award of interagency agreement


Post on 10-Jun-2022


TRANSCRIPT

Page 1: AWARD OF INTERAGENCY AGREEMENT

NRC FORM 662 (3-2007) U.S. NUCLEAR REGULATORY COMMISSION

AWARD OF INTERAGENCY AGREEMENT

6. ISSUED BY: U.S. Nuclear Regulatory Commission, Dominique Malone, Mailstop TWB/1 A31M, Washington, DC 20555

1. DATE OF ISSUE

05/30/2012

4. AGENCY LOCATOR NO.

31000001

7. JOB CODE

B1457

9. BOC

253A

2. AGREEMENT NUMBER: NRC-HQ-12-1-10-0008

3. MOD NO.: 0

5. B & R NUMBER

2012-40-51-G-156

8. APPROPRIATION SYMBOL

31X0200

10. DOCUMENT IDENTIFICATION NUMBER

11. NAME AND ADDRESS OF SERVICING AGENCY

US Department of Transportation, Federal Aviation Administration, 6500 S. MacArthur Blvd, OKC, OK 73169

PROJECT MANAGER

Ron Deavers

12. JOB CODE TITLE: IAA for NRC PRISM Implementation. Additional information is attached.

13. AGREEMENT PERFORMANCE PERIOD: BEGIN 06/01/2012, END 05/31/2013

14. OBLIGATION AVAILABILITY PROVIDED BY

A. THIS ACTION: $1,000,000

B. TOTAL PLACED PRIOR TO THIS ACTION WITH THE PERFORMING ORGANIZATION UNDER THIS JOB CODE FOR THIS FISCAL YEAR: $0

C. TOTAL ORDERS TO DATE FOR THIS JOB CODE FOR THIS FISCAL YEAR: $0

D. TOTAL ORDERS TO DATE FOR THIS AGREEMENT: $1,000,000

15. ATTACHMENTS

THE FOLLOWING ATTACHMENTS ARE MADE A PART OF THIS AGREEMENT

[X] STATEMENT OF WORK

[ ] ADDITIONAL TERMS AND CONDITIONS

[X] OTHER (Specify): DOT/ESC Forms

16. SECURITY

[ ] WORK ON THIS AGREEMENT INVOLVES CLASSIFIED INFORMATION

[X] WORK ON THIS AGREEMENT INVOLVES SENSITIVE UNCLASSIFIED INFORMATION

[ ] WORK ON THIS AGREEMENT IS UNCLASSIFIED AND NOT SENSITIVE

17. FEE BILLABLE UNDER 10 CFR PART 170: [ ] YES [X] NO

18. REMARKS

This PRISM Implementation IAA incorporates DOT/ESC's Franchise Agreement and DOT Form F2300. Estimated cost: $7,716,683; Current Obligation: $1,000,000

19. AUTHORITY TO ENTER INTO INTERAGENCY AGREEMENT (Check only one)

[ ] ENERGY REORGANIZATION ACT OF 1974, AS AMENDED

[X] THE ECONOMY ACT OF 1932

[ ] THE CLINGER-COHEN ACT OF 1996

[ ] OTHER (Specify)

20. ADVANCE PAYMENT: [X] IS NOT AUTHORIZED [ ] IS AUTHORIZED (Requires approval by Director, DFS/OCFO)

21. ESTIMATED COST FOR FULL PERFORMANCE OF THIS AGREEMENT (See Attached)

FY 12: $0   FY 13: $0   FY 14: $0   FY 15: $0   FY 16: $0   TOTAL:

22. CERTIFICATION OF FUNDS

This certifies that funds in the amount cited in Block 14.A. are available in the current fiscal year allowance for work authorized by this agreement.

FUNDS CERTIFICATION OFFICIAL (Typed Name): Donald Hall. SIGNATURE: (signed). DATE: 05/30/2012

23. SIGNATURES

NRC ISSUING AUTHORITY (Typed Name and Title): Dominique Malone. SIGNATURE: (signed). DATE: 05/30/2012

SERVICING AGENCY OFFICIAL/DESIGNEE (Typed Name and Title): See Attached Form DOT F2300.

NRC FORM 662 (3-2007) PRINTED ON RECYCLED PAPER

Stamp: TEMPLATE - ADM REVIEW COMPLETE JUN 6 2012

Page 2: AWARD OF INTERAGENCY AGREEMENT

NRC CONTACTS:

TECHNICAL:

FULL NAME: Ron Deavers
ADDRESS: Mailstop TWFN/9 K11, Washington, DC 20555
TELEPHONE NUMBER: (301) 415-7301
FACSIMILE NUMBER: (301) 415-0666
E-MAIL ADDRESS: Ron. [email protected]

ADMINISTRATIVE:

FULL NAME: Dominique Malone
ADDRESS: Mailstop TWB/1 A31M, Washington, DC 20555
TELEPHONE NUMBER: (301) 492-3613
FACSIMILE NUMBER: (301) 492-3437
E-MAIL ADDRESS: [email protected]

OTHER AGENCY'S CONTACTS:

TECHNICAL:

FULL NAME: Mike Upton
ADDRESS: 6500 S. MacArthur Blvd, OKC, OK 73169
TELEPHONE NUMBER: 405-954-8980
E-MAIL ADDRESS: Mike. [email protected]

ADMINISTRATIVE:

FULL NAME: Susan Bramante
ADDRESS: 6500 S. MacArthur, MPB 204, OKC, OK 73169
TELEPHONE NUMBER: (405) 954-4747
E-MAIL ADDRESS: Susan. [email protected]

BILLING INFORMATION: To receive reimbursement under this agreement, forward to NRC on a (check one):

[ ] monthly [ ] quarterly [ ] other ___ basis, an original and three copies of Standard Form 1081 in accordance with the Treasury Fiscal Requirements Manual, Bulletin No. 78-09, or, if possible, bill monthly through the OPAC system. Send reimbursement requests to the following address:

Payment Policy and Obligations Team
Mail Stop: T-9 F30
Division of Financial Services
Office of the Chief Financial Officer
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Any NRC funds remaining unexpended at the end of a fiscal year may be carried over into future fiscal years unless otherwise notified by NRC.

REPORTING REQUIREMENTS: Submit reports to the NRC in accordance with the statement of work. Submit financial status reports on a (check one):

[ ] monthly [ ] quarterly [ ] other ___ basis. These reports shall contain a brief letter status report which summarizes the expenditure of NRC funds. This report shall address the following categories, as applicable: (1) staff effort; (2) travel; (3) equipment and supplies; and (4) subcontract costs. Each report shall include by category: (a) costs for the previous month; (b) cumulative costs and uncosted obligations to date; and (c) projections for the remainder of the NRC obligated funds. The first monthly report shall provide the initial projections, and subsequent reports shall either indicate revised projections or indicate "no change in the cost and uncosted expenditure projection."

Submit these reports to the NRC Technical Contact by the 20th day of the month following the reporting period.

TERMINATING THE AGREEMENT: This agreement may be unilaterally terminated by either party generally upon 30 days' written notice to the other party. NRC will pay its share of any project expenses up to the termination date. Any expenses incurred in terminating this agreement will be paid by the party terminating the agreement. Any unexpended funds shall be returned to the NRC.

Page 3: AWARD OF INTERAGENCY AGREEMENT

Interagency/Intra-agency Agreement

Parties to the Agreement

REQUESTING AGENCY/BUYER

1A. Department: U.S. Nuclear Regulatory Commission
2A. Agency:
3A. Office:
4A. Obligation Number:
5A. Agency Location Code (ALC): 31000001
6A. Data Universal Numbering System # (DUNS): 040535809
7A. Tax Identification # (TIN):
8A. Treasury Approp. Fund Symbol (TAFS): 31X0200
9A. Trading Partner Code:
10. Requisition Code / Cust. Approp. Code / Accounting Classification Code: B&R Number: 2012-40-51-G-156; Job Code: B1457; Appropriation: 31X0200; BOC: 253A

SERVICING AGENCY/SELLER

1B. Department: US Department of Transportation
2B. Agency: Federal Aviation Administration, Enterprise Services Center
3B. Office: Office of Information Technology
4B. Agreement Number: FF-PRISM-ESCI-PNRC-12 Rev 2
5B. Agency Location Code (ALC): 69001104
6B. Data Universal Numbering System # (DUNS): 614876758
7B. Tax Identification # (TIN): 73-0588975
8B. Treasury Approp. Fund Symbol (TAFS): 69X4562
9B. Trading Partner Code: 691200
10. Accounting Classification Code: 121 ZACINRCIMP.000000.25705.ACRETO0000DATE 12X3000000.R90000 ($7,652,355.99)

Points of Contact for the Agreement

REQUESTING AGENCY/BUYER

11A. Finance Point of Contact
Name: Patti Humphreys
Address: Mailstop TWB 1 A31M, Washington, DC 20555
Phone:
E-mail: patti.humphreys@nrc.gov

12A. Program Point of Contact
Name: Dominique Malone
Address: Mailstop TWB 1 A31M, Washington, DC 20555
Phone: 301-492-3612
E-mail: dominique.malone@nrc.gov

SERVICING AGENCY/SELLER

11B. Finance Point of Contact
Name: Susan Bramante
Address: 6500 S. MacArthur Blvd., MPB 205, OKC, OK 73169
Phone: 405-954-4747
E-mail: susan.bramante@faa.gov

12B. Program Point of Contact
Name: Bo Peeler
Address: 6500 S. MacArthur Blvd., MPB 20_, OKC, OK 73169
Phone: 405-954-3201
E-mail: bo.peeler@faa.gov

13. Period of Performance: 8/1/2012 - 11/29/2013

14. Legal Authority: Public Law 104-205 (110 Stat. 2957); AMC-1 Franchise Fund Policy Statement, FY 2010-01, 4/9/2010

15. Total Agreement Amount (estimate): $7,652,355.99

16. Payment Terms and Schedules: Advance Payment Required.

17. Brief Description of the Supplies, Services and Deliverables Required and Option Years, If Any:

This agreement is to begin implementation activities as identified in the SOW. Please see attached SOW for further details of the agreement.

Pot: $367,718.48
Hosting Services: $1,512,426.00
Telecommunications: $246,117.50
Security Services: $171,403.00
Compusearch: $5,364,691.00
Total: $7,652,355.99

FY12 is the base year of agreement (FF-PRISM-ESCI-PNRC-12). This agreement has 4 option years that can be exercised. The final option year is FY16.

Subject to Availability of Funding. Advances will be taken in accordance with continuing resolution guidelines. Upon approval of the DOT Appropriation, advances will be taken quarterly.

For Internal Use ONLY

Franchise Agreement Financial History (addendum)

Authorized Approvals

REQUESTING AGENCY/BUYER: Dominique Malone, Sr. Contract Specialist, NRC (signed); Patti Humphreys, FCO (signed)

SERVICING AGENCY/SELLER: Bo Peeler, Program Director, Office of Information Services, AMK-003 (signed)

Form DOT F 2300.18

Page 4: AWARD OF INTERAGENCY AGREEMENT

INTERAGENCY AGREEMENT

AGREEMENT NUMBER: NRC-HQ-12-1-10-0008

Requesting Agency: U.S. Nuclear Regulatory Commission

Servicing Agency: U.S. Department of Transportation/Federal Aviation Administration/Enterprise Service Center

DATE: May 30, 2012

Page 5: AWARD OF INTERAGENCY AGREEMENT

PART A - GENERAL TERMS & CONDITIONS

A.1. PURPOSE

This Interagency Agreement (IAA) describes the terms and conditions between the U.S. Nuclear Regulatory Commission (Requesting Agency) and the Federal Aviation Administration's Enterprise Services Center (Servicing Agency) for the PRISM Implementation project.

A.2. AUTHORITY

The parties' authority to enter into this interagency agreement (IAA) is:

[X] The Economy Act (31 U.S.C. 1535)

[ ] Franchise Fund (e.g., 31 U.S.C. 501 note) or Revolving Fund (e.g., 40 U.S.C. 321). Identify specific statutory authority:

[ ] Other (identify specific statutory authority or authorities)

A.3. PERIOD OF PERFORMANCE AND ESTIMATED COST

Item No.   Period of Performance           Estimated Cost    Services
0001       June 1, 2012 - May 31, 2013     $7,716,683.05     Implementation
1001       June 1, 2013 - May 31, 2014     $3,180,924.23     O&M
2001       June 1, 2014 - May 31, 2015     $3,280,680.95     O&M
3001       June 1, 2015 - May 31, 2016     $3,369,148.04     O&M
4001       June 1, 2016 - May 31, 2017     $3,461,423.23     O&M
5001       June 1, 2017 - May 31, 2018     $3,598,977.36     O&M
6001       June 1, 2018 - May 31, 2019     $3,699,397.80     O&M
7001       June 1, 2019 - May 31, 2020     $3,804,168.26     O&M

Total Estimated Cost: $32,111,402.92

A.4. AMENDMENTS

Any amendments shall be made in writing and signed by both the Servicing Agency and the Requesting Agency.

A.5. IAA TERMINATION

See NRC Form 662.

Page 6: AWARD OF INTERAGENCY AGREEMENT

A.6 BILLING AND PAYMENT

See NRC Form 662

A.7. COMPLIANCE WITH SECTION 508 OF THE REHABILITATION ACT OF 1973, AS AMENDED (AUG 2011)

In 1998, Congress amended the Rehabilitation Act of 1973 (29 U.S.C. 794d), as amended by the Workforce Investment Act of 1998 (P.L. 105-220), August 7, 1998, to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. Inaccessible technology interferes with an ability to obtain and use information quickly and easily. Section 508 was enacted to eliminate barriers in information technology, open new opportunities for people with disabilities, and encourage development of technologies that will help achieve these goals. The law applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology. Under Section 508 (29 U.S.C. 794d), agencies must give disabled employees and members of the public access to information that is comparable to access available to others.

Specifically, Section 508 of that Act requires that when Federal agencies develop, procure, maintain, or use EIT, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency. (36 C.F.R. 1194 implements Section 508 of the Rehabilitation Act of 1973, as amended, and is viewable at: http://www.access-board.gov/sec508/standards.htm)

Exceptions.

All EIT that the government acquires by purchase or by lease/rental under this agreement must meet the applicable accessibility standards at 36 C.F.R. Part 1194, unless one or more of the following exceptions at FAR 39.204 applies to this acquisition (applicable if checked):

[ ] The EIT is for a national security system.

[ ] The EIT is acquired by a contractor incidental to a contract.

[ ] The EIT is located in spaces frequented only by service personnel for maintenance, repair or occasional monitoring of equipment.

[ ] Compliance with the applicable 36 C.F.R. Part 1194 provisions would impose an undue burden on the agency.

Applicable Standards.

The following accessibility standards from 36 C.F.R. Part 1194 have been determined to be applicable to this agreement. See www.section508.gov for more information:

[X] 1194.21 Software applications and operating systems.

[X] 1194.22 Web-based intranet and internet information and applications. 16 rules.

[X] 1194.23 Telecommunications products.

[ ] 1194.24 Video and multimedia products.

[ ] 1194.25 Self contained, closed products.

[ ] 1194.26 Desktop and portable computers.

Page 7: AWARD OF INTERAGENCY AGREEMENT

[X] 1194.31 Functional performance criteria.

[X] 1194.41 Information, documentation, and support.

A.8 Compliance with the Requesting Agency's Laws and Policies

The Servicing Agency shall incorporate the following clauses unique to the Requesting Agency into any contract or order awarded/issued to a contractor to provide services under this IAA. As applicable, all information security, physical security, and privacy requirements also apply to the Servicing Agency itself.

NRC CLAUSES

A.8.1 INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS - GENERAL

Basic Contract IT Security Requirements

For unclassified information used for the effort, the contractor shall provide an information security categorization document indicating the sensitivity of the information processed as part of this contract if the information security categorization was not provided in the performance work statement. The determination shall be made using NIST SP 800-60 and must be approved by CSO. The NRC contracting officer and project officer shall be notified immediately before the contractor begins to process information at a higher sensitivity level.

If the effort includes use or processing of classified information, the NRC contracting officer and project officer shall be notified before the contractor begins to process information at a more restrictive classification level.

All work under this contract shall comply with the latest version of all applicable policy, procedures and standards. Individual task orders will reference the applicable versions of standards or exceptions as necessary. These policy, procedures and standards include, but are not limited to: NRC Management Directive (MD) volume 12, Security; Computer Security Office policies, procedures and standards (including computer security policies issued until MD 12.5, NRC Automated Information Security Program, is updated); National Institute of Standards and Technology (NIST) guidance and Federal Information Processing Standards (FIPS); and Committee on National Security Systems (CNSS) policy, directives, instructions, and guidance. This information is available at the following links:

NRC Policies, Procedures and Standards (CSO internal website): http://www.internal.nrc.gov/CSO/policies.html

NRC Policy and Procedures For Handling, Marking and Protecting Sensitive Unclassified Non-Safeguards Information (SUNSI): http://www.internal.nrc.gov/sunsi/pdf/SUNSI-Policy-Procedures.pdf

All NRC Management Directives (public website): http://www.nrc.gov/reading-rm/doc-collections/management-directives/

NIST SP and FIPS documentation is located at: http://csrc.nist.gov/

CNSS documents are located at: http://www.cnss.gov/

Page 8: AWARD OF INTERAGENCY AGREEMENT

The Contractor shall ensure compliance with the latest version of NIST guidance and FIPS standards available at contract issuance, and continued compliance with the latest versions within one year of their release date.

When e-mail is used, the Contractor shall only use NRC-provided e-mail accounts to send and receive sensitive information (information that is not releasable to the public), or mechanisms approved by CSO to protect the information during transmission to NRC.

All Contractor employees must sign the NRC Agency Rules of Behavior for Secure Computer Use prior to being granted access to NRC computing resources.

The Contractor shall adhere to the following NRC policies:

Management Directive 12.5, Automated Information Security Program

NRC Sensitive Unclassified Non-Safeguards Information (SUNSI)

Computer Security Policy for Encryption of Data at Rest When Outside of Agency Facilities

Policy for Copying, Scanning, Printing, and Faxing SGI & Classified Information

Computer Security Information Protection Policy

Remote Access Policy

Use of Commercial Wireless Devices, Services and Technologies Policy

Laptop Security Policy

Computer Security Incident Response Policy

The Contractor will adhere to NRC's prohibition on the use of personal devices to process and store NRC sensitive information.

All electronic processing of NRC sensitive information, including system development and operations and maintenance performed at non-NRC facilities, shall be in facilities, networks, and computers that have been accredited by NRC for processing information at the highest sensitivity of the information that is processed or will ultimately be processed.

Contract Performance And Closeout

The contractor shall ensure that the NRC data processed during the performance of this contract is purged from all data storage components of the contractor's computer facility. Tools used to perform data purging shall be approved by the CISO. The contractor shall provide written certification to the NRC contracting officer that the contractor does not retain any NRC data within 30 calendar days after contract completion. Until all data is purged, the contractor shall ensure that any NRC data remaining in any storage component is protected to prevent unauthorized disclosure.

When contractor employees no longer require access to an NRC system, the contractor shall notify the project officer within 24 hours.

Upon contract completion, the contractor shall provide a status list of all NRC system users and shall note if any users still require access to the system to perform work under a follow-on contract or task order issued by NRC.

Control Of Information And Data


Page 9: AWARD OF INTERAGENCY AGREEMENT

The contractor shall not publish or disclose in any manner, without the contracting officer's written consent, the details of any security controls or countermeasures either designed or developed by the contractor under this contract or otherwise provided by the NRC.

Any IT system used to process NRC sensitive information shall:

Include a mechanism to require users to uniquely identify themselves to the system before beginning to perform any other actions that the system is expected to provide.

Be able to authenticate data that includes information for verifying the claimed identity of individual users (e.g., passwords).

Protect authentication data so that it cannot be accessed by any unauthorized user.

Be able to enforce individual accountability by providing the capability to uniquely identify each individual computer system user.

Report to appropriate security personnel when attempts are made to guess the authentication data, whether inadvertently or deliberately.
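The last requirement above (report attempts to guess authentication data) is the one that needs actual detection logic rather than a configuration setting. The following is an added example, not code from the agreement, the NRC or the FAA: it parses a constructed authentication log and raises an alert when either one account or one source address accumulates repeated failures inside a short window, which covers both a single account being hammered and one source spraying many accounts. The log line format, the threshold of five failures, the ten-minute window and every sample line are assumptions made for this example.

```python
"""Detect password-guessing attempts from authentication log lines.

Added example, not part of the NRC/FAA agreement. The log format,
thresholds and sample lines below are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <RESULT> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample lines (not real data). alice is hit five times from one
# address; 192.0.2.7 sprays five different accounts; bob's two failures are
# far apart and should not alert.
SAMPLE_LOG = """\
2012-06-01T08:00:01 auth FAILURE user=alice src=10.0.0.5
2012-06-01T08:00:03 auth FAILURE user=alice src=10.0.0.5
2012-06-01T08:00:04 auth FAILURE user=alice src=10.0.0.5
2012-06-01T08:00:06 auth FAILURE user=alice src=10.0.0.5
2012-06-01T08:00:07 auth FAILURE user=alice src=10.0.0.5
2012-06-01T08:00:09 auth SUCCESS user=alice src=10.0.0.5
2012-06-01T08:05:00 auth FAILURE user=bob src=10.0.0.9
2012-06-01T09:30:00 auth FAILURE user=bob src=10.0.0.9
2012-06-01T09:31:00 auth FAILURE user=carol src=192.0.2.7
2012-06-01T09:31:02 auth FAILURE user=dave src=192.0.2.7
2012-06-01T09:31:04 auth FAILURE user=erin src=192.0.2.7
2012-06-01T09:31:06 auth FAILURE user=frank src=192.0.2.7
2012-06-01T09:31:08 auth FAILURE user=grace src=192.0.2.7
"""


def parse_events(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user or source with >= threshold failures
    inside a sliding time window. A later SUCCESS does not clear the
    alert: a guess that eventually worked is still a guess."""
    failures = defaultdict(list)  # ("user"|"src", value) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAILURE":
            continue
        failures[("user", ev["user"])].append(ev["ts"])
        failures[("src", ev["src"])].append(ev["ts"])

    alerts = []
    for (kind, value), times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"kind": kind, "value": value,
                               "count": end - start + 1,
                               "first": times[start], "last": t})
                break  # one alert per key is enough for reporting
    return alerts


def format_report(alerts):
    """Render alerts as lines suitable for handing to security personnel."""
    return [
        f"{a['kind']}={a['value']}: {a['count']} failures between "
        f"{a['first'].isoformat()} and {a['last'].isoformat()}"
        for a in alerts
    ]


if __name__ == "__main__":
    for line in format_report(detect_guessing(parse_events(SAMPLE_LOG))):
        print(line)
```

Keying on both the account and the source is the point of the design: a threshold on the account alone misses a password spray that tries one guess per user, and a threshold on the source alone misses a distributed attack on one account. In production the same logic would run over the system's real authentication log and the alerts would be forwarded to the security staff named in the contract rather than printed.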

Access Controls

Any contractor system being used to process NRC data shall be able to define and enforce access privileges for individual users. The discretionary access control mechanisms shall be configurable to protect objects (e.g., files, folders) from unauthorized access.

The contractor system being used to process NRC data shall provide only essential capabilities and specifically prohibit and/or restrict the use of specified functions, ports, protocols, and/or services.

The contractors shall only use NRC approved methods to send and receive information considered sensitive or classified. Specifically:

Classified Information - All NRC Classified data being transmitted over a network shall use NSA approved encryption and adhere to guidance in MD 12.2 NRC Classified Information Security Program, MD 12.5 NRC Automated Information Security Program and Committee on National Security Systems. Classified processing shall be only within facilities, computers, and spaces that have been specifically approved for classified processing.

SGI Information - All SGI being transmitted over a network shall adhere to guidance in MD 12.7 NRC Safeguards Information Security Program and MD 12.5 NRC Automated Information Security Program. SGI processing shall be only within facilities, computers, and spaces that have been specifically approved for SGI processing. Cryptographic modules provided as part of the system shall be validated under the Cryptographic Module Validation Program to conform to NIST FIPS 140-2 overall level 2 and must be operated in FIPS mode. The contractor shall provide the FIPS 140-2 cryptographic module certificate number and a brief description of the encryption module that includes the encryption algorithm(s) used, the key length, and the vendor of the product.

The most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks must be enforced by the system through assigned access authorizations.

Separation of duties for contractor systems used to process NRC information must be enforced by the system through assigned access authorizations.

The mechanisms within the contractor system or application that enforce access control and other security features shall be continuously protected against tampering and/or unauthorized changes.

Page 10: AWARD OF INTERAGENCY AGREEMENT

Configuration Standards

All systems used to process NRC sensitive information shall meet NRC configuration standards available at: http://www.internal.nrc.gov/CSO/standards.html.

Media Handling

All media used by the contractor to store or process NRC information shall be controlled in accordance with the sensitivity level.

The contractor shall not perform sanitization or destruction of media approved for processing NRC information designated as SGI or Classified. The contractor must provide the media to NRC for destruction.

Vulnerability Management

The Contractor must adhere to NRC patch management processes for all systems used to process NRC information. Patch management reports will be made available to the NRC upon request, within the following timeframes by security categorization:

5 calendar days after being requested for a high sensitivity system

10 calendar days after being requested for a moderate sensitivity system

15 calendar days after being requested for a low sensitivity system

For any contractor system used to process NRC information, the contractor must ensure that information loaded into the system is scanned for viruses prior to posting; servers are scanned for viruses, adware, and spyware on a regular basis; and virus signatures are updated at the following frequency:

1 calendar day for a high sensitivity system

3 calendar days for a moderate sensitivity system

7 calendar days for a low sensitivity system

INFORMATION TECHNOLOGY (IT) SECURITY REQUIREMENTS - GENERAL EXCEPTIONS

All purchases shall comply with the latest version of policy, procedures and standards. Individual task orders will reference the latest versions of policy, procedures, standards or exceptions as necessary. These policy, procedures and standards include: NRC Management Directive (MD) volume 12, Security; Computer Security Office policies, procedures and standards; National Institute of Standards and Technology (NIST) guidance and Federal Information Processing Standards (FIPS); and Committee on National Security Systems (CNSS) policy, directives, instructions, and guidance. This information is available at the following links:

All procurements must be certified and accredited prior to being placed into an operational state.

All electronic processing of NRC sensitive information, including all system development and operations and maintenance activities performed at non-NRC facilities, shall be in facilities, networks, and computers that have been accredited by NRC for processing information at the highest sensitivity of the information that is processed or will ultimately be processed.

Page 11: AWARD OF INTERAGENCY AGREEMENT

All systems used to process NRC sensitive information shall meet NRC configuration standards available at: http://www.internal.nrc.gov/CSO/standards.html.

A.8.2 SECURITY REQUIREMENTS - DEVELOPMENT AND OPERATIONS AND MAINTENANCE REQUIREMENTS

O&M Security Requirements

All system modifications to classified systems must comply with NRC security policies and procedures for classified systems, as well as federal laws, guidance, and standards, to ensure Federal Information Security Management Act (FISMA) compliance.

The Contractor shall correct errors in contractor-developed software and applicable documentation that are not commercial off-the-shelf and which are discovered by the NRC or the contractor. Inability of the parties to determine the cause of software errors shall be resolved in accordance with the Disputes clause in Section I, FAR 52.233-1, incorporated by reference in the contract.

The Contractor shall adhere to the guidance outlined in NIST SP 800-53, FIPS 200 and NRC guidance for the identification and documentation of minimum security controls.

The contractor shall provide the system requirements traceability matrix at the end of the initiation phase, development/acquisition phase, implementation/assessment phase, operation and maintenance phase and disposal phase, with the security requirements in a separate section so that they can be traced through the development life cycle. The contractor shall also provide the software and hardware designs, test plan documentation, and source code upon request to the NRC for review.

All development and testing of the systems shall be protected at their assigned system sensitivity level and shall be performed on a network separate and isolated from the NRC operational network.

All system computers must be properly configured and hardened according to NRC policies, guidance, and standards and comply with all NRC security policies and procedures commensurate with the system security categorization.

All contractor-provided deliverables identified in the project plan will be subject to the review and approval of NRC Management. The PM will establish review time based on the complexity of the system and incorporate it into the project schedule; time should be reserved for NRC Computer Security Office reviews, which range from 7 to 21 calendar days. The contractor will make the necessary modifications to project deliverables to resolve any identified issues. Project deliverables include but are not limited to: requirements, architectures, design documents, test plans, and test reports.

System development schedules shall include computer security office go/no-go decision points, including but not limited to the following system milestones:

1. Requirements review
2. Architecture review
3. Detailed design review
4. Code review
5. System test
6. System readiness review

Page 12: AWARD OF INTERAGENCY AGREEMENT

Access Controls

The contractor shall not hardcode any passwords into the software unless the password only appears on the serverside (e.g. using server-side technology such as ASP, PHP, or JSP).

The contractor shall ensure that the software does not contain undocumented functions and undocumented methods for gaining access to the software or to the computer system on which it is installed. This includes, but is not limited to, master access keys, back doors, or trapdoors.
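The two access-control clauses above are the kind a code reviewer has to check mechanically across a delivery. The following is an added example, not part of the agreement or either agency's tooling: a small scanner that flags string literals assigned to password-like names and credentials embedded in URLs, rates hits in client-delivered files (JavaScript, HTML) as high severity because the clause never permits a password there, and rates server-side hits as medium because the clause tolerates them there, while a secrets store is still the better choice. File names, the regular expressions, the placeholder rules and all sample file contents are assumptions constructed for this example.

```python
"""Flag hard-coded credentials in source files.

Added example, not from the agreement or either agency. File names,
patterns, severities and sample contents are assumptions for this example.
"""
import os
import re

# Assumed: files with these extensions are shipped to the client (browser),
# where the clause never allows a password to appear.
CLIENT_SIDE_EXT = {".js", ".html", ".htm", ".ts"}

# name-like-a-secret = "literal"   (optionally prefixed, e.g. DB_PASSWORD)
ASSIGN_RE = re.compile(
    r"""(?ix)
    \b[\w-]*?(password|passwd|pwd|secret|api[_-]?key|auth[_-]?token)\b
    \s*[:=]\s*
    (?P<q>["'])(?P<val>(?:(?!(?P=q)).){4,})(?P=q)
    """
)
# credentials embedded in a URL: scheme://user:pass@host
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<val>[^/\s@]+)@", re.I)
# values that are placeholders, not real secrets
PLACEHOLDER_RE = re.compile(r"^(?:\$\{.*\}|<.*>|x+|changeme|todo|example)$", re.I)


def scan_text(path, text):
    """Scan one file's text; return a list of findings (dicts)."""
    ext = os.path.splitext(path)[1].lower()
    severity = "HIGH" if ext in CLIENT_SIDE_EXT else "MEDIUM"
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith(("#", "//")):  # whole-line comments
            continue
        for rx in (ASSIGN_RE, URL_CRED_RE):
            m = rx.search(line)
            if m and not PLACEHOLDER_RE.match(m.group("val")):
                findings.append({"path": path, "line": lineno,
                                 "severity": severity,
                                 "match": m.group(0).strip()})
                break  # one finding per line is enough
    return findings


def scan_files(files):
    """files: mapping of path -> text. Returns findings across all files."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample delivery (not real code or secrets).
SAMPLE_FILES = {
    "static/app.js":
        'const apiKey = "AKIA0000EXAMPLEKEY";\n'
        'fetch("/api", {headers: {"X-Key": apiKey}});\n',
    "templates/login.html":
        '<!-- login form -->\n'
        '<input type="password" name="password">\n',   # a field, not a secret
    "server/db.php":
        '<?php\n'
        '$password = "s3cr3t-db-pass";\n'
        '$dsn = "mysql://app:" . $password . "@db/prism";\n',
    "server/config.py":
        'DB_PASSWORD = "${DB_PASSWORD}"  # injected at deploy time\n'
        'API_URL = "https://svc.example/v1"\n',
    "server/worker.py":
        '# password = "old-value"\n'
        'url = "https://svc:hunter22@svc.example/v1"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['severity']:6} {f['path']}:{f['line']}  {f['match']}")
```

Run against the sample, the scanner reports the API key in the client-side JavaScript as HIGH and the PHP database password and the URL-embedded password in the worker as MEDIUM; the HTML password field, the deploy-time placeholder and the commented-out line are not reported. A scanner like this is a screen, not proof of absence: it only confirms the obvious cases, and the back-door clause that follows still needs human review of authentication paths.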

Cryptography

Cryptographic modules provided as part of the system shall be validated under the Cryptographic Module Validation Program to conform to NIST FIPS 140-2 and must be operated in FIPS mode. The contractor shall provide the FIPS 140-2 cryptographic module certificate number and a brief description of the encryption module that includes the encryption algorithm(s) used, the key length, and the vendor of the product.

Configuration Management And Control

The contractor must ensure that the system will be divided into configuration items (CIs). CIs are parts of a system that can be individually managed and versioned. The system shall be managed at the CI level.

The contractor must have a configuration management plan that includes all hardware and software that is part of the system and contains at minimum the following sections:

1. Introduction
   a. Purpose & Scope
   b. Definitions
   c. References

2. Configuration Management
   a. Organization
   b. Responsibilities
   c. Tools and Infrastructure

3. Configuration Management Activities
   a. Specification Identification
   b. Change control form identification
   c. Project baselines

4. Configuration and Change Control
   a. Change Request Processing and Approval
   b. Change Control Board

5. Milestones
   a. Define baselines, reviews, audits
   b. Training and Resources

The Information System Security Officer's (ISSO's) role in the change management process must be described. The ISSO is responsible for the security posture of the system. Any changes to the system security posture must be approved by the ISSO. The contractor should not have the ability to make changes to the system's security posture without the appropriate involvement and approval of the ISSO.

The contractor shall track and record information specific to proposed and approved changes that minimally includes:

1. Identified configuration change
2. Testing of the configuration change
3. Scheduled implementation of the configuration change
4. Track system impact of the configuration change
5. Track the implementation of the configuration change
6. Recording & reporting of configuration change to the appropriate party
7. Back out/Fall back plan
8. Weekly Change Reports and meeting minutes
9. Emergency change procedures
10. List of team members from key functional areas

The contractor shall provide a list of software and hardware changes in advance of placing them into operation within the following timeframes:

* 30 calendar days for a classified, SGI, or high sensitivity system
* 20 calendar days for a moderate sensitivity system
* 10 calendar days for a low sensitivity system

The contractor must maintain all system documentation that is current to within:

* 10 calendar days for a classified, SGI, or high sensitivity system
* 20 calendar days for a moderate sensitivity system
* 30 calendar days for a low sensitivity system

Modified code, tests performed and test results, issue resolution documentation, and updated system documentation shall be deliverables on the contract.

Any proposed changes to the system must have written approval from the NRC project officer. The contractor shall maintain a list of hardware, firmware and software changes that is current to within:

* 15 calendar days for a classified, SGI or high sensitivity system
* 20 calendar days for a moderate sensitivity system
* 30 calendar days for a low sensitivity system

The contractor shall analyze proposed hardware and software configurations and modifications, as well as addressed security vulnerabilities, in advance of NRC accepted operational deployment dates within:

* 15 calendar days for a classified, SGI, or high sensitivity system
* 20 calendar days for a moderate sensitivity system
* 30 calendar days for a low sensitivity system

The contractor shall provide the above analysis with the proposed hardware and software for NRC testing in advance of NRC accepted operational deployment dates within:

* 15 calendar days for a classified, SGI, or high sensitivity system
* 20 calendar days for a moderate sensitivity system
* 30 calendar days for a low sensitivity system

Control Of Hardware And Software


The contractor shall demonstrate that all hardware and software meet security requirements prior to being placed into the NRC production environment.

The contractor shall ensure that the development environment is separated from the operational environment using NRC CSO approved controls.

Auditing

The system shall be able to create, maintain and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects. The audit data shall be protected so that read access to it is limited to those who are authorized.

The system shall be able to record the following types of events: use of identification and authentication mechanisms, introduction of objects into a user's address space (e.g., file open, program initiation), deletion of objects, and actions taken by computer operators and system administrators or system security officers and other security relevant events. The system shall be able to audit any override of security controls.

The Contractor shall ensure auditing is implemented on the following:

* Operating System
* Application
* Web Server
* Web Services
* Network Devices
* Database
* Wireless

The contractor shall perform audit log reviews daily using automated analysis tools. In addition, the contractor must log at least the following events on systems that process NRC information:

* Audit all failures
* Successful logon attempt
* Failure of logon attempt
* Permission Changes
* Unsuccessful File Access
* Creating users & objects
* Deletion & modification of system files
* Registry Key/Kernel changes
* Startup & shutdown
* Authentication
* Authorization/permission granting
* Actions by trusted users
* Process invocation
* Controlled access to data by individually authenticated user
* Unsuccessful data access attempt
* Data deletion
* Data transfer
* Application configuration change
* Application of confidentiality or integrity labels to data
* Override or modification of data labels or markings
* Output to removable media
* Output to a printer

A.8.3 IT SECURITY REQUIREMENTS - CERTIFICATION AND ACCREDITATION

A. SECURITY RISK ASSESSMENT

The contractor shall work with the NRC project officer in performing Risk Assessment activities according to NRC policy, standards, and guidance. The contractor shall perform Risk Assessment activities that include analyzing how the architecture implements the NRC documented security policy for the system, assessing how management, operational, and technical security control features are planned or implemented and how the system interconnects to other systems or networks while maintaining security.

B. SYSTEM SECURITY PLAN

The contractor shall develop the system security plan (SSP) according to NRC policy, standards, and guidance to define the implementation of IT security controls necessary to meet both the functional assurance and security requirements. The contractor will ensure that all controls required to be implemented are documented in the SSP.

C. ASSESSMENT PROCEDURES - SECURITY TEST & EVALUATION

The contractor shall follow NRC policy, standards, and guidance for execution of the test procedures. These procedures shall be supplemented and augmented by tailored test procedures based on the control objective as it applies to NRC. The contractor shall include verification and validation to ensure that appropriate corrective action was taken on identified security weaknesses.

The contractor shall perform Security Test & Evaluation (ST&E) activities, including but not limited to, coordinating the ST&E and developing the ST&E Plan, executing ST&E test cases, and documenting test results. The contractor shall prepare the Plan of Action and Milestones (POA&M) based on the ST&E results.

D. PLAN OF ACTION AND MILESTONES (POA&M) MAINTENANCE & REPORTING

The contractor shall provide a determination, in a written form agreed to by the NRC project officer and Computer Security Office, on whether the implemented corrective action was adequate to resolve the identified information security weaknesses and provide the reasons for any exceptions or risk-based decisions. The contractor shall document any vulnerabilities indicating which portions of the security control have not been implemented or applied.

The contractor shall develop and implement solutions that provide a means of planning and monitoring corrective actions; define roles and responsibilities for risk mitigation; assist in identifying security funding requirements; track and prioritize resources; and inform decision-makers of progress of open POA&M items.

The contractor shall perform verification of IT security weaknesses to ensure that all weaknesses identified through third party (e.g., OIG) audits are included in the POA&Ms, that the quarterly reporting to OMB is accurate, and that the reasons for any exceptions or risk-based decisions are reasonable and clearly documented. This verification process will be done in conjunction with the continuous monitoring activities.

E. CERTIFICATION & ACCREDITATION DOCUMENTATION

The contractor shall create, update, and maintain all Certification and Accreditation (C&A) documentation in accordance with the following NRC Certification and Accreditation procedures and guidance:

* C&A Non-SGI Unclassified Systems
* C&A SGI Unclassified Systems
* C&A Classified Systems

The Contractor must develop a contingency plan and ensure annual contingency testing is completed within one year of the previous test and provide an updated security plan and test report according to NRC's policy and procedure.

The Contractor must conduct annual security control testing according to NRC's policy and procedure and update the POA&M, SSP, etc. to reflect any findings or changes to management, operational and technical controls.

A.8.4. AUTHORITY TO USE GOVERNMENT PROVIDED SPACE AT NRC HEADQUARTERS

Prior to occupying any government provided space at NRC HQs in Rockville, Maryland, the Contractor shall obtain written authorization to occupy specifically designated government space, via the NRC Project Officer, from the Chief, Space Design Branch, ADSPC. Failure to obtain this prior authorization can result in one, or a combination, of the following remedies as deemed appropriate by the Contracting Officer.

(1) Rental charge for the space occupied will be deducted from the invoice amount due the Contractor

(2) Removal from the space occupied

(3) Contract Termination

A.8.5. BADGE REQUIREMENTS FOR UNESCORTED BUILDING ACCESS TO NRC FACILITIES

During the life of this contract, the rights of ingress and egress for contractor personnel must be made available, as required, provided that the individual has been approved for unescorted access after a favorable adjudication from the Security Branch, Division of Facilities and Security (SB/DFS).

In this regard, all contractor personnel whose duties under this contract require their presence on site shall be clearly identifiable by a distinctive badge furnished by the NRC. The Project Officer shall assist the contractor in obtaining badges for the contractor personnel. All contractor personnel must present two forms of Identity Source Documents (I-9). One of the documents must be a valid picture ID issued by a state or by the Federal Government. Original I-9 documents must be presented in person for certification. A list of acceptable documents can be found at http://www.usdoj.gov/crtlrecruit employ/i9form.pdf. It is the sole responsibility of the contractor to ensure that each employee has a proper NRC-issued identification/badge at all times. All photo-identification badges must be immediately (no later than three days) delivered to SB/DFS for cancellation or disposition upon the termination of employment of any contractor personnel. Contractor personnel must display any NRC issued badge in clear view at all times during on site performance under this contract. It is the contractor's duty to assure that contractor personnel enter only those work areas necessary for performance of contract work, and to assure the protection of any Government records or data that contractor personnel may come into contact with.


A.8.6. 2052.209-72 ORGANIZATIONAL CONFLICTS OF INTEREST (JAN 1993)

(a) Purpose. The primary purpose of this clause is to aid in ensuring that the contractor:

(1) Is not placed in a conflicting role because of current or planned interests (financial, contractual, organizational, or otherwise) which relate to the work under this contract; and

(2) Does not obtain an unfair competitive advantage over other parties by virtue of its performance of this contract.

(b) Scope. The restrictions described apply to performance or participation by the contractor, as defined in 48 CFR 2009.570-2, in the activities covered by this clause.

(c) Work for others.

(1) Notwithstanding any other provision of this contract, during the term of this contract, the contractor agrees to forego entering into consulting or other contractual arrangements with any firm or organization the result of which may give rise to a conflict of interest with respect to the work being performed under this contract. The contractor shall ensure that all employees under this contract abide by the provision of this clause. If the contractor has reason to believe, with respect to itself or any employee, that any proposed consultant or other contractual arrangement with any firm or organization may involve a potential conflict of interest, the contractor shall obtain the written approval of the contracting officer before the execution of such contractual arrangement.

(2) The contractor may not represent, assist, or otherwise support an NRC licensee or applicant undergoing an NRC audit, inspection, or review where the activities that are the subject of the audit, inspection, or review are the same as or substantially similar to the services within the scope of this contract (or task order as appropriate) except where the NRC licensee or applicant requires the contractor's support to explain or defend the contractor's prior work for the utility or other entity which NRC questions.

(3) When the contractor performs work for the NRC under this contract at any NRC licensee or applicant site, the contractor shall neither solicit nor perform work in the same or similar technical area for that licensee or applicant organization for a period commencing with the award of the task order or beginning of work on the site (if not a task order contract) and ending one year after completion of all work under the associated task order, or last time at the site (if not a task order contract).

(4) When the contractor performs work for the NRC under this contract at any NRC licensee or applicant site,

(i) The contractor may not solicit work at that site for that licensee or applicant during the period of performance of the task order or the contract, as appropriate.

(ii) The contractor may not perform work at that site for that licensee or applicant during the period of performance of the task order or the contract, as appropriate, and for one year thereafter.

(iii) Notwithstanding the foregoing, the contracting officer may authorize the contractor to solicit or perform this type of work (except work in the same or similar technical area) if the contracting officer determines that the situation will not pose a potential for technical bias or unfair competitive advantage.

(d) Disclosure after award.

(1) The contractor warrants that to the best of its knowledge and belief, and except as otherwise set forth in this contract, that it does not have any organizational conflicts of interest as defined in 48 CFR 2009.570-2.

(2) The contractor agrees that if, after award, it discovers organizational conflicts of interest with respect to this contract, it shall make an immediate and full disclosure in writing to the contracting officer. This statement must include a description of the action which the contractor has taken or proposes to take to avoid or mitigate such conflicts. The NRC may, however, terminate the contract if termination is in the best interest of the Government.

(3) It is recognized that the scope of work of a task-order-type contract necessarily encompasses a broad spectrum of activities. Consequently, if this is a task-order-type contract, the contractor agrees that it will disclose all proposed new work involving NRC licensees or applicants which comes within the scope of work of the underlying contract. Further, if this contract involves work at a licensee or applicant site, the contractor agrees to exercise diligence to discover and disclose any new work at that licensee or applicant site. This disclosure must be made before the submission of a bid or proposal to the utility or other regulated entity and must be received by the NRC at least 15 days before the proposed award date in any event, unless a written justification demonstrating urgency and due diligence to discover and disclose is provided by the contractor and approved by the contracting officer. The disclosure must include the statement of work, the dollar value of the proposed contract, and any other documents that are needed to fully describe the proposed work for the regulated utility or other regulated entity. NRC may deny approval of the disclosed work only when the NRC has issued a task order which includes the technical area and, if site-specific, the site, or has plans to issue a task order which includes the technical area and, if site-specific, the site, or when the work violates paragraphs (c)(2), (c)(3) or (c)(4) of this section.

(e) Access to and use of information.

(1) If in the performance of this contract, the contractor obtains access to information, such as NRC plans, policies, reports, studies, financial plans, internal data protected by the Privacy Act of 1974 (5 U.S.C. Section 552a (1988)), or the Freedom of Information Act (5 U.S.C. Section 552 (1986)), the contractor agrees not to:

(i) Use this information for any private purpose until the information has been released to the public;

(ii) Compete for work for the Commission based on the information for a period of six months after either the completion of this contract or the release of the information to the public, whichever is first;

(iii) Submit an unsolicited proposal to the Government based on the information until one year after the release of the information to the public; or

(iv) Release the information without prior written approval by the contracting officer unless the information has previously been released to the public by the NRC.

(2) In addition, the contractor agrees that, to the extent it receives or is given access to proprietary data, data protected by the Privacy Act of 1974 (5 U.S.C. Section 552a (1988)), or the Freedom of Information Act (5 U.S.C. Section 552 (1986)), or other confidential or privileged technical, business, or financial information under this contract, the contractor shall treat the information in accordance with restrictions placed on use of the information.

(3) Subject to patent and security provisions of this contract, the contractor shall have the right to use technical data it produces under this contract for private purposes provided that all requirements of this contract have been met.

(f) Subcontracts. Except as provided in 48 CFR 2009.570-2, the contractor shall include this clause, including this paragraph, in subcontracts of any tier. The terms contract, contractor, and contracting officer, must be appropriately modified to preserve the Government's rights.

(g) Remedies. For breach of any of the above restrictions, or for intentional nondisclosure or misrepresentation of any relevant interest required to be disclosed concerning this contract or for such erroneous representations that necessarily imply bad faith, the Government may terminate the contract for default, disqualify the contractor from subsequent contractual efforts, and pursue other remedies permitted by law or this contract.

(h) Waiver. A request for waiver under this clause must be directed in writing to the contracting officer in accordance with the procedures outlined in 48 CFR 2009.570-9.


(i) Reserved

(1) If the contractor, under this contract, prepares a complete or essentially complete statement of work or specifications, the contractor is not eligible to perform or participate in the initial contractual effort which is based on the statement of work or specifications. The contractor may not incorporate its products or services in the statement of work or specifications unless so directed in writing by the contracting officer, in which case the restrictions in this paragraph do not apply.

(2) Nothing in this paragraph precludes the contractor from offering or selling its standard commercial items to the Government.

A.8.7 DRUG FREE WORKPLACE TESTING: UNESCORTED ACCESS TO NUCLEAR FACILITIES, ACCESS TO CLASSIFIED INFORMATION OR SAFEGUARDS INFORMATION, OR PERFORMING IN SPECIALLY SENSITIVE POSITIONS

NRC's Headquarters Assistant Drug Program Coordinator (ADPC) shall be responsible for implementing and managing the collecting and testing portions of the NRC Contractor Drug Testing Program. The Headquarters ADPC function is carried out by the Drug Program Manager in the Division of Facilities and Security, Office of Administration. All sample collection, testing, and review of test results shall be conducted by the NRC "drug testing contractor." The NRC will reimburse the NRC "drug testing contractor" for these services.

All contractor employees, subcontractor employees, and consultants proposed for performance or performing under this contract shall be subject to the requirements of the clause if they meet one of the following criteria stated in the Plan: (1) individuals who require unescorted access to nuclear power plants, (2) individuals who have access to classified or safeguards information, (3) individuals who are required to carry firearms in performing security services for the NRC, (4) individuals who are required to operate government vehicles or transport passengers for the NRC, (5) individuals who are required to operate hazardous equipment at NRC facilities, or (6) individuals who admit to recent illegal drug use or those who are found through other means to be using drugs illegally. The Plan includes pre-assignment, random, reasonable suspicion, and post-accident drug testing. The due process procedures applicable to NRC employees under NRC's Drug Testing Program are not applicable to contractors, consultants, subcontractors and their employees. Rather, a contractor's employees and their subcontractors are subject to the procedures and terms of their employment agreements with their employer.

The NRC Drug Program Manager will schedule the drug testing for all contractor employees, subcontractor employees, and consultants who are subject to testing under this clause in accordance with the Plan. The NRC will reimburse the NRC "drug testing contractor" for collecting, testing, and reviewing test results. Any NRC contractor found to be using, selling, or possessing illegal drugs, or any contractor with a verified positive drug test result under this program while in a duty status will immediately be removed from working under the NRC contract. The contractor's employer will be notified of the denial or revocation of the individual's authorization to have access to information and ability to perform under the contract. The individual may not work on any NRC contract for a period of not less than one year from the date of the failed drug test and will not be considered for reinstatement unless evidence of rehabilitation, as determined by the NRC "drug testing contractor's" Medical Review Officer, is provided.

Contractor drug testing records are protected under the NRC Privacy Act Systems of Records, System 35, "Drug Testing Program Records - NRC" found at: http://www.nrc.gov/reading-rm/foia/privacy-systems.html


A.8.8. CONTRACTOR RESPONSIBILITY FOR PROTECTING PERSONALLY IDENTIFIABLE INFORMATION (PII)

In accordance with the Office of Management and Budget's guidance to Federal agencies and the Nuclear Regulatory Commission's (NRC) implementing policy and procedures, a contractor (including subcontractors and contractor employees), who performs work on behalf of the NRC, is responsible for protecting, from unauthorized access or disclosure, personally identifiable information (PII) that may be provided, developed, maintained, collected, used, or disseminated, whether in paper, electronic, or other format, during performance of this contract.

A contractor who has access to NRC owned or controlled PII, whether provided to the contractor by the NRC or developed, maintained, collected, used, or disseminated by the contractor during the course of contract performance, must comply with the following requirements:

(1) General. In addition to implementing the specific requirements set forth in this clause, the contractor must adhere to all other applicable NRC guidance, policy and requirements for the handling and protection of NRC owned or controlled PII. The contractor is responsible for making sure that it has an adequate understanding of such guidance, policy and requirements.

(2) Use, Ownership, and Nondisclosure. A contractor may use NRC owned or controlled PII solely for purposes of this contract, and may not collect or use such PII for any purpose outside the contract without the prior written approval of the NRC Contracting Officer. The contractor must restrict access to such information to only those contractor employees who need the information to perform work under this contract, and must ensure that each such contractor employee (including subcontractors' employees) signs a nondisclosure agreement, in a form suitable to the NRC Contracting Officer, prior to being granted access to the information. The NRC retains sole ownership and rights to its PII. Unless the contract states otherwise, upon completion of the contract, the contractor must turn over all PII in its possession to the NRC, and must certify in writing that it has not retained any NRC owned or controlled PII except as otherwise authorized in writing by the NRC Contracting Officer.

(3) Security Plan. When applicable, and unless waived in writing by the NRC Contracting Officer, the contractor must work with the NRC to develop and implement a security plan setting forth adequate procedures for the protection of NRC owned or controlled PII as well as the procedures which the contractor must follow for notifying the NRC in the event of any security breach. The plan will be incorporated into the contract and must be implemented and followed by the contractor once it has been approved by the NRC Contracting Officer. If the contract does not include a security plan at the time of contract award, a plan must be submitted for the approval of the NRC Contracting Officer within 30 days after contract award.

(4) Breach Notification. The contractor must immediately notify the NRC Contracting Officer and the NRC Project Officer upon discovery of any suspected or confirmed breach in the security of NRC owned or controlled PII.

(5) Legal Demands for Information. If a legal demand is made for NRC owned or controlled PII (such as by subpoena), the contractor must immediately notify the NRC Contracting Officer and the NRC Project Officer. After notification, the NRC will determine whether and to what extent to comply with the legal demand. The Contracting Officer will then notify the contractor in writing of the determination and such notice will indicate the extent of disclosure authorized, if any. The contractor may only release the information specifically demanded with the written permission of the NRC Contracting Officer.

(6) Audits. The NRC may audit the contractor's compliance with the requirements of this clause, including through the use of online compliance software.

(7) Flow-down. The prime contractor will flow this clause down to subcontractors that would be covered by any portion of this clause, as if they were the prime contractor.

(8) Remedies:


(a) The contractor is responsible for implementing and maintaining adequate security controls to prevent the loss of control or unauthorized disclosure of NRC owned or controlled PII in its possession. Furthermore, the contractor is responsible for reporting any known or suspected loss of control or unauthorized access to PII to the NRC in accordance with the provisions set forth in Article 4 above.

(b) Should the contractor fail to meet its responsibilities under this clause, the NRC reserves the right to take appropriate steps to mitigate the contractor's violation of this clause. This may include, at the sole discretion of the NRC, termination of the subject contract.

(9) Indemnification. Notwithstanding any other remedies available to the NRC, the contractor will indemnify the NRC against all liability (including costs and fees) for any damages arising out of violations of this clause.

A.9 NRC Interagency Agreement Representative

(a) The NRC Interagency Agreement Representative (also referred to as the COR) for this IAA is as follows:

Ron Deavers
Office: ADSA
Mailstop: TWFN/ 9 C1 6
Washington, DC 20555-0001
Phone: 301-415-7301
Email: [email protected]

PART B - ATTACHMENTS

B.1. FORM DOT F2300
B.2. NRC FORM 662
B.3. NRC BUDGET FORECAST
B.4. STATEMENT OF WORK
B.5. PROJECT MANAGEMENT PLAN


Statement of Work

Enterprise Services Center

May 14, 2012


Nuclear Regulatory Commission

Implementation SOW

Agreement Number: FF-PRISM-ESCI-PNRC-12


I. EXECUTIVE SUMMARY ..... 3
II. ABOUT ESC ..... 3
III. NEEDS/PROBLEMS ..... 7
IV. SCOPE OF WORK ..... 7
V. PROJECT MANAGEMENT SERVICES ..... 7
VI. HOSTING SERVICES ..... 8
VII. TELECOMMUNICATION SERVICES ..... 8
VIII. SECURITY SERVICES ..... 8
IX. COMPUSEARCH SERVICES ..... 10
X. DOCUMENT RECORDS MANAGEMENT ..... 10
XI. APPROVAL ..... 11


I. Executive Summary

The Nuclear Regulatory Commission (NRC) approached the Federal Aviation Administration (FAA) Enterprise Services Center (ESC) regarding ESC's ability to meet an NRC requirement to implement an integrated procurement solution for NRC's instance of Momentum, which is called the Financial Accounting and Integrated Management Information System (FAIMIS). ESC submitted a Rough Order of Magnitude (ROM) estimate for this project on July 27, 2011 for a solution that would entail implementing a Compusearch¹ PRISM application with integration to Momentum/FAIMIS using Service Oriented Architecture (SOA).

The NRC staff visited the ESC in Oklahoma City on August 16, 2011 to discuss requirements and possible direction. After further analysis, ESC notified NRC that we could not meet their expectations as relayed in the August meeting at ESC. At the request of NRC, ESC took another look at what needs ESC could meet for this project and relayed those at a meeting at NRC offices on September 13, 2011. ESC proposed conducting a planning phase for implementation of a PRISM/Momentum solution, which would require extensive Compusearch participation as a partner on this project. Compusearch is the vendor that developed PRISM and the service-oriented architecture (SOA) web services interface to Momentum.

Based upon the planning phase outcome, ESC will implement a PRISM solution using a Flat File (FF) approach. All documentation for the planning phase can be found at the repository identified in Section X. Document Records Management.

II. About ESC

In the 1980's the US Department of Transportation (DOT) dedicated the resources to create an unparalleled team of professionals dedicated to supporting the diverse business needs of its agencies. Today called the Enterprise Services Center, this group assists numerous agencies with a wide range of business needs.

ESC has become a provider of choice because we take the time to learn our customer's business processes and requirements. We establish expectations and service levels and use the information we gather to develop an appropriate integration strategy for each customer.

ESC has extensive experience cross-servicing other federal organizations, including the Government Accountability Office, Department of Education, US Air Force, Coast Guard, Social Security Administration, Transportation Security Administration, National Endowment for the Arts, General Services Administration, Indian Health Service, and of course the Department of Transportation (DOT).

¹ Compusearch has successfully implemented PRISM-to-Momentum installations at the Environmental Protection Agency (EPA) and the United States Agency for International Development (USAID).


In February 2005, the Enterprise Services Center at the Federal Aviation Administration Mike Monroney Aeronautical Center was named one of OMB's Financial Management Centers of Excellence/Shared Service Providers.

The ESC constantly strives to improve service and our quality levels by:

• Providing Service Level Agreements (SLAs) that ensure the performance you expect, backed with complete performance metrics
• Updating and modifying your applications with the most current versions available
• Maintaining your database
• Administering your servers
• Monitoring and tracking your system needs
• Providing system security, including Certification and Accreditations (C&As)

The ESC utilizes a generic interagency agreement to make conducting business easy. Once basic terms are agreed to and funding identified, the signature of principals from each organization is required. Work will begin once all the necessary signatures have been obtained and funds have been made available.

Standards and Practices

The ESC provides oversight of system changes and operations based on Information Technology Infrastructure Library (ITIL) best practices and International Organization for Standardization (ISO) 9001:2000 and ISO/International Electrotechnical Commission (IEC) 20000 processes.

ESC Compliance with Federal Financial Management Requirements

ESC is committed to following all federal financial management requirements. The following illustrates how we address key federal financial management requirements and federal systems security and privacy laws, regulations, standards and guidelines.

OMB Circular No. A-127, Financial Management Systems

ESC PRISM is integrated with Delphi using our unique SOA-based interface. This interface not only exchanges data between Delphi and PRISM, but adds important value-added features that both the accounting and procurement users will value. For example, ESC PRISM performs real-time accounting code and supplier validation, as well as on-line funds checking and real-time update of validated obligating documents. This solution improves integrity by eliminating manual entry of acquisition documents into the financial system. We would utilize our experience and knowledge of our ESC PRISM product to implement a PRISM solution for NRC using the web services SOA interface developed by Compusearch to integrate with Momentum.

The ESC O&M phase includes all patches and numbered upgrades within a base version. Upgrades to the next major version of PRISM will be negotiated with NRC separately, as these upgrades include major technology changes which may significantly change business processes, including interface support. ESC is committed to keeping PRISM patch levels current and supported.

OMB Circular No. A-130, Management of Federal Information Resources


The ESC core financial management system complies with OMB Circular A-130 by utilizing a record retention policy and a disaster recovery plan or COOP to manage the information resources of ESC.

Our records are governed by the General Records Schedule (GRS) and the schedules that the National Archives and Records Administration (NARA) has set forth. The records are properly accounted for by managing the Official Files Lists, performing annual audits, and proper disposition of a record. The disposition of a record is established by the GRS and/or NARA.

Our Continuity of Operations (COOP) program is managed as a living life cycle. The program is kept current by conducting an annual Business Impact Analysis/Business Process Analysis (BIA/BPA), which is incorporated into the COOP Plan. Annual testing, training, and exercising are performed to find strengths and weaknesses, which are then incorporated into the COOP plan.

Federal Financial Management Improvement Act of 1996

ESC complies with requirements of the Office of Management and Budget (OMB) Circular A-123, Appendix A - Management's Responsibility for Internal Control, issued under the authority of the Federal Managers' Financial Integrity Act of 1982 as codified in 31 U.S.C. 3512.

ESC documents key business processes in relation to OMB Circular A-123 guidance. This key business process documentation is used to assess, test, and report on the effectiveness of internal controls over financial reporting. Process documentation and transaction testing on the key business processes is performed yearly to ensure that ESC internal control is effective.

National Institute of Standards and Technology (NIST) & Federal Information Security Management Act of 2002 (FISMA)

As an OMB-designated SSP for Financial Management, ESC systems adhere to the National Institute of Standards and Technology (NIST) 800-series special publications to remain in compliance with the Federal Information Security Management Act of 2002 (FISMA).

ESC was also designated by OMB as a Shared Services Center (SSC) under the Information Systems Security Line of Business (ISSLoB) initiative, with a focus on Certification and Accreditation (C&A) and Other Security Services. Only one of four federal organizations to hold this SSC designation, ESC provides a broad spectrum of information security services, including Information System Security Officer (ISSO) services as well as independent Certification services.

E-Gov Act of 2002

ESC supports the E-Gov initiative by providing financial and procurement data, in support of federal regulations, for publishing on federal websites.

Section 508 Accessibility Requirements


Oracle Federal Financials and Compusearch's PRISM system are both certified Section 508 compliant. ESC is diligent in the procurement process to ensure software purchases are 508 compliant.

Mission - Vision

The Vision of the ESC:

To transform our culture: where continuously improving our Business Services and Solutions becomes a way of life, where exceptional customer support makes us the Provider of Choice.

And our Mission is to:

Deliver products and services that enable our customers to excel in managing the business of government.


III. Needs/Problems

The Nuclear Regulatory Commission (NRC) seeks to integrate an acquisition system using the PRISM suite of acquisition software products into the Financial Accounting and Integrated Management Information System (FAIMIS) Core Financial System (CFS) as well as the CRISP Data Warehouse. The solution will replace NRC's existing acquisition system, streamline workflows and include the development and documentation of improved acquisition business processes, which are executed using the functionality provided by the PRISM suite of acquisition software products. This is the second phase, which will implement the findings and deliverables from the previous planning phase. See Section X. Document Records Management for the location of the further Project Management documents that outline the needs/problems.

IV. Scope of Work

The scope of the work will be outlined in the Project Management Plan. Please see Section X. Document Records Management for the location of the document.

V. Project Management Services

At the onset of a project, the ESC Project Management resource will deliver a project management plan to include, at minimum:

• Scope and objectives
• Work Breakdown Structure
• Definition of roles and responsibilities between all parties
• Initial risk assessment and mitigation plan
• Project communication protocol
• Project deliverables and acceptance criteria
• Change management strategy and protocol
• Schedule of milestones
• Budget management plan

Additional elements of the project management plan may be included based on project requirements, as deemed necessary by the ESC project manager and/or customer. Acceptance of the project management plan will be in the form of signature approval from the ESC and customer project managers and executive stakeholders. The project will be managed and controlled in accordance with the project management plan by the ESC project manager through each decision gate and closure.

The ESC project manager will facilitate the completion of all project documents using those in the ESC project template repository or those requested by the customer. Communication and change management will be facilitated by the ESC project manager in accordance with the project management plan.

VI. Hosting Services

Hosting Services will include, but are not limited to, the following:

• Tenant Plus with Disaster Recovery
• Secure Facility Management
• Account Management
• System Administration
• ORACLE Database Administration
• Production Control
• Storage Administration
• Backup and Recovery

VII. Telecommunication Services

Telecommunication services will include the following:

• Implement a site-to-site VPN tunnel and T1 circuit within 120 days.
• Support firewall appliances and the firewall management server at MMAC, including installation, configuration, and maintenance.
• Install and remove firewall rules as requested and approved to support the security infrastructure of the MMAC backbone network.
• Serve as an Internet Access Point (IAP) for MMAC and other regions and service areas.
• Provide network support and network security for systems located in the ESC Data Center.
• Configure and manage the NRC, CGI and ESC T1 circuit router.

VIII. Security Services

Information System Security Services: ensure the NRC PRISM system meets Federal Information Security Management Act (FISMA) requirements.

Information Security Operations will provide:

• Security Documentation Creation/Modification for the NRC PRISM system
  o The Security Operations Branch shall review, modify, update, or create the following documents in accordance with National Institute of Standards and Technology (NIST) requirements.
  o Security Documentation
    - Information System Security Plan (ISSP), to include System Characterization Document (SCD)
    - Configuration Management Plan (CMP)
    - Incident Response Plan
    - Media Handling Procedures
    - Audit Log Monitoring Procedures
    - Architectural Diagrams
    - Account Management Procedures
    - Privacy Threshold Analysis (PTA)
    - Privacy Impact Analysis (PIA)
    - System of Record Notice (SORN)
    - eAuthentication Risk Assessment
    - (4) Interface Memorandum of Understanding (MOU)
  o Contingency Documentation
    - Business Impact Analysis (BIA)
    - Information System Contingency Plan (ISCP)
    - DR Tabletop Test/Exercise included
    - Single DR Exercise limited to four (4) hours
  o Travel included

• Scanning for the NRC PRISM system
  o Perform a one-time vulnerability scan of the NRC PRISM (27) servers.
    - High and Medium vulnerabilities will be tracked. ESC will coordinate with the system's ISSO and System Administrators to ensure the vulnerabilities are remediated in a timely manner. If a scan identifies a vulnerability that is believed to be inaccurate, assistance will be provided to create any required document(s).
  o Perform a one-time database scan of the NRC PRISM system. The scan will be against (12) database(s).
    - Each discovered vulnerability will be analyzed, compared and cross-referenced against the National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) database.
    - A comprehensive report will be generated that identifies all potential database security-related issues.
    - Once completed, the generated report along with all raw scan data will be delivered to the customer.
  o Scan (1) web application of the NRC PRISM system.
    - Each discovered vulnerability will be analyzed, compared and cross-referenced against the National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) database.
    - A comprehensive report will be generated that identifies all potential web application security-related issues.
    - Once completed, the generated report along with all raw scan data will be delivered to the customer.
  o Travel not required.
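The scanning items above describe a triage workflow rather than a tool: findings are cross-referenced against NVD CVE data, High and Medium findings are tracked to remediation with the ISSO and system administrators, and a finding believed to be inaccurate is documented rather than silently dropped. The following Python is an added example that models that workflow on constructed data; it is not ESC tooling and is not part of the Statement of Work. The scanner CSV layout, the host names, the CVE-0000-* placeholder identifiers, the NVD excerpt and the false-positive justification are all assumptions. The severity bands follow NVD's published CVSS v2 ranking (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).

```python
"""Vulnerability scan triage in the shape Section VIII describes.

Added example, not ESC/NRC tooling. Every host, id and score below is a
constructed placeholder (assumption); CVE-0000-* ids are not real CVE entries.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed scanner export. The column layout is an assumption; real tools differ.
SCAN_CSV = """host,plugin_id,cve,title
prism-app-01,10001,CVE-0000-1001,Placeholder web server flaw
prism-db-01,10002,CVE-0000-1002,Placeholder database listener issue
prism-app-02,10003,CVE-0000-1003,Placeholder weak TLS cipher suite
prism-app-01,10004,,Server banner disclosure (informational)
prism-db-02,10005,CVE-0000-1004,Placeholder privilege escalation
prism-app-02,10006,CVE-0000-9999,Placeholder finding with unknown id
"""

# Constructed NVD excerpt: placeholder CVE id -> CVSS v2 base score.
NVD_SAMPLE: Dict[str, float] = {
    "CVE-0000-1001": 7.5,
    "CVE-0000-1002": 5.0,
    "CVE-0000-1003": 4.3,
    "CVE-0000-1004": 9.3,
}

# Findings the ISSO has reviewed and documented as inaccurate, keyed by
# (host, cve), with the evidence supporting the false-positive determination.
FALSE_POSITIVES: Dict[Tuple[str, str], str] = {
    ("prism-app-02", "CVE-0000-1003"):
        "cipher list verified on the host; weak suites already disabled",
}


def cvss_v2_severity(score: float) -> str:
    """NVD's CVSS v2 severity ranking: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    host: str
    plugin_id: str
    cve: str
    title: str
    score: Optional[float]
    severity: str
    status: str  # Track | Reported | False positive | Informational | Unmatched
    note: str = ""


def triage(scan_csv: str,
           nvd: Dict[str, float],
           false_positives: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Cross-reference every scanner row against the NVD data and assign a status."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        host, plugin, cve, title = (row["host"], row["plugin_id"],
                                    row["cve"].strip(), row["title"])
        if not cve:
            # No CVE reference: informational, delivered with the raw scan data only.
            findings.append(Finding(host, plugin, cve, title, None, "n/a", "Informational"))
            continue
        if cve not in nvd:
            # The id does not resolve in NVD: flag it for review instead of dropping it.
            findings.append(Finding(host, plugin, cve, title, None, "n/a", "Unmatched",
                                    "id not found in NVD data; verify scanner reference"))
            continue
        score = nvd[cve]
        severity = cvss_v2_severity(score)
        if (host, cve) in false_positives:
            status, note = "False positive", false_positives[(host, cve)]
        elif severity in ("High", "Medium"):
            status, note = "Track", "remediate with ISSO and system administrators"
        else:
            status, note = "Reported", "Low severity; included in report, not tracked"
        findings.append(Finding(host, plugin, cve, title, score, severity, status, note))
    return findings


def tracked(findings: List[Finding]) -> List[Finding]:
    """Tracked items (the POA&M input), highest CVSS score first."""
    return sorted((f for f in findings if f.status == "Track"),
                  key=lambda f: f.score or 0.0, reverse=True)


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per status, for the comprehensive report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SCAN_CSV, NVD_SAMPLE, FALSE_POSITIVES)
    for f in results:
        print(f"{f.host:14} {f.cve or '-':14} {f.severity:7} {f.status:15} {f.note}")
    print("summary:", summary(results))
```

Run stand-alone it prints one line per finding and a status summary. In practice the NVD excerpt would be replaced by a lookup against the NVD data feeds, and the false-positive table by the ISSO's documented justifications, which is the document set the SOW says ESC will help produce; the point of keeping "Unmatched" as a distinct status is that a scanner reference that does not resolve in NVD is a data-quality problem to be checked, not a finding to be discarded.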

Information Security Assessment Branch will provide:

• Conduct independent assessments of the NRC PRISM system to help the system attain/maintain Federal Information Security Management Act (FISMA) compliance.
• Security Authorization (SA) deliverables for NRC PRISM:
  - Executive Summary
  - Security Authorization Memos
  - Security Assessment Report (SAR)
  - Risk Assessment Report (RAR; based on weaknesses identified)
  - Status Reports (distributed weekly to System POCs)
  - Out-brief Telecon (as coordinated by System POCs)
  - Plan of Action and Milestones (POA&M) with Mitigation Recommendations
  - Assessment activities will be conducted in accordance with the latest NIST, DOT and FAA requirements
• (4) Interface MOU Compliance Reviews to ensure proposed Interface MOUs adhere to NIST SP 800-47 requirements.
• Travel included

IX. Compusearch Services

ESC will maintain the contract with Compusearch and provide the following services to NRC:

This requirement is for implementation support of implementing a PRISM application with web services integration with NRC's Momentum core financial system, FAIMIS. This will include providing knowledgeable staff who have experience in gathering, analyzing and documenting customer requirements, as well as leading workshops and discussions with NRC acquisition and finance staff to determine detailed requirements and processes that will need to be addressed during implementation. It also includes developing, testing and implementing the full-scale implementation of the integrated PRISM solution with NRC's FAIMIS and CRISP systems. FAIMIS is the NRC financial system, which is Momentum Financials, and CRISP is NRC's data warehouse system. This includes configuration and potential coding changes to extensions of the PRISM software modules, developing and executing data migration strategies and plans, and preparing for and conducting unit, systems integration and user acceptance testing. The scope also includes the purchase of a bundled PRISM Full Subscription Enterprise license for NRC use of the following PRISM modules:

• PRISM Procurement
• PRISM Grants
• Procurement Interface to FedConnect
• Grants Interface to FedConnect
• FedConnect Portal
• Business Intelligence Dashboard
• PIV Authentication module

X. Document Records Management

All documents and records for this project will be stored on the FAA Knowledge Services Network (KSN) in the project repository at https://ksn2.faa.gov/arc/esc/amk/escpmo/dashboard/NRC/default.aspx.


XI. Approval

The approval signatures will be captured on the Inter/Intra Agency Agreement included with this package.


NRC PRISM Implementation
Project Management Plan

Version 8


NRC PRISM Implementation Project Management Plan, Version: 7, Date: 23APR2012

Revision History

Date | Version | Description | Author
03MAR12 | 18 | Port content from ESC PMO template to NRC PMO template | Cliff Johnson
15MAR12 | 3 | Added verbiage under section 4, still in progress | Cliff Johnson
16MAR12 | 4 | Completed Project Change Request process definition | Cliff Johnson
18MAR12 | 5 | Added section 2.4 Project Deliverables | Cliff Johnson
27MAR12 | 6 | Added section 3 Project Organization | Cliff Johnson
23APR2012 | 7 | Changed Project Org charts and added references to other plan documents | Cliff Johnson
10MAY2012 | 8 | | Cliff Johnson


Table of Contents

1. Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Definitions, Acronyms and Abbreviations
  1.4 References
2. Project Overview
  2.1 Purpose, Scope and Objectives
  2.2 Work Breakdown Structure
    1.0 Plan and Manage Project
    2.0 Procurement
    3.0 Manage Requirements
    4.0 Application Configuration and Installation
    5.0 Architecture and Infrastructure
    6.0 Security
    7.0 Data Migration
    8.0 Integration and Interfaces
    9.0 Training
    10.0 Testing
    11.0 Deployment
    12.0 System Stabilization
  2.3 Assumptions and Constraints
  2.4 Project Deliverables
  2.5 Master Schedule and Budget Summary
3. Project Organization
  3.1 Project Context
  3.2 Organizational Structure
    3.2.1 Project Governance
    3.2.2 Project Team Structure
  3.3 Roles and Responsibilities
    3.3.1 Project Management
    3.3.2 Functional
    3.3.3 Configuration
    3.3.4 Data Migration
    3.3.5 Interface
    3.3.6 Infrastructure
    3.3.7 Security
    3.3.8 Testing
    3.3.9 Training
  3.5 Project Change Management
    3.5.1 Purpose and Scope
    3.5.2 Process Definition
    3.5.3 Roles and Responsibilities
    3.5.4 Project Change Request Form
  3.6 Project Monitoring and Control
    3.6.1 Requirements Management
    3.6.2 Schedule and Cost Control
    3.6.3 Project Reporting and Communications
    3.6.4 Metrics Collection
  3.7 Risk Management
  3.8 Issue Management
  3.9 Project Closeout
4. Technical Processes
  4.1 Development Case
  4.2 Methods, Tools and Techniques
  4.3 Infrastructure
  4.4 Acceptance Criteria
5. Supporting Processes
  5.1 Configuration Management
  5.2 Verification and Validation
  5.3 Documentation Management
  5.4 Quality Assurance
  5.5 Problem Resolution
  5.6 Contractor Management
  5.7 Deployment Management
6. Security and Privacy
  6.1 Privacy Issues
  6.2 Computer Security Activities
7. Additional Activities
8. Appendices


Project Management Plan

1. Introduction

1.1 Purpose

This document defines the Project Management Plan for the NRC PRISM Implementation project. It defines the scope, processes, organization, and tools that will be used to manage the project. Where appropriate, the document may reference external documents that contain relevant information.

1.2 Scope

This document addresses the project management elements required to provide sufficient planning, execution, control, communications, reporting, and closure for the identified project tasks, deliverables, resources, and quality.

1.3 Definitions, Acronyms and Abbreviations

CRISP - Comprehensive Reporting Information System Portal
SSP - System Security Plan
ISAs - Interconnection Security Agreements
MOUs - Memorandums of Understanding
CFS - Core Financial System

1.4 References

The NRC PRISM Implementation project is a large-scale, complex project. The management of the project shall be controlled through a set of complementary, related management and design documents. All documents listed are subordinate to the Project Management Plan document. Figure 1 - Project Documentation and the accompanying list show the inter-relationships and description for each document.

[Figure 1 - Project Documentation: diagram of the Project Management Plan and its subordinate documents, including the Information System Security Plan and the System Architecture]

• Project Management Plan - Overarching plan document identifying how the project will be organized and managed. Discusses scope, organizational structure, cost/schedule elements, management of change and risk, internal/external communications for the project, reporting process, and administrative matters.

• Project Schedule - An MS Project schedule containing the tasks and timeline for project execution. Contains milestone deliverables that correlate to Earned Value and Project Status reports.

• Implementation Plan - Complements the PMP by providing greater detail about the implementation of PRISM. Identifies how the solution will be implemented from requirements to deployment and stabilization. The document contains sections that may reference other documents.

• Information System Security Plan (ISSP) - This will begin during the pre-implementation work and be completed during the Implementation phase. It serves as the basis for the security

• Organizational Change and Communication Plan - Identifies how organizational change and communication to NRC interested parties will be handled. The framework will be provided by ESC/Compusearch, but will be executed and managed by NRC. The document will guide the activities of the designated Communications Manager, who will be responsible for communicating with all NRC stakeholders who are not directly members of the project team or project control board.

• Data Migration Plan - How the data migration will take place. Document to be done during implementation. Analysis/design will begin with the extension of planning activities as noted on the extended planning calendar.

• Interface Design - Technical design document that identifies the custom interfaces (FAIMIS and CRISP) whose scope was identified during the Planning period. Each identified interface should include the design with appropriate technical diagrams and supporting verbiage. Design elements would be documented during the Implementation phase.

• Training Plan - How training is going to be developed, organized, and delivered. Information gathering and discussions will start in April per the extended planning calendar. Documentation of the plan will follow during the Implementation.

• Testing Plan - Identifies how testing will be conducted. This includes definition of the different types of testing:
  - Unit
  - Integration
  - Load
  - User Acceptance

Additionally, the document shall identify which type of testing is done, at what points in the project, and by whom. The document shall also define the following:
  - steps in the test/fix lifecycle
  - roles/responsibilities for test manager/testers
  - defect tracking process, reporting, and repository
  - defined test cases

1.5 Estimated Cost and Period of Performance

Period of Performance | Estimated Cost | Services
June 1, 2012 - May 31, 2013 | $7,716,683.05 | Implementation
June 1, 2013 - May 31, 2014 | $3,180,924.23 | O&M
June 1, 2014 - May 31, 2015 | $3,280,680.95 | O&M
June 1, 2015 - May 31, 2016 | $3,369,148.04 | O&M
June 1, 2016 - May 31, 2017 | $3,461,423.23 | O&M
June 1, 2017 - May 31, 2018 | $3,598,977.36 | O&M
June 1, 2018 - May 31, 2019 | $3,699,397.80 | O&M
June 1, 2019 - May 31, 2020 | $3,804,168.26 | O&M
Total Estimated Cost | $32,111,402.92 |


2. Project Overview

2.1 Purpose, Scope and Objectives

The purpose of this project is to satisfy the strategic objectives identified in the Statement of Work (SOW) document identified as NRC FAIMIS Acquisitions System Implementation through a turnkey hosted implementation of the Compusearch PRISM acquisitions system with integration to the FAIMIS Core Financial System (CFS) and the CRISP data warehouse.

The strategic scope of this project is identified through the key vision elements to be realized:

• Replace NRC's existing disparate acquisitions systems with an acquisitions system integrated with NRC FAIMIS CFS.
• Provide the framework for a full array of acquisitions business processes based on the functionality of the PRISM acquisitions system and related modules.
• Configure the acquisition system to optimize automation, streamline workflows, and maximize functional consistency.
• Integrate PRISM with the existing FAIMIS CFS.
• Meet the NRC's Open Government reporting requirements.
• Develop IT architecture with sufficient flexibility and scalability to support organizational and system needs through 2020.
• Identify and acquire hosting and software support solutions in support of the PRISM acquisitions system for reliable, ongoing Operations and Maintenance (O&M).
• Transition to Operations and Maintenance (O&M) support following implementation of the acquisitions system.
• Provide online access for NRC staff and designated contracted staff.
• Provide real-time data that is auditable and transaction based.
• Establish the validation of checks and balances between the acquisitions and financial systems.

The objectives of this project are to acquire all resources required for the implementation of the designated PRISM software components on an enterprise-quality infrastructure; provide customer training in the use of the system; develop system integrations to defined external systems; migrate the defined data from the legacy acquisitions data source; and provide post-production system stabilization before transitioning to ongoing O&M services. This scope of work is further supported with language in section 2.2 Work Breakdown Structure and section 2.4 Project Deliverables.

Overall project success will be measured by meeting the project goals in terms of cost, schedule, and scope. Project scope elements will be achieved when the agreed-upon project deliverables are completed to customer satisfaction and final customer acceptance is received. Project cost parameters will be deemed successful by staying within agreed-upon project budget parameters. Project schedule parameters will have been met if the project scope is completed within the allotted time as defined in the most recent baselined project


This project is affected by, and dependent on, the following related projects:

• FAIMIS CFS Re-hosting
• Data Migration Analysis and Preparation

2.2 Work Breakdown Structure (WBS)

WBS elements are described below.

1.0 Plan and Manage Project

The Plan and Manage Project element addresses all project management related activities and associated deliverables. This includes ongoing project control and reporting as well as financial reporting.

2.0 Procurement

The Procurement category includes all activities and deliverables associated with the acquisition and procurement of required computing equipment, software licenses, professional contract services, and support services.

3.0 Manage Requirements

The Manage Requirements category includes the ongoing management and validation of functional and technical requirements defined in the RTM, As-Is Process Flow, To-Be Process Flow, and Technical Architecture. It includes ongoing validation of the requirements relative to what has been built or configured. Configuration Management is defined in a separate Configuration Management Plan document.

4.0 Application Configuration and Installation

Application Configuration and Installation includes the tasks required to install and configure all PRISM software components on the defined architecture in accordance with the RTM and other application definitions developed during Planning. It includes all unit testing and validation that can be done without the interfaces or the migrated data.

5.0 Architecture and Infrastructure

The Architecture and Infrastructure category identifies the overall hosting architecture for PRISM and the underlying implementation of infrastructure elements. The System Architecture is defined by a System Architecture document, which will be the basis for validating the infrastructure and supporting Configuration Management prior to Operation and Maintenance (O&M) transition. This includes telecommunications, networks, servers, operating systems, middleware, database, monitoring, storage, and system security controls. All unit testing and validation of the infrastructure separate and apart from the application software is included. This includes the infrastructure for the environments defined in the


6.0 Security

The Security category includes all security-related services and deliverables required to achieve authority to operate (ATO), as defined in the security services proposal identified in the final franchise agreement. This includes documentation, certification, and identified ISAs/MOUs.

7.0 Data Migration

Data Migration includes the development, testing, and execution of the Data Migration process as identified in the Data Migration Plan.

8.0 Integration and Interfaces

The Integration and Interfaces category identifies all the activities to design, develop, implement, and test the PRISM-related interfaces identified in the Integration Plan and agreed to as part of the executed Franchise Agreement and related documents.

9.0 Training

This includes all activities related to the planning and execution of PRISM user and administrator training according to the defined Training Plan.

10.0 Testing

This includes the preparation, execution, documentation, and review of System Integration and User Acceptance Testing according to the Testing Plan.

11.0 Deployment

The Deployment category includes all tasks required to assemble tested components, verify test results, obtain project team and customer concurrence, and manage the Phase 1 and Phase 2 go-live deployments. The detail for the two deployments will be defined in the Deployment section of the Implementation Plan.

12.0 System Stabilization

The System Stabilization category includes the tasks required to provide support and monitoring for a period of 30 days following each of the Phase 1 and 2 go-live deployments. It includes periodic review meetings with dedicated application support resources, customer representatives, and technical staff resources to identify and respond to any issues following go-live. This will be transitioned over to normal O&M support for application and hosting


2.3 Assumptions and Constraints

* FAIMIS CFS Re-hosting
* Data Migration Analysis and Preparation

2.4 Project Deliverables

Table 1 - Project Deliverables contains the list of primary deliverables with description. The actual dates will be defined within the Project Schedule.

Table 1 - Project Deliverables

* Executed Implementation Agreement Package: A contractual agreement between ESC and NRC to implement NRC PRISM and provide related deliverables as defined in this section. This deliverable starts the Implementation project.

* Project Management Plan Package: A collection of documents that define the project and provide for the comprehensive management of it. This includes: Project Charter, Project Management Plan, Implementation Plan, and Project Schedule.

* Testing Plan: A document describing the process for managing the testing of NRC PRISM and related Interfaces. The document includes test cases based on the functional requirements contained in the RTM.

* Data Migration Plan: A document describing how the defined legacy data will be migrated to NRC PRISM for Phase I Go-Live.

* Training Plan: A document describing the type of ESC PRISM training to be delivered to ESC. This includes all planning for the training, the list of courses, and the dates/locations for each.

* System Integration Architecture and Design: A document defining the technical architecture with infrastructure, telecommunications, etc. that will support NRC PRISM in O&M mode.

* Hosting Services Franchise Agreement: A contractual agreement between ESC and NRC to provide hosting and related services on an ongoing basis for O&M.

* Implementation Services Procurement: Procurement service to obtain competent professional services for the implementation of PRISM.

* Training Services Procurement: Procurement service to obtain competent end user and application

* Oracle Database and Middleware Licensing Procurement: Procurement service to purchase Oracle Database and middleware software and related technical support and software maintenance.

* PRISM Software Licensing Procurement: Procurement service to purchase PRISM software licenses and software maintenance. These licenses will be transferred to NRC as part of transition to O&M at the conclusion of the Implementation Project.

* Baseline RTM: The Requirements Traceability Matrix document from which PRISM configurations and testing will be based.

* Project Status Reports: This ongoing, periodic document will contain status information about the project state and activities including: status, issues & risks, schedule update, scope update, and near term plan.

* PRISM Development Instance: A defined set of infrastructure with software components. The Development Instance is the initial infrastructure used to build out the PRISM configuration and support subsequent development activities. The Development Instance will include interim VPN tunnel connectivity to NRC HQ and the PDC. Once T1 circuits have been installed and tested, the VPN tunnels will be removed.

* PRISM Test Instance: A defined set of infrastructure with software components. The Test Instance is the second set of infrastructure for use in testing completed configurations, interfaces, etc. before migration to production.

* PRISM Data Migration Instance: A defined set of infrastructure with software components. The Data Migration Instance will be used to develop, test, and execute the migration of Legacy data for Phase 1 Go-Live.

* PRISM Production Instance: A defined set of infrastructure with software components. The Production Instance will be used by acquisitions personnel in direct support of daily business. This is the instance that will be used for the Phase I and Phase II go-live deliverables.

* T1 Circuit SMF-NRC HQ: A T1 telecommunications circuit to be provisioned between the ESC Systems Management Facility (SMF) in Oklahoma City and NRC Headquarters in Rockville. ESC Telecom will own and support the routers on each end of the circuit.

* T1 Circuit SMF-PDC: A T1 telecommunications circuit to be provisioned between the ESC Systems Management Facility (SMF) in Oklahoma City and the CGI Phoenix Data Center (PDC) in Phoenix. ESC Telecom will own and

* PRISM-CRISP Interface: A system interface between PRISM and CRISP using flat file, batch mode architecture with FTP transport. The interface will support the defined functionality and pass a system integration test upon completion.

* PRISM-FAIMIS Interface: A system interface between PRISM and FAIMIS using flat file, batch mode architecture with FTP transport. The interface will support the defined functionality and pass a system integration test upon completion.

* Data Migration Process: The process, procedures, and software needed to migrate the designated legacy data elements into a PRISM database.

* PRISM Training: The set of PRISM training classes delivered to NRC employees and contractors in accordance with the NRC PRISM Training Plan document.

* User Acceptance Test: The final set of test cases executed by the designated NRC employees and contractors with final results recorded and reviewed by the Test Sub-Team leads, and approved by the NRC Sponsor. The User Acceptance Test shall be conducted according to the documented Test Plan.

* Security Certification & Accreditation: The creation of system documentation, security assessment activities, and final security C&A documentation package with recommendation forwarded through the CISO to the designated Authorizing Official for Authority to Operate (ATO).

* Phase I Go-Live: The collection of activities resulting in the initial production deployment and Go-Live of PRISM and interfaces, defined for Phase I in the Implementation Plan. This includes the production readiness review, go/no-go approval, and execution of the Data Migration process.

* PRISM Disaster Recovery Instance: A defined set of infrastructure with software components. The Disaster Recovery Instance will be a warm site DR instance used to support critical PRISM functionality in the event of a disaster. The instance shall be available to PRISM users only during declared disasters and planned Disaster Recovery exercises. Terms and conditions associated with the DR instance will be provided in the Hosting franchise agreement and related documentation.

* Disaster Recovery Telecom Circuits and VPN tunnels: The collection of telecom T1 circuits and VPN tunnels as defined in the Telecom portion of the System Architecture and referenced in the Hosting franchise agreement. Collectively this telecom infrastructure

* Phase II Go-Live: The collection of activities resulting in the final production deployment and Go-Live of PRISM and interfaces, defined for Phase II in the Implementation Plan. This marks the transition of all NRC acquisition personnel onto the PRISM platform.

* Project Closure Report: The final project document providing recap and review of all project activities, deliverables, and issues. The report also provides for O&M transition by noting the disposition of any outstanding issue to ensure continuity and ongoing resolution by application and hosting service support providers.

2.5 Master Schedule and Budget Summary

The Master Schedule Overview shown in Figure 2 illustrates the major activities of the project for the top level WBS.

Figure 2 - Master Schedule Overview (Gantt chart; task names and dates as legible in the scan):

* Plan and Manage Project: start Fri 5/25/12 (end date illegible)
* Procurement (ESC): Fri 5/25/12 to Mon 7/30/12
* Manage Requirements: Fri 6/8/12 to Wed 7/25/12
* Conduct BPR and Configuration: Thu 6/14/12 to Thu 7/11/13
* Establish IT Architecture: Mon 6/4/12 to Tue 10/9/12
* Security/Certification and Accreditation (C&A) Support: Tue 7/3/12 to Thu 6/27/13
* Data Migration: Mon 6/18/12 to Fri 9/13/13
* Integration: Thu 7/5/12 to Thu 4/4/13
* Prepare and Deliver Training: Thu 7/5/12 to Mon 10/28/13
* User Acceptance Test: Wed 11/21/12 to Mon 6/24/13
* Deployment: (start date illegible) to Thu 8/1/13
* System Stabilization: Tue 7/30/13 to Mon 11/25/13

3. Project Organization

3.1 Project Context

The NRC PRISM Implementation project is sponsored by the NRC Office of Administration, Associate Directorate of Strategic Acquisitions (ADM/ADSA), referred to in this section as NRC. NRC has selected the Department of Transportation, Federal Aviation Administration Enterprise Service Center (DOT/FAA ESC) as the system integrator responsible for overall management and execution of the project.


NRC maintains contractual relationships with a number of other organizations related to or in support of the project. As part of the project execution, it is expected that NRC will select a service provider and award a contract for PRISM Application Support Services. The relationships depicted in Figure 3 illustrate these contractual relationships and the organizations involved.

Figure 3 - Organizational Relationships (diagram; organizations and agreements as legible in the scan): NRC ADM/ADSA holds the Implementation Franchise Agreement with DOT/FAA ESC. Other agreements shown are a PRISM Implementation Agreement, a Hosting Services Agreement, a Data Cleansing Agreement, an IV&V Agreement, and a PRISM Application Support Agreement (provider TBD). Other organizations shown are CGI, Centeva, Compusearch, and Aegis.net.

3.2 Organizational Structure

Within the Project Context, two organizational structures exist as a direct result of the NRC PRISM Implementation project. These organizations serve to provide project governance and project execution. These project organizations and their relationship is shown in Figure 4.

3.2.1 Project Governance

The Project Control Board (PCB) is an organizational structure created to provide advice and recommendations to the Project Sponsor governance of the NRC PRISM Implementation project. The organization is temporal and shall be disbanded upon project closure following NRC acceptance of all project deliverables. The members of the PCB include the project sponsor, sponsor's representative, project manager, and selected members of ESC and NRC management. The Project Sponsor shall choose a chair for the PCB. The chair will be in charge of managing communications and organizing meetings for the PCB.


variation greater than 10%.

The PCB shall also be notified of any pending change requests that are significant, in the opinion of the Project Sponsor's Representative. The PCB also has the responsibility to recommend approval of go-live and acceptance of project completion.

Figure 4 - Project Control Board and Team (organization chart; names and roles as legible in the scan)

Project Sponsor: Phyllis Bower

Project Control Board (Governance and Control): Sponsor's Representative; System Owner (TBD); CFS ESC Sponsor Representative; Cliff Johnson, Project Manager. Several names on this row are illegible in the scan.

Project Team (Management and Execution), sub-teams and co-leads:

* Functional: NRC - Eleni Jemell; CSS - TBD
* Data Migration: NRC - Sean McCoy; CSS - TBD
* Interface: NRC - Sean McCoy; CSS - TBD
* Configuration: NRC - Bill Ishmael; CSS - TBD
* Project Management: Cliff Johnson, Project Manager; Bill Ishmael, Risk/Chg Mgr; Meg Gold, Functional SME; Jenny Gatil, Communications; Ray Crouse, Sponsor's Representative; Ron Deavers, COR; Jim Morgan, Compusearch; Stephanie Smith, Project Support
* Infrastructure: NRC - Ray Crouse; ESC - Dennis Roy; SME - John Davis
* Security: NRC - Ray Crouse; ESC - Deidra Bullard; SME - Alan Sage
* Testing: NRC - Angela Wilson; CSS - TBD
* Training: NRC - Bev King; CSS - TBD

Legend: CSS - Compusearch Software Systems; ESC - Enterprise Services Center; NRC - Nuclear Regulatory Commission; SME - Subject Matter Expert

3.2.2 Project Team Structure

The Project Team is organized into a collection of sub teams, as shown in Figure 4. The sub teams are structured to align with the major WBS areas. Each sub team will be led by two named co-leads. One co-lead will be named by NRC; the other co-lead will come from ESC/Compusearch and will be named by the project manager.


against the scheduled tasks and milestones, risk and issue updates, resource information, and changes. The co-leads will be expected to coordinate/communicate with the other sub-teams, including the project management sub-team.

The description of the named sub-teams and their responsibilities follows. All teams are expected to execute tasks in accordance with the relevant management plan document or section from the PMP/Implementation plan documents. All sub teams are required to vet any changes through the Project Management sub-team and obtain authorization from the Change Manager before implementing.

3.3 Roles and Responsibilities

3.3.1 Project Management

The Project Management sub-team shall be co-led by the Project Manager and the Sponsor's Representative, who participate in the Project Control Board (PCB). The PM sub-team is responsible for managing the project, controlling execution, and reporting status. The sub-team is central in the administration and control of the project. The following roles exist within the sub-team:

Project Manager - This person is ultimately responsible to the Project Sponsor to deliver the scope of the project, on time, and within budget. The Project Manager works closely with the Sponsor's representative to ensure plans, actions, and decisions align with expectations.

Sponsor's Representative - This person aligns closely with the Sponsor and acts as an extension to her. This person must have an understanding of the project subject matter and wield some organizational authority to make things happen. The Sponsor's rep works closely with the Project Manager because the Sponsor is typically too engaged in other activities to be readily available.

Functional SME - This would be a knowledgeable individual who has the trust of the functional community at NRC. The Functional SME is a sounding board on functional issues and should be involved in all status meetings and high level discussions.

Vendor/Partner Manager - When you have a project with a key partner outside your own organization, it is best to have the partner's project/engagement manager participating in Project Management discussions. Compusearch is clearly a key partner in this effort.

Risk Manager - Risk Management can become a full time task, if the project is large enough. Also, the less slack time you have, the greater the importance of a dedicated PM riding herd over the Risk Management process and managing the Risk Register. The Risk Manager must work in partnership with the Project Manager in making decisions


execution of the Project Change Management process, including chairing of regular Project Change Management review meetings and tracking of Project Change Management requests. This role can also evolve into a Quality Management role during testing to ensure the proper tracking and resolution of defects. Similar to the Risk Manager, this person would work in partnership with the Project Manager to maintain control over task execution and deliverables.

Project Support - Meeting minutes, action items, status reports, schedules, and lists still need to stay current and be communicated to the appropriate audiences. This person would attend meetings, stay on top of action items, and manage the Project Management Repository.

3.3.2 Functional

The Functional Sub-Team shall be responsible for executing the tasks within the Manage Requirements WBS section, in accordance with the Requirements Management Plan. This includes the following:

* Changes/updates to the RTM or Process Flows documents
* IV&V of Requirements and application functionality
* Coordination with Testing, Training, and Configuration sub-teams
* Defining and executing the Organizational Change Management plan.

3.3.3 Configuration

The Configuration Sub-Team has responsibility to execute the tasks identified in the BPR and Configuration WBS section. The team is expected to perform tasks in accordance with the Configuration Management Plan. This includes the following:

* To-Be Process Review
* Migrate the initial configuration from the Compusearch Demo environment
* Conduct Configuration Workshops
* Implement configuration in Dev, Training, Test, and Data Migration environments
* Ensure all configuration documentation is current

3.3.4 Data Migration

The Data Migration Sub-Team is responsible for activities defined under the Data Migration section of the WBS. The sub-team is expected to develop the Data Migration Plan and perform tasks in accordance with the plan. Responsibilities of the Data Migration Team include:

* Develop Migration Plan including strategy and scope
* Define and document the Data Migration process/cookbook
* Develop any related scripts/code


3.3.5 Interface

The Interface Sub-Team is responsible for the performance of the project schedule tasks contained within the Integration and Interfaces WBS section. This team is a predominantly technical team that will design, develop, test, and implement the defined custom NRC FAIMIS CFS and CRISP interfaces. The team shall ensure the tasks and deliverables conform to the defined System Architecture and are done according to the Integration Plan. These tasks include:

* Document Interface Requirements and Design
* Develop, install, and test all code
* Perform System Integration Testing to obtain customer acceptance
* Validate and document final deliverables

3.3.6 Infrastructure

The Infrastructure Sub-Team is responsible for performance of the project schedule tasks contained within the Architecture and Infrastructure WBS section. This technical team is responsible for defining, building, and maintaining the technical infrastructure elements required to securely operate the PRISM application. This sub-team will work closely with the Data Migration, Security, Interface, and Configuration sub-teams. They will produce deliverables and provide service in accordance with the System Architecture document. Tasks and deliverables include:

* Validation of the System Architecture.
* Requisition, implementation, and support of defined Telecommunication and network components and services.
* Build and configuration of all Storage and Server components.
* Installation and configuration of all non-PRISM software components.
* Installation, configuration, and support of all Database components.
* Implementation and configuration of network appliances including firewalls and load balancing appliances.
* Implementation and monitoring of system resources.
* Administration of all non-PRISM software components.
* Validation of all infrastructure components and configurations.
* Provide technical support of other sub-teams

3.3.7 Security

The Security Sub-Team is responsible for the Security/C&A Support WBS section. They will develop and implement the required security services and documents. Upon execution of the Implementation agreement, a named ISSO will be provided on NRC's behalf. The Security team shall be responsible for the following named deliverables and services:

* ISSO consultation services

3.3.8 Testing

The Testing Sub-Team will be responsible for the execution of tasks and deliverables contained in the Testing section of the WBS. The Testing Sub-Team shall develop and manage their activities in accordance with the Test Plan. To build the Test cases, the Test Sub-Team will work with the Functional and Configuration Sub-Teams to ensure traceability through the requirements. Through the tracking and management of test results/defects, the Test Sub-Team will coordinate closely with the various technical sub-teams and the Configuration Sub-Team. The Test team shall be responsible for the following tasks and deliverables:

* Develop and Document the Test Plan
* Develop and Document functional Test Cases and Scripts
* Coordinate the System Integration and User Acceptance Tests
* Identify and manage named testers for the User Acceptance Test
* Gather all test results and document these in the appropriate testing tool provided by NRC
* Establish and configure the testing tools and defect tracking repository.
* Record and track all defects to resolution
* Periodically report test status and defects to the Project Management Sub-Team

3.3.9 Training

The Training Sub-Team will be responsible for the execution of all Training related tasks. The team shall develop and execute the Training plan to ensure proper training of all PRISM users and Administrators. The members of the Training Sub-Team will be responsible to perform the following tasks:

* Develop and document training strategy
* Develop training curriculum and materials
* Coordinate and schedule training classes
* Conduct User and Administrator training sessions

3.4 Start-Up Plan

3.4.1 Project Estimates

Project estimates for time and cost were based on customer requirements, project scope, and expert opinion. Initial requirements were defined by NRC through a Statement of Work (SOW) and accompanying appendices. ESC proposed an initial planning/discovery phase for 90 days to perform a detailed assessment and develop a subsequent proposal for implementation. Planning initiated on 9 Jan 2012 as a collaborative effort between ESC, Compusearch, and

* 15 June 2013 - Phase 1 Go-Live for Requestors
* October 2013 - Phase 2 Go-Live for Contract Officers/Project Officers
* November 2013 - Full O&M and Project Closeout

Final delivery of the Inter-Agency Agreement with SOW and Franchise Agreement is scheduled for 16 May 2012.

3.4.2 Phases and Iterations

The high level milestones for the proposed schedule are:

3.4.3 Staffing Plan

Project staffing is closely aligned with the Organizational structure described in Section 3.2 Organizational Structure.

3.4.4 Resource Acquisition

3.4.5 Staff Training

3.5 Project Change Management

3.5.1 Purpose and Scope

Project Change Management is the process used to ensure alignment on expectations and any changes to the original scope, cost, and timeline for the project. The process covers all changes to the project and provides an auditable trail between the baseline plan elements and the final deliverables. The goals for the Project Change Management process are:

* Transparency to the project stakeholders
* Auditability
* Traceability

3.5.2 Process Definition

The process is used to document and collect change requests, define impact, obtain customer approval, and formally introduce changes into the scope of the project.

The Project Change Management process does introduce some overhead in the form of additional labor cost associated with the steps in the process, and additional time delays to execute the process and modify any agreements. The actual time for the process execution is dependent on the complexity/magnitude of the change, and requirements to make any required contract modifications.

The entire process revolves around a single document artifact known as Project Change

Figure 5 - Project Change Request Process (flowchart; stage and box labels as legible in the scan): three stages, Document and Submit, Analyze and Review, and Implement and Communicate. Legible boxes include "Submit a change request (PCR) through an authorized" channel, "Review PCR", the decision "Approved?" (Yes/No), "Initiate actions to change the baseline scope, schedule, and cost" and amend relevant agreements and approval documents, "Update Log and Communicate change to team and stakeholders", and "Change implemented".

3.5.3 Roles and Responsibilities

The Project Change Management Process has several roles and responsibilities depicted in Table 2. The roles are referenced by the process flow in Figure 5 - Project Change Request Process.

Role: Requestor
Authorized Personnel: ESC or NRC Project Manager; NRC Project Sponsor or sponsor's representative; NRC project stakeholders in a management position
Responsibility: Requestors are responsible for initiating requests using the prescribed form and process. It is their responsibility to define the change in sufficient detail and provide the required information elements. They become the "owners" of the request and need to make themselves available to respond on any follow up questions from other parties during the Project Change Management process.

Role: Change Manager
Authorized Personnel: ESC Project Manager or named
Responsibility: The Change Manager is responsible for oversight of the Change Management process, assigning the tasks of

Role: Approver(s)
Authorized Personnel: Change Manager, Requestor, and NRC Project Sponsor or sponsor's representative
Responsibility: Approval of a request requires agreement between the Project Manager, Sponsor or Sponsor's representative, and Requestor. Based on: Change Manager - process integrity; Requestor - acceptance of cost/schedule impact; Sponsor - authorization of cost/schedule impact

Role: CO/COTR
Authorized Personnel: Named COTR or CO who manages the contract requiring the modification
Responsibility: The CO shall validate the requested contract modification is legal. The CO shall notify the COTR and Project Manager of any required documentation and advise how long approval should take. Once the contract modification is executed, the CO shall notify the Project Manager and COTR that work on the change can proceed.

Table 2 - Project Change Request Roles and Responsibilities

3.5.4 Project Change Request Form

The Project Change Request Form is the primary control form for the Project Change Management Process. Each PCR submission is given a unique control number and is therefore a controlled document. The form contains multiple sections to support the information added during the various steps of the Project Change Management process. These sections are illustrated below.

Information in the PCR Request section, shown in Figure 6, is provided by the requestor when making the PCR submission.

Change Description:

Change project scope to include upgrade of Oracle GRID component as a pre-requisite to the Oracle 11.2.0.2 DBMS upgrade. Deployment timing constraint is that GRID must be upgraded prior to upgrading any DBMS instance on the RAC cluster where GRID is hosted. There are six instances of GRID (including PROD).

Patch level 1 = 11.2.0.1

Patch level 2 = 11.2.0.2

Business Benefit:

The driver behind this change in scope is the desire to utilize patch level 2 of 11gR2 over patch level 1. In discussions with the project team, it was noted that upgrading to patch level 1 will require another upgrade to patch level 2 with a relatively short turnaround. Patch level 2 of 11gR2 makes the DBMS more current from a support standpoint and would help reduce the risk of becoming non-compliant.

Implications of Not Making the Change:

A decision to not accept this change will result in:

* Increased risk of non-compliance with patching policy
* Increased risk of falling back into extended support with Oracle
* Shorter turnaround time before having to upgrade the Oracle DBMS again
* Increased impact to resources due to additional work for subsequent DBMS upgrade effort

Figure 6 - PCR Request section

The information contained in the PCR Header section is provided by the Change Manager when he/she receives the request. This is illustrated in Figure 7.

Figure 7 - PCR Header section (Change Request Form header; fields as legible in the scan): Change #: control number assigned by Change Manager; Requested By: Rob Helms/Gary Chancellor; Date Requested: 04/08/2011; Change Assigned To: assignment for impact analysis made by Change Manager.

Impact to the Project:

Accepting the change increases the scope of the project to include a GRID upgrade discovery effort and the actual GRID upgrades. There is also increased risk of destabilizing the Delphi DBMS instances on the cluster when GRID is upgraded.

Alternatives:

Delay the inevitable Patch level 2 and GRID upgrades to a later release cycle.

Figure 8 - PCR Impact Assessment Section

The recommended action section shown in Figure 9 is an optional part of the PCR Impact Assessment Section. This section may be filled out by the requestor, assessment team, or Change Manager as appropriate.

Recommended Action:

The Oracle technical team members and Delphi Configuration Manager recommend doing the GRID upgrade and Patch level 2 DBMS upgrade as part of the Oracle 11g Upgrade effort. The incremental LOE does not appear to be significant. The production Oracle DBA lead (AMI-320) feels the risk of problems with the GRID upgrade can be mitigated through doing GRID upgrade discovery on the J cluster (sandbox) instance.

It is recommended that we proceed with Patch level 2 and include the requisite GRID upgrade in the scope of Delphi Oracle 11g Upgrade.

Figure 9 - optional recommendation

After the Impact assessment is complete, the PCR is then routed for acceptance by the Project Manager, Requestor, and Project Sponsor (or Sponsor's representative). Signatures are recorded in the approvals section of the PCR shown in Figure 10. The document is then imaged and stored in the Project Management repository. The PCR log entry corresponding to the PCR is updated to show approval/denial, and the information is communicated to stakeholders via the Project Status Report.

Approval from Project Manager for Recommended Action: Cliff Johnson, Project Manager, Delphi Oracle 11g Upgrade (Name, Title, Signature, Date)

Approval from Configuration Manager for Recommended Action: Robert Helms, Delphi Configuration Manager (Name, Title, Signature, Date)

Approval from Sponsor for Recommended Action: James C. Davis, Acting Director, Office of Applications Services (Name, Title, Signature, Date)

Figure 10 - PCR Approvals Section

3.6 Project Monitoring and Control

3.6.1 Requirements Management

The Project Manager shall ensure sufficient processes are in place to manage the project requirements during the Functional requirements for implementation of PRISM and identified interfaces shall be documented in the following artifacts maintained on the designated Project information repository:

* Requirements Traceability Matrix (RTM)

approved as part of the project scope, requirement changes shall be communicated out to the project team and stakeholders via project status meetings and/or project status reports.

Details concerning the processes used to manage requirements are contained in the Implementation Plan document.

3.6.2 Schedule and Cost Control

3.6.3 Project Reporting and Communications


3.6.4 Metrics Collection

Table 1.0 - Project Metrics

| Metric | Measure | Discussion | Method of Capture |
|---|---|---|---|
| Time | Schedule performance index (SPI) | Is the project on schedule? | Automated tool such as Microsoft Project or Microsoft Excel |
| Resources | Actual time expended vs. project schedule | How much time are we spending on the project? | Automated tool such as Microsoft Project or Microsoft Excel |
| Cost | Cost Performance Index (CPI) | Are we within budget or within a 10 percent variance? | Automated tool such as Microsoft Project or Microsoft Excel |
| Scope | Amount of scope creep vs. the scope management plan | Is the 'scope creep' in line with expectations? | Volume/frequency of scope increase requests by project stakeholders |
| Quality | Amount of functionality received; number of requirements satisfied using requirements traceability matrix (RTM) | Are we reviewing and addressing quality? | RTM statistics |
| Actions | Percent of action items completed per month | Have we completed all | Microsoft Word; Microsoft Excel |
| Risks | Percent of risks with a mitigation strategy defined in accordance with the risk management plan; percent of risks which have communication in accordance with the communications plan | Have the risks been defined? | Microsoft Excel |
| Issues | Rate that issues are being resolved | Are the issues being tracked? | Microsoft Excel |

3.7 Risk Management

3.8 Issue Management

3.9 Project Closeout

4. Technical Processes

4.1 Development Case

4.2 Methods, Tools and Techniques

4.3 Infrastructure

4.4 Acceptance Criteria

5. Supporting Processes

5.1 Configuration Management

5.2 Documentation Management

Reference process for handling and storage of documents. Note Document/QA Engineer role. Mention KSN Repository. Reference review period and walkthrough process for deliverables.

5.3 Quality Assurance

Describe the triple constraint (Scope, Cost, and Time). Reference to Project Change Management process to manage scope creep. Identify the modified EVM reporting to manage Cost and Time. Mention identifying key deliverables as milestones on the project.


5.4 Problem Resolution

5.5 Contractor Management

5.6 Deployment Management

6. Security and Privacy

6.1 Privacy Issues

6.2 Computer Security Activities

7. Additional Activities

8. Appendices
