strategic partnership assistance with planning, design, implementation and sustainment (managed services). The intent is to ensure consideration of all alternatives including the exploration of a “pay-by-the-bit” model for the entirety of the Department’s communications needs regardless of the type of communication, the device, the source or the destination and direct engagement with cloud providers to ensure the cloud provider meets all service level agreements. OI&T requires the Contractor to develop and maintain throughout the engagement, a Master Program Plan (MPP) that describes the overall target architecture, a roadmap to achieving that target architecture with major milestones, and an integrated master schedule that presents a detailed work breakdown structure and milestones for each of the five major task groups identified above. Program/Project Management The Contractor shall provide the technical and functional activities necessary for the management of this SOO. The Contractor shall employ a technical approach, organizational resources and management controls to achieve cost, schedule and performance requirements throughout the engagement. The contractor, at a minimum, shall perform the following program management activities:Develop and manage Infrastructure Modernization Program Management Plan and Project Schedule, outlining the individual project WBS and resource allocation to accomplish each taskProject coordination and management support between contractor engineers, federal staff, vendors, and future customers of the various infrastructure systems to ensure integration points are in place throughout the project’s lifecycleSupport deployment planning and overall project management for the multiple locations across the VA enterprise nationwide Provide overall quality control throughout the project’s performance, and escalate issues to federal management as needed Produce briefings, program plans, and other documentation as requested for presentation to OI&T and VHA, VBA, and NCA Provide communications and outreach materials to customers on the solutionProvide executive coaching and instructional presentations regarding new functionality to OI&T customersProvide meeting support such as agenda development, minutes, and action trackingPrepare status reports, on a weekly and ad-hoc basis, to provide an update on the project’s progress and specific areas that may require management’s action6.1 Reporting At the request the COR, the contractor shall provide the COR with separate written Project Status Reports that monitor the progress, cost, schedule, and labor hours expended to date for each Task Assignment issued under this SOO. The Project Status Reports shall include a discussion of overall personnel, financial and other issues, including potential impacts on schedules or project plans and recommended actions. Where relevant, the reports shall discuss these issues for each Task Assignment. A summary of labor hours (and dollars) expended by Contractor/subcontractor employee by Task Assignment shall be included in the reports. Each report shall be submitted to the COR in accordance with the delivery schedule agreed upon by the parties. The COR may change the format and content of the reports over time to reflect the dynamic nature of the assigned activities. Although the reports are due at the request of the COR, this shall not relieve the Contractor of the responsibility to proactively keep the Government informed of issues or problems as they occur (including technical, cost or schedule issues).The contractor shall also provide weekly updates that inform the COR about the status of each Task Assignment.Veteran-focused Integration Process (VIP) SupportThe Veteran-focused Integration Process (VIP) is VA’s newly adopted framework for the development and management of IT projects to ensure Veteran-focused delivery of IT capabilities. The VIP framework unifies and streamlines IT delivery oversight and will deliver IT products more efficiently, securely and predictably. The VIP framework creates an environment delivering more frequent releases through a deeper application of Agile practices. In parallel with a single integrated release process, VIP will increase cross-organizational and business stakeholder engagement, provide greater visibility into projects, increase agile adoption and institute a predictive delivery cadence.Throughout performance on this contract, contractor shall follow the VIP process on all program work, and provide VIP lifecycle assistance to the OI&T portfolio manager responsible for the IT Infrastructure modernization effort. This support will include, but not be limited to, the, development, review, submittal, and management of all VIP required project artifacts and documentation as summarized in the below graphic, and described in detail in the Veteran Focused Integration Process Guide 1.0, Dated December 2015. Supporting documentation to be developed include:Critical Decision OneRequirements (Epics, Sub-Epics and User Stories)A signed Project CharterA Project Management Plan (PMP) including Risk LogA Financial Management Plan (FMP)Critical Decision TwoTraceability (requirements to test cases)/Test Execution/Test Results/Defect Log – entered directly into the repositoriesVersion Description Document (VDD)Production Operations Manual/Technical Manual (VistA), including Deployment, Installation, Back-out, Rollback Plan, RACI (if extensive deviations required), Troubleshooting Information, Process Flowcharts, and Key Monitoring IndicatorsAuthority to Operate (ATO) including Contracts/Licensing/SLAs /OLAsPeriod and Place of PerformanceThe base Period of Performance will be one year from date of award with four, one year options. Services will be provided at VA and contractor locations within the United States (US). The SOO will have individual task orders associated with the individual tasks within each Objective. Current Environment: Existing/Legacy Environment The current VA IT environment and methodologies have begun to pivot towards cloud adoption, but are not widespread. VA activities include:Shifting towards the Administration’s “cloud first” strategy and the OMB's "cloud-first" policy.A first-ever VA Cloud Strategy Lockdown, co-sponsored by the Associate Deputy Assistant Secretary of Architecture Strategy and Design, and Deputy Assistant Secretary for the Office of Information Security, was held in April 2015. The IT infrastructure provides the backbone necessary to meet the day-to-day operational needs of VA Medical Centers, Veteran facing systems, benefits delivery systems, memorial services, and all other IT systems supporting the Departments’ mission. It also mitigates a risk of increased frequency and severity of system outages and major incidents that may potentially result in serious harm to Veterans (patient safety) or data loss. Also, demand varies rapidly by location, depending on movement of Veterans and changes in the availability of other forms of support services. The ability to rapidly adjust capacity to meet shifting demand is critical to avoid expensive capacity-demand mismatches but does not currently exist. The VA Enterprise scope is staggering. According to the Department of Veterans Affairs FY 2014 – 2020 Strategic Plan, Veteran services and benefits are to be provided through a nationwide network of 151 Medical Centers, 300 Vet Centers, 827 Community-based Outpatient Clinics (CBOC), 135 Community Living Centers, 6 Independent Outpatient Clinics, 103 Residential Rehabilitation Centers, 139 Integrated Disability Evaluation System (IDES) sites, 131 National and 88 State or Tribal Cemeteries, 56 Regional Offices, 6 Fiduciary Hubs, 3 Pension Management Centers, 1 Insurance Center, 84 Vet Success on Campus sites, 169 benefits services offices, 4 Regional Processing Offices (RPO), and 9 loan guaranty centers. From an OI&T data center perspective further described in Section 7.4, Enterprise Operations (EO) manages the VA’s five national data centers providing standard enterprise platforms, networks, storage and facilities to operate, maintain, and support 296 IT applications. Funding to ensure the IT infrastructure platform is fully capable of providing for VA’s data storage, transmission, and communications requirements has grown steadily since 2010 and is expected to continue growing into and beyond 2016. Without consistent annual investment in lifecycle replacement, platform modernization, and infrastructure expansion, VA runs the risk of increasingly unreliable systems and services. The cost of replacing IT equipment that is “beyond useful lifecycle” is considerable and may approach $685M. Annual investments are required as part of a constant lifecycle replacement program, otherwise the accumulated cost of replacing obsolete equipment expands as a sizable “IT Debt” to be paid in the future or face increasing risk of degradation. Objective 