Loren Data's SAM Daily™

FBO DAILY ISSUE OF FEBRUARY 29, 2008 FBO #2286
MODIFICATION

70 -- Certification and Accreditation Services (C&A)

Notice Date
2/27/2008
 
Notice Type
Modification
 
NAICS
541519 — Other Computer Related Services
 
Contracting Office
Department of the Treasury, Comptroller of the Currency (OCC), Acquisition Management (AQM), 250 E Street, SW Mail Stop 4-13, Washington, DC, 20219, UNITED STATES
 
ZIP Code
20219
 
Solicitation Number
CC-08-HQ-R-0018
 
Response Due
3/5/2008
 
Archive Date
3/31/2008
 
Point of Contact
Stephanie Gorski, Acquisition Specialist, Phone 202-874-4639
 
E-Mail Address
stephanie.gorski@occ.treas.gov
 
Small Business Set-Aside
Service-Disabled Veteran-Owned
 
Description
The purpose of this amendment is to change the response date, update the cost schedule, clarify costing issues, and post the answers to industry's questions.

I. The response date of this solicitation has been extended to March 05, 2008 at 2:00 pm EST.
II. Option period 4 (48 Months - 60 Months) is hereby deleted from the solicitation package. Therefore award will be for base year plus 3 options as listed in the solicitation package.
III. There will be no minimum guarantee with respect to this contract. The IDIQ ceiling for this contract is $4,323,000.00.
IV. Clarification: Vendors should provide firm fixed prices for CLINs 0001, 0002, 0003, 0004 & labor rates for CLINs 0005-0019.
V. Only firm fixed price will be used for the purpose of evaluation; however, labor rates will be reviewed for price fairness & reasonableness.
VI. Answers to Industry's Questions:

1. What is the current number of full time staff supporting this effort?
   A: There is a C&A program manager and the equivalent of one full time staff person.
2. What automated tools are used for continuous monitoring?
   A: The OCC Information Assurance team maintains a full suite of automated monitoring tools.
3. What, if any, automated tools are used for C&A and FISMA data collection and reporting?
   A: Trusted Agent FISMA (TAF) is used for FISMA reporting to the Department of the Treasury. OCC does not use automated C&A tools.
4. Is current pricing fixed price or labor rate pricing?
   A: The last contract was Firm Fixed Price.
5. Do you have a schedule that delineates planned C&A activity over the course of the base and 3 follow on option years? How many systems are you currently responsible for and are there plans to increase that number? What is their C&A status? Have all the systems been certified and is this a recertification contract?
   A: Fifteen systems and one General Support System (GSS) were accredited in 2007 and will be reviewed at least annually. We expect to add as many as five new systems during the base year.
6. What is the level of documentation available?
   A: Completed C&A packages (see SOO for specifics) will be provided for each monitoring task.
7. If the Service Disabled Veteran Owned Small Business (SDVOSB) does not have corporate past performance (i.e. is a new entity), can the past performance of the Service Disabled Veteran be used, if past work was performed by that individual?
   A: Any past performance from the offeror can be used as past performance as long as your past performance is relevant to the services being requested.
8. If the SDVOSB does not have corporate past performance (i.e. is a new entity), can the past performance of a sub contractor be used?
   A: No, this does not meet the past performance standards addressed in the solicitation.
9. Could you please provide further details of the Contractor's hosting facility. Are you anticipating that the C&A support staff will be located at the contractor site, with travel to the government facility?
   A: Yes, majority of work will be done at the Contractor's site
10. Will workstations and associated peripherals be supplied by the government, or included in the fully burdened rate?
   A: The OCC will provide laptops and a network connection for each contractor working on this contract, as specified in the solicitation.
11. Is it anticipated that government electronic data will be hosted at the contractor hosting site, and if so what are the government's expectations regarding the C&A of such site?
   A: The OCC will provide laptops and a network connection for each contractor working on this contract. No OCC data shall be stored, processed or transmitted on non-OCC equipment.
12. With regards to CLIN 0001-0004, what FIPS 199 rating (low-moderate-high) should the contractor presume for the purpose of estimating the level of effort?
   A: Medium
13. Is there currently an incumbent and if so, who?
   A: DSD Laboratories
14. Is the government expecting a single or multiple award?
   A: This will be a single award contract.
15. What is the estimated start/award date?
   A: Estimated award date is 5/30/2008.
16. Are any positions considered "Key"?
   A: Attachment F, page six, identifies key personnel.
17. Do any positions require a security clearance? If so, what level?
   A: No, however there will be a background check. Refer to security clauses.
18. If offsite contractor teams were used to do previous C&A how many visits to Landover, MD were required?
   A: Two trips to Landover
19. Were there trips to any other locations to complete the previous C&As? If so, where to and how many trips?
   A: Two trips to Houston for a total of five working days.
20. What is the system size (small or medium) and system categorization (low, moderate, high) of the new systems under development?
   A: 3 small, 2 medium; categorization unknown at this time.
21. What is the operating system of the new systems under development?
   A: OCC is a Microsoft Environment
22. Does OCC currently have tools that can map the network? If so, what are these tools?
   A: No
23. Will OCC allow the contractor to use their tools to map the network? If so, will these tools need to go through a CCB process in order to be used?
   A: No
24. Is it expected that the contractor develop supporting documentation for security controls such as the System Security Plan, Contingency Plan, Incident Response Plan, Vulnerability Management Plan, and Configuration Management Plan for the 5 systems in development as part of their C&As?
   A: The contractor must provide documentation consistent with applicable NIST special publications.
25. Can the incumbent bid this RFP?
   A: No, the incumbent is not a SDVOSB
26. The labor categories identified cover capabilities beyond C&A work. Can this contract vehicle be used by OCC to acquire services not related to C&A support services as well as those identified in the solicitation?
   A: No
27. Are the current policies and documentation related to C&A considered to be current?
   A: Yes
28. When was the last C&A performed on the systems in question?
   A: Fifteen systems and one GSS were accredited in 2007 and will be reviewed at least annually. We expect to add as many as five new systems during the base year.
29. Does the government have a reference or definition for the qualifications and experience required for the labor categories listed in CLINs 0005-0019, 2005-2019, 3005-3019, and 4005-4019?
   A: No, the vendor can substitute categories at their own discretion. There is no predetermined definition. Vendors are asked to propose labor categories that meet the requirements of the C&A support.
30. Is there an OCC accreditation requirement for contractor systems that will be used for off-site analysis and storage of OCC C&A and continuous monitoring related data?
   A: OCC laptops will be issued and no OCC data may be stored or processed on non-OCC equipment.
31. Will the contractor contingency plans (including both disaster recovery and continuity of operation) be subject to government review?
   A: No.
32. Will the contractor's facility physical security controls be subject to government review or inspection?
   A: Yes
33. Can more details be provided on what OCC is looking for in the Performance Measurements Plan?
