STATEMENT OF WORK (SOW)

Award/Mod Effective Version Date

Solicitation 11/13/2024

Contract Number: To be determined (TBD)

Task Order Number: TBD
Tracking Number: 832469265
Contractor Name: TBD
Follow-on to Previous Contract and 47QTA18D00JM / HC102822F0686
Task Order Number:

1. Contracting Officer’s Representative (COR).

a. Primary COR. See DITCO Additional Text G1 - Points of Contact

b. Alternate COR. See DITCO Additional Text G1 - Points of Contact

c. Property Administrator. See DITCO Additional Text G1 - Points of Contact

2. Task Order Title. Hybrid Cloud Infrastructure

3. Background.

The Hybrid Cloud Infrastructure supports Department of Defense Systems, Applications, Users, Mission Partners,
and Customers on many types of hardware (physical & virtual) in addition to the operating environments such as
x86, zOS IBM Mainframes, Unisys, SPARC-based Unix, Linux, and Windows Operating systems.

The mission of the Infrastructure Line of Business (IFLOB) is to deploy and sustain the hybrid cloud infrastructure
hardware for over 1100 deployed solutions and 3,500 devices at multiple classifications across the globe.

IFLOB provides network and client solution engineering, workload integration, operations, and sustainment for on-
premises data centers, private cloud, commercial cloud, and government cloud, which can be categorized as Hybrid
Cloud Infrastructures. Our services are provided globally to multiple locations both Contiguous United States
(CONUS) and Outside Contiguous United States (OCONUS). This includes infrastructures both inside DISA data
centers as well as remote non-DISA locations.

To fulfill the IFLOB mission, J-933 requires the contractor to accomplish the tasks and responsibilities outlined in
this document.

4. Objectives.

The objective of this requirement is to procure highly skilled technical services to provide strategic engineering and
operational sustainment of the Hybrid Cloud Infrastructure and it’s hosted client solutions. This includes evaluating,
designing, integrating, implementing, automating, and sustaining a highly redundant and scalable infrastructure to
support the diverse Information Technology (IT) requirements of Department of Defense (DOD) Mission Partners.
All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA guidelines
as defined by the Government.

5. Scope.

The contractor shall support the mission of Infrastructure Line of Business (IFLOB) assisting to provide a reliable,
secured, and consumable Hybrid Cloud Infrastructure that is maintained and operated on 24x7x365. Work
performed by the contractor under this Task Order is intended to be a broad range of technical services to include
evaluating, designing, integrating, implementing, automating, and sustaining a highly redundant and scalable
infrastructure that supports hosted environments of the DOD and our Partners.

The contractor shall be required to access both classified and unclassified systems.

The Government may require surge support during the base or any option period, and surge modifications will be
within the scope of the contract and provide increased support for the defined task areas of this SOW. Surge support
over the life of the contract will not exceed 10% of the contractor’s total proposed cost/price for the base and all
option periods, excluding any six-month extension of services pursuant to FAR 52.217-8.

The following Performance Areas apply to the scope of this effort:

Performance Area 1 – Engineering (6.1) – (8 FTEs)

 Infrastructure (6.1.1)
 Client Solutions (6.1.2)
 Infrastructure Tools (6.1.3)

Performance Area 2 – Implementation (6.2) (13 FTEs)

 Client Solutions Integration & Deployment (6.2.1)
 Infrastructure Integration & Deployment 6.2.2
 Client Solution Transition (6.2.3)
 Infrastructure Transition (6.2.4)

Performance Area 3 – Operations (6.3) (15 FTEs)
 Operations (6.3.1)
 Maintenance (6.3.2)
 Sustainment (6.3.3)

Performance Area 4 – Dedicated Labor (6.4) (27 FTEs)

 Defense Health Agency (DHA)
 United States Army (USA) Integrated Personnel and Pay Systems (IPPS-A)
 United States Space Force (USSF) Global Broadcast Service (GBS)
 United States Air Force (USAF) Defense Enterprise Accounting and Management System (DEAMS)
 DISA STRATUS (Private Cloud)
 DISA Zero Day Network Defense (ZND)
 DISA Secure Cloud Computing (SCCA) Architecture Boundary Cloud Access Point (BCAP)
 DISA DNS Domain Management
 DISA Web Application Firewall (WAF)

Performance Area 5 – Automation (6.5) (4 FTEs)

6. Specific Tasks.

6.1 Task 1 – Engineering:

The contractor shall provide engineering support for all aspects of the Hybrid Cloud Infrastructure and the
associated infrastructure configurations of the managed environments. This support will be required 8 hours per day,
5 days per week.

General Tasks include:

a) Designing client hosted solutions and upgrades to existing network infrastructure (physical and
virtual) as it relates to storage, infrastructure tools, and automation.
b) Supporting network services and products, such as routers, switches, firewalls, web application
firewalls, DNS, email gateways, proxy services, VPN, cryptographic devices, associated device
software and firmware, diagnostic tools, and automation systems.
 c) Will provide training and knowledge transfer to the client's IT staff to ensure that they
are able to manage and maintain the network infrastructure. This may include providing
documentation, conducting training sessions, and answering questions.

Performance Standards:
a) STD: 8 Enterprise Network Architect (FTEs)
b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government
d) STD: On duty 8x5, Monday - Friday
e) STD: Secret Security Clearance
f) STD: Information Assurance Technical (IAT) Level II
g) STD: DoD Cyber Workforce (DCWF) 8140 compliance

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Report

The Contractor Shall:

a) Have knowledge of computer networking concepts and protocols, and network security
methodologies.

b) Have knowledge of risk management processes (e.g., methods for assessing and
mitigating risk).

c) Have knowledge of national and international laws, regulations, policies, and ethics as
they relate to cybersecurity.

d) Have knowledge of cybersecurity principles.

e) Have knowledge of cyber threats and vulnerabilities.

f) Have knowledge of specific operational impacts of cybersecurity lapses.

g) Have knowledge of cloud computing service models Software as a Service (SaaS),

Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

h) Cloud Computing Deployment Models:

1. The contractor shall have knowledge of cloud computing deployment models
in private, public, and hybrid environments.
2. The contractor shall understand the difference between on-premises and off-
premises environments. Ensure that the projects they are supporting are up to date with
the latest information and that government leadership is aware of any important efforts
that may not meet mission deadlines. The contractor should be ready to participate in
high-level briefings related to the projects they are supporting.

i) The contractor shall attend all stakeholder meetings in support of the workload, or effort,
they are supporting.

6.1.1 Subtask 1 – Infrastructure Engineering

The Contractor Shall:

a) Provide network design and planning: This involves creating a network design that meets the IFLOB’s
requirements for functionality, performance, and security. The network engineer will need to consider
the current network infrastructure, as well as any future growth or expansion plans.

b) Provide network optimization support which involves reviewing network performance and
capacity to ensure that it can handle the demands placed on it by users and applications.

c) Provide network infrastructure documentation: Will create and maintain documentation for
the network infrastructure. This will involve creating network diagrams, policies, and
procedures, and updating documentation as changes are made to the network infrastructure.
All documents and policies will be submitted to the government for approval.

d) Ensure that all engineering efforts adhere to DISA and DoD policies, and directives from
United States Cyber Command (USCC) and Joint Force Headquarters DODIN (JFHQ-
DODIN).

e) Provide technology evaluation: Will evaluate emerging technologies such as, but are not
limited to, SD-WAN, 5G, and IoT to determine their suitability for the organization's
network infrastructure. This task will involve researching and testing these technologies and
providing a detailed analysis of their potential benefits and drawbacks.

f) Ensure that emerging technologies are implemented in a secure manner. This task will
involve implementing security protocols, such as encryption and authentication, and
ensuring that the network is protected against emerging threats such as IoT-based attacks.

g) Provide pilot and prototype support: Will work with the project stakeholders to understand
the network requirements for the pilot or prototype project, to include but not limited to the
number of users, the types of devices, the expected bandwidth, and the security
requirements. Based on the network requirements, the network engineer will design a
network solution that meets the needs of the pilot or prototype project.

6.1.2 Subtask 2 – Client Solutions Engineering

The Contractor Shall:

a) Conduct needs assessments and requirements gathering with clients pertaining to their infrastructure
requirements.

b) Design and develop customized infrastructure solutions for hosted client applications

c) Collaborating with other team members, such as project managers, developers, and
architects, to ensure successful solution delivery.

d) Provide guidance and support for network scaling and expansion as the client's network
requirements change. This may include planning for network capacity, selecting appropriate
network hardware and software components, and designing network upgrades.

e) Ensure high level government briefings are attended to attain situational awareness of
government efforts and mission priorities. The contractor needs to ensure that all projects
they are supporting have the latest updates on and that government leadership is tracking any
priority efforts that are not expected to meet mission timelines. The contract should be
prepared to participate in high level briefings for workload they are supporting.
 f) Continuously monitor the government directed project management system for project
support requests, project assignments, project tasks/activities, project timelines and
suspense, and project reporting.

g) Provide pilot and prototype support: Will work with the project stakeholders to understand
the network requirements for the pilot or prototype project, to include but not limited to the
number of users, the types of devices, the expected bandwidth, and the security
requirements. Based on the network requirements, the network engineer will design a
network solution that meets the needs of the pilot or prototype project.

6.1.3 Subtask 3 – Infrastructure Tools Engineering

The Contractor Shall:

a) Define the requirements and specifications for infrastructure tools based on the organization's needs.
b) Research and evaluate available infrastructure tools and technologies.

c) Design and implement infrastructure tools, including configuration management,

automation, and monitoring tools.

d) Integrate infrastructure tools with existing systems and processes.

e) Monitor infrastructure tools to ensure they are functioning properly and meeting
performance and security requirements.

f) Maintain and update infrastructure tools as needed to ensure they continue to meet the
organization's needs.

Work schedule: 5x8, Secret Security Clearance, IAT II

Requirements: Initial management plan to be developed and approved by the Government with annual updates,
Develop Integrated Management Schedule (IMS) with biweekly updates, Monthly status updates on performance
regarding quality assurance, progress/status of project regarding cost, schedule, and performance.

Deliverables:

SOW Deliverable Title Format Due Date Distribution/Copies Frequency and

Task# Remarks
6.1 Task Order A001 Draft – 15 days Standard Draft - 15
6.1.1- Management Plan after Award Distribution* Final – 30
6.1.3 Final – 30 days
after Award
6.1 Monthly Status Report A002/Govt on 5th workday COR, KO, Standard Monthly
6.1.1- distribution to
6.1.3 Government Leads
6.1 Weekly Status Report A003/Govt By 1600 E Friday Government Leads Weekly
6.1.1-
6.1.3
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

6.2 Task 2 – Implementation

The contractor shall be responsible for implementing and deploying the engineering team provided client solutions
and infrastructure design packages for the Hybrid Cloud Infrastructure. This support will be required 8x5 weekly.
Implementation support includes client hosting integration & deployment in addition to transition the workload to an
operational status per J-9 HaC standards for declaring Full Operational Capability (FOC). Also includes deploying
and integrating all infrastructure hardware and configurations.

Performance Standards:
a) STD: 10 Enterprise Network Architect (FTEs)
b) STD: 3 IT Technician II (FTEs)
c) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
d) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government
e) STD: On duty 8x5, Monday - Friday
f) STD: Secret Security Clearance
g) STD: Information Assurance Technical (IAT) Level II
h) STD: DoD Cyber Workforce (DCWF) 8140 compliance

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Capacity and Performance Report

The Contractor Shall:

a) Have knowledge of computer networking concepts and protocols, and network security
methodologies.

b) Have knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

c) Have knowledge of national and international laws, regulations, policies, and ethics as they relate
to cybersecurity.

d) Have knowledge of cybersecurity principles.

e) Have knowledge of cyber threats and vulnerabilities.

f) Have knowledge of specific operational impacts of cybersecurity lapses.

g) Have knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure
as a Service (IaaS), and Platform as a Service (PaaS).

h) Have knowledge of cloud computing deployment models in private, public, and hybrid
environment and the difference between on-premises and off-premises environments.

6.2.1 Subtask 1 – Client Solution Integration & Deployment

The Contractor Shall:

 a) Implement new infrastructure solutions for hosted client applications within the timeline set
for each assigned project.

b) Deploy the engineered solutions to any of the applicable hybrid cloud managed
infrastructure environments to include On-Premises, Private Cloud, Commercial Cloud, and
Government Cloud.

c) Integrate the new application solution with existing systems and applications. This includes
configuration and initial connectivity testing.

d) Collaborate with other team members, such as project managers, developers, and architects,
and engineers to ensure successful solution delivery.

e) Continuously monitor the government directed project management system for project
support requests, project assignments, project tasks/activities, project timelines and
suspense, and project reporting.

f) Provide pilot and prototype integration support: Will work with the project stakeholders to
understand the network requirements for the pilot or prototype project. Based on the network
requirements, the network engineer will deploy the engineered client solution that meets the
needs of the pilot or prototype project.