1: Enterprise Cloud Services – CURRENT ENVIRONMENT The current VA IT Environment is federated, with many different data centers and a mixture of various technologies to enable many different systems. This approach is not sustainable. The growing cost of maintaining the complex infrastructure reduces the availability of funding for new IT capabilities needed to manage and meet health care needs. The impact to Veterans will be positive with these project-specific investments but will not garner the increasing leverage of an enterprise strategic approach to cloud services.To ensure the IT infrastructure platform is fully capable of providing for VA’s data storage, transmission, and communications requirements, funding is critical to sustain essential IT requirements which have grown steadily since 2010 and are expected to continue growing into and beyond 2016. Many cost reduction/cost avoidance strategies are currently in planning or have been fully or partially implemented. The below list is a representative sample. GSA Networx Contract Transition, Managed Trusted Internet Protocol Services (MTIPS) programMicrosoft Enterprise License Agreement (ELA)Oracle Enterprise License AgreementVMWare Enterprise License AgreementEnterprise Storage on Demand (SOD) Consolidation of Commodity Items (hardware, software, and maintenance contracts)Regionalization of Telecom Business OfficesRegionalization of Mobile Wireless contractsVery Small Aperture Terminal (VSAT) Contract ConsolidationHelp Desk consolidation and Single ToolEnterprise Development Environment (EDE)Short Term Infrastructure Contract (STIC) – FISMA High/Moderate Virtualization (By Light/Terremark)Enterprise Commercial Cloud (AWS)Veterans Point of Service (VPS) (Azure)External Development Environment (EDE) External Labs (Azure)Enterprise level Software as a Service (SaaS) Cloud Systems:Human Resource Information System (HRIS)VA Time and Attendance System (VATAS)Talent Management System (TMS) Planned or contemplated implementations include as a representative sample:???Hosted Infrastructure Virtual Environment (HIVE) – Long Term Enterprise FISMA High CloudServer VirtualizationCloud First and Virtualization First StrategiesNetworx Services 2020 (NS2020) Enterprise Infrastructure Solution (EIS) TransitionPrivate/Hybrid/Virtualized/Contracted Virtualized Infrastructure includes:TerremarkVeterans Benefit Management System (VBMS)Identity and Access Management (IAM)Chapter 33My HealthyVetVA Mobile Framework CenturyLinkMost cost reduction strategies yielded rate savings that are offset by usage increases. Business drivers for every level of the infrastructure “stack” overwhelm the cost reduction strategies. Research has shown that a successful cloud program can yield over 30% in run-rate cost savings, which can be used towards more Veteran-facing missions. These cost savings come along with significant improvement in quality or reliability of service. For example, research has shown that critical outages reduce by over 90% after migrating to the cloud.Objective 2: Network Modernization and Convergence – CURRENT ENVIRONMENTThe computing infrastructure within VA is immense. We currently track over 1.4 million devices in inventory. This reflects all IT devices and includes spares, equipment in storage as well as Items such as monitors, inventory scanners, cell phones and tablets. Endpoints such as laptops or desktops often have multiple monitors and other supporting peripherals such as docking stations and handheld devices. The following items are identified as commodity IT assets and approximate: Non-IP phones: 410,000Desktop computers: 388,000Laptops: 61,000Printers: 135,000Mobile Devices (iPads, iPhones, Android phones and tablets, Blackberry, broadband cards): 70,000Switches: 105,000 Scanners: 29,000 Physical Servers: 16,000VA also invests heavily in virtualization. 72% of application servers are virtualized. In 2015, VA implemented 195 converged virtualization solutions to deal with site based applications and storage.The VA performs systems monitoring [status (up/down)] for performance issues. Monitoring covers: Performance monitoring of resource use, all EO systems and VA-wide applications, storage, and middleware OS and hardware performance review Mainframe performance monitoring and tuning including: analysis and reporting of response times, throughput, use of computing resources, availability, communications, and I/O throughput Application performance monitoring, performance optimization, and document changes for stability Agent-based monitoring for customer applications hosted in the EO computer rooms Server-based monitoring is a shared infrastructure used to monitor customer applications hosted in EO computer rooms Reporting on performance and availability of systems and customer applications The VA also operates a wide area network (WAN) infrastructure that includes: Routing Circuit Provisioning WAN Acceleration WAN Encryption Network Contract SupportVoIP Services Wireless Services Radio Frequency (RF) and Bridging Services Network engineering and design consultation Network utilization monitoring and capacity planning Network load balancing and high availability solutions Firewall and DMZ Management Multiprotocol Label Switching (MPLS)Dual Connections to Critical Locations (most medical centers)TIC gatewaysActive DirectoryDomain Controller InfrastructureIPv4, with initial efforts to prepare for IPv6The VA operates a local area network (LAN) infrastructure which includes:Layer 3 Switching Wireless Access VM, Storage, Backup, and Disaster Recovery network-based support Switchport Security IP Address Management The VA also operates a campus LAN infrastructure that includes:Campus LAN primarily hub and spoke / star modelCentral Core redundancy at many locationsIn migration from sites having direct connections to remote clinics, to MPLSPrimarily Cisco Devices for CORE Switches, Routers, Access Points and Access SwitchesCisco Enterprise Service Agreement in place for supportCisco Network Collector used to track network equipment lifecycleMany access switches and routers nearing or past end of supportOver 85% of switches are within 3 versions of the same OSLocations are wired for Ethernet to the jack, augmented in clinical areas by wirelessMigration from 1gb in computer rooms to 10gbFiber from computer room CORE switches to closetsPrimarily CAT5 from closet to jackSeparate “air gapped” vendor operated “Patient WiFi / Guest Networks”Separate Industrial Control networks supported by Biomedical EngineeringAccess to internet for Industrial Control networks managed thorough Access Control ListsPort security enabled outside computer roomsVirtual LANs (VLANs) not standardized across locationsMedical Device Isolation Architecture (MDIA) Objective 3: Unified Communications – CURRENT ENVIRONMENT VA does not currently have a unified communications and collaboration infrastructure. There are stand-alone or stovepipe implementations of video conferencing, audio conferencing, Microsoft Lync messaging with a prevalence of a CAPEX model. There are at least two types of unified communications users within VA: Casual users and Registered users. Casual users are those users who are not assigned a permanent communication device or communication end-point. Examples of casual users include patients, facility visitors, and others who will not have a permanent telephone number or communication devices assigned to them except for a temporary period (i.e. length of hospital stay). Registered users are those who will have a permanent identify assignment within the agency and will be assigned specific identification means within a unified communications environment. Examples of Registered users are employees and contractors who will receive communications as part of the normal business operation of VA. For decades, the VA has furnished local voice communication capabilities by purchasing and installing dedicated private branch exchange (PBX) systems at each medical center, regional office, or other “major” facility. Associated satellite facilities have typically received their voice functionality via a connection to the PBX at their parent facility. This is a costly and highly duplicative approach in terms of equipment, software, and support. In current state, the VA Technical Reference Model (TRM) does not include a Standard Profile (SP) for enterprise contact center (ECC) architecture or voice components other than an approved standard for dialing using a 10 digit North American numbering plan. Newer technologies related to telephony and the supporting infrastructure, such as the transport network, make it possible to transition from a site-based approach to a strategy that will improve voice service and reduce costs. The cloud telephony approach is being used or pursued by many large organizations and is consistent with OI&T core principles of eliminating duplication