   A: The OCC expects each offeror to propose performance measures that are in-line with industry best practices.
34. The solicitation states that each proposal shall consist of two volumes. Are the two volumes the Technical Capability (20 page limit) including the Past Performance volume (10 page limit) and the Price Proposal, or are there 3 distinct volumes: 1) Technical Capability, 2) Past Performance, and 3) Price Proposal?
   A: Volume one should contain Technical Capability and Past Performance. Volume two should contain Price.
35. As shown in the cost schedule the OCC is asking for Firm Fixed pricing for CLINs 0001-0004 and Labor Rates (Labor Rates) for the following CLINs.
   A: Yes, as shown in the solicitation document the OCC requests firm fixed pricing for CLINs 0001-0004 and Labor Rates for CLINs 0005-0019.
36. In the period of performance (Section 7 of the SOO) there are 3 one year options called out. However, in the price schedule, there appear to be 4 option years. In our response, should we propose a cost estimate for 3 or 4 option years?
   A: The period of performance is base year & three one-year options
37. What should be the hour basis for our cost estimate (i.e. 2000 hour man year, 1920, etc)?
   A: Each offeror will establish their own fixed price rates as for the labor hour CLINs, the hours will be estimated for a period of time by the OCC.
38. Please confirm that tables and exhibits can be provided in a font size less than 12 point font as long as the information is easily readable.
   A: No, as listed in the RFP everything must be 12 point font
39. In the SOO, Section 3.2.1 the systems are described. Does the Office of the Comptroller of the Currency (OCC) have Major Applications (MA) as defined in NIST SP 800-37? If so, how many MAs exist and how many MAs are planned to be placed in production during the contract period?
   A: Yes. The OCC, according to NIST SP 800-37, has eight major applications and seven minor applications.
40. Under Labor Categories, please clarify the following statement: "Offerors may add or substitute labor categories." Is the offeror required to submit pricing for 19 CLINs? Many of the personnel in our organization perform multiple roles listed by the labor categories and it will not be necessary to price all CLINs.
   A: No, each offeror can provide labor categories that they feel will be required to support this solicitation.
41. Please clarify the information required in the Past Performance section of the proposal. Are these copies of the completed Attachment D, Performance Information Requests or is this the information identified in the Evaluation Factors? Is the entire Past Performance section limited to 10 pages or does the 10 page limitation refer to each past performance example, making this section limited to 30 pages?
   A: The past performance section excluding the surveys (attachment D) is limited to 10 pages
42. The RFP states the proposal due date and time is "COB 02/29/08". What is the exact time that is considered to be COB?
   A: COB is considered 5:00pm EST.
43. Stated in the RFP 100% Service Disabled Veteran Owned Small Business set-aside. Is a SDVOSB permitted to Sub to a non SDVOSB?
   A: Yes.
44. Is it possible to get more information on the average size of a Small and Medium system? For example, on average is a small system comprised of 10 servers, 20 servers, etc.
   A: No, refer back to Attachment A (SOO) for description
45. What type of network equipment comprises the WAN?
   A: The OCC maintains a Cisco Environment.
46. If the WAN components are "stacked" how many stacks are there?
   A: n/a
47. What type of components comprise each stack (Routers, switches, IDS, etc.)?
   A: n/a
48. What operating system comprises the Web component?
   A: The OCC maintains a Microsoft environment.
49. What type of equipment comprises the LAN component?
   A: The OCC maintains a Microsoft environment.
50. Where is the production server farm located?
   A: n/a
51. How many servers are in the server farm?
   A: n/a
52. What is the operating system of the mainframe?
   A: n/a
53. What type of security software is used on the mainframe (e.g. RACF, ACF2, etc.)?
   A: n/a
54. Where is the mainframe located?
   A: n/a
55. How many end-user workstations are included in scope for this effort?
   A: approximately 3500
56. What type of solution is in place now to monitor the end-user environment for security violations?
   A: The OCC Information Assurance team maintains a full suite of automated monitoring tools.
57. How many of the medium systems have multiple operating platforms?
   A: As many as five systems rely on more than one platform for data storage, manipulation or reporting.
58. Are these multiple operating platform systems all housed in the same datacenter?
   A: Yes
59. Does each multiple operating platform system support only one application?
   A: No
60. After the 10-day government review, does the contractor have 10 days to incorporate the government-requested changes into the artifact? & If not, how many days are allowed for the contractor to incorporate the government-requested changes?
   A: This is up to the offeror to propose in the PWS
61. Will the OCC provide workspace for the contractor when the contractor must come on site for data collection, review, and testing?
   A: The OCC will provide laptops & network access. While the contractor is at an OCC location, temporary space will be provided during their visit.
62. What type of equipment (number of small/medium systems, WAN, LAN, MF, end-user components) is located in: Landover, MD; Houston, TX; Denver, CO; Chicago, IL; New York, NY; Dallas, TX
   A: The OCC has approximately 140 sites nationwide. The OCC data center is located in Landover, Maryland. The other sites listed above are district offices, and the Office of the Ombudsman (Houston, Texas.) Systems, as described herein, are located in Landover, or Houston.
63. What type of BC/DRP repository software/system is used to store the plans?
   A: None
64. How many systems have a FIPS 199 Availability impact at HIGH?
   A: None
65. What type of CP tests are HIGH availability systems subject to? (e.g. functional, table top, doc review/update?)
   A: N/A
66. Is each of these HIGH availability systems tested annually?
   A: N/A
67. Will the contractor staff be required to complete this training in the OCC offices in WDC or can the contractor staff complete the training over the Internet from their offices?