6.2.2 Subtask 2 – Infrastructure Integration & Deployment

The Contractor Shall:

a) Deploy the network infrastructure: This involves physically installing and configuring all the
infrastructure hardware and software components of the deployment project.

b) Integrate the new infrastructure with existing systems and applications. This might include
tasks like configuring interfaces, setting up data feeds, and testing connectivity

c) Update network infrastructure documentation. This will involve updating network diagrams,
procedures, and updating documentation as changes are made to the network infrastructure.
All documents and policies will be submitted to the government for approval.

d) Provide pilot and prototype integration support: Will work with the project stakeholders to understand
the network requirements for the pilot or prototype project. Based on the network requirements, the
network engineer will deploy the engineered infrastructure solution that meets the needs of the pilot or
prototype project.

6.2.3 Subtask 3 – Client Solution transition

The Contractor Shall:

a) Provide client solution testing and validation: This involves testing the network engineering
application integration and deployment project to ensure that it is functioning as expected. This might
 include tasks like performing load testing, testing failover and recovery procedures, and validating
security settings.

b) Ensure that any failed testing is resolved before transition the project over to the IFLOB Operations
team.

c) Collaborate with other team members, such as the client solutions engineer, operators, and
architects to ensure successful solution delivery and transition.

6.2.4 Subtask 4 – Infrastructure Transition

The Contractor Shall:

a) Provide infrastructure solution testing and validation: This involves testing the engineered
infrastructure solution to ensure that it is functioning as expected. This might include tasks like
performing load testing, testing failover and recovery procedures, and validating security settings.

b) Ensure that any failed testing is resolved before transitioning the newly deployed hardware over to the
IFLOB Operations team.

c) Collaborate with other team members, such as the infrastructure engineer, operators, and
architects to ensure successful solution delivery and transition.

Deliverables:

SOW Deliverable Title Format Due Date Distribution/Copies Frequency and

Task# Remarks
6.2 Task Order A001 Draft – 15 days Standard Draft - 15
6.2.1- Management Plan after Award Distribution* Final – 30
6.2.4 Final – 30 days
after Award
6.2 Monthly Status Report A002/Govt on 5th workday COR, KO, Standard Monthly
6.2.1- distribution to
6.2.4 Government Leads
6.2 Weekly Status Report A003/Govt By 1600 E Friday Government Leads Weekly
6.2.1-
6.2.4
6.2 Capacity Performance A004/Govt By 1600 E Government Leads Monthly
6.2.2 Report
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

6.3 Task 3 – Operations

The contractor shall be responsible for the global 365x24x7 Operations, Maintenance and Sustainment support for
the DISA IFLOB Hybrid Cloud Infrastructure managed environments.

Operations, Maintenance, and Sustainment support includes monitoring the production environments, performing
capacity and performance management, vulnerability management, and sustainment actions for hosted mission
partner services and managed service environments.

Performance Standards:
a) STD: 9 Enterprise Network Architect (FTEs)
b) STD: 6 IT Technician II (FTEs)
c) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
d) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government
e) STD: On duty 365x24x7
f) STD: Secret Security Clearance
g) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report
A005 Shift Turnover Report

The Contractor Shall:

a) Have knowledge of computer networking concepts and protocols, and network security
methodologies.

b) Have knowledge of risk management processes (e.g., methods for assessing and
mitigating risk).

c) Have knowledge of national and international laws, regulations, policies, and ethics as
they relate to cybersecurity.

d) Have knowledge of cybersecurity principles.

e) Have knowledge of cyber threats and vulnerabilities.

f) Have knowledge of specific operational impacts of cybersecurity lapses.

g) Have knowledge of cloud computing service models Software as a Service (SaaS),

Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

h) Have knowledge of cloud computing deployment models in private, public, and hybrid
environment and the difference between on-premises and off-premises environments.

i) Provide operations, maintenance & sustainment for the continued optimal systems
performance of the system.

j) Support all hybrid cloud managed infrastructure environments to include On-Premises,

Private Cloud, Commercial Cloud, and Government Cloud.

k) Store all documentation in accordance with government records management and storage
process.

l) The contractor shall attend all stakeholder meetings in support of the workload, or effort,
they are supporting.

m) Provide network design, configuration, implementation, and sustainment assistance in

accordance with IFLOB best practices, DISA STIGs

6.3.1 Subtask 1 – Operations

The Contractor Shall:

 a) Diagnose and resolve infrastructure connectivity problems, working incident tickets, and
monitor and resolve events in a hybrid cloud infrastructure environment.

b) Diagnose and resolve client service issues.

c) Monitor and perform system modifications and upgrades to the production systems
because of preventive or corrective maintenance.

d) Monitor infrastructure capacity and performance.

e) Once a network wide outage is determined, notification to the Government within 10 minutes is
required. Any required design modifications shall be requested through the normal change
management process.

f) Participate in shift turnover processes for each of the shift changes occurring daily for which any of
their staff are working.

g) Contractor shall provide information or documentation to the turnover lead concerning the status of
any task completed or still in work, as well as any issues encountered during the shift.

h) Contractor shall escalate any issue occurring during a shift immediately and not wait until shift
turnover.

i) Develop a systematic approach and metrics for tracking defect rates, resolution times and release
cycles, and document and implement fixes.

j) Provide a daily System Status Report of all ASI’s, unscheduled outages, Hazardous Conditions
(HAZCONs), and other data as requested by the Government.

k) Work Return Material Authorization (RMA) of infrastructure equipment that has failed.

l) Maintain a daily Incident report by using DISA approved ticket management system in accordance
with the DISA Incident Management process. All trouble calls shall be logged and tracked through
resolution. Upon notification of incidents the Contractor shall respond within 15 minutes to update
actions and mark the ticket status to “In Progress”. All priority 1 and 2 tickets shall be updated
hourly, unless otherwise marked deferred or referred. All other tickets shall follow DISA Incident
Ticket processes for updates, unless otherwise marked deferred or referred. Once the issue is
resolved, immediate notification and ticket updates shall be made.

m) Conduct trend analysis on the system to aid in the prevention of network degradations and outages as
well as recommend configuration/administration changes to the Government based on the
continuous monitoring of the system. No updates or changes shall be made without CCB approval.

n) Recommend and document corrective actions for system improvements to include security, stability,
capacity, throughput, and performance.

6.3.2 Subtask 2 – Maintenance

The Contractor Shall:

a) Manage and maintain approved patches and updates, as well as remediating infrastructure
vulnerabilities.

b) Perform and implement network backup recovery procedures.

 c) Install and maintain infrastructure device operating system software (e.g., IOS, Firmware)

d) Test and Maintain network infrastructure including software and hardware.

e) recommendations based on known bug findings.

f) Ensure application of security patches for commercial products integrated into system
design meet the timelines dictated by management authority for the intended operational
environment.

g) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes, and
enhancements; software and hardware change verification and releases in accordance with
an established Configuration Management (CM) plan.

h) Prepare and manage maintenance releases IAW the DoD/DISA Release Management Plan
(RMP) and process.

i) Perform failover and redundancy testing of Hybrid Cloud Infrastructure environments annually.

j) Provide Life Cycle Support (LCS) for the system and document all security guideline
violations and incidents to the Government Leads via the Security Requirements Report
monthly.

k) Gather all necessary documentation (testing reports/procedures/baseline configuration guides/lessons

learned), organize all artifacts within the appropriate Government provided web portal, and validate
that the current/appropriate document version is in use.

6.3.3 Subtask 3 – Sustainment

The Contractor Shall:

a) Sustainment Support for Customer Service and Change Request, Continuity of

Operations, Operating Environment Technical Refresh, Migrations to/from hybrid cloud
environments, and Certificate Management, both DOD and Commercial.

b) Implement new system design procedures, test procedures, and quality standards.

c) Integrate new systems into existing hybrid cloud infrastructure.

d) Configure and optimize infrastructure equipment, both hardware based and virtualized, to
include routers, switches, firewalls, load balancers, application layer gateways, email
security appliances, and DNS appliances.

e) Work change request and maintain accurate configuration and documentation for all
changes, services, and applications.

f) Submit a Change Request (CR) prior to modification showing the purpose, background, detailed
scope, and recommended change. Change Requests require approval from peers and leads before
proceeding shall comply with the Configuration Control Board (CCB) processes.

g) Provide feedback on infrastructure requirements, including hybrid cloud architecture and

infrastructure.

h) Work to automate manual, labor intensive, repeatable processes.

i) Work to develop automated workflows, playbooks, scripts.

 j) Ensure high level government briefings are attended to attain situational awareness of government
efforts and mission priorities.

k) Ensure changes follow government change management processes are properly categorized and
documented from start to completion.

l) Use government owned data to perform and provide change request audits, develop metrics, and
trend analysis to understand change implementation management workload, effectiveness,
efficiency, and service target performance.

m) Prepare technical documentation to include technical white papers, instructional, engineering

solutions, implementation guides, tactics techniques and procedures (TTP), standard operating
procedures (SOP) in accordance with government processes.

n) Provide IP assignment, VLAN design, configuration, implementation, and sustainment support.

Work schedule: 365x24x7, Secret Security Clearance, IAT II

Deliverables:

SOW Deliverable Title Format Due Date Distribution/Copies Frequency and

Task# Remarks
6.3 Task Order A001 Draft – 15 days Standard Draft - 15
6.3.1- Management Plan after Award Distribution* Final – 30
6.3.3 Final – 30 days
after Award
6.3 Monthly Status Report A002/Govt on 5th workday COR, KO, Standard Monthly
6.3.1- distribution to
6.3.3 Government Leads
6.3 Weekly Status Report A003/Govt By 1600 E Friday Government Leads Weekly
6.3.1-
6.3.3
6.3 Daily Status Report A004/Govt By 1600 E Government Leads Daily
6.3.1-
6.3.3
6.3 Shift Turnover Report A005/Govt Close of Business Government Leads 3x Daily
6.3.1- each Shift - Day and Operations,
6.3.3 Shift (1600 E), Maintenance and
Swing Shift Sustainment
(Midnight E), Mid Distribution List
Shift (0800 E)
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

6.4 Task 4 – Dedicated Labor – 27 FTEs

The contractor shall provide Subject Matter Expert (SME) support for specific workloads as required by mission
needs. To meet the needs of our Mission Partners, DISA offers a dedicated labor service. This service focuses
engineer’s actions on only specific mission partners’ requirements.

The current dedicated labor supported Mission Partners are listed in subtasks below and may increase or decrease in-
scope based on Mission Partner services being procured or decommissioned.

Defense Health Agency (DHA) DHSS

United States Army (USA) Integrated Personnel and Pay Systems (IPPS-A)
United States Air Force (USAF) Defense Enterprise Accounting and Management System (DEAMS)
United States Space Force (USSF) Global Broadcast Service (GBS)
DISA Automated Spectrum Coordination System (ASCS) Domain Management
DISA STRATUS (Private Cloud)
DISA Cross Domain Enterprise Solution (CDES)
DISA Zero Day Network Defense (ZND)
DISA Secure Cloud Computing (SCCA) Architecture Boundary Cloud Access Point (BCAP)
DISA DNS Domain Management
DISA Web Application Firewall (WAF)

The Contractor Shall:

a) Have knowledge of computer networking concepts and protocols, and network security
methodologies.
b) Have knowledge of risk management processes (e.g., methods for assessing and
mitigating risk).
c) Have knowledge of national and international laws, regulations, policies, and ethics as
they relate to cybersecurity.
d) Have knowledge of cybersecurity principles.
e) Have knowledge of cyber threats and vulnerabilities.
f) Have knowledge of specific operational impacts of cybersecurity lapses.
g) Have knowledge of cloud computing service models Software as a Service (SaaS),
Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
h) Have knowledge of cloud computing deployment models in private, public, and hybrid
environment and the difference between on-premises and off-premises environments.

6.4.1 Subtask 1. Defense Health Agency (DHA)

Performance Standards:
a) STD: 6 IT Technician II FTEs

b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs

c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government.

d) STD: On duty 365x24x7

e) STD: Secret Security Clearance

f) STD: Dedicated Labor

g) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report
A005 Shift Turnover Report

The Contractor Shall:

a) Provide dedicated network engineering support to the DHA Mission Partner relating to the
 architecture, infrastructure, design, configuration, implementation, sustainment,
performance, and operations of the DHA network infrastructure solutions.

b) Provide network infrastructure support for all DHA environments (Production, Continuity
of Operations (COOP), Development, and Test).

c) Configure and optimize infrastructure equipment, both hardware based and virtualized, to
include routers, switches, firewalls, load balancers, application layer gateways, email
security appliances, and DNS appliances.

d) Provide network design, configuration, implementation, and sustainment assistance in

accordance with IFLOB best practices, DISA STIGs and DHA requirements.

e) Provide IP assignment, VLAN design, configuration, implementation, and sustainment

support.

f) Provide Ethernet interface design, configuration, implementation, and sustainment support.

g) Provide Load Balancer Operations and Maintenance to include Virtual Services, STIG,
Patching, Upgrades, DTOs, Certificate Lifecycle Support (DOD and Commercial SSL
Certs), and WAF

h) Provide Firewall design, configuration, implementation, and sustainment support.

i) Provide Cloud Migration Strategy Plan and Support

j) Maintain accurate configuration and documentation of DHA infrastructure environment.

k) Manage, maintain, and publish approved patches, updates, changes, and new
capabilities/baselines to production.

l) Patch infrastructure vulnerabilities in accordance with DISA STIG, Scan Reports of Cyber
Vulnerabilities, Directives and Orders, IAVMs, and vendor recommendations based on
known bug findings.

m) Ensure application of security patches for commercial products integrated into system
design meet the timelines dictated by management authority for the intended operational
environment.

n) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes, and
enhancements; software and hardware change verification and releases in accordance with
an established Configuration Management (CM) plan.