in support and infrastructure, fostering enterprise standards and interoperability, and containing costs.Example categories for unified communications are:Productivity Suite/Collaboration Tools Email provided is Exchange 2003, primary client is OutlookLync used for instant messaging, small group conferences, desktop sharing, presence informationCalendar Management provided via OutlookContact Management provided via OutlookHeavy use of share point (various revision levels) for collaboration tools document review and editing, team collaboration repositoryMinimal presence information availableProductivity suite is Microsoft Office Professional Plus 2007SharePoint – versions varyTeleconferencing/Video ConferencingUse of VANTS for teleconferencing Single group supports Video Conferencing Lifecycle Centrally – EVTNMixed VTC environment with both medical and administrative devicesInconsistent application of VTC scheduling solutionsMobile Device Management (MDM)Telephony systemsWide variety of call center solutions Wide variety of IP Phone productsNo single vendor providing hardware / software VOIP solutionsMany vendor solutions for telephonyVistAProvides email servicesElectronic Medical RecordsVPN SolutionsRESCUE VPN - Government Furnished Equipment (GFE) Secure Mobility Client (Non-GFE)Cellular servicesMultiple contract providers Objective 4: Data Center Consolidation & Hosting – CURRENT ENVIRONMENTIn compliance with the Federal Information Technology Acquisition Reform Act (FITARA), the VA is currently reporting 354 independent data centers. According to definitions (below) established in OMB’s Data Center Optimization Initiative (DCOI), VA consists of 263 tiered data centers and 91 non-tiered data centers.Tiered data centers are defined as those that utilize each of the following: A separate physical space for IT infrastructure; An uninterruptible power supply (UPS); An independent cooling system; and A backup power generator for prolonged power outages. Non-Tiered data centers are those that host IT equipment, but do not meet the tiered data center criteria.While DCOI simplifies data center categorization, the gathering of reportable data center information such as capacity, capability, hosted IT assets, and site specific provided services is largely a manual effort that continues to be a significant challenge.Data Centers in respect to DCOI and FITARA represent facilities that host government owned IT systems providing enterprise and site specific IT services. Within this document, the term data center excludes cloud services in which the vendor is the sole provider of the IT infrastructure excluding security and compliance equipment. VA data center space is either agency owned, contracted through GSA, or independently contracted. While VA support staff fall under a common leadership chain, the sites are widely differentiated in respect to management, service levels, age and repair, contract model and cost profiles without regard to the criticality of the hosted applications and services. Of the VA tiered data centers, 83% (217) are owned by the VA, 13% (33) are independently contracted, 4% (10) are obtained through GSA contracts, and 1% (3) are hosted by another federal agency. In respect to non-tiered data centers, 59% (54) are housed at a VA owned facility, 30% (27) are GSA provided, and 11% through independent commercial contracts. Applications HostingThe expansion of Veteran services has driven a rapid increase in the number of IT applications developed inside the organization. VA Systems Inventory (VASI) is the authoritative inventory of all business-oriented IT systems. This resource provides an updated, comprehensive enterprise-wide view of our entire IT portfolio – including system name, acronym, hosting location, security accreditation, stakeholders, and much more. Presidential and Federal guidance demand a significant transition of legacy hosting options to a cloud model where government becomes a consumer of resources instead of a provider. Financial management and information consolidation remains a challenge. While VA has committed to data center consolidation and cloud adoption, little progress has been made to unify the organization and consolidate efforts to modernize delivery and hosting of VA requirements. VA requires standardized destinations for enterprise services to enable data center reduction as well as common cloud implementations that can be described in such a way that legacy applications can be modernized and new applications can be developed in methods compatible with VA hosting options. Approach OverviewThe tasks listed in Section 8.1 to 8.5 collectively apply to the four objectives described in Section 3. To summarize, the contractor will provide end-to-end advisory services that analyze requirements, available resources and capability, and makes knowledgeable recommendations regarding the most effective option for the processing, provisioning and implementing of cloud services, to include providing the services themselves. Additional tasks specific to each of the four objectives are provided in Sections 9.1 to 9.4.Business Approach Provide all support necessary to analyze options and select the most cost effective service provider for a given requirement, and support planning of the migration and deployment of the VA target applications and services. Create presentations, budget plans and projections, strategic roadmaps and project plans to provide recommendations. Provide communications plan for all affected parties of the migration(s) to ensure end-user adoption, customer satisfaction, successful organizational process changes, and alignment with VAs policies, requirements and goals.Provide maximum alignment to FDCCI requirements and cloud migration mandates and requirements, amplifying VA ability to achieve its management objectives.Provide recommendations for services within the enterprise and specified geographic locations for the target applications and services.Provide cloud migration support services that accommodate considerations from an enterprise perspective including impact on VA business units, contracts, management, and technical components, including application, infrastructure, and security. The contractor shall tie cloud migration recommendations to the purpose of the applications or services being migrated and should include users, stakeholders, business hours, and related input and output processes based on the role and business function of the affected VA systems.Technical ApproachProvide recommendations for commercial cloud environments for production, integration, development and sandbox purposes to support the complete systems lifecycle.Provide post-deployment evaluation of cloud service providers to assure compliance with SLAs, and make recommendations about competition among cloud providers where cloud provider performance is less than required.Provide recommendations for open-standards based technologies whenever possible to provide interoperability. Recommend specific standards that should be utilized including:Open Virtualization Format (OVF) – applicable only to IaaS virtual machinesCloud Data Management Interface (CDMI)Open Cloud Computing Interface (OCCI)Other standards as requiredProvide capacity planning recommendations for additional resources for bandwidth, storage, software licenses, etc. as required supporting the migration and on-going operations beyond the initial amount planned for operations.Provide migration status including milestones and support or implement specified migration testing plans and related rollback capabilities.Provide all technical advisory services and tools necessary to fully migrate the VA target applications and services to the cloud.Provide recommendations, standards, and associated SLAs to maintain sufficient and cost effective continuity of operations. Develop and contribute relative details to VA business continuity plans (BCP) that satisfy the cloud service layers and components. Provide recommendations for standardized backup, and disaster recovery procedures and processes in the cloud environment for the target applications and services meet or exceed the identified: Recovery Point Objectives (RPO) – Ability to recover files for any specific day Recovery Time Objectives (RTO) – Ability to recover files within stated hours of requestAny other relevant guidance in respect to data retention, recovery, and availabilityService TierRTORPOElite<5 MinutesVirtually no data lossPremium15 Minutes15 MinutesHigh12 Hours2 HoursMedium48 Hours24 HoursProvide cloud solution requirements that maintain static, replicated, or live data at a site geographically disparate from the production site, when appropriate, such that the loss of one data center does not prohibit recovery of data within the prescribed RTO. Provide market research and requirements gathering approaches for efficient usage of cloud elements