1

PERFORMANCE WORK STATEMENT (PWS)

FOR

INFORMATION

SYSTEMS SECURITY SUPPORT

SERVICES

ACC/A26

11 January 2019

2

1. DESCRIPTION OF SERVICES ………………………………………………………………..4

1.1 INTRODUCTION……………………………………………………………………..…………4 1.2 BACKGROUND…………………………………………………………………………………4 1.3 SCOPE………………………………………………………………………………..…………..6 1.4 PERIOD OF PERFORMANCE…………………………………………...……………………..7 1.5 GENERAL TASKS………………………………………………..……………………………..7

2. SPECIFIC TASKS………………………………………………………………………………..7

2.1 ADMINISTRATIVE SUPPORT………………………………………………..………………..7 2.2 CYBERSECURITY PROCESS IMPROVEMENT SUPPORT……………………………..…..8 2.3 SECURITY CONTROL ASSESSMENT SUPPORT…………………………….……………10 2.4 AUTHORIZATION SUPPORT…………………………………………………..…………….11 2.5 ENGINEERING SUPPORT…………………………………………………………………….15 2.6 INTEGRATED DEFENSE SECURITY OPERATIONS SUPPORT……….....……………….17 2.7 TASK SUMMARY………………………………………………………….………………….22 2.8 SERVICE SUMMARY (SS)………………………….……………………..………………….22

3. GOVERNMENT FURNISHED PROPERTY AND SERVICES…………………………….30

3.1 SERVICES……………………………………………………………………...……………….30 3.2 FACILITIES………………………………………………………...……....…………………..31 3.3 UTILITIES……………………………………………………………………….……………..31 3.4 EQUIPMENT…………………………………………………………………………..……….31 3.5 MATERIALS…………………………………………………………………..……………….31

4. GENERAL INFORMATION……………………………………..………………..…………..31

4.1 CONTRACTOR IDENTIFICATION IN THE GOVERNMENT WORKPLACE……………..31 4.2 INDUSTRIAL SECURITY………………………………………………………..……………31 4.3 PHYSICAL SECURITY………………………………………………………………………..32 4.4 PRIVACY ACT………………………………………………….……………………..……….32 4.5 PLACES OF PERFORMANCE…………………………………………………..…………….32 4.6 HOURS OF OPERATION……………………………………………………………….……..33 4.7 CONSERVATION OF UTILITIES……………………………………………..….…………..33 4.8 RECORDS…………………………………………………………………….……….………..34 4.9 CONTRACTOR MANPOWER REPORTING…………………………………………………34 4.10 DATA RIGHTS……………………………………………………………...………………….35 4.11 SAFETY REQUIREMENTS……………………………………………………..…….……….35 4.12 SPECIAL TRAINING, CERTIFICATONS AND QUALIFICATIONS…………...……..……36 4.13 LEVEL OF EFFORT ADJUSTMENT (OPERATIONS SURGE)……………….………….…37 4.14 QUALITY CONTROL…………………………………………………..……………..……….37 4.15 CONTRACTOR DISCREPANCY REPORT (CDR)………………………...………….……..38 4.16 QUALITY ASSURANCE………………………………………………………...…….………38 4.17 KICK-OFF MEETING, PERIODIC PROGRESS MEETINGS………………………...….…..38

3

4.18 PHASE-IN/PHASE-OUT PERIODS…………………………………………………..……….38 4.19 CONTRACTOR TRAVEL………………….…………………………………………….……39 4.20 DELIVERABLES………………………………………………………………………..……..40

APPENDIX A – ACRONYMS AND ABBREVIATIONS LIST…………………………………...……42 APPENDIX B – APPLICABLE PUBLICATIONS AND INSTRUCTIONS……………..…………..….45 APPENDIX C – HISTORICAL DATA: LEVEL OF EFFORT REQUIRED………..………………….47

4

1. DESCRIPTION OF SERVICES.

1.1 Introduction.

This is a non-personal services contract. The Government will neither supervise contractor employees nor control the method by which the contractor performs the required tasks. The contractor shall manage its employees and guard against any actions that are of the nature of personal services, or give the perception of personal services. The contractor shall notify the Contracting Officer (CO) immediately if they perceive any actions constitute personal services. These services shall not be used to perform any Inherently Governmental Functions.

1.2 Background.

1.2.1 This document is the Air Combat Command (ACC) Intel System Security Division ACC/A26 Information Systems Security Support Services Performance Work Statement (PWS). The ACC/A26 is a division under the ACC/A2 Intelligence Directorate. The performance work statement describes in detail the cybersecurity services required for Air Force Intelligence Surveillance Reconnaissance (AF ISR) systems operating in the Air Force Intelligence Community (AF IC). Working within the Risk Management Framework (RMF) construct, the services fall into two major categories: (1) Cybersecurity Improvement Initiatives, and (2) Cybersecurity Support Tasks. This document describes the work to be performed, work locations, qualification requirements, deliverables, documentation standards, performance schedules, and applicable special requirements. Unless specifically identified within this work statement as supplemental provisions, the sections, clauses, and provisions of the awarded Contract will apply. In the event of a conflict between this PWS and the overarching Contract, the Contract shall take precedence unless otherwise directed by the Contracting Officer (CO). All personnel shall be TS/SCI-cleared (Top Secret/Sensitive Compartmented Information); The Industrial Security requirements are described in paragraph 4.2.

1.2.2 This is a new cybersecurity requirement for ACC/A26. Unlike past cybersecurity contracts, the Information Systems Security Support (ISSS) Services contract is scoped to emphasize mission systems cybersecurity performance outcomes, not just directives compliance. The rationale for this approach was driven by: increased cybersecurity operations tempo, expanding ACC ISR mission requirements, the need for greater cybersecurity agility, and the need to introduce process improvement measures into the ever evolving cybersecurity mission. This expanded scope precludes the utilization of past business models primarily focused on directives compliance. A balanced holistic approach to meeting both the mission systems requirements and cybersecurity requirements are critical to ensuring effective mission outcomes. In addition to performing the required directives compliance tasks; incorporating cybersecurity process improvement, maturing the 365/24/7 integrated defense operations, and integrating innovative technologies are the key foundational elements needed to effectively accomplish the ACC/A26 cybersecurity mission.

5

1.2.3 Contractor services will include direct support to the 625 ACOMS. Their mission is to provide cyberspace planning and operations for AF JWICS, ISR Security, and HQ 25AF enterprise services to enable Air Force global missions. The 625 ACOMS also supports the AF IC RMF Security Controls Assessments, the AF IC Security Coordination Center (AF IC SCC), the AF IC Incident Response Center (AF IC IRC), and AF IC Security Engineering. The PWS will specify which tasks are in direct support of the 625 ACOMS. The remaining tasks will be in direct support of ACC/A26 or will overlap to support both the ACC/26 and 625 ACOMS.

1.2.4 Contractors are expected to fully understand and focus their efforts toward meeting the ACC/A26 cybersecurity mission and goals which include:

1.2.4.1 Shift security emphasis to mission system cybersecurity performance outcomes, not just directives compliance. Establish outcome- based feedback that measures the actual state of cybersecurity and its mission impact; again, not strictly compliance with directives.

1.2.4.2 Optimize the implementation of the RMF. Ensuring the necessary plans, processes, procedures, and security measures are in-place and executable for AF ISR weapon systems, networks, and ancillary systems to attain and maintain Authorization.

1.2.4.3 Provide efficient, consistent, and quality cybersecurity support services for the AF, the Combatant commands, mission partners, and the Intelligence Community (IC).

1.2.4.4 Effectively manage the three components of cybersecurity risk: (1) minimizing vulnerabilities to systems, (2) understanding the threat to those systems, and (3) minimizing the impact to operational missions.

1.2.4.5 Facilitate development of policy, process governance, and optimize organizational structure to improve mission assurance of weapon systems, networks, and ancillary systems throughout their life cycle in the face of advanced cyber threats.

1.2.4.6 Optimize processes for implementation of fundamental principles of sound cybersecurity management.

1.2.4.7 Execute effective risk management to reduce vulnerability to intelligence exploitation and offensive cyberspace attack.

1.2.4.8 Enhance the CIO Customer Strategy to manage interactions across key touch points that improve customer satisfaction and strengthen mission partnerships. All customer touch points will consider the voice of the customer and provide deliberate, consistent, and repeatable processes.

1.2.4.9 Improve cross-functional and cross organizational task identification, assignment, and tracking via process automation technologies that promote accountability, decision support, and performance reporting.

6

1.2.4.10 Promote the use of standard Customer Relationship Management (CRM) processes. This process will optimize customer support via the use of a “front door” concept for the user and self-service incident, problem, change, review, and service level management, as project management, marketing campaign management, and service request management. This process also includes business analytics tools for a common operational picture.

1.3 Scope.

Services shall include but are not limited to the following:

1.3.1 Proactively support the foundational pillars of this requirement, which are cybersecurity improvement initiatives and cybersecurity support. The majority of work will be based out of JBSA Lackland AFB, TX. Additional on-site support locations may include Langley AFB, Warner-Robins AFB, Tyndall AFB, and Davis-Monthan AFB. TDY support for both CONUS and OCONUS shall be supported. TDY duration is typically one week; however, the contractor shall also support longer duration TDY assignments. As the AF IC continues to evolve its cybersecurity mission, the level of effort and on-site support locations requested under this PWS may change; be it increased, reduced, or eliminated at the direction of the Government.

1.3.2 This PWS describes the support services required for ISR and Intelligence Community (IC) cybersecurity. Contractor support is paramount to meeting this mission and will be accomplished through innovation, continuous process improvement, and world-class support to AF IC and AF ISR users worldwide. This shall be accomplished by highly skilled, certified, and experienced contractors who evaluate, manage, operate, problem-solve, and actively maintain cybersecurity baselines, policies, and capabilities; all the while innovating and maturing processes and support capabilities. Key skill sets will be required at the 625 ACOMS and ACC/A26 to support the Government in accomplishing this mission.