6.4.2 Subtask 2. United States Army (USA) Integrated Personnel and Pay Systems (IPPS-A)

Performance Standards:
a) STD: 2 IT Technician II FTEs

b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs

c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government

d) STD: On duty 8x5 (2-hour callback)

e) STD: Secret Security Clearance

f) STD: Dedicated Labor

g) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report

The Contractor Shall:

a) Provide dedicated network engineering support to the IPPS-A System Implementer and Program
Management Office relating to the architecture, infrastructure, design, configuration,
implementation, sustainment, performance, and operations of the IPPS-A network infrastructure
solutions.

b) Provide network infrastructure support for all IPPS-A environments (Production, Continuity of
Operations (COOP), Development, and Test).

c) Configure and optimize infrastructure equipment, both hardware based and virtualized, to
include routers, switches, firewalls, load balancers, application layer gateways, email security
appliances, and DNS appliances.

d) Provide network design, configuration, implementation, and sustainment assistance in

accordance with Oracle and IFLOB best practices, DISA STIGs and IPPS-A requirements.

e) Provide IP assignment, VLAN design, configuration, implementation, and sustainment support.

f) Provide Oracle Super Cluster (OSC) design, configuration, implementation, and sustainment
support.

g) Provide Ethernet interface design, configuration, implementation, and sustainment support.

h) Provide Load Balancer Operations and Maintenance to include Virtual Services, STIG, Patching,
Upgrades, DTOs, Certificate Lifecycle Support (DOD and Commercial SSL Certs), and WAF

i) Provide Firewall design, configuration, implementation, and sustainment support.

j) Provide Cloud Migration Strategy Plan and Support

k) Maintain accurate configuration and documentation of IPPS-A infrastructure environment.

l) Manage, maintain, and publish approved patches, updates, changes, and new
capabilities/baselines to production.

m) Patch infrastructure vulnerabilities in accordance with DISA STIG, Scan Reports of Cyber
Vulnerabilities, Directives and Orders, IAVMs, and vendor recommendations based on known
bug findings.

n) Ensure application of security patches for commercial products integrated into system design
meet the timelines dictated by management authority for the intended operational environment.
 o) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes and
enhancements; software and hardware change verification and releases in accordance with an
established Configuration Management (CM) plan.

6.4.3 Subtask 3. United States Air Force (USAF) Defense Enterprise Accounting and Management System
(DEAMS)

Performance Standards:
a) STD: 1 Enterprise Network Architect FTEs
b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government.
d) STD: On duty 8x5 (2-hour callback)
e) STD: Secret Security Clearance
f) STD: Dedicated Labor
g) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report

The Contractor Shall:

a) Provide dedicated network engineering support to the DEAMS System Implementer and
Program Management Office relating to the architecture, infrastructure, design, configuration,
implementation, sustainment, performance, and operations of the DEAMS network infrastructure
solutions.

b) Provide network infrastructure support for all DEAMS environments (Production, Continuity of
Operations (COOP), Development, and Test).

c) Configure and optimize infrastructure equipment, both hardware based and virtualized, to
include routers, switches, firewalls, load balancers, application layer gateways, email security
appliances, and DNS appliances.

d) Provide network design, configuration, implementation, and sustainment assistance in

accordance with Oracle and IFLOB best practices, DISA STIGs and DEAMS requirements.

e) Provide IP assignment, VLAN design, configuration, implementation, and sustainment support.

f) Provide Oracle Super Cluster (OSC) design, configuration, implementation, and sustainment
support.

g) Provide Ethernet interface design, configuration, implementation, and sustainment support.

h) Provide Load Balancer Operations and Maintenance to include Virtual Services, STIG, Patching,
Upgrades, DTOs, Certificate Lifecycle Support (DOD and Commercial SSL Certs), and WAF.

i) Provide Firewall design, configuration, implementation, and sustainment support.

j) Provide Cloud Migration Strategy Plan and Support

k) Maintain accurate configuration and documentation of DEAMS infrastructure environment.

 l) Manage, maintain, and publish approved patches, updates, changes, and new
capabilities/baselines to production.

m) Patch infrastructure vulnerabilities in accordance with DISA STIG, Scan Reports of Cyber
Vulnerabilities, Directives and Orders, IAVMs, and vendor recommendations based on known
bug findings.

n) Ensure application of security patches for commercial products integrated into system design
meet the timelines dictated by management authority for the intended operational environment.

o) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes and
enhancements; software and hardware change verification and releases in accordance with an
established Configuration Management (CM) plan.

6.4.4 Subtask 4. United States Space Force (USSF) Global Broadcast Service (GBS)

Performance Standards:
a) STD: 2 IT Technician II FTEs
b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government.
d) STD: On duty 8x5 (2-hour callback)
e) STD: Secret Security Clearance
f) STD: Dedicated Labor
g) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report

The Contractor Shall:

a) Provide dedicated network engineering support to the GBS Mission Partner relating to
the architecture, infrastructure, design, configuration, implementation, sustainment, performance, and
operations of the GBS network infrastructure solutions.

b) Provide network infrastructure support for all GBS environments (Production,

Continuity of Operations (COOP), Development, and Test).

c) Configure and optimize infrastructure equipment, both hardware based and virtualized,
to include routers, switches, firewalls, load balancers, application layer gateways, email security
appliances, and DNS appliances.

d) Provide network design, configuration, implementation, and sustainment assistance in

accordance with IFLOB best practices, DISA STIGs and GBS requirements.

e) Provide IP assignment, VLAN design, configuration, implementation, and sustainment

support.

f) Provide Ethernet interface design, configuration, implementation, and sustainment

support.
 g) Provide Load Balancer Operations and Maintenance to include Virtual Services, STIG,
Patching, Upgrades, DTOs, Certificate Lifecycle Support (DOD and Commercial SSL Certs), and WAF

h) Provide support for GBS Route Reflection Routers, Collocated Routers, and switches.

i) Provide Multicast Routing Support

j) Provide Full Motion Video Support

k) Provide Firewall design, configuration, implementation, and sustainment support.

l) Provide Cloud Migration Strategy Plan and Support

m) Provide GRE/IPSEC Virtual Private Network (VPN) support

n) Maintain accurate configuration and documentation of GBS infrastructure environment.

o) Manage, maintain, and publish approved patches, updates, changes, and new
capabilities/baselines to production.

p) Patch infrastructure vulnerabilities in accordance with DISA STIG, Scan Reports of

Cyber Vulnerabilities, Directives and Orders, IAVMs, and vendor recommendations based on known bug
findings.

q) Ensure application of security patches for commercial products integrated into system
design meet the timelines dictated by management authority for the intended operational environment.

r) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes,
and enhancements; software and hardware change verification and releases in accordance with an
established Configuration Management (CM) plan.

6.4.5 Subtask 5. DISA STRATUS (Private Cloud)

Performance Standards:
a) STD: 1 Enterprise Network Architect FTE
b) STD: 2 IT Technician II FTEs
c) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
d) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government.
e) STD: On duty 8x5 (2-hour callback)
f) STD: Secret Security Clearance
g) STD: Dedicated Labor
h) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report

The Contractor Shall:

a) Provide dedicated network engineering support to the STRATUS Program Management

Office relating to the architecture, infrastructure, design, configuration, implementation, sustainment,
performance, and operations of the STRATUS network infrastructure solutions.

b) Provide network infrastructure support for all STRATUS environments (Production,

Continuity of Operations (COOP), Development, and Test).

c) Configure and optimize infrastructure equipment, both hardware based and virtualized,
to include routers, switches, firewalls, load balancers, application layer gateways, email security
appliances, and DNS appliances.

d) Provide network design, configuration, implementation, and sustainment assistance in

accordance with IFLOB best practices, DISA STIGs and STRATUS requirements.

e) Provide IP assignment, VLAN design, configuration, implementation, and sustainment

support.

f) Provide Ethernet interface design, configuration, implementation, and sustainment

support.

g) Provide Load Balancer Operations and Maintenance to include Virtual Services, STIG,
Patching, Upgrades, DTOs, Certificate Lifecycle Support (DOD and Commercial SSL Certs), and WAF

h) Provide support for STRATUS Firewalls, Forward Proxies, and Load Balancers.

i) Provide STRATUS Support for the Infrastructure as a Service (IaaS) Portal

j) Provide Firewall design, configuration, implementation, and sustainment support.

k) Provide Cloud Migration Strategy Plan and Support

l) Provide GRE/IPSEC Virtual Private Network (VPN) support

m) Maintain accurate configuration and documentation of STRATUS infrastructure

environment.

n) Manage, maintain, and publish approved patches, updates, changes, and new
capabilities/baselines to production.

o) Patch infrastructure vulnerabilities in accordance with DISA STIG, Scan Reports of

Cyber Vulnerabilities, Directives and Orders, IAVMs, and vendor recommendations based on known bug
findings.

p) Ensure application of security patches for commercial products integrated into system
design meet the timelines dictated by management authority for the intended operational environment.

q) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes,
and enhancements; software and hardware change verification and releases in accordance with an
established Configuration Management (CM) plan.

6.4.6 Subtask 6. DISA Zero Day Network Defense (ZND)

Performance Standards:
a) STD: 2 IT Technician II FTEs
b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government.
d) STD: On duty 8x5 (2-hour callback)
e) STD: Secret Security Clearance
f) STD: Dedicated Labor
g) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report

The Contractor Shall:

a) Provide dedicated network engineering support to the ZND Program Management

Office relating to the architecture, infrastructure, design, configuration, implementation, sustainment,
performance, and operations of the CDES network infrastructure solutions.

b) Provide network infrastructure support for all ZND environments (Production,

Continuity of Operations (COOP), Development, and Test).

c) Configure and optimize infrastructure equipment, both hardware based and virtualized,
to include routers, switches, firewalls, load balancers, application layer gateways, email security
appliances, and DNS appliances.

d) Provide network design, configuration, implementation, and sustainment assistance in

accordance with IFLOB best practices, DISA STIGs and ZND requirements.

e) Provide IP assignment, VLAN design, configuration, implementation, and sustainment

support.

f) Provide Ethernet interface design, configuration, implementation, and sustainment

support.

g) Provide Load Balancers Operations and Maintenance to include Virtual Services, STIG,
Patching, Upgrades, DTOs, Certificate Lifecycle Support (DOD and Commercial SSL Certs), and WAF

h) Provide support for ZND Firewalls, Load Balancers, switches, and email security
appliance.

i) Provide Firewall design, configuration, implementation, and sustainment support.

j) Provide Cloud Migration Strategy Plan and Support

k) Maintain accurate configuration and documentation of ZND infrastructure environment.

l) Manage, maintain, and publish approved patches, updates, changes, and new
capabilities/baselines to production.

m) Patch infrastructure vulnerabilities in accordance with DISA STIG, Scan Reports of

Cyber Vulnerabilities, Directives and Orders, IAVMs, and vendor recommendations based on known bug
findings.
 n) Ensure application of security patches for commercial products integrated into system
design meet the timelines dictated by management authority for the intended operational environment.

o) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes,
and enhancements; software and hardware change verification and releases in accordance with an
established Configuration Management (CM) plan.

