Type of document: Contract Notice
Country: United States
CCTV connectivity T1 line
Agency:
Department of Homeland Security
Official Address:
601 S. 12th Street
TSA-25, 10th Floor Arlington VA 20598
Zip Code:
20598
Contact:
Peter S Larsen, Contracting Officer, Phone 202-380-8955, Email peter.s.larsen@tsa.dhs.gov
Link:
Date Posted:
28/02/2018
Classification:
60
Contract Description:
1.0 General Requirement Information
The Transportation Security Administration (TSA) has a requirement for monthly connectivity service for CCTV-Ethernet transport with RJ-45 handoff at the Honolulu International Airport (HNL) on a firm fixed price purchase order. This is a total small business set-aside and the applicable NAICS code is 517110 with a small business size standard of 1,500.
2.0 Description of service
The contractor shall provide a minimum 25 Mbps connectivity for the data lines. The connectivity shall support the CCTV real time coverage continuously. The locations and Circuit Numbers for the T1 lines are as follows:
Location: 400 Rodgers Blvd, Honolulu
Acct#: 200000000638042
Circuit ID: 15.KQGS.400177..HAWT
Location: 3375 Koapaka St, Honolulu
Acct#: 200000000638068
Circuit ID: 15.KQGS.400176..HAWT
All services, hardware and/or software provided under this task order must be compliant with DHS 4300A DHS Sensitive System Policy Directive, DHS 4300A Sensitive Systems Handbook., TSA MD 1400.3 Information Technology Security Policy, TSA IT Security Policy Handbook and Technical Standards. Anticipated period of performance is from 3/11/2018 to 3/10/2019 with an additional option year.
This Transportation Security Administration (TSA) guidebook provides program office personnel Information Assurance (IA) requirements for the acquisition of the delivery and or development of information technology (IT) related services. The IA requirements identified in this guide are required to protect against cyber and physical threats aimed at federal government personnel, US critical infrastructure, property and information. All listed clauses and requirements should be included with all IT Delivery and Development acquisitions.
Information Assurance Requirements for TSA Government Acquisitions (April 2016)
A. General Security Requirements
A.1. The Contractor shall comply with all Federal, Department of Homeland Security (DHS) and Transportation Security Administration (TSA) security and privacy guidelines in effect at the time of the award of the contract, As well as those requirements that may be discretely added during the contract.
A.2. The Contractor shall perform periodic reviews to ensure compliance with all information security and privacy requirements.
A.3. The Contractor shall comply with all DHS and TSA security controls to ensure that the GovernmentтАЩs security requirements are met. These controls are described in DHS PD 4300A and TSA MD 1400 series security policy documents and are based on the current National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 standards.
A.4. The Contractor shall include this guidance in all subcontracts at any tier where the subcontractor is performing the work defined in this statement of work (SOW).
A.5. The Contractor shall ensure all staff have the required level of security clearance commensurate with the sensitivity of the information being accessed, stored, processed, transmitted or otherwise handled by the System or required to perform the work stipulated by the contract. At a minimum, all Contractor staff shall be subjected to a Public Trust background check and be granted a Public Trust clearance before access to the System or other TSA resources is granted.
A.6. The Contractor shall sign a DHS Non-Disclosure Agreement (NDA) within (30) calendar days of the contract start date.
A.7. The Contractor shall not release, publish, or disclose agency information to unauthorized personnel, and shall protect such information in accordance with the provisions of the pertinent laws and regulations governing the confidentiality of sensitive information.
A.8. The Contractor shall ensure that its staff follow all policies and procedures governing physical, environmental, and information security described in the various TSA regulations pertaining thereto, and the specifications, directives, and manuals for conducting work to generate the products as required by this contract. Personnel shall be responsible for the physical security of their area and government furnished equipment (GFE) issued to the contractor under the terms of the contract.
A.9. The Contractor shall make all system information and documentation produced in support of the contract available to TSA upon request.
B. Training Requirements
B.1. All Contractor employees, requiring system access, shall receive initial Organizational Security Fundamentals Training within 60 days of assignment to the contract via the Online Learning Center (OLC). Refresher training shall be completed annually thereafter.
B.2. The Contractor shall complete annual online training for Organizational Security Fundamentals and TSA Privacy training.
B.3. Role Based training is required for contract employees with Significant Security Responsibility (SSR), whose job proficiency is required for overall network security within TSA, and shall be in accordance with DHS and TSA policy. The contractor will be notified if they have a position with significant security responsibility.
B.4. Individuals with SSR shall have a documented individual training and education plan, which shall ensure currency with position skills requirements, with the first course to be accomplished within 90 days of employment or change of position. The individual training plan shall be refreshed annually or immediately after a change in the individualтАЩs position description requirements.
B.5. Information Secuirty and Privacy training supplied by the Contractor shall meet standards established by NIST and set forth in DHS and TSA security policy.
B.6. The Contractor shall maintain a list of all employees who have completed training and shall submit this list to the contracting officer representative (COR) upon request, or during DHS/TSA onsite validation visits performed on a periodic basis.
B.7. The contractor shall its employees review and sign the TSA Form 1403 Computer and Wireless Mobile Device Access Agreement (CAA) prior to accessing IT systems.
C. Configuration Management (hardware/software)
C.1. Hardware or software configuration changes shall be in accordance with the DHS Information Security Performance Plan (current year and any updates thereafter), the DHS Continuous Diagnostics and Mitigation (CDM) Program to include dashboard reporting requirements and TSAтАЩs Configuration Management policy. The TSA Chief Information Security Officer (CISO)/Information Assurance and Cyber Security Division (IAD) shall be informed of and involved in all configuration changes to the TSA IT environment including systems, software, infrastructure architecture, infrastructure assets, and end user assets. The TSA IAD POC shall approve any request for change prior to any development activity occurring for that change and shall define the security requirements for the requested change. The COR will provide access to the DHS Information Security Performance Plan.
C.2. The Contractor shall ensure all application or configuration patches and/or Requests for Change (RFC) have approval by the Technical Discussion Forum (TDF), Systems Configuration Control Board (SCCB) and lab regression testing prior to controlled change release under the security policy document, TSA Management Directive (MD) 1400.3 Information Technology Security and TSA Information Assurance (IA) Handbook, unless immediate risk requires immediate intervention. Approval for immediate intervention (emergency change) requires approval of the TSA CISO, SCCB co-chairs, and the appropriate Operations Manager, at a minimum.
C.3. The Contractor shall ensure all sites impacted by patching are compliant within 14 days of change approval and release.
C.4. The acquisition of commercial-off-the-shelf (COTS) Information Assurance (IA) and IA-enabled IT products (to be used on systems entering, processing, storing, displaying, or transmitting тАЬsensitive informationтАЭ) shall be limited to those products that have been evaluated and validated, as appropriate, in accordance with the following:
тАв The NIST FIPS validation program.