1.3.3 The contractor shall adhere to all applicable Intelligence Community Directives (ICD), National Institute of Standards and Technology (NIST) publications, and Committee on National Security Systems (CNSS) policies and instructions. The cybersecurity Information Technology (IT) services described in this PWS describes the critical security services required in this fast paced continuously evolving environment.

1.3.4 The contractor shall support and understand cybersecurity requirements, process improvement and life cycle management processes, daily operations, and integration of existing legacy and future systems into: (1) current ACC/A2 related mission systems and initiatives, (2) the upcoming cloud environment, and (3) transition to IC ITE. Each position requires certification/education/experience levels based on the responsibilities assigned. Each role or function shall be covered 100% of the time for the duration of the contract. Roles shall be separated between locations, functions, certification requirements, and the organizational hierarchy.

7

1.4 Period of Performance.

1.4.1 The period of performance shall be for one (1) Base Year of 12-months and four (4) 12-month option years. An option for a 6-month extension of services shall also be include in the period of performance.

1.5 General Tasks

Contractor shall attend meetings, generate and present briefings and other requested documentation, and coordinate as applicable with external entities.

2. SPECIFIC TASKS.

2.1 Administrative Support.

2.1.1 Office Coordination and Administration: Each of the subsequent PWS sections will require administrative support for both ACC/A26 and 625 ACOMS. The contractor shall perform applicable administrative support tasks pertinent to each subsection. (A008) The contractor shall:

2.1.1.1 Complete meeting minutes as defined by the COR.

2.1.1.2 Create, maintain, and dispose of Government records and supporting documentation that are cited in this Performance Work Statement (PWS) or required by the provisions of a mandatory directive.

2.1.1.3 Make edits to existing Government documents, prepare briefings to update the Government on the status of actions and coordinate with all applicable project stakeholders to meet the goals and objectives of the assigned task.

2.1.1.4 Complete trip reports. For official assessments, the SCA will be permitted to use the mandatory Security Assessment Report (SAR) as the official trip report. The contractor shall submit weekly status updates through the contractor leads for consolidation into one (1) weekly activity report to be provided to the COR.

2.1.1.5 The contractor will request all required network accounts, PKI, and Xacta accounts within 5 working days of hire. The contractor shall comply with contractor-specific requirements outlined in AFMAN 17-1303, ‘Cybersecurity Workforce Improvement Program.’

2.1.1.6 During temporary duty assignments the contractor shall present a professional appearance.

2.1.1.7 The contractor shall monitor and coordinate with functional areas to update Government-approved versions of document revisions. Rewrite, make updates, and modify documents with Government approval. (All must be done within 30 working days from date assigned). (A001)

8

2.1.1.8 The contractor shall support the government equipment custodian (EC/ITEC) in fulfilling EC/ITEC duties.

2.1.2 Document Management: The contractor shall provide document management support for both ACC/A26 and 625 ACOMS consisting of the (1) AF IC CISO and support staff, and (2) Integrated Defense Security Operations Support team. Their function shall be to gather information from SMEs in the development of applicable documents and tasks.

2.1.2.1 The contractor shall prepare, edit, and maintain policy documentation; maintain schedules; maintain accountability of various tasks; develop and process records management; maintain the AF file plan; review and edit staff created documents prior to internal and external dissemination; facilitate and participate in AF IC-level cybersecurity policy discussions and working groups; research, develop, update, and distribute branch related communications; coordinate the publication and distribution of new and revised policies; maintain accurate records and historical changes of policies and procedures.

2.2 Cybersecurity Process Improvement Support.

2.2.1 Cybersecurity Process Improvement Roadmap (CPIR): The following support services shall be provided to ACC/A26. The contractor shall develop a cybersecurity process improvement roadmap (CPIR) with the Risk Management Framework (RMF) construct integrated into the CPIR. It should be noted that the roadmap is tantamount with technical solution development for each topic. The roadmap shall identify the challenges, resource shortfalls, and constraints in making the developed plan/solution implementable. The plan shall include but not be limited to the topics listed in this section. Workload priorities, scope, and timelines will be set by the government, with regularly scheduled technical exchanges and discussions between the government, contractor, and mission stakeholders. (A001) The contractor shall:

2.2.1.1 Define an optimize cybersecurity process for Major Weapon Systems (MWS), networks, and ancillary systems within the Air Force around desired outcomes, while remaining consistent with AF IC issuances, namely the RMF.

2.2.1.2 Define implementable efficiencies in the authorization to operate (ATO) issuance process.

2.2.1.3 Define realigned functional roles and responsibilities for cybersecurity risk assessment around a balance of system vulnerability, threat, and operational mission impact and empower the authorizing official to integrate and adjudicate among stakeholders.

2.2.1.4 Define an optimized process to assign authorizing officials a portfolio of systems and ensure that all systems comprehensively fall under the appropriate authorizing official throughout their life cycles.

2.2.1.5 Define a roadmap to adopt, within the Air Force, policy that encourages program offices to supplement the required security controls with more comprehensive cybersecurity measures, including sound system security engineering and interoperability.

9

2.2.1.6 Develop an implementation plan to foster innovation and adaptation in cybersecurity by decentralizing in any new AF IC policy how system security engineering is implemented within individual programs.

2.2.1.7 Define a process to reduce the overall complexity of the cybersecurity problem by explicitly assessing the cybersecurity risk/functional benefit trade-off for all interconnections of systems in cyberspace (thereby reducing the number of interconnections by reversing the default culture of connecting systems whenever possible).

2.2.1.8 Define a process identifying any shortfalls in the ability to create a group of experts in cybersecurity that can be matrixed as needed within the life- cycle community, making resources available to small programs and those in sustainment.

2.2.1.9 Develop an implementable plan to close feedback gaps and increase the visibility of cybersecurity by producing a regular, continuous assessment summarizing the state of cybersecurity for programs in the AF IC and holding program managers accountable for a response to issues.

2.2.1.10 Identify and recommend areas to cross-leverage knowledge to improve awareness among security entities.

2.2.1.11 Develop a process, criteria, and implementation plan to create cybersecurity red teams within the Air Force that are dedicated to acquisition/life- cycle management.

2.2.1.12 Develop a process plan to hold individuals accountable for infractions of cybersecurity policies.

2.2.1.13 Develop mission thread data to support program managers and authorizing officials in assessing acceptable risks to missions caused by cybersecurity deficiencies in systems and programs.

2.2.1.14 Develop a cybersecurity risk mitigation plan addressing the three risk components: (1) minimizing vulnerabilities to systems, (2) understanding the threat to those systems, and (3) minimizing the impact to operational missions.

2.2.1.15 Using the RMF construct, develop a security migration plan and processes to get us from legacy, new systems, and integration into the cloud environment.

2.2.1.16 Develop a process to establish an enterprise-directed prioritization for assessing and addressing cybersecurity issues in legacy systems.

2.2.1.17 Develop a continuous monitoring (CM) integration plan. After studying the current ACC/A2, 625 ACOMS, AF IC, and DoD processes, develop a plan that integrates current processes into an effective process-control loop for managing cybersecurity.

10

2.2.1.18 Develop 5-7-10 year security strategic plans taking into account operations, management, and technology integration variables. The contractor shall work with government leadership and SMEs. Make recommendations based on those strategic plans.

2.2.1.19 Develop a continuous process improvement process to meeting the PWS tasks.

2.3 Security Control Assessment Support.

2.3.1 Security Control Assessor (SCA): The following SCA support services shall be provided to the 625th ACOMS. The contractor, serving as the security control assessor (SCA), shall conduct testing and evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the assigned information system and organization. (A002) The contractor shall:

2.3.1.1 Demonstrate subject matter expertise with the RMF process and apply it to meet the government’s security needs.

2.3.1.2 Generate all required reports that will support sound risk decisions to be made by the Authorizing Official (AO) or Chief Information Security Officer (CISO). These reports shall include, but not be limited to: Security Assessment Report (SAR), and Cross Domain Solutions (CDS) rule sets.

2.3.1.3 Work with the government and provide subject matter expertise with the development of a cybersecurity process improvement roadmap (CPIR) initiative at the government’s direction – reference section 2.1.

2.3.1.4 Review the System Security Plan (SSP), prior to initiating the security control assessment and ensure the plan provides a set of security controls for the information system that meet the stated security requirements.

2.3.1.5 For each assessment, the contractor shall:

2.3.1.6 Advise the Information System Owner (ISO) concerning the impact values for confidentiality, integrity, and availability for the information on a system.

2.3.1.7 Evaluate threats and vulnerabilities to information systems to ascertain the need for additional safeguards.

2.3.1.8 Review and approve the information system security assessment plan, which is comprised of the SSP, the Security Controls Traceability Matrix (SCTM), and the Security Control Assessment Procedures.

2.3.1.9 Ensure Cross Domain Solutions (CDS) assessments include the review and validation of the message types authorized, the parsing of the data utilizing rule sets implemented within

11

the Cross Domain Solutions (CDS) application to validate authorized processing of data, and elimination of the possible spillage of classified information.

2.3.1.10 Ensure security control assessments are completed for each information system, controls are working as intended, and the controls protect the confidentiality, integrity and availability of IT resources at the appropriate levels.

2.3.1.11 Prepare the final Security Assessment Report (SAR) containing the results and findings from the assessment at the conclusion of each security control assessment activity.

2.3.1.12 Evaluate security control assessment documentation and provide written recommendations for security authorization to the AO. Assemble and submit the security authorization artifacts to the AO (consisting of, at a minimum, the SSP, the SAR, the Plan of Action and Milestones (POA&M), and a Risk Assessment Report (RAR).

2.3.1.13 Submit weekly status updates through the contractor leads for consolidation into one (1) weekly activity report to be provided to the COR and section lead for the functional area.

2.3.1.14 Provide detailed assessment findings using Government-specified processes and procedures.

2.3.1.15 Provide recommendations to remedy and mitigate security vulnerabilities and threats to ultimately improve the protection of IT resources and to execute the AF ISR mission.