6.4.7 Subtask 7. DISA Secure Cloud Computing (SCCA) Architecture Boundary Cloud Access Point (BCAP)

Performance Standards:
a) STD: 1 Enterprise Network Architect FTE
b) STD: 3 IT Technician II FTEs
c) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
d) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government.
e) STD: On duty 8x5 (2-hour callback)
f) STD: Secret Security Clearance
g) STD: Dedicated Labor
h) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report

The Contractor Shall:

a) Provide dedicated network engineering support to the SCCA Program Management

Office relating to the architecture, infrastructure, design, configuration, implementation, sustainment,
performance, and operations of the SCCA Boundary Cloud Access Point network infrastructure solutions.

b) Provide network infrastructure support for all SCCA BCAP Regions

c) Configure and optimize infrastructure equipment, both hardware based and virtualized,
to include routers, switches, firewalls, load balancers, application layer gateways, email security
appliances, and DNS appliances.

d) Provide network design, configuration, implementation, and sustainment assistance in

accordance with IFLOB best practices, DISA STIGs and SCCA BCAP requirements.

e) Provide IP assignment, VLAN design, configuration, implementation, and sustainment

support.

f) Provide Ethernet interface design, configuration, implementation, and sustainment

support.

g) Provide Load Balancer Operations and Maintenance to include Virtual Services, STIG,
Patching, Upgrades, DTOs, Certificate Lifecycle Support (DOD and Commercial SSL Certs), and WAF

h) Provide support for SCCA BCAP Routers, Firewalls, and Load Balancers

i) Provide Firewall design, configuration, implementation, and sustainment support.

j) Provide support for Mission Partner’s Sustainment Requirement through the DISA
SCCA BCAPs.

k) Provide support for SCCA Cloud Service Environments.

l) Provide Cloud Migration Strategy Plan and Support.

m) Maintain accurate configuration and documentation of SCCA BCAP infrastructure

environment.

n) Manage, maintain, and publish approved patches, updates, changes, and new
capabilities/baselines to production.

o) Patch infrastructure vulnerabilities in accordance with DISA STIG, Scan Reports of

Cyber Vulnerabilities, Directives and Orders, IAVMs, and vendor recommendations based on known bug
findings.

p) Ensure application of security patches for commercial products integrated into system
design meet the timelines dictated by management authority for the intended operational environment.

q) Test, implement, and assess the impact of software/hardware patches, upgrades, fixes,
and enhancements; software and hardware change verification and releases in accordance with an
established Configuration Management (CM) plan.

6.4.8 Subtask 8. DISA Web Application Firewall (WAF)

Performance Standards:
a) STD: 7 Enterprise Network Architect FTEs
b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government.
d) STD: On duty 8x5 (2-hour callback)
e) STD: Secret Security Clearance
f) STD: Dedicated Labor
g) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report
A006 WAF Migration Checklist

The Contractor Shall:

a) Provide dedicated network engineering support to the DISA WAF Program

Management Office relating to the architecture, infrastructure, design, configuration, implementation,
sustainment, performance, and operations of the DISA DNS network infrastructure.

b) Provide design, engineering, implementation, migration, and sustainment support for

migrating and sustaining applications aligned behind the WAF.

c) Execute the WAF Design Solution and deployment per the WAF Design Guide.

d) Shall execute WAF program tasks in accordance with the most recent
OPORD/FRAGORD/TASKORD/STIG and other relevant issued DISA policy guidance, to include the
WAF Break and Inspect Framework.

e) Provide support to the DISA engineering peers and other DISA counterparts on policies,
procedures, and operational concerns regarding WAF configurations and supported applications as well as
future migrations for new and existing Business.

f) Recommend operational processes to ensure successful migration and maintenance of

applications behind the WAF.

g) Provide implementation solution documents and WAF subject matter expertise for the
configuration and maintenance of DISA hosted Application Delivery Controllers to include software
modules such as load Balancer BIG-IP Local Traffic Manager (LTM), Global Traffic Manager (GTM),
Access Policy Manager (APM), and Application Security Manager (ASM) modules.

h) Provide design solution documents that out-line guidance on licensing, physical

architecture, logical configuration, eligibility, checklist, application inventory, security policy protection
phases, and basic administration to include system configuration baseline and security policy
configuration baseline.

i) Provide guidance regarding administration, optimization, and failover for the production
configurations. The contractor shall provide WAF subject matter expertise that will test and optimize the
Governments effort.

j) Provide engineering support for WAF technical documentation.

k) Maintain and update application and network discovery to include a WAF Migration
Checklist.

l) Update Technology Security Groups and Security Policies as new application categories
are discovered.

m) Develop an Authorized Service Interruption (ASI) migration guide detailing

configuration steps, migration details, and fail-back plan.

n) Follow current Government processes and assist in the development of new processes
for building WAF policies and detailed troubleshooting steps after implementation. The contractor shall
provide sustainment and engineering support during migration ASIs.

o) Provide engineering support for WAF Tier III Sustainment Activities.

p) Work with DISA engineers to provide engineering support for WAF standardization
settings, global settings, associating technology groups to applications, analyzing learning suggestions,
and aligning security policy.

q) Provide project direction, general guidance, and customer engagement for security
policy modifications.

r) Provide change ownership for security policy modifications, Attack Signature analysis
and recommendations, and policy exception processing.

s) Perform inventory control for applications, security policies, and policy groupings.

t) Provide resolution of operating issues including vendor engagement for problem

resolution.

u) Provide ASI support and maintenance of Security Policy.

 v) Provide monitoring support and consult with CND or CSSP or like group to assist with
threat analysis and application correlation, to include attack signature analysis before deployment by
COL-NA.

w) Provide engineering support for WAF readiness and security policy readiness.

x) Provide engineering support onboarding activities for new WAF-eligible applications

through the WAF security lifecycle.

y) Provide engineering support for WAF security policy readiness activities including
creating and applying WAF security policy to the Virtual Server, reviewing learning suggestions,
producing, and reviewing Exception Readiness Report (ERR) with mission partner(s), and notifying for
blocking readiness.

z) Provide engineering support to implement WAF blocking security policy including

transitioning applications from Migration to Blocking, scheduling & executing ASIs, and monitoring
application(s) for unnecessary Blocking Events.

aa) Provide engineering support to sustain WAF blocking security policy including
completion of all steps involved in the security policy implementation process, monitoring exception
policy reports, maintaining Application Security Modules (ASMs), and configuring ASMs.
bb) Provide analysis, implementation, and monitoring for vendor released security updates.

cc) Submit a Change Request (CR) prior to modification showing the purpose, background,
detailed scope, and recommended change. Change Requests require approval from peers and leads before
proceeding shall comply with the Configuration Control Board (CCB) processes.

dd) Maintain a daily Incident report by using DISA approved ticket management system in
accordance with the DISA WAF ticketing process. All trouble calls shall be logged and tracked through
resolution. Upon notification of incidents the Contractor shall respond within 15 minutes to update actions
and mark the ticket status to “In Progress”. Once the issue is resolved, immediate notification and ticket
updates shall be made.

Deliverables:

SOW Task# Deliverable Format Due Date Distribution/ Copies Frequency and
Title Remarks
6.4 Task Order A001 Draft – 15 days Standard Distribution* Draft - 15
6.4.1 Management after Award Final – 30
through6.4.8 Plan Final – 30 days
after Award
6.4 Monthly A002/Govt on 5th workday COR, KO, Standard Monthly
6.4.1 Status Report distribution to
through6.4.8 Government Leads
6.4 Weekly Status A003/Govt By 1600 E Government Leads Weekly
6.4.1 Report Friday
through6.4.8
6.4 Daily Status A004/Govt By 1600 E Government Leads Daily
6.4.1 Report
through6.4.8
6.4.1 Shift A005/Govt Close of Government Leads 3x Daily
Turnover Business each and Operations,
Report Shift - Day Shift Maintenance and
(1600 E), Swing Sustainment
 Shift (Midnight Distribution List
E), Mid Shift
(0800 E)
6.4.8 WAF A006/Govt 5 Business days Government Leads As requested
Migration prior to
Checklist implementation
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

6.5 Task 5 – Automation

The contractor shall be responsible for developing and implementing automated solutions, monitoring, and
optimizing network performance, ensuring security and compliance, and collaborating with cross-functional teams
to streamline network operations, enhance efficiency and reliability, and ensure compliance with DoD standards and
policies using automation.

Performance Standards:
a) STD: 4 Automation Engineer FTEs
b) STD: All actions must be done in accordance with official Government guidelines to maintain compliance with
all official TTPs
c) STD: All engineering tasks must comply with the following guidelines: FISMA, NIST, RMF, and other DISA
guidelines as defined by the Government
d) STD: On duty 8x5 (2-hour callback)
e) STD: Secret Security Clearance
f) STD: Information Assurance Technical (IAT) Level II

Deliverables:
A001 Task Order Management Plan
A002 Monthly Status Report
A003 Weekly Status Report
A004 Daily Status Report

The Contractor Shall:

a) Have knowledge of computer networking concepts and protocols, and network security
methodologies.

b) Have knowledge of Python and YAML Languages

c) Develop and Implement Infrastructure Automation Solutions

a) Design and develop automated scripts and tools to streamline network operations,
including provisioning, configuration management, and monitoring.
b) Perform Network Infrastructure Analysis: Conduct detailed analysis of the current
network infrastructure to identify areas where automation can enhance efficiency
and reliability.
c) Integrate Automation Tools with Existing Systems: Integrate new and existing
automation tools with current network management systems and workflows to
ensure seamless operations.
d) Create and Maintain Documentation: Develop and maintain comprehensive
documentation for all automation processes, including design documents, user
manuals, and operational guides.

d) Monitor and Optimize Infrastructure Automation Performance

a. Conduct Regular Network Audits: Perform regular audits of network configurations and
operations to ensure compliance with DoD standards and policies through automated
 processes.
b. Monitor and Optimize Network Performance: Utilize automation and/or monitoring
tools to continuously monitor network performance and implement automated solutions
to optimize performance and reduce downtime.

e) Ensure Security and Compliance

a. Develop Custom Automation Solutions: Design and implement custom automation
solutions tailored to specific organizational requirements and network environments.
b. Ensure Security and Compliance: Develop automated processes to ensure network
security and compliance with DoD requirements, including regular updates and patches.

f) Collaborate with Cross-Functional Teams

a. Provide Training and Support: Train network operations staff on the use of automation
tools and scripts and provide ongoing support to resolve any issues that arise.
b. Collaborate with Cross-Functional Teams: Work closely with other Lines of Businesses
(LOBs) to understand requirements, share knowledge, and ensure that infrastructure
automation aligns with overall organizational needs and objectives.

Work schedule: 8x5, Secret Security Clearance, IAT II

Deliverables:

SOW Deliverable Format Due Date Distribution/Copies Frequency and

Task# Title Remarks
6.5 Task Order A001 Draft – 15 days Standard Draft - 15
Managemen after Award Distribution* Final – 30
t Plan Final – 30 days
after Award
6.5 Monthly A002/Govt on 5th workday COR, KO, Standard Monthly
Status distribution to
Report Government Leads
6.5 Weekly A003/Govt By 1600 E Friday Government Leads Weekly
Status
Report
6.5 Daily Status A004/Govt By 1600 E Government Leads Daily
Report
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

6.6 Minimum Qualifications Matrix

The Contractor Shall:

a) Hold qualifications for any applicable/selected GSA MAS Labor Category listed below
to meet all tasks in the contract. Personnel assigned to or utilized by the contractor in the performance of
this order shall, as a minimum, meet the experience, educational, or other background requirements
associated with the applicable/selected GSA MAS Labor Categories set forth below, and will be fully
capable of performing in an efficient, reliable, and professional manner.

Minimum Qualifications Matrix (67 Full-Time Equivalents)

SOW Task# FTEs Applicable GSA MAS Labor Categories DISA Locations
6.1, 6.2, 6.3, 6.4 37 Enterprise Network Architect Gunter AFB, Alabama
Fort Meade, Maryland
Technical Architect Columbus, Ohio
Tinker AFB, Oklahoma
 Senior Network Engineer Mechanicsburg, Pennsylvania
San Antonio, Texas
Systems Security Engineer and Network Hill AFB, Utah
Engineer

System Engineer II

System Engineer III

System Engineer IV

System Engineer 5
6.1, 6.2, 6.3, 6.4 26 IT Technician II Gunter AFB, Alabama
Fort Meade, Maryland
Network Engineer Columbus, Ohio
Tinker AFB, Oklahoma
Network Engineer II Mechanicsburg, Pennsylvania
San Antonio, Texas
Network Engineer – Intermediate Hill AFB, Utah

Security Engineer
Cloud Network Engineer

System Administrator 1

System Administrator II

System Administrator III

System Administrator IV

System Administrator 5

Junior Network Engineer

6.5 4 Automation Engineer Gunter AFB, Alabama
Fort Meade, Maryland
Systems Engineer Columbus, Ohio
Tinker AFB, Oklahoma
Application Programmer Mechanicsburg, Pennsylvania
San Antonio, Texas
Hill AFB, Utah

6.7 Task 6.7 – Task Area 1 – Contract Task Management.

Deliverables:
A002 Monthly Status Report
A007 Hybrid Cloud Network Infrastructure Familiarization and Technology Training Certification
A008 Hardware/Software Specific Competency Certification
Monthly NDA Status Report
VAR
TAR Travel Expense Report
A009 Staff Report
6.71–For all tasks assignments and performance within scope of Tasks 6.1, 6.2, 6.3, 6.4 and 6.5Contractor
shall be responsible for start to finish management of their staff's task performance to ensure DISA or
Mission Partner requirements are fulfilled. Contractor shall plan for all tasks in order to prepare their staff
to execute tasks to DISA or Mission Partner requirements and milestones. Contractor shall continuously
monitor and control their work in progress to identify in advance variances or potential risks to schedule,
quality or other results that may require corrective actions and/or notification or escalation to DISA or
Mission Partner stakeholders. Contractor shall provide task status or progress updates as requested by DISA
or Mission Partner stakeholders.

