Amendment 001 to SB1341‐17‐RP‐0007 Cybersecurity Research Development Implementation Support Services # Section of RFP RFP Page Referenced 1 Sec L 1 a 90 of 114 Paragraph Section of Page Response to Questions Amendment 002 Description of Question Response This paragraph references Standard Form 1449 however RFP SB1341‐17‐RP‐0007 was The NAICS code for this effort is 541519 ‐ Other computer related services with a small business size 2nd paragraph below issued with Standard Form 33 Consequently there is no NAICS code specified nor is there standard of $27 5 million title a small business standard identified on the SF33 Will the Government please identify any applicable NAICS code s and small business size standard Reference updated provision 52 204‐8 found under RFP Section K 2 This section of the RFP indicates that the SF1449 not provided can be used to submit our response to SB1341‐17‐RP‐0007 and we assume the SF33 can be used instead Please confirm However Section L 2 page 93 in section titled Proposal Volume Requirements there is a requirement to provide a cover letter letter of transmittal The same paragraph requires a title page as first page to be completed in accordance with FAR 52 215‐1 L 2 Section 5 0 Price Requirements for Volume V requires the SF33 be used as the cover sheet or first page of the Price Cost volume 2 Sec L 2 Is it the Government’s intention that the front matter for Volumes I through IV should be 3rd paragraph below ordered as follows title for L 1 b L 2 page 90 of 114 for L 1 b 93 section titled Proposal Cover Transmittal page Offerors shall submit a complete response in accordance with instructions provided in RFP Section L 2 93 for L 2 Volume Requirements Title Page 100 for L 2 Section 5 0 Instructios to Offerors ‐ FAR 52 212‐1 Addendum to Instructions to Offerors L 2 Section 5 0 page 100 Table of Contents the last paragraph on Table of Figures List of Tables page Glossary of Abbreviations and Acronyms And that front matter for Volume V should be as follows Signed completed SF33’s Title Page Table of Contents Table of Figures List of Tables Glossary of Abbreviations and Acronyms 3 Sec L 2 93 and 96 4 not give 93 and 96 5 Sec L 97 98 100 6 Sec L 90 The table of Volumes On page 93 the table shows 150 pages for Volume II Technical Approach However the and page limitations on first line on page 96 indicates that the page limit is 75 pages inclusive of all subsections As per Amendment 001 posted 04 04 2017 the correct page limiatiom for Volume II is 150 pages page 93 first line on page 96 Which page limitation is correct not given There is a big discrepancy in the number as page 93 states there is a 150 page limit and page 96 states there is a 75 page limit This makes a big difference when planning our As per Amendment 001 posted 04 04 2017 the correct page limiatiom for Volume II is 150 pages responses and would be beneficial to know before the official question responses are issued 2nd par on pg 97 3rd para on pg 97 last Please define “major subcontractor ” bulleted para on page 1st para on page 100 1 a For the purposes of this solicitation a major subcontractor is considered any first‐tier subcontractor There does not appear to be an SF1449 as described “The NAICS code and small business No the Government does not intend to provide a SF 1449 Offerors shall reference the updated provision size standard for this acquisition appear in Block 10 of the solicitation cover sheet SF at 52 204‐8 found under RFP Section K 2 and shall submit proposals in accordance with the instructions 1449 ” Does the Government intend to provide a SF 1449 found in section L 2 of the RFP Amendment 001 to SB1341‐17‐RP‐0007 Cybersecurity Research Development Implementation Support Services The SF 33 states “Sealed offers in original and 1 copies for furnishing…will be received at the place specified in item 8…” However page 94 paragraph 5 of the RFP states “Electronic Submission of Proposal ” Does the Government anticipate an email submission The Government will accept ONLY Electronic Submissions as per instructed in RFP Section L 2 Instructions as well as a copy delivered to its headquarters office at 100 Bureau Drive Stop 1640 to Offerors ‐ FAR 52 212‐1 Addendum to Instructions to Offerors Building 301 Room B129 Gaithersburg MD 20899 If an original and 1 copies is required for delivery what type of media is required – i e physical hardcopy digital softcopy etc… 7 SF 33 1 8 Sec L 94 9 Schedule of Labor Categories 18 19 Minimum Education The Minimum Education requirement for Program Manager II and III implies individuals must be certified as a Project Manager Professional PMP at the time of the proposal submission We recommend the Government add language to state the PMP certificate must be obtained by date of award or within 90 days after award 10 Sec L 94 1 Page Limitations Would the Government like a Compliance Matrix included as part of the submission If so A Compliance Matrix is not a requirement when submitting proposal responses If Offerors submit we recommend the Government not include this matrix in the page count limitations responses containing a Compliance Matrix