2.3.1.16 Utilize assessment results to identify trends and improve processes, policies, and cybersecurity training.

2.4 Authorization Support.

2.4.1 Delegated Authorizing OFFICIAL (DAO) SUPPORT: The following DAO support services shall be provided to appointed DAOs. The contractor shall provide analytical and documentation support to the AF IC CISO SMEs in AF IC Risk Management. The contractor shall perform the day-to-day duties in support of the Delegated Authorizing Officials (DAOs) supporting AF IC systems and services. (A003) These duties shall include:  

2.4.1.1 Drafting and tracking Security Impact Analyses (SIAs) used in support of Continuous Monitoring.

2.4.1.2 Coordinating Discovery Meetings and ensuring updated Discovery Meeting checklists are uploaded into the A&A Workflow tool.

2.4.1.3 Drafting Interim Authorizations to Test (IATTs) and Authorizations to Operate (ATOs).

2.4.1.4 Upload the IATTs and ATOs into the workflow tool once finalized.

2.4.1.5 Provide workflow tool support to site personnel.

12

2.4.1.6 Analyze RMF workflow tasks prior to Assessment to ensure all processes are filled out as required.

2.4.1.7 Support Federal Information Security Management Act (FISMA) compliance reporting and ensure ATO dates in the workflow tool match the dates in the official ATO memorandum for records (MFRs).

2.4.1.8 Include the review of vulnerability scans and corresponding non-mitigation worksheet (this supports Continuous Monitoring requirements).

2.4.1.9 Review of software, hardware, and PPS (ports, protocols, and services) against Approved Products List (APL), Evaluated Products List (EPL), Certificates to Field, and DISA CAL.

2.4.1.10 The contractor shall evaluate software requirements as directed by the DAO. This task shall include but not be limited to: (1) interfacing with the customer to ensure information submitted is complete and make corrections as needed, (2) conduct research related to the software and the requirement, (3) interface with SMEs responsible for performing software security analysis as described in paragraph 2.4.2.

2.4.2 Software Security Analysis and Database Support: The following support services shall be provided to the 625th ACOMS and ACC/A26. The contractor shall generate queries utilizing the Open Database Connectivity (ODBC) interface on the AF IC Xacta. The contractor shall perform software security analysis, testing, and review.

2.4.2.1 The contractor shall conduct software security analysis, testing, and review to include software source, commercial-off-the-shelf (COTS) compatibility, original equipment manufacturer (OEM) source, source code availability and impact to system security, integration and operations. (A003)

2.4.2.2 The contractor shall create queries that comply with AF IC metrics requirements and customer timelines - file formats shall include but not be limited to XML, TXT, XLS, or websites. (A003)

2.4.2.3 The customer shall serve as the SME in the AF IC Xacta database schema. (A003)

2.4.3 Cybersecurity Program Management (CPM): The following CPM support services shall be provided to the ACC/A26. The contractor shall perform Cybersecurity support services to assist AF IC Cybersecurity Program Managers and Information System Security Officers/Managers (ISSO/ISSMs). The Contractor shall assist in maintaining an effective cybersecurity program that supports missions and adequately protects the confidentiality, integrity and availability of our AF IC information resources. (A003) The contractor shall:

2.4.3.1 Have a proficient working level knowledge of the AF IC workflow template and the Xacta IA Manager on day one of contract award.

2.4.3.2 Gather data, analyze compliance and report results on the condition and progress of AF IC Cybersecurity programs, security plans, Risk Assessment Reports (RARs), plan of action

13

and milestones (POA&Ms), accreditation and authorization (A&A) workflow tools data, patch management, information assurance vulnerability alerts (IAVA), DoD Directive 8140 (8570) certifications FISMA compliance requirements, and ATOs.

2.4.3.3 Conduct trend analysis on the security tools, perform root cause analysis on compliance and non-compliance, and offer recommended fix actions as required.

2.4.3.4 Interact with Unit ISSOs/ISSMs and commanders to provide cybersecurity guidance, complete cybersecurity assessment reports and provide solutions to commanders on how to improve their cybersecurity programs.

2.4.3.5 Support the Cybersecurity trainers with updated information and materials for their area of responsibility for compliance with USAF, DoD, IC and other national agency standards.

2.4.4 Governance and Management (GM) Support: The following GM support services shall be provided to the ACC/A26 and 625 ACOMS. The contractor shall provide GM support to the Integrated Defense Security Operations team and AF IC level CISO; specifically in the areas of: (a) plans and policies, (b) cybersecurity training, and (c) content management and development.

2.4.4.1 Plans and Policies: The contractor shall research, analyze, develop and provide well defined plans, policies, agreements and procedures applicable to IC and AF cybersecurity mandates and security control requirements. (A004) The contractor shall:

2.4.4.1.1 Conduct in-depth policy analysis at the Federal, DoD, ODNI, USAF, AF IC, PMO, and site levels.

2.4.4.1.2 Focus on policy development, security controls compliance policies, and update AF IC existing policies and plans as needed.

2.4.4.1.3 Coordinate with and solicit SME support as required.

2.4.4.1.4 Create a policy development process and submit it to the government for approval. Once approved, the contractor shall comply with said process. The process shall include, but not be limited to the following:

2.4.4.1.4.1 Receive request from the government.

2.4.4.1.4.2 Conduct research. Utilize all relevant resources such as existing policies, standards, instructions, directives, mission related standard operating procedures (SOP), NIST documentation, mission partners, and SMEs.

2.4.4.1.4.3 Develop draft document, citing all relevant resources, and submit to government requestor for initial review.

2.4.4.1.4.4 Coordinate and setup meeting or telecom with key stakeholders to review and solicit inputs.

14

2.4.4.1.4.5 Prepare final document. Incorporate applicable inputs, format per appropriate standards.

2.4.4.1.4.6 Submit final copy to government for approval and upload for AF and IC member access.

2.4.4.1.4.7 Provide any follow-on support to policy as required: receive any questions from customers, coordinate with SME, develop response, and submit response to customers.

2.4.4.1.4.8 Professionally interact with managers and site personnel and present oral and written process solutions.

2.4.4.1.4.9 Research, develop, review, edit, comment, analyze documents and recommend corrections and changes. Provide improvement recommendations when in regards to technologies, or processes used under this role or function supporting the organizational missions; to include lessons learned.

2.4.4.2 Cybersecurity Training: The contractor shall conduct technical and managerial level training on information system security, security tools and A&A workflow tools. Cybersecurity exercise development shall be performed in support of Integrated Defense Security Operations function (reference para 2.6). (A005)

2.4.4.2.1 The contractor shall develop additional technical and managerial cybersecurity training plans, guides, materials and curriculum to enable compliance with USAF, DoD, IC and other national agency standards.

2.4.4.2.2 This training shall familiarize AF IC IT security professionals with the applicable IT security tools, policies and procedures required to protect resources and meet standards.

2.4.4.2.3 Cybersecurity Exercise Development: Operating procedures shall be developed in coordination and review by government Integrated Defense Security Operations teams (ref para 2.6).

2.4.4.2.4 The contractor shall coordinate with appropriate contractor SMEs to provide exercise development recommendations that include test plans and procedures to ensure results support the required objectives and capabilities. (A005)

2.4.4.2.5 Training critiques shall be used to assess the instructor performance and update training materials.

2.4.4.3 Content Management and Development: The contractor shall expertly manage and maintain the AF IC cybersecurity collaborative environments for successful day-to-day business operations on networks at the UNCLASSIFIED, SECRET and TOP SECRET security levels. The contractor shall:

15

2.4.4.3.1 Maintain SharePoint and websites allowing customer access to needed cybersecurity information. The customers will include, but not be limited to the AF IC CISO, AO and their SMEs, and general customers.

2.4.4.3.2 Implement high quality, scalable, and extendable SharePoint solutions using the .NET Framework, ASP.net, SharePoint (currently using version 2013) and other advanced components of Microsoft technology.

2.4.4.3.3 Publish databases to SharePoint and develop custom forms. Expert knowledge of hypertext markup language (HTML) and JavaScript are required to create custom web parts.

2.4.4.3.4 Utilize Microsoft SharePoint Designer to customize sites and create custom workflows. The contractor shall have a solid grasp of the permissions hierarchy of the SharePoint application. The contractor shall transform customer requirements into viable SharePoint-involved solutions.

2.4.4.3.5 Address possible solutions and timeframes for completion with the customer for each tasking. Once the solution is implemented, access to the site, library, or object shall be controlled through permissions provided by the particular Government SME.

2.4.4.3.6 Test all content management solutions followed by the end user before being deployed to production.

2.4.4.3.7 Field all SharePoint-related questions concerning the sites they manage including requests for site access.

2.5 Engineering Support.

2.5.1 Cybersecurity Engineering: The following cybersecurity engineering support services shall be provided to the ACC/A26 and 625 ACOMS. The contractor shall serve as the cybersecurity engineer and provide the Government SME with recommendations and solutions for implementing AF IC cybersecurity programs, ISR systems, Integrated Defense Security Operations capabilities, and AF IC RMF implementation. (A006) The contractor shall:

2.5.1.1 Use the RMF methodology to successfully implement applicable information technologies, which shall effectively protect the element's information assets and its ability to perform its mission.

2.5.1.2 Provide program reviews, schedules, action item updates and required procedures by established deadlines.

2.5.1.3 Coordinate with the plans and policies POC, and conduct timely and in-depth research for policies and processes applicable to security engineering.

2.5.1.4 Apply IT security control requirements to address the level of security required to protect the confidentiality, integrity and availability of system data and resources. Solutions shall be compatible with system or network hardware and software configurations and shall be

16

approved by the configuration managers of the system and network. Recommendations shall include test plans and procedures to ensure results support the required objectives and capabilities.