- Monthly Status Report (MSRs). The contractor shall provide a MSR that will capture
accomplishments over the past month and planned objectives for the next month, issues or
risks, deliverable updates, mandatory training updates, faces and spaces updates, vacancy
reporting and updates to Government Furnished Equipment for personnel. The contractor
shall submit the MSR to the Contracting Office Representative (COR) within 5 calendar
days of the end of the reporting period. The report will be provided in a Government
generated template.

Deliverable: Monthly Status Report

6.1.3. – DISA Mandatory Training. Contractor employees may be required to take

periodic mandatory training courses provided through the agency not to exceed 20
hours annually, such as records management training and other training required by
statute, regulation, DOD, or DISA policy. No other training of contractor personnel
shall be provided by the Government unless authorized by the Contracting Officer.
Contractor shall on an ongoing basis manage and monitor compliance of all their
staff for any DISA mandatory training requirements to include ensuring 100% staff
completion by deadlines identified by DISA.

6.1.3.1. - DISA Hybrid Cloud Network Infrastructure Familiarization and

Technology Awareness. The contractor shall ensure all new employees assigned to this
task receive familiarization training on DISA Hybrid Cloud network architecture and
stay abreast of technical developments with Industry and Government. A training
program shall be developed by the contractor that shall enable personnel assigned to this
task to operate and maintain network resources at levels defined in this task. The
resources and materials utilized for this training program shall be at the discretion of the
contractor. The contractor shall provide a certification document to the government
showing completion of this training program within 60 days of employee onboarding.

Deliverable: DISA Hybrid Cloud Network Infrastructure Familiarization and Technology

Training Certification
6.1.3.2 – Hardware/Virtual Specific Competency Certification. The contractor shall develop and maintain
a hardware/virtual specific certification program that shall demonstrate personnel assigned to this task
can configure, operate, maintain, and troubleshoot network devices hosted within the DISA Hybrid
Cloud infrastructure. The resources and materials utilized for this training shall be at the discretion of
the contractor. The contractor shall provide a certification document for personnel assigned to this task
to the government on an annual basis.

Deliverable: Hardware/Virtual Specific Competency Certification

6.1.3.3 DOD 8140/8570 Certifications, CE/NE Compliance. Contractor shall on an ongoing basis manage and
monitor compliance of all their staff in obtaining and maintaining any DISA mandated certifications or training
in accordance with DOD 8140 and 8570 directives.

6.1.3.4 – DOD ID Card. Contractor shall on an ongoing basis manage and monitor the expiration dates of all
of their staff's DOD identification cards. Contractor shall identify expiring identification cards in advance
and retain oversight of all staff to ensure renewal activities are being scheduled and completed before
expiration.

6.1.3.5 – DISA Network Tokens. Contractor shall on an ongoing basis manage and monitor all their
staff in obtaining and maintaining network tokens per DISA processes for access to all networks
required for duty performance.
6.1.3.6 – DISA Non-Disclosure Agreements (NDA). During performance of duties, Contractor may
encounter information that cannot be disclosed outside of authorized channels per DISA instructions or per
Government policy. All Contractor staff are required to sign a DISA NDA, which is a pre-requisite for the
network access to perform Tasks 6.1, 6.2 and 6.3. Contractor shall initiate signed NDA by all employees, to
include uploading per DISA instructions to the system of record. Contractor shall perform ongoing monitoring
of NDA status of all staff to ensure 100% compliance.

Deliverable: Monthly NDA Status Report

6.1.3.7 – Security Clearances. Contractor shall on an ongoing basis manage and monitor the security clearance
status for all employees. Contractor shall identify clearance reviews coming due in advance and retain oversight
of staff to ensure renewal activities are being scheduled and completed.

6.1.3.8 – Visitor Access Requests (VAR). Contractor shall provide a VAR to the COR as described in the
Security
Section of this SOW prior to award or option year renewal or at least 10 working days before inclusion or
transfer of Contractor employee and 48 hours after employee departure from the contract . Contractor
shall on an ongoing basis manage and monitor the status of all staff's visit access requests (VAR), and take
actions to ensure they are continuously up to date in advance of expiration.

Deliverable: VAR

6.1.3.9 – Travel Access Requests (TAR). Travel to perform duties at temporary work locations is non-
routine, but possible for Contractor personnel to support Mission Partner or DISA requirements. Contractor
shall request travel authorization from the Government in advance of any travel by submittal of Travel Access
Request to the COR. Upon completion of travel, Contractor shall submit Travel Expense Report to the
Government to initiate reimbursement for travel expenses incurred.

Deliverables: TAR Trip Expense Report

6.1.3.10 – Contractor Staff Online Status Monitoring. DISA utilizes various collaboration and
other tools capable of DISA management monitoring the online presence, availability to work, and
status of all staff.
Contractor shall, as instructed by DISA, enable and utilize such tools to allow DISA to monitor the online
status of Contractor personnel.
 Deliverables: Staff Report

6.1.3.11 – Government Furnished Equipment. Contractor shall manage all government furnished equipment
(GFE) for all staff per contract provisions and DISA mandated processes and procedures.

6.1.3.12 – Government Notification of Expiration or Lapse. For any access credential or job prerequisite for
any staff that the contractor identifies shall likely expire or lapse, the contractor shall within one business day
of identification notify the government of pending expiration or lapse and the plan and anticipated schedule for
credential renewal. As long as any Contractor staff's credentials are in a lapsed or expired state, Contractor shall
provide ongoing status updates to Government until renewal is fully accomplished.

6.1.3.13 – Government System Usage. Contractor shall gain access and utilize all DISA mandated systems in-
volved in the approval, acquisition, and maintenance of all access credentials and other job prerequisites, to
include uploading evidence of completion as mandated by DISA.

6.1.4 – Transitioning

6.1.4.1 Phase In Transition Plan

The contractor shall create a detailed phase in transition strategy plan for assuming responsibility of
the contract upon award. The Phase In Transition Plan (Plan) shall be provided with the proposal
and shall be incorporated into the contract either as an attachment or full text. The plan must
identify and encompass all tasks to be performed by the awardee. The Plan should include a list of
any questions posed to or information required from the Government. The Plan should also clearly
identify the timelines when the VARs for the contractor’s staff will be submitted and when the
contractor’s staff are estimated to be actively conducting performance, hereafter referred to as “in
seat”. The Plan shall include dates for staffing achievements and the corresponding number of
employees in seat. The Plan will be used to assess compliance with the contract and the application
of incentives/disincentives during contract performance. The Plan will lay out dates for future status
meetings and program reviews, etc. It will include, but is not limited to, details about the timely
transition of responsibility such as requirements, deliverables, staffing positions with qualified
people, and a schedule that meets the requirements of the SOW.

The contractor shall be responsible for all performance and staff in seat 30 calendar days after award,
i.e. after the 30 calendar day phase in transition period. The awardee shall use the 30 calendar day
phase in transition period to hire and clear contractor personnel to work on the contract. Fifty percent
(50%) of total staffing must be cleared through the VAR process and “in seat” on the first day of
contract performance. 100 percent (100%) of total staffing must be “in seat” no later than 30
calendar days after the base period of performance’s start date.

The Government acknowledges that the VAR process is dependent on the Government’s timely
processing of VAR requests. The Government’s goal is to process a VAR request no later than 7
calendar days after a VAR’s submittal. If the VAR request takes longer than 7 calendar days, the
respective employee will be temporarily considered towards meeting the staffing goals until the
VAR is either approved or rejected by the Government. Please note, internal moving of employees
to other, possibly senior positions, does not restart the VAR process for the purposes of assessing
disincentives and monitoring staffing requirements. To illustrate this point, if a contractor
employee, e.g. Amy, is promoted on 1/1/2023 to take the place of a position vacated by another
employee, e.g. Matt, on 12/15/2022, the staffing timeline is established by Matt’s departure date
(12/15/2022) and is not “restarted” on 1/1/2023, i.e. Amy’s promotion date.

6.1.4.2 Phase-Out Transition Plan. The contractor shall create a detailed phase-out plan describing the
method of transferring responsibility for tasks described in the Statement of Work (SOW). The
phase-out plan will assist the Government in the transition of services from this contract to any
 CUI

follow-on contractor or government team. The transition strategy must provide for
completing the transition of all data by, or before, the end of the existing con- tract's
period of performance. The contractor shall coordinate service transition with any
follow-on contractor or government team to prevent service disruption during the
transition. The contractor shall provide a phase-out plan based on these criteria.

• Provide familiarization training and documentation to the Government

and/or follow- on service provider.
• Transition of service operations outlined in the SOW to any follow-on
service provider. The plan shall address the orderly transition of
responsibility between Government and/or service providers while ensuring
continuity of operations. This should include a risk assessment and
mitigation strategy.
• Inventories and locations of all documentation (technical drawings,
configuration data [including warranty, maintenance, etc.] implementation
plans, Concept of Operations, etc.). The plan shall address current retention
schemes and access for Government and/or follow-on service provider.
• Provide a smooth transition of all engineering efforts to Government
and/or follow-on service provider.
• Transition milestones and communications. The plan shall address the
milestones required to successfully transition the effort to Government
and/or a follow-on service provider. The plan shall also include a
reporting plan to address milestone progress updates.

The contractor shall meet with the Government within 120 days of the end of the last
option period of performance to plan the transition strategy. The contractor shall provide
a written transition plan within 90 days prior to the end of last option period of
performance.

The contractor shall conduct a joint inventory with government personnel of all
government- furnished property. The contractor shall deliver to the government COR a final
inventory of all government furnished property No Later Than (NLT) 90 business days
before the end of contract performance. The contractor shall permit current employees to be
interviewed for possible employment by a successor contractor.

Deliverables:

SOW Deliverable Format Due Date Distribution/Copies Frequency and

Task# Title Remarks
6.7 Monthly A002/Govt on 5th workday COR, KO, Standard Monthly
Status distribution to
Report Government Leads
6.7 Hybrid A007 60 Days from New COR, KO, Standard 60 Days from
Cloud Employee distribution to New Employee
Network Onboarding Government Leads Onboarding
Infrastructur
e
Familiarizat
ion and
technology
Certification
6.7 Hardware/ A008 60 Days from COR, KO, Standard 60 Days from
Virtual Employee distribution to Employee
Controlled By: DISA
Controlled By: J9122
CUI Category: PROCURE
Distribution/Dissemination Control: FEDCON
POC: [email protected]
Page 31 of 48 Pages
 CUI

Specific onboarding, Government Leads onboarding,

Competency annually after that annually after
Certification that
6.7 Monthly Contractor determined No later than end Standard Monthly (NDA
NDA Status format of the 1st week of Distribution* status as of the
Report each month end of the
previous month)

6.7 Visit Access Attached Format Pre-start of One Copy to COR As needed per
Request performance or employee
(VAR) option execution.
10 days in
advance of any
new employee start
6.7 Travel Attached format At least 10 days One Copy to COR Per Trip
Authori prior to any travel
zation
Request
(TAR)
6.7 Staff Report A009 on 5th workday COR, KO, Standard Monthly
distribution to
Government Leads
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

7. Performance Standards.

TASK: 6.1 Engineering

Performance Acceptable Quality Level Surveillance Method Incentive / Disincentive
Standard (AQL)
6.1.1, 6.1.2, 6.1.3 Performance/ Deliverables: Inspection of delivered Accuracy Plus/Minus
Contain required information, materials. 95% No Change
95% accurate/error free, and
delivered on time 92-94% -2%
89-91% -4%
Any required revisions are: 85-88% -6%
 Resolved within 1
0-84% 0
week.