тАв The National Security Agency (NSA)/NIST, National Information Assurance Partnership (NIAP) Evaluation and Validation Program.
тАв The International Common Criteria for Information Security Technology Evaluation Mutual Recognition Agreement.
C.5. US Government Configuration Baseline and DHS Configuration Guidance
a) The provider of information technology shall certify applications are fully functional and operate correctly as intended on systems using the US Government Configuration Baseline (USGCB) and in accordance with DHS and TSA guidance.
1. USGCB Guidelines:
a.
2. DHS Sensitive Systems Configuration Guidance
a.
b) The standard installation, operation, maintenance, updates and/or patching of software shall not alter the configuration settings from the approved USGCB configuration. The information technology shall also use the Windows Installer Service for installation to the default тАЬprogram filesтАЭ directory and shall be able to discretely install and uninstall.
c) Applications designed for general end users shall run in the general user context without elevated system administration privileges.
C.6. The Contractor shall establish processes and procedures for continuous monitoring of Contractor systems that contain TSA data/information by ensuring all such devices are monitored by, and report to, the TSA Security Operations Center (SOC). The Contractor shall perform monthly security scans on servers that contain TSA data, and shall send monthly scan results to the TSA IAD.
D. Risk Management Framework
This section is not applicable if contract has DHS Sensitive Information Required Special Contract Terms (MARCH 2015), SAFEGUARDING OF SENSITIVE INFORMATION (MAR 2015)
D.1. The Security Authorization and Ongoing Authorization Process in accordance with NIST SP 800-37 and SP 800-137 (current versions) is a requirement for all TSA IT systems, including General Support Systems (e.g., standard TSA desktop, general network infrastructure, electronic mail), major applications and development systems (if connected to the operational network or processing, storing, or transmitting government data). These processes are documented in the NIST Risk Management Framework (RMF). Ongoing Authorization is part of Step 6 тАЬMonitoringтАЭ of the RMF. All NIST guidance is publicly available; TSA and DHS security policy is disclosed upon contract award with some exceptions, which are public facing (i.e., DHS Security and Training Requirements for Contractors).
D.2. A written Authorization to Operate (ATO) granted by the TSA Authorizing Official (AO) also known as TSA Chief Information Secuirty Officer (CISO) is required prior to processing operational data or connecting to any TSA network. The contractor shall provide all necessary system information for the security authorization effort.
D.3. TSA shall assign a security category to each IT system compliant with the requirements of Federal Information Processing Standards (FIPS) Pub 199 Standards for Security Categorization of Federal Information and Information Systems impact levels and assign security controls to those systems consistent with FIPS Pub 200 Minimum Security Requirements for Federal Information and Information Systems methodology.
D.4. Unless the AO specifically states otherwise for an individual system, the duration of any Accreditation shall be dependent on the FIPS 199 rating and overall residual risk of the system; the length can span up to 36 months.
D.5. The Security Authorization (SA)Package contains documentation required for Security Authorizations and Ongoing Authorization. The package shall contain the following security documentation: 1) Security Assessment Report (SAR), 2) Security Plan (SP) or System Security Authorization Agreement (SSAA), 3) Contingency Plan, 4) Contingency Plan Test Results, 5) Federal Information Processing Standards (FIPS) 199 Security Categorization, 6) Privacy Threshold Analysis (PTA), 7) E-Authentication, 8) Security Assessment Plan (SAP), 9) Authorization to Operate (ATO) Letter, 10) Plan of Action and Milestones (POA&M), and 11) Ongoing Authorization Artifacts as required by the DHS Ongoing Authorization Methodology (current version). The SA package shall document the specific procedures, training, and accountability measures in place for systems that process personally identifiable information (PII). All security compliance documents shall be reviewed and approved by the CISO and the IAD, and accepted by the CO upon creation and after any subsequent changes, before they go into effect. Ongoing Authorization artifacts include monthly TRigger Accountability Log (TRAL), monthly operating system scan results, application scans as directed, updated control allocation table (CAT), and associated memos as directed. All steps in the DHS Information Assurance Compliance Systems (IACS) shall be completed correctly, thoroughly and in a timely manner for all steps of the RMF.
D.6. The contractor shall support the successful remediation of all identified system weaknesses and vulnerabilities that are identified as a result of the aforementioned security review process.
D.7. The contractor shall submit and analyze monthly operating system vulnerability scans for the DHS Information Security Performance Plan FISMA Scorecard. Vulnerabilities not remediated are generated into Plan of Action and Milestone (POA&M)s after 30 days.
E. Contingency Planning
This section is not applicable if contract has DHS Sensitive Information Required Special Contract Terms (MARCH 2015), SAFEGUARDING OF SENSITIVE INFORMATION (MAR 2015)
E.1. The Contractor shall develop and maintain a Contingency Plan (CP), to include a Continuity of Operation Plan (COOP), to address circumstances whereby normal operations may be disrupted and thus require activation of the CP and/or COOP. are disrupted. The contractorтАЩs CP/COOP responsibility relates only to the system they provide or operate under contract.
E.2. The Contractor shall ensure that contingency plans are consistent with template provided in the DHS IACS Tool. If access has not been provided initially, the contractor shall use the DHS 4300A Sensitive System Handbook, Attachment K IT Contingency Plan Template.
E.3. The Contractor shall identify and train all TSA personnel involved with COOP efforts in the procedures and logistics of the disaster recovery and business continuity plans.
E.4. The Contractor shall ensure the availability of critical resources and facilitate the COOP in an emergency situation.
E.5. The Contractor shall test their CP annually and retain records of the annual CP testing for review during periodic audits.
E.6. The Contractor shall record, track, and correct any CP deficiency; any deficiency correction that cannot be accomplished within one month of the annual test shall be elevated to IAD.
E.7. The Contractor shall ensure the CP addresses emergency response, backup operations, and recovery operations.
E.8. The Contractor shall have an Emergency Response Plan that includes procedures appropriate to fire, flood, civil disorder, disaster, bomb threat, or any other incident or activity that may endanger lives, property, or the capability to perform essential functions.
E.9. The Contractor shall have a Backup Operations Plan that includes procedures and responsibilities to ensure that essential operations can be continued if normal processing or data communications are interrupted for any reason.
E.10. The Contractor shall have a Post-disaster Recovery Plan that includes procedures and responsibilities to facilitate rapid restoration of normal operations at the primary site or, if necessary, at a new facility following the destruction, major damage, or other major interruption at the primary site.
E.11. The Contractor shall ensure all TSA data (e.g., mail, data servers, etc.) is incrementally backed up on a daily basis.