2.5.1.5 The contractor shall perform scans of systems and architectures using AF IC -approved scanning tools during the security test and evaluation (ST&E) event. The contractor shall construct and provide ST&E reports that contain the scans, Security Technical Implementation Guide (STIG) application with issues and recommendations for delivery prior to the assessment event.

2.5.1.6 Execute all applicable Supply Chain Risk Management (SCRM) policy and procedure and create reports for all new additions of system hardware and software to determine the source from the OEM through the end supplier to ensure SCRM is followed per policy and guidelines.

2.5.1.7 Participate in meetings and program reviews and support the implementation of ISR initiatives, goals and objectives; providing reports, plans, and procedures as required.

2.5.1.8 Provide the AF IC CISO with the technical costs of protective measures so they may be weighed against requirements for mission accomplishment.

2.5.1.9 Make edits to existing Government documents, prepare briefings as required to update the Government on the status of actions and coordinate with all project members to meet the goals and objectives of the assigned task. If required to implement a cybersecurity initiative, the PM shall complete the A&A documents required to obtain an ATO.

2.5.1.10 When applicable, complete POA&Ms for the project to address security vulnerabilities.

2.5.2 Assessment Support Engineering: The following cybersecurity engineering support services shall be provided to the ACC/A26 and 625 ACOMS. The contractor shall provide support to the DAOs and SCAs by performing the tasks in section 2.5.1 and this section. (A006) The contractor shall:

2.5.2.1 Provide technical assistance to the SCA during the POA&Ms development phase of the project.

2.5.2.2 Perform applicable Assessment Engineer review and approval tasks within the A&A workflow tool.

2.5.2.3 Review Security Impact Analysis (SIA) submissions and provide recommendations to DAOs as part of the continuous monitoring stage of the RMF.

2.5.2.4 Perform technical analysis of all assessment and authorization documentation to ensure validity and accuracy as it relates to the development and operational implementation of AF IC and ISR systems and networks.

17

2.5.2.5 Review and provide cybersecurity recommendation to AO/DAO as it relates to security impact analysis of AF IC and ISR systems and networks.

2.5.2.6 Analyze and provide cybersecurity recommendations for information protection throughout the development and acquisition lifecycle as it relates to AF IC and ISR systems and networks.

2.5.2.7 Assess the security risk, research and recommend security best practices in accordance with AF IC policy and guidance.

2.5.2.8 Analyze ports, protocol, and services to ensure compliance with DoD and AF IC policy and guidance.

2.5.3 Integrated Defense Engineering: The following cybersecurity engineering support services shall be provided to the ACC/A26 and 625 ACOMS. The contractor shall serve as the cybersecurity engineer and provide the Government SME with recommendations and solutions as related to Integrated Defense Security Operations programs and projects. (A006) The contractor shall:

2.5.3.1 Have expert knowledge of professional security engineering concepts, principles, practices, standards, methods, techniques, and procedures; and ability to implement enterprise level security standards and execute sound techniques to solve complex interrelated problems.

2.5.3.2 Have a high degree of skill in applying analytical and evaluative techniques to identify, investigate, and resolve complex engineering issues or problems as they relate to security.

2.5.3.3 Have in-depth knowledge of agency, AF, DoD and national-level doctrine, regulations, policies, guidelines, requirements, and initiatives related to assigned programs and projects.

2.6 Integrated Defense Security Operations Support.

The following cybersecurity engineering support services shall be provided to the 625 ACOMS. The contractor shall provide support services to the AF IC SCC and AF IC IRC which fall under the umbrella of the Air Force Intelligence Community Information Environment (AF IC IE). Note that the AF JWICS is part of the AF IC IE. The contractor shall fulfill all requirements levied upon the AF IC SCC, AF IC IRC and associated elements by Defense Information Agency, 625 ACOMS, and other authoritative DoD elements to meet all reporting, coordination, process development, improvement and other mandated actions that support their enterprise functions. Services shall include: exercise planning (see also para 2.4), continuous network monitoring, intrusion detection, intrusion prevention, continuous improvement recommendations, and incident response services for the network, systems, applications, and infrastructure.

18

2.6.1 AF IC SECURITY COORDINATION CENTER (AF IC SCC): The contractor shall provide support to the AF IC SCC. (A007) The contractor shall:

2.6.1.1 Manage command and control (C2) services to the AF IC CISO and the Risk Executive Function (REF) and appointed Government SMEs for situational awareness, analysis and reporting on the integrated defense risk for SCI and ISR resources to ODNI, AF/A2 and AF/A6.

2.6.1.2 Provide 24/7 365 coverage. Coverage period shall be able to support 24/7 shifts in accordance with (IAW) duties and responsibility commensurate with Federal, DoD, and Air Force security policies and measures as defined by the government. The contractor shall adjust coverage as needed to account for future surges or world event driven circumstances.

2.6.1.3 Provide services that include research, development and release of AF IC Task Orders (TASKORDS) and notifications to the AF IC. The contractor shall comply with coordination processes and approvals, formats and reporting requirements as defined by the Government.

2.6.1.4 Develop and provide on-the-job training to Government, contractor and military personnel on various IT security tools, policies and procedures required to protect resources and meet standards. This is not formal training, but informal office training.

2.6.1.5 Exercise Planning: Plan, organize, manage, and coordinate the AF IC participation in cybersecurity exercises to include both IC and national-level exercises as per ODNI Concept of Operations for the Integrated Defense Security Operations of the IC Information Environment. The contractor shall provide informal training (e.g. exercise roles and responsibilities) to AF IC participants as necessary and provide status reports to include but not limited to an after action report.

2.6.1.6 Make edits to existing Government documents, prepare briefings to update the Government on the status of actions and coordinate with all project members to meet the goals and objectives of the assigned task. Provide approved situational reports to the AF IC CISO, A2 and ODNI.

2.6.1.7 Develop standard operating procedures (SOPs) and provide training on existing and new technologies to government personnel. Provide subject matter expertise necessary to drive documentation and requirements to include but not limited to AF IC SCC SOPs, workflows, appropriate process aids and frameworks, and their interdependencies to support customer’s current and future security technology implementation and sustainment.

2.6.1.8 Respond to and process task orders (TASKORDS) as directed by the 625 ACOMS.

2.6.1.9 Provide inputs for the development of Concepts of Operation, Implementation plans, and Special Instructions for various AF IC projects.

19

2.6.1.10 Support AF IC IE vulnerability management report compliance to DIA as defined by the Government.

2.6.1.11 Provide feasibility studies, quick turnaround systems analysis, and independent evaluations of contractor proposals and emerging technologies and concepts. Coordinate and report with/to applicable AF IC cyber elements as necessary for the improvement of confidentiality, integrity, and availability of related cyber and ISR capabilities. (A002)

2.6.2 AF IC INCIDENT RESPONSE CENTER (AF IC IRC): The contractor shall provide 24/7 365 services to support integrated defense security operations functions. These services include: Incident Response Infrastructure Support (IRIS), continuous network monitoring, intrusion detection and incident response services for systems within the scope of authority of the AF IC CIO, AF IC AO and AF IC CISO. (A007) The contractor shall:

2.6.2.1 Provide 24/7 365 support to monitor, protect, and maintain situational awareness of the Enterprise.

2.6.2.2 Apply the appropriate techniques and skills to protect the AF IC IE domain by containing and eradicating incidents based on the processes outlined in the current CJCSM 6510, Cyber Incident Handling Program (dated 10 July 2012 or later).

2.6.2.3 Document, track, and report incidents from initial detection through resolution using standard AF IC IE incident reporting channels and methods (IAW the CONOPS for Integrated Defense Security Operations for AF IC IE and the current CJCSM 6510.01B, Cyber Incident Handling Program (dated 10 Jul 2012 or later).

2.6.2.4 Collect and analyze network intrusion data from a variety of sources to include but not be limited to logs, system images, and packet captures to enable mitigation of network incidents within the AF IC to include AF JWICS.

2.6.2.5 Perform incident triage to determine scope, urgency, and potential operational impact by identifying the specific vulnerability and making recommendations, which enable rapid remediation or mitigation at the AF JWICS and AF IC level.

2.6.2.6 Upon resolution of network incidents, create custom signatures or correlation rules to detect future incidents as well as make AF IC IE protection recommendations to enhance resistance to future attack.

2.6.2.7 Serve as technical experts and liaisons to external incident response personnel and brief incident details as necessary.

2.6.2.8 Provide AF IC-wide incident handling support such as forensics collections, intrusion correlation tracking, threat analysis, and direct system remediation tasks to appropriate personnel.

2.6.2.9 Develop and publish incident response guidance and high quality incident reports to appropriate audiences.

20

2.6.2.10 Develop standard operating procedures (SOPs) and workflows integrating applicable new technologies. Provide training on current and new technologies to government personnel to service support. This is informal office training. Complete SCC/IRC mission qualification training; plan to establish and maintain proficiencies; provide testing results to 625 ACOMS. (A003) (A006)

2.6.2.11 Perform heuristic analysis on event data to discover subtle patterns, low-and-slow attacks, and advanced persistent threats: analyze and respond to real-time and near real-time security events. Perform real-time alerting and problem resolution.

2.6.2.12 Perform high-performance interactive searches.

2.6.2.13 Provide comprehensive drill-down reports and incident handling capabilities.

2.6.2.14 Prioritize remediation efforts using reliable threat intelligence.

2.6.2.15 Monitor and protect the security of the AF Intelligence Enterprise from internal and external computer network defense threats.

2.6.2.16 Support Enterprise vulnerability management programs and report events to the appropriate program manager for processing as defined by the Government.

2.6.2.17 Process and release task orders (TASKORDS) as directed by the 625 ACOMS Government Lead.

2.6.2.18 Provide input to vulnerability management policies and procedures as required by the Government. Provide input needed to posture the AF IC IRC to meet current and future security needs arising from leadership strategic vision/vector and environmental constraints.

2.6.2.19 Make all required edits to existing Government documents, prepare briefings to update the Government on the status of actions and coordinate with all other members to meet the goals and objectives of the assigned task.