it will count towards the page count limitations 11 Sec L 96 Box 9 Response to Questions Amendment 002 5 Electronic Submission If this is an electronic submission is there a file size limit for each volume we should of Proposal adhere to The maximum email message size is limited to 25 Megabytes Within 90 days of award is acceptable Section 2 1 Paragraph 2 states “Finally the offeror shall submit its list of proposed labor categories for the IDIQ contract The offeror’s proposed IDIQ labor categories shall match the Government’s list of required IDIQ labor categories including the descriptions and minimum qualifications for each labor category ” This requirement seems to imply the government would like the offeror to list out the Schedule of Labor Categories located between pages 7 and 26 in the RFP in the offeror’s Volume II Technical Response and this would be inclusive in page count limitation Is this the government’s intent or has the offeror misunderstood the requirement Offerors' Technical Reponse shall include the list of proposed labor categories for the IDIQ contract which shall match the government's list of required IDIQ labor categories plus any additional labor categories The reason the offeror has inferred this is because the requirement subsequently states being proposed by the Offeror The offeror shall cleary identify any labor categories being proposed that “However offerors may also propose additional labor categories for the IDIQ outside of are not included in the Government's list of required labor categories and shall clearly state the title 2 1 Sub‐Factor 1 – Project Plan for IDIQ those required by the Government The offeror shall clearly identify any labor categories description and any minimum qualifications for each labor category proposed However the proposed list Contract Paragraph #2 being proposed that are not on the Government’s list of required labor categories The of labor categories for the IDIQ inclusive of the Government's required labor categories and any offeror shall clearly state the labor category title description and any minimum additional labor categories proposed by the offeror may be submitted as an attachment to this volume of qualifications for each labor category proposed The proposed list of IDIQ labor categories the proposal and will not count towards the page limitations may be submitted as an “attachment” to this volume of the proposal and will not count towards the page count limitations of this volume ” As such our interpretation of the requirement is to include the Schedule of Labor Categories in the technical response which will be included in page count limitations and propose additional Labor Categories as attachments to the Technical Volume and those will not be included in page count limitation Government clarification will be helpful 12 Sec J_Sample Past Performance Questionnaire 2 4 Some of our References would like the Government to consider modifying the fill‐in box for If the Past Performance Questionnaire template provided in the RFP does not allow enough room for a “Description of the contract order work ” to accommodate more text to fully describe the given section references may attach a typed addendum to a given questionnaire to expand on such work performed We recommend the Government expand the description box or allow an sections However Offerors shall submit those questionnaires that use addendums such that the addendum to each past performance questionnaire such that the offeror’s References addendum is one with the questionnaire and is easily correlated to the subject questionnaire could substantially discuss the specific details of work performed 13 C 3 1 4 g 32 not given Does a contractor have to show direct experience with “developing an economic and social impact evaluation of the state pilots funded under the NSTIC State Pilots Cooperative The demonstration of the transative skills needed is acceptable Agreement Program ” or can a contractor show that they have the transitive skills to perform those tasks If it is the former and a contractor has to show direct knowledge we feel that his will limit the competition and heavily favor the incumbent 14 L 2 100 not given Can the past performance questionnaires be submitted for IDIQ contracts or do they need Past Performance Questionnaires may be submitted for IDIQ contracts Task Delivery orders BPAs Call to be for standalone contracts and individual task orders Orders and standalone contracts 15 Sec J TO#4 not given not given Does this Task Order require an approach that would have a large team of full‐time SMEs No It is expected that the work would utilize experts in very short blocks of time no more than 80 hours per requirement and the requirements are expected to be intermittent that have expertise across the subject areas Amendment 001 to SB1341‐17‐RP‐0007 Cybersecurity Research Development Implementation Support Services 16 Sec J TO#4 not given not given Response to Questions Amendment 002 Is NIST looking for the ability to pull in the expertise for short periods of time that presumably are working on other programs projects That is possible