E.12. The Contractor shall ensure a full backup of all network data occurs as required by the systemтАЩs availability security categorization impact rating per TSA Information Assurance policy.
E.13. The Contractor shall ensure all network application assets (e.g., application servers, domain controllers, Information Assurance (IA) tools, etc.) shall be incrementally backed up as required to eliminate loss of critical audit data and allow for restoration and resumption of normal operations within one hour.
E.14. The Contractor shall ensure sufficient backup data to facilitate a full operational recovery within one business day at either the prime operational site or the designated alternate site shall be stored at a secondary location determined by the local element disaster recovery plan.
E.15. The Contractor shall ensure that data at the secondary location is current as required by the systemтАЩs availability security categorization impact rating.
E.16. The Contractor shall ensure the location of the local backup repository and the secondary backup repository is clearly defined, and access controlled as an Information Security Restricted Area (ISRA).
E.17. The Contractor shall adhere to the DHS IT Security Architecture Guidance Volume 1: Network and System Infrastructure for the layout of the file systems, or partitions, on a systemтАЩs hard disk impacting the security of the data on the resultant system. File system design shall:
E.18. The contractor shall adhere to the DHS IT Security Architecture Guidance Volume 1: Network and System Infrastructure for the management of mixed data for OS files, user accounts, externally-accesses data files and audit logs.
F. Program Performance
F.1. The Contractor shall comply with requests to be audited and provide responses within three business days to requests for data, information, and analysis from the TSA IAD and management, as directed by the Contracting Officer (CO).
F.2. The Contractor shall provide support during the IAD audit activities and efforts. These audit activities shall include, but are not limited to the following: requests for system access for penetration testing, vulnerability scanning, incident response and forensic review.
F.3. Upon completion of monthly security scans, findings shall be documented and categorized as High, Moderate, or Low based on their potential impact to the System IT Security posture. The Contractor shall provide TSA with estimates of the total engineering service hours required to support the remediation of open POA&M items. High security findings shall be remediated first in 45 days or less; Moderate security findings shall be remediated in 60 days or less, and Low security findings shall be remediated in 90 days or less. The Contractor shall work with the TSA System ISSO and the respective CO and/or Contracting OfficerтАЩs Representative (COR), as well as OIT IAD and the System Owner (as required) to prioritize and plan for the remediation of open POA&Ms. The TSA System ISSO shall maintain all security artifacts and perform Ongoing Authorization (per NIST 800-137 and DHS-TSA requirements) and Continuous Diagnostics and Mitigation (CDM) (per OMB M-14-03) activities to ensure active compliance with security requirements. Specific POA&M guidance and information can be found in the SOP 1401 Plan of Action and Milestone (POA&M) Process, as well as the DHS 4300A PD Attachment H Plan of Action and Milestones (POA&M) Process Guide.
G. Federal Risk and Authorization Management Program (FedRAMP)
If a vendor is to host a system with a Cloud Service Provider, the following shall apply:
G.1. FedRAMP Requirements: Private sector solutions shall be hosted by a Joint Authorization Board (JAB)-approved Infrastructure as a Service (IaaS) Cloud Service Provider (CSP) () and shall follow the Federal Risk and Authorization Management Program (FedRAMP) requirements. The CSP shall adhere to the following in addition to the FedRAMP requirements:
Identity and entitlement access management shall be done through Federated identify; SSI and PII shall be encrypted in storage and in transit as is dispersed across cloud; sanitization of all TSA data shall be done as necessary at the laaS, PaaS, or SaaS levels; Cloud bursting shall not occur; TSA data shall be logically separated from other cloud tenants; All system administrators shall be properly cleared and vetted U.S. citizens; TSA data shall not leave the United States; and The cloud internet connection shall be behind a commercial trusted internet connection (TIC) that has EINSTEIN 3 accelerated(E3A) capabilities deployed. These include but are not limited to the analysis of network flow records, detecting and alerting to known or suspected cyber threats, intrusion prevention capabilities and under the direction of DHS detecting and blocking known or suspected cyber threats using indicators. The E3A capability shall use the Domain Name Server Sinkholing capability and email filtering capability allowing scans to occur destined for .gov networkers for malicious attachments,uniform resource locators and other forms of malware being delivered to .gov users.
G.2. Private Sector System Requirements: TSA shall conduct audits at any time on private sector systems, and the system shall be entered into the TSA FISMA Inventory as a system of record using the Control Implementation Summary (CIS) provided by the Cloud Service Provider. Security artifacts shall be created and maintained in the DHS IACS. The private sector systems are required to go through the Security Authorization Process and the RMF in accordance the Federal Information Systems Management Act (FISMA) and NIST SP 800-37 Rev. 1. The cloud internet connection shall be behind a commercial Trusted Internet Connection (TIC) that has E3A deployed. Security event logs and application logs shall be sent to the TSA SOC. Incidents as defined in the TSA Management Directive 1400.3 and its Attachment 1 (TSA IA Handbook) shall be reported to the TSA SPOC 1-800-253-8571. DHS Information Security Vulnerability Management Alerts and Bulletins shall be patched within the required time frames as dictated by DHS and communicated by the contracting officer representative (COR) or contract security point of contact (POC).
H. Information Assurance Policy
H.1. All services, hardware and/or software provided under this task order shall be compliant with applicable DHS 4300A Sensitive System Policy Directive, DHS 4300A Sensitive Systems Handbook, TSA MD 1400.3 Information Technology Security, TSA IA Handbook, Technical Standards (TSs) and standard operating procedures (SOPs).
H.2. The contractor solution shall follow all current versions of TSA and DHS policies, procedures, guidelines, and standards, which shall be provided by the Contracting Officer.
H.3. Authorized access and use of TSA IT systems and resources shall be in accordance with the TSA IA Handbook.
H.4. The contractor shall complete TSA Form 251 and TSA Form 251-1 for sensitive or accountable property. The contractor shall email the completed forms to TSA-Property@dhs.gov and include a hard copy with the shipment.
I. Data Stored/Processed at Contractor Site
I.1. Unless otherwise directed by TSA, any storage of data shall be contained within the resources allocated by the Contractor to support TSA and may not be on systems that are shared with other commercial or government clients.
J. Remote Access
J.1. The Contractor remote access connection to TSA networks shall be considered a privileged arrangement for both Contractor and the Government to conduct sanctioned TSA business. Therefore, remote access rights shall be expressly granted, in writing, by the TSA IAD.
J.2. The Contractor employee(s) remote access connection to TSA networks shall be terminated immediately for unauthorized use, at the sole discretion of TSA.
J.3. The Contractor shall use his or her federal issued personal identifiable verification (PIV) badge to access TSA resources to include IT applications and physical facility.