such as processor, RAM and data storage tiers, network capability and availability as needed within the target applications and services.Provide software license recommendations consistent with VA target environment.Be responsible for recommending and supporting the development, organizational transformation, and implementation of modernized, cloud-minded IT service management plans, practices, infrastructures and systems using industry best practices.??Security Approach Provide recommendations for support and cloud services in compliance and alignment with Federal statutory requirements (e.g. 38 U.S.C. 5725) governing the protection of Personally Identifiable Information (PII) and Patient Medical Information (PMI), Federal Risk and Authorization Management Program (FedRAMP) standardized security assessment, authorization, and continuous monitoring policies as required by the scope of the project. Assessment and Authorization (A&A) activities will be included as part of the migration recommendations.Provide cloud migration recommendations regarding security and privacy that are consistent with the NIST Special Publication 800-144 – “Guidelines on Security and Privacy in Public Cloud Computing” or other applicable standards and guidelines.Provide a draft security plan to VA management authentication (PIV card), and physical and logical security and certification (e.g. FedRAMP), such that cloud providers can deliver a single comprehensive solution that can be leveraged across the organization reducing end user confusion and security management complexity. Provide recommendations for a trusted secure communication channel for management of multiple cloud environments to support VA PIV Card authentication (or other forms of 2 factor authentication) for remote access in accordance with OMB M-11-11.Provide recommendations for security for non-standard data transfers both in transit and at rest resulting from the migration of the applications or services to the cloud. Provide recommendations for specified auditable events related to the applications or services.Provide recommendations for number, skill level, and number of government support personnel who need have appropriate level of Background Investigation or security clearance.Identify any additional Security and Privacy standards to which cloud service providers should conform their services/solutions. For example: Properly securing connections between formerly co-located systems, including systems not migrated for business or other reasons.Ensure information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, Contractors/Subcontractors are fully responsible and accountable for ensuring compliance with all HIPAA, Privacy Act, FISMA, NIST, FIPS, and VA security and privacy directives and handbooks. The Contractor’s security control procedures must be equivalent, to those procedures used to secure VA systems. A Privacy Impact Assessment (PIA) must also be provided to the COR and approved by VA Privacy Service prior to operational approval. Create associated recommendations for the creation of the most effective compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for cloud service. Implementation of VA specific intellectual property rights policy.Provide recommendations for security documentation review services to make sure that FedRAMP approved security controls are compatible with VA 6500. Provide broker services that emphasis the use and re-use of not only FedRAMP approved Cloud Service Offerings but Cloud Service Offerings that have a VA ATO.Provide recommendations for pre procurement analysis to verify that the cloud service provider is equipped to adhere to Appendix H of the Trusted Internet Connections (TIC) Reference Guide which details logical separation of customer systems and encryption for data transfers. Provide pre-acquisition verification that all data transfers will go through 1 of the 4 VA TICs.Provide recommendations for contract support to verify that VA security requirements are documented in the contract between the cloud service provider and the VA.Provide recommendations for administration support services to VA project system administrators to make sure that security controls not implemented by the Cloud Service Provider are available to the project administrators. Each Cloud Service Provider should publish a worksheet in their security documentation package that details security control responsibility for the particular type of cloud service offering (IaaS, PaaS, or Saas).Management Approach Provide recommendations to VA to establish relationships with cloud service providers that allow the providers maximum flexibility to innovatively manage program cost, schedule, performance, risks, warranties, contracts and subcontracts, and data required to deliver effective migration services and operations. Provide recommendations to VA to establish and maintain clear, near real-time government visibility into program cost, schedule, technical performance, and risk, including periodic reporting. Provide meaningful reporting and analytic tools and techniques that allow the VA to have with up-to-date, comprehensive information regarding technical and management performance of cloud providers.Provide a Change Control Board, and comply with all Change and Configuration Management plans and policies.??Such changes shall include testing and release processes. The Contractor shall develop and maintain Software Configuration Management documentation and institute required change management processes.Coordinate between the VA OI&T, VA administrations, contractors and vendors the design, refactoring, procurement, implementation, migration, security, ongoing provisioning, operations and maintenance of applications within the cloud services portfolio.Provide recommended transition plans detailing milestones, activities, and timelines for the migration of VA applications and services to the cloud.Provide a recommended cloud vendor management plan including risk analysis, evaluation, performance, auditing, and dispute resolution approaches to use with cloud providers.Provide operational expertise and support for the business implementation as well as the user support required to ensure a successful implementation and rollout of the new cloud solutions.??This includes but is not limited to communications to the workforce and external stakeholders, organizational change management, training, and documentation.?Develop, maintain and support an organizational change management strategy focused on optimizing user acceptance and technology adoption.? The organizational change strategy shall address preparation for the change(s), and any impacts and steps for execution associated with changes needed to implement cloud services. That strategy shall include a plan for mitigation of any apparent conflicts of interest presented by performance of both the advisory aspects of this effort, which involve submitting recommendations to VA regarding the strategic path forward, and the actual execution of those recommendations. Administrative Approach Provide end-to-end monitoring capability and reporting for service level agreement (SLA) requirements and metrics compliance by cloud service providers. Provide proposed SLA and associated terms and conditions that describe methods of compliance with solicitation objectives and requirements for VA use in establishing cloud provider relationships. Key elements covered in the SLA include:Metrics for the services provider as measured at the end user device.Metric Time Objectives for tasks.Methods for ensuring that the Service Level Agreements are met.Provide configuration management recommendations for cloud virtual environments that integrate with VA configuration management system.Provide recommendations for archived and deleted record data retention consistent with VA data retention policy. Establish a centralized decision making portal that maintains, at a minimum, a catalog of active, available cloud services, associated contract information, SLA metrics, costs, real-time capacity and trending reports, and accounting information such as responsible VA parties such as the system owner, VASI applications, etc. The portal, at a minimum, shall provide:A built-in analytics engine and enable functionality, such as "the ability to recommend providers based on pricing"A billing engine and interface itself, that enables "the ability to consolidate billing across providers"Reporting capabilities such that allow administrators to easily view consumption, such as "the ability to report planned versus actual spend"The ability to use custom, user-defined metadata, such as "the ability to search/query bills by custom tags like by application, group, line of business, project, region or provider"Provide a draft Quality Assurance Surveillance Plan (QASP) and/or Quality Control Plan (QCP) that includes details for measuring