OCR of the Document

View the Document >>

Department of the Army, Performance Work Statement (PWS) for National Cyber Range Complex (NRCR) Event Planning, Operations, and Support (EPOS), May 19, 2017. Unclassified.

PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft PERFORMANCE WORK STATEMENT PWS FOR NATIONAL CYBER RANGE COMPLEX NCRC EVENT PLANNING OPERATIONS AND SUPPORT EPOS 19 May 2017 U S Army PEO Simulation Training and Instrumentation PEO STRI Project Manager for Instrumentation Targets Threat Simulators and Special Operations Training Systems PM ITTS 12211 Science Drive Orlando Florida 32826-3224 United States Revision Level Initial Document Date May 2017 Summary of Change Sources Sought 1 Pages Affected All PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft Contents 1 SCOPE 5 1 1 BACKGROUND 5 1 2 SYSTEM DESCRIPTION 6 2 APPLICABLE DOCUMENTS 6 3 REQUIREMENTS 7 3 1 PROGRAM MANAGEMENT 7 3 1 1 Contractor Integrated Performance Management 8 3 1 2 Financial Management 8 3 1 3 Risk Management 9 3 1 4 Configuration Management Plan CMP 9 3 1 5 Management Reviews 10 3 1 6 Contractor Manpower Reporting Application 11 3 1 7 Organizational Conflicts of Interest OCI 11 3 1 8 Visitor Support 11 3 1 9 Travel 12 3 2 SYSTEM ENGINEERING 12 3 2 1 Range Capability Cloud Computing and Integration Support and Development 12 3 2 2 Hardware and Software Interface Design and Specification 13 3 2 3 Software Firmware Design and Development 13 3 3 QUALITY ASSURANCE 14 3 4 TECHNOLOGY DEMONSTRATION 14 3 4 1 Cyber Event Operations 14 3 5 SYSTEM MAINTENANCE REQUIREMENTS 15 3 5 1 Toolkit Maintenance 15 3 5 2 Hardware Software HW SW Maintenance 16 3 6 ITEM UNIQUE IDENTIFICATION IUID 16 3 7 SECURITY AND DATA HANDLING 16 3 7 1 Prototype Security Operations 16 3 8 INFORMATION ASSURANCE AND ICD 503 CERTIFICATION AND ACCREDITATION 16 3 9 GOVERNMENT FURNISHED PROPERTY GFP GOVERNMENT FURNISHED EQUIPMENT GFE 17 2 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft vv Performance Work Statement PWS for NCR Complex NCRC Event Planning Operations and Support EPOS 1 SCOPE This Performance Work Statement PWS describes the effort to be performed by the contractor for Event Planning Operations and Support EPOS at a National Cyber Range Complex NCRC facility The NCRC will provide the ability to conduct realistic cybersecurity Test and Evaluation T E of major Department of Defense DoD acquisition programs and the ability to conduct realistic training and certification events for the DoD Cyber Mission Force CMF 1 1 Background The U S Army Program Executive Office for Simulation Training and Instrumentation PEO STRI has a requirement for a National Cyber Range Complex capability In 2009 the Defense Advanced Research Projects Agency DARPA was tasked by the Comprehensive National Cybersecurity Initiative CNCI to establish a front line of defense against today's immediate threats by creating or enhancing the ability to act quickly to reduce our current vulnerabilities and prevent intrusions National Security Presidential Directive 54 NSPD -54 Under the NCR program DARPA developed the architecture and software tools for a secure self-contained environment capable of rapidly emulating large-scale complex cyber range event environments that match the depth diversity fidelity and realism of real-world networks On October 1 2012 the Under Secretary of Defense for Acquisition Technology and Logistics USD AT L directed the Test Resource Management Center TRMC to take responsibility for operations and resources of the National Cyber Range NCR Since then the NCR has executed 140 events for DOD Customers The NCR conducts Cyberspace Testing Training and Operational Events for the full spectrum of DoD Customers including Research Development Acquisition Testing Training and Operational Cyber Mission Forces The NCR executes wide variety of event types including Science and Technology S T Demonstrations Developmental Test Evaluation DT E Operational Test Evaluation OT E Security Controls Assessments SCA Cyberspace Operations Training Cyberspace Tactics Techniques Procedures TTP Development Forensics Malware Analysis and Cyberspace Operations Mission Rehearsal The NCR enables acquisition programs to conduct Cybersecurity Test and Evaluation T E in a representative Cyberspace Environment to identify and close exposed vulnerabilities evaluate resiliency and positively impact program cost schedule and performance The NCR also supports Training and Certification of Cyber Mission Forces in support of US Cyber Command by enabling operational forces to efficiently evaluate cyber warfighting capability in a realistic joint mission environment Finally the NCR is supporting in real time Overseas Contingency Operations as directed by National Authority 3 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft vv To meet growing demand for cybersecurity T E and CMF training and certification the TRMC is embarking on a