Resources in the past on similar task orders have been utilized for very short periods of time from other Task Orders so long as there was no significant impact to the other TO The Program Manager 3 needs to have a fundamental understanding of a broad range of computer security topics how they inter‐relate how they can potentially interact with other topics and what the general concerns are that NIST addresses for other government agencies A candidate with 5 years IT experience may be considered but they should demonstrate as much knowledge about computer security as possible Classes or other formalized training will be taken into consideration The Government does not intend to issue an extension to the proposal due date 17 Sec B 1 19 2 What is the reasoning for 5 years of IT experience in computer security for the Program Manager 3 – Contract Level Will 5 years of IT experience be acceptable even if it is not directly related to computer security 18 Block 9 SF 33 Due Date 1 Block 9 Various religions have major holidays that involve travel and time off during April We respectfully request a 10 days extension of the proposal due date to ensure that we can obtain the signatures for required up to 8 past performance questionnaires 19 Sec J TO#5 5 20 4 0 Past Performance Requirements 100 of 114 112 of 114 Factor C – Past 97 98 of 114 Performance 2 4 Specialized Experience Item 8 in the The Description says “Evidence of contribution to standards for a” Will the Government Deliverables table that is It should read standards fora Meaning multiple standards forums please provide the rest of the Deliverable description at the top of the page Per page 100 of the solicitation “Offerors are directed to provide completed Past Performance Questionnaires on no more than eight 8 of the offeror’s most recently completed Federal Government or Commercial contracts for services similar in scope to those of this requirement for work completed or substantially completed within the last three 3 years ” Additionally Section M states “The Government will only consider past performance of the Offeror’s projects that were completed or substantially completed within the past three years ” 2 4 3 1 However pages 97 98 of the solicitation state “To the extent possible any identified prime offeror or major subcontractor team member corporate experience performed within the past five years should be traceable to the information provided in Volume IV Past Performance ” Yes the Past Performance Questionnaires and Specialized Experience sections are different and have different requirements Are there different requirements for the Past Performance Questionnaires and Specialized Experience sections Are PPQ projects within the past three years but Specialized Experience examples can be within the past five years 21 not applicable not applicable not applicable Can the government clarify or provide an estimate to how many anticipated awardees are The Government does not have a predetermined number of awards it intends to issue as a result of the expected for this multiple award IDIQ RFP 22 not applicable not applicable not applicable Are there any incumbent contractor s to Task Order 1 for National Vulnerability Database Yes The Incumbent is Trusted Security Alliance LLC Analysis Support If so who is the current incumbent for Task Order 1 23 not applicable not applicable not applicable 24 not applicable not applicable not applicable 25 not applicable not applicable not applicable Are there any incumbent contractor s to Task Order 4 for Variable Subject Matter Expert Yes The Incumbent is Trusted Security Alliance LLC SME Support If so who is the current incumbent for Task Order 4 26 not applicable not applicable not applicable Are there any incumbent contractor s to Task Order 5 for Technical Analysis and Document Development in Support of the National Strategy for Trusted Identities in Cyberspace If so who is the current incumbent for Task Order 5 27 not applicable not applicable not applicable Are there any incumbent contractor s to Task Order 6 for NIST Special Publication SP 800‐ Yes The Incumbent is Trusted Security Alliance LLC 118 Support If so who is the current incumbent for Task Order 6 28 not applicable not applicable not applicable 29 not applicable not applicable not applicable Are there any incumbent contractor s to Task Order 2 for Computer Security Resource Center and National Vulnerability Database Development Support If so who is the Yes The Incumbent is Trusted Security Alliance LLC current incumbent for Task Order 2 Are there any incumbent contractor s to Task Order 3 for Support to Validation Programs Yes The Incumbent is Trusted Security Alliance LLC If so who is the current incumbent for Task Order 3 Yes The Incumbent is Trusted Security Alliance LLC Are there any incumbent contractor s to Task Order 7 for Research related to Internet of Things IoTs Architecture and Cybersecurity Risk Management Framework If so who is Yes The Incumbent is Trusted Security Alliance LLC the current incumbent for Task Order 7 Are there any incumbent contractor s to Task Order 8 for Program and Technical