performance and deliverables with metrics that may include data availability, storage capacity, uptime, etc. These documents are to be correlated with the “as-is” and “to-be” environments. Enterprise Cloud Services (ECS) for Information Technology Infrastructure ModernizationCloud services must support the entire VA Enterprise; therefore, internal users, mission partners, and Veterans must be provided a robust, agile, interoperable infrastructure that provides connectivity and computing capability to deliver integrated services to Veterans. The overall objective is to perform as an enterprise cloud services broker (ECSB) and to continuously improve such performance based on lessons learned by execution of cloud brokerage responsibilities. The scope includes all cloud options, such as EaaS, IaaS, DaaS, PaaS, and SaaS, as most appropriate to the requirement, depending on the uniqueness of the requirement to the VA versus commodity IT services needed by all Federal Agencies. The overall objectives are to:Optimize selection of the most appropriate cloud provider for a given business requirementReduce risk of consuming services (e.g., via federated security and compliance) Integrate diverse cloud services, including software as a service (SaaS) Add significant value to services (e.g., context and analytics) Provide subject matter expertise (e.g., best procurement practices consistent with the FAR) Achieve transparency in cost and performance of cloud providersCentralize cloud services functionality (e.g., service aggregation, archival and auditability) Provide a central point for governance according to U.S. federal government mandates Offer various IT services to help consumers with cloud service broker-related project implementations, ranging from managed services to business process utility (BPU) Streamline and simplify the IT services acquisition processEstablish processes and tools to assure on-going, viable competition among selected cloud providers by assuring easy migration of all VA intellectual property and data from one cloud provider to another, under contract terms and conditions agreed to by all VA cloud providers as a condition of entering into a contract with the VA.The VA ECSB will enable: Emerging Technology. New doors open to opportunities for service and benefits delivery that currently do not exist will give VA staff and Veterans to access information via a multitude of devices that may not be hardwired into VA’s network. Interoperable Applications. Enterprise and external systems use enterprise shared services to exchange, process and present information to improve interoperability, reduce system development costs and accelerate delivery. Better Value Modern Applications. VA makes more cost effective investments in technology and interfaces that are understandable to end users. Enterprise applications are built as dynamic websites that adapt to how various browsers need to translate and display information. The most suitable COTS/GOTS are used. Flexible and Scalable Infrastructure. VA uses technologies that provide elasticity, scalability such as cloud technologies to allow the sharing of capacity and support mobility, data analytics, and authoritative data. Secure Information and Networks. Information is encrypted as it traverses through the network. Devices, processes and people are authenticated as they move between functions and are authorized based on their functional role. Identify economies of scale, increase productivity and gain operational efficiencies. Ultimately seeks to drive out redundancies; replicate support service best practices; reengineer processes across the enterprise; establish service level agreements with clearly defined performance measures and targets; establish customer-driven frameworks; enable technology; manage performance; and apply common standards. OBJECTIVE 1 – IMPLEMENT Enterprise Cloud Services The VA requires an enterprise class hybrid cloud environment that leverages the use of hyper-scale cloud services, maintains a minimal private cloud presence, protects sensitive data and modernizes our IT services providing cost savings and improved services to the Veteran.Presidential and Federal guidance demand a significant transition of legacy hosting options to a cloud model where government becomes a consumer of resources instead of a provider. Financial management and information consolidation remains a challenge. While VA has committed to data center consolidation and cloud adoption, little progress has been made to unify the organization and consolidate efforts to modernize delivery and hosting of VA requirements. VA requires standardized destinations for enterprise services to enable data center reduction as well as common cloud implementations that can be described in such a way that legacy applications can be modernized and new applications can be developed in methods compatible with VA hosting options. The ECSB will analyze existing VA applications and develop an implementation plan, consisting of a transition plan from the current state to the end-state, a change management plan, and an OIT capability assessment, deployment, and transition strategies. Specifically, the Contractor shall confirm adequacy of the transition plan and change management plan, by monitoring and measuring for success.???The ECSB will actively participate in strategy sessions and make recommendations and contributions in to VA strategic management process. Expected tasks within strategic management include but are not limited to: strategy development, work sessions and planning, integrated enterprise planning, transition, and change management.The ECSB will identify all existing VA cloud service and external hosting contract expiration dates and provide cloud migration support services to ensure no interruption of service of VA hosting or applications that accommodate considerations from an enterprise perspective including impact on VA business units, contracts, management, and technical components, including application, infrastructure, and security. The ECSB shall tie cloud migration recommendations to the purpose of the applications or services being migrated and should include users, stakeholders, business hours, and related input and output processes based on the role and business function of the affected VA systems. The ECSB will conduct service orchestration utilizing the ITIL service delivery model. Service orchestration refers to the arrangement, coordination, and management of cloud infrastructure to provide the optimizing capabilities of cloud services, as a cost-effective way of managing IT resources, as dictated by strategic business requirements. The ECSB will also coordinate current and future services, such as engineering and operations support, as well as federal agencies lessons learned, to provide an enterprise wide approach, to include tactical and strategic functionality that ensures cohesive and cost effective VA utilization of cloud services. The ECSB will develop and establish a Cloud Management Platform that enables full-stack service provisioning across cloud and on-premise platforms that ensures factual reporting and appropriate governance and compliance policies. Ultimate delivery will ensure that the VA owns the cloud service accounts and all VA data stored via any of the cloud services procured. OBJECTIVE 2 - Network Modernization and ConvergenceWithin the designated period, the ECSB will support the VA to modernize our network infrastructure to maximize and leverage the use of vendor operated, owned and maintained equipment ensuring consistent security, availability of information, stability, and tools that improve services and support of our veterans.The ECSB will provide a comprehensive approach for network modernization and convergence for VA LAN, WAN and VPN that encompasses existing and future VA, vendor, veteran and staff locations within the US. The ECSB will analyze the VA and Industry environments for LAN, WAN and VPN. They will develop presentations, budget plans and projections, strategic roadmaps and project plans to provide recommendations to the VA Cloud Services Team for network modernization and convergence cloud services portfolio. After VA Cloud Services Team approval, the ECSB will coordinate between the VA Cloud Services Team, VA OI&T, VA administrations and vendors the design, procurement, implementation, migration, security, ongoing provisioning, operations and maintenance of cloud services within the network modernization and convergence portfolio.Primary attributes include: Not vendor lockedElasticMonitored and loggedHigh performanceEncompasses all VA network business cases – replaces current production, Industrial Control, VPN and Patient Access solutionsSecureTransparentFast provisioningProvides ubiquitous access to support a wide variety of business cases:Internal and external mobile computingStationary