26 Oct 2017

2D Theater Signal Brigade, United States Army Regional Cyber Center – Europe (RCC-E)

Type of document: Contract Notice
Country: United States

Agency:
Department of the Army

Official Address:
Bldg 61801, Rm 3212
Fort Huachuca AZ 85613-5000

Zip Code:
85613-5000

Contact:
Wendy S. Alameda-Clark, Contract Specialist, Phone 5205388890, Email wendy.s.alameda-clark.civ@mail.mil – Elizabeth C Woodson, Contracting Officer, Phone (520)538-6364, Email elizabeth.c.woodson.civ@mail.mil

Link:

Date Posted:
24/10/2017

Classification:
D

Contract Description:
INTRODUCTION

The Army Contracting Command – Aberdeen Proving Ground (ACC-APG) – Huachuca Division; 2133 Cushing St, Bldg. 61801, Greeley Hall, AZ 85613-7070, is issuing this sources sought synopsis as a means of conducting market research to identify parties having an interest in, and the resources to support, the requirement for Non-personal Information Technology (IT) Support Services for the United States Army Regional Cyber Center – Europe (RCC-E), 2D Theater Signal Brigade. The intention is to procure these services on a competitive basis. Prospective contractors shall be registered in the System for Award Management (SAM) prior to award of a contract. Contractors are encouraged to obtain further information on SAM registration at the following website:

BASED ON THE RESPONSES TO THIS SOURCES SOUGHT NOTICE/MARKET RESEARCH, THIS REQUIREMENT MAY BE SET-ASIDE FOR SMALL BUSINESSES (IN FULL OR IN PART) OR PROCURED THROUGH FULL AND OPEN COMPETITION, and multiple awards MAY be made. All Small Business Set-Aside categories will be considered. Telephone inquiries will not be accepted or acknowledged, and no feedback or evaluations will be provided regarding submissions.

DISCLAIMER

“THIS SOURCES SOUGHT IS FOR INFORMATIONAL PURPOSES ONLY. THIS IS NOT A “REQUEST FOR PROPOSAL (RFP)” TO BE SUBMITTED. IT DOES NOT CONSTITUTE A SOLICITATION AND SHALL NOT BE CONSTRUED AS A COMMITMENT BY THE GOVERNMENT. RESPONSES IN ANY FORM ARE NOT OFFERS AND THE GOVERNMENT IS UNDER NO OBLIGATION TO AWARD A CONTRACT AS A RESULT OF THIS ANNOUNCEMENT. NO FUNDS ARE AVAILABLE TO PAY FOR PREPARATION OF RESPONSES TO THIS ANNOUNCEMENT. ANY INFORMATION SUBMITTED BY RESPONDENTS TO THIS TECHNICAL DESCRIPTION IS STRICTLY VOLUNTARY. RESPONSES WILL NOT BE RETURNED TO THE RESPONDER. NOT RESPONDING TO THIS NOTICE DOES NOT PRECLUDE PARTICIPATION IN ANY FUTURE REQUEST FOR QUOTE (RFQ), INVITATION FOR BID (IFB), OR RFP, IF ANY IS ISSUED. IF A SOLICITATION IS RELEASED, IT WILL BE SYNOPSIZED ON THE GOVERNMENT-WIDE POINT OF ENTRY (GPE). IT IS THE RESPONSIBILITY OF POTENTIAL OFFERORS TO MONITOR THE GPE FOR ADDITIONAL INFORMATION PERTAINING TO THIS REQUIREMENT.”

PROGRAM BACKGROUND

The United States Army Regional Cyber Center – Europe (RCC-E), 2D Theater Signal Brigade, Non-personal Information Technology (IT) Support Service is designated to continuously conduct Department of Defense Information Network (DoDIN) Operations and Defensive Cyberspace Operations (DCO) – Internal Defensive Measures (IDM) on the Army’s portion of the DoDIN in both EUCOM’s and AFRICOM’s Areas of Responsibility (AOR), in order to ensure Army, Joint, and Coalition Forces’ freedom of action in cyberspace while denying the same to our adversaries. The RCC-E manages the European Theater network devices and enterprise services (to include the Domain Name Service (DNS) for USAREUR, USAFRICOM, and USEUCOM) as part of the Joint Information Environment (JIE). The RCC-E routinely operates and defends NIPR/SIPR/Coalition networks for customers including USAREUR/USARAF/USAFRICOM/USEUCOM/RHCE, and provides surge capability for ad hoc coalition networks supporting various exercises, and other networks.
Types of services provided are:

Network Operations (NETOPS)
Defensive Cyberspace Operation
Mission Support Services
Exercise Support
Network Services
Enterprise Services
Enterprise Management & Information Assurance (IA) Services
Emergency Management Modernization Program (EM2P)/Web-based Emergency Operations Center (WebEOC)
Internal Services
Enterprise Configuration Management/Service Level Management (CM/SLM)

Cyber Security
New Technology and Product Insertion
Infrastructure Support
Database Administration and Storage
Network Management Systems Support
Architecture and Development
Security Monitoring, Detection and Analysis
Intrusion Detection system / Intrusion Prevention system (IDS/IPS)
Application Development and Support
System Development Support
Network Defense Penetration Testing and Evaluation
Forensic and Malware Analysis
Asset Management
Change Management
Automated Information System Management
DCO Theater Cyber Operations and Integration Center (TCOIC)/Watch Floor
Operations Support

REQUIRED CAPABILITIES

The Contractor shall provide qualified personnel and all personnel administration, personnel management, training, maintenance, and services (except as otherwise provided herein and in the basic contract) to the RCC-E in support of Information Technology requirements. Tasks include Network Management; Enterprise Systems Management; Network Operations (NETOPS) and Mission Support; Cyber Security support; Network Infrastructure Security; Network Assistance Visits; Network, System and Web Assessments; Network Security Monitoring, Detection, and Analysis; Forensic and Malware Analysis; and Defensive Cyberspace Operations (DCO) Application Development, on DoD funded or managed networks as required by U.S. Army Europe (USAREUR), U.S. Africa Command (AFRICOM), to include Combined Joint Task Force – Horn of Africa (CJTF-HOA), U.S. European Command (EUCOM), and U.S. Army Cyber Command (ARCYBER), to include but not limited to Non-Secure Internet Protocol Router Network (NIPRNet), Secure Internet Protocol Router Network (SIPRNet), exercise, and designated coalition networks in support of AFRICOM, EUCOM, USAREUR, US Army in Africa (USARAF), and Regional Health Command Europe (RHCE) missions in support of the areas specified in Program Background (above). Further detail is provided below; a draft Performance Work Statement will not be provided at this time.

Requirement – REQUIRED CAPABILITIES:

The Contractor shall support the RCC-E mission as follows:

Description of Requirements

Provide systems and process support for DoDIN and Defensive Cyberspace Operations (DCO).

Network Operations (NETOPS)

The contractor shall use the RCC-E-provided ticketing system. Requests are received and processed in the form of trouble tickets. The contractor shall report security events within 15 minutes of detection or notification. If the ticketing system is down, trouble tickets will be submitted manually and telephonically to accommodate customer requirements. Upon system restoral, the contractor shall enter manual or telephonic requests into the ticketing system as soon as possible (within 24 hours).

• The Contractor shall assign all trouble tickets and ensure work begins on assigned trouble tickets within the currently established timelines, as follows:

Critical = Priority 1 / Immediate response (24/7)
Urgent = Priority 2 / 4 hours
Routine = Priority 3 / 24 hours
Priority 4 / 3 business days
Priority 5 / 5 business days. The contractor may not be able to resolve these tickets at the RCC-E. If so, the contractor shall coordinate with the Government lead at agencies within or supported by the 2nd Signal Brigade.

• The immediate and 4 hour response times are for those sections that are manned 24 x 7. For sections that are not manned 24 x 7, the response time begins when notified by the 24 x 7 RCC-E Theater Cyber Operations Integration Center (TCOIC).

• The Contractor shall respond to the trouble ticket by initiating corrective action, providing follow-up on corrective actions, and performing close-out of the trouble ticket by entering the required information. The Contractor shall make proper, correct, and complete record entries on all assigned trouble tickets.
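The response timelines and the 15-minute security-event reporting rule above are easy to state and easy to miss in a busy queue. The following is an added example (not part of the notice, and not RCC-E tooling) that encodes those windows and checks a ticket queue against them. The priorities and windows are the ones the notice states; the ticket fields, the constructed sample tickets, and the convention that the caller supplies the TCOIC notification time for a section that is not manned 24x7 are assumptions made here.

```python
from datetime import datetime, timedelta

# Response windows as stated in the notice. Integers are business days
# (Monday to Friday); timedeltas are wall-clock windows.
RESPONSE_WINDOW = {
    1: timedelta(0),          # Critical: immediate response (24/7)
    2: timedelta(hours=4),    # Urgent
    3: timedelta(hours=24),   # Routine
    4: 3,                     # Priority 4: 3 business days
    5: 5,                     # Priority 5: 5 business days
}
# Security events must be reported within 15 minutes of detection or notification.
SECURITY_EVENT_REPORT_WINDOW = timedelta(minutes=15)


def add_business_days(start, days):
    """Advance `start` by `days` Monday-to-Friday days, keeping the time of day."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # 0..4 are Mon..Fri
            days -= 1
    return current


def response_deadline(priority, opened_at, section_24x7=True, tcoic_notified_at=None):
    """Latest time by which work must begin on a ticket.

    For a section that is not manned 24x7 the notice starts the clock when the
    TCOIC notifies the section, so the caller supplies that time (assumption).
    """
    if section_24x7:
        start = opened_at
    else:
        if tcoic_notified_at is None:
            raise ValueError("non-24x7 section: TCOIC notification time is required")
        start = tcoic_notified_at
    window = RESPONSE_WINDOW[priority]
    if isinstance(window, int):
        return add_business_days(start, window)
    return start + window


def security_event_report_deadline(detected_at):
    """Reporting deadline for a security event: 15 minutes from detection/notification."""
    return detected_at + SECURITY_EVENT_REPORT_WINDOW


def sla_breaches(tickets, now):
    """Ids of tickets whose response window passed without work starting,
    or where work started after the deadline."""
    breached = []
    for t in tickets:
        deadline = response_deadline(t["priority"], t["opened_at"],
                                     t.get("section_24x7", True), t.get("tcoic_notified_at"))
        started = t.get("work_started_at")
        if (started is None and now > deadline) or (started is not None and started > deadline):
            breached.append(t["id"])
    return breached


# Constructed sample queue (hypothetical ids and times; 26 Oct 2017 is a Thursday).
OPENED = datetime(2017, 10, 26, 17, 0)
SAMPLE_TICKETS = [
    {"id": "T1", "priority": 1, "opened_at": OPENED, "work_started_at": OPENED},
    {"id": "T2", "priority": 2, "opened_at": OPENED,
     "work_started_at": OPENED + timedelta(hours=5)},            # 4-hour window missed
    {"id": "T3", "priority": 2, "opened_at": OPENED, "section_24x7": False,
     "tcoic_notified_at": datetime(2017, 10, 27, 8, 0),
     "work_started_at": datetime(2017, 10, 27, 11, 30)},         # clock started at notification
    {"id": "T4", "priority": 4, "opened_at": OPENED},             # 3 business days: due Tue 31 Oct 17:00
    {"id": "T5", "priority": 5, "opened_at": OPENED},             # 5 business days: due Thu 2 Nov 17:00
]
NOW = datetime(2017, 10, 31, 18, 0)   # constructed "current time", Tuesday evening

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(t["id"], response_deadline(t["priority"], t["opened_at"],
                                         t.get("section_24x7", True), t.get("tcoic_notified_at")))
    print("breached:", sla_breaches(SAMPLE_TICKETS, NOW))
```

Running the block prints each ticket's response deadline and then the breached ids; with the sample queue those are T2 (the 4-hour urgent window missed) and T4 (three business days elapsed with no work started).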

Defensive Cyberspace Operation

• The Contractor shall use the RCC-E DCOD-provided cyber event/incident ticketing system for reporting cyber incidents to the Army CERT Incident Database (ACID). Cyber event investigations will be initiated and processed in the form of cyber event investigation and incident tickets. The contractor shall report cyber incidents following the timelines required in CJCSM 6510.01B. Cyber events and incidents that require local customer support will be processed via the NETOPS ticketing system described above. If the DCOD, ACID, or NETOPS ticketing system is down, cyber incidents will be submitted manually and telephonically to accommodate ARCYBER and customer requirements. Upon system restoral, the contractor shall enter manual or telephonic requests into the ticketing system as soon as possible, and not later than 24 hours after the ticketing system is restored.

• The Contractor shall complete cyber event/incident investigations and report results in compliance with reporting requirements and timelines provided in CJCSM 6510.01B.

Tools Integration (full RCC-E tools integration is detailed in Appendix – Services and Assets)

• The RCC-E current monitoring tools are NetCool and Spectrum, which generate alarms that interface directly with NSS Remedy to open NSS incident tickets.

• Microsoft System Center Operations Manager (SCOM) feeds server alarms to Spectrum.

• NetApp, Veritas, and EMC storage devices located in APCs send Simple Network Management Protocol (SNMP) traps to Spectrum.

• All network devices send SNMP traps, System Logs, and Netflow data (as appropriate) to collectors.

• Host, systems, router, firewall, and web proxy logs as well as intrusion prevention and intrusion detection events are ingested into Security Information and Event Management (SIEM) systems such as ArcSight for analysis by network and DCO analysts.

• An advanced data analytics platform, such as Splunk or the Army Big Data Platform, ingests, stores, processes, and visualizes data of interest from sources such as ArcSight, Host Based Security Systems, Attack Sensing and Warning sensors, router and firewall logs, and syslog data, to perform DCO functional and operational requirements.

Mission Support Services

The Contractor shall:

• Conduct incident, problem, change and release management in accordance with applicable RCC-E procedures.

• Provide processes, plans, and procedures support during core hours (Monday through Friday, 0630–1800), and provide call-out support as required.

• Install all required upgrades and patches on managed systems, and configure systems in accordance with applicable DISA Security Technical Implementation Guides (STIGs) to ensure Information Assurance compliance. When the Contractor cannot complete such work by a required suspense date or because of configuration limitations, the Contractor shall provide a Plan of Actions and Milestones (PoAM) to the COR for submission to the Authorizing Official (AO) a minimum of 10 days before the suspense date.

• Schedule work in accordance with RCC-E procedures for service interruptions and maintenance windows. The Contractor shall perform backup and restoral operations for all managed systems in accordance with established RCC-E policies for the particular system and on the designated archives. All policies are maintained on the RCC-E SharePoint portal.

• Document all work in the current NETOPS and DCO ticketing systems.

• Provide call-out support outside core hours seven days a week.

• Assist the COR in establishing vendor support requests when a problem exceeds technical capabilities.

• Develop and tune telemetry from managed systems to report to and integrate with RCC-E management systems (for example, Spectrum and System Center Operations Manager (SCOM)), to enable efficient and rapid diagnosis of the root causes of incidents and to provide data for trend analysis.

• Prepare Tactics, Techniques, and Procedures (TTP), Standard Operating Procedures (SOP), Executive Summary (EXSUMS), trip reports and white papers and submit in accordance with requirement Deliverables. Contribute in the preparation of agreements, policy, and guidance documentation such as Memorandums of Understanding / Agreement (MOU/A), Service Level Agreements (SLA). Review all SOPs and TTPs annually and update as required to ensure the SOPs and TTPs remain current and in compliance with DoD, Army, and local directives. Annual reviews shall be documented as required by local procedures.

• Synchronize DCO programs with ARCYBER personnel as required via working group participation to develop, research, publish, test, and annually update, in accordance with requirement Deliverables, Standard Operating Procedures and Tools, Tactics, Techniques and Procedures (TTTP) related to Threat Detection, Computer Defense Assistance Program (CDAP), and the Cyber Intrusion Analysis Program (CIAP). This includes providing support after core hours due to time zone differences between the RCC-E areas of operations and ARCYBER, other DCODs, and RCCs.

• Support Cybersecurity Service Provider (CSSP) accreditation. Develop and maintain an automated library or repository of documentation validating compliance with CSSP accreditation requirements. CSSP evaluations are an on-site evaluation and validation of compliance with mandated CSSP requirements as outlined in DoDI 8530.1, Cybersecurity Activities Support to DoD Information Network Operations, and DOD O-8530.1-M, Department of Defense Computer Network Defense (CND) Service Provider Certification and Accreditation Program. The Contractor shall evaluate its compliance by using the current version of the DoD Cybersecurity Services Evaluator Scoring Matrix. CSSP accreditation requirements and the scoring matrix shall be reviewed biannually and SOPs and TTPs updated within five (5) working days of review, if necessary, to ensure SOPs and TTPs remain current and are in compliance with DoD, Army and local directives. Success of this task is measured through documented evidence of continuous improvement from the current maturity level to achieving the highest maturity level described in the DoD Cybersecurity Services Evaluator Scoring Metrics.

• Provide content management on web portals and web applications located on both the NIPRNet and SIPRNet. The Contractor shall ensure the information posted is relevant to the current cyberspace operations climate.

Exercise Support

The Contractor shall:

• Participate, if tasked, in exercises and assist with the development, planning and support of Combatant Command (CCMD) and Army directed exercises such as Gaining Cyber Dominance or other cyberspace engagements. Attend exercise-planning conferences (usually two (2) to three (3) per exercise), provide expert advice for development of planning documentation, participate during exercise events, and prepare After Action Reports (AAR) and lessons learned during all phases of supported exercises. A minimum of 12 exercises per year is expected to be performed in the theater. The total number of annual exercises is not expected to exceed 24. Exercises may be conducted in field conditions. During exercises contractor personnel may be required to billet in military barracks or tents and complete pre-deployment/theater specific plans and training to include, but not limited to, the following:

1. SERE 100
2. Country Threat Brief
3. Aircraft and Personnel Automated Clearance System (APACS)
4. Anti-Terrorism Training.

• Support Cyberspace Operations (CO) and DCO mission planning, mission analysis, and technical analysis. Develop and/or provide input to Operation Orders (OPORDs), CONOPs, and Courses of Action (COA) to support the Information Operations (IO) and DCO mission. The total number of annual mission planning events is not expected to exceed 24. This does not include exercise planning.

Network Services

Description of Services

• The RCC-E defends the European theater networks by providing secure operation of the Top Level Architectures (TLAs) and the Joint Regional Security Stacks (JRSS). The Contractor shall provide call-out support after core hours, 24 hours a day, seven days a week, and ensure that the network and services are available 99.9 percent of the time.

Contractor Managed Services

The Contractor shall:

• Remotely manage the TLA ACL configurations on each installation according to AR 25-2 and the Joint Technical Architecture (JTA). Currently there are 3 NIPRNET TLA configurations at multiple sites in Germany, such as Wiesbaden, RHN, and Stuttgart (to include AFRICOM).

• There are 4 SIPRNET and 2 CENTRIXS-ISAF (CX-I) TLA stacks. The number of TLA stacks (SIPRNET, NIPRNET, and CX-I) will change as the JIE evolves and global JRSS deployment is fully realized.

Manage Access Control Lists (ACL)

The Contractor shall:

• Make all ACL modifications to the TLA without disruption to service. If a disruption in service is expected to occur, an authorized outage status shall be requested and posted on NSS. Authorized outages must be approved or directed by government before they are executed.

• Provide support to the RCC-E Theater Cyber Operations & Integration Center (TCOIC) 24 hours a day, seven days a week, to troubleshoot outages and other network issues according to government policy and direction. Coordinate with the NETCOM Fusion Cell to resolve higher level outages.

• Maintain Access Control Lists (ACLs) and firewalls using Deny All Permit by Exception (DAPE).

• Manage, monitor, secure, and sustain such devices as security routers, switches, firewalls, and out-of-band (OOB) managers (terminal servers).

• Resolve incidents reported via Network Operations (NETOPS) Support System (NSS) trouble ticket.
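"Deny All, Permit by Exception" is a property of the whole rule list, not of any one rule, so it is worth checking mechanically before an ACL change is pushed to a TLA. Below is an added example (not part of the notice and not RCC-E tooling) that parses a deliberately simplified rule format and reports anything that contradicts DAPE: a blanket permit, a missing explicit final deny, or rules shadowed by an earlier catch-all. The rule syntax (`permit|deny proto src dst [eq port]`, with `any` or a CIDR prefix for addresses and `!` comments), the two constructed ACLs, and the choice to require an explicit `deny ip any any` as the last rule are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

NO_FINAL_DENY = "final rule is not an explicit 'deny ip any any'"


@dataclass
class Rule:
    lineno: int
    action: str            # permit | deny
    proto: str             # ip | tcp | udp | icmp ...
    src: str               # 'any' or a CIDR prefix
    dst: str               # 'any' or a CIDR prefix
    port: Optional[str]    # destination port after 'eq', if any


def parse_acl(text: str) -> List[Rule]:
    """Parse the simplified rule format assumed here (not a vendor syntax):
    <permit|deny> <proto> <src> <dst> [eq <port>]; '!' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: unrecognised rule: {raw!r}")
        action, proto, src, dst = parts[:4]
        port = parts[5] if len(parts) >= 6 and parts[4] == "eq" else None
        rules.append(Rule(lineno, action, proto, src, dst, port))
    return rules


def audit_dape(rules: List[Rule]) -> List[str]:
    """Return findings that contradict Deny All, Permit by Exception."""
    findings = []
    if not rules:
        return ["ACL is empty: no explicit deny-all is present"]
    last = rules[-1]
    if not (last.action == "deny" and last.proto == "ip"
            and last.src == "any" and last.dst == "any"):
        findings.append(NO_FINAL_DENY)
    catch_all_line = None
    for r in rules:
        if catch_all_line is not None:
            # Everything after an ip any/any rule can never match.
            findings.append(f"line {r.lineno}: unreachable, shadowed by catch-all rule on line {catch_all_line}")
            continue
        if r.action == "permit" and r.src == "any" and r.dst == "any" and r.port is None:
            findings.append(f"line {r.lineno}: 'permit {r.proto} any any' is a default-permit, not an exception")
        if r.proto == "ip" and r.src == "any" and r.dst == "any":
            catch_all_line = r.lineno
    return findings


# Constructed sample: a blanket permit placed ahead of the deny.
PERMISSIVE_ACL = """\
! permissive (constructed): the deny on the last line never fires
permit tcp 10.20.0.0/16 any eq 443
permit ip any any
deny ip any any
"""

# Constructed sample: only named exceptions, then deny everything.
DAPE_ACL = """\
! DAPE (constructed): specific exceptions, explicit final deny
permit tcp 10.20.0.0/16 198.51.100.10/32 eq 443
permit udp 10.20.1.53/32 198.51.100.53/32 eq 53
deny ip any any
"""

if __name__ == "__main__":
    for label, acl in (("permissive", PERMISSIVE_ACL), ("dape", DAPE_ACL)):
        print(label, audit_dape(parse_acl(acl)) or "OK")
```

The permissive sample produces two findings (the `permit ip any any` on line 3 and the unreachable deny on line 4); the DAPE sample produces none. An ACL with no final deny at all is reported as well, since relying on a device's implicit deny leaves nothing in the configuration to review or to log against.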

Virtual Private Network (VPN)

The Contractor shall:

• Operate the VPN concentrators in the TLAs and the JRSS.

• Manage public key infrastructure (PKI) certificates.

• Ensure correct routing of VPN traffic.

• Install, configure, monitor, secure, and sustain VPN devices.

• Monitor, troubleshoot, and resolve VPN related trouble tickets.

• Apply software releases and updates for VPN management, as required.

Network Design

The Contractor shall:

• Design networks that ensure proper redundancy.

• Create internal and external networks through use of the open systems interconnection (OSI) model and management of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack.

• Plan and implement procedures to monitor network telecommunications links and such hardware as routers, switches, and IDS.

• Install, configure, and operate devices such as routers, switches, content engines, and firewalls.

• Model and diagram networks utilizing current modeling/networking tools.

• Provide status of STIG compliance, remediation actions, and reports.

Transport Network (ATM/SONET/DWDM)

The Contractor shall:

• Provide onsite technical support and management of the installed ATM/SONET/Dense Wavelength Division Multiplexing–Optical Transport Network (DWDM-OTN) network.

• Manage and maintain the ATM/SONET/DWDM-OTN system to achieve 99.9% operational availability, escalating problems to the appropriate RCC-E POC and/or vendor technical support group for assistance as necessary.

• Provide advice and assistance to the Government for troubleshooting and general system operation.

• Provide technical assistance to maintain a 99.9% level of system availability.

• Provide the system administration for the ATM/SONET/DWDM rings and optical equipment.

• Operate network management systems; provision and configure equipment, troubleshoot, and fault isolate system malfunctions.

• Provide routine network software and hardware installation and replacement.

• Provide emergency replacement of failed or upgraded network components and provide on-site support if required.

• Provide network database backup and restore.

Enterprise Services

Support Cyber Security Service Provider Accreditation

• Support Cybersecurity Service Provider (CSSP) accreditation. Develop and maintain an automated library or repository of documentation validating compliance with CSSP accreditation requirements. CSSP evaluations are an on-site evaluation and validation of compliance with mandated CSSP requirements as outlined in DoDI 8530.1, Cybersecurity Activities support to DoD Information Network Operations and DOD O-8530.1-M, Department of Defense Computer Network Defense (CND) Service Provider Certification and Accreditation Program.

• Evaluate its compliance by using the current version of the DoD Cybersecurity Services Evaluator Scoring Matrix. CSSP accreditation requirements and the scoring matrix shall be reviewed biannually and SOPs and TTPs updated within five (5) working days of review, if necessary, to ensure SOPs and TTPs remain current and are in compliance with DoD, Army and local directives. Success of this task is measured through documented evidence of continuous improvement from the current maturity level to achieving the highest maturity level described in the DoD Cybersecurity Services Evaluator Scoring Metrics.

Exchange Messaging

• While USAREUR has migrated to DISA’s Enterprise Email on NIPRNET and SIPRNET, the RCC-E still maintains a small infrastructure of legacy servers on both networks. The supported COCOMs have not yet transitioned to Enterprise Email but will do so, and are also expected to have legacy infrastructure that must be supported. On the exercise and mission coalition networks, the RCC-E provides a full range of Exchange services to USAREUR. The Contractor shall manage, monitor, and secure the Enterprise Exchange e-mail system, which supports e-mail users in the USAREUR Forest. The Contractor shall provide spam and anti-virus protection, a public folder instance, e-mail forwarding to back-end servers at installations, mailbox service, and Outlook Web Access (OWA). The Contractor shall perform remote operation and maintenance of Exchange servers. The Contractor shall ensure the system is secure and operational 99.9 percent of the time.

The Contractor shall:

• Provide call-out support after core hours, seven days a week.

• Ensure connectivity to the Enterprise Exchange e-mail system.

• Coordinate with IA branch chief to ensure APC firewalls are configured to protect the Enterprise Exchange e-mail system.

• Monitor the Exchange e-mail systems daily to ensure consistent performance.

• Perform fault management, preventive maintenance, backup and recovery, and security administration.

• Provide Exchange application support, mobile user support, mail operation, and maintenance and service desk operations.

Active Directory

• The Active Directory Forest is comprised of approximately 160 domain controllers (DCs) (NIPR/SIPR/Coalition).

The Contractor shall:

• Ensure the USAREUR and supported COCOMs’ forests are secure and operational 99.9 percent of the time.

• Ensure network connectivity to all Domain Controllers (DCs) in AFRICOM, EUCOM, and USAREUR.

• Process configuration change requests.

• Manage, monitor, secure, and sustain the supported Active Directory Forests (NIPR/SIPR/Coalition).

• Perform initial configuration to meet the security requirements for each platform added.

• Monitor systems daily to ensure consistent performance.

• Provide weekly status reports on the operational environment to the COR.

Domain Name Service Management

The Contractor shall:

• Install, configure, manage, monitor, secure, and sustain DNS servers in accordance with existing policies and government guidance.

• Install all required operating system and security patches and scan servers, utilizing Retina, to ensure Information Assurance Vulnerability Alert (IAVA) compliance. Scans are run quarterly.

• Manage user accounts, network access control lists, and IP filter lists on DNS servers.

• Create and delegate domains, create and delegate networks, create and modify Mail Exchanger (MX), Canonical Name (CNAME), Name-to-address Mapping (A), and Address-to-name Mapping (PTR) records.

• Monitor, troubleshoot, and resolve assigned DNS related trouble tickets daily.

• Register and update network assignments with the Department of Defense (DOD) Network Information Center (NIC) and ensure that all networks being used by the RCC-E and its customers are properly registered.

• Assign and reclaim unused IP addresses for Army units and organizations in the USAREUR AOR.

• Interface with public sector Internet service providers (ISP) to answer questions regarding Army-managed IP addresses.

• Provide IP address usage statistical reports as required by mission needs and provide to the COR and section lead.
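The record-management bullet above pairs forward (A) and reverse (PTR) records, and in practice the two drift apart: a host is renamed, its A record updated, and the PTR in the reverse zone keeps the old name. The following added example (not part of the notice and not RCC-E tooling) checks a set of A and PTR records for that kind of inconsistency. The three-column `owner TYPE value` input format, the constructed records under example.net and the TEST-NET-1 range 192.0.2.0/24, and the restriction to IPv4 are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, value)


def fqdn(name: str) -> str:
    """Normalise a DNS name: lower-case with a single trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_records(text: str) -> List[Record]:
    """Parse 'owner TYPE value' lines (simplified zone syntax assumed here); ';' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, value = line.split()
        rtype = rtype.upper()
        if rtype == "A":
            ipaddress.IPv4Address(value)        # raises ValueError on a malformed address
        elif rtype == "PTR":
            value = fqdn(value)
        records.append((fqdn(owner), rtype, value))
    return records


def reverse_to_ipv4(rev_name: str) -> Optional[str]:
    """'10.2.0.192.in-addr.arpa.' -> '192.0.2.10'; None unless it is a full IPv4 reverse name."""
    labels = fqdn(rev_name).rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    ip = ".".join(reversed(labels[:4]))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def check_forward_reverse(records: List[Record]) -> List[str]:
    """Report A records with no PTR, PTRs naming the wrong host, and PTRs for addresses no A record uses."""
    a: Dict[str, Set[str]] = {}     # address -> owner names
    ptr: Dict[str, str] = {}        # reverse name -> target host
    for owner, rtype, value in records:
        if rtype == "A":
            a.setdefault(value, set()).add(owner)
        elif rtype == "PTR":
            ptr[owner] = value
    findings = []
    for ip, names in a.items():
        rev = fqdn(ipaddress.IPv4Address(ip).reverse_pointer)
        if rev not in ptr:
            findings.append(f"{ip}: A record for {sorted(names)} has no PTR {rev}")
        elif ptr[rev] not in names:
            findings.append(f"{ip}: PTR {rev} names {ptr[rev]}, not one of {sorted(names)}")
    for rev, target in ptr.items():
        ip = reverse_to_ipv4(rev)
        if ip is None or ip not in a:
            findings.append(f"{rev}: PTR -> {target} but no A record uses that address")
    return findings


# Constructed sample records (example.net, TEST-NET-1); one consistent pair and three defects.
SAMPLE_RECORDS = """
; forward zone (constructed)
ns1.example.net.   A    192.0.2.10
web.example.net.   A    192.0.2.20
mail.example.net.  A    192.0.2.30
; reverse zone (constructed)
10.2.0.192.in-addr.arpa.  PTR  ns1.example.net.
20.2.0.192.in-addr.arpa.  PTR  old-web.example.net.
40.2.0.192.in-addr.arpa.  PTR  db.example.net.
"""

if __name__ == "__main__":
    for finding in check_forward_reverse(parse_records(SAMPLE_RECORDS)):
        print(finding)
```

On the sample data the check reports the stale PTR for 192.0.2.20, the missing PTR for 192.0.2.30, and the orphaned PTR at 40.2.0.192.in-addr.arpa; ns1 passes. A mismatch is reported once, from the forward side, so the reverse-side pass only flags addresses that no A record uses at all.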

Area Processing Centers (APCs)

This enterprise establishes three APCs at key locations within USAREUR which provide support for consolidated applications to users across the theater, data warehousing, remote end-user IT services, and disaster recovery. All servers that provide an enterprise function are being consolidated at APCs or the installation level (bandwidth dependent) and placed in a server protected by an enterprise firewall.

The Contractor shall:

• Perform capacity and performance management.

• Perform access control and manage user accounts, passwords, and virtual local area networks (VLAN).

• Perform daily backups, implement system upgrades, and provide CM on all APC system and network devices.

• Install all required patches and scan servers, utilizing Retina, to ensure Information Assurance Vulnerability Alerts (IAVA) compliance on all APC systems and network devices. Scans are run quarterly.

• Manage and monitor trouble tickets daily.

• Provide weekly status reports on the operational environment to the COR.

• Provide expertise to maintain and expand the cluster management and Storage Area Network (SAN) technologies implemented in the APC to meet the evolving missions and requirements for USAREUR and supported COCOMs.

System Management (SysMan)

The Contractor shall:

• Configure, maintain, and monitor general purpose and critical computing assets through System Center Configuration Manager (SCCM) and System Center Operations Manager (SCOM).

• Monitor, operate, secure, and maintain 75 SYSMAN servers on the NIPR, SIPR, and CENTRIXS-ISAF networks. The Contractor shall monitor, operate, and maintain SCOM agents on over 200 Enterprise Servers.

• Maintain the Enterprise SCOM and SCCM application and Structured Query Language (SQL) databases.

• Troubleshoot and maintain connectivity between the Tier I Roll-Up server and the APC Tier II servers and the Enterprise Packaging Repository/Data Warehouse Reporting Tier 0 server.

• Provide support for troubleshooting SCCM Server Infrastructure issues, for example connectivity between sites, backlog of inboxes, management point issues, and distribution point issues.

• Schedule with RCC-E Network and Active Directory Teams to maintain proper Active Directory and subnet Site Boundaries for each site.

• Develop Custom Software Packages.

• Create, maintain, and deploy Army Gold Master (AGM) Desktop deployment images across the theater using the current Army/DOD Enterprise system (currently SCCM) Operating System Deployment.

• Identify unhealthy clients and create processes to self-heal clients (for example: cache size too small, assigned to wrong site, WUA errors).

• Develop and deliver pre-formatted and ad hoc reports, per mission requirements or the government Quality Assurance Evaluator through the COR, as supported by the GNEC tools administration interface(s).

Enterprise Management & Information Assurance (IA) Services

Enterprise Directory Services (EDS)

The Contractor shall support the mission of managing the EDS. The Contractor shall provide call-out support after core hours, seven days a week, and shall:

• Ensure network connectivity to the Enterprise Directory servers and that the TLA firewalls are configured to permit it.

• Perform daily monitoring to ensure consistent, optimal performance.

• Monitor and review all event logs.

• Provide Configuration Management support for Enterprise Directory Services.

• Install all required patches and scan servers, utilizing Retina, to ensure IAVA compliance. Scans are run quarterly.

• Manage, monitor and sustain SQL and Hub Active Directory.

• Provide weekly status reports on the operational environment to the COR.

Enterprise Security Monitoring

• Install and maintain network intrusion detection system components.

• Use and operate the current Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) tools, to be identified in Appendix – Services and Assets.

• Use a Security Information and Event Management (SIEM) tool (Government-provided; see Appendix – Services and Assets) to aggregate approximately 16 million security events per day from multiple sources, to include Snort, firewalls, proxies, routers, and system logs.

• Monitor real-time, correlated events for in-depth investigation and analysis.

• Monitor SIEM server status, and initiate necessary corrective action, for any problem identified.

• Provide systems backups. Full and incremental backups of operating systems and configurations are required on SIEM devices.

Emergency Management Modernization Program (EM2P)/Web-based Emergency Operations Center (WebEOC)

The Contractor shall provide all operation and maintenance services necessary to sustain the EM2P and/or WebEOC infrastructure and end user capability within the OCONUS Theater of operations. The Contractor shall install, operate, administer, and maintain the various network management and security monitoring systems, operating systems and network application systems related to EM2P and/or WebEOC and supporting infrastructure. The Contractor shall be fully knowledgeable and capable of providing operation and maintenance support for EM2P and/or WebEOC infrastructure to include managing the Information Assurance requirements. The Contractor shall perform all activities necessary to sustain user access and enclave capability.

Internal Services

The Contractor shall manage, monitor, and secure all internal systems of the Command and use the internal tools to be described in Appendix – Services and Assets.

Server and Workstation Support.

The Contractor shall provide support for internal servers and workstations within the RCC-E for which they have administrative responsibilities. This support includes hardware and software installation, Common Office Environment configurations, troubleshooting, scanning, patching, and backup and restoration of internal servers and workstations.

The Contractor shall:

• Perform hardware upgrades, software upgrades, apply security patches, apply recommended operating system (OS) patches, test and install desktop software, add user accounts, remove user accounts, provide system performance tuning, and perform backups and restorals.

• Scan workstations, utilizing the Assured Compliance Assessment Solution (ACAS), for IAVA compliance and general vulnerabilities monthly and after patch installation. Scans are run quarterly.

• Monitor, troubleshoot, and resolve server and workstation related trouble tickets.

• Monitor and maintain Exchange administrative/user groups for the RCC-E.

• Manage user accounts for NIPRNET and SIPRNET servers, systems, and Installation Support Module (ISM) applications.

• Provide a Subject Matter Expert (SME) for implementing, administering, and providing user guidance for Citrix applications and Thin Client architecture.

Enterprise Configuration Management/Service Level Management (CM/SLM)

The RCC-E manages identified configuration items (CI) throughout the theater and addresses all aspects of CM, to include configuration identification, configuration status accounting, and configuration audits. The Contractor shall update/modify the existing CM/SLM Plan. The Contractor shall support the CM process identified in the RCC-E CM/SLM Plan and shall make only approved changes to the RCC-E-managed network and associated devices. The Contractor shall document and track 99.9 percent of modifications using established tools.

The Contractor shall:

• Follow Government-established software/hardware baseline configurations to set up, maintain, and configure RCC-E mission support servers, associated client workstations, and peripherals.

• Operate and maintain the Configuration Management Database (CMDB) and prepare approximately 5 to 15 ad hoc reports per month for supported customers, or reports to the COR reflecting the status of the CMDB.

• Monitor requests for change (RFC) to identify potential new CIs or major changes to existing CIs.

• Provide COR accurate, timely information on CIs associated with the RCC-E mission.

• Maintain the RCC-E IP Address Space Management database.

• Recommend and implement changes to internal CM/SLM SOPs.

Cyber Security

The Contractor shall conform to Cyber Security requirements set forth in AR 25-2, AR 380-5, DoD Instruction 5200.40, and the DoD Risk Management Framework (RMF) to reduce the risk of security compromise to RCC-E systems and physical workspaces.

The Contractor shall:

• Verify personnel clearances through 2nd Signal Brigade, Deputy Chief of Staff, Intelligence (G2).

• Perform vulnerability scans monthly.

• Provide updates to the Government’s Alert and Vulnerability Tracking compliance database (currently VMS (Vulnerability Management System)), and enter data no later than prescribed suspense dates.

• Accredit new equipment in accordance with Defense Information Assurance Certification and Accreditation Process (DIACAP) procedures and develop Systems Security Authority Agreements (SSAA) and Authority to Operate (ATO).

• Develop and maintain RCC-E security SOPs per Army regulations/directives.

New Technology and Product Insertion

The Contractor shall maintain proficiency with current Information Technology (IT) as used in Army initiatives and standards.

The Contractor shall:

• Research candidate IT products for suitability and possible implementation. Determine availability through existing Government contracts.

• Present results of evaluation, which shall address cost and performance, to COR.


Infrastructure Support

The Contractor shall perform IT services that support the RCC-E IT infrastructure and Army Enterprise NETOPS Integrated Architecture (ANEIA).

The Contractor shall:

• Perform systems engineering for new RCC-E IT infrastructure systems.

• Participate in surveys for short- and long-term facilities requirements and provide draft implementation plans to COR.

• Maintain automated master RCC-E network physical and logical diagrams and associated databases.

• Provide internal hardware and software accountability support.

• Track scheduled outages for internal IT equipment and ensure adherence to RCC-E CM and authorized service interruption (ASI) policies.

• Research and recommend procurement of hardware and software to COR, and follow Government-established hardware baseline configurations.

Database Administration and Storage

The Contractor shall:

• Administer and maintain the Oracle and SQL Servers that support the RCC-E applications (refer to Appendix – Services and Assets).

• Provide SME in the design and maintenance of Oracle and SQL Databases to support the existing and future applications.

• Provide SME support to manage EMC and NetApp SAN and Network Attached Storage (NAS) storage/archiving devices, replication, storage allocation, fabric configuration, and Fibre Channel switches.

Network Management Systems Support

The Contractor shall:

• Administer and maintain the network monitoring systems (refer to Appendix – Services and Assets).

• Provide SME support in the design, maintenance, and modeling techniques and procedures (tools identified in Appendix – Services and Assets) that support the existing and future applications.

• Utilize the RCC-E’s Spectrum Network Management system and other related network tools to model and manage all networks within the RCC-E Area of Responsibility (AOR).

VoIP/VoSIP Support

The Contractor shall:

• Conduct Voice over Secured Internet Protocol (VoSIP) and Voice over Internet Protocol (VoIP) management to support the NETCOM and 2nd Signal Brigade mission and its supported customers. The Contractor shall provide IT support for the RCC-E, currently located at Funari Barracks, Mannheim, Germany; Wiesbaden, Germany; APC Kaiserslautern; and Grafenwoehr, and wherever 2nd Signal Brigade's mission dictates. The Contractor shall provide professional, competent, and dedicated on-site, off-site, and remote administration of the CallManager suites to sustain VoSIP and VoIP theater network services. CallManager suites for VoSIP and VoIP are located at Wiesbaden, APC Kaiserslautern, and APC Grafenwoehr. The number of CallManagers for each VoSIP and VoIP service will be dictated by the customer base and AOR. This IT support shall consist of remote Operations and Maintenance (O&M) of the CallManager suite systems and components, network configuration, and troubleshooting and maintenance of the systems. The Contractor shall provide personnel with the requisite training, experience, and skills to perform monitoring, operations, troubleshooting, and maintenance of assigned telecommunications, networking devices, and information systems.

Architecture and Development

The Contractor shall:

• Provide DCO Network Defense Architecture and Development during core hours (Monday – Friday, 0630hrs-1800hrs), and provide call out support as required.

• Make recommendations for software tool development or upgrade (which may include supported hardware) in support of internal defensive measures that narrow gaps within existing enterprise solutions. Develop software tools through computer programming, and reverse engineer software provided by other sources for possible re-utilization. Document all developed software tools; support, maintain, and improve tools developed and existing Government off the Shelf (GOTS) tools. Documentation shall include the identification of the attributes, capabilities, and characteristics of the application; the architecture and design documentation used in the design of the application and its components; technical documentation such as source code, interfaces, and APIs; and manuals for end users, system administrators, and support staff.

• At least twice annually, define current DCO posture and capabilities for supported networks, identify gaps with current DCO posture, generate a detailed analytical report for gaps found, and provide input to implementation plans. DCO posture and capabilities shall be based on event analysis, assessments, incident handling, and third party reporting. Design, document, and maintain the supported production, test, and laboratory networks.

• Upon request from RCC leadership, or for the purpose of meeting a specific content requirement, assess new technologies and devices relevant to DCO. Determine whether the technology or device will satisfy new threat defense requirements, positively enhance the analysis process and security posture of the network, integrate into existing DCO architecture tool sets, and be properly accredited and authorized for use in the AOR. Upon completion of the assessment, information briefs, white papers, and recommendations shall be provided to RCC leadership for final evaluation and determination of a course of action.

Security Monitoring, Detection and Analysis

Cyber Threat Analysis and Support

The Contractor shall:

• Provide Cyber Threat Analysis and Support during core hours (Monday – Friday, 0630hrs-1800hrs), and provide call out support as required. When notified of a requirement after core hours, the Contractor shall report to their designated place of duty and be prepared to support the requirement within two (2) hours of notification.

• Conduct cyber threat analysis and hunting, using proactive and iterative approaches to search all supported networks to detect and isolate advanced threats that may evade existing security solutions. Examine threat intelligence from DoD and public sources to identify threats that are relevant within the USAFRICOM and USEUCOM areas of operations. The information collected from research and cyber hunt missions shall be used to increase the likelihood of identifying advanced intruders and malicious software in supported networks. Cyber hunt missions shall include, but not be limited to, examining information systems, network devices, and endpoints for indicators of compromise and network activity through network artifacts including, but not limited to, network flow, packet analysis, and network device logs. The Contractor shall consolidate the research and results of the cyber hunt missions and produce cohesive products in accordance with requirement Deliverables. Cyber hunt research and mission results shall also be incorporated into Persistent Penetration Testing (PPT) missions and shared with RCC leadership, subscribers, and stakeholders.

• Provide DCO Network Security Monitoring, Detection, and Analysis 24 hours per day, seven (7) days per week.

• Analyze and correlate anomalous events identified in Security Information and Event Management (SIEM) systems, Big Data Analytics, and supporting devices/applications. Conduct open source research to identify commercial exploits or vulnerabilities (such as zero-days) requiring DCO actions. Produce concise analytical products, assessments, reports, and briefings that identify cyber threats and emerging trends and provide situational awareness and the status of DCO systems and tools. Identify current Army detection capabilities (Host Based Security System (HBSS), IDS/IPS) for new or potential threat activity. Develop host- and network-based signatures and coordinate with ARCYBER for global implementation. Report and facilitate the correction of issues with correlation tools and data feeds. Participate in the ARCYBER signature working groups and upload to the portal, allowing for signature development and standardization across all RCCs. Create, recommend, or refine TTPs in accordance with requirement Deliverables. The devices, applications, tools, and data include, but are not limited to, the following:

ESM SIEM solutions (for example ArcSight)

Army Computer Incident Database (ACID) and Joint Incident Management System (JIMS) Incident Management Systems

HBSS (Host Based Security Systems)

TCP Dump (tcpdump packet captures)

Attack, Sensing, & Warning Sensors (Snort, Full Packet Capture (PCAP), Flow data, Pipeline and Super Mediator)

Intrusion Prevention Systems (active, passive, anomaly- or behavior-based)

Router and firewall logs, Syslog data

Forward / Reverse Web Proxy logs

Analytics Application (example Splunk)

Netflow Data

• Analyze, correlate, and trend anomalous events and incidents to identify and characterize the threat or incident in such a manner that will:

• Identify the cause, source, and methodology of compromises and incidents.

• Identify and recommend network configuration changes in order to deter the existing threat.

• Configure and fine-tune detection and prevention devices and applications.

• Facilitate reporting and situational awareness to ARCYBER, DISA, CCMDs, and respective regional Theater Signal Commands.

• Facilitate reporting to Law enforcement and Counter-Intelligence investigation agencies.

• Follow ARCYBER Forensic & Malware Analysis (F&MA) Cyber Intrusion Analysis Program (CIAP) forensic and malware procedures for handling media during analysis and incident investigation activities. Ensure chain of custody is documented in accordance with established procedures.

• Update Incident Handling procedures, response guidelines, and checklists based on findings and lessons learned.

• Conduct exploratory and in-depth analysis of network traffic from security devices, analysis of host based audit logs, malware analysis, trending of incident reports, correlation of classified and open source threat reporting, and linkages/integration with other DCO agencies. Documentation shall include any identified advanced persistent threat that is currently not being detected through traditional means. Document the process (analysis techniques, tools, scripts used) identified, and develop a definable and repeatable process to facilitate further triage efforts and situational awareness.

Intrusion Detection system / Intrusion Prevention system (IDS/IPS)

The Contractor shall:

• Implement, administer, maintain, and configure approximately 50 threat sensors (for example, IDS/IPS) and five (5) sensor managers. Review current threat directives and recommendations. Support 24x7x365 threat sensor operations. Develop, test, and distribute threat sensor baseline signatures. Update baselines as necessary to minimize false positives. Review sensor signatures weekly for relevance and effectiveness.

• Validate signatures for proper syntax. Conduct all development and testing on Government-provided isolated networks. The Contractor shall ensure that 95 percent of all systems are monitored for operational status by Spectrum or the current system, that system failures are identified and reported to the Government Technical Monitor within two (2) hours, and that system failures are analyzed, mitigated, and restored within 12 hours of system failure or degradation.

Incident Response

Security Incident Response and Mitigation

The Contractor shall:

• Provide DCO Incident Response and Mitigation 24 hours per day, 7 days per week.

• Implement mitigation measures in response to general or specific Advanced Persistent Threats (APT) (attempted exploits/attacks and malware delivery) on the respective networks. This includes blocking/denying access by hostile sites or restricting access by specific ports/protocols and/or applications. Where the DCOD does not administratively control the sensor grid, make recommendations to the supporting operations and maintenance organization to take necessary action. If the mitigation action (internal defensive measure) requires approval by a Configuration Control Board (CCB) and/or Authorizing Official (AO), provide justification of the internal defensive measure and/or its operational impact (employed or accepted risk). If deemed appropriate (or as requested by the COR), the internal defensive measure may involve coordination of a Network Damage Assessment (NDA), Network Assistance Visit (NAV), or other form of Computer Defense Assistance Program (CDAP) activity. Conduct coordination with the appropriate team to support that effort.

• Execute critical blocks (within 2 hours of notification or detection “as determined based on the critical nature of the event”), to mitigate ongoing threat activity within respective AOR.

• Execute immediate (within 24 hours) action steps, “as determined based on the critical nature of the event”, to mitigate threat to networks.

• Coordinate with the appropriate RCC-E work centers, Theater Signal Command (TSC), and Department of Defense Information Network – Army (DODIN-A) staff as required for network configuration changes such as IP blocking.

• Enhance detection capabilities for the threat and enable Intrusion Prevention Sensors in blocking mode to deter threats.

• Develop, staff, coordinate, and execute Incident Response investigations for the operational environments (unclassified and classified), based on guidance provided by DCO-D and ARCYBER leadership. Investigations shall address each pre-determined category of incident (in accordance with Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510) detected (internally or externally reported); address priorities and types of internal defensive measures and potential mitigation strategies to be employed (acceptable level of risk); and include applicable aspects of the most current Cybersecurity Services Evaluator Scoring Matrix. The average number of incident response investigations opened on a monthly basis is 65.

Application Development and Support

DCO Application Development and Support

The Contractor shall:

• Provide DCO Application Development and Support during core hours (Monday – Friday, 0630hrs-1800hrs), and provide call out support as required. When notified of a requirement after core hours, the Contractor shall report to their designated place of duty and be prepared to support the requirement within two (2) hours of notification.

• Develop and maintain a test lab environment isolated from production and exercise networks. The intent of the test lab is for malware analysis and Open Source Intelligence gathering on threats.

• Analyze on average five (5) to seven (7) daily cyber threat reports and recommend internal defense measures for the respective theater. Develop, test, and distribute threat sensor baseline signatures. Update baselines as necessary, validate them for proper syntax, and minimize false positives. Review, activate, modify, or deactivate on average 100 sensor grid signatures monthly. Conduct all development and testing on isolated networks. Document and conduct a test plan with procedures, results, operational procedures, and a maintenance plan annually or as signatures are developed or updated.

• Develop and/or maintain software applications as required to meet internal organization requirements. Tools may be located on the following networks: NIPRNET, SIPRNET, or Joint Worldwide Intelligence Communications System (JWICS). The intent is to ensure integration of analyst tools in order to improve processes, communication, and information sharing within the respective Area of Responsibility (AOR) and across DCO stakeholders (for example, combatant commands (CCMD), Army Service Component Commands (ASCC), Theater Signal Commands, Signal Brigades, and Signal Battalions).

• Create and/or maintain an Incident Application used to document all incident investigation requirements and facilitate incident reporting through ARCYBER. The application must meet CJCSM 6510.01B and contain Army CERT Incident Database (ACID) data dictionary fields. The application must have query capabilities and output to facilitate reporting within the respective AOR.

• Develop and maintain up to three dashboards displaying all active incidents within each respective AOR as designated by the COR.

• Develop and maintain dashboards displaying specific Defensive Cyberspace Operations (DCO) items of interest (such as top 10 attackers, top 10 destinations, and top attack vector) in near real time.

• Provide, on internal analyst tools, at least the following capabilities:

1. Consolidate different data sources into a single view used to assess the status of a specific threat on the network.

2. Macros to support various tasks (for example, log analysis and updating of Snort rules).

3. Maintain a Master Station Log to document high-visibility incidents with their most current status, discuss DCO topics, share internal tasks between shifts, document call outs, and share any additional relevant instructions between shifts.

4. Where an enterprise solution (for example Remedy, ITSM, ArcSight, or SharePoint) is fielded and can meet DCO requirements, use of the enterprise solution is required. Development of applications within enterprise solutions may be required to meet DCO requirements.

5. Forensic & Malware Analysis (F&MA) Case Tracking database.

6. Malware Artifact Catalog interfaces/customization.

7. Rapid script development for various tools/OS/products.

8. Ticketing system integration with external ticketing systems.
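The IDS/IPS paragraph above and the application-support bullet both require that signatures be validated for proper syntax before a baseline is distributed. The block below is an added example, not code from this notice or from any RCC-E tool: a small validator for Snort-style text rules that checks the rule header, option termination and quoting, the required msg/sid/rev options, and duplicate sids across a baseline. The grammar it accepts is a deliberate simplification of the real Snort rule language, and the sample baseline is constructed.

```python
"""Syntax validator for Snort-style text signatures (added example).

Checks the rule header (action, protocol, addresses, ports, direction) and
the option block (balanced quotes, ';'-terminated options, required
msg/sid/rev, integer sid/rev) and rejects duplicate sids across a baseline.
It says nothing about detection quality; false-positive review is separate.
The accepted grammar is a simplification of the real Snort rule language.
"""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# header layout: action proto src_addr src_port direction dst_addr dst_port
HEADER_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$"
)
# any, a $VARIABLE, an optionally negated IPv4 address/CIDR, or a [list]
ADDR_RE = re.compile(r"^(any|\$\w+|!?\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?|!?\[[^\]]+\])$")
# any, a $VARIABLE, an optionally negated port or port range, or a [list]
PORT_RE = re.compile(r"^(any|\$\w+|!?\d{1,5}(:\d{0,5})?|!?\[[^\]]+\])$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def _split_options(body):
    """Split the option block on ';' outside double quotes.
    Returns (options, trailing_text, still_in_quote)."""
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # escaped char is kept verbatim
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return options, "".join(buf).strip(), in_quote


def validate_rule(rule):
    """Return a list of syntax errors for one rule line (empty list = OK)."""
    errors = []
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return errors                    # blank line or comment
    open_idx = rule.find("(")
    if open_idx < 0 or not rule.endswith(")"):
        return ["option block must be enclosed in ( ... )"]
    header, body = rule[:open_idx].strip(), rule[open_idx + 1:-1]
    m = HEADER_RE.match(header)
    if m is None:
        return ["header must be: action proto src sport direction dst dport"]
    if m["action"] not in ACTIONS:
        errors.append(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOCOLS:
        errors.append(f"unknown protocol {m['proto']!r}")
    for field in ("src", "dst"):
        if not ADDR_RE.match(m[field]):
            errors.append(f"bad address {m[field]!r}")
    for field in ("sport", "dport"):
        if not PORT_RE.match(m[field]):
            errors.append(f"bad port {m[field]!r}")
    options, trailing, in_quote = _split_options(body)
    if in_quote:
        errors.append("unbalanced double quote in option block")
    if trailing:
        errors.append(f"option not terminated by ';': {trailing!r}")
    keys = {}                            # option name -> list of values
    for opt in options:
        if opt:
            key, _, value = opt.partition(":")
            keys.setdefault(key.strip(), []).append(value.strip())
    for required in ("msg", "sid", "rev"):
        if required not in keys:
            errors.append(f"missing required option {required!r}")
    for key in ("sid", "rev"):
        for value in keys.get(key, []):
            if not value.isdigit():
                errors.append(f"{key} must be a positive integer, got {value!r}")
    for value in keys.get("msg", []):
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            errors.append("msg value must be a quoted string")
    return errors


def validate_ruleset(text):
    """Validate a newline-separated baseline; returns {line_no: [errors]} for bad lines."""
    report, seen_sids = {}, {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        errs = validate_rule(line)
        sid_match = SID_RE.search(line)
        if sid_match:
            sid = int(sid_match.group(1))
            if sid in seen_sids:
                errs.append(f"duplicate sid {sid} (first seen on line {seen_sids[sid]})")
            else:
                seen_sids[sid] = lineno
        if errs:
            report[lineno] = errs
    return report


# Constructed sample baseline: not a fielded signature set.
SAMPLE_BASELINE = """\
# constructed sample baseline
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example path"; flow:to_server,established; content:"/admin;x"; nocase; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS example"; content:"|00 01 00 01|"; sid:1000002; rev:2;)
alert tcp any any -> any 22 (msg:"last option unterminated"; sid:1000003; rev:1)
alrt tcp any any -> any 443 (msg:"typo in action"; sid:1000004; rev:1;)
alert tcp any any -> any 8080 (msg:"duplicate sid"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (content:"no msg or sid"; rev:1;)
"""
```

Running `validate_ruleset(SAMPLE_BASELINE)` reports lines 4 to 7 (unterminated option, misspelled action, duplicate sid, and missing msg/sid) and accepts the two well-formed rules, including the `;` that sits inside a quoted `content` value. A check like this belongs in the isolated test network step, before a baseline reaches the sensor managers.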

System Development Support

The Contractor shall:

• Apply software engineering efforts and programming support required to develop, implement, and maintain DCO custom software applications and hardware that will support diverse sets of disparate data and information sources.

• Support the building, testing, evaluation, operation, and security of hardware and software system prototypes that demonstrate potential design solutions to satisfy operational and functional requirements for Army Cyber Command. Also included is the performance of systems hardware and software integration and testing, to ensure total operational and functional compatibility with interfacing/interacting systems, subsystems, equipment, and computer programs.


Network Defense Penetration Testing and Evaluation

Conduct DCO CDAP Missions

The Contractor shall:

• Conduct Computer Defense Assistance Program (CDAP) missions in accordance with AR 380-53, Communications Security Monitoring. CDAP missions can be requested by the unit commander or the designated approving authority or can be directed by the ARCYBER DCS, G-3/5/7 or Cyber Security Service Provider (CSSP). CDAP consists of three mission types – Network Assistance Visits (NAV), Network Damage Assessments (NDA), and Persistent Penetration Testing (PPT).

• Network Assistance Visits. The Contractor shall assess a Post/Camp/Station (P/C/S) security enclave, using trend analysis to assist in prioritizing NAV visits. Conduct NAVs in accordance with established Best Business Practices (BBP), regulations, policies, and procedures, and as requested and approved by the COR. The Contractor shall conduct approximately 24 NAVs annually based on the COR's prioritization. A NAV consists of four phases:

a. Phase 1: Pre-coordination, Rules of Engagement, and in brief.

b. Phase 2: Network survey, technical support, custom training and assistance, and organizational repairs.

c. Phase 3: Penetration testing and verification.

d. Phase 4: Executive summary, out-brief, and final report. Findings from the NAV shall be used to produce follow-on information briefs, white papers, training requirements, and recommendations to the requesting command. Findings which indicate the current presence of an adversary shall be reported to government leadership immediately, with a formal write-up within 2 hours. Findings which could lead to a potential CAT I/CAT II shall be formally documented and reported in accordance with CJCSM 6510.01B and Commander's Critical Information Requirement (CCIR) requirements. The final report shall be provided within 30 days of the completion of the NAV.

• Network Damage Assessments. At the request of the COR, prepare an NDA team to travel to the incident location within four (4) hours of notification. The Contractor shall validate suspected compromises and identify the depth of intrusions to gain knowledge for use in mitigation, recovery, and future prevention of possible compromises. The Contractor shall use the results of each (on-going) assessment to determine the best method of mitigation or continued monitoring. The Contractor shall report findings which indicate the current presence of an adversary to government leadership immediately, with a formal write-up within two (2) hours. Findings which could lead to a potential CAT I or CAT II shall be formally documented by the Contractor and reported in accordance with CJCSM 6510.01B and CCIR requirements. During an NDA, the Contractor shall provide verbal updates to the Government Lead every two (2) hours that cover the progress, immediate findings, or issues. The Contractor shall provide a formal report to the network/systems owner or the Authorizing Official (AO) and the Information Systems Security Manager within 5 business days of the completion of an NDA. The assessment shall consist of:

(1) Gathering host logs from compromised system(s)

(2) Conducting on-site scans with an anomaly detection tool to determine width of incident

(3) Incident handling on-site for newly identified compromised systems

(4) Assist on-site administrators with securing affected network(s)

(5) Assist in clean up as required

(6) Provide daily updates on situational awareness to leadership/pertinent agencies

(7) Prepare final Network Damage Assessment report

(8) Publish and maintain Network Damage Assessment TTPs in accordance with requirement Deliverables.

(10) Coordinate Network Damage Assessment efforts with Army Cyber Command and affected organizations.

• Persistent Penetration Testing (PPT). The Contractor shall conduct PPTs at least monthly, or more frequently as required by the COR, on all supported networks. PPTs shall be used as a tool to increase awareness of security issues or to test intrusion detection and response capabilities, to include but not be limited to verifying that deployed signatures are functioning properly. PPTs shall use attacking methods, such as adversary TTPs, similar to those used by hostile intruders or hackers. The Contractor shall execute tactical overwatch operations and network surveillance of the Department of Defense Information Network – Army to conduct open network testing. Verify network deficiencies by identifying potential weaknesses and circumventing the defensive posture to gain access to the network, and recommend mitigation actions. Contractor personnel conducting penetration testing are required to have a thorough understanding of Federal Information Processing Standards Publication (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Evaluate new Penetration Testing TTPs (new tool usage or adversary TTP) as required for inclusion on the approved Penetration Tools list. Maintain and document training and use of all vetted Penetration Testing (PT) tools. Results and outcomes shall be documented and reported in accordance with requirement Deliverables.

• Conduct Web Assessments of all registered public-facing web sites, approximately five (5) in the theater. The Web Assessment shall be conducted at least annually or as required by the COR, using approved CDAP tools. The Contractor shall analyze the results to rule out false positives prior to sending the web assessment report to the site for remediation. The Contractor shall ensure the maximum number of adversary attack vectors are addressed, but at a minimum address Cross-Site Scripting, SQL injection, embedded passwords, and common port vulnerabilities. The Contractor shall provide site owners with remediation assistance if necessary.

Forensic and Malware Analysis

Forensic and Malware Analysis in Support of DCO

The Contractor shall:

• Provide DCO Forensic & Malware Analysis support during core hours (Monday – Friday, 0630hrs-1800hrs), and provide call out support as required. When notified of threat activity after core hours, the Contractor shall report to their designated place of duty and be prepared to support the threat within two (2) hours of notification.

• Conduct tactical live box and memory forensics analysis to acquire RAM, unencrypted files, and other pertinent data in support of incident response and cyber hunt operations. Create and edit custom forensic surveys to adapt to terrain and adversaries. Additionally, provide dead box analysis support as required by ARCYBER.

• Examine malicious software/capabilities to identify the nature of the threat; reverse-engineer the compiled executable code to examine how the program interacts with its environment. Analyze collected media for DCO value to understand adversary technical capabilities and Tactics, Techniques and Procedures (TTP) methods of employment. Analyze the attack/exploit capability of the software, and document and catalog findings for future correlation. Provide all pertinent findings to personnel responsible for the development of signatures capable of detecting the analyzed malware as it propagates on infected systems. Contractor employees must be able to obtain forensically sound images to identify suspicious/malicious files, all intrusion-related artifacts, and entry points/attack vectors. Contractor employees shall possess strong experience with obtaining forensically sound images of, but not limited to, workstations, servers, laptops, flash devices, removable media, cell phones, Redundant Array of Independent Disks (RAID), and virtual systems. Develop necessary procedures or scripts to identify such data. Work and interact with other DCO professionals internal to Army Cyber Command, with Law Enforcement and Counter Intelligence LNOs, and with intelligence professionals as a technical specialist to understand higher-level adversary capability.

• Collect, preserve, and transfer forensic evidence of unauthorized access on a military/partner network, device, or information system. Analyze forensically sound images to identify suspicious/malicious files, all intrusion-related artifacts, and entry points/attack vectors. Develop necessary procedures or scripts to identify such data. Work and interact with other DCO professionals internal and external to Army Cyber Command, with Law Enforcement and Counter Intelligence LNOs, and with intelligence professionals as a technical specialist to understand higher-level adversary capability. Document, update, and enhance processes and procedures by producing training materials, standards documents, and reports. Contractor employees shall possess exceptional knowledge, experience, and certifications with commercial computer forensic tools including, but not limited to, EnCase Forensic, EnCase Enterprise/Cybersecurity, AccessData Forensic Tool Kit (FTK), AccessData Lab, or the current forensic tool. Contractor employees shall have strong working knowledge and experience with all Windows OS platforms including, but not limited to, Windows 7, Windows 8, Windows 10, Windows 2008 Server, Windows 2012 Server, or the current OS platform. Contractor employees shall have working knowledge and experience with varying flavors of Unix/Linux platforms and Apple-based operating systems.

• Document, update, and produce the final forensic and malware report, and submit it to ARCYBER F&MA for substantiation prior to final and official declaration. Contractor employees shall possess exceptional knowledge and experience with commercial binary analysis tools including, but not limited to, the IDA Pro disassembler and OllyDbg. Contractor employees shall have familiarity with additional analysis tools including, but not limited to, IceSword, Procmon, and Analyst's Notebook. Contractor employees shall be proficient and have experience with computer languages including, but not limited to, Assembly, C, C++, Perl, Java, and Python.

Asset Management

Service Asset and Configuration Management (SACM)

The Contractor shall:

• Apply engineering and analytical disciplines to identify, document, and verify the functional, performance, and physical characteristics of systems and associated systems, to control changes and nonconformance, and to track actual configurations of systems and platforms. The Contractor shall provide support that includes all activities related to configuration management (CM) planning, baseline management, configuration identification, configuration audits, formal reviews, engineering changes, and configuration management records and reports, and the use of automated tools to perform these functions. TTPs and SOP documentation shall be synchronized and incorporated into the CM process. CM records shall be maintained in compliance with the supported network architecture. Installation, change, and repair history shall be tracked via Remedy Information Technology Service Management (ITSM) or as required in accordance with the approved SACM Process Plan and SOP. The Contractor shall configure and maintain lab environments to support testing for Computer Network Defense (CND) applications, device configuration, and training of analysts. The Contractor shall ensure that 95 percent of DCOD hardware, software, and network infrastructure are covered by a valid accreditation in accordance with the DoD Risk Management Framework and are entered into the Configuration Management Database (CMDB). The Contractor shall maintain a 95 percent uptime rate for CND Lab environments used for testing, training, and other CM functions.

• Coordinate with peer DCODs to develop and maintain tool standardization in accordance with U.S. Army Network Enterprise Technology Command (NETCOM) policies.

• Conduct SACM activities within the scope of the RCC SACM Management Policy, Plan, and SOP. The objective of SACM is to define and control the infrastructure and to maintain accurate configuration information on the historical, planned, and current state of service assets and configuration items. The SACM process covers service assets across the whole service lifecycle, provides a complete inventory of assets, and, in conjunction with Change Management, is responsible for their control. This includes full lifecycle management of IT from the point of planning, acquisition, deployment, and maintenance through to retirement or disposal. There are approximately 500 assets which require service asset and configuration management.

• Draft biannually, for Government approval, a technology refresh plan which contains equipment that is six months from End of Life (EOL) or End of Support (EOS). Submit to the COR in accordance with the requirement Deliverables.

• Perform at least a 10% monthly audit of DCOD assets, compare configuration records against the infrastructure, and resolve discrepancies. Report any discrepancies that cannot be resolved without investigation to the COR.

• Provide the RCC all DCO-managed hardware/software assets for inclusion in the RCC NIPRNet and SIPRNet CMDB. Provide updates to assets in accordance with the local Change Management process plan.

• Provide the RCC with software assets for inclusion in the Definitive Software Library (DSL) in accordance with the CM or SACM plan.

Change Management

The Contractor shall:

• Conduct Change Management activities within the scope of the Change Management Policy, Plan, and SOP. Approximately 50 changes are made annually.

• Record and accept all Requests for Changes (RFC), and review records for completeness. Relate RFCs to Configuration Items (CI).

• Properly schedule and coordinate each RFC. Build, test, implement, and verify each RFC.

• Analyze all changes and identify areas for improvement with unsuccessful RFCs.

Automated Information System Management

• Maintain baseline images for all Automated Information Systems (AIS) and network devices in accordance with the DoD/Army baseline configuration. The Contractor shall ensure all systems are configured to the minimum security baseline in accordance with AR 25-2 and local policy. All systems shall be built using the Army Gold Master baseline image provided by the local Regional Cyber Center (RCC) or supporting Theater Signal Command (TSC) / Signal Brigade. The Contractor shall operate and maintain servers and perform log analysis, error detection, fault correction, backups, and restoration procedures. The Contractor shall perform startup and shutdown of the systems as required and, with prior Government coordination, build, configure, patch, and upgrade servers, network devices, workstations, portable desktops, laptop computers, operating systems, and server applications as required, following Security Technical Implementation Guides (STIGs). The Contractor shall maintain all systems with current antivirus and vendor patches, and shall comply with Defense Information Systems Agency (DISA) Vulnerability Management System (VMS) or equivalent reporting requirements. The Contractor shall ensure compliance with STIGs and ensure applicable Information Assurance Vulnerability Management (IAVM) alerts and bulletins are applied prior to the suspense date. System Center Configuration Manager or a current equivalent shall be used to apply patches and IAVM fixes to computers attached to the network. The Contractor shall assist with the preparation of the documentation required to accredit all Information Systems in accordance with AR 25-2 and DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), and shall submit that documentation to the Information Systems Security Manager (ISSM).

• Scan, or coordinate scanning of, at least 95% of the systems using Assured Compliance Assessment Solution (ACAS) or a DoD-approved equivalent on a monthly basis, or as directed to meet Army/DoD requirements. The contractor shall conduct bi-annual Security Content Automation Protocol (SCAP) scans on 100% of the systems. The Contractor shall remediate Category (CAT) 1 vulnerabilities within seven (7) working days of discovery and CAT 2 findings within 30 working days of discovery, or as required by the COR. The Contractor shall prepare a Plan of Actions and Milestones (POA&M) within one (1) business day of discovery for remediation of findings that cannot be completed within the specified timeframes. Record all scans and actions taken, including POA&Ms and mitigation plans, in VMS (or equivalent).

DCO Theater Cyber Operations and Integration Center (TCOIC)/Watch Floor Operations Support

This work is required to be performed from 0630 to 1800 hrs, Monday to Friday. When notified of a requirement after core hours, the contractor shall report to their designated place of duty and be prepared to support the requirement within two (2) hours of notification.

The Contractor shall:

• Be experienced in security or network technology (Unix/Windows OS, Cisco/Juniper routing and switching) within a hands-on design / implementation / administration role. The Contractor shall demonstrate in-depth knowledge of TCP/IP protocol implementations for all common network services, in addition to a demonstrated capability to perform network packet analysis and anomaly detection.

• Provide situational awareness between the TCOIC Watch Floor leadership and DCOD leadership to include but not limited to incident management, authorized service interruptions, DCOD activities, and DCOD policy or process development. Provide reporting to maintain situational awareness of DCOD operations as required by TCOIC and DCOD leadership.

• Coordinate CCIR / Friendly Forces Information Requirements (FFIR) in response to IT security incidents and events within a tiered Regional Cyber Center following TCOIC / Watch Floor guidelines and processes. The Contractor shall analyze, resolve, and report security incidents and events to the TCOIC in accordance with established RCC-E policies and procedures.

• Provide liaison support to the TCOIC Watch Floor leadership for all DCO missions. The Contractor shall research, analyze, and create products/reports to provide current situational awareness of ongoing DCO activities, policy implementation, or process development.

• Provide recommendations to threat mitigation strategies and report findings to RCC-E, DCOD and TCOIC/Watch Floor leadership. The Contractor shall be aware of current threats and activity trends on DoD, Army, other government and commercial networks.

• Employ effective web, RCC-E incident handling application, email, and telephonic communications to clearly manage and coordinate security incident response procedures.

• Monitor ongoing official chat communications, such as EUCOM, ACOIC, AFRICOM, USAREUR, USARAF, and DISA EOC chat channels and coordinate events that include cyber incidents (CCIR/FFIRs), sensor status, sensor outages, and higher level tasks.

• Serve as the primary focal point and provide DCO liaison support for visiting and supported DoD agencies and Army units such as, but not limited to, Cyber Protection Teams operating within the USAFRICOM and USEUCOM areas of operations.

• Perform routine event reporting to include trend reporting and analysis.

If your organization has the potential capacity to perform these contract services, please provide the following information:

(1) Organization name, address, email address, Web site address, telephone number, and size and type of ownership for the organization.

(2) Tailored capability statements addressing the particulars of this effort, with appropriate documentation supporting claims of organizational and staff capability. If significant subcontracting or teaming is anticipated in order to deliver technical capability, organizations should address the administrative and management structure of such arrangements.

The Government will evaluate market information to ascertain potential market capacity to:

(1) Provide services consistent, in scope and scale, with those described in this notice and otherwise anticipated.

(2) Secure and apply the full range of corporate financial, human capital, and technical resources required to successfully perform similar requirements.

(3) Implement a successful project management plan that includes: compliance with tight program schedules; cost containment; meeting and tracking performance; hiring and retention of key personnel and risk mitigation.

(4) Provide services under a performance-based service acquisition contract.

SPECIAL REQUIREMENTS:

Contract Personnel – Employee Qualifications

The contractor shall retain personnel with management, technical and engineering knowledge, skills, expertise and experience needed to accomplish performance of work under this contract. The contractor shall provide personnel with a level of knowledge, skills, abilities and aptitude in IT services to support the requirement Deliverables, and to obtain IT certification for the work they will be performing. Minimum certification requirements are as stated in Appendix – Position Requirements, and shall be required at the start of the contract.

The Contractor shall ensure its CSWF members have the baseline certifications corresponding to their Cyber Security functions, as defined in Chapters 3, 4, 5, 10, and 11, and Appendix 3 of DoD 8570.01-M at work performance start date. Contractors shall obtain all required Computing Environment (CE) certificates within 6 months of work start unless specified otherwise in the contract. The IAT Level I baseline certification is the minimum requirement for unsupervised privileged access at the RCC-E enterprise level. Contractor certification holders shall ensure that their certificates remain active and are renewed prior to expiration.

Technical Expert Status Accreditation (TESA)

All Contractor personnel fall under the Status of Forces Agreement (SOFA) with Germany once they are approved for TESA. German government approval is required for all personnel working in Germany for more than 90 calendar days per 12-month period. When individuals are approved for TESA, Contractors will be entitled to the logistical support provided in USAREUR Regulation 600-700 and its supplements. Contractor employees working under this contract shall fluently speak, read and write English. The minimum Security Clearance for Contract personnel performing on this requirement will be SECRET.

Facility Clearance

The Contractor shall possess and maintain a TOP SECRET facility clearance from the Defense Security Service. Contractor personnel performing work in support of DCO requirements under this requirement must have an active TOP SECRET, Sensitive Compartmented Information (SCI) clearance, with a Single Scope Background Investigation (SSBI) adjudicated by the Defense Industrial Security Clearance Office (DISCO), and must maintain the level of security required for the life of the contract. All other Contractor employees are required to have a SECRET security clearance with a Single Scope Background Investigation (SSBI) for suitability determination. The Contractor shall have a trained Facility Security Officer (FSO) responsible for ensuring compliance with the Contract Security Classification Specification, DD Form 254, and implementation of the applicable provisions of the National Industrial Security Program Operating Manual (NISPOM), DOD 5220.22-M.

Note: Clearance eligibility will not suffice; the Contractor must actually hold the clearance at contract award.

ELIGIBILITY

The Applicable North American Industry Classification System (NAICS) Code for this requirement is 517919 – All Other Telecommunications, with a size standard of $32.5. The Product Service Code is D316 – IT and TELECOM – TELECOMMUNICATIONS NETWORK. Businesses of all sizes are encouraged to respond; however, each respondent must clearly identify their business size in their capabilities statement.

ADDITIONAL INFORMATION AND SUBMISSION DETAILS (CAPABILITIES STATEMENT)

The following attachments are attached for review:
Attachment Appendix – Services and Assets
Attachment – Deliverables
Attachment – Position Requirements

Interested parties are requested to submit a capabilities statement of no more than twenty-five (25) pages in length in Times New Roman font of not less than 10 pitch. The deadline for response to this request is no later than 1100 hours Mountain Standard Time (MST), 20 November 2017. All responses under this Sources Sought Notice must be e-mailed to Ms. Wendy S. Alameda-Clark at wendy.s.alameda-clark.civ@mail.mil and the Contracting Officer, Ms. Elizabeth (Chrissy) Woodson, at elizabeth.c.woodson.civ@mail.mil.

Documentation must address at a minimum the following items.

(1) What type of work has your company performed in the past in support to the same or similar requirement?

(2) Can or has your company managed a task of this nature? If so, please provide details.

(3) Can or has your company managed a team of subcontractors before? If so, provide details.

(4) What specific technical skills does your company possess which ensure capability to perform the tasks?

(5) Please note that under a Small-Business Set-Aside, in accordance with FAR 52.219-14, the small business prime must perform at least 50% of the work themselves in terms of the cost of performance. Provide an explanation of your company’s ability to perform at 50% of the tasking described in this Sources Sought Notice for the base period as well as the option periods.

(6) Provide a statement including current small/large business status and a company profile to include number of employees, annual revenue history, office locations, DUNS number, etc.

(7) Respondents to this notice must also indicate whether they qualify as a Small, Small Disadvantaged, Women-Owned, HUBZone, or Service-Disabled Veteran-Owned Small Business Concern.

The estimated period of performance consists of a base year to include a Phase-In period of sixty (60) days with four (4) one-year option periods with performance commencing in FY 18.

The contract type is anticipated to be a single-award Contract with Cost Plus Firm-Fixed-Fee (CPFF) Labor and "Other Than Direct" ("ODCs", "COST") Contract Line Item Numbers (CLINs) and corresponding Subline Item Numbers (SLINs).

The Government requests that the following information be provided in addition to the above requested minimum documentation:

1. Comments on the appropriateness of the anticipated NAICS code.

2. Comments on the appropriateness of the anticipated contract type, i.e. single award versus multiple-award ID/IQ.

3. Comments on the appropriateness of the anticipated CPFF Labor with Cost ODCs.

4. Comments on the appropriateness of the anticipated contract length of five (5) years: one (1) Base Year with a sixty (60) day phase-in period and four (4) one-year Option periods.

5. Although this requirement will be performed entirely outside of the United States and FAR 19.000(b) exempts this acquisition from utilizing small business goals, 13 CFR 125.2, paragraph (a) General, states: "the objective of the SBA's contracting programs is to assist small business concerns, including 8(a) BD Participants, HUBZone small business concerns, Service-Disabled Veteran-Owned Small Business Concerns, Women-Owned Small Businesses and Economically Disadvantaged Women-Owned Small Businesses, in obtaining a fair share of Federal Government prime contracts, subcontracts, orders, and property sales." Can or has your company managed a team of subcontractors before? If so, provide details.
• If your company were to use subcontractors in order to deliver technical capability, how would you utilize small business? Please address the administrative and management structure of such arrangements.
• What percentage of work for this requirement could feasibly be subcontracted out? To small business? To large business?
• How would subcontracting opportunities for small business be determined? By function? By location? Other?
• Given the fact that this requirement spans more than one location, how would your company manage its subcontractors?
• Given that this requirement will be performed entirely OCONUS, is there any type of special support your company would need to provide to subcontractors who are small businesses?
• Would having socio-economic subcategory goals (e.g. SDB, WOSB, EDWOSB, VOSB, SDVOSB, HUBZone, etc.) be feasible? Why or why not?

6. Would you recommend this requirement be structured as an Incentive Contract? If yes, what type of incentive and what measurement metric would you suggest? Would a monetary amount, or an award term beyond five (5) years, be more motivating/effective for this type of service? Why or why not?

7. Do you feel the requirement is mature enough and defined enough to fix-price some efforts, and if it were, what risk would that pose to industry?

9. Is there any innovation or change to industry standards related to O&M of network equipment?

Upon evaluation of the capability statements, if it is determined that this requirement will be an unrestricted competition, the Government intends to evaluate the Small-Business responses and conduct further market research to identify a subcontracting goal.

All data received in response to this Sources Sought that is marked or designated as corporate or proprietary will be fully protected from any release outside the Government.

No phone calls will be accepted.

All questions must be submitted to the Contract Specialist identified in this notice. The Government is not committed nor obligated to pay for the information provided, and no basis for claims against the Government shall arise as a result of a response to this Sources Sought.

Additional Info:

We reiterate, this announcement is not a request for proposals, nor is the technical capability statement to be a proposal. No reimbursement will be made for any costs associated with providing information in response to this Sources Sought or any follow-up information requests.

Note: Only the stated reference material listed within this notice will be made available to industry at this time.
Response Date:
112017

Sol Number:
W91RUS-18-R-DA02