Accepted by COR

6.1.1 Performance is based on Inspection Accuracy Plus/Minus

a) d) providing Network Design 99.75-100% No Change
and Planning that meets DISA
And DOD requirements, 99.51- -2%
policies, and directives for 99.75%
functionality, performance, 99.26-99.5% -4%
and security. 99.1-99.25% -6%
0-99% 0
6.1.1 Performance is based on Inspection Accuracy Plus/Minus
c) Providing network 99.75-100% No Change
infrastructure documentation
that meets the Governments 99.51- -2%
Requirements 99.75%

Page 32 of 48 Pages
CUI
 CUI

TASK: 6.1 Engineering

Performance Acceptable Quality Level Surveillance Method Incentive / Disincentive
Standard (AQL)
99.26-99.5% -4%
99.1-99.25% -6%
0-99% 0
6.1.2 Performance is based on Inspection Accuracy Plus/Minus
a) b) conducting client assessments 99.75-100% No Change
and requirements gathering
and developing customized 99.51- -2%
solutions for hosted client 99.75%
applications within project 99.26-99.5% -4%
timelines 99.1-99.25% -6%
0-99% 0
6.1.3 Performance is based on Inspection Accuracy Plus/Minus
a) c) f) defining, designing, 99.75-100% No Change
implementing, and
maintaining infrastructure 99.51- -2%
tools to meet the 99.75%
organization’s needs. 99.26-99.5% -4%
99.1-99.25% -6%
0-99% 0
6.1.3 Performance is based on Inspection Accuracy Plus/Minus
c) f) outages/impact caused by a 99.75-100% No Change
contractor performed change.
If the change was impacted by 99.51- -2%
a vendor bug, then a detail 99.75%
explanation of what happened 99.26-99.5% -4%
via vendor TAC case will be 99.1-99.25% -6%
required. 0-99% 0

6.1.3 Submit a Change Request Inspection Accuracy Plus/Minus

c) f) (CR) prior to modification 99.75-100% No Change
showing the purpose,
background, detailed scope, 99.51- -2%
and recommended change. 99.75%
Change Requests require 99.26- -4%
approval from peers and leads 99.5%
before proceeding shall 99.1- -6%
comply with the Configuration 99.25%
Control Board (CCB) 0-99% 0
processes.
TASK: 6.2 Implementation
Performance Acceptable Quality Level Surveillance Method Incentive / Disincentive
Standard (AQL)
6.2.1, 6.2.2, 6.2.3, Performance/ Deliverables: Inspection of delivered Accuracy Plus/Minus
6.2.4 Contain required materials. 95% No Change
information, 95%
accurate/error free, and 92-94% -2%
delivered on time 89-91% -4%
85-88% -6%
Any required revisions are:
0-84% 0
 Resolved within 1
Page 33 of 48 Pages
CUI
 CUI

week.

Accepted by COR

6.2.1, 6.2.2, 6.2.3, Performance is based on Inspection Accuracy Plus/Minus

6.2.4 outages/impact caused by a 99.75-100% No Change
contractor performed
change. If the change was 99.51- -2%
impacted by a vendor bug, 99.75%
then a detail explanation of 99.26-99.5% -4%
what happened via vendor 99.1-99.25% -6%
TAC case will be required. 0-99% 0

6.2.1, 6.2.2, 6.2.3, Provide implementation Inspection Accuracy Plus/Minus

6.2.4 support for all assigned 99.75-100% No Change
projects and maintain
accurate updates and 99.51- -2%
documentation for all 99.75%
project activities within the 99.26-99.5% -4%
specified timeframes. 99.1-99.25% -6%
0-99% 0
6.2.1, 6.2.2, 6.2.3,Submit a Change Request Inspection Accuracy Plus/Minus
6.2.4 (CR) prior to modification 99.75-100% No Change
showing the purpose,
background, detailed scope, 99.51- -2%
and recommended change. 99.75%
Change Requests require 99.26-99.5% -4%
approval from peers and 99.1-99.25% -6%
leads before proceeding 0-99% 0
shall comply with the
Configuration Control
Board (CCB) processes.
TASK: 6.3 Operations, Maintenance & Sustainment
Performance Acceptable Quality Level Surveillance Method Incentive / Disincentive
Standard (AQL)
6.3 Operations, Store all documentation in Inspection Accuracy Plus/Minus
Maintenance, & accordance with 95% No Change
Sustainment government records 92-94% -2%
management and storage 89-91% -4%
k)
process.
85-88% -6%
0-84% 0
6.3.1 Operations Work incident tickets and Inspection Accuracy Plus/Minus
maintain accurate updates 95% No Change
a) l)
and documentation for all 92-94% -2%
incident tickets. 89-91% -4%
85-88% -6%
0-84% 0
6.3.2 Maintenance Performance is based on Inspection Accuracy Plus/Minus
outages/impact caused by a 95% No Change
a) c) d) e) g) i)
contractor performed 92-94% -2%
change. If the change was 89-91% -4%
impacted by a vendor bug,
85-88% -6%
then a detail explanation of
0-84% 0
Page 34 of 48 Pages
CUI
 CUI

what happened via vendor

TAC case will be required.

6.3.3 Sustainment Successful completion of Inspection Accuracy Plus/Minus

DoD and Commercial 99.75- No Change
a)
Certificates on hybrid cloud 100%
infrastructure devices. 99.51- -2%
Performance is based on 99.75%
success rate of certificate 99.26- -4%
add/modify/renewals. 99.5%
99.1- -6%
99.25%
Submit a Change Request
0-99% 0
(CR) prior to modification
showing the purpose, Inspection
f) Accuracy Plus/Minus
background, detailed scope,
and recommended change. 99.75- No Change
Change Requests require 100%
approval from peers and 99.51- -2%
leads before proceeding 99.75%
shall comply with the 99.26- -4%
Configuration Control 99.5%
Board (CCB) processes. 99.1- -6%
99.25%
Prepare technical 0-99% 0
documentation to include
technical white papers,
instructional, engineering
solutions, implementation
guides, tactics techniques
and procedures (TTP), Inspection Accuracy Plus/Minus
m) standard operating 95% No Change
procedures (SOP) in
92-94% -2%
accordance with
89-91% -4%
government processes.
85-88% -6%
0-84% 0

TASK: 6.4 Dedicated Labor

Performance Acceptable Quality Level Surveillance Method Incentive / Disincentive
Standard (AQL)
6.4.1, 6.4.2, 6.4.3,
6.4.4, 6.4.6, 6.4.7,
6.4.8 (Dedicated
Labor Tasks)

Page 35 of 48 Pages
CUI
 CUI

a) b) c) d) e) f) g) h) Performance is based on the Inspection Accuracy Plus/Minus

(i) Dedicated Service provided 99%-100% No Change
to those Mission Partners that
pay for Dedicated Labor. The 96-98% -2%
overall will be rated off the 93-95% -4%
response times to those 90-92% -6%
Mission Partners, ticket
0-90% 0
SLAs, engineering level
support, and Mission partner
satisfaction.

k) o) Performance/ Deliverables: Inspection of delivered Accuracy Plus/Minus

Contain required information, materials. 95% No Change
95% accurate/error free, and
delivered on time. 92-94% -2%
89-91% -4%
Any required revisions are: 85-88% -6%
 Resolved within 1
0-84% 0
week.

Accepted by COR

l) m) n) Performance is based on Inspection

outages/impact caused by a Accuracy Plus/Minus
contractor performed change. 99.75-100% No Change
If the change was impacted
by a vendor bug, then a detail 99.51- -2%
explanation of what happened 99.75%
via vendor TAC case will be 99.26-99.5% -4%
required. 99.1-99.25% -6%
0-99% 0
6.4.5 (STRATUS)
c) f) g) h) j) Performance is based on Inspection Accuracy Plus/Minus
outages/impact caused by a 99.75-100% No Change
contractor performed change.
If the change was impacted 99.51- -2%
by a vendor bug, then a detail 99.75%
explanation of what happened 99.26-99.5% -4%
via vendor TAC case will be 99.1-99.25% -6%
required. 0-99% 0

a) d) i) Performance/ Deliverables: Inspection of delivered Accuracy Plus/Minus

Contain required information, materials. 95% No Change
95% accurate/error free, and
delivered on time. 92-94% -2%
89-91% -4%
Any required revisions are: 85-88% -6%
 Resolved within 1
0-84% 0
week.

Accepted by COR

6.4.8 (WAF)
Page 36 of 48 Pages
CUI
 CUI

e) h) j) k) q) s) Performance/ Deliverables: Inspection of delivered Accuracy Plus/Minus

Contain required information, materials. 95% No Change
95% accurate/error free, and
delivered on time 92-94% -2%
89-91% -4%
Any required revisions are: 85-88% -6%
 Resolved within 1
0-84% 0
week.

Accepted by COR

c) m) n) z) Performance is based on Inspection Accuracy Plus/Minus

outages/impact caused by a 99.75-100% No Change
contractor performed change.
If the change was impacted 99.51- -2%
by a vendor bug, then a detail 99.75%
explanation of what happened 99.26-99.5% -4%
via vendor TAC case will be 99.1-99.25% -6%
required. 0-99% 0

cc) Submit a Change Request Inspection Accuracy Plus/Minus

(CR) prior to modification 99.75-100% No Change
showing the purpose,
background, detailed scope, 99.51- -2%
and recommended change. 99.75%
Change Requests require 99.26-99.5% -4%
approval from peers and leads 99.1-99.25% -6%
before proceeding shall 0-99% 0
comply with the
Configuration Control Board
(CCB) processes.

TASK: 6.5 Automation

Performance Acceptable Quality Level Surveillance Method Incentive / Disincentive
Standard (AQL)
6.5 Performance/ Deliverables: Inspection of delivered Accuracy Plus/Minus
a) b) c) d) e) f) Contain required information, materials. 95% No Change
95% accurate/error free, and
delivered on time 92-94% -2%
89-91% -4%
Any required revisions are: 85-88% -6%
 Resolved within 1
0-84% 0
week.

Accepted by COR

6.5 Performance is based on Inspection Accuracy Plus/Minus

c) e) outages/impact caused by a 99.75-100% No Change
contractor performed change.
If the change was impacted by 99.51- -2%
a vendor bug, then a detail 99.75%
explanation of what happened 99.26-99.5% -4%
Page 37 of 48 Pages
CUI
 CUI

via vendor TAC case will be 99.1-99.25% -6%

required. 0-99% 0

8. Place of Performance.

Primary Place of Performance. Work shall be performed on-site within the following facilities:

Mission Location:
DISA Gunter-Maxwell AFB, 01 East Moore Drive Bldg 857, Maxwell AFB Gunter Annex Montgomery, AL 36114
DISA Fort Meade, 6910 Cooper Ave, Fort Meade, MD 20755
DISA Columbus, Defense Supply Center, 3990 E Broad Street, Columbus, OH 43218
DISA at Tinker AFB, 8705 Industrial Blvd, BLDG 3900 Oklahoma City, OK
DISA at Naval Support Activity, 5450 Carlise Pike, Mechanicsburg, PA 17050
DISA at Joint Base San Antonio, 3326 General Hudnell Dr, San Antonio, TX 78226
DISA at Hill AFB, 7981 Georgia St, Hill AFB, UT 84056

Classified and unclassified work may be performed at the government location.

All Contractor work related to this SOW shall be completed at Government-provided facilities as listed in the
Section 8 (Place of Performance) in the SOW, unless a Remote Work Waiver is granted IAW the below:

Alternative work sites allow for regular telework or remote work flexibilities. Regardless of where work is
performed, the Contractor shall ensure that work is completed effectively and that mission needs and requirements
are met, without degradation of services. Also, the contractor may be required to account for the physical location of
their personnel should this information be requested by the COR. The Contractor shall propose on-site rates for all
work performed at an alternative work site. Incidental charges incurred while working at an alternative work site
(e.g., electricity, internet) are not allocable to the contract and shall not be billed to the government.

Remote Work – Contractor shall attempt to fill all positions at the locations specified in the Place of Performance
within this SOW. The deviation to allow for remote work is limited and shall only be approved on a case-by-case
basis—there is no authorization for blanket remote work waiver approval. Therefore, the Contractor shall submit the
completed Remote Waiver form that details the following information: the Contract/Task Order, Contractor Name,
Position, Primary Place of Performance, SOW Section supported, requested remote work location (Residence,
Contractor Facility, Other (please specify)), Reason for Remote Waiver request. This form shall be submitted via
email to the COR.

The COR/ACOR shall coordinate with both the LOB Chief and respond back in writing before remote work is
authorized. No remote work may begin until the COR provides written authorization. In some cases, remote work
may be limited to specific SOW sections. In the event tasks require access to classified networks, remote work
positions shall only be approved for locations within 120 minutes from an approved DISA site.

On this task order, employees who support SOW Task 6.1, 6.2, 6.3, 6.4, 6.5, and 6.6 may request a Remote Work
Waiver; however, all other SOW Tasks shall be performed at the specified location in the SOW.

Alternate Place of Performance - Contingency Only. As determined by the COR, contractor employees may be
required to work at an alternate place of performance (e.g., home, the contractor's facility, or another approved
activity within the local travel area) in cases of unforeseen conditions or contingencies (e.g., pandemic conditions,
exercises, government closure due to inclement weather, etc.). Non-emergency/non-essential contractors should not
report to a closed government facility. Contractor shall prepare all deliverables and other contract documentation
utilizing contractor resources. To the extent possible, the contractor shall use best efforts to provide the same level
of support as stated in the SOW. In the event the services are impacted, reduced, compromised, etc., the Contracting
Officer or the contractor may request an equitable adjustment pursuant to the Changes clause of the contract.

Travel in and around the primary place of performance may be required throughout the period of performance. TDY
costs shall not be reimbursed for travel less than 150 miles within the primary place of performance. Moreover,
Page 38 of 48 Pages
CUI
 CUI

TDY costs shall not be reimbursed for any personnel with a remote work waiver. Additional travel within CONUS
may be required to support the requirements of this SOW.
In the Monthly Status Report, report the status of personnel who work on this contract under an approved remote
work waiver. This information should include Contractor Employee Name, SOW Support Task(s), Remote Work
Location, and Primary Place of Performance.