and mobile medical devicesPatient / Guest AccessEmployee AccessContractor AccessLaptop / desktops / cell phones / tablets / BYODPeripheral devices – scanners, printers, copiers, MFDsIndustrial Control SystemsMedical devicesComplementing the services provided in Sections 8.1 to 8.5, it is the VA’s expectation that the services provided will enable the VA to succeed in its network modernization mission by providing solutions for managing a reliable, available, and technologically current information technology infrastructure.? The Government expects to achieve the following objectives under Network Modernization and Convergence: Deliver high availability, reliability, scalability, maintainability, and strong security that exceed customer expectation. Implement industry best practices for network design and deployment methodologies that mitigate the likelihood of disruption to operations. Develop procedures and connectivity designs and requirements that ensure appropriate connectivity implementations of Trusted Internet Connections and similar mandates. All external Internet connections to VA network involving VA information must be reviewed and approved by VA prior to implementation.?Normalize and standardize network service delivery definitions and levels that enable a consolidated accounting of all network services to provide financial and technical decision making through a unified reporting portal.Advance the capabilities of existing information and network technology infrastructure and services that enable near seamless integration inside VA and with external partners and cloud service providers. Provide a flexible portfolio of network infrastructure services based upon business and technical requirements. Deploy technologies and tools that simplify network management, end-to-end application performance management, root cause analysis and problem resolution. Achieve high portability and security for mobile computing (Primarily iPad, iPhone and Android) and remote access using VPN technologies. Lower operating costs through better asset utilization and increased efficiency. Decrease risk through the use of tested industry-standard technologies and intelligent design to secure the network against attacks and malicious intrusions. Continuously improve the implementation of UC as well as Quality of Service (QOS) grooming on the VA network Serve as a liaison with VA National Security Operations Center (NSOC) for VA WAN related issues Deliverables: Initial in-process review (IPR) for the initial operational processes for Network Modernization and ConvergenceUpdated IPR for the initial operational processes for Network Modernization and ConvergenceInitial operational processes for Network Modernization and ConvergenceFinal operational processes for Network Modernization and ConvergenceInitial IPR for the initial outcomes for Network Modernization and ConvergenceUpdated IPR for the initial outcomes for Network Modernization and ConvergenceInitial outcomes for Network Modernization and ConvergenceFinal outcomes for Network Modernization and ConvergenceOBJECTIVE 3 - Unified CommunicationsVA will modernize our unified communication and collaboration portfolio to improve communications, enhance productivity, reduce costs, and integrate applications so that staff, contractors and veterans are able to interact to solve problems quickly and efficiently.The ECSB will conduct specialized assessments, analysis, design, and implementation and migration, to a cloud service. The recommended solutions will modernize communications to focus more on Veterans with scalability to extend services such as mobility to consolidate systems, eliminate duplication, standardize the systems, resulting in consistency in baseline configurations, training, and support contracts, which drive down recurring costs to more sustainable levels.The ECSB will assist the VA in driving modernization and efficiency and be expected to:Develop a strategy to scale voice services to an enterprise level where they can be offered to all VA facilities from a “cloud” environment to which all sites would subscribe.Establish a centralized and consolidated service offering with a “core” that would reside in robust, highly redundant?cloud data centers with vendor provided equipment. Extend unified voice communications to all VA premises and providing all required voice features and functions, including those for call centers. Develop and maintain a near real-time reporting interface for unified voice communications that support financial and technical decision making processes.Establish a Standard Profile (SP) for an enterprise contact center (ECC) architecture or voice components other than an approved standard for dialing using a 10 digit North American numbering plan.Provide planning and execution materials that offer capabilities to registered users various means of technology to communicate and collaborate with others, both inside and outside the agency through the use of cloud-based technologies as well as preserve communications were appropriate. Registered users (those with permanently assigned communications endpoints) shall have the capability for mobile communications. That is, a registered user shall have the capability to use multiple modalities to communicate through a single assigned phone-number or other identifying characteristic.Develop solutions that enable the selection most cost effective communications carriers, whether traditional or cloud-based carriers. Provide solutions that provide the capability to reuse current equipment where unified communication solutions have already been implemented.Identify mechanisms and solutions that provide all monitoring and management of the solution as well as timely means for expansion.Deliverables: Initial IPR for the initial operational processes for Unified CommunicationsUpdated IPR for the initial operational processes for Unified Communications Initial operational processes for Unified CommunicationsFinal operational processes for Unified CommunicationsInitial IPR for the initial outcomes for Unified CommunicationsUpdated IPR for the initial outcomes for Unified CommunicationsInitial outcomes for Unified CommunicationsFinal outcomes for Unified CommunicationsOBJECTIVE 4 - Data Center Consolidation & HostingVA seeks an Enterprise Cloud Services Broker (ECSB) to lead data center consolidation and overall reduction of VA owned and managed data center footprint through vendor managed cloud services. Where cloud services are not applicable, VA continues to principally reduce application, system, and database inventories to essential enterprise levels by increasing the use of virtualization. Leveraging cloud services and on premise, traditional virtualization, VA is committed to deriving efficiency through the pooling of storage, network and compute resources, and dynamic resource allocation on-demand. As of March 2, 2016, Office of Management and Budget (OMB) released a draft memorandum titled, ‘‘Data Center Optimization Initiative’’ (DCOI) that will supersede the 2010 Federal Data Center Consolidation Initiative (FDCCI) on the day it is published in the Federal Register on April 1, 2016.Both FDCCI and DCOI promote the use of Green IT by reducing the overall energy and real estate footprint of government data centers, reduce the cost of data center hardware, software and operations, increase the overall IT security posture of the Federal government, and shift IT investments to more efficient computing platforms and technologies.The December 2014 Federal Information Technology Acquisition Reform Act (FITARA), which enacts and builds upon the requirements of the FDCCI, requires that agencies submit annual reports that include: comprehensive data center inventories; multi-year strategies to consolidate and optimize data centers; performance metrics and a timeline for agency activities; and yearly calculations of investment and cost savings. The VA National Data Center Program (NDCP) was established as an organizational commitment to support these OMB mandates. This group has conducted extensive research and coordination of data center consolidation efforts to satisfy OMB requirements.Per Federal guidance, through aggressive utilization cloud hosting and the consolidation of data centers, VA will modernize our IT infrastructure to reduce cost, address material weaknesses, protect data and ensure availability of applications to our staff, contractors and veterans in alignment with Guidance.The ESCB will perform ongoing analysis of existing and future VA applications cloud hosting to provide VA recommendations on application hosting. The overarching VA objectives for data center consolidation are to:Maintain cross-agency goals for a highly available, scalable, and redundant data center infrastructure that will substantially reduce the Governments risk and provide for fiscally-responsible future