Services to Support the National Initiative for Cybersecurity Education NICE Effort If so who is Yes The Incumbent is Trusted Security Alliance LLC the incumbent for Task Order 8 Amendment 001 to SB1341‐17‐RP‐0007 Cybersecurity Research Development Implementation Support Services 30 not applicable not applicable not applicable Response to Questions Amendment 002 As this is a small business set‐aside does the government require that the small business FAR 52 219‐14 Limitations on Subcontracting Jan 2017 is applicable to this solicitation Offerors shall Prime Offeror perform 51% of work for each task order Or will the Government require read and comply with FAR 52 219‐14 Limitations on Subcontracting Jan 2017 for details on these that 51% of the work be performed over the life of the IDIQ contract across all task orders constraints However the general answer to the question is that it is over the life of the IDIQ contract For all task orders the Offeror shall provide sufficient supporting documentation to show its proposed total prices by tasks identified in each task order PWS Offerors shall propose a total price or ceiling price for labor hour or hybrid task orders for each task order The total price of the task order shall include Page 102 Section 5 0 B says “The Offeror shall clearly identify a total price for each separate optional task or option period ” Does the government want to see a task order any and all base and option tasks periods and travel Additionally the supporting documentation for each total price inclusive of optional tasks or should the optional tasks totals be kept separate task order shall demonstrate how the total prices were derived and shall show the derivation by task For any task orders with optional tasks or option periods the Offeror shall clearly identify a price for each separate optional task or option period as delineated in the instructions in Section L 2 31 Sec 5 0 B 102 2 32 not applicable not applicable not applicable 33 FAR 52 212‐1 ADDENDUM TO INSTRUCTIONS TO OFFERORS Electronic Submission of Proposal a 94 5th Paragraph Last Paragraph The Government will accept ONLY Electronic Submission as per instructed in RFP Section L 2 Instructions Can the government confirm that electronic submission of proposal is to the listed emails to Offerors ‐ FAR 52 212‐1 Addendum to Instructions to Offerors for Contracting Officer keith bubar@nist gov and Contracting Specialist chantel adams@nist gov on page 93 Yes those are the correct email addresses 34 3 3 Sub‐Factor 3 – Transition Plan 99 4th Paragraph “The transition should be no less than 60 days and no more than 90 days for startup from contract award date to performance start date ” If the contract award date for the base Offerors shall assume that all task orders would begin in the base period of the IDIQ contract However IDIQ is September 2017 can the government provide or confirm when the “performance specific start dates for each task order cannot be provided start dates” are for each of the eight task orders 35 3 3 Sub‐Factor 3 – Transition Plan 100 Due to the complexity of the response requirements that Offerors are to submit a complete response for all eight task orders inclusive of key personnel resumes would the The Government does not intend to issue an extension to the proposal due date government consider providing an extension of the deadline for proposal responses 4th bullet The instructions for the Transition Plan in Section L 2 of the solicitation specifically in Section 3 3 of Section The RFP indicates that Offeror’s transition plan shall address “Dated milestones for each L 2 have been amended to remove the requirement for the Transition Plan to include “Dated milestones step of the plan” – can the government clarify if it requires milestone dates for each of the for each step of the plan ” Offerors need not include specific dates for each step However offerors shall include specific time frames in which each step will be completed e g “within XX days of completion of eight task orders If so can the government provide anticipated start dates for Task Orders 1‐8 Step YY” in the Transition Plan Offerors shall assume that all task orders would begin in the base period of the IDIQ contract TO #1 Section 4 1 2 discusses analysis of vulnerability data and developing a triage process for that analysis What is the current approach to validating the vulnerabilities Are the An initial description of the vulnerability is produced by the vendor reporting the vulnerability The analyst takes the description and along with any information that can be found on specific research sites will vulnerabilities being re‐created and tested on a VM or other representation of the vulnerable software In the documentation it said there was an average of 20 minutes of perform a risk categorization and classification using CVSS Vulnerabilities are not recreated as a part of analysis per vulnerability which does not seem consistent with re‐creating the the analysis vulnerability 36 TO#1 Section 4 1 2 2 Paragraph 2 3 37 TO#6 Section 4 1 2 Paragraph 2 TO#6 ‐ Section 4 1 outlines the first step as interviewing