Secondary Place of Performance – Contingency Only. As determined by the Contracting Officer’s Representative
(COR), contractor employees may be required to work at a secondary place of performance (e.g., home, the
contractor's facility, or another approved activity within the local travel area) in cases of unforeseen conditions or
contingencies (e.g., pandemic conditions, exercises, government closure due to inclement weather). Additionally,
the contractor may be required to account for the physical location of their personnel should this information be
requested by the COR. Non-emergency/non-essential contractors should not report to a closed government facility.
Contractor shall prepare all deliverables and other contract documentation utilizing contractor resources. To the
extent possible, the contractor shall use best efforts to provide the same level of support as stated in the SOW. In the
event the services are impacted, reduced, compromised, etc., the Contracting Officer or the contractor may request
an equitable adjustment pursuant to the Changes clause of the contract.

9. Period of Performance (PoP). The PoP shall be a one 12-month base period followed by three 12- month option
periods.and one optional six-month extension, if exercised per FAR 52.217-8.

Base: July 12, 2025 – July 11, 2026

Option Year 1: July 12, 2026 – July 11, 2027
Option Year 2: July 12, 2027 – July 11, 2028
Option Year 3: July 12, 2028 – July 11, 2029

Unless otherwise addressed in the SOW, the contractor shall perform Monday through Friday excluding all Federal
holidays, with core hours of 8:00AM Central Time to 3:00PM Central Time. Normal duty hours are 8 hours per day
and do not include vacation, sick, holiday and TDY time. When the Government installation grants administrative
leave to its employees (e.g. as a result of inclement weather, potentially hazardous condition, or other special
circumstances), contractor personnel working on-site shall also be authorized to telework.

As directed by the Contracting Officer (KO), the contractor shall continue performance in emergency or mission
essential conditions. Additionally, the contractor may be required to account for the whereabouts of their personnel,
should this information be requested by the COR.

10. Delivery Schedule.

SOW Deliverable Format Due Date Distribution/Copies Frequency

Task# Title and Remarks
6.1 – Task Order A001 Draft – 15 days Standard Draft - 15
6.5, Management after Award Distribution* Final – 30
6.7 Plan Final – 30 days
after Award
6.1 – Monthly Status A002/Govt On 5th workday COR, KO, Standard Monthly
6.5. Report distribution to
6.7 Government Leads
6.1 – Weekly Status A003/Govt By 1600 E Friday Government Leads Weekly
6.5 Report
6.2.1- Capacity A004/Govt By 1600 E Government Leads Monthly
6.2.3 Performance
Report
6.3 Shift Turnover A005/Govt Close of Business Government Leads 3x Daily
6.3.1- Report each Shift - Day and Operations,
6.3.3 Shift (1600 E), Maintenance and

Page 39 of 48 Pages
CUI
 CUI

6.4.1 Swing Shift Sustainment

(Midnight E), Mid Distribution List
Shift (0800 E)
6.4.8 WAF A006/Govt 5 Business days Government Leads As requested
Migration prior to
Checklist implementation
6.7 Hybrid Cloud A007 60 Days from New COR, KO, Standard 60 Days from
Network Employee distribution to New
Infrastructure Onboarding Government Leads Employee
Familiarization Onboarding
and technology
Certification
6.7 Hardware/ A008 60 Days from COR, KO, Standard 60 Days from
Virtual Employee distribution to Employee
Specific onboarding, Government Leads onboarding,
Competency annually after that annually after
Certification that
6.7 Staff Report A009 on 5th workday COR, KO, Standard Monthly
distribution to
Government Leads
6.7 Monthly NDA Contractor No later than end Standard Monthly
Status Report determined format of the 1st week of Distribution* (NDA status
each month as of the end
of the
previous
month)

6.1- Visit Access Attached Format Pre-start of One Copy to COR As needed
6.5, Request (VAR) performance or per employee
6.7 option execution.
10 days in
advance of any
new employee start
6.1- Travel Attached format At least 10 days One Copy to COR Per Trip
6.5, Authorizat prior to any travel
6.7 ion
Request
(TAR)

11. Security Requirements. This section supplements Block 13 of the Government provided DD Form 254,
Contract Security Classification Specification. The following security requirements shall apply to this effort.

The contractor shall coordinate visits with site Point Of Contract (POC)s providing at least a 72-hour notice (or
according to each site security requirements) prior to any site access. Contractor personnel without security
clearances performing any task under this SOW must be escorted by cleared DISA personnel (civilian, military, or
contractor).

References:

a. DISA End User Access Agreement, 11 February 2021

b. DISA Policy Letter, Unauthorized Connections to Network Devices, 11 September 2013
c. DISA Instruction 240-110-8, Information Security
d. DISA Instruction 240-110-36, Personnel Security
e. DISA Instruction 240-110-38, Industrial Security
Page 40 of 48 Pages
CUI
 CUI

f. DISA Instruction 240-110-43, Insider Threat Program

g. DISA Instruction 630-230-19, Cybersecurity
h. DoD Manual 5200.01, Vol 1-3 Information Security Program, 24 February 2012
i. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program, 3 April 2017
j. DoD Instruction 5200.48, Controlled Unclassified Information (CUI), 6 March 2020
k. 32 CFR Part 117, “National Industrial Security Program Operating Manual (NISPOM)”, 24 February 2021
l. DoD Manual 5105.21 Sensitive Compartmented Information Administrative Security Manual:
Administration of Information and Information Systems Security.
m. DoDI 5230.24, “Distribution Statements for DoD Technical Information,” January 10, 2023

11.1 Facility Security Clearance. Work performed under this contract/order is up to the Secret level and will
require Sensitive Compartmented Information (SCI) access eligibility for some personnel. Therefore, the company
must have an interim or final Secret Facility Clearance from the Defense Counterintelligence and Security Agency
Facility Clearance Branch.

11.2 Security Clearance. All personnel performing on or supporting a DISA contract/order in any way shall be
U.S. citizens. The personnel security requirements for this contract/order cover the individuals supporting the Task
Areas delineated in the table below. Contractor personnel must possess the interim or final security clearance
eligibility delineated in the table below when performance starts.

SOW Task / Level of

Clearance Level Justification for Access to Classified
Subtask Classified Access
6.1 - 6.6 Secret/Secret SIPRNET/SCI Services provided under this effort may
Compartmentalize require participation in meetings
d Information I classified at the Secret level. Services
(SCI) provided under this effort shall be
required to monitor and respond to email
classified at the Secret level using
SIPRNET. This shall require a privileged
access to a DISA information system,
which shall have an ability and authority
to control and change. SCI access is
required to support these tasks.

11.2.1 Individuals supporting SOW Tasks / Subtasks that require(s) an interim or a final Secret security clearance
will, immediately upon hire, require SCI access eligibility adjudicated by the Department of Defense (DoD)
Consolidated Adjudication Facility or other federal adjudications facility to perform their duties. SCI processing for
SCI eligibility will be coordinated with the supporting Government Security Manager and will begin immediately
upon start of duty performance under this contract/order.

All SCI* work under this contract/order will be monitored by COR/ACOR.

*The COR/ACOR must be indoctrinated into SCI to monitor the work.

11.3 Investigation Requirements. All personnel requiring Secret access under this contract/order shall undergo a
favorably adjudicated Tier 3 investigation formerly known as a National Agency Check, Local Agency Check and
Credit Check or Access National Agency Check and Inquiries as a minimum investigation. Enrollment into
Continuous Evaluation current within 5 years and reflected in The Defense Information System for Security (DISS),
would meet the requirement for the Periodic Reinvestigation (PR).

11.3.1 All personnel requiring Secret access under this contract/order shall undergo a favorably adjudicated Tier 3
(T3) Investigation formerly known as a National Agency Check, Local Agency Check and Credit Check or Access
National Agency Check and Inquiries as a minimum investigation. Enrollment into Continuous Evaluation current
within 5 years and, reflected in DISS, would meet the requirement for a current PR.
Page 41 of 48 Pages
CUI
 CUI

11.3.2 The contractor is required to have personnel cleared with an interim or final Secret (as specified in the table
located in section 11.2) at contract start date. If contractor personnel is replaced during performance of the contract,
replacement personnel should also have interim or final clearance Secret (as specified in the table located in section
11.2).

11.4 Visit Authorization Letters (VAL). Visit requests shall be processed and verified through the DISS to
Security Management Office (SMO) Ft Meade-DKABAA10, Montgomery-DKAWKH, Columbus-DKAWCB,
Oklahoma City-DKAWKB, Mechanicsburg-DKAWMB, San Antonio-DKAWKE, and Ogden-DKAWGB. DISS
visits for contracts/orders are identified as “Other” or “TAD/TDY” and will include the Contract/Order Number of
the contract/order in the Additional Information section. Contractors that do not have access to DISS may submit
visit authorizations by e-mail in a password protected .pdf to the COR/ACOR specified in DITCO Additional Text
G1 - Points of Contact.

*Prior coordination with the DISA COR should be made via email to ensure the VAL/ Visit Authorization
Request (VAR)/ Visit Termination Notification (VTN) process is agreed upon and properly secure.

11.4.1 VAR Package. VARs must be received via email and require pre-approval from the assigned DISA COR
five business days in advance of the report date. The VAL/VAR/VTN should be sent via email to the appropriate
COR. The VAL/VAR/VTN should be sent using in a locked “Zip” file in one e-mail and then followed-up by
another e-mail with the password to unlock the Zipped file, because it contains sensitive information covered by the
Privacy Act.

Documents to include in the VAR Package:

1. Inter-office Memorandum (IOM)
2. DD Form 254 Prime and/or Sub (Good Standing approval emails for current option year)
3. Contractor VAL signed by the Contractor Facility Security Officer (FSO)

If DISS is not available, the VAL must contain the following information on company letterhead.

 Company name, address, telephone number, facility security clearance

 CAGE CODE
 Contract/Order Number
 Name, SSN, date and place of birth, and citizenship of the employee intending to visit.
 Certification of personnel security clearance and any special access authorizations required for the visit
(type of investigation & date and adjudication date & agency)
 Name of COR/Alt COR
 Dates or period the VAL is to be valid.

11.4.2 VTN Package. The Contractor FSO will forward a VTN letter to the DISA COR identified in the
SOW/TO/Sub for all employees leaving the contract/task order/subcontract.

11.4.2.3 In addition, the DISA CORs and security managers shall inform the DISA Security Office when contractor
personnel are removed for cause from a contract supporting DISA. This step is being added to prevent contractor
personnel removed for security related issues from returning to DISA without appropriate vetting. This step will also
provide security with pertinent information to make an informed decision regarding potential contractor employees’
access to secure facilities and sensitive information. “For Cause” is information regarding an individual that falls
into one or more of the actions or incidents that are within one of the 13 adjudicative guidelines as cited in the
Security Executive Agent Directive (SEAD) 4.

The VTN must contain the following information on company letterhead.

 Company name, address, telephone number, facility security clearance

 CAGE CODE
 Contract/Order Number
 Name, SSN, date and place of birth, and citizenship of the employee.
Page 42 of 48 Pages
CUI
 CUI

 Name of COR/Alt COR

 Termination Date
 Reason for Termination

*Any VAL/VAR submitted without the above information will be denied. *

11.5 Security Contacts. DISA Security Personnel can be contacted for Industrial or Personnel Security related
issues at (301) 225-1235 or via mail at:

Defense Information Systems Agency Defense Information Systems Agency

ATTN: MP61, Industrial Security ATTN: MP62, Personnel Security
Command Building Command Building
6910 Cooper Ave. 6910 Cooper Ave.
Fort Meade, MD 20755-7088 Fort Meade, MD 20755-7088

For Center or Directorate-specific security related matters, contact the Directorate or Center

Security Manager at: Name: Craig H. Donnelly J1/MP62

Phone Number: 667-890-3521
E-mail: [email protected]

11.6 Information Security and other miscellaneous requirements.

11.6.1 Contractor personnel shall comply with all local security requirements including entry and exit control for
personnel and property at the Government facility.

11.6.2 Contractor employees shall be required to comply with all Government security regulations and requirements.
Initial and periodic safety and security training and briefings will be provided by Government security personnel.
Failure to comply with Government security regulations and requirements shall require the company to provide the
Government with a written remediation/corrective action plan; furthermore, failure to comply with such
requirements can be cause for removal and the contractor will not be able to provide service on this contract/order.

11.6.3. Contractor employees with an incident report in DISS who have had their access to classified suspended will
not be permitted to fill positions requiring access to classified information on a DISA contract/order.

11.6.4 The Contractor shall not divulge any information, classified or unclassified, about DoD files, data processing
activities or functions, user identifications, passwords, or any other knowledge that may be gained, to anyone who is
not authorized to have access to such information. The Contractor shall observe and comply with the security
provisions in effect at the DoD facility. Identification shall be worn and displayed as required.

11.6.5 The authority for the contractor personnel to regain access must be granted by DISA Chief of Security.

11.6.5.1 DISA retains the right to request removal of contractor personnel regardless of prior clearance or
adjudication status, whose actions, while assigned to this contract, clearly conflict with the interest of the
Government.