K. Interconnection Security Agreement
If the service being supplied requires a connection to a non-DHS, Contractor system, or DHS system of different sensitivity, the following shall apply:
K.1. Interconnections between DHS and non-DHS IT systems shall be established only through controlled interfaces and via approved service providers. The controlled interfaces shall be accredited at the highest security level of information on the network. Connections with other Federal agencies shall be documented using an interagency agreements; memoranda of understanding/agreement, service level agreements or interconnection service agreements.
K.2. ISAs shall be reissued every three (3) years or whenever any significant changes have been made to any of the interconnected systems.
K.3. ISAs shall be reviewed and updated as needed as a part of the annual FISMA self-assessment.
L. SBU Data Privacy and Protection
This section is not applicable if contract has DHS Sensitive Information Required Special Contract Terms (MARCH 2015), SAFEGUARDING OF SENSITIVE INFORMATION (MAR 2015)
L.1. The contractor shall satisfy requirements to work with and safeguard Sensitive Security Information (SSI), Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (Sensitive PII). All support personnel shall understand and rigorously follow DHS and TSA requirements, SSI Policies and Procedures Handbook, and Privacy policies, and procedures for safeguarding SSI, PII and SPII.
L.2. The Contractor shall be responsible for the security of: i) all data that is generated by the contractor on behalf of the TSA, ii) TSA data transmitted by the contractor, and iii) TSA data otherwise stored or processed by the contractor regardless of who owns or controls the underlying systems while that data is under the contractorтАЩs control. All TSA data, including but not limited to PII, SPII, Sensitive Security Information (SSI), Sensitive But Unclassified (SBU), and Critical Infrastructure Information (CII), shall be protected according to DHS and TSA security policies and mandates.
L.3. TSA shall identify IT systems transmitting unclassified/SSI information that shall require protection based on a risk assessment. If encryption is required, the following methods are acceptable for encrypting sensitive information:
FIPS 197 (Advanced Encryption Standard (AES)) 256 algorithm and cryptographic modules that have been validated under FIPS 140-2 (current version)
National Security Agency (NSA) Type 2 or Type 1 encryption (current version)
Public Key Infrastructure (PKI) (see paragraph 5.5.2.1 of the DHS 4300A Sensitive Systems Handbook), current version
L.4. The contractor shall maintain data control according to the TSA security level of the data. Data separation shall include the use of discretionary access control methods, VPN encryption methods, data aggregation controls, data tagging, media marking, backup actions, and data disaster planning and recovery. Contractors handling PII shall comply with TSA MD 3700.4, Handling Sensitive Personally Identifiable Information (current version).
L.5. Users of TSA IT assets shall adhere to all system security requirements to ensure the confidentiality, integrity, availability, and non-repudiation of information under their control. All users accessing TSA IT assets are expected to actively apply the practices specified in the TSA IA Handbook, and applicable IT Security Technical Standards and SOPs.
L.6. The contractor shall comply with Sensitive Personally Identifiable Information (Sensitive PII) disposition requirements stated in the TSA IA Handbook, applicable Technical Standards, SOPs and TSA MD 3700.4, Handling Sensitive Personally Identifiable Information.
L.7. The Contractor shall ensure that source code is protected from unauthorized access or dissemination (see TSA IA Handbook).
M. Disposition of Government Resources
M.1 At the expiration of the contract, the contractor shall return all TSA information and IT resources provided to the contractor during the contract, and provide a certification that all assets containing or used to process TSA information have been sanitized in accordance with the TSA MD 1400.3, TSA IA Handbook, Technical Standards and SOPs. The contractor shall certify in writing that sanitization or destruction has been performed. Sanitization and destruction methods are outlined in the NIST Special Publication 800-88 Guidelines for Media Sanitization, TSA Technical Standard 046 IT Media Sanitization and Disposition, and SOP 1400-503 IT Media Sanitization. The contractor shall email a signed, by the contractorтАЩs designated security officer or senior official, proof of sanitization to the COR. In addition, the contractor shall provide the contracting officer a master asset inventory list that reflects all assets, government furnished equipment (GFE) or authorized non-GFE that were used to process TSA information.
N. Special Considerations and Circumstances (if applicable and when requested)
N.1 For major agency Information Technology (IT) infrastructure support ranging in the total estimated procurement value (TEPV) of about $100 million or above or per TSA managementтАЩs request, the contractor shall provide, implement, and maintain a Security Program Plan (SPP) based on the templates provided by the TSA IAD. This plan shall describe the processes and procedures that shall be followed to ensure the appropriate security of IT resources are developed, processed, or used under this contract. At a minimum, the contractorтАЩs SPP shall address the contractorтАЩs compliance with the controls described in NIST SP 800-53 (current version). The security controls contained in the plan shall meet the requirements listed in the TSA IA Handbook, Technical Standards and the DHS Sensitive Systems Policy Directive and Handbook 4300A (current versions).
N.2 The SPP shall be a living document. It shall be reviewed and updated semi-annually,beginning on the effective date of the contract, to address new processes, procedures, technical or federally mandated security controls and other contract requirement modifications or additions that affect the security of IT resources under contract.
N.3 The SPP shall be submitted within 30 days after contract award. The SPP shall be consistent with and further details the approach contained in the offerorтАЩs proposal or quote that resulted in the award of this contract and in compliance with the system security requirements.
N.4 The SPP, as submitted to the Contracting Officer, and accepted by the Information Systems Security Officer (ISSO), shall be incorporated into the contract as a compliance document. The Contractor shall comply with the accepted plan.
O. Trusted Internet Connection 2.0 Requirements for Managed Trusted Internet Protocol Service Offering (MTIPS)
O.1 MTIPS providers shall comply with the FedRAMP TIC 2.0 Overlay requirements in addition to the basic requirements outlined in the DHS TIC Reference Architecture v2.0.
P. ISSO Support
P.1 The contractor Program Manager shall ensure that the contractor ISSO duties and responsibilities align with the Information Assurance and Cyber Security Division, Governance, Risk, and Compliance (GRC) Branch mission and security responsibilities. The TSA CISO is the uthorizing official for ISSO designation.
Q. Continuous Diagnostics and Mitigation
Q.1 The Government, through a Continuous Monitoring as a Service (CMaaS) vendor, shall provide the contractor with GFE appliances and tools to support the implementation and maintenance of the Continuous Diagnostics and Mitigation (CDM) Solution. The tools shall be hosted on the DHSтАЩ Infrastructure as a Service (IaaS) program. The Government, through the CMaaS vendor, shall provide sensor kits and agents that shall be deployed on all contractor Information Systems supporting the TSA.
Q.2 The contractor shall support the installation (including rack and configuration) of the sensor kits and agents on all TSA contract supported devices and environments per TSA engineering, security, and configuration standards.