2.6.2.20 Review and edit documents and recommend corrections and changes to existing Government documents.

2.6.2.21 Provide AF IC SCC situational reports as approved by the AF IC CISO to ODNI and A2.

2.6.2.22 Utilize computer network defense (CND) and Security Information and Event Management capabilities and mapping, and host based systems to correlate and analyze events, respond to anomalous activities on AF IC IE network and information resources, and defend the networks from threats.

2.6.2.23 Evaluate the security posture of infrastructure to include but not be limited to firewalls, intrusion detection system (IDS), network intrusion detection/prevention system (NIDS/NIPS), routers, crypto equipment, and switches.

21

2.6.2.24 Provide comprehensive drill-down vulnerability analysis reports. (A002)

2.6.2.25 Document network security procedures: prepare status reports, maintain status reports, and brief the information to inform leadership.

2.6.2.26 When directed by the Government Lead, mitigate/remediate system vulnerabilities and report compliance status to applicable personnel. Also ensure appropriate notifications and mission impact assessments are accomplished.

2.6.2.27 Create/execute security related scripting and perform performance assessments.

2.6.2.28 Provide technical support in the evaluation, testing, installation, and integration of AF IC ITE CND software and hardware capabilities.

2.6.2.29 Remain abreast of the IC IE in order to integrate network information systems security with other security disciplines.

2.6.2.30 Maintain a thorough understanding of NIST Risk Management Framework (RMF) processes to certify systems or network accreditation.

2.6.2.31 Respond to, draft, and process task orders (TASKORDS) as directed by the 625 ACOMS Government Lead. Send TASKORDS to the AF IC SCC for release.

2.6.2.32 Provide input to vulnerability management policies and procedures.

2.6.2.33 Develop documentation that describes AF JWICS CND cyber security posture, techniques, and procedures.

2.6.2.34 Correlate, analyze, and report audit results. Process, format, filter, and share the auditable event data with incident responders.

2.6.2.35 Implement modifications to the Intelligence Community Information Technology Enterprise (IC ITE) to generate, collect, share, store and retain audit data.

2.6.2.36 Provide recommendations to modify and enhance existing CND capabilities to augment and complement AF IC SCC CND program. Implement approved modifications to CND systems. Implement the Enterprise Audit Conceptual Framework as defined by ICS 500-27.

2.6.2.37 Perform CND system health checks IAW operational guidance and policy.

2.6.2.38 The contractor shall prepare and present briefings as subject matter expert as required.

22

2.7 Task Summary.

The figure below summarizes the tasks described in sections 2.1-2.6 by showing functional requirements for ACC/A2 and 625th ACOMS. This is not a manning matrix.

TABLE 2.7.1 TASK SUMMARY TABLE

 

2.8 SERVICES SUMMARY (SS)

The contract service requirements are summarized in performance objectives that relate directly to mission essential items. The performance threshold briefly describes the minimally acceptable levels of service required for each requirement. The Services Summary (SS) provides information on contract requirements and the expected level of contractor performance to be

PWS Para 

No.          DESCRIPTION ACC/A26 625 ACOMS

2.1 ADMINISTRATIVE SUPPORT                                        

2.1.1 Office Coordination and Administration X X

2.1.2 Document Manager X

2.2 CYBERSECURITY PROCESS IMPROVEMENT SUPPORT             

2.2.1 Process Improvement Development and Engineering X

2.3 SECURITY CONTROLS ASSESSMENT (SCA) SUPPORT                 

2.3.1 Security Control Assessor   X

2.4 AUTHORIZATION SUPPORT                                     

2.4.1 Designated Authorizing Official (DAO) Support  X  

2.4.2 DAO Software Security Analysis and Database Support X X

2.4.3 Cybersecurity Program Manager (CPM)  X  

2.4.4 Governance and Management (GM) Support:      

2.4.4.1      Plans and Policies X X

2.4.4.2      Cybersecurity Training X X

         Cybersecurity  Exercise Development   (for Integrated Defens   X

2.4.4.3      Content Mgmnt and Development X  

2.5 ENGINEERING SUPPORT                                             

2.5.1 Security Engineering   X X

2.5.2 Assessment Support Engineering   X X

2.5.3 Integrated Defense Engineering X X

2.5.3 Security Integration Engineering   X

2.5.3 Senior Security Developer   X

2.6 INTEGRATED DEFENSE SECURITY OPERATIONS SUPPORT                            

2.6.1 AF IC Security Control Center (AF IC SCC)    X

2.6.2 AF IC Incident Response Center (AF IC IRC)  X

23

successful. These thresholds are critical to mission success. Procedures as set forth in the applicable Inspection clause in the contract will be used to remedy all deficiencies. The Government retains the right to inspect any item included in the contract.

Performance Objective PWS PARA

Performance Threshold

SS #1 - Provide Administrative Support:

1. Reports and Document Management

2.1 1. Status Reports: The contractor shall submit status reports weekly. The reports shall include but not be limited to: (1) current status of given subject matter, (2) trending analysis/data, (3) programmatic data; cost-schedule-performance. No more than one re-submission based on government comments.

2. Technical Reports: The contractor shall submit technical reports NLT 10 working days after assignment by COR or government POC. The reports shall include but not be limited to: (1) technical solution, (2) bullet background paper (BBP), (3) technical white paper. No more than one re-submission based on government comments.

3. Trip Reports: The contractor shall submit a trip report NLT 5 working days after return from TDY. The trip report shall include but not be limited to: (1) location, duration of trip, (2) purpose, (3) recommendations, way-ahead, and follow-on actions required. No more than one re-submission based on government comments.

24

Performance Objective PWS PARA

Performance Threshold

SS #2 - Provide Cybersecurity Process Improvement Roadmap and Technical Solutions (CPIR/TS)

2.2 1. Plan of Action (POA): The contractor shall submit a POA NLT 14-days after the initial contract kick-off meeting. The POA shall include but not be limited to: (1) contractors approach and methodology to solution development for each of the topics listed in section 2.2, (2) contractors approach to setting the scope for each topic (accounting for parameters such as priority, timeline, short-term, long-term impact, etc). The scope and priority may be adjusted at the government’s discretion, (3) programmatic data; cost-schedule-performance. No more than one re-submission based on government comments.

2. CPIR/TS Topics: The contractor shall submit individual topic reports. Due to the varying scope, required level of effort, and complexity, the due dates will be based on feedback from the COR and Government POCs during the POA discussion. The reports shall be technically substantive and presentable to AF and AF IC leadership. No more than one re-submission based on government comments.

25

Performance Objective PWS PARA

Performance Threshold

SS # 3 - Provide Security Control Assessor (SCA) Support

2.3 1. Accreditation Documentation and Security Authorization Artifacts: The contractor shall provide quality documentation and artifacts NLT 10 working days after completion of system accreditation. The documentation shall include but not be limited to:

SSP System Security Plan SAR Security Authorization Report CDS Cross Domain Solution [rule set] SCTM Security Controls Traceability Matrix RAR Risk Assessment Report POA&M Plan of Action & Milestone WSR Weekly Status Report No more than one re-submission based on government comments.

2. Technical Recommendations: The contractor shall submit technical reports NLT 5 working days after assignment by COR or government POC. The reports shall include but not be limited to: (1) security impact values to information system owners regarding confidentiality, integrity, and availability (CIA), (2) security documentation supporting AO and CISO risk decision. No more than one re-submission based on government comments.

26

SS #4 – Provide Authorization Support

2.4 1. DAO Support [2.4.1]: The contractor shall provide day-to-day support, producing DAO support documentation and artifacts NLT 5 working days after notification by DAO, sooner if dictated by mission need. The documentation shall include but not be limited to:

SIA Security Impact Analysis IATT Interim Authorization to Test ATO Authorization to Operate MFR Memorandum for Record A&A Assessment and Authorization workflow RMF Risk Management Framework workflow Vulnerability scan reports evaluation. Set-up and document Discovery Meetings. PPS (ports, protocols, services) evaluation. Software (SW) requirements evaluation. No more than one re-submission based on government comments.

2. SW Security Analysis Support [2.4.2]: The contractor shall submit technical analysis reports NLT 5 working days after assignment by COR or government POC. The reports shall include but not be limited to: (1) SW security analysis, (2) test procedures (3) impact to system security, integration, and operations. No more than one re-submission based on government comments.

3. Cybersecurity Program Management (CPM) [2.4.3]: The contractor shall coordinate and interface with: ISSO/Ms, (cont’d on next page)

27

Performance Objective PWS PARA

Performance Threshold

SS #4 – Provide Authorization Support (cont’d)

2.4 (cont’d) (continuation) AF IC CPMs, DAOs, SCAs, and other cybersecurity stakeholders in fulfillment of CPM duties. The contractor shall submit technical analysis reports NLT 10 working days after assignment by COR or government POC. The reports shall include but not be limited to: (1) cybersecurity trend analysis, (2) compliance reporting, (3) cybersecurity guidance. No more than one re-submission based on government comments.

4. Plans and Policies [2.4.4.1]: The contractor shall submit cybersecurity plans and policies in accordance with paragraph 2.4.4.1 NLT 10 working days after assignment by COR or government POC. No more than one re-submission based on government comments.

5. Cybersecurity Training [2.4.4.2] and Exercise Development [2.4.4.3]: The contractor shall fulfill the cybersecurity training and exercise development requirement in accordance with paragraph 2.4.4.2 and 2.4.4.3. Training and exercise plans shall be submitted NLT 10 working days after assignment by COR or government POC. No more than one re-submission based on government comments.

28

Performance Objective PWS PARA

Performance Threshold

SS #4 – Provide Authorization Support (cont’d)

2.4 (cont’d) 6. Content Management and Development [2.4.4.4]: The contractor shall fulfill the cybersecurity content management and development requirement in accordance with paragraph 2.4.4.4. As part of the management responsibilities, the contractor shall submit a content management and development process/plan NLT 14 working days after the initial kick-off meeting. After government review and approval, the contractor shall execute the tasks in paragraph 2.4.4.4 in accordance to the plan. No more than one re-submission based on government comments.