program to increase cyber range capacity by creating an interconnected complex of NCR-like facilities called the NCR Complex These new facilities will be located within government owned facilities at the following preselected tentative locations Orlando FL Charleston SC Aberdeen MD Patuxent River MD and Fort Walton Beach FL see Figure 1 At maturity the NCRC will consist of an integrated and interoperable constellation of facilities designed to enable the planning and execution of very large-scale complex distributed cybersecurity T E and training events The NCRC will empower programs to conduct research experiments development and operational tests and operational training exercises in environments that emulate their specific computing networking and information systems infrastructures Figure 1 NCR Complex Vision 4 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft 1 2 System Description Each NCRC facility will be comprised of four key elements a secure facility a unique security architecture integrated tools for cyber testing and a multidisciplinary staff see Figure 2 Accredited by the Defense Intelligence Agency DIA NCRC facilities provide efficient and affordable cybersecurity testing and training infrastructure that can operate at levels up to Top Secret Sensitive Compartmented Information TS SCI Using state-of-the-art network isolation capabilities each NCRC will be capable of simultaneously executing combinations of up to eight independent T E and CMF training events at different classification levels Figure 2 NCR Overview 2 APPLICABLE DOCUMENTS TBD 3 REQUIREMENTS 3 1 Program Management The Contractor shall provide the overall management and administrative effort necessary to ensure that the requirements of this contract are accomplished The Contractor shall include provisions for technical and administrative planning organization coordination resource allocation and risk management The Contractor shall track program progress utilizing established metrics and share the metric and related data with the Government through the conduct of Interim Progress Reviews IPRs and Technical Interchange Meetings TIMs The 5 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft Contractor shall send agendas briefing slides and meeting minutes to the Government's Contracting Officer Representative COR and to the NCRC Director Additionally a weekly status report shall be supplied to the NCRC COR and to the NCRC Director by close of business COB every Wednesday for the entire life of the contract with formatting approved by the Government DI-MGMT-80227 Contractor's Progress Status and Management Report 3 1 1 Contractor Integrated Performance Management The Contractor shall develop implement manage to update and maintain an Integrated Master Schedule IMS by logically integrating detailed program activities The schedule shall contain the planned events and milestones exit criteria and their dependencies from contract award to the completion of the contract All contract schedule information delivered or presented at program reviews shall originate from the IMS and shall contain all critical events predecessors and successors' events and their dependencies DI-MGMT-80227 Contractor's Progress Status and Management Report 3 1 2 Financial Management The Contractor shall plan budget schedule and control resources allocated to meet requirements of the contract The Contractor shall maintain a detailed cost and schedule status of work progress on the contract and procedures for planning work controlling costs measuring performance and generating timely and reliable information The Contractor shall document and track the expenditure of all appropriated funds associated with the contract against each contract line item and sub-line item The Contractor shall maintain integrated cost and schedule information on those subcontracts which based on risk schedule criticality or dollar value have the potential to impede the successful completion of the contract The Contractor shall prepare implement and utilize the Contract Work Breakdown Structure CWBS and performance based Contract Statement of Work CSOW to define the work required for the proposed products and processes The Contractor shall identify elements of subcontracted work in the extended CWBS and may propose changes to the CWBS to enhance its effectiveness in satisfying program objectives DI-MGMT-81334D Contractor Work Breakdown Structure CWBS DI-MGMT-81651 Contract Invoicing and Payment Report DI-MGMT-80227 Contractor's Progress Status and Management Report 3 1 2 1 Program Baseline Review PBR The Contractor shall participate with the Government in the assessment of program risk and the degree to which the6 following have been established for PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft applicable tasks The PBR shall occur as soon as feasible but not later than 90days after contract award a Technical scope of work