Q.3 The contractor shall tune their existing endpoint security products to coexist with the identified products to ensure smooth and cohesive functionalities. Credentials (Service accounts) shall be provided, by the TSA CISO or designee, for vulnerability scans and host interrogation.
Q.4 The Government, through the CMaaS vendor, shall provide the following support for operations and maintenance of the CDM solution sensor kits:
тАв Patching (Controlled through a CMaaS Windows Server Update Service (WSUS))
тАв Hardware troubleshooting & Risk Management (RMA)
тАв Application maintenance (done from the Government/TSA Management Enclave)
тАв Vulnerability scanning
Q.5 The contractor shall install TSA-provided CDM Solution patches within two (2) days of issuance, or as directed by TSA, and provide evidence of implementation to the TSA Information System Security Officer (ISSO).
Q.6 The TSA Contracting Owner is authorized to provide technical direction to the contractor for the sole purpose of implementing the CDM Solution. If the technical direction results in any cost incurred by the contractor, for which the contractor shall seek reimbursement from the Government, the contractor shall identify the following information in any cost/price proposal to the Government: name of system owner, summary of the technical direction, date of the technical direction, purpose of the technical direction, summary of actions taken by the contractor, any other information the contracting officer may require to further guide the directed change. The contactor shall receive approval from the Contracting Officer of the directed change prior to incurring costs associated with the technical direction.
R. Software Guidance
The Contracting Officer shall provide a listing of all TSA approved security software upon contract award. The approved security software listing is maintained by the Information Assurance Division (IAD).
R.1 In support of the CDM objective to protect high value assets (HVAs) and information, the Government has acquired security tools in order to conduct Indicator of Compromise (IOC) scans within the mandated time frame. The Government shall provide the tool license and/or equipment for installation of tool agents on all TSA supported assets.
R.2 The contractor shall support efforts to allow for the IOC scanning mandate. This may include installation of tool servers and/or agents within each systemтАЩs environment and on all TSA supported assets. The Government shall provide the contractor with the tool server(s) that shall not belong to the contractorтАЩs system boundary. The tool server shall be reachable from OneNet/TSANet over the Internet. The tool server(s) shall be properly configured to reach all assets with the tool agent installed on the network. Credentials (service accounts) shall be provided for IOC scans and tool interrogation.
R.3 The contractor shall support or perform the installation of forensic software servlet agents on supported Operating Systems on all TSA contract supported devices and environments per TSA engineering, security, and configuration standards. The contractor shall test and upgrade the servlet agents as directed by the IAD.
R.4 The Government shall provide the contractor with a forensic software server that shall not belong to the contractorтАЩs system boundary. The contractor shall support or perform the installation of the server. The server shall be reachable from TSANet over the Internet and shall be primarily used for authentication and proxy functions. The server shall be properly configured to reach all assets with the agent installed on the network.
R.5 The contractor shall support efforts of incident response and forensic investigation. This includes authorization to connect TSA authorized equipment where the forensic software servlet agents are reachable to perform analysis.
R.6 The contractor shall install TSA-provided solution patches within two (2) days of issuance, or as directed by TSA CIO, and provide evidence of implementation to the TSA Information System Security Officer (ISSO).
S. Passwords
S.1 The contract ISSO shall determine and enforce the appropriate frequency for changing passwords in accordance with appropriate guidance documentation. In the absence of specific guidance documentation, passwords shall not remain in effect longer than ninety (90) days.
T. Personal Identifiable Verification (PIV)
T.1 The Contractor shall use PIV as the primary means to access TSA resources to include IT applications and physical facility. TSA network domain user account password expiration function shall be disabled when using PIV Machine Based Enforcement (MBE). PINs for PIV card-enabled users shall not expire, and shall have a minimum six-digit PIN when logging into the network using a PIV card.
T.2 The Contractor shall ensure newly developed information system(s) support PIV smartcard authentication. The information system shall be capable to accept and electronically verify PIV credentials.
T.3 The Contractor shall employ information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
T.4 The Homeland Security Presidential Directive 12 (HSPD-12) requires the use of the Personal Identity Verification (PIV) credentials as the common means of authentication for access to TSAтАЩs facilities, networks, and information systems.
U. End-of-Life (EOL) / End-of-Service (EOS)
U.1 The Contractor shall ensure that any hardware or software that is procured develops a full lifecycle plan based on the vendorтАЩs established life and service expectancy of the product and total cost of ownership. Any new or existing product that shall reach end-of-life (EOL)* within three (3) years and is part of a TSA FISMA IT System shall require development of a remediation, upgrade, replacement and funding plan to remove the EOL item(s) from the TSA environment completely within that time frame. A plan of action and milestone (POA&M) shall be submitted for risk acceptance to the TSA CISO in order to track remediation milestones appropriately.
*EOL / EOS тАУ Defined as production and/or development, technical support, application updates, spare parts and security patches which are no longer available from the vendor.
V. Maintenance
V.1 The Contractor shall ensure that the system, once operational, is properly maintained and monitored, to include: immediate response to critical security patches, routine maintenance windows to allow for system updates, and compliance with a defined configuration management process. All patches and system updates shall be properly tested in a development environment before being implemented in the production environment.
V.2 The contractor shall perform customer support twenty-four (24) hours, seven (7) days a week within the continental United States only.
W. Security in the Agile Development Process
All TSA systems shall follow the below guidance when delivering system and application solutions to the agency.
тАв All applications shall be reviewed prior to acceptance by the Contractor
тАв Contractor shall implement Threat Modeling
тАв Developer shall deliver a defect list
тАв Developer shall implement Patching and Configuration Management strategies
тАв Developer shall use Component Analysis
тАв Developer shall implement build tests
тАв Developer shall implement Manual Code Inspection
тАв Developer shall implement Security Regression Tests
тАв Developer shall implement Pre-Deployment/Post Deployment Automated Tests
тАв Developer shall implement industry standard тАЬEvery-Sprint PracticesтАЭ, which at a minimum consists of:
o Threat Modeling
o Use of Approved Tools
o Deprecate Unsafe Functions
o Static Analysis
o Conduction Final Security Review
o Certify, Release and Archive
тАв Developer shall implement industry standard Practices, which at a minimum consists of:
o Create Quality Gates/Bug Bars
o Perform Dynamic Analysis
o Perform Fuzz Testing
o Conduct Attach Surface Review
тАв Developer shall implement industry standard One-Time Practices, which at a minimum consists of:
o Establish Security Requirements
o Perform Security and Privacy Risk Assessments
o Establish Design Requirements
o Perform Attack Surface Analysis
o Create Incident Response Plan
DHS and TSA Enterprise Architecture Compliance
a) The Contractor shall ensure that all solutions, products, deliverables, and services are aligned and compliant with the current DHS and TSA Enterprise Architecture, and the Federal Enterprise Architecture Framework (OMB Reference Models).
