Defense Advanced Research Projects Agency (DARPA)

Mission Services Office (MSO)

Information Technology Directorate (ITD)

Multi-Network Support Services (MNSS)

DRAFT

Performance Work Statement (PWS)

V1.0

January 15, 2020

1.0 General

1.1 INTRODUCTION

The Defense Advanced Research Projects Agency (DARPA) is the research and development agency for the U.S. Department of Defense (DoD). The DARPA mission is to maintain U.S. technological superiority over potential adversaries by identifying, developing, and supporting breakthrough technologies of interest to the military. DARPA is located at 675 North Randolph Street, Arlington, VA 22203-1714.

The key to DARPA’s success has been, and continues to be, its ability to attract the brightest minds from Government, industry, and academia and provide them an environment that facilitates their ability to turn ideas into practical, leading-edge technology. DARPA requires Information Technology (IT) services that facilitate this creativity by providing world-class Government service, state-of-the-art tools and services, and rapid, flexible and innovative response to mission essential and evolving Government requirements.

1.2 BACKGROUND

DARPA’s Information Technology Directorate (ITD) is responsible for providing and managing administrative networks to the Agency for typical IT administrative requirements such as back office applications, collaboration, project management, reporting, financial, and other such day-to-day operational requirements. These IT requirements are known as common use or commodity IT solutions. Additionally, ITD provides mission critical and research networks, systems, and services to the Agency and for its performers.

ITD provides Internet café, Unclassified, Secret, Secret/SAR, TS/SCI, and TS/SCI/SAR networks and IT services utilizing traditional data centers, cloud services, and DoD enterprise services for the Agency and its performers.

DARPA is a Department of Defense (DoD) organization and therefore must comply with the NIST Special Publication (SP) 800-53 Risk Management Framework (RMF) in order to operate. Therefore, DARPA subscribes to an iterative lifecycle for all services to be provided by the Contractor. The DARPA services lifecycle will be an ongoing process of continual improvement, “state-of-the-shelf” products, initial assessments and continuous monitoring of the security posture, and compliance of all services to ensure that DARPA networks maintain their authority to operate (ATO). DARPA also anticipates a realization of cost savings, cost effectiveness, and improved quality due to continuous improvement efforts by the Contractor.

The Deputy Secretary of Defense has designated the Defense Information Systems Agency (DISA) as the single service provider of commodity/common use IT services for the Fourth Estate. The Deputy Secretary signed the Fourth Estate Network Optimization Execution Guidance memo on 12-Nov-19. DARPA is currently scheduled for transition of common use IT to DISA in FY24.

The DoD CIO issued a memo, subject: Fourth Estate Application and System Cloud Migration, dated 3-May-18, directing Fourth Estate components to migrate to MilCloud. DARPA mandated cloud first for all unclassified workloads prior to the release of the memo and classified workloads as the cloud capabilities become available.

IT services provided under this PWS are essential to the accomplishment of DARPA’s mission. DARPA is a multi-platform environment. It is critical that continuity of operations and services be maintained in alignment with DARPA-defined performance and continuity of operations (COOP) levels during the period of transition from the incumbent Contractors to the Contractor. To minimize the risk inherent in transition, DARPA will proactively facilitate the transfer of explicit and tacit knowledge, methods, and procedures from the DARPA staff and the incumbent Contractors’ staff to the Contractor. To create an environment for successful transition, DARPA envisions that this PWS will be accomplished in a manner that provides an orderly ‘ramp up’ for the Contractor and an orderly ‘ramp down’ for the incumbent Contractors.

DARPA’s classified IT environment provides users with an array of both collateral and compartmented Windows-based networks, an enterprise multi-level security (MLS) administrative network, and an enterprise multi-compartmented platform IT (PIT) network. DARPA categorizes the classified networks it supports by “Protection Levels (PL)” 2-4, as defined in the DoD Joint Special Access Program (SAP) Implementation Guide (JSIG).

1) PL-2: When all general users have all required clearance and formal access approvals to the information on the system, but may lack need-to-know (NTK) for some of the information on the system (e.g., Collateral Secret networks)

2) PL-3: When all general users have all required clearance, but some users may lack formal access approval for some of the information on the system (e.g., SCI and/or SAP networks)

3) PL-4: When at least one user lacks sufficient clearance to some of the information on the network, but all users have at least a Secret clearance (e.g., MLS, CDS)

DARPA’s PL-4 enterprise MLS network combines cross domain (CD) technology and traditional Windows interfaces that allow a user to access single level PL-2 and PL-3 networks, transfer data between networks and domains of varying levels and/or compartments, and collaborate at commonly shared levels and compartments. This provides DARPA users with a single window interface that reduces complexity of navigation through file systems and email, including but not limited to: e-mail, files, and web and collaboration services within a CD, secure environment. This MLS CDS instantiation is currently jointly assessed and authorized by DARPA and the DoD Special Access Program (SAP) CIO in accordance with JSIG, Committee for National Security System (CNSS) Instruction 1253, and NIST Special Publication (SP) 800-53 [latest version] and tailored security controls for impact levels of High/High/Moderate, as well as CNSSI 1253 overlays for Intelligence and CDS, and the JSIG overlay for Accessibility. Components of the CD technologies employed within the MLS network are registered with the National Cross Domain Strategy & Management Office (NCDSMO) as a baseline CDS. Users are able to access applications and information, perform data transfers, and exchange e-mails and files, at multiple levels of security, from a single computer workstation. Connectivity with other DoD and Intelligence Community IT networks, systems, and databases is available. The enterprise PIT network is intentionally isolated from the MLS and provides similar capabilities but is constrained to a single level, multi-compartmented environment.

DARPA’s ITD is the primary Government Point of Contact for this contract. The Government Program Manager (GPM), Contracting Officer’s Representative (COR), Alternate COR (ACOR), Chief Information Security Officer (CISO), and Authorizing Official (AO), reside within DARPA’s Information Technology Directorate (ITD).

1.3 OBJECTIVE

The primary objective of this PWS is to provide an organizational structure that allows ITD to support DARPA operational and research requirements. This organizational structure must have the flexibility to programmatically and contractually detach common use IT services and transition to the proposed DISA managed model in FY24, or at whatever future time that they are able to meet DARPA’s mission needs. DARPA mission and research networks, IT services, and other capabilities provided by ITD will persist post transition of common use IT systems and will be managed by this PWS.

DARPA may use other Government or commercial third parties to advise and/or assist in independent verification and validation, and performance monitoring of the Contractor. The Government expects the Contractor to participate and provide timely, reliable and effective input in the oversight process.

DARPA’s IT services consist of standalone systems, local area networks (LANs) and wide area networks (WANs) that are located in DARPA, Defense Industry Base (DIB) and Government Partner facilities, and commercial cloud services providing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) solutions to the Agency.

1.4 PERFORMANCE OF WORK

The Contractor shall provide and manage the entire range of IT services, support, engineering, and infrastructure necessary to implement the DARPA IT operational, mission, and research objectives, which are expected to evolve over the course of this contract. DARPA envisions that the Government staff will focus on inherently Governmental functions as described in FAR Part 2 and Subpart 7.5, and all applicable DoD policy to include articulating mission requirements to the Contractor, strategic planning, capital planning, authorization assistance policy and oversight, verification and validation, and performance monitoring. DARPA may use other Government or commercial third parties to advise and/or assist in performing its responsibilities.

The Contractor shall provide all labor, management, supervision, training, supplies, materials, equipment, and tools, not otherwise provided as Government furnished property (GFP), to perform the non-personal services required to support this Performance Work Statement (PWS).

This PWS establishes the basic requirements related to providing classified and unclassified mission IT, office computing, networking, communications services, requirements management, engineering, desktop support and technical support to DARPA. This PWS consists of the following functional areas:

4.7 Program Management

4.8 Quality Management

4.9 Asset and Configuration Management

4.10 Customer Relations Management

4.11 Engineering Management

4.12 Security Operations

4.13 Authorizations and Compliance Management

4.14 Operations Management

4.15 Site Connections Management

4.16 Professional Services

Work identified in this document shall meet the levels of service specified in the Service Level Objectives (SLOs), as described in Section 5.2.

1.4.1 Inherently Governmental Functions

The Contractor shall not make final decisions or certifications on behalf of the Government, nor perform any inherently governmental functions as described in FAR Part 2 and Subpart 7.5. The Contractor and its employees shall not represent the Government nor appear to represent the Government in the performance of these contract services.

1.4 PERSONNEL

1.4.1 Personnel Security Clearance

The Contractor’s staff shall have final DoD clearances for the system they are supporting at the time that they begin work. For the Unclassified and Collateral Secret networks, a final DoD Secret Clearance is required. For all other systems, a final DoD TS clearance with eligibility for Sensitive Compartmented Information (SCI) and Special Access Programs (SAP) is required prior to performing duties on this contract.

1.4.2 Contractor Certification and Training

The Contractor shall ensure that their employees possess requisite training and security certifications per reference (4) - DoD Directive 8140.01. All personnel hired for performance on the contract shall be compliant on their start date unless approved by the Government. Additionally, those Contractors performing duties at DARPA will be required to take on-line and continued training applicable to all DARPA on and off-site personnel. Training costs to qualify Contractor staff to perform the functions defined in the PWS (e.g. DoD 8140.01) are the responsibility of the Contractor, to include time to take exams, boot camps, etc. Costs for training personnel who change roles/responsibilities within the contract are also the responsibility of the Contractor. Training requirements that occur during the life of the contract as a result of technology transitions (e.g. replacing a Cisco Core Router with that of another vendor) or new requirements for functions defined in the PWS may be cost-shared at the discretion of the Government.

1.4.3 Key Personnel

This PWS is premised, at least in part, on the Department of Defense Enterprise Service Management Framework (DESMF) Edition III, 04-Mar-16. Roles and their corresponding responsibilities are identified below and are generally aligned with the DESMF.

Certain skilled/experienced professional and/or technical personnel are essential for successful Contractor accomplishment of the work to be performed under this contract. Key personnel are those individuals designated by the Government as persons in the Contractor’s organization who provide in-depth experience and management. The following roles are to be considered Key Personnel:

1) Program Manager

2) Deputy Program Manager

3) Operations Manager

4) Security Manager - Information System Security Manager (ISSM)

5) Customer Relations Manager

6) Authorizations and Compliance Manager

7) Engineering and Development Manager

8) Configuration and Assets Manager

9) Quality Manager

10) Security Control Assessors

11) Site Connections Manager

All candidates for positions designated as Key Personnel shall submit resumes to the Government for review prior to hiring. The Government may refuse to accept the candidate if the resume does not indicate that the person is qualified to do the work specified on the contract per the definitions below and in accordance with minimum qualifications attached to the contract. The Government may request to meet the candidates as part of the review process. If the Government refuses to accept the person, the burden for proving that the person is qualified for the proposed position rests on the Contractor. The qualifications of Key personnel must be approved by the COR, prior to these Key personnel assuming duties on the contract.

The Contractor shall provide notice to the Government as soon as practicable in the event that Key Personnel are unable to perform under the contract for a period of two weeks or more, terminate their employment with the Contractor, or provide notice to the Contractor of their intent to terminate employment with the Contractor. The Government can request replacement of Key Personnel at any time.

1.4.3.1 Program Manager

The Contractor’s Program Manager shall be responsible for the overall management of tasks performed under this contract and shall be the primary point-of-contact for contract issues. The Program Manager shall be responsible for ensuring that practical and effective systems are developed to meet the contract requirements. The Program Manager shall also be responsible for ensuring the quality and timeliness of the work performed resulting in process improvements that result in cost effectiveness and savings for the Government. The Program Manager shall provide oversight for financial, contractual, project management, technical and security actions on behalf of the Contractor.

The Program Management group, consisting of the Program Manager and Contractor designated personnel, is ultimately responsible for all programmatic and operational requirements as identified within this PWS.

1.4.3.2 Deputy Program Manager

The Contractor’s Deputy Program Manager, in the absence of and/or as a shared responsibility with the Program Manager, shall be responsible for the overall management of tasks performed under this contract and shall be the alternate point-of-contact for contract issues. The Deputy Program Manager shall be responsible for ensuring that practical and effective systems are developed to meet the contract requirements. The Deputy Program Manager shall also be responsible for ensuring the quality and timeliness of the work performed resulting in process improvements that result in cost effectiveness and savings for the Government. The Deputy Program Manager shall provide oversight for financial, contractual, project management, technical and security actions on behalf of the Contractor.

The Program Management group, consisting of the Program Manager and Contractor designated personnel, is ultimately responsible for all programmatic and operational requirements as identified within this PWS.

1.4.3.3 Operations Manager

The Operations Manager shall manage operations and shall be responsible for Information Technology Service Management (ITSM) Tiers 0, 1, and 2. ITSM Tier 0 is self-help and user-retrieved information. Tier 0 is typically associated with password resets, Frequently Asked Questions (FAQs), Service Catalog Requests, and forums. ITSM Tier 1 is typically associated with help desk activities wherein support for basic customer issues, fulfillment, and ticketing is performed. ITSM Tier 2 support is typically provided by experienced technicians and administrators.

The Operations Manager is responsible for steady-state operations and is a down-stream customer of engineering. Additionally, the Operations Manager shall analyze and improve organizational processes, quality, productivity, and efficiency. Additional responsibilities include:

1) Provide day to day management and coordination of the Responsible Individuals for the production systems, test systems, resource management and operational project assignments

2) Ensure infrastructure components such as but not limited to Networks, Data Centers, Servers, SANs, NAS, Virtual Machines, Cloud Service Providers and storage components are optimally maintained to achieve the highest value to the customer and Agency.

3) Participate in other functional areas to resolve production problems and initiate corrective actions

4) Meet expected quality of service on maintenance and deployment of upgrades, enhancements, and modifications to operational systems

5) Promote and implement standards and procedures

6) Work within the established change control processes and coordinate appropriate downtime activities with internal and external consumers

7) Prepare for and respond to audits for compliance with established standards, policies, configuration guidelines and procedures

8) Maintain and expand comprehensive system hardware and software configuration database/library of all supporting documentation

9) Participate in the planning and implementation of IT modernization activities, and systems integration

1.4.3.4 Security Manager / ISSM

The Security Manager shall manage the coordination, application, implementation and execution of Cybersecurity Services Provider Tier 2 Incident Response and Hunt Team responsibilities, IA policy, A&A, audits, mitigation recommendations, etc. Additional responsibilities of the Security Manager shall include:

1) Assume or delegate the role of SCIF Manager for the ITD managed SCIF spaces.

2) Ensure the development and delivery of annual security awareness training and the monitoring of compliance for DARPA personnel.

3) Act as the ITD Contractor representative to the Insider Threat Working Group.

4) Oversee the management of the Security Services across all networks and act as the contract coordinator for DARPA Cybersecurity Service Provider (CSSP) responsibilities with the DoD Cybersecurity Services Evaluators Scoring Metrics (ESM).

5) Identify and communicate changes that might affect information system (IS) security authorization status to the DARPA CISO, AO, and contract Authorization and Compliance Manager.

6) Identify vulnerabilities and work with technical subject matter experts to identify and implement countermeasures.

7) Prepare reports on the status of security safeguards applied to computer systems.

8) Ensure IS and network nodes are operated, maintained, and disposed of in accordance with established security policies and practices.

9) Provide leadership, mentoring, and quality assurance for team members as a security expert.

10) Define, document, and coordinate connections to unclassified and classified networks.

1.4.3.5 Customer Relations Manager

The Customer Relations Manager shall ensure outstanding customer satisfaction by maintaining strong working relationships with ITD customers. Additionally, the Customer Relations Manager shall:

1) Guide and lead team members to deliver products and services that meet or exceed customer requirements.

2) Manage customer issues through the ITSM tiers 0, 1, and 2 lifecycles.

3) Manage and train resources to ensure quality and consistency of service to customers.

4) Maintain complete and accurate customer correspondence data.

5) Assist in making operational decisions as required.

6) In conjunction with Product Managers and Engineering, create training guides, frequently asked questions (FAQs), and internal and customer facing best practice products.

7) Identify and develop problem solving methodologies to resolve customer issues.

1.4.3.6 Authorizations and Compliance Manager

The Authorizations and Compliance Manager shall manage and mentor security professionals in the compliance oversight of all unclassified and classified information systems and related Contractor and Government networks. Services include ensuring compliance and accreditation with DoD collateral and SCI/SAP regulations. Additionally, the Authorizations and Compliance Manager shall:

1. Lead a team to directly support the Chief Information Security Officer (CISO) and Senior Authorizing Official (SAO) to conduct regular in-house security reviews and Assessment and Authorization (A&A) actions with the goal of ensuring compliance and maintaining an Authority to Operate (ATO) for all DARPA systems.

2. Review, prepare, and update ATO packages for DARPA enterprise systems in accordance with NIST RMF and appropriate DoD / IC guidelines.

3. Ensure security plans and ATOs are accurately and properly submitted to the appropriate authorities for Defense Industry Base (DIB) systems requiring DARPA ATOs.

4. Build relationships with Government counterparts to ensure ITD’s compliance activities are executed properly.

5. Perform self-inspections, provide security coordination and review of system test plans.

6. Coordinate with business units to ensure compliance of all program-related business unit equipment and networks. Work closely with MSO/ITD to develop and execute department-level strategy and objectives.

1.4.3.6.1 Security Controls Assessor (SCA)

Each SCA shall be aligned to primarily support a specific DARPA Technical Office and/or the MSO-ITD Enterprise environment. Independent from either the ITD-contracted operations personnel or the Technical Office performers who build and implement the information systems (IS) at DARPA, the SCA is responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by the target IS - whether Technical Office mission system or ITD Enterprise system - to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). SCAs also provide an assessment of the severity of weaknesses or deficiencies discovered in the IS and its environment of operation and recommend corrective actions to address identified vulnerabilities. Additionally, they will:

1) Advise the information system owner (ISO) concerning the impact levels for Confidentiality, Integrity, and Availability for the information on a system.

2) Advise the ISO concerning the impact levels for Confidentiality, Integrity, and Availability for the information on a system.

3) Ensure security assessments are completed for each IS.

4) Initiate a POA&M with identified weaknesses and suspense dates for each IS based on findings and recommendations from the SAR.

5) Evaluate security assessment documentation and provide written recommendations for security authorization to the CISO and AO.

6) Assess proposed changes to information systems, their environment of operation, and mission needs that could affect system authorization.

7) Serve as a cybersecurity technical advisor to the CISO and AO for DARPA IS under their purview.

8) Be integral to the development of the monitoring strategy. The system-level continuous monitoring strategy must conform to all applicable published DoD enterprise-level or DoD Component-level continuous monitoring strategies.

9) Determine and document in the SAR a risk level for every noncompliant security control in the system baseline.

10) Determine and document in the SAR an aggregate level of risk to the system, and identify the key drivers for the assessment. The SCA’s risk assessment considers threats, vulnerabilities, and potential impacts as well as existing and planned risk mitigation.

11) Develop the Continuous Monitoring Plan specific to the information system.

1.4.3.7 Engineering and Development Manager

The Engineering and Development Manager shall be responsible for managing all engineering and application development efforts including infrastructure as code (DevOps), software defined networking (SDN), engineering security into DevOps and SDN (DevSecOps), maintaining architecture diagrams, data flows, and shall manage all new capabilities being developed for DARPA operational, mission critical, and research requirements. The Engineering and Development Manager shall be responsible for engineering and developing new capabilities, integration of existing capabilities, and utilizing modern development, security, and management methodologies. The Engineering and Development Manager’s responsibilities shall also include ITSM Tier 3 and 4 support functions.

1) Support Agency in establishing, documenting, maintaining, and maturing an Engineering program that complies with DoD / Agency guidance and meets DARPA unique requirements.

2) Assist with ensuring that ITD processes and tools support the DARPA mission.

3) Provide leadership and technical implementation expertise in the design, development, and governance of Service-Oriented Architectures, Web-Oriented Architectures, and Managed Hosting and Cloud Computing Architectures.

4) Provide subject matter expertise to ensure products meet enterprise technology standards for conducting, sustaining, and adapting to the mission.

5) Draft, coordinate, maintain and support initial versions of segment architectures for core business and enterprise services, such as Records Management, Workflow and Tracking, Business Intelligence, ERP, Cloud Computing, and Web 2.0.

6) Identify and recommend industry best practices, and where feasible, collect existing information on the selected enterprise services segments through documentation reviews, interviews, as well as the knowledge gained by the Contractor during the portfolio analysis process.

7) Conduct an assessment of the Agency portfolio from multiple perspectives to identify, document, and support analytic reporting recommendations on architectural alignment, investment composition, segment architectures, and changes to the target architecture. The analytics processes shall be designed and executed to ensure consistent, coordinated IT decision-making across Agency. It shall focus on ensuring innovation, the efficient use of IT, reduction of unnecessary duplication, avoidance of cost, optimized information sharing, and interoperability.

Identify, document, and support performance goals and metrics for Business Architecture, Information Architecture, Application Architecture, and IT Infrastructure and Technology Support from the business strategy through the implementation and maintenance of the EA Program, as well as the “critical points” and sequence activities of the Enterprise Architecture Transition Plan.

The Engineering and Development Manager shall also be responsible for managing Process/Product Managers. While Process/Product Owners are Government personnel, Process/Product Managers share in the end-to-end lifecycle of products and services.

1.4.3.8 Configuration and Assets Manager

The Configuration and Assets Manager shall manage all ITD IT assets and ensure that assets under the control of the IT organization are identified, controlled and properly cared for throughout their lifecycle. Additionally, the Configuration and Assets Manager shall:

1. Identify, control, record, report, audit and verify services and other configuration items (CIs), including versions, baselines, constituent components, their attributes and relationships.

2. Account for, manage and protect the integrity of CIs through the service lifecycle by working with change management to ensure that only authorized components are used and only authorized changes are made.

3. Ensure the integrity of CIs and configurations required to control the services by establishing and maintaining an accurate and complete configuration management system (CMS).

4. Maintain accurate configuration information on the historical, planned and current state of services and other CIs.

5. Provide accurate configuration information to enable timely decisions — for example, to authorize changes and releases, or to resolve incidents and problems. The CA Manager is responsible for the Accountable Property and Internal Use Software processes.

1.4.3.9 Quality Manager

The Quality Manager shall be responsible for ensuring that all products and services developed, managed, or

enhanced under this PWS meet or exceed Government quality standards. Additionally, the Quality Manager shall:

1) Provide oversight of quality assurance, quality management, performance and quality control systems to

ensure compliance across the enterprise.

2) Perform quality management audits and reviews to ensure process adherence (e.g., SOPs) in each

operational unit and that all SLOs are understood and reported properly.

3) Manage and lead a team of quality analysts through developing and mentoring staff, and ensuring effective

communication of quality approach and standards.

4) Develop and oversee an effective quality management system to continuously identify opportunities for

improvement while maintaining adherence to contract driven key performance requirements.

5) Establish standards governing stakeholder interactions and implement monitoring programs.

6) Manage internal and external client expectations related to quality management and effectively

communicate quality standards across the program.

7) Perform analysis and monitoring of all performance metrics to ensure compliance with internal, external,

contract performance, and quality standards.

8) Schedule and coordinate all the quality and performance monitoring activities of the quality staff across the

program; prepare QA reports.

9) Aggregate and analyze quality data and suggest methods for improving quality, design and business

processes.

10) Manage all Monthly Operations deliverables and communication between the Contractor and Government

staff. This individual is responsible to the Program Manager to resolve any issues of deficiency in meeting

contractual obligations.

11) Manage report automation, distribution, and quality of all reports.

1.4.3.10 Site Connection Manager

The Site Connection Manager shall manage the connection approval process (CAP) and activities associated with

deploying, connecting, and decommissioning remote site connections with the appropriate DARPA Enterprise WAN

(Savannah, ALCAZAR, DSWAN). The supporting team will deploy to performer and Government sites in both

CONUS and OCONUS locations. Historically the inventory of remote site locations across all DARPA Enterprise

WANs totals approximately 350 (one is OCONUS in Hawaii), and averages approximately 3 activations and/or

decommission events per week.

Similarly for non-DARPA WANs, the Site Connection Manager shall provide management operations necessary to

maintain and obtain DARPA Enterprise system authorizations to connect (ATC) to required external WANs (e.g.,

NIPRNet, SIPRNet, JWICS, etc.).

1.4.4 Hours of Operation

DARPA’s core operational hours are Monday through Friday, 7 a.m. to 7 p.m. EST, excluding federal holidays. The

Contractor shall provide IT services with 24/7/365 availability, with necessary Network Operations and Security

Center support to fulfill the SLOs defined within this PWS.

1.6 CLASSIFIED INFORMATION

This PWS document is not classified. However, the classification of the work to be performed and the items to be

delivered under this contract will be determined and handled in accordance with the DD Form 254 pertaining to this

contract. When the services and support being performed require access to security controlled or classified

information, the Contractor shall obtain and provide personnel with the appropriate security clearance.

1.7 PROTECTION OF INFORMATION IDENTIFIED AS "FOR OFFICIAL USE ONLY" (FOUO)

In the performance of this contract, it may be necessary that certain information and material, identified as "FOR

OFFICIAL USE ONLY (FOUO)" or "CONTROLLED UNCLASSIFIED INFORMATION (CUI)", be used by the

Contractor. Such material shall be handled and marked in accordance with the current version of DoD Instruction

8582.01, “Security of Unclassified DoD Information on Non-DoD Information Systems”, Enclosure 3 (Reference

(11)).

1.8 TRAVEL AND LOCAL EMPLOYEES AT SITE

Local Travel (mileage, parking, tolls, etc.) is used in support of this requirement to attend meetings and/or

coordinate multi-site, multi-agency projects within the Washington, D.C. Metropolitan area. Non-local travel, at the

request and authorization of the COR, may be required. All Contractor travel must be approved by the COR via the

IT Services Catalog provided by DARPA, in writing by the COR (signed email), or via approved Monthly

Management Reports. In the event of an emergency, the Contractor may obtain approval from the Contracting

Officer (KO) or COR by phone with a follow-on approval by the COR via the methods stated above.

2.0 DEFINITIONS/ACRONYMS

Access Management helps to protect the confidentiality, integrity, and availability of assets by ensuring that only

authorized users are able to access or modify the assets. Access management is sometimes referred to as “rights

management” or “identity management.”

Authorized means that a system or facility has been granted ATO by the authorizing official (AO) of a Government

agency or entity and/or the Director, Security and Intelligence, DARPA, based on authorization requirements

specified by appropriate DoD 8500-series documents.

Activity refers to a set of actions designed to achieve a particular result.

Activities are usually defined as part of processes or plans and are documented in procedures.

Asset refers to any hardware, software, or service capability. Assets of a service provider include anything that could

contribute to the delivery of a service.

Availability refers to the ability of a configuration item or IT Service to perform its function when required.

Availability is usually calculated as a percentage based on agreed service time and downtime.

Bundle refers to the combination of selected hardware, software, and support services used to create a service

delivery point.

Capacity refers to ubiquity of access, connectivity, redundancy/diversity, compute capacity, committed information

rate/peak information rate, and growth potential/scalability.

Change Management refers to the process responsible for controlling the lifecycle of all changes. The primary

objective of change management is to enable beneficial changes to be made, with minimum disruption to IT services.

The main difference between the change management and configuration management systems is that change

management deals with process, plans, and baselines, while configuration management deals with product

specifications.

Closure refers to the act of changing the status of an incident or service request to the final status in its lifecycle.

When the status is “closed,” no further action is taken.

Closure Time refers to the act of closing a user request (a.k.a. Help Desk ticket) which will occur after the request

has been completed to the user’s satisfaction and a Help Desk manager has reviewed and agreed that the request has

been resolved.

Cloud Computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and

process data, rather than a local server or a personal computer.

Configuration Control Board (CCB) refers to the Government and Contractor representatives who recommend

approval or disapproval of proposed changes to a configuration change or modification.

Configuration Item (CI) refers to any component or other service asset that needs to be managed in order to deliver an IT

service. Information about each configuration item is recorded in a configuration record within the configuration

management system and is maintained throughout its lifecycle by service assets and configuration management.

Configuration items are under control of change management.

Configuration Management refers to the process responsible for maintaining information about CIs delivering an

IT service, including their relationships to other CIs. This information is managed throughout the lifecycle of the CI.

Contractor refers to an entity in private industry that enters into contracts with the Government to provide

goods or services.

Continuity of Operations (COOP) Site refers to the site (currently located at 21715 Filigree Ct, Ashburn, VA

20147) capable of providing limited failover capabilities, but not complete replacement for all IT operations, in the

event that the building at Founders Square (Arlington, VA) becomes unavailable.

Core Hours are DARPA’s standard business hours which are 7am to 7pm, Monday through Friday, local time,

excluding federal holidays.

DARPA Enclave, for the purposes of this contract, refers to 675 North Randolph St., Arlington, VA and 21715

Filigree Ct, Ashburn, VA 20147.

DARPA Personnel refers to both Government and Contractor personnel on-site within the DARPA Enclave.

DARPA Portal refers to the intranet site providing DARPA news, information, and services.

DARPA Public Network (DPN)/DPN.org refers to the separate unclassified network designed specifically to allow

DARPA personnel to connect to universities and other institutions with fewer restrictions than on the DARPA

Management Services System.

DARPA Store Front refers to an online, user-friendly, interface to the service catalog allowing users to ‘purchase’

services.

Demand Management refers to activities that understand and influence Government demand for services and the

provision of capacity to meet these demands. At a strategic level, demand management can involve analysis of

patterns of business activity and user profiles.

DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to

deliver applications and services at high velocity: evolving and improving products at a faster pace than

organizations using traditional software development and infrastructure management processes. This speed enables

organizations to better serve their customers and compete more effectively in the market.

DevSecOps is the philosophy of integrating security practices within the DevOps process.

DARPA Management Services System (DMSS) is the primary unclassified data network.

DoD Directive 8140 is the DoD directive that describes the certification requirements for individuals working on

security or security-related functions. Note: most services under this effort have security-related functions.

E-Mail refers to a widely used network application in which electronic mail messages are transmitted between end

users over various types of networks using a variety of network protocols.

Event refers to a change of state which has significance for the management of a CI or IT service. The term is also

used to mean an alert or notification created by any IT service, CI, or monitoring tool. Events typically require IT

operations personnel to take actions, and often lead to incidents being logged.

Failure refers to the loss of ability to operate to specification, or to deliver the required output. The term may be

used when referring to IT services, processes, activities, CIs, etc. A failure often causes an incident.

Founders Square refers to the area on Wilson Boulevard between Quincy Street and North Randolph Street in

Arlington, VA where DARPA is located.

Governance refers to the act of ensuring policies and strategy are actually implemented, and that required processes

are correctly followed. Governance includes defining roles and responsibilities, measuring and reporting, and taking

actions to resolve any issues identified.

Government refers to the person or group who receives the hardware, software, and related services provided under

this PWS, in this case, ITD. The term is also sometimes informally used to mean users, for example “this is a

Government-focused organization.”

Government Survey is the primary means for assessing levels of Government satisfaction.

Help Desk Ticket refers to user support requests and falls into four ticket types: Security Incident, Incident, Service

Requests, and Move, Add, Change, and Delete (MACD).

Infrastructure as a Service (IaaS) is an instant computing infrastructure, provisioned and managed over the

internet. It’s one of the four types of cloud services, along with software as a service (SaaS), platform as a service

(PaaS), and serverless.

Incident refers to an unplanned interruption to an IT service or a reduction in the quality of an IT service. Failure of

a CI that has not yet impacted service is also an incident. Incidents prohibit a user’s ability to do his or her job (e.g. a

user’s network drop is not working).

IT Service Management (ITSM) refers to a service provided to one or more customers by an IT service provider.

An IT service is based on the use of IT and supports the Government’s business processes. It is composed of a

combination of people, processes, and technology.

Key Personnel refers to those persons who are essential to work performance of the contract. All candidates to

replace positions designated as key personnel on the contract, or candidates for newly designated or created key

personnel positions, shall only be utilized for the contract with Government concurrence. The Contractor shall

provide the resumes for candidates for positions designated as key personnel to the Government for Government

review and concurrence and the candidates shall meet with the Government as part of the oversight process.

Local Area Network (LAN) refers to the internal unclassified computer network that currently supports the DARPA

enclave.

Legacy refers to hardware, software, or application systems currently in use in the DARPA enclave.

Move, Add, Change, and Delete (MACD) refers to a request for a change to a CI.

Offsite Storage means a location of sufficient distance (at least 10 miles) from the DARPA enclave to assure

survival of the material in case of disaster or emergency events. Note: this is in addition to the Equinix, VA site.

Operational Level Agreement (OLA) defines the interdependent relationships among the internal groups of

DARPA. The agreement describes the responsibilities of each internal support group toward other support groups,

including the process and timeframe for delivery of their services. The objective of an OLA is to present a clear,

concise and measurable description of the service provider’s internal support relationships. Copies of the OLAs will

be provided to the Contractor at contract award.

Platform as a Service (PaaS) is a complete development and deployment environment

in the cloud, with resources that enable delivery of everything from simple cloud-based apps to sophisticated, cloud-

enabled enterprise applications. PaaS includes infrastructure—servers, storage, and networking—but also

middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS

is designed to support the complete web application lifecycle: building, testing, deploying, managing, and updating.

Plan of Action and Milestones (POA&M) refers to a document that identifies tasks needing to be accomplished to

complete a project. It details resources required to accomplish the elements of the project, any milestones in meeting

the tasks, and scheduled completion dates for the milestones. Typically, the Contractor will provide a recommended

POA&M for contracting officer’s representative (COR) approval.

Privileged User refers to users who have escalated privileges beyond those of a basic user.

Problem refers to the cause of one or more incidents. The cause is not usually known at the time that the problem

record is created.

Professional Services Project refers to a task undertaken to meet specific goals and objectives that has a definable

beginning and end. In respect to this contract, it is to provide one-time or first-time products or services. In the case

of a first-time project, the intent is that once completed, a product or project will become a repeatable service or

product that will be added to the Service Catalog and made available to DARPA Users via the DARPA Store Front.

Project Request (PR) refers to the initial request from the Government to the Contractor defining the requirements

of the work to be completed by the Professional Services staff.

Project Change Request (PCR) refers to the request, by the Government or Contractor, to change the scope of a

given project.

Resolution refers to an action taken to repair the root cause of an incident, or to implement a workaround. If a

workaround is implemented, a new problem record is created to identify the root cause. Resolution time is when the

user responds that he or she agrees that the service request or incident has been resolved. If a user does not respond

within two business days of reasonable attempts to contact, it will be assumed that the user agrees, and the ticket can

be resolved.

Responsiveness is a measurement of the time taken to respond to a security incident, service request, etc.

Retired Services refers to services that have been removed from the Service Catalog and are no longer available.

Software as a Service (SaaS) is a software licensing and delivery model in which software is licensed on a

subscription basis, centrally hosted and supported by the vendor, and is accessible over the internet.

Security Features refers to the security features that are directed by DoD or federal-Government-mandated

guidance, law, or regulation, or as determined by DARPA. Where questions of the interpretation of requirements are

necessary, the Government will consult with the Contractor but shall be the final arbiter.

Security Incident refers to an assessed occurrence that actually or potentially jeopardizes the confidentiality,

integrity, or availability of an information system; the information the system processes, stores, or transmits; or that

constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use

policies.

Service Asset refers to any capability or resource of a service provider. A service asset comprises the hardware

which, when bundled with software and security features (e.g. smart card technology), is necessary for DARPA users

to perform computing functions, to access computing resources, and to receive the Government IT services described

in this PWS.

Service Catalog refers to a database or structured document with information about all available IT services. The

Service Catalog is the only part of the service portfolio available for deployment. The Service Catalog includes

information about deliverables, prices, contact points, and ordering processes.

Service Delivery Maturity refers to the frameworks and quality models such as ISO9000, ISO20000, the IT

Infrastructure Library (ITIL), Capability Maturity Model (CMM), and Capability Maturity Model Integration

(CMMI) and provides a blueprint and a road map for improving processes and procedures. Each framework and

quality model has specific strengths in helping meet business goals, including the potential for cost reductions,

increased customer satisfaction, and greater productivity.

Service Delivery Points (SDP) refers to customer-facing, hardware CIs. This includes desktops, laptops, tablets,

personal digital assistants (PDAs), cellular, satellite, and landline Voice over Internet Protocol (VoIP) phones,

printers, copiers, and all devices which may be added to, replace, or supplement any of the above devices during the

course of the contract.

Service Level Management (SLM) refers to the process responsible for negotiating the levels of service to be

provided and ensuring that these are met.

Service Level Objective (SLO) is a specified level of service included as part of the PWS. SLOs are a means of

measuring the performance of the service provider and are outlined as a way of communicating the Government’s

requirements between the two parties.

Service Provider refers to an organization supplying services to the Government. “Service provider” is often used as

an abbreviation for “IT service provider.”

Service Request refers to a request from a user for information, advice, or a pre-approved change that is low risk,

relatively common, and follows standard procedures. The nature of a service request does not prohibit a user’s ability

to perform his or her job (e.g., a user cannot open an e-mail attachment, but can still send and receive e-mails).

State-of-the-Shelf refers to the innovative use of proven/stable technologies vs. leading/bleeding edge.

Test Bed refers to the stand-alone network environment simulating a production DARPA network used to test and

evaluate new and modified technologies and applications.

Underpinning Contract refers to a contract between the awardee and a third party. The third party provides goods

or services that support delivery of an IT service to the Government; for example, contracts with the internet service

provider and the copier vendor. The underpinning contract defines targets and responsibilities that are required to

meet agreed SLOs.

Unified Communication (UC) refers to the integration of real-time communication services such as instant

messaging (chat), presence information, telephony (including Internet Protocol (IP) telephony), video conferencing,

call control, and speech recognition with non-real-time communication services such as unified messaging

(integrated voicemail, e-mail, Short Message Service (SMS), and fax). UC is not a single product, but a set of

products that provides a consistent unified user interface and user experience across multiple devices and media

types.

User refers to an individual person or system process acting on behalf of an individual person authorized to access an

information system.

User Account refers to authorized access to use specified services, exclusive of the hardware and LAN drop.

3.0 GOVERNMENT-FURNISHED EQUIPMENT, SERVICES, AND FACILITIES

The Government will provide the facilities, equipment, material, and services identified herein.

3.1 FACILITIES

3.1.1 Government Furnished Spaces

The Government will provide the furnished space described below at Founders Square:

80 Non-SCIF workspaces.

35 SCIF workspaces.

~1500 sq. ft. of equipment storage onsite.

If additional workspace is required, the Contractor shall provide off-site space for their employees within the

National Capital Region.

The Contractor shall provide ~2000 sq. ft. of equipment storage space within the National Capital Region.

3.2 GOVERNMENT FURNISHED EQUIPMENT (GFE) – COMSEC

As required, the Government will furnish any NSA Type I encryption devices and associated keying material

(KEYMAT) necessary to support encryption of external network connections, which are unable to support NSA-

approved commercial national security algorithm (CNSA) suite encryption, also known as "Type II" or "Suite B", in

accordance with CNSS Policy # 15, "Use of Public Standards for Secure Information Sharing."

3.3 ACQUISITION OF IA-ENABLED IT PRODUCTS POLICY

Unless otherwise approved by the Government, technologies for Multi-Network Support Services (MNSS) shall be

procured in accordance with CNSSP No. 11, "National Policy Governing the Acquisition of Information Assurance

and IA-Enabled Information Technology Products." In addition, technologies shall be procured which have been

validated by Common Criteria Testing Labs, in accordance with the National Information Assurance Partnership

(NIAP) Protection Profiles (PPs). Where a PP exists but the desired product has not been validated against it, MNSS

shall direct the desired vendor to have their product validated against the appropriate, corresponding PP. For

National Security Systems (NSS) where classified data is being protected at rest or in transit by commercial

products, technologies from the Commercial Solutions for Classified (CSfC) Components List shall be used, in

accordance with NSA's published CSfC Capability Packages. Capability Packages and the CSfC Components List

can be found by visiting the CSfC Components List page

<https://www.nsa.gov/resources/everyone/csfc/components-list/>. NIAP-validated products can be found at the

NIAP website on the CCEVS Product Compliant List <https://www.niap-ccevs.org/CCEVS_Products/pcl.cfm>

page.

4.0 PERFORMANCE REQUIREMENTS

4.1 GENERAL REQUIREMENTS

These Areas are intended to cover the entire life-cycle of support for DARPA’s IT services, support, and

infrastructure environment.

1) The Contractor shall meet or exceed the performance requirements as specified in the Service Level

Objectives (SLO).

2) The Contractor shall provide the labor, management, services, and work necessary to provide and maintain

the computers, networks, devices, and services needed by DARPA at all classification levels.

3) The Contractor shall ensure that all hardware, software, other material and information are properly tagged,

labeled, and that it is safeguarded and accounted for at all times.

4) The Contractor shall keep all equipment rooms, wiring closets, and other work areas in a clean and orderly

state. All equipment, wiring, etc. shall be properly tagged and/or labeled in accordance with current DOD

and/or DARPA regulations or direction.

5) The existing systems are described below. Additional systems and/or services may be required during the

contract and shall be presented to the Contractor by the Government.

a) The DARPA Secure Enterprise shall be composed of the distinct networks and systems referenced

below. The Contractor shall maintain these networks and facilitate the integration of these systems

as directed by DARPA. The implementation may not prohibit growth or impede progress towards

DARPA’s objectives.

i. DARPA Management Services System (DMSS) is the primary controlled unclassified

information (CUI) network with dedicated connectivity to the Internet, the Defense

Information System Network (DISN), and commercial Cloud Service Providers (CSPs).

ii. DARPA Public Network (DPN) is an unclassified network, separate from the DMSS, to

support non-CUI unclassified processing and Internet access for DARPA visitors and

employees.

iii. DARPA Secret Network (DSN) provides HQ LAN access to external SIPRNet resources.

iv. DARPA Secret Wide Area Network (DSWAN) provides an isolated Secret collateral

network LAN/WAN environment to support timely collaboration needs with performers

who are unable to obtain SIPRNet access.

v. DARPA Joint Worldwide Intelligence Communications System (JWICS) Network (DJN)

provides HQ LAN access to external intelligence community (IC) resources and mission

partners.

vi. ALCAZAR provides an enterprise platform IT (PIT) LAN/WAN capability to support

collaboration up to TS//SCI//SAR levels, as well as controlled interfaces to non-

enterprise PIT systems.

vii. Savannah (SAV) provides a Windows-based LAN environment coupled with a multi-

level security (MLS) cross domain solution (CDS) WAN and circuit transport capability,

enabling performer collaboration up to TS//SCI//SAR levels, as well as enabling singular

interface access to multiple DARPA enterprise, non-enterprise*, and non-DARPA

mission partner classified networks*.

1. Certain networks, such as DARPA non-enterprise or non-DARPA mission

partner networks, only require integration with Savannah to enable access.

Primary administrative responsibility of such networks (also known as guest

networks) is often managed through an external Government organization

and/or contract vehicle. MNSS Contractor integration and auxiliary local

support shall include (but not be limited to): physical and/or logical connectivity

between guest network systems and DARPA systems, troubleshooting of

network connectivity issues, smart hands support of externally managed

systems, and coordination of required change management activities that affect

interfaced systems.

*Similar to the external mission partner systems characterized in the preceding paragraph which

interconnect with Savannah, such systems also exist disconnected from any DARPA information

system at DARPA HQ, but still require support by the Contractor. Unless specified by the

Government, the level of support required will be limited to physical connectivity between the guest

network providers’ circuit and their active equipment, and smart hands troubleshooting support with

the guest network provider.

6) The Contractor shall ensure that all assessment and authorization requirements are met for all systems and

devices in a timely manner and as required by DARPA CIO and Authorizing Official (AO), IAW

Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), United States Cyber

Command (USCYBERCOM), Joint Forces Headquarters-DoD Information Network (JFHQ-DODIN),

Defense Intelligence Agency (DIA), Defense Information Systems Agency (DISA), and DARPA

regulations and that, as appropriate, Authority to Operate (ATO) and Authority to Connect (ATC)

permissions are obtained and are not allowed to lapse.

4.2 COST EFFECTIVENESS

The Contractor shall continuously evaluate the marketplace to leverage state-of-the-shelf technology. The

Contractor shall make every effort to recommend cost-effective services and solutions. DARPA also acknowledges

that the most expensive up-front cost might have the highest return on investment (ROI) and therefore be the best

choice.

4.3 ACCESS AND OWNERSHIP

All DARPA information resources and Contractor generated data, exclusive of Contractor or 3rd party commercial

proprietary data or software, to include (but not be limited to) system log data, documentation, program code,

automated scripts and ancillary information under the contract are owned by the Government. As such, the Contractor

must allow and provide capabilities for authorized Government managers and staff, as well as designated

Contractors, access to such data. Deliverables shall be made available in a shared repository that is available at all

times to the Government; currently SharePoint services are being used for this purpose. Upon request by the

Government, the Contractor shall, without delay, deliver and convey any/all requested DARPA files/documents, etc.

to the appropriate DARPA person or organization. Likewise, the Contractor must provide on-going direct

systems/automated access to DARPA files and databases. Such direct systems access shall include admin or root

type access for the purpose of oversight, generating reports, forensics and analysis. Management consoles must be

accessible for validation/monitoring purposes. Deliverables required by the contract are Government property and

may be redistributed within the Agency for management or verification purposes, at the sole discretion of the

Government. Additionally, the Government reserves the right to reach down to Contractor personnel directly while

simultaneously coordinating with Contractor Management in order to support urgent requirements or emergencies.

4.4 PERSONNEL STANDARDS

The Contractor shall provide staff with the necessary skill-level for the job types on this contract. The expectation is

for employees to have the knowledge, training, and experience to perform the duties of their position on Day 1. The

Contractor may propose/recommend positions appropriate for entry-level staff; however, the Government’s approval is

required, and quality and SLO performance will not be waived. Otherwise, the Government requires certified and

experienced staff so that the quality of service is exemplary and the response times to incidents, requests, and

problems are minimized. The Contractor shall maintain qualified personnel in compliance with DoD 8140.01 and

who are knowledgeable, customer-centric, courteous, and responsive.

4.5 CLASSIFIED NETWORK SYSTEMS

4.5.1 Savannah (SAV) – Multi-Level Security (MLS)

The Contractor shall provide an authorized MLS system capable of supporting Secret to TS/SCI/SAR briefed

personnel and materials. This MLS CDS instantiation is currently jointly assessed and authorized by DARPA and

the DoD Special Access Program (SAP) CIO in accordance with JSIG, Committee on National Security Systems

(CNSS) Instruction 1253, and NIST Special Publication (SP) 800-53 Rev4 baseline and tailored security controls for

impact levels of High/High/Moderate, as well as CNSSI 1253 overlays for Intelligence and CDS, and the JSIG

overlay for Accessibility. Components of the CD technologies employed within the MLS network are registered

with the National Cross Domain Strategy & Management Office (NCDSMO) as a baseline CDS. The system

facilitates secure communication between DARPA performers and Government partners at common classification

levels and compartmented access to multiple Windows-based PL-2 and PL-3 LAN/WANs via a combination of PL-3

and PL-4 software and hardware-controlled interfaces. Additionally, it shall connect to the DoD SAP CIO’s

secure web services (SWS) enterprise to facilitate both access for general users to SWS services as well as to permit

automated batch ingestion, at least every 12 hours, of user SAP accesses into the MLS identity and access

management (IdAM) infrastructure.

The desired connectivity is such that users should be able to communicate within DARPA and with other secure

nodes connected to the MLS at their common access level. Connectivity between the MLS and non-MLS classified

networks shall be via authorized Controlled Interfaces and Web-based applications approved by the Government on

a case by case basis. The system shall:

1) Provide communications capabilities that support inter-site and intra-site connectivity to include file shares, email, printing, video, and web communities of interest.

2) Provide connectivity via email, remote desktop sessions, and two-factor authentication web file transfers (low to high) to DARPA controlled Single Level networks.

3) Maintain connectivity to DARPA’s classified personnel access database and facilities database system instances as well as provide a method to automate verification of clearances/program access for the MLS to provide access to data.

4) Provide the capability and maintain a process for deploying new sites based on Government requirements for connectivity to outside groups.

5) Maintain and audit all controlled interfaces required for access to non-MLS systems.

6) Provide alternative solutions for any application required for DARPA’s mission that is not compatible with the MLS.

7) Provide advanced security features, authentication methods (two factor authentication), and technology.

8) Provide Deep Content Inspection of files being transmitted between networks of differing classification levels.

9) Possess the ability to archive program data via a set of configurable rules on the network.

Network nodes can be characterized as fixed sites. Fixed sites generally consist of a DARPA controlled LAN with

the capability to extend services to locally managed Single Level LAN via accredited Controlled Interfaces managed

by the Contractor.

Fixed sites are a mixture of Government and Contractor sites supporting a secure e-business environment.

4.5.2 Savannah - ASCEND

Within the Savannah authorization boundary, DARPA maintains two PL-3 compartmented Windows enclaves – one

to process up to TS//SCI/SAR, and the other to process up to S//SAR – which provide access to the MLS web

services. All data sharing is required to cross an approved controlled interface to ensure authorized access to the

information. PL-2 and PL-3 applications within the two ASCEND enclaves are authorized on a case by case basis

and must be segregated from the other systems.

4.5.3 ALCAZAR

The Contractor shall maintain a mixed Windows, Linux, and Oracle-based platform IT (PIT) enterprise network,

which currently supports multiple DARPA SAPs in a PL-3 mode of operation. Although it does not connect to any

other DARPA Enterprise network, it is a distributed WAN currently supporting 30 sites. The managed enterprise

services currently include WAN transport, boundary protection, end-point monitoring, single sign on (SSO), VoIP,

Atlassian Suite products, and a GOTS PL-3 collaboration product provided by the Georgia Tech Research Institute

(GTRI). The enterprise also supports localized site requirements to connect and isolate program specific networks

and/or hardware from the rest of the enterprise.

4.5.4 Windows Networks

The remaining DARPA Windows Networks consist of the networks described below. While some deltas exist for

end-user requested software, all three networks utilize similar configurations for core services. These services

currently consist of a Microsoft Windows network supporting email (MS Exchange), web communities of interest

(SharePoint), File Services (NetApp) and Directory services (MS Active Directory). All services run on Virtual

Machine Infrastructure (VMWare) where possible. The clients are a combination of Windows workstations and

Thin Clients connecting to Microsoft Remote Desktop Services. Additionally, each network supports both a VoIP

and VTC capability. Two of the three systems are dependent on the cognizant DoD / Intelligence Community (IC)

WANs and systems for communication outside of DARPA.

4.5.4.1 Secret Wide Area Network Support (DARPA Secret WAN (DSWAN))

The Contractor shall maintain a Windows based network (historically over 180 nodes at 120 physical sites)

throughout the United States at the Secret Collateral Level with connectivity to the MLS through a CDS Interface

that controls specific mission traffic flows.

The Contractor shall support and/or continue the deployment of the WAN nodes that provide DARPA cleared

defense Contractors (CDCs) and Government partners with Email, File Sharing, video, Network Transport of those

partner-authorized LAN/WANs, and Web Communities of Interest at the Collateral Secret Level. The deployment

environment and certain security controls at CDC locations and associated roles and responsibilities will be defined

by DARPA and partner authorizing authorities and will limit dissemination of classified media (Hard Drives, etc.) to

the DARPA HQ Building whenever possible. This is currently accomplished via a Virtual Desktop Infrastructure

based on VMWare vSphere and Remote Desktop Services Technologies.

4.5.4.2 SCI Network (DARPA JWICS Network (DJN))

The Contractor shall maintain connectivity to the Government-furnished IC WAN node located at DARPA IAW

applicable IC policies as well as internal connectivity to the MLS via an authorized Controlled Interface.

4.5.4.3 Secret Network (DARPA Secret Network (DSN))

The Contractor shall maintain connectivity to the SIPRNet IAW applicable DoD policies, as well as internal

connectivity to Savannah through a CDS Interface that controls specific mission traffic flows. The Contractor shall

also support the future transition of the DSN, or identified DSN services, to a Defense Information Systems Agency

(DISA)-managed enclave or service, once the Government determines such an external entity or service can meet

DARPA’s mission requirements.

4.5.5 Other Networks

The Contractor shall support connectivity to other networks as directed.

4.6 UNCLASSIFIED NETWORK SYSTEMS

4.6.1 Testbed Network

The Contractor shall maintain and operate a testbed network at both the unclassified and classified levels. The

network is intended to simulate all Classified operating environments and provide the capability to develop and/or

test new systems, architectures, and security patches and signatures prior to deploying on production Classified

networks. The simulated classified network segment of the DARPA unclassified testbed network, to include any

external boundary interfaces to other simulated classified networks.

4.6.2 DARPA Public Network (DPN)

The Contractor shall maintain and operate a separate system to support non-FOUO/CUI communications with non-DoD

partners or services that are not accessible from the DoDIN. This system is authorized as a Low/Low/Low

public Internet system under NIST SP 800-53.

4.6.3 DARPA Management Services System (DMSS) Network

The Contractor shall maintain and operate a Windows unclassified Moderate/Moderate/Low network for access to

Internet and NIPRNet applications. The system shall:

1) Provide communications capabilities that support inter-site and intra-site connectivity to include file shares,

email, printing, video, and web communities of interest.

2) Maintain connectivity to NIPRNet’s Federated Gateway (NFG) for access to DoD services needed to

conduct DARPA business.

3) Maintain connectivity to AWS GovCloud via AWS Direct Connect.

4) Provide the capability and maintain a process for deploying new sites based on Government requirements.

5) Provide alternative solutions for any application required for DARPA’s mission that is not compatible

with the network.

6) Provide advanced security features, authentication methods (multi-factor authentication), and technology.

7) Support custom applications created and maintained within ITD and Comptroller Office that are critical in

conducting DARPA business (e.g. Broad Agency Announcement Tool – BAAT, COMP Business Analysis

System, etc.)

The DMSS currently consists of 4 primary segments.

1) FS Internal (data center): Consists of the desktop systems, campus network, and some internal

DARPA data repositories (e.g. file shares, web portals, management applications, etc.)

2) AWS GovCloud: DARPA operational applications (i.e. Exchange, SharePoint, Agency web applications)*

3) DMZ: Consists of publicly releasable (Impact Level 2) web presences and external collaboration tools (e.g.

web portal, web applications supporting programs, etc.) Data contained can be up to FOUO/CUI (Impact

Level 4) and access is managed via approved accounts following strict account provisioning processes.

4) Security: Consists of the required tools to support DARPA’s Tier 2 CSSP role and the DARPA Cloud

Services Gateway.

The Contractor shall also support the transition of the DMSS, or identified DMSS services, to a Defense Information

Systems Agency (DISA)-managed enclave or service, once the Government determines such an external entity or

service can meet DARPA’s mission requirements.

4.6.2 Defense Information System Network (DISN) DISN Multi-Protocol Label Switching (MPLS) Node

The Contractor shall maintain and operate DARPA’s own Multi-Protocol Label Switching (MPLS) router node on

the Defense Information System Network (DISN), which is used to access and transport DARPA, DoD, and IC

WANs.

4.6.3 Commercial Cloud Services

The Contractor shall support the unclassified operational workloads in Amazon Web Services (AWS) GovCloud.

The current workloads include typical back office applications such as Microsoft Exchange, SharePoint, Adobe

Connect, as well as custom developed web applications.

ITD has categorized DARPA data as Impact Level 4 or below as is defined in the DoD Cloud Security

Requirements Guide [current version].

The Contractor shall support the two current Software as a Service (SaaS) offerings for the Agency. Okta is an

Impact Level 2 (IL2) SaaS cloud service offering (CSO) that provides identity access, management, governance, and

single-sign-on (SSO) capabilities. Box is an enterprise content and collaboration CSO that is authorized at Impact

Level 4 (IL4).

Connectivity to Box and Okta is via public Internet through the DARPA Cloud Services Gateway. Box and Okta

logs are ingested into the DARPA on-premises SIEM through secured APIs.

Additionally, the Contractor shall evaluate multiple SaaS offerings for utilization by the Agency and DARPA

technical offices to include ServiceNow, Slack, Salesforce, Zoom, and others.

4.7 PROGRAM MANAGEMENT

The Contractor shall provide effective, efficient and responsive program and project management, financial

management, and contract administration services for this PWS. The Contractor shall provide a management team

that is responsible for interfacing and collaborating with the Government and other Contractors’ management,

formulating and enforcing work and quality standards, establishing schedules, reviewing work in progress,

developing standard operating procedures (SOPs) and managing personnel. DARPA requires the Contractor to assist

with the drafting of business and technology strategies, technical architecture to support the strategies, and

conducting the research of new technology trends, products and services, such as hardware components, system

software, and networks that offer opportunities to improve the efficiency and effectiveness of IT services. The

Contractor may also be required to participate in briefings of these services and technologies to senior Government

personnel.

4.7.1 Management and Administration

The Contractor’s Program Manager or designee shall support IT governance in the following ways:

1) Attend Government directed morning stand-ups

2) Report the status and progress of each item of work being performed on an autonomous, near-real time and

monthly basis

3) Hold in-process reviews on a quarterly basis with the Government. Issues to be addressed include:

a. Strategic planning

b. Contractor performance with respect to quality, schedule, cost and cost savings

c. Summary review of detailed Plan of Action and Milestones (POA&M) for each initiative

d. Metrics that portray the progress of work under the contract

e. A summary of the quality of work performed from the points of view of DARPA Users such as

via surveys, and

f. Plans for improvement of the Contractor staff to achieve more effective and efficient support of

the DARPA mission

4.7.2 Demand Management

At a Strategic level, the Contractor shall analyze the patterns of business activity and user profiles. The Contractor

shall anticipate and address Government requirements for new and/or enhanced services to include software,

hardware, support and infrastructure services. The Contractor shall inform the Government of cost-effective options

and processes, and their implications, to satisfy IT service requirements. Reference SLO 8.3.

4.7.3 Service Portfolio Management

The Contractor shall manage a portfolio of services from the inception of a service through deployment of the

service to retirement. The Contractor shall provide information to the Government detailing the life-cycle of each

service or configuration item and the impact the service retirement has upon the DARPA IT environment.

4.7.4 Service Management

The Contractor shall establish and maintain the Service Pipeline, listing all IT services that are under consideration

or development, but are not yet available to the Government. The Contractor shall establish and maintain the Service

Catalog which shall contain information about all available IT Services, including those available for deployment.

The Service Catalog shall be used to support the charge and delivery of IT Services to the Government. The Service

Catalog includes information about deliverables, prices, contact points, ordering and request processes. As part of

the tracking of the service lifecycle, the Contractor shall maintain a list of all services removed from the Service

Catalog (retired) in the Service Portfolio.

4.7.5 Program Coordination Support

The Contractor shall provide technical and managerial support and input to Government program boards, panels,

reviews, teams, working groups, and various ad-hoc meetings and committees. Some meetings require the Contractor

to give formal briefings, while others may only require attendance and participation. The Contractor shall support these

meetings and reviews with the level of technical and managerial participation sufficient to meet the needs of the

meeting or review. Examples include, but are not limited to:

1) Configuration Control Board (CCB)

2) Configuration Control Board Working Group (CCBWG)

3) Ad-hoc Committees/Boards

4) Outage Reviews

5) Management and Contract Reviews

6) Monthly Technical Operations Reviews

7) CO/COTR Meetings

4.7.6 Ad hoc Services

The Contractor shall provide support for ad hoc services, within the general scope of this requirement, as requested.

4.8 QUALITY MANAGEMENT

4.8.1 Quality Assurance Plan

The Contractor shall measure and report their performance against the PWS requirements and the Service Level

Objectives listed in Section 5.2.3. All SLOs and requirements will be reviewed and adjusted annually on the

anniversary of the contract to meet changing DARPA IT service, support and infrastructure requirements.

Adjustments to SLOs during the annual review will be made by mutual agreement between the Government and the

Contractor.

4.8.2 Report Automation

The Contractor shall design, propose, implement once approved by the Government, and manage an automated

reporting solution to provide real-time and near real-time reports for product/process management, project

management, customer interactions, pipelines, risk management, compliance, and other reports as directed by the

Government. The objective is to automate as much static reporting as possible.

4.8.3 Service Improvement

The Contractor shall develop a methodology for managing continual service improvement with particular attention

given to cost savings and operational efficiencies through the use of Service Delivery Maturity models. The Contractor

shall provide flexible and innovative solutions to the Government as detailed in SLO 8.3.

The Contractor will ensure that the following requirements are met:

1) Develop and receive approval for a Service Delivery Maturity Plan

2) Participate in a joint working group with the Government that will continually measure and report on the

progress of achieving service delivery maturity

3) Develop a Systems Development Life Cycle (SDLC) process and documentation to be compliant with

applicable service maturity model(s) for Government approval

4.8.4 Enterprise Content Management & Repositories

The Contractor shall manage the ITD enterprise content management (ECM) process and maintain all associated

document repositories. The Contractor shall merge existing disparate repositories into the current ITD ECM

solution.

4.8.5 Process Improvement Tasks

These tasks are generally of a short duration and involve the Contractor performing specific tasks to incorporate

lessons learned from engagements. Task requirements may include, but are not limited to, those listed below.

1) Updating the ITD Reference Project to:

a. Incorporate applicable identified standards and best practices of the Agency.

b. Reflect the evolution within 30 calendar days of a change.

c. Notified by the Government that an update is required.

2) Drafting or revising policies and standards for coordination and approval.

3) Creating, revising and/or delivering project management presentations.

4) Documenting common issues encountered and recommended resolution to these common issues.

5) Documenting common pitfalls to assist project teams.

6) Enhancing the SDLC.

4.8.6 Operational Level Agreements (OLA)

The Contractor shall support existing Operational Level Agreements.

4.8.7 Service Level Agreements (SLA)

The Contractor shall monitor and audit Service Level Agreements with vendors.

4.8.8 Memorandums of Understanding / Memorandums of Agreement (MOU/MOA)

The Contractor shall support existing MOUs/MOAs.

4.9 ASSET AND CONFIGURATION MANAGEMENT

4.9.1 Support to the Configuration Control Board

The Contractor shall control, manage, track, and report all operational changes executed on all networks. The

Contractor shall provide a real-time Change Management Report on-line.

The Contractor shall provide a real-time Configuration Change Request Report on-line. The Report shall include, at

a minimum, the following information with regard to each configuration change:

1) Type of Request

2) Priority Level

3) Name/Organization of Requestor

4) Explanation of Change

5) Justification of Change

6) Impact of Change

7) Security Concerns, Known Risks

8) Schedule

Reference SLO 5.3

4.9.2 Service Catalog – DARPA Store Front

The Contractor shall populate a Government-provided automated Service Catalog of hardware, software, support

services and other COTS items to meet DARPA’s need for specialized or advanced functionality to be ordered and

funded as needed. Items listed in the catalog shall be pre-integrated and available for immediate access when

ordered to augment services, or available for pilot purposes when ordered in conjunction with Professional Services

requirements. All items in the catalog shall be integrated and interoperate with all services upon deployment.

The Contractor shall utilize the Government provided electronic ordering system as the front-end to the Service

Catalog referred to as the DARPA Store Front. The Service Catalog shall publish alerts, via e-mail, to all

appropriate parties as order status changes. The Service Catalog shall have the capability of generating live reports

including financial reports by time, status and office. If a Configuration Item in the Service Catalog must be

procured, then SLO 1.2 applies.

The Contractor shall comply with the Service Catalog procedures provided by the Government and implemented by

the Contractor. As such, the Contractor must allow and provide capabilities for authorized Government managers

and staff, as well as designated Contractors, access to such documents.

4.9.3 Service Asset

The Contractor shall provide and support DARPA Service Assets to achieve optimal performance and customer

satisfaction. The Contractor shall provide support services with security features for the general DARPA enterprise

infrastructure and external networks to produce an effective and efficient interface with performer, Department of

Defense (DoD), and Government communications environments. All service asset configurations (hardware and

software) shall be proposed by the Contractor and submitted in advance of deployment to the Configuration Control

Board (CCB) for approval as outlined in the DARPA IT Configuration Control Governance Process. Procurement of

service assets shall be initiated by User orders via the DARPA Store Front. As they are considered service assets,

the Contractor shall obtain and manage software licenses in accordance with applicable DoD Security Guidelines.

The Contractor shall monitor and audit all software licenses to preclude inadvertent license and maintenance

expiration. Additionally, the Contractor shall track all follow-on costs associated with software (licensing,

maintenance, etc.) reporting as required and in coordination with the ITD Budget cycle. The Government reserves

the right to purchase and own bulk licenses. At Government direction the Contractor will be authorized to use GSA

Schedule Contracts, or other Government procurement vehicles (i.e., the DoD Approved Software, Enterprise

Software Initiative) with the goal of minimizing cost.

4.9.4 Integrated Configuration Management (CM) and Asset Management Control Process

The Contractor shall track and report on all assets, including Internal Use Software (IUS), supporting DARPA

Networks. Accountable Property is tracked separately and currently reported in the DPAS systems. Semi-annual

reports of asset inventories shall be provided representing current location of assets and status. A 100% annual

physical inventory is required for all assets and will be provided to the Government in an electronic form. The

Government will provide the authoritative database for tracking of Assets (currently Remedy for Unclassified and

ServiceNow for Classified).

The Contractor shall review the current centralized configuration management control process encompassing the

complete inventory of hardware, software, documentation, and processes. The Contractor shall propose, within 45

days, improvements including how to create and maintain in a Configuration Management Database (CMDB). The

CMDB shall contain all Configuration Items (CIs) and provide the capability to map relationships of CIs to other

CIs, including systems, devices, applications, groups, and individuals. The Service Catalog shall be a part of the

CMDB.

The Contractor shall provide and maintain a software library to include authorized and deployed software

configurations.

The Contractor shall provide, at the appropriate levels, a systems architecture view of all networks in the

Contractor’s standard format. The data shall include a full description of all external interface points, to include

DoD compliant technologies, protocols, and peering arrangements for external connectivity. It shall include

physical and logical connectivity, and how interoperability is achieved at the interfaces. The architecture shall detail

network hosting of current systems. Data shall include graphic architecture designs and cabling diagrams, at least to

the building level, and shall be updated as changes occur.

The Contractor shall present to, and provide technical support for the CCB. The Contractor shall present all

proposed technology refreshment, technology insertion, or technology enhancement changes for each section of this

PWS to the CCB. The Contractor shall document the benefits to be achieved for DARPA in terms of effectiveness

and efficiency in an impact assessment of proposed technology changes on contract cost. The CCB must authorize

all proposed technology refreshment changes.

4.9.5 Inventory / Asset Management

The Contractor shall assume accountability of all ITD assets. The Contractor shall not use property provided by the

Government for any purpose other than in contract performance.

The Contractor shall use, maintain and account for Government-furnished property in accordance with the

Contractor’s written and Government-approved property control plan and support DARPA’s Accountable Property

System, currently DPAS.

The Contractor shall maintain a complete and current asset inventory database of all hardware and software

accessible within the Government provided tool(s). The Contractor shall define and implement processes to audit

and control inventory, which shall allow the Contractor to monitor and re-deploy assets efficiently in the DARPA

up-tempo environment. Inventory acquired during the Period of Performance shall be tracked and remain available

to the Government.

The Contractor shall provide a semi-annual listing of GFP/GFE and complete a 100% inventory of all assets located

within the DARPA-enclave annually. In combination with yearly mandatory inventories, audit procedures should

include desk-side visits to validate user equipment; however, visits should be done with minimal impact to the

Government. The Government may designate personnel to accompany Contractor personnel to validate desk-side

audits. The Contractor shall assist in the conducting of an annual inventory report of all classified removable media

and internal hard drives (Collateral, SAP, and SCI).

The Contractor shall submit a property control plan to the Government in MSO-ITD format for review no later than

30 business days after the start of the Period of Performance for the contract. The Government will review and

make final acceptance of the property control plan within 10 business days of receipt. Changes to the property

control plan during the period of performance of the contract shall be submitted to the COR and Government

Program Manager (GPM) no later than 10 calendar days prior to the effective date of the change. The Government

will make final review and acceptance of any subsequent changes.

4.9.6 Service Database / Repository

The Contractor shall establish and maintain a service database to contain the Service Portfolio. The database and the

data held therein shall be the property of the Government.

4.9.7 Service Catalog Planning

The Contractor shall work with the Government to ensure the proper planning and coordination is in place for the

transition of Configuration Items from the Service Pipeline to the Service Catalog.

4.9.8 Commercial Off-the-Shelf (COTS) Catalog Services

The Contractor shall provide COTS Catalog services via the DARPA Store Front to allow for the purchase of approved

and integrated software, hardware and services. The Contractor shall make available support services for all COTS

items to include installation, initial training, warranties and Help Desk support. The Contractor shall provide users with

the capability to select and bundle software, hardware and services as the User requires.

4.9.10 COTS Catalog Maintenance

Addition and removal of items from the Catalog as well as changes in cost shall be upon the approval of the COR.

Items in the COTS Catalog shall include, but are not limited to, supported items listed in the Accreditation

Package. COTS Catalog pricing shall be adjusted annually. Any item that is ordered once shall by default be

automatically entered into the COTS Catalog, unless overridden by security concerns. For all new COTS items, the

Contractor shall include an associated support services line item in the catalog. This item shall provide the cost of

supporting the new item, with this cost being updated in the catalog at least annually. The Contractor shall update

the catalog and the Property Asset Tracking System to include the new items. The Contractor shall also ensure

obsolete items are removed.

In the event of a COTS catalog order cancellation, the Contractor shall, in conjunction with the Government,

determine if the item(s) should be returned to the original vendor or retained as an in-stock item. If the item is

returned, the Contractor and the Government will determine an equitable adjustment to be reflected on the

Contractor’s invoice.

4.10 CUSTOMER RELATION MANAGEMENT

The Customer Service functional area focuses on the “customer facing” aspects of supporting the services provided to

the Users under this contract.

4.10.1 User Outreach

The Contractor shall perform proactive communications and outreach with DARPA Users to inform them about

services provided in this PWS. The Contractor shall provide current informational materials such as brochures,

briefings, seminars, white papers, flyers, FAQs, web content, etc. The Contractor shall conduct information

exchange sessions (e.g., Town Halls and focus groups) in conjunction with the Government Representative as

required to provide information and receive user feedback about the IT services provided under this PWS and in

accordance with SLO 6.1. The Contractor shall form a supportive and close working relationship with other

DARPA Contractors performing work impacted by or related to this PWS. The Contractor shall also send out User

satisfaction surveys completed by the Users within one week of ticket closure; User satisfaction surveys shall be

used in accordance with SLO 6.1.

4.11 ENGINEERING MANAGEMENT

The Contractor shall utilize product teams for existing and new capabilities developed under this PWS. For the

purposes of this PWS, products refer to the services offered for both administrative and mission activities in support

of the DARPA Tech Offices. A typical product team is led by the product manager, and includes leaders from

engineering across multiple disciplines. This team is responsible for implementing strategy, roadmap, and feature

definition for that product or product line.

4.11.1 DARPA Technical Program Office Delegates

It is important that product teams lead with conviction by understanding and interacting with their product’s end

users. This offers a strong sense of what users want, and serves as the basis for a product's strategic vision. In

support of this and in addition to the proposed team personnel, the Contractor shall provide a delegate for each

DARPA Technical Program Office. Tech Office Delegates shall be responsible for the following tasks:

1) Business Relationship Management (BRM) - building and maintaining a solid business relationship with

each of the DARPA tech offices.

2) Represent ITD in all tech office interactions and being able to speak to and/or demonstrate:

a. ITD Catalog of Services

b. New capability pipelines

c. Engineering capabilities

d. Operational capabilities

e. DoD and industry trends

3) Requirements capturing, defining, and documenting in alignment with ITD requirements management

processes and procedures.

4) Serve as members of IT product teams.

5) Providing tech office feedback, concerns, and upcoming projects by utilizing a CRM solution.

4.11.2 Enterprise Architecture

The Contractor shall provide DoD Enterprise Architecture (EA) engineering and development services. Information

provided in response to enterprise-level EA activities shall adhere to the format and technologies specified by the

ITD Enterprise Architect. EA support shall include current state modeling, enterprise analysis, target state

definitions, and transition plans. In addition, the Contractor shall support the continuous maturity of the Agency’s EA

Program through program and process documentation in alignment with the EA Program charter.

4.11.3 Business Architecture

The Contractor shall ensure IT investments effectively support business requirements, are linked to the Agency and

Department level Strategic Plans, and provide maximum business value to customers, both internal and external.

Examples of this include:

1) Work with Information Technology Planning, Architecture and E-Government, and other organizations to

complete business and IT architecture planning.

2) Provide support for BPR efforts within the Agency.

3) Assess business drivers and IT capability gap analysis.

4.11.4 Information Architecture

The Contractor shall provide support for the planning and implementation of a robust data management program

that supports Agency Enterprise Architectures and mission requirements. As a part of this effort the Contractor shall

assist in defining, prioritizing, scheduling and executing steps to establish a framework for Data Management

Program(s) including: conducting requirements gathering; assessing the As-Is data management situation;

performing gap analysis; developing a To-Be data management program; developing a transition plan; and

supporting the data management initiative.

4.11.5 Application Architecture

The Contractor shall document and perform analyses of the current application inventory and provide detailed

application architecture guidelines to improve both business and technology processes and applications in the

interest of integration and cost containment. These analyses may include perspectives such as Gartner Magic

Planning and Resource Allocation Enterprise Architecture Quadrant, interoperability capability, performance and

scalability, reliability and availability, application lifecycle stage, and technological risks. Additional efforts

include:

1) Support requirements gathering and high-level design for IT application development.

2) Analysis of core business activities and business components.

3) Support development of business requirements documents.

4) Assess and document the alignment of applications/services to Agency programs.

4.11.6 Maintenance of ITD’s SDLC

Support is required for ongoing maintenance of ITD’s Software Development Lifecycle (SDLC), including but not

limited to, standards and process updates, ITD-wide communication of changes to the SDLC, SDLC documentation,

and posting website updates. All changes shall adhere to Agency change management processes. Historically, 10 to

20 website maintenance updates are required per month.

4.11.7 Architectural Engagement Support

Architectural engagement support has varying Contractor support requirements. Individuals assigned to engagement

tasks may be embedded within product teams for an extended period of time, while in other situations they may be

available to provide assistance to development teams on an as-needed basis for short durations, for example to assist

with specific technical or design issues. In all cases engagement activities are intended to assist in the promotion of

ITD’s EA SDLC as well as to provide service where needed to application development teams.

4.11.8 Engagement Support

Support requirements may include, but are not limited to, those listed below.

1) Assisting the Government in clarifying the requirements, deliverables, and milestones of the MOU for the

engagements.

2) Providing senior level development and architectural expertise for the project engagements.

3) Supporting alignment with Agency standards and processes (e.g. Enterprise Architecture).

4) Develop and maintain a collaborative environment within the team designed to build trust and confidence

both within the team itself and associated stakeholders.

5) Supporting compliance with ITD SDLC processes and standards by mentoring project teams and providing

feedback to the Government for process improvements.

6) Automated build and testing support.

7) Development tool set up and support.

4.11.9 Service Integration Management

The Contractor shall perform all activities necessary to allow for the integration of IT services within the DARPA

enclave. The Government or its designee will monitor the Contractor’s efforts in the following areas:

1) Infrastructure Architecture – this includes all hardware and network services

2) Software Architecture – this includes all software used by more than one technical office

3) Security Architecture – this includes all software and hardware required to provide DARPA’s network with

the necessary tools to ensure proper IT security

4) Service Architecture – this includes service support, service operations and professional services.

Reference SLO 8.3.

4.11.10 Transition Planning and Support

The Contractor shall provide transition planning and support for all new services to be transitioned from development

into production. Transition Planning and Support shall include the following processes:

1) Release and Deployment Management

2) Service Validation and Testing

4.11.10.1 Release and Deployment Management

The Contractor shall provide all documentation (SOPs, FAQs, etc.) to support the Release and Deployment processes.

When possible, releases and deployments shall be planned, tested, scheduled and implemented to avoid unscheduled

downtime or impact to the production environment. Any service downtime related to release and deployments must

be approved by the Government. DevOps and SecDevOps methodologies shall be utilized for release and deployment

management.

4.11.10.2 Service Validation and Testing

For every new service, or major modification to an existing service or application, the Contractor shall, in coordination

with the Government, incorporate in the development, release and delivery processes, stages that test the validation of

the service. Validation and testing ensure that the IT infrastructure, including power, rack space and servers can

support the new service and meet user expectations.

The Contractor shall have a service validation and testing process to ensure that release and deployments of

applications and services do not affect performance of the associated systems and the resulting services meet user

expectations.

The Contractor must ensure that the IT operations team will be able to support the new applications and services.

Results of the testing will be provided as part of the package sent to CCB for approval.

4.11.11 Technology Refreshment, Insertion and Enhancement Planning

The Technology Refreshment process shall include an analysis of Government needs and requirements, including

coordination with legacy system and application owners. The Contractor shall review legacy hardware on a semi-

annual basis and make recommendations on the need for replacing hardware. The Government shall have the option

to refuse refresh recommendations. The Contractor shall submit all recommendations through the CCB process for

Government approval. The Contractor shall make every effort to ensure minimal impact to customers during

refreshment, insertion and enhancement activities. The Contractor shall ensure the accuracy of any data transfers

and carryovers from the existing to the new technologies. The Contractor may use surge support according to the

Surge Support Plan and with Government approval.

The Contractor shall refresh networking equipment as required and with Government approval. A networking

equipment technology refresh may be initiated due to any one of the following events:

1) Equipment is incapable of supporting new technological requirements as required by the Government or

DoD requirements.

2) Equipment can no longer support the demand and capacity of the organization.

3) End-of-Life support by the Vendor.

4) Expiration of equipment warranty.

5) Equipment is greater than three years old, with Government approval.

The following is DARPA’s technical refresh schedule:

1) Laptops: 36 months, 1/3 annually.

2) Desktops: 36 months, 1/3 annually.

3) Conference Room electronic equipment, as agreed to by the Government.

4) Printer/Copier Devices: 48 months.

5) Software (included in the basic image): N-1.

6) Servers: 48 Months.

7) Network Infrastructure: 72 Months.

8) Mobile Devices: 24 Months.

4.11.12 On-Line Collaboration Site Development and Maintenance

The Contractor shall provide application analysis, design and programming services for the creation and

maintenance of on-line collaboration and websites. These services shall be included in the Government provided

Service Catalog.

Provide an automated method (dashboard) for daily operational status updates to keep management, the Help Desk,

and the Government informed about the system issues.

4.12 SECURITY OPERATIONS

The Contractor shall implement a Cybersecurity team structured based on the requirements provided in the latest

DoD Cybersecurity Services Evaluator Scoring Metrics (ESM) and in support of DARPA’s Tier II Cybersecurity

Service Provider (CSSP) role. The team should be scaled to support the Identify, Protect, Detect, Respond, and

Recover requirements across all DARPA enterprise and connected performer systems. The team should be

integrated with all actions being performed across this IT Services contract, to include Engineering, Service

Operations, and Configuration Management. Additionally, the Contractor shall ensure compliance with DoD STIG,

IAVA and Task Order requirements ensuring successful results in a Command Cyber Readiness Inspection (CCRI),

Command Cyber Operational Readiness Inspection (CCORI), or other DoD Inspection or Audit DARPA is required

to support.

4.12.1 Sensitive Information Support (Classified)

Under current Federal guidelines, all officially held information is considered sensitive to some degree and must be

protected by the Contractor as specified in applicable IT Security Plans. Types of sensitive information that shall be

found on DARPA systems include, but are not limited to:

1) Privacy Act information.

2) Information that is proprietary to companies or Contractors other than the subject Contractor.

3) Information protected by International Traffic in Arms Regulation (ITAR).

4) Technology restricted from foreign dissemination.

5) DARPA administrative communications, including those of senior Government officials.

6) Procurement and budget data.

7) Information related to Equal Employment Opportunity (EEO).

8) Labor relations.

9) Legal actions.

10) Disciplinary actions.

11) Complaints.

12) IT security pending cases.

13) Civil and criminal investigations.

14) Information not releasable under the Freedom of Information Act (FOIA) (e.g. payroll, personnel, and

medical data).

Performance under this contract shall involve access to and/or generation of sensitive information or systems. The

Contractor shall perform an assessment to determine position sensitivity and management controls to prevent the

individuals in these positions from bypassing controls and processes such as individual accountability requirements,

separation of duties, access controls, and limitations on processing privileges. Ongoing re-evaluations of the

position and suitability requirements shall be necessary during the life of the contract as positions and assignments

change. Due to the sensitivity of the information, Contractor personnel who exhibit characteristics of mental

impairment or characteristics that indicate a lack of integrity, conduct, or attitude that brings into question their

trustworthiness, shall be immediately reported to the Director Security & Intelligence Directorate, DARPA.

The Contractor shall conduct risk assessments, document the results, and develop and maintain internal security

plans on-line and in accordance with applicable IC and DoD guidelines and the NISPOM.

4.12.2 Classified Information Support

In accordance with the National Industrial Security Program Operating Manual, DoD 5220.22-M, and its Overprint,

the Contractor must possess a Top Secret SCI/SAP Facility to perform the requirements or services required on this

contract. Security requirements relating to the handling and safeguarding of classified information are identified in

the DD Form 254 provided as part of the contract. Contractor personnel, whose duties require access to systems

processing classified information, must possess a security clearance at least equal to the highest degree of

classification involved and have a validated need-to-know prior to beginning work on the classified system. All

personnel must have a final DoD TS clearance and be eligible for SCI/SAP access.

4.12.3 Privacy and Security Safeguards

The Contractor shall not publish or disclose in any manner, without written consent of the Government, the details

of any security safeguards designed, developed, or implemented by the Contractor under this effort. This restriction

is applicable to the Contractor’s off-site corporate offices.

The Contractor shall develop procedures and implementation plans to ensure that IT resources leaving the control of

the assigned user, such as being reassigned, removed for repair, replaced, or upgraded, are cleared of all DARPA data

and sensitive application software by a technique approved by the Government. For IT resources leaving DARPA

use, applications acquired via a "site-license" or "server license" shall be removed. Damaged IT storage media shall

be degaussed or destroyed in accordance with the appropriate IC, DoD, or DARPA security requirements.

DARPA shall carry out a program of inspection and audit to safeguard against threats and hazards to the

confidentiality, integrity, and availability of Government data. The Contractor shall afford DARPA access to the

Contractor's facilities, installations, technical capabilities, operations, documentation, records, system databases, and

personnel to facilitate the audits and inspections. DARPA shall conduct an audit on a periodic event-driven basis of

the Contractor’s security management processes and procedures.

4.12.4 Security Incident Reporting

The Contractor shall immediately report any act or circumstance in which there is a deviation from the requirements

of the governing security regulations to the GPM, PSO, CISO, and AO. Security incident examples include, but are

not limited to, compromise, inadvertent disclosure, need-to-know violation, and administrative deviation. The

Contractor shall provide real time or near real time data feed supporting Government oversight of security functions.

4.12.5 Trusted Controlled Interface

The Contractor shall implement and maintain cross domain-controlled interfaces between the MLS system boundary

and other classified internal and external Single Level Domain (SLD) and MLS systems that are required by

DARPA. These duties shall include, but are not limited to, configuration of hardware and software, establishing

accounts, upgrading and modifying database applications, and supporting the required security accreditation

paperwork to maintain required security authorization for deployed controlled interfaces. Services that are required

to traverse the Interfaces include but are not limited to E-Mail, Web, Remote Desktop connections, and File

Upload.

4.12.6 Security Information and Event Management (SIEM)

The Contractor shall recommend and implement a Government approved Security Information Management System

to act as a central repository for the collection of all security data (e.g., event logs), provide trending, reporting,

charts and graphs both in real time and extending to a period of no less than 13 months. The SIEM shall conduct

real-time monitoring, correlation of events, notifications and console viewing, as well as long-term storage, analysis

and reporting of log data. Additionally, the SIEM will be responsible for the monitoring of user and service

privileges, directory services, network incident review and response.

4.12.7 Public Key Infrastructure (PKI) Integration

The Contractor shall support PKI certificates and their integration, where possible, throughout all networks. The

Contractor shall develop the means to use PKI certificates within the MLS System.

4.12.8 ITD Security Services

The Contractor shall interface with the Government to provide Defense-in-Depth by being an active and engaged

partner in planning, designing, architecting and engineering security products and tools to meet IA and security

initiatives. The Contractor shall support the Government’s lead for Incident Response Teams comprised of the

applicable skill sets to respond to incidents when they occur. Overall the Contractor shall ensure the Government’s

security requirements are met, complying with applicable DoD policies and providing Computer Network Defense

Services to meet all CSSP requirements to protect the Government’s Information Systems (IS).

The Contractor shall coordinate CSSP services with the Government. In accordance with Government direction, the

Contractor shall support the application, implementation and execution of required Response and Recover actions.

The requirements of the CND Services are detailed in CJCSI 6510.01F, “Information Assurance (IA) and Computer

Network Defense (CND)” and the DoD Cybersecurity Services ESM.

The Contractor shall provide specific security services for the Government’s Information Systems (IS), Information

Systems Domains (Communities of Interest), and Information Content (at rest, in use, and in transit) that will include

at a minimum, the following or equivalents:

1) Network boundary/perimeter protection, including firewalls and intrusion detection systems (IDSs).

2) Security monitoring and response for DARPA enterprise and connected DIB systems.

3) Incident Management, including emergency response and forensic analysis.

4) Vulnerability assessment and penetration testing and analysis of computers and networks.

5) Anti-Virus and content filtering Services.

6) Information Security Risk Assessments.

7) Facilitate security information sharing and workflow across traditional organizational and functional lines.

8) The Contractor shall provide support personnel for general Security Operation Services and to properly

address or escalate an event, if necessary. This may include, but is not limited to, event analysis and

resolution, calling in additional support personnel and alerting or escalating to Government oversight.

9) Monitoring and analysis of the network infrastructure, and detection and rapid response commensurate with

the threat’s potential harm or damage to the Government’s IT systems.

10) An expert level of proficiency in tools, techniques and countermeasures in network vulnerabilities.

11) Assistance in the development and maintenance of security policies and procedures.

12) Assurance that policies and procedures are implemented and enforced, through both manual and automated

controls.

13) Management status reports and escalations on all security operation requests and problems.

14) Participation in the remediation of audit findings.

15) Implement procedures and metrics for security operations as specified by the Government.

16) Implementation of automated tools for security operations.

17) Surge capabilities.

Due to the dynamic nature of IT-based attacks, significant advances will be expected in Cybersecurity tools and

practices over the life of this contract. The Contractor shall be expected to continue to offer best-of-breed defense

products and services, and employ industry best practices; therefore, the requirements listed above shall be considered

as a baseline.

4.12.9 ITD Hunt Team

The Contractor shall provide proactive cyber security services to monitor, detect, mitigate, and counter internal and

external cyber threats posed to DARPA data and personnel. The Contractor shall perform information threat analysis

and conduct intelligence and profiling for DARPA information systems through passive and active monitoring, data

sharing and collaboration, and advanced technical analysis. Information Defense services shall include:

1) Detection and mitigation of threats to DARPA information systems.

2) Investigative and organic Cyber Intelligence (CI) activities.

3) Malware analysis.

4) Monitoring, via active and passive activities, of cyber threats to the DARPA information infrastructure both

internally and externally.

5) Advanced technical expertise and analysis of security incidents.

6) Authorized penetration testing of DARPA assets/networks.

7) Coordination and sharing of information regarding cyber threats between DARPA staff, US Government

Agencies, and, with Government approval, other Contractors.

8) Recommendations for improved and innovative solutions and methodologies for detecting and mitigating

cyber threats.

9) Incident Response Support – The Contractor shall provide advanced technical analysis during and after

security incidents.

10) Cyber Threat Analysis and Coordination – The Contractor shall, with proper Government oversight,

coordinate, communicate, and collaborate with external Government entities to provide an independent

assessment of the current information threat landscape and report and recommend appropriate defensive

measures.

The Contractor shall support the following capabilities:

1) E-Mail Analysis – A review of reported emails, tracking the following information to determine if it is

indicative of a larger attack initiative:

o E-mail origin.

o Delivery vectors.

o Payload usage.

o Social engineering patterns.

o Timing.

o Recipients.

o Crafting methodology.

o Security Tools Monitoring.

o Coding Skills.

o Technical writing and Reporting.

o Any other perceived patterns that could potentially provide information for identifying trends of

malicious activity.

2) Malware Analysis – A review of detected or reported malware to garner information including: command

and control information, attribution, detection characteristics, and capabilities. Specific data captured shall

include: MD5/SHA1 hash, date/time of collection, source, and attributes collected. This data will be

retained for trending and future analysis.

3) Threat Profiling – The Contractor shall monitor sensors and other data collection toolsets on DARPA

networks. Data collected will include passive DNS collection, network flows, and a malicious code

database.

4.12.10 Insider Threat Management

The Contractor shall comply with DoD requirements for Insider Threat monitoring and reporting. Additionally the

Contractor shall provide technical solutions to support the following:

1) Review and report on privileged users across Contractor managed systems to ensure:

a. Continuing need for the access granted to each privileged user,

b. Required training has been completed and maintained,

c. Verification of required security clearances for access.

2) Ensure all methods for sharing data (portals, file shares, etc.) are monitored and provide logging in support

of enterprise audit systems (currently Splunk).

3) Implement PKI capabilities across all networks.

4) Maintain a list of privileged user roles relevant to each network, ensuring each role limits the scope to only

the permissions required (least privileged model).

5) Develop and maintain two stage control for system administration where possible.

6) Create reports, dashboards and other methods for disseminating audit information as required by the

DARPA Insider Threat Working Group.

7) Act as a technical advisor to the DARPA Insider Threat Working Group to assist DARPA in

implementing tools and configurations that meet DARPA and DoD insider threat requirements.

4.13 AUTHORIZATIONS AND COMPLIANCE MANAGEMENT

4.13.1 Assessment and Authorization (A&A)

The Contractor is responsible for maintaining and delivering systems that can be assessed and authorized in accordance

with DoD security requirements and the Risk Management Framework processes.

The Contractor shall assist the Government in managing the RMF lifecycle of DARPA information systems between

the various operations, security, and SCA personnel of the MNSS contract, to include successfully completing system

Assessment and Authorization (A&A) events and managing the continuous monitoring of security control

implementations. The Contractor shall review policy and procedure changes that have occurred since the system was

last authorized and recommend appropriate actions to address any deltas. The Contractor shall assist the Government

with the Risk Management Framework Implementation Plan, assignment of security controls, and completion of

required security artifacts. The Contractor shall assist the Government with risk and security-related documents such

as a:

1) Risk assessment.

2) Privacy impact assessment.

3) System interconnection agreements.

4) Contingency plan.

5) Security configurations.

6) Configuration management plan.

7) Incident response plan.

8) Continuous monitoring strategy.

The Contractor shall also assist the Government in developing the following documents:

Security Assessment Report (SAR):

1) Prepared by the security control assessor.

2) Provides the results of assessing the implementation of the security controls identified in the security plan

to determine the extent to which the controls are implemented correctly, operating as intended, and

producing the desired outcome with respect to meeting the specified security requirements.

3) Contains a list of recommended corrective actions for any weaknesses or deficiencies identified in the

security controls.

Plan of Actions and Milestones (POA&M) (as required)

1) Prepared by the ISO or common control provider.

2) Describes the specific measures planned to:

a. Correct weaknesses or deficiencies noted in the security controls during the assessment.

b. Address known vulnerabilities in the information system.

Authorization Decision Document (ATO)

1) Transmits the final security authorization decision from the AO to the information system owner or

common control provider and other key organizational officials, as appropriate.

2) Contains the following information:

a. Authorization decision.

b. Terms and conditions for the authorization.

c. Authorization termination date.

d. Risk executive (function) input (if provided).

Supporting Documentation, including the Risk assessment report and all other artifacts specifically required for

security control compliance.

The team responsible for supporting the Authorizing Official in Assessment and Authorization decisions has

historically consisted of:

1) Team Lead: SCA overseeing actions across all Tech Offices and classification levels.

2) SAP Team Lead: SCA overseeing actions across all SAP programs

3) Enterprise (2): SCA supporting ITD managed enterprise systems

4) Inspection SCA: SCA supporting MSO/SID site reviews conducted at DIB locations.

5) PIT SCA (2): SCA directly supporting Tech Office Platform IT requirements.

6) Tech Office SCA (7): Embedded SCAs directly supporting DARPA Tech Office programs on a daily basis.

4.13.2 Continuous Monitoring

The Contractor shall perform continuous monitoring of all networks with Authorities to Operate (ATO).

Continuous monitoring shall include:

1) Automated and manual audits of all relevant RMF controls over the lifecycle of each ATO.

2) In conjunction with 4.14.1.26 Cybersecurity Compliance, the Contractor shall be vigilantly aware of

compliance requirements associated with:

a. JFHQ-DODIN IAVA process.

b. JFHQ-DODIN DODIN Cyberspace Tasking Cycle (D-CTC).

c. IC SCC ICVM process.

d. DISA STIG Compliance (where applicable).

e. Common security practices across all networks.

f. IC and DoD policies for RMF: ICD 503, JSIG, and 8510.01.

g. Ensure continuous monitoring practices based on RMF SP/SCTM and Insider Threat

requirements.

h. CSSP.

i. CCRI.

j. CCORI.

k. HBSS and ACAS compliance.

l. Internal SharePoint IAVA and DRA process.

4.14 OPERATIONS MANAGEMENT

4.14.1 Operations

The Contractor shall provide full life-cycle support (i.e., vendor offered warranties, licenses, and maintenance

agreements) for all of the services identified in this PWS. The underlying support for services comprises Server Operating

Systems, Server hardware and the associated maintenance, compliance with records management for capturing

server and service activities, and technology refreshment of servers and services. All servers and services

operational under the current contract shall continue to be supported by any new Contractor. The information

provided below describes the designated services for each network, unless specifically detailed. While consistency across

systems is the goal of the Government, it is understood that some services may be implemented differently across

classifications (e.g. email on the DMSS may be Exchange versus a Multi-Level WebMail on the MLS).

4.14.1.1 Self-Help Support

The Contractor shall provide user-accessible, self-help tools and capabilities for all networks that are designed and

maintained to address IT inquiries and incidents without users having to formally place Help Desk calls. The

Contractor tools and capabilities shall include a searchable knowledge repository providing User access to FAQs

and a library of commercially available and DARPA custom knowledge documents encompassing all classified

DARPA User Configuration Items.

The Contractor shall provide the following:

1) A knowledge repository that includes a searchable library of relevant IT policy and administrative

documents.

2) Tools and capabilities which provide Users with updates regarding the current status of network services,

planned outages, and other IT-related notifications.

3) The monitoring and review of the effectiveness and usage of self-help tools and capabilities for service

improvement analysis.

4) The development of recommendations for improvement to self-help tools and capabilities as requested.

4.14.1.2 Help Desk Services

The Contractor shall provide an on-site Help Desk based on industry best practices with Government-centric,

courteous, responsive and knowledgeable technical assistance for solving information technology service-related

issues to the User’s satisfaction. The Contractor shall plan to have sufficient coverage to answer all calls within three

rings. The Contractor should expect a number of Help Desk tickets commensurate with the industry standard for

exemplary support of ~1400 Users on an unclassified system in the DARPA HQ and approximately 8500 users utilizing

both CONUS/OCONUS Secret and Top Secret systems. This includes providing an integrated service with a single

point of entry for all DARPA Users. The Contractor shall provide knowledgeable analyst support in order to maximize

first call resolution. Best practices include, but are not limited to the following policies:

1) Help Desk analysts shall retain “ownership” of each request they open until its resolution, including

managing ticket escalation, providing follow-up, and regularly notifying Users as to ticket status.

2) The Contractor shall ensure Help Desk analysts are current on the latest Government-relevant IT

Government Service and technical training.

3) The Contractor shall meet Government expectations by setting and adhering to promised schedules.

4) Re-opened tickets shall be tracked and Trend Analysis shall be performed and reported.

5) U.S. Persons and privacy information shall be protected; and

6) A Help Desk Operations Manual shall be developed and maintained covering support requirements,

Standard Operating Procedures and appropriate checklists.

In addition, Help Desk services shall include mid and senior-level support for service requests that extend beyond the

basic Government services and problem resolution associated with Help Desk support. These service requests shall be

supported and documented within the HDMS. Examples of these types of service requests include, but are not limited

to, the following:

1) Virus scanning of disks.

2) Data copies/moves/conversion/organization/migration.

3) SW/HW installation and re-configuration.

4) Initiation of the file restoration process.

The Contractor shall provide escalation services with procedures to be reviewed and approved by the Government and

implemented by the Contractor. These services shall include the timely notification of Government personnel by the

Help Desk of planned or unplanned system maintenance or degradation of Government’s information technology

services. Because Help Desk service is mission-essential for the DARPA User community, the Contractor must

provide ongoing training to Help Desk personnel in order to maintain a high caliber of service and support.

For the purposes of this PWS, the term trouble tickets or tickets will be used to refer to Help Desk Tickets that have

not yet been classified as a Service Request, Incident, Move, Add, Change, Delete (MACD), etc. Service Requests

align with the Service Delivery SLOs. Incidents are trouble tickets where the problem that the User is experiencing is

preventing them from doing their job. Incidents align with the Incident Management SLOs.

4.14.1.3 Contractor Service Level Support

The Contractor shall provide end-to-end life-cycle management of all Help Desk Government service requests

facilitating the effective hand-off between support Tiers and functional areas, as follows:

Tier 1 provides support as to the features, functions, and usage of in-scope hardware and software

(traditionally called answering support, initial diagnosis, and triage) and may be transitioned to other

personnel for desk-side support

Tier 2 provides support for issues that are more technical or specialized in nature and are the result of an

escalation procedure from Tier 1 (escalation within the Help Desk or transitioned to other personnel for

desk-side support)

Tier 3 provides support for incidents that cannot be resolved in Tiers 1 and 2 (escalation to other functional

groups, subject matter personnel, third parties or transitioned to other personnel for desk-side support)

Reference SLOs 1.1, 1.2, and 1.4.

4.14.1.4 Help Desk Support Center

The Contractor shall provide a centralized Help Desk Support Center as a single point of entry for Users to receive

support. While the Help Desk Support Center will be a single point of entry, users shall have multiple methods for

contacting the Help Desk for support (web forms, e-mail, and a phone call). The Contractor shall provide User

relationship management services as detailed in the following sections.

4.14.1.5 Help Desk Management System (HDMS)

A Help Desk Management System (HDMS) shall be employed. The Contractor shall continue use of current Help

Desk tools. The HDMS shall be used to develop and maintain a knowledge base of all Help Desk Tickets, including

resolutions. The Contractor shall develop and submit to the Government for approval an HDMS User interface design

and data dictionary to ensure that all desired information is captured.

The Contractor shall record the out-of-scope incidents, out-of-scope service requests, and other out-of-scope items

in the Help Desk Management System and redirect them to the GPM.

4.14.1.6 User Training

The Contractor shall provide initial and recurring annual training to established sites and users. The Contractor shall

submit a training plan, standard operating procedures and training materials prior to the training sessions.

For each change in services and/or applications, the Contractor shall analyze, identify, and implement the form of

training most effective and efficient for DARPA users. Types of training are expected to include desk-side, and on-

line (including Web-based FAQs for self-help on all new hardware and software deployed throughout the network).

Automated user training solutions used by the Contractor shall incorporate advanced distance learning solutions.

User training shall be made available as a result of, at a minimum, the following:

1) Initial Implementation.

2) Implementation of a change in technology or user interface.

3) Identification of user knowledge shortfall (e.g. as a result of a Help Desk call or user-invoked systems

failure).

4) Move/Add/Change.

5) Trusted Download Procedures.

6) Data Transfer Procedures.

7) Utilization of the Cross-domain Solutions.

Online training packages shall be updated to accurately reflect the current system and shall be accessible to assist

users in navigating the MLS interface, with additional Help Desk phone support as required.

4.14.1.7 Server Operating System Support

The Contractor shall provide, as a service, the installation of the Government approved server operating system and

maintenance of the operating system by applying hot fixes, updates and service packs. Specifically, the Contractor

shall provide, at a minimum, the following services for all servers covered under this contract:

1) The service or application provided by the underlying server(s) shall be maintained with minimum

downtime or service degradation and maximum availability in accordance with the appropriate Service

Availability SLO.

2) Per cybersecurity policies and procedures, maintain the current versions of security patches and appropriate

security configurations for server operating systems and applications unless waived by the Government.

3) Enforce, protect and change passwords or enable PKI in compliance with Government and IA policies.

4) Track and report on SLOs for specific servers as required (e.g. Email Servers, Infrastructure Services, etc.)

5) Review, maintain, provide alerts and archive server system event logs as specified by DARPA or in

applicable DoD/IC policy.

6) Respond to all monitoring alerts which may indicate degradation in service, an outage, or hardware failure.

7) Troubleshoot and resolve server related hardware and software failures.

8) Provide third tier support to include, but not limited to, end-users, Help Desk staff and other functional area

staff as needed.

4.14.1.8 Client-Side Application Support

The Contractor will provide the first line of support for all client-side applications to include but not limited to:

1) Legacy Applications – The Contractor shall provide data interface and enterprise infrastructure service for

legacy applications.

2) Government Applications – This may include but is not limited to the Intelink sites, IC information sharing

portals, etc.

3) Office Automation Applications (e.g. Office, Anti-virus, etc.) - The Contractor staff shall be fully trained to

support the use of and the troubleshooting of the Office Automation.

4) Specialized applications (e.g. AutoCAD, MATLAB, etc.) – All COTS software that supports specialized

project needs beyond those provided by the standard office automation tools shall be made available after

going through the CCB approval process (e.g. as a general rule, freeware cannot be installed on

Government-issued computers).

Client-side applications that, in addition to the client-side office automation applications, are provided as a baseline

configuration to all desk-side Users include, but may not be limited to, the following:

1) Operating System.

2) PDF Reader.

3) Web Browsers (Firefox, IE, Chrome).

4) Antivirus.

5) Viewer/Converter (e.g., Quick View Plus).

6) File Compression (e.g. WinZip, PKWare).

7) Video Player (e.g. Quick Time, Windows Media Player).

8) Sound Player.

9) Image Viewer.

4.14.1.9 Desk-Side Hardware Services and Maintenance

The Contractor shall provide support for multiple hardware configurations, to include, but not be limited to, Dell, HP,

and Apple (Mac OS) computers. The Contractor shall ensure hardware configurations are integrated with security

devices.

In order to meet the Government’s mission, the Contractor will work with the Government to define technologically

advanced desk-side hardware packages to meet, if not exceed, the expectations of Government personnel. The

Contractor shall repair, support and refresh all desk-side and public access area hardware, to include, but not limited

to:

1) Laptops, Desktops, Tablets

2) Monitors

3) Keyboards and mice

4) Docking stations

5) Printers

6) Conference Room Audio/visual equipment

7) Network cables

8) Wireless

9) Cellular

10) VPN

11) Commercial mobile devices

Desk-side hardware configurations will be bundled together per guidance and approval from the CCB and made

available in the DARPA Store Front for Government personnel to choose based on their individual requirements.

Based on the technology refresh guidelines set forth by this PWS or from the CCB, the Contractor will purchase

hardware warranties commensurate with the expected lifecycle of the equipment. Based on the requirements outlined

in the SLOs, the Contractor shall repair or provide an interim solution until the hardware can be repaired or replaced.

The staff supporting the desk-side hardware services and maintenance tasks will participate in the asset management

process and a status of all desk-side hardware inventories should be accessible to the Government and its designees

via web or other reporting mechanism in near real-time.

4.14.1.10 Knowledge Management System Support

The Contractor shall provide input to the Government-owned Knowledge Management System (KMS) for

documenting solutions to resolve Help Desk Tickets where commercial knowledge documentation does not exist or

does not address the incident. The Contractor shall use the Government-owned system. Issues and solutions shall

be added to the KMS knowledgebase and made available to users as self-help support within five business days of

incident closure.

The Contractor shall inform users of the status of their tickets through the following methods:

1) Phone calls.

2) E-mail responses.

The Contractor shall provide updates to the user upon any change in the ticket. The Contractor shall maintain all

ticket data for the life of the contract and provide synopsized reports upon request. The Contractor shall provide all

ticket data in an easily portable format that maintains any relational information. Data shall be provided within ten

business days of request in a portable data format approved by the Government. The Contractor shall further

provide comprehensive Help Desk statistics and trends as part of the Weekly Activity Report (WAR), and forward

tickets that are open longer than 30 calendar days to the Government for review.

4.14.1.11 Knowledge Database(s) Maintenance

The Contractor shall provide process improvement by implementing methodologies to capture IT knowledge

resulting in improved service and support over the life of the contract.

4.14.1.12 Moves, Adds, Changes and Deletes (MACDs)

For User requested MACDs, the Contractor shall provide services to perform system hardware and software changes

of data, video conferencing center, printer, and/or wireless devices. MACDs include the following:

1) De-installation, move, re-installation, or change of Hardware Configuration Items.

2) Creation, modification or deletion of a User account including telephone numbers, e-mail and directory

services.

3) A change in type of device.

4) A Contractor periodic or unscheduled software refresh or update.

5) Application of appropriate security features.

4.14.1.13 Standard Application Support

Standard Applications that are in production in the DARPA environment shall be maintained by the Contractor

through software distributions of new versions and appropriate upgrades and patches. If the application has an

associated database, database support shall also be provided for all standard applications.

4.14.1.14 E-Mail Services

The Contractor shall provide all E-mail functionality and services supporting the customer including, but not limited

to sending, storing, processing, searching and receiving electronic messages and multimedia e-mail attachments. The

Government currently uses Microsoft Exchange 2013/2016 on the Windows based networks and a Web Based General

Dynamics Multi-Level Email capability on the MWS. The services shall be configurable to provide the capability for

sending and receiving signed and encrypted e-mail and attachments, by utilizing the DoD standard where applicable.

Each end-user shall be supplied with an e-mail account and access via web or desktop client.

The Government currently has no storage quotas for users’ e-mail.

4.14.1.15 Print Services

The Contractor shall provide network connectivity to print services. The Contractor shall monitor the printers for

user availability.

4.14.1.16 Compliance with Records Management Policies

The Contractor shall operate in accordance with DoD Directive 5015.02-STD and maintain compliance with records

management and retention policies by utilizing a centralized log repository. The Contractor shall provide the

Government with direct read and direct reporting access to the centralized log repository to allow CSSP functions,

security oversight and records management functions.

4.14.1.17 Access Management

The Contractor shall provide Access Management services, providing DARPA’s users access to networked

resources; currently DARPA is using Windows Server Active Directory for user account management, Group

Policies, Group Membership, Access Rights, and Delivery and Linux tool ‘user add’ for the MLS. All MLS

accounts created shall be verified via JADE and appropriate access levels granted. Non-SAP accounts are verified

via DARPA SSO/Joint Personnel Adjudication system (JPAS).

All privileged user accounts shall be established and administered in accordance with a role-based access scheme

that organizes all system and network privileges into roles (e.g., key management, network, system administration,

database administration, web administration). Privileged User accounts require the user to have final clearances

equal to the level of the system administered. Privileged Users shall configure and operate IA and IA-enabled

technology according to DoD and ODNI (as applicable) information system IA policies and procedures, and a

list of these privileged users shall be kept current and made available to both the CISO and the Information

Systems Security Officer (ISSO). The Contractor shall notify the CISO of any changes that might adversely impact

IA. Privileged Users shall establish and manage authorized user accounts for DoD information systems, including

configuring access controls to enable access to authorized information, and removing authorizations when access is

no longer needed. Reference SLO 3.1.

4.14.1.18 Shared File Services

The Contractor shall provide the ability for users to store and retrieve files on shared, controlled access storage

media. This includes access controls, and back-up and recovery. DARPA currently imposes no quotas for users on

file storage or e-mail storage. The Contractor shall monitor classified network storage space and report monthly on

space utilization within all storage areas. Reference SLOs 1.5, 2.4 and 2.5.

4.14.1.19 Voice over IP (VoIP)

The Contractor shall support Voice over IP for all WANs as required by the Government. Reference SLO 2.6.

4.14.1.20 Internal Chat Services

The Contractor shall provide internal instant messaging/chat services through DoD and Government approved

applications.

4.14.1.21 Video Teleconference (VTC)

The Contractor shall support the hardware, software and security features to enable both hardware and software-

based point-to-point and multi-point VTC capabilities on all DARPA enterprise networks, to include small form

factors (Desktop VTC) and conference room form factors (Studio VTC). Additionally, the Contractor will provide

technical assistance for integrating, testing, configuring and troubleshooting VTCs connected to external DoD

networks.

4.14.1.22 Service Continuity Management

In order to provide Service Continuity Management, the Contractor shall provide Backup and Restore Services,

Disaster Recovery Services and Continuity of Operations (COOP) support services commensurate with DARPA

systems Availability designation (IAW RMF security categorization levels). While DARPA information systems

have a Low to Moderate impact level for Availability from an RMF perspective, day-to-day service continuity is

extremely important to DARPA’s successful completion of its mission; therefore, the Contractor shall plan for

redundancy and high levels of availability outside of the disastrous event. Reference SLO 2.1 through 2.7.

4.14.1.23 Backup and Restore Services

The Contractor shall provide backup and restore services to include on-site and off-site storage of Government-

owned media containing backups of data and files, as well as documentation and training for Government personnel

on the procedures for restoration. The Contractor shall develop and maintain a Backup and Recovery SOP and

submit it to the Government quarterly for review and approval. All backup and restore policies are subject to

Government approval and DoD guidelines. The Contractor shall comply with Service Delivery SLO 1.5.

The Contractor shall perform, at a minimum, the following Backup and Restoration activities:

1) Execution and verification of the backups of all production servers. All servers shall have the backup client

and all associated patches installed.

2) Complete regular test restores of files and entire systems to verify the quality of the backups as well as the

procedures for completing restores.

3) Generate SOPs associated with the backup/restore processes and perform periodic tests to restore/build the

service or systems in event of failure.

4) Coordinate and, if required, provide Government-approved commercial space for the retention of backup

and storage media.

4.14.1.24 Disaster Recovery Services

The Contractor shall provide and maintain a Disaster Recovery Plan, approved offsite secure storage of data and

files, and training for DARPA personnel, subject to Government approval. The plan shall enable recovery from

local or network-wide system failures and/or loss of data, to include provisions for interim operations during

system outage. The Contractor plan should include recommendations on the following: identified critical

equipment, redundancy requirements, recovery time, failover and annual testing and review schedules. This

requirement covers partial loss of service and is intended to be a part of the Agency’s Continuity of Operations Plan

(COOP).

4.14.1.25 Software Distribution and Upgrades

The Contractor shall provide, for all standard applications support to the end-user, an automated method or tool (currently

in use is SCCM for Windows Networks) for software distribution and upgrades. Application distribution and upgrades

will be, as much as possible, transparent to the users. Software distributions due to Vulnerability Announcements shall

comply with SLOs 4.2 through 4.3. Other software distributions and upgrades will be completed by the Government

designated deadline per SLO 5.3.

4.14.1.26 Cybersecurity Compliance

The Service Operations team members shall be responsible for ensuring that all workstations, servers, applications and

services within the DARPA enclaves meet IA compliance criteria. This shall include applying all Government-directed

IA mandates such as CPCONs (Information Operations Conditions), Security Technical Implementation Guides

(STIGs) [current version] and other Vulnerability Announcements. Implementation of IA mandates shall be in

accordance with Government-specified timeframes and SLOs. The Contractor shall ensure that information

systems/software remains compliant with all STIGs, and report STIG compliance quarterly. Additionally, the

Contractor must support the NIST Security Automation Protocol (S-CAP), which “automates” compliance reporting of

the STIGs, when it is released. The Contractor shall also be responsible for ensuring that the Government

infrastructure meets the requirements for certification and accreditation in accordance with DoD policy. The Contractor

shall maintain the state of all information systems/applications to ensure full compliance with Command Cyber

Readiness Inspections (CCRI) checklists and in accordance with a Level-II Cybersecurity Services Provider (CSSP).

To support Government oversight, the Contractor shall make available near real-time data feeds, to include access to

operating systems and networks, databases, access logs, Intrusion Defense Systems, and network tools.

When implementing updates, patches, service packs and hot fixes the Contractor shall use tools that are, when possible,

automated and transparent to the end-user and completed by DoD mandated deadlines. Such tools may include, but

are not limited to, anti-virus programs and firewalls. The Contractor shall verify compliance and ultimate mitigation

of the vulnerability by using the DoD preferred and approved vulnerability scanner(s).

1) Cyber Command IAVA process.

2) IC SCC ICVM process.

3) DISA STIG Compliance (where applicable).

4) Common security practices across all networks.

5) IC and DoD policies and RMF implementations DJSIG, JSIG and 8510.01.

6) Ensure continuous monitoring practices based on RMF SP/SCTM and Insider Threat requirements.

7) CSSP.

8) CCRI.

9) CCORI.

10) HBSS and ACAS compliance.

11) Internal SharePoint IAVA and DRA process.

4.14.1.26 Database Support

Standard applications requiring back-end databases (including SQL, non-SQL, and cloud) shall be maintained by the

Contractor, who shall designate database administrator(s) to perform routine maintenance to include, but not limited

to:

1) The creation and testing of backups to ensure that the database can be recovered in the event of a failure.

2) Verify and maintain data integrity.

3) Define and/or implement access controls to the data.

4) Maintain database availability by ensuring maximum uptime through non-disruptive updates or a redundant

environment, such as a clustered database server farm.

5) Maintain database performance by ensuring maximum performance and capacity through monitoring.

6) Assistance with development and testing support by helping programmers and engineers to efficiently

utilize and access data in the existing databases.

4.14.1.27 Web Hosting Services

The Contractor shall provide maintenance and support of the Web Services and associated Web pages. The

Contractor shall also provide Web Services, associated secure Web pages maintenance, Web File Sharing and

support to DARPA networks. Web services on the MLS shall be provided via appropriate applications that provide

access by users and storage of data from the Secret to TS/SCI/SAP levels. The Windows networks currently utilize

SharePoint along with numerous DARPA developed applications.

The Contractor shall provide and maintain trusted, hosted services to include associated development of applications

approved through the CCB. The hosted services shall be maintained and updated to show a contemporary look and

feel reflective of a Government Agency. Reference SLO 2.5.

4.14.2 Infrastructure

The Contractor shall maintain accredited infrastructure services that are transparent to DARPA users but are

essential to DARPA network functionality, security, performance, and interoperability. "Infrastructure services"

refers to the various management and operational activities, hardware, software, encryption, and transmission media

necessary for the delivery of services specified in this PWS to internal and external DARPA users. The Contractor

shall keep all equipment rooms, wiring closets, and other work areas in a clean and orderly state.

The Contractor shall facilitate the integration of these systems into the DARPA network environment, which

includes Government and Contractor locations that support DARPA. The implementation may not prohibit growth

or impede progress towards DARPA’s objectives.

DARPA classified networks shall provide secure information exchange between all users within their respective

networks and via trusted interfaces to approved networks.

Infrastructure Services shall comply with the appropriate SLO. Infrastructure services build on the base network

connectivity and focus on the essential network services; these services include, but are not limited to:

1) Trusted Controlled Interface.

2) IP address management.

3) Machine Address Code (MAC) management.


4) Directory Services management.

5) DHCP Management.

6) DNS Management.

7) Unified Communications.

Reference SLO 2.3 through 2.7.

4.14.2.1 Directory Services (DS)

The Contractor shall provide and maintain global information services delivering a distributed computing

environment that supports the management and utilization of file services, network resources, security services,

messaging, web, e-business, white pages, and object-based services across DARPA. Currently, DARPA is using

Windows Server Active Directory for user account management, Group Policies, Group Membership, Access

Rights, and Delivery and Linux tool ‘user add’ for the MLS. The Contractor shall ensure directory entries conform

to Government standards.

The DS should support and facilitate the following basic functions:

1) Support for PKI authentication services and provide the capability for users, devices, and applications to

utilize global directory information such as telephone, fax, and E-Mail addresses.

2) Support the monitoring of administration and management of network resources.

3) Support the implementation of global account management and subsequent authentication and

authorization to data maintained in the global directory service.

4) Support the enablement and distribution of applications.

5) Provide a proactive environment that builds and manages relationships between objects within the global

directory service.

4.14.2.2 Standard Integrated Office Automation Software Suite

The standard integrated software suite shall include at a minimum, email, word processing, spreadsheet, presentation

graphics, project management, database, calendaring, a collaborative work environment, forms processing, browser,

and virus protection tools. The Microsoft Office suite is currently in use and is preferred. The software suite shall

provide the capability to view, hear, manipulate and manage information consisting of text, graphics, images, video,

and audio. This shall also include processing and rendering of the multimedia data being transferred from any

source. COTS software to support advanced and/or specialized functions beyond those provided as standard office

automation tools shall be available and may be purchased separately from the Service Catalog / DARPA Store

Front.

4.14.2.3 Network Printer Configuration Item

A printer Configuration Item is comprised of the hardware, software, security features, and services necessary for

DARPA Users to perform either local or network printing functions. Printer Configuration Items must be compatible

with all data-related capabilities provided by the Contractor. The Contractor shall electronically monitor printers to

provide proactive service. Printer Configuration Items shall be proposed by the Contractor to the Government, and

will be reviewed and approved by the CCB. Printers shall be provided with the services described in Sections

2.4.5.7 of this PWS.

4.14.2.4 Conference Room (A/V Equipment) Support

The Contractor shall examine and validate an accredited VTC solution utilizing existing software/hardware provided

by the Government and also examine other potential low-cost interfaces that prove acceptable.

The Contractor shall provide support to DARPA’s conference room facilities. The Contractor shall support Video

Teleconferencing in all designated conference rooms in accordance with SLO 2.7.


4.14.2.5 Desk-Side Technology Refreshment

The Contractor shall make every effort to ensure minimal impact to the User during refreshment, insertion and

enhancement activities. For DARPA devices, the Contractor shall minimize downtime; if the device is the User’s

primary workstation, the Contractor shall offer a temporary device for use while the primary workstation is

unavailable. Additionally, the Contractor shall ensure the accuracy of data transfer and carryover: printers

configured, drivers re-installed, files transferred, and applications re-installed. Reference SLO 5.2 and SLO 8.3.

4.14.2.6 IP Address Management

The Contractor shall provide IP address management for all DARPA networks. This will include managing the

provisioning of IP ranges for all Service Delivery Points. IP address support shall be provided for DHCP, IPv4,

IPv6, VoIP, Unified Communications, audio and video conferencing as well as fax, print, and copy services.

4.14.2.7 Machine Address Code (MAC) Management

The Contractor shall track MAC addresses for all network connected systems.

4.14.2.8 IP Version 6 Support

All information systems equipment purchased for DoD agencies and organizations shall be IPv6 capable and in

compliance with DoD IPv6 Standard Profiles for IPv6 Capable Products (Reference PWS Section 5 Applicable

Documents document 23).

4.14.2.9 Domain Name Server (DNS)

The Contractor shall provide DNS services to the Government networks providing both internal and external name

to IP resolution. DNS, where applicable, will be integrated with Directory Services to take advantage of DNS

features such as secure dynamic updates, record aging, DNS Security Extensions (DNSSEC) and scavenging

features. The DNS services shall meet all functionality of the current Domain Name Server (DNS) service, to

include flexible support for offsite locations.

4.14.2.10 Dynamic Host Configuration Protocol (DHCP)

Where possible, the Contractor shall provide DHCP services for auto configuration of IP address and network

information for the Government networks.

4.14.2.11 External Network Access and Services

The Contractor shall provide external network services, on applicable networks, that are transparent to DARPA

users but are essential to Government telecommunication functionality, security, performance, and interoperability.

“Network service” refers to the various management and operational activities, hardware, software, connection

service, and transmission media necessary for the delivery of internet and telecommunications services to internal

and external users on DARPA-controlled WANs and DARPA-controlled LANs connected to other DoD WANs.

External Networks shall include connectivity and transport services to, from, and among all Government Service

Delivery Points and other non-DARPA organizations.

4.14.2.12 DARPA Intranet Services

The Contractor shall provide and maintain a DARPA intranet on each network that is a private web-based portal that

is specifically designed for DARPA users to conduct internal business. Currently, the Windows networks utilize

SharePoint and the MLS utilizes the TNE™ WebDB services. The Contractor shall provide a service whereby

DARPA users may access services and search the contents of DARPA intranet web pages.

The Contractor shall provide the capability for web-crawling, site indexing, security features, and a search engine.

Additional services such as authoring of the web content and application development for DARPA users may be

requested and will be handled based on scope and magnitude as a routine change or Professional Service. The

Contractor shall identify and define the level of effort required for any support requests that necessitate

engineering/senior development services that extend beyond the scope of the basic web/intranet support.


4.14.2.13 DARPA Extranet Services

The Contractor shall provide, maintain, and support a DARPA Extranet secured via PKI, when possible, or password

access that provides a secure point of entry for DARPA-authorized users to upload, download and access services, data

and files from remote locations, and collaborate with other users, including DARPA personnel.

4.14.2.14 Internal (LAN) Connectivity

The Contractor shall provide and maintain internal LAN connectivity and security services to networked Service

Delivery Points (SDPs). The security services are described in the Information Assurance and Network Defense

section of this PWS. The Contractor shall comply with SLO 2.1.

4.14.2.15 Throughput / Bandwidth Monitoring

The Contractor shall monitor the throughput and bandwidth utilizations of the entire DARPA enterprise, identifying

a day-to-day baseline. From that baseline, the Contractor shall identify peaks and anomalies in network traffic for

capacity planning and for identifying potential network incidents. If the Contractor finds that network segments,

connections, core switches, and connections to external networks are consistently hitting peaks near 70%, the

Contractor shall bring it to the attention of the Government, identify the root cause, and propose a mitigation or

resolution strategy.

4.14.2.15 Storage Capacity Monitoring

The Contractor shall monitor the storage capacity for all network servers and services, and shared file storage

solutions. The Contractor shall notify the Government if file systems exceed Government-specified thresholds.

4.14.2.16 Availability Management

The Contractor shall monitor all networked resources to ensure that they are available. The Contractor shall address

and resolve any issue that reduces the availability of network services according to severity levels and the

timeframes specified in 3.2.

4.14.2.17 Network Management System (NMS)

The Contractor shall provide a Network Management System (NMS) to monitor and administer each network. The

NMS services provided by the Contractor shall include fault management and participation in the configuration

management process, access management, and performance management. The Contractor shall make available to

designated Government entities, near real time information feeds to support Government oversight, maintain accessible

historical data, provide summary management reports that detail the NMS functions, and allow the Contractor to

forecast networking requirements through the use of modeling techniques.

Specifically, the Government requires that the Contractor shall provide a centralized network monitoring service that

will comprehensively monitor DARPA’s networks on a 24x7-basis. The Government requires that the Contractor

provide sophisticated capabilities for real-time monitoring of performance and utilization levels for all segments of the

network infrastructure. The monitoring service shall provide the following capabilities and services at minimum:

1) Best practice monitoring of email, Directory Services, File Services, etc.

2) SNMP monitoring of all active network devices serving the Government

3) Comprehensive performance monitoring capabilities that extend to each Government edge router

4) Comprehensive performance monitoring capabilities that track availability and performance of network

links at DARPA connection and peering points with external networks

5) Regular periodic reporting to Government and individual DARPA Partners as appropriate, for network

performance and reliability.

6) Government-accessible, real-time, Web-based services that provide comprehensive network status

information

7) Government-accessible, web-based problem reporting facilities that support ticket generation, ticket status

updates and ticket resolution notification

8) Resource utilization reports that document usage


4.14.2.18 Network Operations and Security Center (NOSC)

The Contractor shall provide a Network Operations and Security Center which shall operate 24x7x365. The NOSC

shall provide network, server, IA, and availability monitoring services, information, reporting, and incident

management, and perform other tasks as directed by the Government.

The NOSC shall provide support to the Help Desk as required. NOSC personnel shall follow Contractor-issued,

Government-approved escalation procedures for specified events and outages, which may include notifying

Government personnel and participating in CIRT/CERT response teams. The Contractor-provided NOSC shall include

a Trouble-shooting bridge with a staffed Incident Manager. The Contractor shall provide the following monthly and

quarterly Network Failure reports to the Government and its designees:

1) Summary of network availability and problems encountered

2) Detailed failure analysis and corrective actions applied for all network events that caused a service

interruption, including at a minimum the following:

a. Event description, including network impact

b. Event date, time and duration

c. Services affected

d. Information on how the event was detected

e. Corrective actions

f. Root cause analysis

g. Preventative actions taken

h. Date and time Government directed personnel were notified

4.14.2.19 Network Hardware Services and Maintenance

The Contractor shall evaluate the hardware upon which the Infrastructure Services are built and recommend to the

Government when upgrades, repairs or replacements are necessary. The network hardware shall be compliant with

IA and DoD Policies as well as being certified for use within the enclave.

4.14.2.20 Mobile Device Management

The Contractor shall provide mobile device management operations to the Agency.

MDM managed services shall include:

1) Support DARPA Enterprise Mobility policies.

2) Administer the DARPA Enterprise Mobility policy and preconfigure the Mobile Device Management

(MDM) software to distribute rules, reactions, restrictions, applications and content (if applicable).

3) Deploy the mobile device management system to all existing devices based on established strategy,

processes and architecture.

4) Device Lifecycle Management

a. Execute procurement of new devices

b. Execute activations of new devices through cellular network (if applicable).

c. Execute plan for enrollment of new devices in the mobile device management system.

d. Provision all devices with the necessary resources (DARPA email, applications, VPN, Wi-Fi

credentials, etc.)

e. Enforce the DARPA mobility policy by means of monitoring, alerting and response.

f. Execute the process to retire any device from the mobile device management system.

g. Provide an automated process for secure device recycling (including resetting to factory settings).

h. Certified destruction of mobile devices when applicable.

5) Help Desk Support

a. Provide tiers 1, 2 and 3 support for end users, IT managers and VIPs.


b. Lock/unlock, user add, user enrollment, locate device, push policy, push application, push

documents, wipe device, selective wipe, general inquiries, client specific requests.

c. 24/7/365 emergency availability.

d. Provide online training and information resources for end users, IT managers and VIPs.

6) Monitoring/Reporting

a. Monitor DARPA email traffic through our Secure Email Gateway; and provide the option to block

unwanted devices.

b. Monitor device roaming information daily to ensure rapid response to runaway roaming devices.

c. Monitor device compliance bi-weekly to ensure the solidarity of the enterprise mobility policy.

d. Monitor device resources monthly to ensure all devices are provisioned with all the necessary

resources (DARPA email, applications, VPN, Wi-Fi Credentials, etc.)

e. Provide a reporting portal for device, application and certificate asset management.

f. Telecom reporting setup and monitoring.

g. Environment changes, reporting, location and user group creation, device re-assignment,

application management, document management, policy change and push, technical support, new

device testing, containerized testing and reporting and other client specific requests.

4.15 SITE CONNECTIONS MANAGEMENT

The Contractor shall provide connection approval process (CAP) management operations to the Agency to support

policies, processes, and procedures for deploying, connecting, and decommissioning remote site connections with

the appropriate DARPA Enterprise WAN (Savannah, ALCAZAR, DSWAN). Similarly, the Contractor shall

provide management operations necessary to maintain and obtain authorizations to connect (ATC) with required

external WANs (e.g., NIPRNet, SIPRNet, JWICS, etc.).

Refer to the Site Connection Manager (section 1.4.3.11) key personnel role for additional information.

4.16 PROFESSIONAL SERVICES

4.16.1 Professional Services Work Categories

The Contractor shall provide qualified expertise that falls under the professional services categories listed below.

Specific products, technologies, and services of interest to the Government have been identified within the

categories as applicable. The Contractor shall respond to new products, technologies, or services of interest within

the scope and intent of the applicable Category.

Details of the following work categories may be found in Appendix A: Professional Services Work Categories, of

this PWS.

1) Category 1: Advanced Windows System Integration and Servers Application Support

2) Category 2: Advanced Non-Windows Systems Integration, Applications and Servers Support

3) Category 3: Application Analysis, Design and Programming Support

4) Category 4: Emerging Technologies Research Support

5) Category 5: Cloud Engineering Support

6) Category 6: Surge Support

4.16.2 Professional Services Project Change Management

In the event of a project change request, the Contractor shall provide clear justification for the change, cost and

schedule impact, and proposed course of action. The Contractor shall not proceed without COR approval.

4.16.3 Professional Services Projects

Professional Services (PS) Projects begin with requirements from a customer request. Contractor personnel are

responsible for initial requirements gathering. If the request is approved by the Government, a work assignment, or


statement of work (typically between 1 and 3 pages), will be prepared and provided to the Contractor. The

Contractor shall typically prepare a Cost and Technical proposal in response within five (5) business days unless

otherwise specified in the Contracting Officer’s request—if additional time will be required to prepare the proposal,

the Contractor shall notify the Government within one (1) business day. All PS Projects shall be limited in scope

and duration with Government-approved schedules and resource/personnel plans. Once a project is underway,

changes in scope, deliverables, and time (completion date), may only be modified with consent of the Government.

Project Change Management and Change Request processes shall be utilized. Individual staff or subcontractors shall

be proposed by the Contractor in response to a Project Request on an as-needed basis. Reference SLO 7.1 and SLO

7.2.

4.16.4 Common Professional Services

Professional Services project support requests shall fall into one of two categories: Short-term Projects and Long-

term Projects. The type of category will be determined by the critical attributes of the request which are:

Time – the estimated time to complete the requirement or project.

Standardized or Routine – most of the work to be completed is standardized and/or routine (SharePoint Website

creation).

Design – to make drawings, preliminary sketches, or plans. Is there a design element involved? (e.g., design of

special graphics for a website or a need to design a custom template for a website).

Engineering – The application of science, mechanical and/or technical knowledge to practical uses such as the

design and creation of structures, machines, and systems. Is there a need to write programming code, to create a

program or software application often to include a back-end database?

Project Management – Is significant project management required to see the project through to successful

completion?

| | Estimated time to Complete | Work is Standard or Routine | Design Requirements | Engineering Requirements | Significant Project Management |
|---|---|---|---|---|---|
| Short-Term Project | < 30 days* | Possibly | Yes | No or Minimal | No |
| Long-Term Project | > 30 days* | No | Yes | Yes | Yes |

Note: Calendar days

The Contractor shall, within the two broad project categories above, provide underlying services that can be ordered

through the Service Catalog or through contact with the Help Desk. When long-term projects are requested through

the Service Catalog, they shall be brought to the attention of the Government for approval and then proceed through

the Project Request process for costing. The types of services within the project categories may overlap; therefore,

projects shall be categorized via the differentiating factors designated in the chart above.

4.17 TRANSITION SERVICES

1) In the event this contract is terminated, expires or is superseded, as appropriate the Contractor shall be

required to return to the Government or its designee all hardware, software, documentation and/or related

material, in such a way as to facilitate a smooth, professional, business-like transition to full support by a

new Contractor in accordance with the provisions of FAR 52.237-3. The Contractor shall perform all

activities in the subparagraphs to follow, including transition planning and reporting, and at the discretion

of the Government, shall be required to continue to provide services during the transition period of the

follow-on Contractor.

2) Within 90 days of the start of the contract, the Contractor shall provide a phase-out plan for transferring

responsibilities specified herein to effect an orderly transition with the successor.


a. Orientating assigned employees of the succeeding Contractor during the last 60 days of the period

of this contract. The incumbent may also be required to provide continued operational support

throughout the transition period and phase-in training of incoming personnel and others, i.e.

exercise its best efforts and cooperation to effect an orderly and efficient transition to its successor.

b. Material and Services. The Contractor shall return to the Government all hardware, software,

documentation, operating manuals, drawings, specifications, procedures, current inventory listings

and/or related material, according to the Contractor’s depreciation schedule, for any or all of the

material in the possession of the Government in the event this contract is terminated for any

reason. Likewise the Contractor shall permit the Government or its designee to assume any leases

at its discretion for any equipment, software, training, materials, supplies, services or

communications capabilities provided under this contract in the event this contract is terminated

for any reason. A complete inventory of all Secret/TS/SCI/SAR related items shall be

accomplished as part of the phase-in/phase-out.

c. Data and Files. The Contractor shall relinquish all files and documentation related to this contract,

regardless of the media it is stored on (including paper, tape, diskette, CD, etc.), to the

Government or its designee and facilitate the migration of data.

d. Explicit and Tacit Knowledge. The Contractor shall transition all explicit and tacit knowledge

related to this contract to the Government or its designee. Specifically, all documentation related

to this contract, including processes, plans, procedures and methods, etc., regardless of the source

excluding Contractor or 3rd party proprietary data or technique used to acquire this knowledge, is

the property of the Government or its designee. Additionally, all documentation must be

maintained on-line.

e. Disposition of Classified Equipment. The Contractor shall dispose of all equipment associated

with this PWS using DoD and DARPA guidelines and procedures for disposition of classified

systems.

4.18 CONTRACT DELIVERABLES

The Contractor shall provide all deliverables to designated individuals as indicated in section 4.18.1. The Contractor

shall electronically post all deliverables for online and/or secure WEB access by designated DARPA personnel.

Deliverables shall be in Government-approved format. The Contractor shall recommend the format of each

deliverable to the COR for approval prior to submission. The initial submission of each Contract Deliverable shall

be provided within 30 days of contract award unless otherwise specified.

4.18.1 CONTRACT DELIVERABLES TABLE

For review status, please use the following legend:

1) Government will review/respond within 5 business days

2) Acceptance upon submittal

3) Acceptance after 5 business days of Government silence

4) Submission into formal Government approval process

| Deliverable | Title | Recipients | Frequency | Review Status |
|---|---|---|---|---|
| 4.18.2.1 | Program Management Plan (PMP) | KO/COR/GPM | Within five (5) calendar days of contract award, updated 35 calendar days after contract Start, and then Quarterly. | 3 |
| 4.18.2.2 | Risk Assessment and IT Security Plan | COR/GPM/ISSO/ISSM | Within 30 Days from Contract Start Date, then, as directed. | 4 |
| 4.18.2.3 | Configuration Management Plan | COR/GPM | Within 30 Days from Contract Start Date, then, as updated. | 4 |
| 4.18.2.4 | Quality Control Plan | KO/COR/GPM | Within 30 days from Contract Start Date, then, as updated. | 3 |
| 4.18.2.5 | Software Development Plan | COR/GPM | Within 90 days of Contract Start and as updated. | 3 |
| 4.18.2.6 | Service Delivery Maturity Plan | COR/GPM | Within 90 days of Contract Start and as updated. | 3 |
| 4.18.2.7 | End of Contract Transition Plan | KO/COR/GPM | Within 90 days of Contract Start and as updated. | 3 |
| 4.18.2.8 | Government Furnished Equipment Inventory Reports | KO/COR/GPM | Semi-Annually | 4 |
| 4.18.2.9 | Disaster Recovery Plan (DRP) | COR/GPM//ISSO/ISSM/AO | Semi-Annually | 1 |
| 4.18.2.10 | Contractor Self-Assessment | KO/COR/GPM | Quarterly (15 business days after end of the period) | 2 |
| 4.18.2.11 | Service Level Objectives Data Report | COR/GPM | Monthly/Quarterly (10 business days after the end of the month) | 3 |
| 4.18.2.12 | Account Inactivity Report | COR/GPM | Monthly | 3 |
| 4.18.2.13 | Monthly Management Report (MMR) | KO/COR/GPM | Monthly | 3 |
| 4.18.2.14 | Weekly Project Summary | COR/GPM | Weekly | 1 |
| 4.18.2.15 | Weekly Activity Report | COR/GPM | Weekly | 1 |
| 4.18.2.16 | Root Password File | SAPCO | Within 48 hours of change | 2 |
| 4.18.2.17 | Continuity of Operations Plan | COR/GPM | As updated | 4 |
| 4.18.2.18 | Information Feeds for Government Oversight | COR/GPM | Near Real-Time | 4 |
| 4.18.2.19 | Operation Status Report | COR/GPM | Daily, by 9:00 A.M. | 2 |
| 4.18.2.20 | Ad-Hoc Management Reports | COR/GPM | As requested | 1 |
| 4.18.2.21 | Security Incident Report | COR/GPM | As required | 1 |

Reference SLO 8.1.

4.18.2.1 Program Management Plan (PMP)

The first Program Management Plan shall be submitted 30 calendar days after contract award and then updated

quarterly thereafter, or as otherwise required. As part of the PMP, the Contractor shall develop, maintain and submit

for Government review, a Policies and Procedures (P&P) section including, but not limited to:


1) Staff conduct and security requirements

2) Security procedures

Frequency: Within five (5) calendar days of contract award, updated 35 calendar days after contract Start, and then

Quarterly.

4.18.2.2 Risk Assessment Plan

The Contractor shall provide and maintain a Risk Assessment Plan.

Frequency: Within 30 Days from Contract Start Date, then, as directed.

4.18.2.3 Configuration Management Plan

The Contractor shall provide a plan which shall include organizational structure, roles, responsibilities, policies, and

methods employed for configuration management.

Frequency: Within 30 Days from Contract Start Date, then, as directed.

4.18.2.4 Quality Control Plan

The Contractor shall establish and maintain a Quality Control (QC) Program to provide independent corporate and

on-site management surveillance and inspection of Contractor operations to assure that the requirements of the

contract are satisfactorily performed. The QC program shall be documented in a comprehensive Quality Control and

Quality Assurance Plan (QCQA Plan) that shall be made available on-line within 30 calendar days after the start of

the Period of Performance for the contract. The Plan shall address the qualifications of personnel as well as

operational requirements. At a minimum, the Plan shall address the Contractor’s approach to each work requirement

in this PWS. The Government will make final review and acceptance of the QCP within 10 calendar days of receipt.

Changes to the QCP shall be submitted to the Contracting Officer not later than 10 calendar days prior to the

effective date of the change. The Government will make final review and acceptance of any subsequent changes.

The basic tenet of the plan is that the Contractor is responsible for quality.

Frequency: Within 30 Days from Contract Start Date, then, as directed.

4.18.2.5 Software Development Plan

The Contractor shall provide a Software Development Plan to identify and describe the policies and methods

employed during the life cycle management of all applications for the contract. It describes the Contractor’s formal

Software Lifecycle approach for development of information technology (IT) applications utilized by DARPA

personnel.

Frequency: Within 90 days of Contract Start and as updated.

4.18.2.6 Service Delivery Maturity Plan

The Contractor will evolve the IT service delivery process to a maturity level that is consistent with an IT process

model or framework during the early stages of the contract. No later than 90 calendar days after contract award, the

Contractor shall deliver the Service Delivery Maturity Plan and begin implementation immediately following

transition.

Frequency: Within 90 days of Contract Start and as updated.

4.18.2.7 End of Contract Transition Plan

The Contractor shall generate and maintain an end of contract transition plan, which will provide the means for

managing and administering the orderly transition of services to a follow-on Contractor or any party designated by

the Government.

Frequency: Within 90 days of Contract Start and as updated.

4.18.2.8 Government Furnished Equipment Inventory Reports

The Contractor shall provide inventory reports of Government Furnished Equipment (GFE).

Frequency: Semi-annually.

4.18.2.9 Disaster Recovery Plan (DRP)

The Disaster Recovery Plan (also known as a Contingency Plan) provides essential guidance for contingency

preparations, emergency reactions, backup operations and the restoration of services following the occurrence of a

disaster situation related to this application. The Plan will answer the question of what would need to be done in

order to get this application back up and running if there was a hardware failure, software failure, natural disaster or

human error.

Requirements: The Disaster Recovery Plan (DRP) should be created with the following five (5) scenarios in mind.

SCENARIO 1: DARPA FACILITY AFFECTED-PARTIAL LOSS OF INFRASTRUCTURE

Assumptions: DARPA facility is affected and the surrounding buildings, utilities, and transportation systems are

operational. The DARPA facility is open, but a portion of the building is uninhabitable (fire contained to floor,

explosion, water damage, etc.). The DARPA infrastructure (IT, power, and HVAC system) is operational.

SCENARIO 2: DARPA FACILITY IS CLOSED FOR NORMAL BUSINESS ACTIVITIES

Assumptions: DARPA facility is closed and the surrounding buildings, utilities, and transportation systems are

operational. The DARPA facility is uninhabitable (explosion, IT virus, contamination). The DARPA infrastructure

(IT, power, and HVAC system) is non-operational.

SCENARIO 3: ARLINGTON COUNTY AFFECTED INCLUDING DARPA FACILITY

Assumptions: Arlington and the DARPA facility are closed for normal business activities as a result of the threat of

or the occurrence of a catastrophic event (power grid damaged, contamination, etc.). The DARPA infrastructure

shall be affected even if it is not initially damaged if the duration of the disruption prohibits SSO personnel from

accessing the DARPA facility to maintain the systems.

SCENARIO 4: NATIONAL CAPITAL REGION (NCR) AFFECTED INCLUDING THE DARPA FACILITY

Assumptions: The entire NCR has been closed for normal business activities as a result of the threat of or the

occurrence of a catastrophic event. The DARPA infrastructure shall be affected even if it is not initially damaged if

the duration of the disruption prohibits ITD personnel from accessing the DARPA facility to maintain the systems.

SCENARIO 5: PANDEMIC EVENT

Assumptions: The DARPA facility and operations could be affected by a pandemic event. Due to the complexity

and unpredictability of a pandemic event, it has been broken down into separate scenarios and response actions.

Frequency: Semi-annually.

4.18.2.10 Contractor Self-Assessment

The Contractor shall provide a quarterly self-assessment report that shows their compliance with the SLOs and

accomplishments during the Award Fee Period. This report will be provided prior to the Award Fee Board for

review and will be presented to the Board by Contractor personnel.

Frequency: Quarterly (15 business days after end of the period)

4.18.2.11 Service Level Objectives Data Report

The data shall include Service Levels and Network Failure provided for the reporting period. The Contractor shall

provide network failure analysis and corrective actions applied for all network events that lasted 15 minutes or more.

Frequency: Monthly and Quarterly (due 10 business days after the end of the month)

4.18.2.12 Account Inactivity Report

The Contractor shall provide a report that identifies all User Accounts on the four core DARPA networks that have

not been accessed in the past 30, 60, and 90 working days.

Frequency: Monthly.

4.18.2.13 Monthly Management Report (MMR)

The Contractor shall prepare and submit Monthly Management Reports (MMRs) within 10 business days after the

month being reported to depict the status and progress of work efforts, schedules, and costs as further described

below. The Contractor shall recommend any other formatting for the report not addressed in this section to the

Government for approval before initial submission.

1) Contractor’s name and address

2) Contract number

3) Date of report

4) Period covered by report

5) Cost curves portraying proposed/initial estimates, actual, and an Estimate at Completion (EAC) based on

current spend rate and projections.

6) Cost incurred for the reporting period and total contractual expenditures as of report date. The format for

providing incurred costs shall be approved by the Government prior to submission. Other Direct Costs

shall be separated and detailed by cost category (Travel, Material, Maintenance, Consultants, etc.).

Professional Services Projects shall be detailed separately. Also, note that the cost information from these

reports shall be traceable to the invoices.

7) Cost and technical status of projects and/or equipment directed or approved by the Contracting Officer

and/or the COR and GPM. This shall include:

a. For projects, percentage of completion, date project was approved, original start date, estimated

milestone and completion dates, explanation for adjustment to milestone and completion dates,

projected costs and breakdown of actual costs by component, funds associated with the project,

funds remaining, and problems and achievements

b. For equipment or material, status of order (e.g., in process, date order approved by Government,

date order placed, expected delivery date), anticipated cost and actual costs, a breakdown of costs

by component, to include Contractor fees

8) Description of progress made during period reported, including problem areas encountered and

recommendations, if any, for subsequent solution beyond the scope of the Contract

9) Projected staffing issues for the next reporting period such as, employee planned absences (sick, vacation,

leave of absence, etc.), terminations, resignations, new hires, etc.

10) Issues impacting or potentially impacting morale and/or efficiency

11) Open security actions / issues (Program Access Requests, SCI access, facility clearance, etc.)

12) Request for Travel Approval for the next reporting period

13) Lab results and priority list of products or issues being tested for the Government’s review/approval.

14) COTS Catalog Activity, Current Period COTS, Adjustments, Current Expenditures Total, YTD COTS

Expense (Contract and Fiscal), ITD COTS Expense, YTD (Contract and Fiscal)

15) COTS Activity by Office, Current Period, YTD (Contract and Fiscal), Graphic to reflect, Current Period by

Office, YTD Trends by Office

Frequency: Monthly

4.18.2.14 Weekly Project Summary

The Contractor shall provide a consolidated summary report of all projects to include high level milestone status,

upcoming decision points, and any risks.

Frequency: Weekly

4.18.2.15 Weekly Activity Report

The Contractor shall generate a status report summarizing weekly Help Desk transactions (ticket types, file

restoration results), asset management (counts and variances), configuration control (CCB case status, account

counts per network, and capacity data for systems per network), and customer survey results. The report shall also

provide a brief description of any Information Assurance Officer Functions, system anomalies or unscheduled

downtimes that occurred during the week.

Frequency: Weekly

4.18.2.16 Root Password File

The Contractor shall provide a properly labeled hard copy of the root access information necessary for

administrative oversight.

Frequency: Upon contract award and thereafter within 48 hours of any change.

4.18.2.17 Continuity of Operations Plan

The Contractor shall participate in discussions and provide written input for creation and maintenance of a

Continuity of Operations Plan.

Frequency: As updated.

4.18.2.18 Information Feeds for Government Oversight

The Contractor shall provide a historical summary and management report detailing Network Management System

(NMS) functions.

Frequency: Near Real-Time.

4.18.2.19 Operation Status Report

The Contractor shall provide a daily operational status report of all supported networks.

Frequency: Daily, by 9:00 A.M.

4.18.2.20 Ad-Hoc Management Reports

The Contractor shall provide reports for all aspects of performance under the Contract, as requested.

Frequency: As Requested

4.18.2.21 Security Incident Report

The Contractor shall provide a report that will contain data for all security incidents, regardless of level – computer,

network, server, configuration changes, INFOCON status, and intrusion detection system (IDS) reaction alert status.

Frequency: As Required

5.0 APPLICABLE DOCUMENTS

References: The following listed documents form a part of this PWS. Primary compliance documents for AIS,

information assurance, personnel, and physical security in the execution of this PWS:

1) DoD 5200.02 (DoD Personnel Security Program)

2) DoDI 8500.01 (Cybersecurity)

3) DoDI 8510.01 (Risk Management Framework for DoD Information Technology (IT))

4) DoDD 8140.01 (Cyberspace Workforce Management)

5) Intelligence Community Directive (ICD) 503, Intelligence Community Information Technology Systems

Security Risk Management, Certification, and Accreditation, 15 September 2008

6) Department of Defense Joint Special Access Program Implementation Guide (JSIG), Oct 9, 2013

7) Department of Defense Intelligence Information System Joint Security Implementation Guide (DJSIG),

August 2011

8) Revision 1, Department of Defense Overprint to the National Industrial Security Program Operating

Manual, DoD 5220.22-M, Supplement, 28 February 2006

9) DARPA Security Classification Guideline for its SAP Network, provided under separate cover

10) DoD Enterprise Service Management Framework (DESMF) Edition III, Mar 4, 2016

Additional directives, guidance, instructions, manuals, and policies for AIS, information assurance, personnel, and

physical security necessary for the effective and efficient execution of this PWS:

11) DoDI 8582.01, “Security of Unclassified DoD Information on Non-DoD Information Systems”

12) DoD Directive 8520.2, “Public Key Infrastructure (PKI) and Public Key (PK) Enabling”

13) DoD Directive O-8530.1, “Computer Network Defense (CND)”

14) DoD Directive 8320.02, “Data Sharing in a Net-Centric Department of Defense”

15) DoD 8320.2G, “Guidance for Implementing Net-Centric Data Sharing”

16) DoD Directive 5015.02-STD, “Electronic Records Management Software Applications Design Criteria

Standard”

17) DoD 5200.1, "DoD Information Security Program", December 13, 1996

18) DoD Directive 5200.2, “DoD Personnel Security Program”, December 20, 1979

19) DoD Directive 5230.30, “Visits and Assignments of Foreign Nationals”

20) FAR 52, “Federal Acquisition Regulation, Part 52, Solicitation Provisions and Contract Clauses” FAR

52.237-3 Continuity of Services,

21) CJCSI 6510.01F, “Information Assurance (IA) and Support to Computer Network Defense (CND)”

22) DoD STIGs, “Security Technical Implementation Guides”, comprehensive list,

http://iase.disa.mil/stigs/stig/index.html

23) Department of Defense Patch Repository, https://patches.csd.disa.mil/ (requires DoD issued CAC card to

access).

24) DoD IPv6 Product Requirements, IPv6 Standard Profiles for IPv6 Capable Products v3.0 13 June 2008,

http://jitc.fhu.disa.mil/apl/ipv6/pdf/disr_ipv6_product_profile_v3.pdf

25) DoD Approved Software, Enterprise Software Initiative, http://www.esi.mil/

26) INFOCON Procedures, STRATCOM Directive (SD) 527-1, https://powhatan.iiie.disa.mil/policy-guidance/d527-01.pdf

27) Clinger-Cohen Act of 1996, Public Law 104-106, 40 U.S.C. 25.

28) E-Government Act of 2002, Public Law 107-347, 44 U.S.C. 101.

29) Inventory Reform Act of 1998, Public Law 105-270, 31 U.S.C. 501 note.

30) Federal Acquisitions Streamlining Act of 1994, Public Law 103-355.

31) Government Performance and Results Act of 1993, Public Law 103-62.

32) OMB Circular A-130 - "Management of Federal Information Resources."

33) OMB Circular A-11, Part 3 - "Planning, Budgeting, and Acquisition of Capital Assets."

34) OMB Circular A-76 - "Performance of Commercial Activities."

35) DoDD 5000.01 - "The Defense Acquisition System", May 12, 2003.

36) DoDI 5000.02 Interim, "Operation of the Defense Acquisition System", November 11, 2013

37) DoDD 8000.01, "Management of the Department of Defense Information Enterprise", 10 February 2009.

38) E-Government Strategy of February 27, 2002 - Integrated Acquisition Environment (IAE).

39) Open Government Directive, http://www.whitehouse.gov/open/documents/open-Government-directive

40) DARPA Instruction (DI)-2, “DARPA Responsibilities, Functions, Relationships, and Authorities”,

February 8, 2007.

41) DI-37, “Managers' Internal Control (MIC) Program”, September 16, 2011.

42) DI-53, “DARPA Security, Intelligence, and Emergency Management Programs”, December 6, 2013.

43) DI-70, “Contractor Relationships: Inherently Governmental Functions, Prohibited Personal Services, and

Organizational Conflicts of Interest”, May 5, 2014

44) Rehabilitation Act of 1973, section 508, as amended (29 U.S.C. 794).

45) National Security Presidential Directive 51/Homeland Security Presidential Directive 20, National

Continuity Policy, May 9, 2007;

46) DoDD 3020.26, Department of Defense Continuity Programs, January 9, 2009;

47) DARPA Continuity of Operations Plan, March 22, 2011

48) DoD Policy and Guidance, comprehensive list, http://iase.disa.mil/policy-guidance/index.html

49) DoDI 8551.1, “Ports, Protocols, and Services Management (PPSM)”, May 28, 2014

5.1 EXAMPLE SERVERS AND SERVICES WITH CRITICALITY LEVELS

Examples of current server and service assignments to Criticality Levels as specified in the PWS and for Service

Level Objectives (SLO). The lists below are not inclusive of all Servers and Services provided under the IT

Services contract; it is an example of the types of servers and services to be supported and at what level of

availability.

5.1.1 Mission Critical Servers and Services

Examples of servers and services that are currently in use under the IT Services contract and under this classification

are:

1) Non MLS systems

a) E-mail Services – Currently based on Exchange 2013 Servers.

b) Active Directory Services – Currently based on Windows Server 2012 R2.

c) Storage Area Network (SAN) – Currently based on NetApp Filers with Data ONTAP.

d) VOIP / Call Manager Express

2) MLS System

a) Email Services – Send mail

b) Name/IP resolution and Account Management: DNS and ADMS (LDAP)

c) Network File Management: Currently NFS

d) Windows Native Services: RDP/SAMBA

e) Connection to External Networks: HACI’s, Gateway’s, TDI’s and Proxies

f) Audit Servers

g) VOIP / Call Manager Express

5.1.2 Critical Servers and Services

Examples of servers and services that are currently in use under the IT Services contract and categorized as Critical

Servers and/or Services:

1) Non MLS

a) Microsoft Systems Center Configuration Manager (SCCM formerly SMS)

b) Network Management System (NMS)

c) SEIM

2) MLS

a) DNS Backup Server

b) Terminal Servers

c) Network Management System

d) SEIM

5.1.3 Non-Critical, but essential, Servers and Services

Examples of servers and services that are currently in use under the IT Services contract and categorized as Non-Critical, but essential, Servers and/or Services:

1) Non MLS

a) Redundant Virtual infrastructure

b) Test Bed

2) MLS

a) Failover Server

b) Backup Application Server

c) Test Bed

5.2 SERVICE LEVEL OBJECTIVES

SLOs define quantitative measurements of performance over time, and establish the contractual understanding of the

Government’s service expectations and the Contractor’s commitment to meeting these expectations.

The Contractor shall provide written monthly reports regarding compliance with all SLOs specified in this PWS.

Performance of the Contractor against all SLOs is auditable by the Government or a third party on behalf of the

Government. The Contractor shall implement measurement and monitoring tools to produce the reports necessary to

measure its performance as specified by the SLOs. Upon request in connection with an audit, and at no additional

charge to the Government, the Contractor shall provide the Government with information and access to tools and

procedures used to produce such metrics.

All SLOs and requirements will be reviewed and adjusted as necessary, annually on the anniversary of the contract

to meet changing IT service and support requirements. Adjustments to SLOs during the annual review will be made

by mutual agreement between the Government and the Contractor without impacting the overall structure and cost

of the contract.

5.2.1 DEFINITIONS AND CONVENTIONS

The following term definitions and conventions are used throughout this section:

Standard Exceptions: Standard Exceptions are applicable to all SLOs due to the following:

1) Contracting Officer’s Representative (COR) waiver

2) COR-approved, scheduled maintenance and scheduled downtime (in some cases)

3) Any networks or network equipment not owned or controlled by the Contractor

4) Circumstances beyond reasonable control of the Contractor, including, without limitation, acts of war,

insurrection, armed conflict, embargo, fire, flood, or power outages needed for the provision of a SLO

5) Any negligence, willful misconduct, or use of services in breach of DARPA’s Acceptable Use Policy.

Time-based performance targets are considered “less than or equal to”. Percentage-based targets are considered the

minimum performance level.

5.2.2 LIST OF SERVICE LEVEL OBJECTIVES

32 SLOs are defined across eight service and support categories, as follows:

1. Service Delivery

1.1. Configuration Item Fulfillment Resolution Time

1.2. Configuration Item Procurement Resolution Time

1.3. E-mailed Service Request Responsiveness

1.4. Service Request “End-to-End” Closure Time

1.5. File Restoration Request Closure Time

2. Service Availability

2.1. LAN Infrastructure Availability

2.2. Internet Availability

2.3. VPN Availability

2.4. Wide Area Network Availability

2.5. Infrastructure Services Availability

2.6. E-mail Services Availability

2.7. Server Services Availability

2.8. VoIP Services Availability

2.9. Video Teleconferencing Availability

2.10. Internal Web Services

2.11. DARPA Public Network (DPN) Availability

3. Incident Management

3.1. Network Incident Responsiveness

3.2. Network Incident Resolution Time

4. Security Management Services

4.1. Computer Security Incident Responsiveness

4.2. IAVA Compliance Percentage

4.3. Vulnerability Announcement Mitigation Compliance

4.4. Security Management Services

5. Asset and Configuration Management

5.1. Asset / Inventory Accuracy

5.2. Asset Tracking Update Timeliness

5.3. Software Update / Upgrade Timeliness

6. User Satisfaction

6.1. User Satisfaction Survey Results

6.2. Operational Level Agreements (OLA)

7. Professional Services Performance

7.1. Project Completed On-Time

7.2. Projects Completed Within Budget

8. Program Management Performance

8.1. Reporting Timeliness and Accuracy

8.2. Contractor Availability and Responsiveness

8.3. Upgrades Currency and Maintenance

8.4. Contractor Flexibility and Innovation

5.2.3 Individual SLO Descriptions

The following pages detail each SLO including its description, performance target, exceptions, measurement

method, data sources, and calculation formula.

5.2.3.1 SERVICE DELIVERY

SLO Number 1.1

SLO Category Service Delivery

SLO Title Configuration Item Fulfillment Resolution Time

SLO Description Time to complete an install, move, add, change, delete (MACD), or de-installation of a

standard Configuration Item from inventory after a Government approved request is

received. This metric is from the initial request until successful completion of the

MACD. Includes time to create accounts/permissions, and install, configure and test

new hardware or software.

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions; Does not include time to obtain the requisite approvals, schedule

an agreed upon time for the work to take place, verify completion of services and

confirm satisfaction, excluding shipping and travel time or while a User is unavailable

for delivery of services.

This SLO does not include infrastructure changes. See Professional Services SLOs for

infrastructure changes.

Performance Target Results of the Calculation formula should be:

≤ 5 business days

(Pass/Fail)

Measurement Window Monthly

Measurement Method End-to-end elapsed time (business days)

Data Sources Help Desk Management System (raw ticket data)

Calculation Formula Average Completion Time for Applicable Requests (total time/# tickets)

Additional Requirements

Related PWS section(s) TBD for all SLOs

SLO Number 1.2

SLO Category Service Delivery

SLO Title Configuration Item Procurement Resolution Time

SLO Description Time to procure a Configuration Item from a vendor after a Government approved

procurement request/order is received. This is the elapsed time from ordering

Configuration Items to receiving them into inventory (i.e., does not include

delivery/installation at User site, which is covered by SLO 1.1; See Exceptions and

Exclusions below).

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions; Does not include time to obtain the requisite approvals,

previously agreed upon vendor lead times for infrastructure CIs or to perform

fulfillment / MACDs (see SLO 1.1).

Performance Target ≤ 5 business days for user-requested purchases. For all other purchases, procurement

should be according to established project plan or Government-approval.

Measurement Window Monthly

Measurement Method End-to-end elapsed time (business days)

Data Sources Help Desk Management System (raw ticket data)

Related PWS section(s)

SLO Number 1.3

SLO Category Service Delivery

SLO Title E-mailed Service Request Responsiveness

SLO Description Time to reply via e-mail (auto or manual) to a new e-mailed trouble ticket, i.e., time a

User is waiting for an acknowledgement that their request was received. Reply will

provide the assigned tracking/ticket number, a detailed description of the transaction

and expected completion time, if able to be ascertained from User-provided

information.

Time Applicability 24x7

Exceptions and Exclusions Standard Exceptions

Performance Target

Results of the Calculation formula should be:

a. Core hours: ≤ 30 minutes

b. Non-Core hours: ≤ 60 minutes

(Pass/Fail: If either metric fails it is a failure for the SLO)

Measurement Window Monthly

Measurement Method Elapsed time from receipt of e-mail to issuing reply to originator

Data Sources Help Desk Management System (raw ticket data); E-mail Messaging system

Calculation Formula Average Response Time for Applicable Requests (total time/# tickets)

Additional Requirements E-mail transactions to the Help Desk shall result in a reply e-mail to the originating

User

Related PWS section(s)

SLO Number 1.4

SLO Category Service Delivery

SLO Title Service Request “End-to-End” Closure Time

SLO Description Time to resolve a Service Request to the User’s satisfaction from the receipt of the

initial request by the Help Desk. This is an “end-to-end” metric inclusive of the entire

process from initial contact, across any support tier, until final closure of the request.

Time Applicability Core Hours

Exceptions and Exclusions

Standard Exceptions; Excludes Configuration Item fulfillment/MACDs (SLO 1.1),

Network issues related to other SLO’s, File Restoration Requests (SLO 1.5), and

procurement requests (SLO 1.2).

Performance Targets Results of the Calculation formula should be

1) Highest Priority Tickets: (Do not require extensive research or outside experts

(e.g. Microsoft) to complete) ≤ 4 hours

2) All other Tickets: ≤ 2 business days

3) Special Case: Re-enable Account Access (e.g. reset password): ≤ 10 minutes

(Pass/Fail: Failure of any of the three time frames is a failure of the entire SLO)

Measurement Window Monthly

Measurement Method End-to-end elapsed time

Data Sources Help Desk Management System (raw ticket data)

Calculation Formula Average Closure Time using interior mean, which will exclude one percent of tickets

with the longest resolution time, and one percent of tickets with the shortest resolution

time.

Additional Requirements The Contractor shall provide comprehensive Help Desk statistics and trends as part of

the Weekly Activity Report (WAR), including identification of Service Requests that

have been open longer than 30 days.

Related PWS section(s)

SLO Number 1.5

SLO Category Service Delivery

SLO Title File Restoration Request Closure Time

SLO Description Time to restore a file to the User’s satisfaction from the receipt of the initial restore

request by the Help Desk. This is an “end-to-end” metric inclusive of the entire

process from initial contact, across any support tier, until final closure of the request.

Also assumes that the User can accurately define the file(s) for restoration.

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions

Performance Targets

Results of the Calculation formula should be:

a. Successfully restore file from on-line backups: ≤ 2 hours

b. Successfully restore file from off-line/on-site archive: ≤ 24 hours

c. Successfully restore file from off-site archives: ≤ 5 business days

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

SLO score equals the sum of networks passed.

(Pass/Fail: Failure of any of the three time frames is a failure of the entire SLO)

Measurement Window Monthly

Measurement Method End-to-end elapsed time

Data Sources Help Desk Management System (raw ticket data); Backup/ Restore Logs

Calculation Formula Average Completion Time

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)

5.2.3.2 SERVICE AVAILABILITY

SLO Number 2.1

SLO Category Service Availability

SLO Title Local Area Network (LAN) Infrastructure Availability

SLO Description The percentage of time the following networks are fully functioning and available to

Users.

1) MLDs

2) SCI LAN

3) Secret LAN

4) Secret WAN

5) DMSS

Time Applicability Core Hours

Exceptions and Exclusions Availability will be monitored per network and monitoring criteria cannot be

aggregated and averaged to meet the SLO requirements. Outages that do not affect

service availability due to redundant capabilities are excluded.

Sites other than the EMC’s are excluded from this SLO. These other sites will be

tracked via SLO’s 7.1 and 7.2.

Performance Target

Results of the Calculation formula should be

DMSS: ≥ 99.99%

MLD: ≥ 99.99%

Other: ≥ 99.95%

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

SLO score equals the sum of networks passed.

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources

Calculation Formula Uptime / (TTRP – SD) * 100

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)
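Added example (not part of the PWS): a Python sketch of the SLO 2.1 calculation above, applying Uptime / (TTRP – SD) * 100 to each network, comparing it with that network's target, and summing the weights of the networks that pass. The minute counts and the 10-hour core day are constructed, and treating Uptime as TTRP minus SD minus unscheduled outage minutes is an assumption, since the PWS does not say how Uptime is measured.

```python
"""SLO 2.1 scoring sketch. Added example, not part of the PWS."""
from dataclasses import dataclass

# Weights (percent of the SLO score) as listed in SLO 2.1.
WEIGHTS = {"MLD": 25, "DSN": 10, "DJN": 15, "DSWAN": 25, "DMSS": 25}
# Targets in hundredths of a percent, so pass/fail is exact integer math.
TARGETS = {"MLD": 9999, "DMSS": 9999}  # >= 99.99%
OTHER_TARGET = 9995                    # "Other": >= 99.95%


@dataclass(frozen=True)
class NetworkMonth:
    name: str
    ttrp_min: int    # Total Time in Reporting Period (TTRP), minutes
    sd_min: int      # Scheduled Downtime (SD), minutes
    outage_min: int  # unscheduled outage minutes (assumed input)

    @property
    def window_min(self) -> int:
        """Denominator of the formula: TTRP - SD."""
        window = self.ttrp_min - self.sd_min
        if window <= 0:
            raise ValueError(f"{self.name}: TTRP must exceed SD")
        return window

    @property
    def uptime_min(self) -> int:
        """Assumption: Uptime = TTRP - SD - unscheduled outage."""
        if not 0 <= self.outage_min <= self.window_min:
            raise ValueError(f"{self.name}: outage outside the window")
        return self.window_min - self.outage_min


def target_for(name: str) -> int:
    return TARGETS.get(name, OTHER_TARGET)


def availability_pct(m: NetworkMonth) -> float:
    """Uptime / (TTRP - SD) * 100, for reporting."""
    return m.uptime_min / m.window_min * 100


def passes(m: NetworkMonth) -> bool:
    """Compare against the target without floating-point rounding."""
    return m.uptime_min * 10_000 >= target_for(m.name) * m.window_min


def outage_budget_min(m: NetworkMonth) -> float:
    """Unscheduled outage minutes the target tolerates in this window."""
    return m.window_min * (10_000 - target_for(m.name)) / 10_000


def slo_score(months: list[NetworkMonth]) -> tuple[int, list[str]]:
    """Sum the weights of passing networks; also return the failures."""
    if sorted(m.name for m in months) != sorted(WEIGHTS):
        raise ValueError("exactly one record per weighted network required")
    failed = [m.name for m in months if not passes(m)]
    score = sum(WEIGHTS[m.name] for m in months if passes(m))
    return score, failed


def pooled_availability_pct(months: list[NetworkMonth]) -> float:
    """The aggregation SLO 2.1 rules out, shown only for contrast."""
    up = sum(m.uptime_min for m in months)
    window = sum(m.window_min for m in months)
    return up / window * 100


# Constructed month: 22 business days x 10 core hours = 13,200 minutes.
SAMPLE = [
    NetworkMonth("MLD", 13_200, 120, 1),
    NetworkMonth("DSN", 13_200, 0, 7),
    NetworkMonth("DJN", 13_200, 0, 6),
    NetworkMonth("DSWAN", 13_200, 0, 0),
    NetworkMonth("DMSS", 13_200, 60, 2),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.name:6} {availability_pct(m):8.4f}%  "
              f"budget {outage_budget_min(m):.2f} min  "
              f"{'PASS' if passes(m) else 'FAIL'}")
    score, failed = slo_score(SAMPLE)
    print(f"SLO 2.1 score: {score}%  failed: {failed}")
    print(f"pooled (not permitted): {pooled_availability_pct(SAMPLE):.4f}%")
```

In this constructed month the pooled figure clears 99.95% even though two networks miss their own targets, which is the effect the per-network rule in Exceptions and Exclusions prevents.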

SLO Number 2.2

SLO Category Service Availability

SLO Title Internet Availability (DMSS Only)

SLO Description The percentage of time Internet access is fully functioning and available to Users.

Time Applicability 24x7

Exceptions and Exclusions Standard Exceptions, Outages that do not affect service availability due to redundant

capabilities are excluded. Note: Failure of equipment managed by the Contractor will

not be excluded from the requirements of this SLO. DPN (covered in SLO 2.11)

Performance Target

≥ 99.99%

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula

Additional Requirements

Related PWS section(s)

SLO Number 2.3

SLO Category Service Availability

SLO Title Virtual Private Network Availability

SLO Description The percentage of time the Government Virtual Private Network (VPN) is fully

functioning and available to Users.

Time Applicability 24x7

Exceptions and Exclusions Standard Exceptions, Outages that do not affect service availability due to redundant

capabilities are excluded. Note: Failure of equipment managed by the Contractor will

not be excluded from the requirements of this SLO.

Performance Target

≥ 99.99%

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula

Additional Requirements

Related PWS section(s)

SLO Number 2.4

SLO Category Service Availability

SLO Title Wide Area Network Availability

SLO Description The percentage of time network access is fully functioning and available to Users.

1) MLD: Access to other MLD sites

2) DJN: Access to JWICS resources outside of the DJN

3) DSN: Access to SIPRNet resources outside of the DSN

4) DSWAN: Access to other DSWAN sites

Time Applicability Core Hours

Exceptions and Exclusions Availability will be monitored per network and monitoring criteria cannot be

aggregated and averaged to meet the SLO requirements. Outages that do not affect

service availability due to redundant capabilities are excluded. Outages that fall under

SLO 2.1 are excluded. Sites other than the EMC’s are excluded from this SLO.

Performance Target

Results of the Calculation formula should be

MLD: ≥ 99.99%

Other: ≥ 99.95%

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

(Pass/Fail: Failure of either metric is a failure for the entire SLO)

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula Uptime / (TTRP – SD) * 100

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)
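
The availability formula and per-network weighting of SLO 2.4, worked through as an added Python example that is not part of the PWS. The minute counts are constructed sample data for a 30-day month, and the names `NetworkMonth`, `availability`, `slo_score` and `pooled_availability` are hypothetical; the last function shows why the SLO forbids aggregating and averaging across networks.

```python
from dataclasses import dataclass

# Weights and targets as stated in SLO 2.4.
WEIGHTS = {"MLD": 25, "DSN": 10, "DJN": 15, "DSWAN": 25, "DMSS": 25}
TARGETS = {"MLD": 99.99}   # "MLD: >= 99.99%"
DEFAULT_TARGET = 99.95     # "Other: >= 99.95%"


@dataclass(frozen=True)
class NetworkMonth:
    """One network's monitoring totals for the reporting period, in minutes."""
    uptime_min: float        # Uptime
    ttrp_min: float          # Total Time in Reporting Period (TTRP)
    sd_min: float = 0.0      # Scheduled Downtime (SD)


def availability(m: NetworkMonth) -> float:
    """Uptime / (TTRP - SD) * 100, rejecting inputs that would inflate the result."""
    denom = m.ttrp_min - m.sd_min
    if m.sd_min < 0 or denom <= 0:
        raise ValueError("TTRP must be positive and exceed scheduled downtime")
    if not 0 <= m.uptime_min <= denom:
        raise ValueError("uptime must lie between 0 and TTRP - SD")
    return m.uptime_min / denom * 100


def slo_score(months: dict) -> tuple:
    """Assess each network pass/fail and sum the weights of those that pass."""
    missing = set(WEIGHTS) - set(months)
    if missing:
        # A network with no data must not silently count as a pass.
        raise ValueError(f"no monitoring data for: {sorted(missing)}")
    detail = {}
    score = 0
    for name, weight in WEIGHTS.items():
        pct = availability(months[name])
        passed = pct >= TARGETS.get(name, DEFAULT_TARGET)
        detail[name] = (pct, passed)
        if passed:
            score += weight
    return score, detail


def pooled_availability(months: dict) -> float:
    """Availability computed over all networks at once (the aggregation the SLO forbids)."""
    up = sum(m.uptime_min for m in months.values())
    denom = sum(m.ttrp_min - m.sd_min for m in months.values())
    return up / denom * 100


# Constructed sample: 30-day month = 43,200 minutes per network.
SAMPLE_MONTH = {
    "MLD": NetworkMonth(uptime_min=43198, ttrp_min=43200),
    "DSN": NetworkMonth(uptime_min=43080, ttrp_min=43200, sd_min=120),
    "DJN": NetworkMonth(uptime_min=43150, ttrp_min=43200),   # 50 min unplanned outage
    "DSWAN": NetworkMonth(uptime_min=43190, ttrp_min=43200),
    "DMSS": NetworkMonth(uptime_min=43200, ttrp_min=43200),
}

if __name__ == "__main__":
    score, detail = slo_score(SAMPLE_MONTH)
    for name, (pct, passed) in detail.items():
        print(f"{name:6s} {pct:9.5f}%  {'pass' if passed else 'FAIL'}")
    print(f"SLO score: {score}%")
    print(f"Pooled availability (masks the DJN failure): "
          f"{pooled_availability(SAMPLE_MONTH):.5f}%")
```

With this sample the DJN outage costs its 15% weight, while the pooled figure stays above 99.95% and would have hidden the failure.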

SLO Number 2.5

SLO Category Service Availability

SLO Title Infrastructure Service Availability

SLO Description The percentage of time the Government infrastructure services, including DNS, HACI,

TDI, Trusted Gateway, MLS Main Servers, and Domain Controllers are fully

functioning and available to Users per the following networks.

1) MLD

2) DJN

3) DSN

4) DSWAN

Time Applicability Core Hours

Exceptions and Exclusions Availability will be monitored per service and monitoring criteria cannot be

aggregated and averaged to meet the SLO requirements. Outages that do not affect

service availability due to redundant capabilities are excluded. Outages that fall under

SLO 2.1 or SLO 2.2 are excluded. Sites other than the EMC’s are excluded from this

SLO.

Performance Target

Results of the Calculation formula should be

MLD: ≥ 99.99%

Other: ≥ 99.95%

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

(Pass/Fail: Failure of either metric is a failure for the entire SLO)

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula Uptime / (TTRP – SD) * 100

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)

SLO Number 2.6

SLO Category Service Availability

SLO Title E-mail Services Availability

SLO Description The percentages of time the E-mail Services network wide are fully functioning and

available to Users. E-mail services are highly critical to the communications of the

DARPA organization and are therefore separated out from the standard server

services. For the purposes of this SLO, Email Services refers to the servers used to

store, process, send and receive email. It does not include isolated reports of issues

with email clients due to client side issues covered under SLO 1.4.

Time Applicability Core Hours

Exceptions and Exclusions Availability will be monitored per service and monitoring criteria cannot be

aggregated and averaged to meet the SLO requirements. Outages that do not affect

service availability due to redundant capabilities are excluded. Outages that fall under

SLO 2.1 or SLO 2.2 are excluded.

Performance Target

Results of the Calculation formula should be

99.99%

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

(Pass/Fail)

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula Uptime / (TTRP – SD) * 100

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)

SLO Number 2.7

SLO Category Service Availability

SLO Title Server Services Availability

SLO Description The percentages of time the specified Services are fully functioning and available to

Users. All servers are categorized into Criticality Levels (1, 2 and 3) as defined in

the PWS “Service Continuity Management” section.

Time Applicability Core Hours

Exceptions and Exclusions Availability will be monitored per device and monitoring criteria cannot be aggregated

and averaged to meet the SLO requirements. Outages that do not affect service

availability due to redundant capabilities are excluded. Outages that fall under SLO

2.1 or SLO 2.2 are excluded.

Performance Target

Results of the Calculation formula should be

Server Services, as defined by Criticality Level:

1) Mission Critical Services: ≥ 99.99% or no more than 4.32 minutes of

downtime/month

2) Critical Services: ≥ 99.95% or no more than 21.56 minutes of downtime/month

3) Non-Critical, but Essential Services: ≥ 99.9% or no more than 43.2 minutes of

downtime/month

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

SLO score equals the sum of networks passed

(Pass/Fail: Failure of any of the three metrics frames is a failure of the entire SLO)

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula Uptime / (TTRP – SD) * 100

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)

SLO Number 2.8

SLO Category Service Availability

SLO Title VoIP Services Availability

SLO Description The percentage of time VoIP Services are fully functioning and available to Users.

Time Applicability Core Hours

Exceptions and Exclusions Availability will be monitored per device and monitoring criteria cannot be aggregated

and averaged to meet the SLO requirements. Outages that do not affect service

availability due to redundant capabilities are excluded. Outages that fall under SLO

2.1 or SLO 2.2 are excluded.

Performance Target

Results of the Calculation formula should be

≥ 99.95%

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLD TS/SAR VOIP: 30%

MLD S/SAR VOIP: 10%

DSWAN VOIP: 10%

DMSS VOIP: 30%

SLO score equals the sum of networks passed.

The DIA controlled DJN VOIP is not included under SLO 2.6

(Pass/Fail)

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula Uptime / (TTRP – SD) * 100

Additional Requirements

Related PWS section(s)

SLO Number 2.9

SLO Category Service Availability

SLO Title Video Teleconferencing Availability

SLO Description The percentage of time Video Teleconferencing (VTC) services are fully functioning

and available to Users.

Time Applicability Core Hours

Exceptions and Exclusions Availability will be monitored per device and monitoring criteria cannot be aggregated

and averaged to meet the SLO requirements. Outages that do not affect service

availability due to redundant capabilities are excluded. Outages that fall under SLO

2.1 or SLO 2.2 are excluded. Sites other than the EMC’s are excluded from this SLO.

Performance Target

Results of the Calculation formula should be

≥ 99.99%

(Pass/Fail)

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula Uptime / (TTRP – SD) * 100

Additional Requirements

Related PWS section(s)

SLO Number 2.10

SLO Category Service Availability

SLO Title Internal Web Services

SLO Description The percentage of time that all customer facing internal web services are available to

include (but not limited to): DARPA Portal, network search, customer applications to

support DARPA Office operations.

Time Applicability 24x7

Exceptions and Exclusions Standard Exceptions, Outages that do not affect service availability due to redundant

capabilities are excluded. Note: Failure of equipment managed by the Contractor will

not be excluded from the requirements.

Performance Target

≥ 99.99%

Measurement Window Monthly

Measurement Method Availability will be monitored per service and monitoring criteria cannot be

aggregated and averaged to meet the requirements.

Data Sources Network Monitoring Applications; Incident Management System, Help Desk Tickets

Calculation Formula

Additional Requirements

Related PWS section(s)

SLO Number 2.11

SLO Category Service Availability

SLO Title DARPA Public Network (DPN) Availability

SLO Description The percentage of time the DPN is fully functioning and available to Users.

Time Applicability 24x7

Exceptions and Exclusions Standard Exceptions, Outages that do not affect service availability due to redundant

capabilities are excluded. Note: Failure of equipment managed by the Contractor will

not be excluded from the requirements of this SLO.

Performance Target

≥ 99.99%

Measurement Window Monthly

Measurement Method Uptime, Scheduled Downtime (SD), and Total Time in Reporting Period (TTRP) (e.g., 43,200 minutes for 30-day month)

Data Sources Network Monitoring Applications; Incident Management System

Calculation Formula

Additional Requirements

Related PWS section(s)

5.2.3.3 INCIDENT MANAGEMENT

SLO Number 3.1

SLO Category Incident Management

SLO Title Network Incident Responsiveness

SLO Description Time to notify the Government and begin mitigation (e.g., containment, remediation

planning and/or resolution of anomalies) after the detection and identification of a

network Incident or outage event.

Time Applicability 24x7

Exceptions and Exclusions

Standard Exceptions; see Additional Requirements.

Sites other than the EMC’s are excluded from this SLO.

Performance Target

Results of the Calculation formula should be

1) Network outage during Core Hours: ≤ 5 minutes

2) Network outage during non-Core Hours: ≤ 120 min

(Pass/Fail: Failure of either metric is a failure of the SLO)

Measurement Window Monthly

Measurement Method Government correspondence and Help Desk Management System

Data Sources Automated Network Monitoring tool; Government notification records

Calculation Formula

“Pass” or “Fail” based on missing the target for any single Incident/ event condition

during the reporting period

Additional Requirements

In the event of connectivity failures due to third-party Providers (e.g. Verizon cut a

wire), the Contractor is responsible for noticing the outage (via monitoring), notifying

the Government of the outage, and contacting the third party to obtain any information

as far as the root cause of the problem and the estimated time of the outage. The

Contractor shall then notify the Government with the information gathered.

Related PWS section(s)

SLO Number 3.2

SLO Category Incident Management

SLO Title Network Incident Resolution Time

SLO Description Time to resolve all Data Center and Network equipment Incidents causing an

unplanned system or service outage. It includes the period of time starting when an

Incident is detected, through troubleshooting and complete remediation of the Incident,

whereby the service is returned to a state of normal operation within the defined

timeframe. Time to Return to Service covers both hardware and software components.

Time Applicability Core Hours

Exceptions and Exclusions

Standard Exceptions; not readily available replacement parts for hardware failures.

Sites other than the EMC’s are excluded from this SLO.

Performance Target Results of the Calculation formula should be

1) Severity Level 1: ≤ 4 hours (start w/in 30 min)

2) Severity Level 2: ≤ 8 hours (start w/in 60 min)

3) Severity Level 3: ≤ 1 business day (start w/in 120 min)

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

SLO score equals the sum of networks passed.

(Pass/Fail: Failure of any of the three metrics is a failure of the SLO)

Measurement Window Monthly

Measurement Method Elapsed Time to Return to Service per Incident (by Severity Level); Severity Levels

must be assessed and captured when Incidents are logged.

Data Sources Network Monitoring Applications and Incident Management System

Calculation Formula Time to Return to Service / Total number of Incidents

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)

5.2.3.4 SECURITY MANAGEMENT SERVICES

SLO Number 4.1

SLO Category Security Management Services

SLO Title Computer Security Incident Responsiveness

SLO Description Time to notify the Government and begin mitigation (e.g., containment, remediation

planning and/or resolution of anomalies) after the detection and identification of a

Security Incident.

Time Applicability 24x7

Exceptions and Exclusions Standard Exceptions

Performance Target

Government notification and actions executed in accordance with “DARPA Computer

Security Incident Response Guide” procedures. Timeframes and actions vary

according to the type of Security Incident and when it occurs.

Measurement Window Monthly

Measurement Method Government correspondence and Help Desk Management System

Data Sources Automated Network Monitoring tool; Government notification records

Calculation Formula “Pass” or “Fail” based on missing the target for any single Incident/ event condition

during the reporting period

Additional Requirements

Related PWS section(s)

SLO Number 4.2

SLO Category Security Management Services

SLO Title IAVA/ICVM Compliance Percentage

SLO Description Percentage of DoD Information Assurance Vulnerabilities Alerts (IAVAs) and IC

Vulnerability Alerts (ICVAs) installed on classified systems by the DoD requested

compliance date unless otherwise specified in the Contractor proposed, Government

approved POA&M.

Time Applicability NA

Exceptions and Exclusions Standard Exceptions

Performance Target Raw results are derived from the ACAS program. The following formula will be used

to calculate the overall Weighted Average.

Weighted Average = (f1w1 + f2w2 + f3w3) / (w1 + w2 + w3)

fn = finding/host

wn = weight (10/4/1)

% of Pass/Fail based upon the overall Weighted Average score.

< 2.5 100%

>=2.5 75%

>=3.5 0%

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

SLO score equals the sum of networks passed.

Measurement Window Monthly

Measurement Method Overall Weighted Average score utilizing monthly ACAS scan.

Data Sources ACAS scanning application.

Calculation Formula MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

While the performance target allows for some margin of error due to system

inaccessibility, all IAVA/ICVAs must eventually reach 100% and reporting will

continue until 100% compliance is achieved.

Related PWS section(s)

SLO Number 4.3

SLO Category Security Management Services

SLO Title Vulnerability Announcement Mitigation Compliance Percentage

SLO Description Percentage of DoD issued Vulnerability Announcement Mitigations installed on

unclassified systems by the DoD requested compliance date unless otherwise specified

in the Contractor proposed, Government approved POA&M.

Time Applicability 24x7

Exceptions and Exclusions Standard Exceptions

Performance Target Device Types:

a. All Servers and network equipment/appliances: = 100%

b. All Desktops: ≥ 98%

c. All Laptops and other applicable mobile devices: ≥ 90%

Measurement Window Monthly

Measurement Method

Data Sources

Calculation Formula

Additional Requirements

Related PWS section(s)

SLO Number 4.4

SLO Category Security Management Services

SLO Title Other DoD Directed Actions Timeliness

SLO Description Time to distribute and successfully complete installation of DoD or IC directed actions

other than IAVA/ICVAs (CTOs, IAVBs, IAVTs, etc.).

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions; Patching delays resulting from inaccessible equipment, such as

unconnected User laptops.

Performance Target

Completed by DoD-specified Compliance Date, unless otherwise directed by the

Government (DAA or IAM)

Each network shall be separately assessed as pass/fail and weighted for the SLO as

follows:

MLDs: 25%

DSN: 10%

DJN: 15%

DSWAN: 25%

DMSS: 25%

SLO score equals the sum of networks passed.

Measurement Window Monthly

Measurement Method Elapsed time to update the target population for each deployment attempt (from

approval to completion)

Data Sources Automated Patch Management System

Calculation Formula

Provided via reports issued from the automated software system and based on each

requirement as provided by DoD.

MLD (0 or 25%) + DSN (0 or 10%) + DJN (0 or 15%) + DSWAN (0 or 25%) +

DMSS (0 or 25%)

Additional Requirements

Related PWS section(s)

5.2.3.5 ASSET AND CONFIGURATION MANAGEMENT

SLO Number 5.1

SLO Category Asset and Configuration Management

SLO Title Asset / Inventory Accuracy

SLO Description Percentage of accurate inventory assets (items assigned a bar code number) based on

random sampling of at least 25% of applicable tickets. Reflects verification that asset

tag, location, responsible owner, and status are all correct. Applicable ticket types

include:

1) Update Assets

2) Install Hardware

3) Relocate Equipment

4) Uninstall Hardware

5) Install Printer

Sample selection and comparison is performed by the Contractor’s Quality Assurance

component, and is auditable by the Government or a Government designated third-

party.

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions

Performance Target

Results of the Calculation formula should be

≥ 98%

(Pass/Fail)

Measurement Window Monthly

Measurement Method Number of Accurate Items/Total Items Sampled

Data Sources Asset Tracking Database

Calculation Formula Number of Items where data is correct / Total Items Sampled * 100

Additional Requirements

Related PWS section(s)

SLO Number 5.2

SLO Category Asset and Configuration Management

SLO Title Asset Tracking Update Timeliness

SLO Description Time to update the asset tracking database with current information after receiving,

installing, refreshing or moving Configuration Items.

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions

Performance Target

Results of the Calculation formula should be

≤ 4 business hours after the Configuration Item change is made

(Pass/Fail)

Measurement Window Monthly

Measurement Method Elapsed Time to reflect all asset changes to the Asset Tracking Database

Data Sources Help Desk Management System; Asset Tracking Database

Calculation Formula Total Time for Asset Tracking Database update / Number of Changes

Additional Requirements

Related PWS section(s)

SLO Number 5.3

SLO Category Asset and Configuration Management

SLO Title Software Update / Upgrade Timeliness

SLO Description Time to install all commercially released updates, upgrades and patches upon

Government approval. For example, upgrades for packages such as Adobe Acrobat,

Microsoft Project.

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions

Performance Target

Meet all Government directed installation dates. The installation date will be based on

coordination with the performer but will be set by the Government. No impact on

Users during core hours.

Measurement Window Monthly

Measurement Method Actual vs. Scheduled Date

Data Sources

Government written notification from an authorized official; Configuration

Management Tracking Tool

Calculation Formula “Pass” or “Fail” based on missing the target for any scheduled date during reporting

period

Additional Requirements

Related PWS section(s) Change Management

Service Operations Support

Software Distribution and Upgrades

5.2.3.6 USER SATISFACTION

SLO Number 6.1

SLO Category User Satisfaction

SLO Title User Satisfaction Survey Results

SLO Description The Contractor shall utilize the DARPA ITD provided Customer Satisfaction Survey

process to measure and report on customer satisfaction. As service tickets are closed,

this automated survey tool will send out customer surveys at Government approved

pre-determined intervals. The Contractor shall tally all results and include those results

in the monthly Service Level Objective (SLO) Data Report.

Time Applicability n/a

Exceptions and Exclusions Standard Exceptions

Performance Target ≥ 4.5 on a five-point scale

Measurement Window Quarterly

Measurement Method

Overall Performance score based on a five-point scale:

1 Poor

2 Fair

3 Good

4 Very Good

4.5 Excellent

Data Sources Raw Survey Data

Calculation Formula Sum of Overall Performance score from each Response/ Total Number of Participants

responding

Additional Requirements

Related PWS section(s)

SLO Number 6.2

SLO Category User Satisfaction

SLO Title Operational Level Agreement Compliance

SLO Description The Contractor’s ability to perform against Operational Level

Agreements (OLAs) in-place between ITD and other DARPA

Organizations.

Time Applicability n/a

Exceptions and

Exclusions Standard Exceptions

Performance Target “Satisfactory” evaluation from all DARPA Government

Organizations with OLAs in-place

Measurement Window Monthly

Measurement Method Government POC feedback

Data Sources POC correspondence

Calculation Formula Sum of Overall Performance score from each Participant /

Total Number of Participants responding

Additional

Requirements

The Contractor shall prepare a project plan with Government

input and approval to resolve identified User dissatisfaction with

Contractor performance against Operational Level Agreements.

Related PWS

section(s)

5.2.3.7 PROFESSIONAL SERVICES PERFORMANCE

SLO Number 7.1

SLO Category Professional Services Performance

SLO Title Projects Completed On-Time

SLO Description Professional service projects were all completed on-time, based on Project Plan vs.

Actual variance.

Time Applicability n/a

Exceptions and Exclusions Standard Exceptions; Assumes Project requirements were accurate and remained

within scope of the approved PWS, Technical and Cost Proposals (T&CPs), and any

subsequent approved Project Change Requests (PCRs).

Performance Target All Projects completed on-time during the reporting period (“Pass”)

Measurement Window Monthly

Measurement Method Government and Project’s DARPA POC

Data Sources Project Plan; Actual Completion Date

Calculation Formula “Pass” or “Fail” depending if completed on-time or not

Additional Requirements

Related PWS section(s)

SLO Number 7.2

SLO Category Professional Services Performance

SLO Title Projects Completed Within Budget

SLO Description Professional service projects were all completed within cost budget, based on Project

Plan vs. Actual variance.

Time Applicability n/a

Exceptions and Exclusions

Standard Exceptions; Assumes Government requirements were accurate and remained

within scope of the approved PWS, Technical and Cost Proposals (T&CPs), and any

subsequent approved Project Change Requests (PCRs).

Performance Target All Projects completed within budget during the reporting period (“Pass”)

Measurement Window Monthly

Measurement Method Government and Project’s DARPA POC

Data Sources Project Total Cost Estimate/Budget; Actual Total Project Costs

Calculation Formula “Pass” or “Fail” depending if completed within budget or not

Additional Requirements

Related PWS section(s)

5.2.3.8 PROGRAM MANAGEMENT PERFORMANCE

SLO Number 8.1

SLO Category Program Management Performance

SLO Title Reporting Timeliness and Accuracy

SLO Description Timeliness and accuracy of scheduled CDRLs in the designated format and according

to the specified schedule (weekly, monthly, quarterly, etc.).

Time Applicability Core Hours

Exceptions and Exclusions

Standard Exceptions

Timeliness applies to all CDRLs.

Accuracy applies to those CDRLs submitted on a monthly basis or longer.

Performance Target 100% on-time delivery and accuracy of completed reports and deliverables per

reporting requirements

Measurement Window

Monthly assessment, however reporting occurs on a defined time schedule (weekly,

monthly, quarterly, etc.)

Measurement Method Government validation of CDRLs delivery and accuracy of contents

Data Sources See PWS/CDRL for specified reports and schedules

Calculation Formula Number of Reports delivered on schedule and accurately / Total number of reports

specified

Additional Requirements

Related PWS section(s)

SLO Number 8.2

SLO Category Program Management Performance

SLO Title Contractor Availability and Responsiveness

SLO Description The Contractor personnel (Program Manager or designated personnel) shall be

available and accessible for consultation with personnel as identified by the

Government. The expectation is within five (5) minutes during business hours and

within two (2) during non-business Hours.

Time Applicability 24x7, with expectations described above.

Exceptions and Exclusions Standard Exceptions

Performance Target Pass/Fail

Measurement Window Monthly

Measurement Method Government satisfaction

Data Sources Government identified personnel

Calculation Formula “Pass”, “Fail”

Additional Requirements

Related PWS section(s)

Program Management

Service Integration Management


SLO Number 8.3

SLO Category Program Management Performance

SLO Title Upgrades Currency and Maintenance

SLO Description The Contractor-provided service to distribute new and upgraded software to DARPA service delivery points and appropriate DARPA infrastructure. This capability includes, but is not limited to, commercially available off-the-shelf (COTS) software, Government-off-the-Shelf (GOTS), custom application software, end-user and systems services, enterprise functional servers and software licenses.

Time Applicability 24x7, with expectations described above.

Exceptions and Exclusions Standard Exceptions

Performance Target ≥ 99%

Measurement Window Quarterly

Measurement Method Vendor shall provide monthly list of software releases greater than N-1. Data logs shall be maintained for Government or designated third-party audit. 99 percent of installed releases are equal to or better than N-1.

Data Sources Government identified personnel and software vendor publicly available release notes.

Calculation Formula The number of installed software releases that are equal to or more current than N-1 divided by the total number of software releases, where N is defined as the latest software release.

Additional Requirements 8.3

Related PWS section(s) Inventory / Asset Management


SLO Number 8.4

SLO Category Program Management Performance

SLO Title Contractor Flexibility and Innovation

SLO Description This includes the Contractor proactively:

1) Identifying problems and proposing problem resolutions

2) Introducing innovative solutions

3) Offering suggestions for cost-savings initiatives

4) Adjusting processes, technology, and subject matter expertise to respond to evolving requirements within the dynamic DARPA environment.

Time Applicability Core Hours

Exceptions and Exclusions Standard Exceptions; Excludes routine services, such as responding to requests that are expected to be resolved by Help Desk staff (e.g., how-to questions, connectivity issues, software configuration problems, and user addressable hardware problems).

Performance Target “Pass”, “Fail”, or “Excel”

Measurement Window Monthly

Measurement Method Government satisfaction

Data Sources Government staff

Calculation Formula Graded on a scale between 0% - 100% on the level of flexibility in accomplishing Government requirements and innovation in implementing the technology to meet those requirements.

Additional Requirements The Contractor’s program management staff will work in cooperation with the Government to ensure processes and practices are defined, implemented, and evaluated on a regular basis in line with industry standard project management practices and service delivery models.

Related PWS section(s)


5.3 APPENDIX A: PROFESSIONAL SERVICES WORK CATEGORIES

A description of each Category follows with a list of technologies and services of interest to the Government within the Category. Once a first-time project is completed, documentation, transition of knowledge and training shall be conveyed to support services. Ongoing monitoring and maintenance shall be covered by the support services. The project deliverable shall be added to the Service Catalog. Should ongoing specialized skills be required to maintain the system, the Project Manager shall obtain approval from the Government prior to staff augmentation.

Category 1: Advanced Windows System Integration and Servers Application Support

Advanced Windows Systems support includes the pre-installation planning activities, installation, and problem determination, resolution, documentation, and transition of knowledge of new applications or services. This category shall also include technology trials, pilots, prototypes and proofs of concept, residing on Windows-based operating systems that have not been previously used in the DARPA enclave. These applications and services may require subject matter expertise through product vendors such as Microsoft, to provide state-of-the-art support and implementation of the next generation of services. Examples would be:

a. General COTS/GOTS applications

b. Exchange

c. SharePoint

d. Network Security Design and Implementation (e.g. Internet Security Appliance (ISA))

e. Domain migration and configuration (e.g. Active Directory)

Category 2: Advanced Non-Windows Systems Integration, Applications and Servers Support

Non-Windows Systems support includes pre-installation planning activities, installation, and problem determination, resolution, documentation, and transition of knowledge of new applications or services. This category shall also include technology trials, pilots, prototypes and proofs of concept, residing on non-Windows-based operating systems that have not been previously used in the DARPA enclave. Technologies and services for this category include, but are not limited to:

a. Virtualization platforms

b. Network Appliances

c. UNIX flavors such as Solaris, Linux, HP-UX, etc.

d. Non-Windows based Web Servers

Category 3: Application Analysis, Design and Programming Support

Analysis and programming for systems applications development shall include requirements analysis, detailed specifications, programming and deployment of computer applications whether web-based or distributed (client-server). Application development includes the complete SDLC involved in producing a computer application in addition to following the standard release and deployment process. Examples of systems application development expertise are as follows:

a. Logical and physical database design

b. Web application programming

c. Web application user interface programming (thin or thick clients)

d. Client-server application analysis and programming

e. Object-oriented language analysis and programming

f. SQL programming (SQL or Oracle)

g. Visual Basic .Net Programming

h. Publishing technologies (e.g., PHP and Drupal)


Category 4: Emerging Technologies Research Support

The Government may require assistance in researching and evaluating future and emerging technologies for supporting their mission. The Contractor shall provide appropriate subject matter expertise to evaluate the emerging technologies. The primary deliverable of this type of project will be a whitepaper or analysis research papers on the requested technologies, to include a cost/benefit analysis of available technologies and whether they meet the Government’s requirements.

Category 5: Surge Support

The Contractor may, in order to meet Government-mandated deadlines or in response to a Government request, propose a surge support solution. The Government must approve all surge support proposals prior to project initiation.