   A: The OCC will provide this information electronically to the contractor after award.
68. Will the OCC send the "Information Request: Past Performance" document to the contracting officer or should the contractor send it?
   A: The contractor should send this document.
69. Will the contracting staff be issued access cards for OCC sites?
   A: No, only visitor badges and they will require govt. escort while on OCC locations.
70. Do all contracting staff need to be physically present in WDC to meet with the CIPS office in order to have an access card issued to them?
   A: All contractor personnel must report to the OCC HQ or District Office for security clearance & personal identity verification.
71. Are there regional CIPS offices (i.e. in major metropolitan areas) that can fulfill the OCC's identity verification requirements?
   A: Yes, the District Offices include: NYC, Dallas, Denver & Chicago.
72. Will the contractor be able to establish logical access to the OCC network via VPN connection?
   A: The contractor will be issued an OCC laptop and receive network access.
73. If not, what FIPS 140-2 compliant encryption product does the OCC prefer?
   A: N/A
74. Why was the NAIC code and size standard changed from 519190 to 541519?
   A: Because this NAIC code fit the requirement
75. 6(a) Is the PMP required at time of proposal submission?
   A: Yes
76. 6(b) If so, is it included in the 20 page limit for Technical Capability or can it be submitted as an appendix? If an appendix, is there a page limit?
   A: The PMP should be an appendix and not count against the page limit
77. Who is performing C&As on OCC Large Systems?
   A: No large systems
78. Does OCC want vendors to only bid firm fixed prices for CLINS 001 thru 004 or can vendors bid CLINS 001 thru 004 as time & material labor rates? If labor rates are used, should proposed hours be provided per labor category for CLINS 0001 thru 004?
   A: In order to have your proposal considered for award, please comply with the requirements specified in the solicitation.
79. Will task orders be placed on this IDIQ in FY08?
   A: Yes
80. Could the task orders be awarded as a mix of FFP and T&M?
   A: Yes
81. Please define a "Contractor Hosting Facility" as referenced in the FedBizOps posting?
   A: The facility the contractor will use to house its employees working on this contract.
82. How often are the systems changed such that an updated C&A package is required (e.g., monthly, quarterly, annually)?
   A: When changes are made that materially impact the effectiveness of security controls, but at least annually.
83. The directions state that vendors are to propose a fixed price or labor hours, but we assume bidders must provide both. If not please clarify.
   A: Please refer to question 42.
84. The instructions state that proposal pages must be numbered sequentially. Is it permissible to number pages sequentially within Factors?
   A: No, there are no factors associated with this requirement.
85. What is the level of incident response testing expected (Attachment A, SOO, 3.2.7)?
   A: The OCC will be responsible for incident response testing.
86. Since Continuous Monitoring requires involvement in monitoring Configuration Management (CM), will the contractor be provided copies of the CM change forms and/or be required to attend CM meetings?
   A: OCC will provide configuration management information.
87. What does Treasury currently use for transmission of encrypted information that is FIPS 140-2 compliant?
   A: The OCC uses ZixMail to secure electronic mail over the Internet.
88. Will the contractor be given VPN access to OCC?
   A: The OCC will provide laptops and a network connection for each contractor working on this contract.
89. What other practices/procedures are currently in-place for continuous monitoring of the certified and accredited GSS and 15 OCC systems?
   A: Periodic customer meetings
90. Is there already a schedule of testing for selected management, operational and technical security controls from the accredited systems?
   A: No
91. How are annual security assessments currently done at OCC?
   A: 2008 will be the first year for systems accredited in 2007.
92. Does Treasury have a preferred template for the Performance Monitoring Plan?
   A: No
93. Is there currently an approved list of common controls for the OCC common operating environment? (SOO; 9.0) By whom is the list of common controls approved?
   A: Yes. This list was developed by the office of the Chief Information Security Officer.
94. Will training be provided for the contractor for any in-house or organizational procedures/processes/continuous monitoring software currently being used by OCC (Trusted Agent FISMA; CSAM, etc.)?
   A: No training will be required.
95. How much access will be given to the project and program managers if a PMO is not established? Will this access be direct or will contractors be required to communicate through an OCC liaison?
   A: Appropriate access to system owners will be provided by the Information Security Office.
96. What templates and checklists currently exist for security documentation development? What component within the organization controls development and update of the C&A templates? When were the templates and checklists last updated?
   A: Yes. The office of the Chief Information Security Officer developed and maintains all templates and checklists.
97. The Statement of Objectives in section 3.2.b defines one GSS, ten medium, and five small systems. The requested pricing addresses Small and Medium systems but not the GSS. The GSS appears to be a significant element of the OCC architecture - is there consideration for pricing the one GSS separately?
   A: No
98. Can the FIPS 199 categorization of the GSS, Small, and Medium systems be provided? The categorization of the system is an important factor in determining the level of effort for a C&A.
   A: All systems are moderate

NOTE: THIS NOTICE WAS NOT POSTED TO FEDBIZOPPS ON THE DATE INDICATED IN THE NOTICE ITSELF (27-FEB-2008); HOWEVER, IT DID APPEAR IN THE FEDBIZOPPS FTP FEED ON THIS DATE. PLEASE CONTACT fbo.support@gsa.gov REGARDING THIS ISSUE.
 
Web Link
Link to FedBizOpps document.
(http://www.fbo.gov/spg/TREAS/OCC/ASDMS413/CC-08-HQ-R-0018/listing.html)
 
Place of Performance
Address: 250 E St. SW Washington, DC
Zip Code: 20219
Country: UNITED STATES
 
Record
SN01518783-F 20080229/080228020623 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