b) All solutions and services shall meet DHS and TSA Enterprise Architecture policies, standards, and procedures. Specifically, the contractor shall comply with Homeland Security Enterprise Architecture (HLS EA) requirements.
i. All developed solutions and requirements shall be compliant with the HLS EA.
ii. The contractor shall align all solutions and services and ensure compliance with applicable TSA and DHS IT Security, Application, System, Network, Data, Information, and Business Architecture policies, directives, guidelines, standards, segment architectures and reference architectures.
iii. The contractor shall utilize any existing TSA or DHS user interface design standards, style guides, and/or policies and standards for human factors, usability, user experience, or human computer interaction (HCI).
iv. All solution architectures and services (Application, System, Network, Security, Information, etc.) shall be reviewed and approved by TSA EA as part of the TSA SELC review process and in accordance with all applicable DHS and TSA IT governance policies, directives, and processes (i.e. TSA IT Governance Management Directive 1400.20). This includes the Solution Engineering Review (SER), Preliminary Design Review (PDR) and Critical Design Review (CDR) stage gates. All implementations shall follow the approved solution architecture/design without deviation. Any changes, to either the prior approved solution and/or prior approved design that are identified during subsequent SELC phases, including testing, implementation and deployment, shall undergo additional EA review prior to proceeding.
v. All IT hardware and software shall be compliant with the TSA and HLS EA Technical Reference Model (TRM) Standards and Products Profile; all products are subject to TSA and DHS Enterprise Architectural approval. No products may be utilized in any production environment that is not included in the TSA and HLS EA TRM Standards and Products Profile.
c) Description information for all data assets, information exchanges and data standards, whether adopted or developed, shall be submitted to the TSA Enterprise Architecture Data Management Team, who will be responsible for coordination with the DHS Enterprise Data Management Office (EDMO) for review, approval and insertion into the DHS Data Reference Model and Enterprise Architecture Information Repository.
i. Development of data assets, information exchanges, and data standards will comply with the DHS Data Management Policy MD 103-01 and all data-related artifacts will be developed and validated according to DHS and TSA data management architectural guidelines and subject to the TSA Enterprise Architecture Data Management Team (EDM) approval.
ii. In addition to the Federal Acquisitions Regulations (FAR) Subpart 27.4 тАУ тАШRights in Data and CopyrightsтАЩ and Section 35.011 detailing technical data delivery, the contractor shall provide all TSA-specific data in a format maintaining pre-existing referential integrity and data constraints, as well as data structures in an understandable format to TSA. Examples of data structures can be defined as, but not limited to
a. Data models depicting relationship mapping and, or linkages
b. Metadata information to define data definitions
c. Detailed data formats, type, and size
d. Delineations of the referential integrity (e.g., primary key/foreign key) of data schemas, structures, and or taxonomies
iii. All TSA-specific data shall be delivered in a secure and timely manner to TSA. Data security is defined within the тАШRequirements for Handling Sensitive, Classified, and/or Proprietary InformationтАЩ, section of this SOW. This definition complies with not only the delivery of data, but also maintaining TSA-specific data within a non-TSA or DHS proprietary system. Alternative data delivery techniques may also be defined by TSA Enterprise Data Management (EDM) team.
iv. All metadata shall be pre-defined upon delivery to TSA. Metadata shall be delivered in a format that is readily interpretable by TSA (e.g. metadata shall be extracted from any metadata repository that is not utilized by TSA and delivered in a TSA approved manner). Metadata shall also provide an indication of historical verses the most current data to be used, as well as frequency of data refreshes.
v. The contractor shall adhere to providing a Data Management Plan (DMP), as defined by Enterprise Architecture, to the EA design review team before the preliminary/critical design review. The Data Management Plan includes conceptual and logical data models, data dictionaries, data asset profile, and other artifacts pertinent to the projectтАЩs data. All data artifacts must adhere to TSA EA data standards defined and published before the design review. Data Standards include but are not limited to, data asset standards, metadata standards, logical/physical naming standards, and information exchange (using the National Information Exchange Model (NIEM)) standards. All required artifacts must be provided to and approved by the EA Design Review team.
d) Applicability of Internet Protocol Version 6 (IPv6) to DHS-related components (networks, infrastructure, and applications) specific to individual acquisitions shall be in accordance with the DHS Enterprise Architecture (per OMB Memorandum M-05-22, August 2, 2005) regardless of whether the acquisition is for modification, upgrade, or replacement. All EA related component acquisitions shall be IPv6 compliant as defined in the U.S. Government Version 6 (USGv6) Profile (National Institute of Standards and Technology (NIST) Special Publication 500-267) and the corresponding declarations of conformance defined in the USGv6 Test Program.
H.5200.224.004 SECURITY REQUIREMENTS FOR HANDLING PERSONALLY IDENTIFIABLE INFORMATION AND PRIVACY INCIDENT REPONSE (JULY 2017)
Prescription: (1) The Contracting Officer (CO) shall include this special contract requirement in all contracts in which the contractor will have access to, process, store, or otherwise handle sensitive personally identifiable information where such contract has not otherwise been determined as тАЬhigh riskтАЭ per HSAR Deviation 15-01 and thus does not include the special terms from that Deviation.
(2) Along with this special contract requirement, the CO shall likewise include HSAR 3052.204-70 тАЬSecurity Requirements for Unclassified Information Technology ResourcesтАЭ (JUN 2006), HSAR 3052.204-71, тАЬContractor Employee AccessтАЭ (SEP 2012), and FAR 52.224-3 тАЬPrivacy TrainingтАЭ (JAN 2017) in the same contract. Additionally, the CO shall add the following to paragraph (c) of FAR 52.224-3:
тАЬContractor employees shall satisfy this requirement by completing Privacy at DHS: Protecting Personal Information accessible at Training shall be completed within 30 days of contract award and be completed on an annual basis thereafter not later than October 31st of each year.тАЭ
(3) If a contract requirement involves only PII and does not include SPII as defined below, the CO shall delete items 1(c), 2, 3 (a), 3(b)((vii), 4(b), and 6(a) from this special contract requirement before inserting it into the contract.
1. Definitions.
(a) тАЬBreachтАЭ (may be used interchangeably with тАЬPrivacy IncidentтАЩ) as used in this clause means the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar situation where persons other than authorized users, and for other than authorized purpose, have access or potential access to Personally Identifiable Information, in usable form whether physical or electronic.