SS #5 – Engineering Support 2.5 1. Cybersecurity Engineering [2.5.1]: The contractor shall fulfill the cybersecurity engineering requirement in accordance with paragraph 2.5.1. Technical solutions, reports, reviews, and documentation shall be submitted NLT 5 working days after assignment by COR or government POC. No more than one re-submission based on government comments.

2. Assessment Support Engineering [2.5.2]: The contractor shall fulfill the cybersecurity engineering requirement in accordance with paragraph 2.5.2. Technical solutions, reports, reviews, and documentation shall be submitted NLT 5 working days after assignment by COR or government POC. No more than one re-submission based on government comments.

29

Performance Objective PWS PARA

Performance Threshold

SS #5 – Engineering Support (continuation)

2.5 (cont’d) 3. Integrated Defense Engineering [2.5.3]: The contractor shall fulfill the cybersecurity engineering requirement in accordance with paragraph 2.5.3. Technical solutions, reports, reviews, and documentation shall be submitted NLT 5 working days after assignment by COR or government POC. No more than one re-submission based on government comments.

SS # 6 – Integrated Defense Security Operations Support

2.6 1. AF IC SCC [2.6.1]: The contractor shall fulfill the AF IC SCC support requirement in accordance with paragraph 2.6.1. Reports shall be submitted NLT 1 hour after requested by COR or government POC. Depending upon scope and complexity of the assigned task, additional time may be requested with approval granted by COR or government POC contingent upon mission need. The reports shall include but not be limited to:

(1) Status reports/briefs (2) Technical reports (3) TASKORDS (4) Training documentation (5) Government documentation edits (6) Operation procedures (7) Trend analysis (8) Vulnerability analysis (9) Concept of operations (CONOPS) No more than one re-submission based on government comments.

30

Performance Objective PWS PARA

Performance Threshold

SS # 6 – Integrated Defense Security Operations Support (continuation)

2.6 (cont’d) 2. AF IC IRC [2.6.2]: The contractor shall fulfill the AF IC IRC support requirement in accordance with paragraph 2.6.2.

Reports shall be submitted NLT 1 hour after requested by COR or government POC. Depending upon scope and complexity of the assigned task, additional time may be requested with approval granted by COR or government POC contingent upon mission need. The reports shall include but not be limited to:

(1) Status reports/briefs (2) Technical reports (3) TASKORDS (4) Training documentation (5) Government documentation edits (6) Operation procedures (7) Trend analysis (8) Vulnerability analysis (9) Concept of operations (CONOPS) (10) Intrusion data (11) Incident handling data (12) Intrusion and incident analysis No more than one re-submission based on government comments.

3. GOVERNMENT FURNISHED PROPERTY AND SERVICES.

3.1 Services.

The Government will provide the contractor the appropriate security identification badges in accordance with the PWS and issue each individual contractor a Common Access Card (CAC) to gain access into spaces in which they can perform their assigned tasking. The contractor will

31

already need to be cleared prior to receiving badges. The CAC will allow the individual entrance to the base and access to the unclassified network. Any additional service requirements will be addressed upon notification of contract award.

3.2 Facilities.

The Government will provide the necessary workspace for the contractor’s staff to provide the support outlined in this PWS to include desk and chair and other items necessary to maintain an office environment.

3.3 Utilities.

The Government will make available all utilities in the facility for the contractor’s use in performance of tasks outlined in this PWS.

3.4 Equipment.

The Government will provide the contractor access to printers, unclassified and classified if properly cleared networks, copy machines, classified destruction equipment, facsimile machines (secure, DSN, and commercial access), and basic office supplies.

3.5 Materials.

The Government will provide the contractor access to all Government Standard Operating Procedures (SOPs) and Policies pertaining to the execution of the assigned taskings.

4. GENERAL INFORMATION.

4.1 Contractor Identification in the Government Workplace.

When conversing with Government personnel during business meetings, over the telephone, or via electronic mail, the contractor shall identify themselves as such to avoid situations arising where sensitive topics might be better discussed solely between Government employees. The contractor shall identify themselves on any attendance sheet or any coordination documents they may review. Electronic mail signature blocks shall identify their company affiliation and Contractor status.

4.2 Industrial Security.

The contractor shall have and maintain a final US Government issued Top Secret/Sensitive Compartmented Information SCI (TS/SCI) security clearance. The contractor shall follow the security requirements outlined in the contract DD Form 254, Department of Defense Security Classification Specifications.” The contractor shall be subject to random drug testing. Documents shall be maintained and protected as required by the classification of the information. The contractor shall safeguard Government information as required by the classification of the information.

32

DD Form 254. Overarching security requirements and contractor access to classified information will be as specified in the DD Form 254, Department of Defense Security Classification form attached to the contract. The contractor shall have a final U.S. Government-issued TOP SECRET security clearance and be DCID 6/4 eligible with a current SSBI.

4.3 Physical Security.

4.3.1.1 The contractor shall safeguard all Government property provided for contractor use. At the close of each work period, Government facilities, property, and materials shall be secured.

4.3.1.2 Combinations and Codes. The contractor shall establish and implement methods of ensuring that all combinations and codes are not revealed to unauthorized persons. The contractor shall ensure that lock combinations are changed when personnel having access to the combinations no longer have a need to know such combinations.

4.3.1.3 Access lock combinations are “For Official Use Only” and shall be protected from unauthorized personnel.

4.3.1.4 Combinations to security containers, secure rooms, or vaults are classified information and shall be properly safeguarded. Only the contractor employees with proper security clearances and need-to-know will be given combinations to security containers, secure rooms, or vaults.

4.3.1.5 Security alarm access codes are “For Official Use Only” and shall be protected from unauthorized personnel. Security alarm access codes will be given to contractor employees who require entry into areas with security alarms. The contractor shall properly safeguard alarm access codes to prevent unauthorized disclosure.

4.4 Privacy Act.

Work on this contract requires the contractor to have access to Privacy Information. The contractor shall adhere to the Privacy Act, Title 5 of the US Code, Section 552a and applicable Agency rules and regulations.

4.5 Places of Performance.

As the AF IC continues to evolve its cybersecurity mission, the level of effort and geographical locations required under this PWS may change; be it increased, reduced, or eliminated at the direction of the Government.

The geographical work locations are:

33

1) ACC/A26, Joint Base San Antonio – Lackland AFB

2) 625th ACOMS , Joint Base San Antonio – Lackland AFB

3) CONUS and OCONUS sites [durations range from 2 days to 3 weeks]

Historically, past work locations for similar efforts have included:

1) Langley AFB, VA

2) Robins AFB, GA

3) Tyndall AFB, FL

4) Davis-Monthan AFB, AZ

5) Randolph AFB, TX

The contractor shall present a professional appearance during normal duty and temporary duty assignments.

4.6 Hours of Operation.

Normal Hours of Operation.

The contractor, with the exception of AF IC SCC and AF IC IRC support, shall perform the services required under this contract during the following core hours: Mon - Fri, 0700-1700, except Federal holidays. The AF IC SCC and AF IC IRC support contractors shall provide support 24 hours a day, seven (7) days a week, for the duration of this contract with a minimum of two contractors per shift. On-call support requirements will apply as required to ensure services and operations remain operational. On-call support shall be coordinated with the Government COR prior to the performance of all after hours work. The contractor shall present a professional appearance.

Recognized Holidays.

With the exception stated previously in Normal Hours of Operation for the AF IC SCC and AF IC IRC, the contractor is not required to provide service on the following days:

New Year’s Day Labor Day Dr. Martin Luther King’s

Birthday Columbus Day

Presidents’ Day Veterans Day Memorial Day Thanksgiving Day

Independence Day Christmas Day

4.6.1.1 If the holiday falls on Saturday, it is observed on Friday. If the holiday falls on a Sunday, it is observed on Monday.

4.7 Conservation of Utilities.

34

The contractor shall operate under conditions which prevent the waste of utilities which include the following:

1) Lights shall be used only in areas where and when work is actually being performed.

2) Mechanical equipment controls for heating, ventilation, and air conditioning systems shall not be adjusted by the contractor unless authorized by the COR or designated Government representative.

3) Water faucets or valves shall be turned off after the required use has been accomplished.

4) Government telephones shall be used only for official Government business.

 

4.8 Records.

The contractor shall create, maintain and dispose of only those Government required records that are specifically cited in this PWS or required by the provisions of a mandatory directive listed in Appendix B, Applicable Publications & Instructions. If requested by the Government, the contractor shall provide the original record, or a reproducible copy of any such record, within five (5) workdays of receipt of the request. No later than three (3) weeks before the conclusion of this contract, the contractor shall turn-over to the Government all appropriate and requested documentation to include but not be limited to: processes, policies, handbooks, SOPs, build guides, technical solutions, configuration guides, and any work products produced during term of employment. In the event of a follow-on contract, the contractor shall provide the incoming contractor with no less than three (3) weeks of transitional turnover on-the-job training. All documentation and records generated by the contractor are the sole property of the Government.

4.9 Contractor Manpower Reporting.

Overview.

In accordance with Section 8108 of the National Defense Appropriations Act of Fiscal Year 2011, the contractor shall report, annually, for performing services on Department of Defense installations in support of this contract, all required prime contract and subcontract data, or require any subcontractors to report separately using the Enterprise-wide Contractor Manpower Reporting Application (eCRMA). There are four separate eCMRA tools: Army, Air Force, Navy, and All Other Defense Components. The appropriate eCMRA reporting tool to use is determined by the requiring activity being supported (e.g., if DISA awards a contract for an Air Force requiring activity, the contractor shall load the required reporting data in the “Department of Air Force CMRA” tool). The contractor shall report ALL contractor direct labor hours and direct labor dollars (including subcontractor labor hours) required for performance of services provided under this contract. The contractor is only responsible for entering the Order, Contact, and Location Data.