is fully included and is consistent with authorizing documents b Project schedule key milestones are identified and supporting schedules reflect a logical flow to accomplish the work c Tasks are planned and can be measured objectively relative to the technical progress d Management processes are rational and support successful execution of the project e Resources budget facilities personnel skills etc are available and adequate for the assigned tasks DI-MGMT-80227 DI-ADMN-81505 Contractor's Progress Status and Management Report Report Record of Meeting Minutes 3 1 3 Risk Management The Contractor shall prepare implement and maintain a cost technical and schedule risk management process which includes risk detection and identification assignment of risk categories risk mitigation planning mitigation plan implementation corrective action tracking of compliance reporting of status and planning for risk abatement The Contractor shall utilize the risk management process for a Identification and documentation of moderate and high-risk items for each risk assessment area to be presented at management reviews b Identification and implementation of risk handling approaches and track over time each moderate and high-risk item c Documentation of risk issues that have been successfully resolved and scheduling each open item into the program schedule d Developing mitigation plans to identify the recommended critical path for contract completion and the appropriate risk handling approach to lower the level of uncertainty identified e Recommendation of decision points in terms of cost schedule and performance objectives to facilitate management and technical control DI-MGMT-80227 Contractor's Progress Status and Management Report 7 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft 3 1 4 Configuration Management Plan CMP In coordination with the Government the Contractor shall develop and execute a Configuration Management Plan CMP to ensure the coordinated and effective changes of the architecture at each NCRC facility are understood and documented and approved by the NCRC Configuration Management Board NCRC CCB The NCRC CCB shall be chaired by the NCRC Chief Engineer The CMP shall include the objective that no proprietary or highly unique solutions will be utilized The NCRC CCP shall approve any proprietary or highly unique solution prior to it being implemented at an NCRC facility The CMP shall be subject to periodic review Formal revisions and guidance will be provided at program reviews and status meetings at the direction of the COR in accordance with the intended scope of this PWS 3 1 4 1 Engineering Change Proposals System Engineering and Design The Contractor shall document all changes to established baselines and all changes to the requirements including changes to the performance work statement contract data requirements list CDRL the contract schedule and the general provisions of the contract Documentation updates shall be developed IAW the initial document format and content standards or as otherwise directed The Contractor shall prepare and submit all documentation in accordance with the CDRL DI-CMAN-80639C Engineering Change Proposal 3 1 4 2 Deviations and Waivers The Contractor shall document the rationale and the potential impact of any deviation or waiver The Contractor shall obtain approval before deviating from any Government controlled baseline DI-CMAN-80640C Request for Deviation RFD 3 1 5 Management Reviews 3 1 5 1 Post Award Conference PAC The Contractor shall hold a Post Award Conference at the NCRC facility within 45 days after contract award The conference shall introduce key participants with emphasis on top level management of the program identify points of contact and discuss both parties' understanding of the scope of work agree on metrics that will be used as management and technical indicators identify the partnering approach and other contract issues The conference materials and minutes shall be sent to the NCRC COR and to the NCRC Director Receipt and acceptance of the required contract deliverable constitutes the goal for completion 8 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft DI-MGMT-80227 DI-ADMN-81505 Contractor's Progress Status and Management Report Report Record of Meeting Minutes 3 1 5 2 Interim Progress Reviews IPR The Contractor shall coordinate with the NCRC COR and NCRC Director to schedule Interim Progress Reviews IPRs to evaluate the status of the contract's planned performance measurement baseline Initially this shall occur as soon as feasible but not later than 60-days after contract award and subsequently on a quarterly schedule Each IPR should verify that the Contractor is using a reliable performance measurement baseline which includes the funded scope of work is consistent with contract schedule requirements and has adequate resources assigned The Contractor shall convene the first IPR as soon as