(b) тАЬPersonally Identifiable Information (PII)тАЭ as used in this clause means any information that permits the identity of an individual to be directly or indirectly inferred, including any other information that is linked or linkable to that individual regardless of whether the individual is a citizen of the United States, legal permanent resident, or a visitor to the United States. Examples of PII include: name, date of birth, mailing address, telephone number, Social Security Number (SSN), email address, zip code, account numbers, certificate/license numbers, vehicle identifiers including license plates, uniform resource locators (URLs), Internet protocol addresses, biometric identifiers (e.g., fingerprints), photographic facial images, or any other unique identifying number or characteristic, and any information where it is reasonably foreseeable that the information will be linked with other information to identify the individual.
(c) тАЬSensitive Personally Identifiable Information (Sensitive PII)тАЭ as used in this clause is a subset of Personally Identifiable Information, which if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Complete social security numbers (SSN), alien registration numbers (A-number) and biometric identifiers (such as fingerprint, voiceprint, or iris scan) are considered Sensitive PII even if they are not coupled with additional PII. Additional examples include any groupings of information that contains an individualтАЩs name or other unique identifier plus one or more of the following elements:
(1) DriverтАЩs license number, passport number, or truncated SSN (such as last 4 digits)
(2) Date of birth (month, day, and year)
(3) Citizenship or immigration status
(4) Financial information such as account numbers or Electronic Funds Transfer Information
(5) Medical Information
(6) System authentication information such as motherтАЩs maiden name, account passwords or personal identification numbers (PIN)
Other Personally Identifiable information may be тАЬsensitiveтАЭ depending on its context, such as a list of employees with less than satisfactory performance ratings or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains Personally Identifiable Information but it is not sensitive.
2. Systems Access. Work to be performed under this contract requires the handling of Sensitive PII. The Government may elect to conduct random periodic reviews to ensure that the security requirements contained in this contract are being implemented and enforced. The contractor shall provide the Government access to, and information regarding the contractorтАЩs systems, when requested by the Government, as part of its responsibility to ensure compliance with security requirements, and shall otherwise cooperate with the Government in assuring compliance with such requirements. Government access shall include independent validation testing of controls, system penetration testing by the Government, Federal Information Security Management Act (FISMA) data reviews, and access by agency Inspectors General for its reviews.
3. Systems Security.
(a) In performing its duties related to management, operation, and/or access of systems containing Sensitive PII under this contract, the contractor, its employees and subcontractors shall comply with applicable security requirements described in the most current versions of DHS Sensitive System Publication 4300A or any replacement publication and rules of conduct as described in TSA Management Directive (MD) 3700.4.
(b) All Contractor-operated systems that input, store, process, output, and/or transmit SPII shall meet or exceed the continuous monitoring requirements identified in the Fiscal Year 2014 DHS Information Security Performance Plan, or successor publication. The plan is updated on an annual basis. The Contractor shall also store monthly continuous monitoring data at its location for a period not less than one year from the date the data is created. The data shall be encrypted in accordance with FIPS 140-2 Security Requirements for Cryptographic Modules and shall not be stored on systems that are shared with other commercial or Government entities. The Government may elect to perform continuous monitoring and IT security scanning of Contractor systems from Government tools and infrastructure.
(c) Use of contractor-owned laptops or other media storage devices to process or store PII is prohibited under this contract until the contractor provides, and the contracting officer in coordination with CISO approves, written certification by the contractor that the following requirements are met:
(i) Laptops employ encryption using a NIST Federal Information Processing Standard (FIPS) 140-2 or successor approved product;
(ii) The contractor has developed and implemented a process to ensure that security and other applications software are kept current;
(iii) Mobile computing devices utilize anti-viral software and a host-based firewall mechanism;
(iv) When no longer needed, all removable media and laptop hard drives shall be processed (i.e., sanitized, degaussed, or destroyed) in accordance with DHS security requirements.
(v) The contractor shall maintain an accurate inventory of devices used in the performance of this contract;
(vi) Contractor employee training requirements are covered in FAR 52.224-3.
(vii) All Sensitive PII obtained under this contract shall be removed from contractor-owned information technology assets upon termination or expiration of contractor work. Removal must be accomplished in accordance with DHS Sensitive System Publication 4300A, which the contracting officer will provide upon request. Certification of data removal will be performed by the contractorтАЩs Project Manager and written notification confirming certification will be delivered to the contracting officer within 15 days of termination/expiration of contractor work.
4. Data Security.
(a) Contractor shall limit access to the data covered by this clause to those employees and subcontractors who require the information in order to perform their official duties under this contract.
(b) The contractor, contractor employees, and subcontractors must physically secure Sensitive PII when not in use and/or under the control of an authorized individual, and when in transit to prevent unauthorized access or loss. When Sensitive PII is no longer needed or required to be retained under applicable Government records retention policies, it must be destroyed through means that will make the Sensitive PII irretrievable. The contractor shall only use Sensitive PII obtained under this contract for purposes of the contract, and shall not collect or use such information for any other purpose without the prior written approval of the contracting officer. At expiration or termination of this contract, the contractor shall turn over all Sensitive PII obtained under the contract that is in its possession to the Government.
(c) The ContractorтАЩs invoicing, billing, and other recordkeeping systems maintained to support financial or other administrative functions shall not maintain Sensitive PII. It is acceptable to maintain in these systems the names, titles and contact information for the COR or other Government personnel associated with the administration of the contract, as needed.
5. Breach Response. The contractor agrees that in the event of any actual or suspected breach of SPII (i.e., loss of control, compromise, unauthorized disclosure, access for an unauthorized purpose, or other unauthorized access, whether physical or electronic), it shall immediately, and in no event later than one hour of discovery, report the breach to the Contracting Officer, the Contracting OfficerтАЩs Representative (COR), and the TSA Director of Privacy Policy & Compliance (TSAprivacy@dhs.gov). The contractor is responsible for positively verifying that notification is received and acknowledged by at least one of the foregoing Government parties. The report of a breach shall not, by itself, be interpreted as evidence that the contractor failed to provide adequate safeguards for SPII.
Award fee contracts:
(a) For any portions of this contract that involve an award fee, the contractor may be awarded no award fee for any evaluation period in which there is a breach of privacy or security, including any loss of sensitive data or equipment containing sensitive data. Lost award fee due to a breach of privacy or security may not be allocated to future evaluation periods.
(b) For any portions of this contract that involve an award fee, to ensure that the final award fee evaluation at contract completion reflects any breach of privacy or security in an interim period, the overall award fee pool shall be reduced by the amount of the fee available for the period in which the breach occurred if a zero fee determination was made because of a breach of privacy or security.