IT growth. Optimize space and IT asset utilization and processing capacity to minimize environmental impacts and achieve cost savings through energy consumption reductions and economies of scale for purchasing and operational resources. Increase the IT security posture of VA enterprise IT systems through implementation of standardized processes and monitoring tools across all systems located in the consolidated and existing data centers. Provide automated and standardized security hardening of hardware and software platforms in accordance with NIST 800-53 and Federal Information Security Management Act (FISMA) guidelines to ensure the integrity and confidentiality of protected Veterans privacy and health records as required. Provide automated and standardized monitoring of IT systems for availability and performance to improve service levels across the agency. Ensure continuous IT system availability and performance through implementation of redundancy, load balancing, and disaster recovery measures. The ECSB shall be required to provide advisory services and solutions that will:Satisfy FITARA reporting requirements and DCOI information gathering mechanisms while expanding information to incorporate cloud hosting and relate all VA hosting to VASI.The ECSB shall replace manual collections and reporting of systems, software, and hardware inventory housed within data centers with automated monitoring, inventory, and management tools (e.g., data center infrastructure management). By the end of fiscal year 2018, agencies shall close at least 25% of tiered data centers government-wide, excluding those approved as inter-agency shared services provider data centers. Furthermore, agencies must close at least 60% of non-tiered data centers government-wide.ECSB shall track and report using DCOI mandated optimization metrics: Energy Metering (applies only to tiered data centers)PUE (applies only to tiered data centers)Virtualization (applies only to tiered data centers)Server Utilization & Automated Monitoring (applies to tiered and non-tiered data centers)Facility Utilization (applies only to tiered data centers)Inventory and Capacity Analysis and Collection of data centers including services provided and applications hosting beyond FDCCI/DCOI to include vendor hosting such as Exchange at the TIC, the Terremark apps, CRM at CenturyLink, etc.Identify current data center services that are candidates for cloud or consolidate solutions such as Productivity Suite & Collaboration Tools?(Email, Word Processing, Spreadsheet, File Storage, and Collaboration).Catalog, standardize, and consolidate data center and cloud hosting contracts.Standardize, catalog and centralize the consumption and deployment of cloud services in both process and technology. Develop a storefront for intake of development requests, create presentations, budget plans and projections, strategic roadmaps and project plans to provide recommendations to the VA Cloud Services Team for cloud service offerings to address new requests for services, modernize our current cloud service portfolio, and determine which non-cloud offerings are migrated to the cloud and integrated into the cloud services portfolio.Provide a method to transition and/or migrate legacy applications to enterprise cloud solutions.Perform ongoing analysis of existing and future VA applications cloud hosting to provide the VA Cloud Services Team recommendations on application hosting.Establish fundamental criteria for new applications that ensure compatibility with VA enterprise cloud solutions.Develop and implement solutions, procedures, communications and strategies that enforce cloud adoptions.Deliverables: For each Initial, Updated, and Final Plan:??Assessment and Identification:??Classification, locations, contracts and services and VA Services (Applications) provided?(include internal as reported to OMB, and External:??CenturyLink, Terremark, AT&T)Reporting MechanismCloud and Service Target RecommendationsMigration PlansClosure and Equipment Disposal (Full Shutdown of closed Hosting Spaces)Data Center Contracting requirements standards, SLA, creation of common compliance languageContract Consolidation Plan for facility lifecycleCoordination and Communication PlanCompliance Management PlanConsumer Management PlanSoftware Licensing PlanConstraints Costing/Financial Assumptions and Constraints:The VA delivers services agreed to within a budget. Service delivery level attainment focuses on the amount of work product, availability, or other service delivery unit delivered successfully in a given time period; business value focuses on the measurement of the attainment of the outcomes described in service provider objectives; process conformance focuses on the execution of the agreed to processes for delivering the service; and IT infrastructure focuses on the availability, threat, and event management of the IT infrastructure that supports the service delivery. The present constrained programming levels will force trade-offs which could be risk prohibitive. The identification of optimal program mixes within available resources (constraint) will create rebalancing within the VA. Risks to Veteran-facing initiatives could be unacceptable. New Veteran-facing program initiatives and activities must be absorbed within existing resources which could present unacceptable level of risk.OI&T's large fixed-cost and must-pay spend amounts critically limits OI&T's ability to adjust supply to meet demand and does not allow for OI&T customers to optimize their consumption of IT services. If this continues, the challenges of linking IT costs to business outcomes will remain elusive for cloud services without an ECSB. In this type of constrained environment, the drawback remains an inability to deliver a multi-year view of resource reallocation by reprioritization or combining; additionally, reprioritizing or combining is not comprehensive and cannot be linked to programmatic activities. The preferred alternative is to acquire and utilize an ECSB which maintains a clear link to IT investments. With rising customer expectations, increased requirements, constrained budgets, and growth of innovation in technologies, the resulting cost comparisons will form the financial basis of this BCA to inform leadership on whether or not to proceed with an ECSB strategy. Ultimately, the ECSB strategy that the VA will embark upon and implement to support the execution of our mission will be based upon and address the what, when, and how to move business capability and its transition to use of cloud services. An outstanding IT cloud service is guided by the performance and quality it delivers to end-users to include a comparison of service costs. In transitioning to an ECSB, costs may be higher as legacy and shared services are carefully consumed into an ECSB environment. In the out-years, cost savings are to accumulate. If all resources relating to transition and migration are identified early those costs savings would increase. In addition, the old environment must also continue to operate until successful cutover and decommissioning of the old environment is complete.For example, in May 2012, OMB released the Federal IT Shared Services Strategy to provide agencies with guidance for identifying and operating shared services for commodity, support, and mission IT functions. That strategy recommended a phased approach for implementing shared services, (e.g., “crawl-walk-run”) beginning with intra-agency commodity IT to allow agencies to gain proficiency, and then evolving to support and mission IT areas. The CIO Council noted that operating and transition costs may be higher than expected while benefits such as cost avoidance and cost savings may be lower. Non-costing/Non-financial Assumptions and Constraints: Interoperable infrastructure: Cloud services must support the entire VA Enterprise; therefore, internal users, mission partners, and Veterans must be provided a robust, agile, interoperable infrastructure that provides connectivity and computing capability to deliver integrated services to Veterans. The VA Enterprise scope is staggering. According to the Department of Veterans Affairs FY 2014 – 2020 Strategic Plan, Veteran services and benefits are to be provided through a nationwide network of 151 Medical Centers, 300 Vet Centers, 827 Community-based Outpatient Clinics (CBOC), 135 Community Living Centers, 6 Independent Outpatient Clinics, 103 Residential Rehabilitation Centers, 139 Integrated Disability Evaluation System (IDES) sites, 131 National and 88 State or Tribal Cemeteries, 56 Regional Offices, 6 Fiduciary Hubs, 3 Pension Management Centers, 1 Insurance Center, 84 Vet Success on Campus sites, 169 benefits services offices, 4 Regional Processing Offices (RPO), and 9 loan guaranty centers.VA Cloud Security Issues: Cloud services must address all of the numerous security constraints. There are