feasible but not later than four months after contract award and subsequently on a quarterly schedule The conference materials and minutes shall be sent to the NCRC COR and to the NCRC Director Receipt and acceptance of the required contract deliverable constitutes the goal for completion DI-MGMT-80227 DI-ADMN-81505 Contractor's Progress Status and Management Report Report Record of Meeting Minutes 3 1 5 3 Technical Interchange Meetings TIMs The Contractor shall coordinate with the NCRC COR NCRC Director and NCRC Chief Engineer to schedule and conduct technical interchange meetings to be held at both Contractor and Government facilities The meetings shall be co-chaired by the NCRC and Contractor Chief Engineers The Contractor shall be prepared to explain the reasoning assumption and methodologies in arriving at particular conclusions recommendations or alternatives in the accomplishment of the tasks required by the contract The Contractor shall prepare drawings and other documentation to aid in the presentations The Contractor shall have all the required personnel and resources present The Contractor shall facilitate the NCRC discussions as necessary to coordinate and execute this task as directed by the Government The Contractor shall prepare the meeting agendas and document the meeting results Except where noted herein meetings shall be considered fulfilled when all of the following items are completed o A formal review meeting has been conducted o All action items requiring contractor response have been documented and posted o Submittal of TIM minutes Receipt and acceptance of the required contract deliverable constitutes the goal for completion DI-MGMT-80227 DI-ADMN-81505 Contractor's Progress Status and Management Report Report Record of Meeting Minutes 9 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft 3 1 6 Contractor Manpower Reporting Application The Contractor shall report all contractor labor hours including subcontractor labor hours required for performance of services under this contract for an NCRC facility via a secure data collection site The Contractor is required to completely fill in all required data fields using the following web address http www ecmra mil Reporting inputs will be for labor executed during the period of performance during each Government Fiscal Year FY which runs October 1 through 30 September While inputs may be reported any time during the FY all data shall be reported no later than October 31 of each calendar year Contractors can find User Guides Frequently Asked Questions and may direct questions to the help desk at http www ecmra mil 3 1 7 Organizational Conflicts of Interest OCI It is recognized that the effort to be performed by the Contractor under this contract may include advisory and assistance services a myriad of systems engineering efforts support in the preparation of specifications and work statements technical evaluation of other Contractors' products and services and access to other Contractors' proprietary information Consequently performance of this contract may create potential organizational conflicts of interest such as are contemplated by Federal Acquisition Regulation FAR 9 505 Therefore the Contractor shall develop and maintain an OCI mitigation plan to avoid neutralize and mitigate real and perceived organizational conflicts of interest This OCI plan shall be incorporated into the contract by reference 3 1 8 Visitor Support The Contractor shall be required to host Very Important Person VIP visits and arrange for and provide demonstrations of system performance program progress and other system characteristics as required 3 1 9 Travel Travel may be required to support the NCRC EPOS The Contractor shall request the Government's approval for all travel requirements above and beyond NCRC cyber event planning operations and support through advanced notice via email or weekly status report 3 2 System Engineering 3 2 1 NCRC Capability Integration Support and Modification Upon request from the Government the Contractor shall provide an Engineering Change Proposal to provide engineering and technical expertise to assist the Government in integrating components of other mission technology areas and range capabilities into the NCRC architecture The Government can initiate 1 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft Engineering Change Proposals as needed for modifications to the NCRC architecture and tool suite The Contractor shall provide a response to include anticipated schedule and funding required to meet the Government's proposed changes The proposed scope may include the following items a Expanding or enhancing the functional architecture of the NCRC range hardware and software assets to support new technology and mission areas either on NCRC facilities or in conjunction with other cyber ranges and enterprise solutions in support of distributed missions regardless of the physical