Initial Contract/Order Creation.

35

The contractor shall enter initial data (Order and Contact Data only) into the appropriate eCMRA tool to establish the basic contract record no later than 30 calendar days after receipt of contract award. The contractor shall notify the COR and the CO when the basic contract record has been established in the appropriate eCMRA tool.

Annual Reporting.

Reporting inputs will be for the direct labor executed during the period of performance (PoP) for each Government fiscal year (FY), which runs 1 October through 30 September. While inputs may be reported any time during the FY, all data shall be reported no later than 31 October of each calendar year. The contractor shall provide reporting inputs for the final PoP of this contract no later than 30 calendar days after contract expiration. The contractor may direct technical questions about the eCMRA tool to the CMRA help desk.

Uses and Safeguarding of Information.

Information from the secure website is considered to be proprietary in nature when the contract number and contractor identity are associated with the direct labor hours and direct labor dollars. At no time will any data be released to the public with the contractor name and contract number associated with the data.

4.10 Data Rights

4.10.1.1 The Government and contractor rights and obligations regarding the use, disclosure, or reproduction of data to be produced, furnished, acquired, or used in meeting contract performance requirements are delineated in FAR Clause 52.227-14, Rights in Data - General. All materials supplied to the Government shall be the sole property of the Government and may not be used for any other purpose. This right does not abrogate any other Government rights.

4.11 Safety Requirements.

In performing work under this contract, the contractor shall:

4.11.1.1 Conform to the safety requirements contained in the contract for all activities related to the accomplishment of the work.

4.11.1.2 Take such additional immediate precautions as the CO may reasonably require for safety and mishap prevention purposes.

4.11.1.3 Record and report promptly (within one hour) to the CO or COR, all available facts relating to each instance of damage to Government property or injury to either contractor or Government personnel.

4.11.1.4 In the event of an accident/mishap, take reasonable and prudent action to establish control of the accident/mishap scene, prevent further damage to persons or property, and preserve evidence until released by the accident/mishap investigative authority through the CO.

36

4.11.1.5 If the Government elects to conduct an investigation of the accident/mishap, the contractor shall cooperate fully and support Government personnel conducting the investigation.

4.12 Special Training, Certifications and Qualifications

4.12.1 The contractor shall develop a workforce qualifications plan (WQP) for the personnel hired to complete the tasks in this performance work statement (PWS). The plan shall be presented at the kick-off meeting. The plan shall describe the contractors approach to sustaining and maintaining a qualified workforce capable of fulfilling the requirements of this PWS – experience, certifications, education, and other relevant qualification factors per skill set shall be addressed.

4.12.1.1 Certifications required for the workforce shall include but not be limited to:

CASP CompTIA Advanced Security Practitioner

CISSP Certified Information Systems Security Professional

CCSP Certified Cloud Security Professional

CSSP Cyber Security Service Provider

CAP Certified Authorization Professional

GCUX GIAC Certified Unix Security Administrator

MCSA+ Microsoft Certified Solutions Associate Plus

PMP Program Management Professional

CCNA Security Cisco Certified Network Associate Security

IAM Levels 2 and 3 Information Assurance Management

IAT Levels 2 and 3 Information Assurance Technical

4.12.2 Contractor personnel requiring access to a DoD Information System shall receive initial IA awareness orientation as a condition of access and thereafter must complete annual IA refresher awareness, as required by DoD Directive 8140.1, “Cyberspace Workforce Management.” Note that DoD 8140 has replaced DoD 8570.

4.12.3 IAW DoD 8140, contractor personnel shall obtain the appropriate DoD-approved IA certification prior to being engaged.

4.12.4 The contractor shall receive initial IA awareness orientation as a condition of access and thereafter shall complete annual IA refresher awareness, as required by DoD Directive 8140.1, "Cyberspace Workforce Management."

4.12.5 The contractor shall register all DoD 8140 certifications into the Defense Workforce Certification Application (DWCA) website.

37

4.13 Level of Effort Adjustment (Operations Surge).

4.13.1 As stated in paragraph 1.3.2, as the AF IC continues to evolve its cybersecurity mission, the level of effort for services requested under this PWS may be increased, reduced, or eliminated at the direction of the Government. The contractor shall develop a level of effort adjustment plan and present it at the kick-off meeting for review and evaluation.

4.13.2 In the event the Office of Director of National Intelligence or AF/A2 directs a surge requirement, contractor shall be prepared to provide added support to each functional area and/or location within 48 hours upon notification of Government intent. Once a surge has been implemented it will remain in effect until the end of period of performance for that year. Government will notify contractor of option year surge requirement at the same time option years are executed.

4.14 Quality Control

4.14.1.1 Quality Control is the responsibility of the contractor. The contractor is responsible for the delivery of quality services/supplies to the Government (see FAR 52.246-1, Contractor Inspection Requirements).

4.14.1.2 Quality Control Program: The Government is committed to a highly interactive relationship between quality control by the contractor and quality assurance by the Government recipient of services. This relationship shall be achieved through an effective Prevention Based Quality Control Program dedicated to ensuring the best possible products and services to end users. The contractor shall provide their final written Quality Control Plan (QCP) NLT 10 working days after contract award to the COR and CO.

4.14.1.3 The contractor’s quality program shall demonstrate its proactive prevention-based outlook by meeting the objectives stated in this PWS throughout all areas of performance. The QCP shall be developed to specify the contractor’s responsibility for management and quality control actions to meet the terms of the contract. The QCP at a minimum, shall address continuous process improvement; procedures for scheduling, conducting, and documentation of inspection; discrepancy identification and correction; corrective action procedures, to include procedures for addressing Government discovered non-conformances; procedures for root cause analysis to identify the root cause and root cause corrective action to prevent re-occurrence of discrepancies; procedures for trend analysis; and procedures for collecting and addressing customer feedback/complaints.

4.14.1.4 Within 24 hours via e-mail, the contractor shall provide all reports generated as a result of the contractor’s quality control efforts. This shall include any summary information used to track quality control, including any charts/graphs.

4.14.1.5 The contractor’s QCP shall be incorporated into and become part of this contract after the plan has been accepted by the CO. Proposed changes made after CO acceptance shall be submitted in writing through the COR to the CO for review and acceptance prior to implementing any revision. The contractor’s QCP shall be maintained throughout the life of the contract and shall include the contractor’s procedures to routinely evaluate the

38

effectiveness of the plan to ensure the contractor is meeting the performance standards and requirements of the contract.

4.15 Contractor Discrepancy Report (CDR):

4.15.1 When the contractor's performance is unsatisfactory, a CDR will be issued. The contractor shall reply in writing within five (5) work days from the date of receipt of the CDR, giving the reasons for the unsatisfactory performance, corrective action taken, and procedures to preclude recurrence.

4.16 Quality Assurance:

4.16.1 The Government will evaluate the contractor’s performance under this contract in accordance with the Quality Assurance Surveillance Plan (QASP). This plan is primarily focused on what the Government must do to ensure that the contractor has performed in accordance with the performance standards. It defines how the performance standards will be applied, the frequency of surveillance, and the minimum acceptable defect rate(s).

4.17 Kick-off Meeting, Periodic Progress Meetings.

4.17.1.1 The contractor shall attend an initial kick-off meeting (within 5 working days) after contract award. The CO, COR, and other Government personnel, as appropriate, may meet periodically with the contractor to review the contractor's performance. At these meetings, the CO will apprise the contractor of how the Government views the contractor's performance and the contractor will apprise the Government of problems, if any, being experienced. Appropriate action shall be taken to resolve outstanding issues. The contractor shall provide minutes of these meetings to the Government.

4.18 Phase-In/Phase-Out Periods:

4.18.1.1 PHASE IN /PHASE OUT PERIOD: To minimize any decreases in productivity and to prevent possible negative impacts on additional services, the contractor shall have a phase-in transition team 30-days prior to the contract start date. The team shall consist of a transition lead and transition SMEs.

4.18.1.2 PHASE IN: During the phase in period, the contractor shall become familiar with performance requirements in order to commence full performance of services on the contract start date.

4.18.1.3 PHASE OUT: Prior to the completion of this contract, an observation period shall occur, at which time team management personnel of the incoming contractor may observe operations. This will allow for orderly turnover of facilities, equipment, and records and will help to ensure continuity of services. The contractor is ultimately responsible for performing full services IAW the contract, during the phase-out period, and shall not defer any requirements for the purpose of avoiding responsibility or of transferring such responsibility to the succeeding contractor. The outgoing contractor shall fully cooperate

39

with the succeeding contractor and the Government, so as not to interfere with their work or duties.

4.18.1.4 To minimize any decreases in productivity and to prevent possible negative impacts on additional services, the contractor shall have all personnel on board during the phase-out period. The contractor shall be prepared to transition the work load to the newly-selected contractor at the end of the fifteen (15) business day phase-out period, which will occur at the end of the period of performance of the contractual effort.

4.19 Contractor Travel.

4.19.1.1 The contractor shall travel to other locations in support of the tasks described in this PWS. They shall travel to various locations CONUS and OCONUS. All travel requirements (including destination, purpose, plans, agenda, itinerary, number and names of personnel, and dates) shall be pre-approved by the COR. Contractor shall submit a trip report upon completion of travel. Costs for travel shall be billed on a strictly cost reimbursable basis IAW, the regulatory implementation of Public Law 99-234, FAR subpart 31.205-46 entitled Travel Costs, and FAR 52.232-22 Limitation of Funds, specified in this contract.

 

40

4.20 Deliverables.

4.20.1 Reports and other data required in this PWS shall be submitted IAW the Contract Data Requirements List (CDRL DD1423) in Exhibit A of the contract.

CDRL # Format Data Item Description

PWS Para. Delivery Schedule

A001 Guidance provided by COR after Kick-off meeting.

Technical Report:

(1) Study/White Paper

(2) CPIR Component

2.2 (a) After task assignment: NLT 10 Working Days.