multiple cloud security constraints that limit the analysis, possible solutions and/or expected outcomes of cloud services. They include:VA System Categorization (i.e. FISMA Level) - over categorization of VA data limits solution options and increases costs. Over categorization (i.e. FISMA Level) of VA systems impact the cost of deploying security controls limits cloud options VA Legacy System Re-Categorization – re-categorization of over-categorized legacy applications could increase options and reduce costsDefinition of “sensitive” information drives higher categorizationIG findings resulted in material weaknesses in regards to the lack of a formal VA cloud strategy and standardized implementation across the organizationLack of specific enterprise strategy and governance approachLack of policy for cloud implementation and strategyLack of formal interpretation and Procedures for cloud implementations not defined for VA needs, relies on government-wide publicationsCase by case solutions - General requirements interpreted on a case-by-case basis (instead of based on enterprise guidance) results in , so actual baseline requirements that can vary project-by-projectConflicting guidance Federal Guidance – There are significant conflicts between Department of Homeland Security (DHS), FedRAMP, Federal Cloud First Policy regarding implementation of DHS Trusted Internet Connection Reference Architecture 2.0 (TIC 2.0) that must be addressed.Sections 10.1 through 10.7 will be prepare in collaboration with the acquisition agency. [Access Control][Authentication][Personnel Security Clearances][Non-disclosure Agreements][Accessibility][Requirements for accessibility based on Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d) are determined to be relevant. Information about the Section 508 Electronic and Information Technology (EIT) Accessibility Standards may be obtained via the Web at the following URL: .][Sensitive and Embargoed Data, etc.][Data isolation requirements or hardware sharing restrictions.][Government owns all data and is to be exportable in a usable format upon termination.]Service Level Agreement This network solution shall meet the requirements of the applicable SLAs such as customer satisfaction, performance management, services migration, contractor staff clearances, etc. Table 1: Cloud Computing Service Level Agreements Roles and responsibilities1. Specify roles and responsibilities of all parties with respect to the SLA, at a minimum, include agency and cloud providers. 2. Define key terms, such as dates and performance. Performance measures 3. Define clear measures for performance by the contractor. Include which party is responsible for measuring performance. Examples of such measures would include ? Level of service (e.g., service availability—duration the service is to be available to the agency). ? Capacity and capability of cloud service (e.g., maximum number of users that can access the cloud at one time and ability of provider to expand services to more users). ? Response time (e.g., how quickly cloud service provider systems process a transaction entered by the customer, response time for responding to service outages). 4. Specify how and when the agency has access to its own data and networks. This includes how data and networks are to be managed and maintained throughout the duration of the SLA and transitioned back to the agency in case of exit/termination of service. 5. Specify the following service management requirements: ? How the cloud service provider will monitor performance and report results to the agency. ? When and how the agency, via an audit, is to confirm performance of the cloud service provider. 6. Provide for disaster recovery and continuity of operations planning and testing, including how and when the cloud service provider is to report such failures and outages to the agency. In addition, how the provider will remediate such situations and mitigate the risks of such problems recurring. 7. Describe any applicable exception criteria when the cloud provider’s performance measures do not apply (e.g., during scheduled maintenance or updates). Security 8. Specify metrics the cloud provider must meet in order to show it is meeting the agency’s security performance requirements for protecting data (e.g., clearly define who has access to the data and the protections in place to protect the agency’s data). 9. Specifies performance requirements and attributes defining how and when the cloud service provider is to notify the agency when security requirements are not being met (e.g., when there is a data breach). Consequences 10. Specify a range of enforceable consequences, such as penalties, for non-compliance with SLA performance measures. OMB and VA Policy and Guidance, to include OIG/OGC Concerns 11. Provide the CO, COR, VA Project Manager, and representatives of the agency's OIG, full and free access to the Contractor's (and Subcontractors') facilities, installations, operations documentation, databases, and personnel used for contract hosting services.??This access shall be provided to the extent required to carry out audits, inspections, investigations, or other reviews to ensure compliance with contractual requirements for IT and information security, and to safeguard against threats and hazards to the integrity, availability, and confidentiality of agency information in the possession or under the control of the Contractor (or Subcontractor).12. Fully cooperate with all audits, inspections, investigations, or other reviews conducted by or on behalf of the CO or the agency OIG as described in subparagraph (a).??Full cooperation includes, but is not limited to, prompt disclosure (per agency policy) to authorized requests of data, information, and records requested in connection with any audit, inspection, investigation, or review, making employees of the Contractor available for interview by auditors, inspectors, and investigators upon request, and providing prompt access (per agency policy) to Contractor facilities, systems, data and personnel to the extent the auditors, inspectors, and investigators reasonably believe necessary to complete the audit, inspection, investigation, or other review.??The Contractor's (and any Subcontractors') cooperation with audits, inspections, investigations, and reviews conducted under this clause will be provided at no additional cost to the Government.Measures of success (DRAFT)* High Usability – ability to meet business requirements of VA offices through a built-in capacity to accommodate new applications & COTS tools (e.g., unified communications (UC) & collaboration) without necessitating wholesale changes in infrastructure architecture or technology * High Availability – 24x7 user access to data and systems (as appropriate), providing higher productivity; secured and proactively monitored infrastructure governed by formal change and problem management leading to lower system downtime and the elimination of single points of failure * High Reliability – secured and proactively monitored infrastructure governed by formal change and problem management leading to lower system downtime * Maintainability – a standard, simplified technical architecture through a low number of configurations, standardization of the environment, release management, and re-alignment of technical capabilities with VA business functions * Security – ability to confirm with a high level of assurance that the VA infrastructure, information and assets are protected from malicious attack, corruption or destruction without the loss of confidentiality, availability or integrity. The contractor shall support all Federal Information Security Management Act (FISMA) ratings to include low, moderate and high.??? * Sustainability – technology refresh, on-going maintenance, and capacity planning driven by business requirements * Scalability – ability to increase capacity to meet changing requirements and mission objectives (this includes, but is not limited to monitoring, system administration, user support, and timely provisioning) * Maximum Flexibility and Agility – adaptive to new business requirements or surges without requiring wholesale technology changes * Portability – secure mobile computing and remote access to corporate data * High Efficiency – achieve high capability and service delivery at lowest cost practical * Easy Manageability – electronic executive dashboards, easily accessible performance reporting, streamlined invoicing, and benchmarking of performance and measurements References9GSA OGP will coordinate with OMB to define thresholds for what constitutes "significant" expansion within 60 days of publication of this memorandum.?10This requirement does not apply to GSA OGP designated inter-agency shared services data centers. ?11Federal Cloud Computing Strategy, February 8, 2011, M ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download