location of the assets being evaluated during NCRC events b When directed the Contractor shall provide assessments to the Government which detail how the NCRC can be modified to support specific missions architectures and or environments These assessments shall include recommendations on how to integrate the NCRC architecture and tool suite into these missions architectures and or environments such that the NCRC shall function as a hardware agnostic entity These assessments shall be conducted while simultaneously maintaining the NCRC mission schedule It is anticipated that at most one to two assessments would be conducted per year DI-ADMN-80925 Revisions to Existing Government Documents Technical Data package TDP 3 2 2 Hardware and Software Interface Design and Specification The Contractor shall update any changes to the interface characteristics of the NCRC subsystems and the components of those subsystems that have been modified as directed and in accordance with configuration control activities for the NCRC Equipment interface requirements shall be communicated to programmers and to equipment designers in order to consider the impact of their designs on each other This will include all critical NCRC hardware components and any modifications related to the NCRC interacting with other entities Receipt and acceptance of the required contract deliverable constitutes the goal for completion DI-ADMN-80925 Revisions to Existing Government Documents Technical Data package TDP 3 3 Quality Assurance The Contractor shall implement and maintain a QA program using industry-accepted best practices and establish a QA process with full Government insight subject to Government program approval The contractor shall maintain an NCRC facility QA program IAW approved procedures The Contractor shall maintain records of quality conformance and shall make these records 1 available for Government review PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft The Contractor shall maintain a structured quality control process that ensures the prompt detection of deficiencies and initiation of necessary corrective actions for any software artifacts or deliverables found non-compliant with this Performance Work Statement The Contractor shall introduce quality controls that pertain to hardware software firmware materials and supporting technical documentation The Contractor shall establish measurement points that will provide maximum visibility into new and prior processes to assure contractual requirements are being met The Contractor shall select the proper methods to analyze these processes to continuously improve the system The Contractor shall develop management and technical metrics to assist management visibility into an adequate process control system The Contractor shall utilize the established discrepancy tracking system with the ability to produce complete permanent records of all discrepancy or database listing The Contractor shall establish a suspense system to ensure timeliness of analysis and corrective action for discrepancies and risk reduction items 3 4 Technology Demonstration As required by the Government the Contractor shall demonstrate and verify the NCRC technologies operate in a manner designed to illustrate the benefits of the range DI-MISC-80711A Scientific and Technical Reports 3 4 1 Cyber Event Operations The Contractor shall plan design deploy execute and document the results of cyber events e g DT OT tests training and certification activities mission rehearsal activities using the NCRC architecture and infrastructure The Government shall control scheduling event execution at each NCRC facility NCRC events may include multiple offsite participants collaborating with one or more NCRC facilities and other cyber ranges via the JMETC Multiple Independent Levels of Security Network JMN or the Joint Information Operations Range JIOR both of which have been approved for use by NCRC facilities The following requirements shall be addressed as part of this task a Provide all facilities and facility support to operate the NCRC facility at the highest security classification level approved by the Government b Provide cleared staff to maintain and operate the NCRC facility and infrastructure c Provide NCRC customers with pre-event support event execution support and post-event support in accordance with event requirements 1 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft d Provide cleared staff capable of Cyber Table Top CTT event planning facilitation execution and post-CTT data analysis and reporting to support NCRC customers in assessing and defining specific cyber range event goals and objectives e Deliver the following documentation as applicable for each event and as directed by the Government o Pre-Event Report that outlines the basic test approach high-level schedule and significant risks to successful event execution o Detailed Event Support Plan that