a maximum of 5 staff Is it likely that the 5 staff members are in the same region and can it be assumed that these interviews can occur in a span of a few days as to reduce costs to one trip TO#7 ‐ For Section 4 1 1 which discusses creating a survey of the Different IoT Sectors Verticals This indicates that sources shall originate from Industry groups business Contacts and information will be given as available but it is also expected that the contractor should be bringing some expertise in the area to bear Any membership fees necessary will be provided by the trade organizations internet resources and IT research and advisory committee Will government however only with prior approval from the COR This TO does not include actual testing of these sources and membership to these organizations be provided to the contractor IoT devices This TO is intended to be at a higher level of abstraction than individual device testing Additionally will any IoT Devices be provided for this TO to test and evaluate recommended practices etc 38 TO#7 Section 4 1 1 2 Paragraph 2 39 Task Order 3 5 2 Documentation Support 3 7 All of the relevant staff are at the NIST Gaithersburg facility therefore it is entirely possible the interviews could be scheduled within a few days unless someone is out of the office during that time period e g at a conference on PTO etc In Task Order 3 all tasks under 5 2 Documentation Support are listed as labor hour tasks All tasks under Section 5 2 of TO 3 should be Labor Hour However they are listed as Firm Fixed Price in the solicitation on page 103 of 114 Are these tasks Labor Hour or Firm Fixed Price Section L 2 has been amended to reflect this correction Amendment 001 to SB1341‐17‐RP‐0007 Cybersecurity Research Development Implementation Support Services 40 41 42 Amendment 1 Q A Section L Section 5 0 – Price Requirements Subsection B PWS 2 Scope of Work 1 102 103 and 104 Question 10 Response to Questions Amendment 002 The answer in Question 10 of the Q A released with Amendment 1 indicated that “Past There may be a misinterpretation of the Government's answer to Question #10 from Amendment 001 The performance of individual members from their past employers is acceptable ” If an Offeror Government was saying that Offerors can submit past performance of individual members of their team Prime or Subcontractor member were to use past performance from an individual even if those individual members were working for different employers at the time of performance member from their past employers then However the past performance effort the references are evaluating the individual on shall still be for a recently completed government or commercial contract for services similar in scope to those of this 1 Can the government clarify what information would be required for the PPQ in requirement for work completed or substantially completed within the last three years Therefore the regards to contract value contract type etc for that individual member past information given on the PPQ with regards to contract value contract type etc should still be the performance information for whatever contract order the individual member performed under and is being evaluated on The actual agency entity that received the services of the company or individual should still be the 2 Would the past employer be the customer reference that completes the reference that completes the PPQ questionnaire The Government states For any task orders that include travel requirements the offeror shall clearly identify its total proposed ceiling price for estimated travel costs ” Also in Subsection B in the detailed Task Order paragraphs under Task Orders 4 5 and 8 the Government states Offeror shall estimate a total ceiling travel cost of $15 000 00” 2 and Task Order Offeror shall estimate a total ceiling travel cost of $20 000 00” and Offeror shall That is correct Offerors need not provide supporting documentation for their proposed ceiling travel Instructions for TOs 4 5 estimate a total ceiling travel cost of $20 000 00” for Task Orders 4 5 and 8 respectively costs since the ceiling travel costs have been pre‐defined by the Government and 8 Subsection B does not specify a requirement to provide any supporting documentation for these proposed ceiling prices for estimated travel costs Is it the Government’s direction that Bidders include these referenced ceiling travel costs with no supporting documentation The support needed to ensure a successful mission ranges from internal programmatic support to technical expertise and research consulting in a wide range of cyber and information security areas 30 of 114 2nd paragraph When performing any research consulting if we include intellectual property from our corporate Internal Research and Development IRAD efforts would this preclude us from selling our products We are concerned about OCI issues There is nothing in this contract that would preclude the Contractor from using its previously developed IP in commercial products Nothing in this contract should affect background IP IP developed prior to the contract work
OCR of the Document
View the Document >>