11.6.5.2 DISA retains the right to revoke contractor personnel access to DISA facilities and networks, who
violates one or more of Security Personnel Adjudicative guidelines, harassment or violence in the workplace while
assigned to a contract clearly conflict with the interest of the Government.

11.6.5.3 If contractor employee is accused of violating state or federal laws and/or Government
professional conduct policies or regulations, then the Government may require that such contractor employee be
removed from Government premises and/or that such contractor employee be removed from supporting this
contract, pending the duration and outcome of a Government investigation if the Contracting Officer finds that the
Page 43 of 48 Pages
CUI
 CUI

conduct or violation alleged has the potential to negatively interfere with contract performance or operations at a
Government facility. Only the Contracting Officer can make such a request on behalf of the Government. Removal
of contractor employee shall not negatively impact contract performance.

11.6.6 Contractor personnel will generate or handle documents that contain Controlled Unclassified Information
(CUI) at the Government facility. Contractor personnel will generate or handle documents that contain Proprietary,
Contract Sensitive, or similarly designated information at the [Government and/or contractor] facility.) Contractor
personnel will have access to, generate, and handle classified material up to CONFIDENTIAL/ SECRET level only
at the Government location(s) (Ref: Block 8 Place of Performance on DD254) and listed in the place of performance
section of this document. All contractor deliverables shall be marked in accordance with DoDM 5200.01, Vol. 3,
DoD Information Security Program: Protection of Classified Information; DoDI 5200.48, Controlled Unclassified
Information (CUI); and DoDM 5400.07, Freedom of Information Act Program, unless otherwise directed by the
Government. The contractor shall comply with the provisions of the DoD Industrial Security Manual for handling
classified material and producing deliverables. The contractor shall comply with DISA Instruction 630-230-19,
Cybersecurity.

11.6.7 The Contractor shall afford the Government access to the contractor’s facilities, installations, operations,
documentation, databases, and personnel used in performance of the contract/order. Access shall be provided to the
extent required to carry out a program of IT inspection (to include vulnerability testing), investigation and audit to
safeguard against threats and hazards to the integrity, availability, and confidentiality of data or to the function of
information technology systems operated on behalf of DISA or DoD, and to preserve evidence of computer crime.

12. Government Furnished Property (GFP).

GFP will be provided for this contract as indicated in the GFP attachment included at solicitation, distributed at
award and incorporated via the GFP Module in PIEE. GFP shall be managed IAW the terms of FAR 52.245-1,
corresponding GFP DFARS clauses and additional DITCO Instructions incorporated in award.

Contractors shall accept and/or report provided GFP via the Shipping and Receiving document in the GFP module
upon acceptance and/or IAW Additional DITCO Instruction H9. Serially managed items are provided to the
contractor by DoD and require all events identified in DFARS 252.245-7005 (and/or any subsequent DFARS or
Agency GFP reporting requirements) to be reported by the contractor.

Contractors in possession of GFP shall provide the COR or PA an annual report of all GFP in its possession to
include the item description, make, model, serial number, IUID, and last inventory date; the report should be
minimally provided on an annual basis and 30 days prior to the expiration of any performance period (base and
options) IAW with Additional DITCO Instruction H9.

Deliverable:

SOW Deliverable Format Due Date Distribution/ Frequency and

Task# Title Copies Remarks

12 GFP Inventory MS Excel 30 days prior to the end of Standard Annually

spreadsheet the POP. Distribution*

H9 Property Provided 10 days after award. COR and PA At award

Management template
Plan
H9 Final GFP Contractor On or prior to the last day COR, PA, CS At end of
Disposition provided of the end of the POP. contract/ order
Notification format
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

13. Incentives/Disincentives:

Page 44 of 48 Pages
CUI
 CUI

13.1 The Government shall assess disincentives if the contractor does not maintain FTE staffing levels at 50% or
greater during the first 30 calendar days of contract performance. After the aforementioned 30 calendar day period,
the Government shall assess disincentives if the contractor does not maintain FTE staffing levels at 100%. An FTE
position is considered staffed if the employee’s VAR is approved by the Government, the employee is onboarded by
the contractor, the employee satisfies the minimum qualifications described herein, the employee is actively working
on the contract either onsite or remotely, and the respective employee has not otherwise been absent from the FTE
position for more than 30 calendar days, e.g. being absent for over 30 calendar days due to medical issues or military
deployment would result in the FTE position being deemed vacant/unstaffed.

13.2 When an FTE position becomes vacant, vacancies must be filled with fully functional resources to perform
duties. Except as described in paragraph 13.1, the Government shall assess disincentives after a 21 consecutive
calendar day vacancy if the respective FTE position remains unstaffed even if the FTE position is unstaffed due to
the employee not onboarding or the Government rejecting the VAR.

13.2.1 The Government will strive to process a VAR’s initial submission no later than 7 calendar days after
the Government receives said VAR from the contractor. In the event the Government does take longer than 7
consecutive, calendar days to approve or reject a VAR’s initial submission, the Government will extend the period
that the Government considers the vacancy as temporarily filled until the Government formally approves or rejects
the respective VAR

13.3 To assess a disincentive, the contractor’s invoice shall be decremented. The decrease shall be based on the
number of unstaffed/vacant FTE positions and the number of days the FTE positions were unstaffed/vacant.
Monthly disincentives will match the percentage of unfilled FTE positions. The disincentive will be prorated
according to the number of days in the month that any FTE position is unstaffed beyond the days allowed to staff an
FTE position as described in paragraph 13.1 and

13.4. The calculation of vacant dates will be retroactively calculated and restored to the date an FTE position
originally became unstaffed or vacant if: (1) a VAR is submitted for the FTE position; (2) the Government approves
the VAR; and, (3) the individual who was granted access via the VAR does not onboard. Submitting a VAR for the
Government’s review/approval shall not be considered the same as (1) staffing a vacancy, (2) fulfilling a fully
functional resource, or (3) an FTE position becoming newly vacant. Disincentives, if applicable, will resume with
the calculation of the date the former FTE position with a fully functional resource vacated the position. Despite any
VAR submission or Government access being granted, the position vacancy date will be reset to the date the FTE
position was vacated and held a fully functional resource.

For example, if the monthly invoice is for $90 for a 30-day month, and the contractor does not fill 1 out of 10 labor
categories for 10 days of the 30-day month, then the invoice will be decremented by 10% for those 10 days. Thus,
the invoice for the month will be decremented by: (90/30 = $3 daily charge)*.10*10 = $3.

13.5 As an additional disincentive, there will be a 1% reduction in the monthly invoice amount for each (1) late or
missing deliverable as specified in Section 10 - Delivery Schedule unless the Contracting Officer finds that any such
late deliverable was caused by the Government, (2) deliverable falling below the minimum AQL as specified in
Section 7 - Performance Standards, and (3) deficient deliverable. A deficient deliverable is one that is submitted but
is found to be incomplete, missing key required information, containing erroneous data, or not organized according
to SOW requirements.

13.6 These specific disincentives do not limit the Government’s other remedies, including terminating the contract
for default and reporting negative performance in the Contractor Performance Assessment Rating System.

14. Other Pertinent Information or Special Considerations

a. Identification of Possible Follow-on Work. The government may require surge support during the base or
any option period, and surge modifications shall be within the scope of the contract and provide increased support
for the defined task areas of this SOW. Surge sup-port over the life of the contract shall not exceed 25% of the con-
Page 45 of 48 Pages
CUI
 CUI

tractor’s total proposed cost/price for the base and all option periods, excluding any six- month extension of services
pursuant to FAR 52.217-8.
b. Identification of Potential Conflicts of Interest (COI). Due to the nature of the DoD IA Program, OCI is-
sues are a significant concern as they hold the potential to disrupt the performance of this contract and other con-
tracts awarded and administered by DISA. The contractor shall identify all potential or actual OCIs and document an
avoidance or mitigation strategy for each in an OCI Mitigation Plan for the Contracting Officer’s approval. The
contractor has a continuing obligation during the performance of the contract to identify any new OCIs and to up-
date its OCI Mitigation Plan as appropriate. Any newly identified OCIs must be brought to the Contracting Officer’s
attention within 24 hours. Additional information regarding OCIs are found in the clauses incorporated in the con-
tract.
c. Identification of Non-Disclosure Requirements. The contractor shall obtain and maintain Non-
Disclosure Agreements (NDA) for each employee assigned to the contract/TO. Initial NDAs shall be signed within
one week of contract/TO award, and NDAs shall be kept current through the entirety of the period of performance as
employee turnover occurs. The contractor shall ensure that all employees assigned to the contract have executed
NDAs on file as of the date of the Monthly NDA Status Report, which shall include names and NDA status of all
current employees assigned to the contract.

Deliverable:
SOW Deliverable Format Due Date Distribution/ Frequency and
Task# Title Copies Remarks

13c. Monthly NDA Contractor No later than end of Standard Monthly (NDA
Status Report determined the 1st week of each Distribution* status as of the
format month end of the
previous month)

*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

d. Packaging, Packing and Shipping Instructions. N/A

e. Inspection and Acceptance Criteria. N/A

f. Property Accountability. The contractor shall submit the Consolidated Product Listing (linked below) in
addition to complying with all requirements of DFARS 252.211-7003. See DITCO Additional Text H2,
Requirement to Submit an Electronic Product List for additional information.

g. Transitioning.

1. Transition-In (Phase In). 50 percent total staffing must be complete within two weeks of the start
of the PoP and 100 percent within 30 days.
2. Transition-Out (Phase Out). You will need to collaborate with the MP at least 120 days or sooner,
prior to the end of the contract, to develop a transition-out plan IAW FAR 52.237-3.

DELIVERABLES:

SOW Deliverable Format Due Date Distribution/ Frequency and

Task# Title Copies Remarks

12 GFP Inventory MS Excel 30 days prior to the Standard Annually

spreadsheet end of the POP. Distribution*

H9 Property Provided 10 days after award. COR and PA At award

Management template
Page 46 of 48 Pages
CUI
 CUI

Plan
H9 Final GFP Contractor On or prior to the last COR, PA, CS At end of
Disposition provided day of the end of the contract/ order
Notification format POP.
*Standard Distribution: 1 copy of the transmittal letter with the deliverable to the Primary COR.

i. Training. Contractor employees may be required to take periodic mandatory training courses provided
through the agency, such as records management training and other training required by statute, regulation, DoD, or
DISA policy. other training of contractor personnel shall be provided by the Government unless authorized by the
Contracting Officer.

15. Section 508 of the Rehabilitation Act, as amended by the Workforce Investment Act of 1998 (P.L. 105-220)
requires that when Federal agencies develop, procure, maintain, or use information and communication technology
(ICT), it shall be accessible to people with disabilities. Federal employees and members of the public who have
disabilities must have access to, and use of, information and data that is comparable to people without disabilities.

E206 Hardware

E206.1 General. Where components of ICT are hardware and transmit information or have a user interface, such
components shall conform to the requirements in Chapter 4.

E207 Software

E207.1 General Where components of ICT are software and transmit information or have a user interface, such
components shall conform to E207 and the requirements in Chapter 5
Exception from E207.1 General: Software that is assistive technology and that supports the accessibility services of
the platform shall not be required to conform to the requirements in Chapter 5.

E302 Functional Performance Criteria

302.1 Without Vision. Where a visual mode of operation is provided, ICT shall provide at least one mode of
operation that does not require user vision.

302.2 With Limited Vision. Where a visual mode of operation is provided, ICT shall provide at least one mode of
operation that enables users to make use of limited vision.

302.3 Without Perception of Color. Where a visual mode of operation is provided, ICT shall provide at least one
visual mode of operation that does not require user perception of color.

302.4 Without Hearing. Where an audible mode of operation is provided, ICT shall provide at least one mode of
operation that does not require user hearing.

302.5 With Limited Hearing. Where an audible mode of operation is provided, ICT shall provide at least one mode
of operation that enables users to make use of limited hearing.

302.6 Without Speech. Where speech is used for input, control, or operation, ICT shall provide at least one mode of
operation that does not require user speech.

302.7 With Limited Manipulation. Where a manual mode of operation is provided, ICT shall provide at least one
mode of operation that does not require fine motor control or simultaneous manual operations.

302.8 With Limited Reach and Strength. Where a manual mode of operation is provided, ICT shall provide at least
one mode of operation that is operable with limited reach and limited strength.

Page 47 of 48 Pages
CUI
 CUI

302.9 With Limited Language, Cognitive, and Learning Abilities. ICT shall provide features making its use by
individuals with limited cognitive, language, and learning abilities simpler and easier.

The Technical Standards above facilitate the assurance that the maximum technical standards are provided to the
Offerors. Functional Performance Criteria is the minimally acceptable standards to ensure Section 508 compliance.
This block is checked to ensure that the minimally acceptable electronic and information technology (E&IT)
products are proposed.

Page 48 of 48 Pages
CUI