Or

(b) Depending upon scope of assignment, a mutually agreed upon date between the COR and assignee.

A002 See A001. Cybersecurity Documentation and Reports:

(1) SAR

(2) RAR

2.3 After completion of security assessment: NLT 5 working days.

A003 See A001. Authorization support documentation:

(1) DAO support

(2) SW vulnerability analysis

(3) SQL queries; Database support

(4) CPM support

2.4.1 2.4.2 2.4.3

After task assignment: NLT 1 Working Days.

A004 See A001. Cybersecurity Documentation:

Plans and Policies

2.4.4.1 After task assignment: NLT 5 Working Days.

A005 See A001. Training and Exercise Development

2.4.4.2 After task assignment: NLT 10 Working Days.

41

A006 See A001. Engineering Technical Documentation

2.5

After task assignment: NLT 5 Working Days.

A007 See A001. Integrated Defense Security Operations Documentation

(1) AF SCC Reports

(2) AF IRC Reports

(3) Security Vulnerability Analysis

2.6.1 2.6.2

(a) Weekly reports: Every Friday.

(b) In the event of an incident, NLT 1 hour after incident.

A008 See A001. Status Reports 2.1 (a) Kick-off meeting: NLT 5 Working Days after meeting.

(b) Weekly reports: Every COB Friday.

(c) Monthly reports: Last Friday of the month.

(d) Meetings/conferences: NLT 2 Working Days after event.

 

42

APPENDIX A - ACRONYMS AND ABBREVIATIONS LIST

Acronym/Abbreviation Definition

A2 Intelligence Directorate ACC Air Combat Command A2 Intelligence Directorate A26 Intel System Security Division ACS Access Control Server AD Active Directory AF Air Force AFB Air Force Base AFI Air Force Instruction AF JWICS Air Force Joint Worldwide Intelligence Communications System C2 Command and Control CAC Common Access Card CCMP Configuration and Change Management Plan CCNA Cisco Certified Network Associate CCNP Cisco Certified Network Professional CDRL Contract Data Requirements List CIPS Cyberspace Infrastructure Planning System CISM Certified Information Security Manager CISSP Certified Information Systems Security Professional CM Configuration Management CMDB Configuration Management Database CNSSI Committee of National Security Systems policy and Instructions CO Contracting Officer COA Course of Action CONOPS Concept of Operations CONUS Continental United States COOP Continuity of Operations Plan COR Contracting Officer’s Representative C&A Certification and Accreditation DAS Directly Attached Storage DCID Director of Central Intelligence Directives DFS Distributed File System DHCP Dynamic Host Configuration Protocol DNI Director of National Intelligence DNS Domain Name System DoD Department of Defense DRA Directory and Resource Administrator DRP Disaster Recovery Program DRU Direct Reporting Unit DTE Desktop Environment EC-ESC Eastern CONUS Enterprise Service Center

43

ECCB Enterprise Configuration Control Board ECM Enterprise Change Manager ESC Enterprise Service Center ESD Enterprise Service Desk EU-ESC European Enterprise Service Center FAR Federal Acquisition Regulation FISMA Federal Information Security Management Act FOA Field Operating Agency FOC Full Operational Capability GCUX GIAC Certified Unix Security Administrator GIAC Global Information Assurance Certification GPO Group Policy Object GSLC GIAC Security Leadership Certificate HBSS Host Based Security System IA Information Assurance IAW In accordance with ICD Intelligence Community Directive IC ITE Intelligence Community Information Technology Enterprise ICVA Intelligence Community Vulnerability Alerts ICVB Intelligence Community Vulnerability Bulletins IOC Initial Operational Capability ISO Enterprise Chief Information Security Officer IT Information Technology ITIL Information Technology Infrastructure Library ITSM Information Technology Service Manager JEC Joint Enterprise Council KB Knowledge Base MAJCOM Major Command MCSE Microsoft Certified Systems Engineer MCITP Microsoft Certified Information Technology Professional MOF Microsoft Office Framework MS Microsoft NAS Network Attached Storage NCM Network Configuration Manager NLT No later than NDA Non-Disclosure Agreement NPM Network Performance Monitor NIST National Institute of Standards and Technology OSHA Occupational Safety and Health Act OU Organizational Unit PA-ESC Pacific Enterprise Service Center PKI Public Key Infrastructure PBSA Performance Based Service Acquisition PMO Program Management Office

44

PM Program Manager PMP Project Management Professional PWS Performance Work Statement QA Quality Assurance QASP Quality Assurance Surveillance Plan RMF Risk Management Framework SAN Storage Area Network SCI Sensitive Compartmented Information SCCM Systems Center Configuration Manager SCOM System Center Operations Manager SNMP Simple Network Management Protocol SME Subject Matter Expert SOP Standard Operating Procedure SS Services Summary TEM Technical Exchange Meeting TMT Task Management Tool TWG Technical Working Group USAF United States Air Force VTC Video Teleconference WAN Wide Area Network WBS Work Breakdown Structure WC-ESC Western CONUS Enterprise Service Center WSUS Windows Server Update Service

45

APPENDIX B - APPLICABLE PUBLICATIONS & INSTRUCTIONS

The contractor shall comply with all publications, regulations and operating instructions provided by the Government when they pertain to the procedures for materials expediting herein and where the contractor is authorized by the PWS to accomplish the work specified in the publication, regulation or operating instructions. The publications prescribe USAF policies, use of materials, procedures and processes applicable to the work requirements. The contractor shall acquire and work on the latest version of the publication.

Publication/Instruction - Title Applicable

Paragraph/Chapter PWS

Paragraph AFI 33-332, “Privacy Act Program.” 1.1.8, 7.3, 9.1, 11.1, Section

4, 7, 8, 9, Appendix A-D, Entire Document(s)

5.10, 2.0 5.0, 2.1-2.15

IAW AFI 33-364, “Records Disposition – Procedures and Responsibilities”

Chapter 2, para 2.10 5.10

DoD Directive 8140, “Cyberspace Workforce Management.” (ref DoD 8570)

Entire Document 4.12

Department of Defense Intelligence Information System (DoDIIS) – Joint Security Implementation Guide (DJSIG)

1.5.12, 1.5.13, 1.5.14, 3.1-17

2.4.1-2.4.17

Committee on National Security Systems 1253, Security Categorization and Control Selection for National Security Systems

Entire Document 2.1-2.15

Committee on National Security Systems 1253, Security Control Overlays Template Version 1

Entire Document 2.1-2.15

National Institute of Standards and Technology Special Pub 800-33, Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations

Entire Document 2.3, 2.4, 2.6

National Institute of Standards and Technology Special Pub 800-37, Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems

Entire Document 2.4 2.11

National Institute of Standards and Technology Special Pub 800-53, Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations

Entire Document 2.3, 2.4, 2.5

National Institute of Standards and Technology Special Pub 800-53A, Rev 4, Assessing Security and Privacy Controls for Federal Information Systems and Organizations: Building Effective Assessment Plans

Entire Document 2.3, 2.4, 2.5

46

National Institute of Standards and Technology Special Pub 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations

Entire Document 2.3, 2.4, 2.5

Intelligence Community Directive (ICD) 502 – Integrated Defense of the Intelligence Community Information

Entire Document 2.5, 2.6

Intelligence Community Directive (ICD) 503 – IC Information Technology Systems Security Risk Management

Entire Document Entire Document

47

APPENDIX C – HISTORICAL DATA: LEVEL OF EFFORT REQUIRED

PWS 

para # PWS TASK LIST  and LCAT                     FUNCTIONAL ORG(S) SUPPORTEWORK LOCATION

2.xx   A26 625 ACOMS

Skillset 

Count

1 ADMINISTRATIVE SUPPORT                                           ACC/A2 and 625th 2

Office Coordination and Administration 1

Document Manager 1

2 CYBERSECURITY PROCESS IMPROVEMENT SUPPORT               ACC/A2 4

Process Improvement Manager 1

Process Improvement Engineer 3

3 SECURITY CONTROLS ASSESSMENT (SCA) SUPPORT                     625th 29

Lead Security Control Assessor   1

Security Control Assessor               [et 3‐4]   28

4 AUTHORIZATION SUPPORT                                  ACC/A2  and  625th 17

Designated Authorizing Official (DAO) Support    [et  0‐1] 3  

DAO Software Security Analysis and Database Support 1 1

Cybersecurity Program Manager (CPM)                 [et  1‐2] 4  

Governance and Management (GM) Support:      

     Plans and Policies 1 1

     Cybersecurity Training 1 1

        Cybersecurity  Exercise Development (for Integrated Defense) 1 2

     Content Mgmnt and Development 1  

5 ENGINEERING SUPPORT                                       ACC/A2  and  625th   10

Security Engineering   3 1

Assessment Support Engineering   1 1

Integrated Defense Engineering 1 1

Security Integration Engineering 1

Senior Security Developer 1

6 INTEGRATED DEFENSE SECURITY OPERATIONS SUPPORT        625th 44

     AF IC Security Coordination Center (AF IC SCC) 

Cybersecurity Auditor 4

Cybersecurity Threat Controller 5

Cybersecurity Machine Data Analyst 1

Cybersecurity Threat Analyst 1

Cybersecurity Risk Auditor 1

     AF IC Incident Response Center (AF IC IRC) 

Cybersecurity Incident Handler   [Senior] 5

Cybersecurity Incident Handler   [Intermediate] 6

Cybersecurity Host Based Analysis Specialist 5

Cybersecurity Network Based Analysis Specialist 

5

Cybersecurity Indications and Warnings Specialist

1

Cybersecurity Enterprise Traffic Analysis Specialist

1

Cybersecurity Threat Hunter 1                                  * Incident Response Infrastructure Support (IRIS)

Cybersecurity Systems Administrator 3

Cybersecurity Sensor Technician 3

Cybersecurity Signature Implementor 1

Cybersecurity Capabilities Developer 1

Skillset Count ‐‐‐‐‐‐‐>  22 84 106