6. Personally Identifiable Information Notification Requirement.
(a) The contractor shall have in place procedures and the capability to promptly notify any individual whose Sensitive PII was, or is reasonably believed to have been, breached, as determined appropriate by the Government. The method and content of any notification by the contractor shall be coordinated with, and subject to the prior approval of the Government, based upon a risk-based analysis conducted by the Government in accordance with DHS Privacy Incident Handling Guidance. Notification shall not proceed unless the Government has determined that: (i) notification is appropriate; and (ii) would not impede a law enforcement investigation or jeopardize national security.
Subject to Government analysis of the breach and the terms of its instructions to the contractor regarding any resulting breach notification, a method of notification may include letters to affected individuals sent by first class mail, electronic means, or general public notice, as approved by the Government. At minimum, a notification should include: (i) a brief description of how the breach occurred; (ii) a description of the types of personal information involved in the breach; (iii) a statement as to whether the information was encrypted or protected by other means; (iv) steps an individual may take to protect themselves; (v) what the agency is doing, if anything, to investigate the breach, to mitigate losses, and to protect against any further breaches; and (vi) point of contact information identifying who affected individuals may contact for further information.
(b) In the event that a PII breach occurs as a result of the violation of a term of this contract by the contractor or its employees, the contractor shall, as directed by the contracting officer and at no cost to the Government, take timely action to correct or mitigate the violation, which may include providing notification and/or other identity protection services to affected individuals for a period not less than18 months from discovery of the breach. Should the Government elect to provide and/or procure notification or identity protection services in response to a breach, the contractor will be responsible for reimbursing the Government for those expenses.
7. Pass-Through of Security Requirements to Subcontractors. The contractor agrees to incorporate the substance of this clause, its terms and requirements, in all subcontracts under this contract, and to require written subcontractor acknowledgement of same. Violation by a subcontractor of any provision set forth in this clause will be attributed to the contractor.
(End of term)
Accessibility Requirements (Section 508)
Section 508 of the Rehabilitation Act, as amended by the Workforce Investment Act of 1998 (P.L. 105-220) requires that when Federal agencies develop, procure, maintain, or use electronic and information technology (EIT), they must ensure that it is accessible to people with disabilities. Federal employees and members of the public who have disabilities must have equal access to and use of information and data that is comparable to that enjoyed by non-disabled Federal employees and members of the public.
All EIT deliverables within this work statement shall comply with the applicable technical and functional performance criteria of Section 508 unless exempt. Specifically, the following applicable EIT accessibility standards have been identified:
Section 508 Applicable EIT Accessibility Standards
36 CFR 1194.21 Software Applications and Operating Systems, applies to all EIT software applications and operating systems procured or developed under this work statement including but not limited to GOTS and COTS software. In addition, this standard is to be applied to Web-based applications when needed to fulfill the functional performance criteria. This standard also applies to some Web based applications as described within 36 CFR 1194.22.
36 CFR 1194.22 Web-based Intranet and Internet Information and Applications, applies to all Web-based deliverables, including documentation and reports procured or developed under this work statement. When any Web application uses a dynamic (non-static) interface, embeds custom user control(s), embeds video or multimedia, uses proprietary or technical approaches such as, but not limited to, Flash or Asynchronous Javascript and XML (AJAX) then 1194.21 Software standards also apply to fulfill functional performance criteria.
36 CFR 1194.24 Video and Multimedia Products, applies to all video and multimedia products that are procured or developed under this work statement. Any video or multimedia presentation shall also comply with the software standards (1194.21) when the presentation is through the use of a Web or Software application interface having user controls available.
36 CFR 1194.31 Functional Performance Criteria, applies to all EIT deliverables regardless of delivery method. All EIT deliverable shall use technical standards, regardless of technology, to fulfill the functional performance criteria.
36 CFR 1194.41 Information Documentation and Support, applies to all documents, reports, as well as help and support services. To ensure that documents and reports fulfill the required 1194.31 Functional Performance Criteria, they shall comply with the technical standard associated with Web-based Intranet and Internet Information and Applications at a minimum. In addition, any help or support provided in this work statement that offer telephone support, such as, but not limited to, a help desk shall have the ability to transmit and receive messages using TTY.
Section 508 Applicable Exceptions
Exceptions for this work statement have been determined by DHS and only the exceptions described herein may be applied. Any request for additional exceptions shall be sent to the COTR and determination will be made in accordance with DHS MD 4010.2. DHS has identified the following exceptions that may apply: 36 CFR 1194.3(b)
Incidental to Contract, all EIT that is exclusively owned and used by the contractor to fulfill this work statement does not require compliance with Section 508. This exception does not apply to any EIT deliverable, service or item that will be used by any Federal employee(s) or member(s) of the public. This exception only applies to those contractors assigned to fulfill the obligations of this work statement and for the purposes of this requirement, are not considered members of the public.
Section 508 Compliance Requirements
36 CFR 1194.2(b) (COTS/GOTS products), When procuring a product, each agency shall procure products which comply with the provisions in this part when such products are available in the commercial marketplace or when such products are developed in response to a Government solicitation. Agencies cannot claim a product as a whole is not commercially available because no product in the marketplace meets all the standards. If products are commercially available which meet some but not all of the standards, the agency must procure the product that best meets the standards. When applying this standard, all procurements of EIT shall have documentation of market research that identify a list of products or services that first meet the agency business needs, and from that list of products or services, an analysis that the selected product met more of the accessibility requirements than the non-selected products as required by FAR 39.2. Any selection of a product or service that meets less accessibility standards due to a significant difficulty or expense shall only be permitted under an undue burden claim and requires authorization from the DHS Office of Accessible Systems and Technology (OAST) in accordance with DHS MD 4010.2.
All tasks for testing of functional and/or technical requirements must include specific testing for Section 508 compliance, and must use DHS Office of Accessible Systems and Technology approved testing methods and tools. For information about approved testing methods and tools send an email to accessibility@hq.dhs.gov.
2.2 Requirement Information
Name of Requiring Office: Honolulu International Airport
Attn: Valerie Kaneshiro
Honolulu, HI
2.3 Pricing Table
The prices shall be detailed in the following pricing table:
CLIN No.00001 Item Monthly price Total Price
00001 IP data line from HNL Airport Rodgers Blvd, ACC Room-Gate 13 to TSA offsite office located at 3375 Koapaka St., Top Floor Honolulu (25 MBPS connectivity.)
00002 Option Year IP data line from HNL Airport Rodgers Blvd, ACC Room-Gate 13 to TSA offsite office located at 3375 Koapaka St., Top Floor Honolul (25 MBPS connectivity.) Grand Total $
Firm fixed pricing to include all parts, labor, maintenance, fees, permits, applicable taxes to provide service. TSA is a tax exempt Federal Agency.
Response Date:
030618
Sol Number:
70T05018Q7NHNL003