provides the detailed administrative and technical information required to execute the event including the goals and objectives the metrics the measurement instrumentation and data analysis plan technical details specifications and configurations of the planned event environment and administrative e g security health and safety information o Quick Look Event Report that provides a high-level summary of the test results and significant observations regarding performance of the NCRC facility and infrastructure major lessons learned and actions items required to complete event closeout o Detailed Event Summary Report that provides an overview of the event technical details specifications and configurations of the actual event environment highlights and technical accomplishments NCRC utilization details and metrics technical information regarding any new event-specific capabilities and content presentation and explanation of result and any recommendations for short and long-term NCRC improvements and lessons learned DI-MISC-80711A Scientific and Technical Reports Pre-Event Report Detailed Event Support Plan Quick Look Event Report Detailed Event Summary Report 3 5 System Maintenance Requirements 3 5 1 NCRC Problem Tracking and Reporting The Contractor shall track problems and deficiencies identified during NCRC operations and work with the Government to prioritize the troubleshooting and resolution of any identified deficiencies in the NCRC architecture and infrastructure Hardware and software updates and troubleshooting shall be conducted in an unclassified engineering environment using unclassified event data unless the problem cannot be recreated in that unclassified system Receipt and acceptance of the required contract deliverable constitutes 1 the goal for completion PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft DI-MGMT-80227 Contractor's Progress Status and Management Report 3 5 2 Hardware Software HW SW Maintenance The Contractor shall maintain the range including HW SW vendor support The Contractor shall ensure the latest security changes are reflected on the range and that problem resolution is timely for any functional or mission related problem This includes both the classified range infrastructure and the unclassified engineering testbeds Range configuration changes problem resolution and identified issues requiring resolution shall be reported to the Government Changes in the range design to include the integration of the range infrastructure into distributed and or service oriented environments shall be similarly maintained as the changes are integrated into the NCRC mission space and architecture s Receipt and acceptance of the required contract deliverable constitutes the goal for completion DI-MGMT-80227 DI-TMSS-80527C Contractor's Progress Status and Management Report Commercial Off-The-Shelf Manuals Associated Supplemental Data 3 6 Item Unique Identification IUID The Contractor shall work with the NCRC COR NCRC Director and NCRC Chief Engineer to determine items requiring unique identification including Government owned embedded subassemblies components and parts and identify the UID to be used for each item The Contractor shall provide unique item identification or a Department of Defense recognized unique identification Status will be given on the progress of this effort DI-MGMT-80227 Contractor's Progress Status and Management Report 3 7 NCRC Security Operations and Data Handling The Contractor shall adhere to the Contract Security Classification Specification DD254 guidance and NCRC Security Classification Guide SCG The Contractor shall perform the tasks as specified in the NCRC Security Procedures to ensure the on- going operations of the classified range and unclassified engineering testbeds Range configuration changes problem resolution and identified issues requiring resolution shall be reported to the NCRC Information Systems Security Manager ISSM DI-MGMT-80227 Contractor's Progress Status and Management Report 3 8 Cybersecurity Assessment and Authorization A A The Contractor shall adhere to Government guidance on requested level of 1 PWS-2017-042 W900KK-17-NCR 19 May 2017 Draft accreditation and maintain Certification and Accreditation of the NCRC facility at a minimum of the TS SCI classification level Part of this accreditation maintenance shall include re-assessing and re-authorizing any changes in the range management and coordinating with the Authorizing Official to approve any changes in the software or hardware baseline 3 9 Government Furnished Property GFP Government Furnished Equipment GFE The Contractor shall be responsible for the accountability maintenance custody control and storage of all GFP including GFE and Government Furnished Software GFS in performance of this contract DI-MGMT-80269 Report Status of Government Furnished Equipment GFE 1                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu