SOLICITATION NOTICE
D -- Application Security Services - RRB12Q032 Solicitation Documents
- Notice Date
- 8/23/2012
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 541519, Other Computer Related Services
- Contracting Office
- Railroad Retirement Board, Acquisition Management Division, OA, Procurement Section, 844 North Rush Street, 9th Floor NE, Chicago, Illinois, 60611-2092
- ZIP Code
- 60611-2092
- Solicitation Number
- RRB12Q032
- Point of Contact
- Elizabeth A Kelly, Phone: 312-751-3350, Paul T. Ahern, Phone: (312) 751-7130
- E-Mail Address
- elizabeth.kelly@rrb.gov, paul.ahern@rrb.gov
- Small Business Set-Aside
- N/A
- Description
- Attachments: RRB12Q032 Attachment 1; RRB12Q032 Solicitation Document in Word; RRB12Q032 SF 1449 Document

I. BACKGROUND INFORMATION

A. General Information

The Railroad Retirement Board (RRB) is an independent federal agency that administers a retirement and survivor benefit program for railroad employees and their families. The RRB was established by the Railroad Retirement Acts of 1937 and 1974. Its benefit program was the forerunner of the more familiar Social Security System. The Railroad Retirement System is unique inasmuch as it is the only federally administered benefit program covering a single private industry. The RRB also administers the Railroad Unemployment Insurance Act, which provides unemployment and sickness benefits to railroad employees. The RRB employs over 900 people and is headquartered in Chicago, Illinois.

B. Purpose

The RRB is seeking a contractor that can provide application security review and website review services. The objective of the services is to protect the safety and privacy of all RRB constituents who use RRB applications. The RRB wishes to improve its processes and approaches to application development across all platforms within its Software Development Lifecycle. The RRB also seeks to increase the security of existing RRB web applications through risk assessments and code reviews. The RRB may optionally request vulnerability remediation services to assist in correcting any identified coding or configuration flaws that are discovered.

C. Performance-Based Acquisition (PBA) Solicitation/Contract

This solicitation has been developed in response to the Office of Federal Procurement Policy (OFPP) established policy to prioritize the use of performance-based contracting methods in the acquisition of services. PBA emphasizes objective, measurable, mission-related outputs rather than how the work is performed or a broad and imprecise statement of work. It requires objective standards in developing statements of work, selecting contractors, determining contract type and incentives, and performing contract administration.

D. Post Award Conference

In order to codify the implementation and procedural issues attendant upon contract performance start-up, a post award conference will be held at the RRB Headquarters Facility, 844 North Rush Street, Chicago, Illinois 60611, or via a conference call. The contractor will be responsible for all costs related to attending this conference. It is anticipated that this conference will be held within 5 workdays after contract award.

II. SCHEDULE OF SERVICES

See the attached Word document of RFQ RRB12Q032 for the Price Schedule, Section II.

III. STATEMENT OF WORK

A. Description of Mandatory IT Security Services

1. Develop RRB Secure Coding Standards and Guidelines

The contractor shall develop a policy which establishes the scope, ownership and expectations for secure coding standards, to be reviewed and approved by the RRB. The contractor shall incorporate the secure coding practices throughout the RRB SDLC processes, defining checkpoints and milestones where information security requirements are defined, incorporated, tested, and reviewed. The contractor shall develop an RRB Secure Coding Standards document for the RRB to review and approve. This document shall define RRB coding standards based on authoritative secure coding sources, and best practice guidance on how to leverage safe coding frameworks and techniques tailored to the RRB web environment and internal application environment.

2. Infrastructure Security Risk Assessment

The contractor shall perform a risk assessment of all systems used in the development, testing, and production of the RRB.GOV website, including those systems located at the 3rd party contractor web hosting site and at the RRB internal network. The contractor will identify security devices which can assist in mitigating security flaws existing in web applications. The Contractor must thoroughly address and demonstrate their knowledge and consideration of the existing RRB IT security program in this assessment. This includes experience with mainframe and distributed environments, the RRB application environment, and network architecture. This will ensure a thorough infrastructure security risk assessment. The risk assessment shall be in accordance with NIST guidance and present findings in the form of agency Plan of Action & Milestones (POA&M) items, assigned to NIST security control families. The contractor will provide as part of their response the methodology and tools they will use to perform the infrastructure security risk assessment.

3. Applications Security Risk Assessment

The contractor shall perform an Application Security Risk Assessment of the RRB.GOV website, which includes approximately 17 web applications. For each application, the Contractor shall perform a vulnerability assessment consistent with the Open Web Application Security Project (OWASP) and other authoritative guidelines. The contractor will be responsible for identifying key security components within each application's code, and for performing manual and automated code review of each application system. The contractor should have experience in secure coding and in the programming languages used on the RRB website, including Classic ASP, ASP.NET, VB.Net, VBScript, and JavaScript. The risk assessment shall identify deviations from authoritative sources and the RRB Secure Coding Standards, and must be performed following the acceptance of that document by the RRB. The risk assessment shall also include a review of website and mainframe database and data security. The risk assessment shall be in accordance with NIST guidance and present findings in the form of agency Plan of Action & Milestones (POA&M) items, assigned to NIST security control families.

B. Optional Services

1. Assessment and Gap Analysis of the RRB's Systems Development Lifecycle (SDLC)

As an optional service, the RRB may request the contractor to assess the RRB Systems Development Lifecycle (SDLC) and provide a gap analysis comparing the existing SDLC process to best practices, such as those defined in the Microsoft Security Development Lifecycle or other authoritative sources. The contractor shall provide as part of their response the authoritative sources against which they intend to compare the RRB SDLC. The analysis must encompass a holistic approach to secure software development and procurement at the RRB and must include, but not be limited to, the following phases of software development: Training, Requirements, Design, Implementation, Verification, Release, and Response. The gap analysis must also include an analysis of current RRB staffing levels, training, currently assigned roles and responsibilities related to application security, and the use of automated application security tools in development, testing, or production which can be used to implement a secure SDLC. All standards and practices recommended by the contractor must be in compliance with applicable federal laws, regulations, NIST guidance, and RRB Information Security Policy.

NOTE: If this optional service is exercised by the RRB, the RRB shall award it with the initial Contract award and/or the Contractor shall perform these services during the initial phase of contract services performance.

2. Vulnerability Remediation Services

As an optional service, the contractor shall provide vulnerability remediation services on code or configurations that were identified as being deficient in the Web Applications Security risk assessment completed by the contractor. The RRB shall indicate to the contractor which deficiencies, if any, require contractor services. The contractor shall research recommended remediations for said deficiencies and work closely with RRB technical and business staff to implement remediations that are in line with RRB coding standards and business requirements. The Contractor shall be responsible for writing RRB design change documents, test cases and test plans to remediate specified deficiencies.

C. Requirements

1. Create a secure coding policy for the RRB and develop a Secure Coding Standards document.
2. Perform a risk assessment of the supporting internal network and website infrastructure, with recommendations for improving the infrastructure to support secure applications and a secure SDLC process. This risk assessment report will include results of internal and external scans, and manual tests as described above.
3. Perform a risk assessment of the RRB.GOV website and applications, with recommendations for remediation of findings. This risk assessment report will include results of vulnerability assessment, manual code review, and automated tests as described above.
4. As an optional service, perform a gap analysis comparing the RRB Systems Development Lifecycle (SDLC) document to authoritative sources, as specified above, and provide a report of the findings.
5. As an optional service, assist in performing remediations identified in the contractor risk assessments and selected for assistance by the RRB.

The RRB envisions that the majority of the requested services may be provided at the contractor's facility. Minimal travel to the RRB headquarters facility in Chicago may be required to perform the requested services. The RRB will provide any assigned contractor staff with a workstation while onsite at the RRB headquarters facility.

D. Staff Qualification

The proposed staff shall meet the following criteria:
1. Possess current knowledge of security products, technologies, and frameworks that can be used in a secure SDLC process.
2. Possess education, training, or experience in vulnerability assessments and secure programming.
3. Possess programming expertise in web application technologies including Classic ASP, ASP.NET, VB.Net, VBScript and JavaScript.

E. Deliverables

1. Contractor shall complete the following tasks or activities, achieve Contractor milestones timely and provide contract deliverables in the provision of the tasks listed below. The deliverable schedule is set forth in section III.F.

NOTE: All contract deliverables become the property of the RRB upon acceptance.

a. Deliverable #1: Develop RRB Secure Coding Standards and Guidelines as required in section III.A.1.
b. Deliverable #2: Infrastructure Security Risk Assessment Report in the form of a POA&M as required in section III.A.2.
c. Deliverable #3: Application Security Risk Assessment Report in the form of a POA&M as required in section III.A.3.
d. Deliverable #4 (OPTIONAL): Assessment and Gap Analysis of the RRB's Systems Development Lifecycle (SDLC) as required in section III.B.1.
e. Deliverable #5 (OPTIONAL): Vulnerability Remediation Services as required in section III.B.2.

F. Deliverable Schedule

MANDATORY DELIVERABLES

1. Deliverable #1: The written Secure Coding Standards document shall be submitted to the RRB 40 business days upon completion of the field work. The document submission shall include both hard copy and electronic copy. The schedule for the submission and acceptance of the draft Secure Coding Standards document is listed below:

TIMEFRAME | ACTION
a. 25 business days or less upon completion of SDLC review | Contractor shall submit the draft Secure Coding Standards document to the RRB.
b. 5 business days after receipt from contractor | RRB COTR shall ACCEPT the draft Secure Coding Standards document OR RETURN it to contractor with explanatory comments as to why the draft report is not acceptable as submitted.
c. 10 business days after receipt from the RRB for correction, if applicable | Contractor shall submit the revised final written Secure Coding Standards document to the RRB.

2. Deliverable #2: The written Infrastructure Security Risk Assessment document shall be submitted to the RRB 60 business days upon completion of field work. The document submission shall include both hard copy and electronic copy. The schedule for the submission and acceptance of the draft and final Infrastructure Security Risk Assessment document is listed below:

TIMEFRAME | ACTION
a. 45 business days or less upon completion of field work | Contractor shall submit the draft Infrastructure Security Risk Assessment report to the RRB.
b. 5 business days after receipt from contractor | RRB COTR shall ACCEPT the draft Infrastructure Security Risk Assessment report OR RETURN it to contractor with explanatory comments as to why the draft report is not acceptable as submitted.
c. 10 business days after receipt from the RRB for correction, if applicable | Contractor shall submit the revised final written Infrastructure Security Risk Assessment report to the RRB.

3. Deliverable #3: The written Application Security Risk Assessment report shall be submitted to the RRB 60 business days upon completion of field work. The document submission shall include both hard copy and electronic copy. The schedule for the submission and acceptance of the draft and final Application Security Risk Assessment report is listed below:

TIMEFRAME | ACTION
a. 45 business days or less upon completion of field work | Contractor shall submit the draft Application Security Risk Assessment report to the RRB.
b. 5 business days after receipt from contractor | RRB COTR shall ACCEPT the draft Application Security Risk Assessment report OR RETURN it to contractor with explanatory comments as to why the draft report is not acceptable as submitted.
c. 10 business days after receipt from the RRB for correction, if applicable | Contractor shall submit the revised final written Application Security Risk Assessment report to the RRB.

OPTIONAL DELIVERABLES

4. Deliverable #4: The written SDLC Report shall be completed and submitted to the RRB 40 business days upon the RRB's exercising this optional service and awarding of an order for the services. The report submission shall include both hard copy and electronic copy. The schedule for the submission and acceptance of the SDLC Report is listed below:

TIMEFRAME | ACTION
a. 25 business days or less upon the award of an order for these services | Contractor shall submit the draft SDLC Report to the RRB for review and/or acceptance.
b. 5 business days after receipt from contractor | RRB COTR shall ACCEPT the draft SDLC Report OR RETURN it to contractor with explanatory comments as to why the draft report is not acceptable as submitted.
c. 10 business days after receipt from the RRB for correction, if applicable | Contractor shall submit the revised final written SDLC Report to the RRB.

5. Deliverable #5: The Contractor shall provide the Optional Vulnerability Remediation Services after the issuance of an order for the services.

TIMEFRAME | ACTION
a. 5 business days or less upon the award of an order for these services | Contractor shall submit a project plan to remediate vulnerabilities that have been identified in the initial Risk Assessment of the Web Application.
b. 5 business days after receipt from contractor | RRB COTR shall ACCEPT the draft project plan OR RETURN it to contractor with explanatory comments as to why the draft report is not acceptable as submitted.
c. 5 business days after receipt from the RRB for correction, if applicable | Contractor shall submit the revised project plan to the RRB.
d. 45 business days after acceptance of the project plan by the RRB | Contractor shall complete the remediation services stated in the project plan and submit a detailed report of the remediation effort to the RRB.

IV. CLAUSES

A. Solicitation Provisions Incorporated by Reference (FEB 1998) FAR 52.252-1

This solicitation incorporates one or more solicitation provisions by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. The offeror is cautioned that the listed provisions may include blocks that must be completed by the offeror and submitted with its quotation or offer. In lieu of submitting the full text of those provisions, the offeror may identify the provision by paragraph identifier and provide the appropriate information with its quotation or offer. Also, the full text of a solicitation provision may be accessed electronically at this/these address(es): https://www.acquisition.gov/Far/

1. FAR 52.212-4, Contract Terms and Conditions - Commercial Items (FEB 2012);
2. FAR 52.212-1, Instructions to Offerors (FEB 2012);

B. Contract Terms and Conditions Required to Implement Statutes or Executive Orders - Commercial Items (JUL 2012) FAR 52.212-5

(a) The Contractor shall comply with the following Federal Acquisition Regulation (FAR) clauses, which are incorporated in this contract by reference, to implement provisions of law or Executive orders applicable to acquisitions of commercial items:
(1) 52.222-50, Combating Trafficking in Persons (Feb 2009) (22 U.S.C. 7104(g)).
___ Alternate I (Aug 2007) of 52.222-50 (22 U.S.C. 7104(g)).
(2) 52.233-3, Protest After Award (AUG 1996) (31 U.S.C. 3553).
(3) 52.233-4, Applicable Law for Breach of Contract Claim (OCT 2004) (Pub. L. 108-77, 108-78).
(b) The Contractor shall comply with the FAR clauses in this paragraph (b) that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: [Contracting Officer check as appropriate.]
__ (1) 52.203-6, Restrictions on Subcontractor Sales to the Government (Sept 2006), with Alternate I (Oct 1995) (41 U.S.C. 253g and 10 U.S.C. 2402).
__ (2) 52.203-13, Contractor Code of Business Ethics and Conduct (Apr 2010) (Pub. L. 110-252, Title VI, Chapter 1 (41 U.S.C. 251 note)).
__ (3) 52.203-15, Whistleblower Protections under the American Recovery and Reinvestment Act of 2009 (June 2010) (Section 1553 of Pub. L. 111-5). (Applies to contracts funded by the American Recovery and Reinvestment Act of 2009.)
__ (4) 52.204-10, Reporting Executive Compensation and First-Tier Subcontract Awards (Feb 2012) (Pub. L. 109-282) (31 U.S.C. 6101 note).
__ (5) 52.204-11, American Recovery and Reinvestment Act—Reporting Requirements (Jul 2010) (Pub. L. 111-5).
__ (6) 52.209-6, Protecting the Government's Interest When Subcontracting with Contractors Debarred, Suspended, or Proposed for Debarment (Dec 2010) (31 U.S.C. 6101 note).
__ (7) 52.209-9, Updates of Publicly Available Information Regarding Responsibility Matters (Feb 2012) (41 U.S.C. 2313).
__ (8) 52.209-10, Prohibition on Contracting with Inverted Domestic Corporations (May 2012) (section 738 of Division C of Pub. L. 112-74, section 740 of Division C of Pub. L. 111-117, section 743 of Division D of Pub. L. 111-8, and section 745 of Division D of Pub. L. 110-161).
__ (9) 52.219-3, Notice of HUBZone Set-Aside or Sole-Source Award (Nov 2011) (15 U.S.C. 657a).
__ (10) 52.219-4, Notice of Price Evaluation Preference for HUBZone Small Business Concerns (JAN 2011) (if the offeror elects to waive the preference, it shall so indicate in its offer) (15 U.S.C. 657a).
__ (11) [Reserved]
__ (12)(i) 52.219-6, Notice of Total Small Business Set-Aside (Nov 2011) (15 U.S.C. 644).
__ (ii) Alternate I (Nov 2011).
__ (iii) Alternate II (Nov 2011).
__ (13)(i) 52.219-7, Notice of Partial Small Business Set-Aside (June 2003) (15 U.S.C. 644).
__ (ii) Alternate I (Oct 1995) of 52.219-7.
__ (iii) Alternate II (Mar 2004) of 52.219-7.
__ (14) 52.219-8, Utilization of Small Business Concerns (Jan 2011) (15 U.S.C. 637(d)(2) and (3)).
__ (15)(i) 52.219-9, Small Business Subcontracting Plan (Jan 2011) (15 U.S.C. 637(d)(4)).
__ (ii) Alternate I (Oct 2001) of 52.219-9.
__ (iii) Alternate II (Oct 2001) of 52.219-9.
__ (iv) Alternate III (Jul 2010) of 52.219-9.
__ (16) 52.219-13, Notice of Set-Aside of Orders (Nov 2011) (15 U.S.C. 644(r)).
__ (17) 52.219-14, Limitations on Subcontracting (Nov 2011) (15 U.S.C. 637(a)(14)).
__ (18) 52.219-16, Liquidated Damages—Subcontracting Plan (Jan 1999) (15 U.S.C. 637(d)(4)(F)(i)).
__ (19)(i) 52.219-23, Notice of Price Evaluation Adjustment for Small Disadvantaged Business Concerns (OCT 2008) (10 U.S.C. 2323) (if the offeror elects to waive the adjustment, it shall so indicate in its offer).
__ (ii) Alternate I (June 2003) of 52.219-23.
__ (20) 52.219-25, Small Disadvantaged Business Participation Program—Disadvantaged Status and Reporting (Dec 2010) (Pub. L. 103-355, section 7102, and 10 U.S.C. 2323).
__ (21) 52.219-26, Small Disadvantaged Business Participation Program—Incentive Subcontracting (Oct 2000) (Pub. L. 103-355, section 7102, and 10 U.S.C. 2323).
__ (22) 52.219-27, Notice of Service-Disabled Veteran-Owned Small Business Set-Aside (Nov 2011) (15 U.S.C. 657f).
__ (23) 52.219-28, Post Award Small Business Program Rerepresentation (Apr 2012) (15 U.S.C. 632(a)(2)).
__ (24) 52.219-29, Notice of Set-Aside for Economically Disadvantaged Women-Owned Small Business (EDWOSB) Concerns (Apr 2012) (15 U.S.C. 637(m)).
__ (25) 52.219-30, Notice of Set-Aside for Women-Owned Small Business (WOSB) Concerns Eligible Under the WOSB Program (Apr 2012) (15 U.S.C. 637(m)).
__ (26) 52.222-3, Convict Labor (June 2003) (E.O. 11755).
__ (27) 52.222-19, Child Labor—Cooperation with Authorities and Remedies (Mar 2012) (E.O. 13126).
__ (28) 52.222-21, Prohibition of Segregated Facilities (Feb 1999).
_X (29) 52.222-26, Equal Opportunity (Mar 2007) (E.O. 11246).
__ (30) 52.222-35, Equal Opportunity for Veterans (Sep 2010) (38 U.S.C. 4212).
__ (31) 52.222-36, Affirmative Action for Workers with Disabilities (Oct 2010) (29 U.S.C. 793).
__ (32) 52.222-37, Employment Reports on Veterans (SEP 2010) (38 U.S.C. 4212).
__ (33) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496).
X_ (34) 52.222-54, Employment Eligibility Verification (JUL 2012) (Executive Order 12989). (Not applicable to the acquisition of commercially available off-the-shelf items or certain other types of commercial items as prescribed in 22.1803.)
__ (35)(i) 52.223-9, Estimate of Percentage of Recovered Material Content for EPA-Designated Items (May 2008) (42 U.S.C. 6962(c)(3)(A)(ii)). (Not applicable to the acquisition of commercially available off-the-shelf items.)
__ (ii) Alternate I (May 2008) of 52.223-9 (42 U.S.C. 6962(i)(2)(C)). (Not applicable to the acquisition of commercially available off-the-shelf items.)
__ (36) 52.223-15, Energy Efficiency in Energy-Consuming Products (DEC 2007) (42 U.S.C. 8259b).
__ (37)(i) 52.223-16, IEEE 1680 Standard for the Environmental Assessment of Personal Computer Products (DEC 2007) (E.O. 13423).
__ (ii) Alternate I (DEC 2007) of 52.223-16.
X_ (38) 52.223-18, Encouraging Contractor Policies to Ban Text Messaging While Driving (AUG 2011) (E.O. 13513).
__ (39) 52.225-1, Buy American Act—Supplies (Feb 2009) (41 U.S.C. 10a-10d).
__ (40)(i) 52.225-3, Buy American Act—Free Trade Agreements—Israeli Trade Act (May 2012) (41 U.S.C. chapter 83, 19 U.S.C. 3301 note, 19 U.S.C. 2112 note, 19 U.S.C. 3805 note, 19 U.S.C. 4001 note, Pub. L. 103-182, 108-77, 108-78, 108-286, 108-302, 109-53, 109-169, 109-283, 110-138, 112-41, and 112-42).
__ (ii) Alternate I (Mar 2012) of 52.225-3.
__ (iii) Alternate II (Mar 2012) of 52.225-3.
__ (iv) Alternate III (Mar 2012) of 52.225-3.
__ (41) 52.225-5, Trade Agreements (MAY 2012) (19 U.S.C. 2501, et seq., 19 U.S.C. 3301 note).
__ (42) 52.225-13, Restrictions on Certain Foreign Purchases (June 2008) (E.O.'s, proclamations, and statutes administered by the Office of Foreign Assets Control of the Department of the Treasury).
__ (43) 52.226-4, Notice of Disaster or Emergency Area Set-Aside (Nov 2007) (42 U.S.C. 5150).
__ (44) 52.226-5, Restrictions on Subcontracting Outside Disaster or Emergency Area (Nov 2007) (42 U.S.C. 5150).
__ (45) 52.232-29, Terms for Financing of Purchases of Commercial Items (Feb 2002) (41 U.S.C. 255(f), 10 U.S.C. 2307(f)).
__ (46) 52.232-30, Installment Payments for Commercial Items (Oct 1995) (41 U.S.C. 255(f), 10 U.S.C. 2307(f)).
X_ (47) 52.232-33, Payment by Electronic Funds Transfer—Central Contractor Registration (Oct 2003) (31 U.S.C. 3332).
__ (48) 52.232-34, Payment by Electronic Funds Transfer—Other than Central Contractor Registration (May 1999) (31 U.S.C. 3332).
__ (49) 52.232-36, Payment by Third Party (Feb 2010) (31 U.S.C. 3332).
X_ (50) 52.239-1, Privacy or Security Safeguards (Aug 1996) (5 U.S.C. 552a).
__ (51)(i) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631).
__ (ii) Alternate I (Apr 2003) of 52.247-64.

(c) The Contractor shall comply with the FAR clauses in this paragraph (c), applicable to commercial services, that the Contracting Officer has indicated as being incorporated in this contract by reference to implement provisions of law or Executive orders applicable to acquisitions of commercial items: [Contracting Officer check as appropriate.]
__ (1) 52.222-41, Service Contract Act of 1965 (Nov 2007) (41 U.S.C. 351, et seq.).
__ (2) 52.222-42, Statement of Equivalent Rates for Federal Hires (May 1989) (29 U.S.C. 206 and 41 U.S.C. 351, et seq.).
__ (3) 52.222-43, Fair Labor Standards Act and Service Contract Act—Price Adjustment (Multiple Year and Option Contracts) (Sep 2009) (29 U.S.C. 206 and 41 U.S.C. 351, et seq.).
__ (4) 52.222-44, Fair Labor Standards Act and Service Contract Act—Price Adjustment (Sep 2009) (29 U.S.C. 206 and 41 U.S.C. 351, et seq.).
__ (5) 52.222-51, Exemption from Application of the Service Contract Act to Contracts for Maintenance, Calibration, or Repair of Certain Equipment—Requirements (Nov 2007) (41 351, et seq.).
__ (6) 52.222-53, Exemption from Application of the Service Contract Act to Contracts for Certain Services—Requirements (Feb 2009) (41 U.S.C. 351, et seq.).
__ (7) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (Mar 2009) (Pub. L. 110-247).
__ (8) 52.237-11, Accepting and Dispensing of $1 Coin (Sept 2008) (31 U.S.C. 5112(p)(1)).

(d) Comptroller General Examination of Record. The Contractor shall comply with the provisions of this paragraph (d) if this contract was awarded using other than sealed bid, is in excess of the simplified acquisition threshold, and does not contain the clause at 52.215-2, Audit and Records—Negotiation.
(1) The Comptroller General of the United States, or an authorized representative of the Comptroller General, shall have access to and right to examine any of the Contractor's directly pertinent records involving transactions related to this contract.
(2) The Contractor shall make available at its offices at all reasonable times the records, materials, and other evidence for examination, audit, or reproduction, until 3 years after final payment under this contract or for any shorter period specified in FAR Subpart 4.7, Contractor Records Retention, of the other clauses of this contract. If this contract is completely or partially terminated, the records relating to the work terminated shall be made available for 3 years after any resulting final termination settlement. Records relating to appeals under the disputes clause or to litigation or the settlement of claims arising under or relating to this contract shall be made available until such appeals, litigation, or claims are finally resolved.
(3) As used in this clause, records include books, documents, accounting procedures and practices, and other data, regardless of type and regardless of form. This does not require the Contractor to create or maintain any record that the Contractor does not maintain in the ordinary course of business or pursuant to a provision of law.

(e)(1) Notwithstanding the requirements of the clauses in paragraphs (a), (b), (c), and (d) of this clause, the Contractor is not required to flow down any FAR clause, other than those in this paragraph (e)(1), in a subcontract for commercial items. Unless otherwise indicated below, the extent of the flow down shall be as required by the clause—
(i) 52.203-13, Contractor Code of Business Ethics and Conduct (Apr 2010) (Pub. L. 110-252, Title VI, Chapter 1 (41 U.S.C. 251 note)).
(ii) 52.219-8, Utilization of Small Business Concerns (Dec 2010) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds $650,000 ($1.5 million for construction of any public facility), the subcontractor must include 52.219-8 in lower tier subcontracts that offer subcontracting opportunities.
(iii) [Reserved]
(iv) 52.222-26, Equal Opportunity (Mar 2007) (E.O. 11246).
(v) 52.222-35, Equal Opportunity for Veterans (Sep 2010) (38 U.S.C. 4212).
(vi) 52.222-36, Affirmative Action for Workers with Disabilities (Oct 2010) (29 U.S.C. 793).
(vii) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (Dec 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40.
(viii) 52.222-41, Service Contract Act of 1965 (Nov 2007) (41 U.S.C. 351, et seq.).
(ix) 52.222-50, Combating Trafficking in Persons (Feb 2009) (22 U.S.C. 7104(g)). ___ Alternate I (Aug 2007) of 52.222-50 (22 U.S.C. 7104(g)).
(x) 52.222-51, Exemption from Application of the Service Contract Act to Contracts for Maintenance, Calibration, or Repair of Certain Equipment-Requirements (Nov 2007) (41 U.S.C. 351, et seq.).
(xi) 52.222-53, Exemption from Application of the Service Contract Act to Contracts for Certain Services-Requirements (Feb 2009) (41 U.S.C. 351, et seq.).
(xii) 52.222-54, Employment Eligibility Verification (JUL 2012).
(xiii) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (Mar 2009) (Pub. L. 110-247). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6.
(xiv) 52.247-64, Preference for Privately Owned U.S.-Flag Commercial Vessels (Feb 2006) (46 U.S.C. Appx. 1241(b) and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247-64.
(2) While not required, the contractor may include in its subcontracts for commercial items a minimal number of additional clauses necessary to satisfy its contractual obligations.

C. Security Provisions and Clauses

1. Security Information

The RRB is a social insurance agency. Privileged information for railroad employees and dependent beneficiaries is accessible from all mainframe terminals, terminal sessions on desktop PC workstations, and VLAN/WAN servers. Privileged information is also available in paper form, data disks, and data tapes throughout the Chicago headquarters facility and remote offices. Access to, and use of, this information is covered under the Privacy Act of 1975 and other U.S. Codes. The provision of the Federal Acquisition Regulation (FAR) section 52.239-1, Privacy or Security Safeguards (Aug 1996), is hereby incorporated by reference.
No copies of railroad employee or beneficiary information can be removed from an RRB site or retained by any member of the contractor staff in any transferable media, be that paper or electronic. With the exception of cellular/digital telephones owned and used by the Contractor staff, no communications line other than those analog lines and data links installed and approved by the RRB will be allowed. All CDs and diskettes used by the Contractor in the course of this project will be retained by the RRB upon completion of each task under the base contract.

2. Privacy Act Notification (APR 1984) FAR 52.224-1

The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

3. Privacy Act (APR 1984) FAR 52.224-2

(a) The Contractor agrees to -
(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies -
(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform;
(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and
(3) Include this clause, including this subparagraph (c), in all subcontracts awarded under this contract which require the design, development, or operation of such a system of records.
(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency.
(c)(1) 'Operation of a system of records,' as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
(2) 'Record,' as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
(3) 'System of records on individuals,' as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

4. Privacy or Security Safeguards (AUG 1996) FAR 52.239-1

(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer's written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.
(d) Each agency has its own rules regarding privacy and security of data. The RRB's rules are summarized in the following publications:
(1) Privacy Act Information
http://www.rrb.gov/bis/privacy_act/introduction.asp
http://www.rrb.gov/bis/privacy_act/overview.asp
http://www.rrb.gov/bis/privacy_act/information_rrb_maintains.asp
(2) RRB's Privacy System of Records
http://www.rrb.gov/bis/privacy_act/sornlist.asp
(3) Internal Revenue Service's (IRS) Publication 1075, Tax Information and Security Guidelines for Federal, State and Local Agencies
http://www.irs.gov/pub/irs-pdf/p1075.pdf
(e) Anticipated threats and hazards that the contractor must guard against:
- Data stored on equipment following the completion of the project.
- Data removal process not including eradication methods.
- Contractor employees not fully versed in responsibilities with respect to Privacy and Security.
- Contractor accessing RRB data from unauthorized sites.
(f) Safeguards that the contractor must specifically provide include: A contractor having access to RRB data should have in place preventive measures to assure that:
(1) Accessed data is not retained in contractor files or on contractor's equipment.
(2) Data temporarily housed on contractor's equipment must be eradicated, the space not just marked for reuse.
(3) All contractor staff members are made aware of their responsibilities with respect to Privacy and Security. (4) Contractor access to RRB data is limited to RRB approved sites. 5. PERSONAL IDENTITY VERIFICATION OF CONTRACTOR PERSONNEL (JAN 2011) FAR 52.204-9 (a) The Contractor shall comply with agency personal identity verification procedures identified in the contract that implement Homeland Security Presidential Directive-12 (HSPD-12), Office of Management and Budget (OMB) guidance M-05-24 and Federal Information Processing Standards Publication (FIPS PUB) Number 201 (see attachment A). (b) The Contractor shall account for all forms of Government-provided identification issued to the Contractor employees in connection with performance under this contract. The Contractor shall return such identification to the issuing agency at the earliest of any of the following, unless otherwise determined by the Government: (1) When no longer needed for contract performance. (2) Upon completion of the Contractor employee’s employment. (3) Upon contract completion or termination. (c) The Contracting Officer may delay final payment under a contract if the Contractor fails to comply with these requirements. (d) The Contractor shall insert the substance of this clause, including this paragraph (d), in all subcontracts when the subcontractor’s employees are required to have routine physical access to a Federally-controlled facility and/or routine access to a Federally-controlled information system. It shall be the responsibility of the prime Contractor to return such identification to the issuing agency in accordance with the terms set forth in paragraph (b) of this section, unless otherwise approved in writing by the Contracting Officer. D. Other Contract Clauses or Provisions: 1. OPTION TO EXTEND SERVICES (NOV 1999) FAR 52.217-8 The Government may require continued performance of any services within the limits and the rates specified in the contract. 
These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within the period specified in the Schedule. 2. Conflicts of interest The offeror agrees not to have any direct or indirect financial or familial interest, or engage in any activity, which conflicts substantially, or appears to conflict substantially, with the offeror’s duties under this contract. The offeror further agrees that the RRB shall have the exclusive right to determine whether such a conflict of interest exists, and whether it is substantial. Failure of the offeror to adhere to this provision will, at the discretion of the RRB, result in the immediate termination of the contract without any further liability of the RRB. 3. Post-award conference In order to codify the implementation and procedural issues attendant upon contract performance, a post-award conference will be held at the RRB headquarters facility in Chicago, IL no later than five (5) calendar days after contract award. The Contractor must attend this conference and be prepared to discuss the project milestone events and schedule. The Contractor will be responsible for all costs related to attending this conference. 4. Billing Contractor shall submit detailed invoices with quantities for work completed and deliverables submitted and accepted by the RRB and CLIN pricing as designated in Section II.B including dates and descriptions of services. Contractor shall only bill for deliverables provided and accepted by the RRB. Travel may be submitted on completion of travel or after first milestone whichever is later. 5. 
Technical Direction Performance of the work under this contract shall be subject to the technical direction of the Contracting Officer Representative (COR). The term “technical direction” is defined to comprise the following: a. Directions to the Contractor which redirect the contract effort, shift work emphasis between work areas or tasks, require pursuit of certain lines of inquiry, fill in details or otherwise serve to accomplish the contractual statement of work. b. Provisions of information to the Contractor which assists in the interpretation of drawings, specifications or technical portions of the work description. c. Review and, where required by the contract, approve technical reports, drawings, specifications and technical information to be delivered by the Contractor to the Government under this contract. Technical directions must be within the general scope of work stated in the contract. The COR does not have the authority to and may not issue any direction which (1) constitutes an assignment of additional work outside the general scope of the contract; (2) constitutes a change as defined in the contract article entitled “Changes”; (3) in any manner causes an increase or decrease in the estimated cost or the time required for contract performance; or (4) changes any of the expressed terms, conditions, or specifications of the contract. The Contractor shall proceed promptly with the performance of technical directions duly issued by the COR in the manner prescribed by this Section and within his authority under the provisions of this Section. If, in the opinion of the Contractor, any instruction or direction issued by the COR is within one of the categories as defined in (1) through (4) above, the Contractor shall not proceed but shall notify the Contracting Officer within five (5) working days after receipt of any such instruction or direction and shall request the Contracting Officer to modify the contract accordingly. 
Upon receiving such notification from the Contractor, the Contracting Officer shall issue an appropriate contract modification or advise the Contractor in writing that, in his opinion, the technical direction is within the scope of this Section and does not constitute a change under the Changes article of the contract. The Contractor shall thereupon proceed immediately with the direction given. A failure of the parties to agree upon the nature of the instruction or direction or upon the contract action to be taken with respect thereto shall be subject to the provisions of the contract article entitled “Disputes”. 6. Contracting Officer: The Contracting Officer has the overall responsibility for the administration of this contract, and he alone, without delegation, is authorized to take actions on behalf of the Government to: amend, modify or deviate from the contract terms, conditions, requirements, specifications, details and/or delivery schedules; make final decisions on disputed deductions from contract payments for nonperformance or unsatisfactory performance; terminate the contract for convenience or default; issue final decisions regarding contract questions or matters under dispute. The Contracting Officer may, however, delegate certain other responsibilities to his authorized representatives including the COR and the Contract Administrator. V. PROPOSAL SUBMISSION INSTRUCTIONS A. General Instructions 1. The proposal shall be submitted in two parts – a “business proposal” and a “technical proposal”. Each of the parts shall be separate and complete in itself so that evaluation of one may be conducted independently of, and concurrently with, evaluation of the other. 2. Proposals shall be submitted on or before 1:00PM CST on September 12, 2012. Offerors must submit electronic versions of their proposals to proposals@rrb.gov to the attention of Ms. Elizabeth Kelly at the RRB. 
Any further questions regarding this RFQ must be submitted to the RRB by August 29, 2012 at 11:00AM CST to proposals@rrb.gov. B. Business Proposal 1. The Offeror shall submit one (1) signed copy of Standard Form (SF-) 1449 with Blocks 12, 17a. and b., and 30a., b., and c. completed. 2. The offeror shall complete Section II – The Price Schedule with prices for all CLINS. 3. Other information the contractor determines appropriate and relevant to the evaluation team. C. Technical Proposal The offeror shall provide an electronic copy of their technical proposal with sections separated as described below. The technical proposal shall include a description of the services being offered in sufficient detail to evaluate compliance with the requirements and the evaluated technical factors of the solicitation. The offeror shall fully and clearly address each mandatory and other evaluated technical factor so that the RRB’s technical evaluation panel can identify and comprehend the capability and resources the offeror intends to bring to this procurement. The technical proposal shall provide technical information to substantiate the offeror’s ability to satisfy requirements in Section III. All mandatory requirements shall be met for an offeror to be considered responsive. Offerors shall provide complete and detailed technical information to facilitate RRB evaluation and scoring of the following evaluated technical factors: 1. Project Management Approach Detailed documents shall be presented to indicate how the offeror will manage the performance of the full range of services required in the Statement of Work, Section III as demonstrated through the following three plans: a. 
Project management plan: The project plan shall include a detailed narrative outlining the contractor’s project approach and methodology for all deliverables, the required functionalities and activities, authoritative sources which they intend to leverage in the development of secure coding standards and guidelines, and a projected time-line/milestone chart for all deliverables except # 5. b. Staffing plan: The staffing plan shall explain and provide details of the proposed staffing and organizational structure to accomplish the deliverables described in Section III. An organizational chart shall be presented depicting the key project positions by title and, when feasible, by name and shall include a description of the related functions, including supervisory/managerial levels and responsibilities. This staffing plan shall be consistent with the actual staff proposed in Section V.C.2 below. c. Quality control plan: Offerors shall submit details to demonstrate they have a quality control plan which will ensure effectiveness, efficiency, soundness, and high quality services incident to performing the Statement of Work described in Section III. The plan shall address procedures for deficiency detection and implementation of corrective measures. The plan will also address use of corporate resources beyond the assigned team to ensure quality control. 2. Experience, qualifications, and expertise of proposed staff Specific numbers of years experience, demonstrated qualifications, and expertise in performing information security risk assessments and secure code reviews shall be submitted and clearly explained. Resumes of the individuals to be assigned to this project shall be submitted. Specific years of experience in the above work and relevant certifications and/or degrees (Bachelor’s and higher) shall be clearly presented. The staff proposed in this section shall be consistent with the staffing plan and related organization chart presented in Section V.C.1.b. 3. 
Past performance The offeror shall submit, as part of its proposal, information on previously performed or ongoing contracts that are similar to the Statement of Work in this solicitation performed for the Federal, State, or local Government and for commercial firms. Information shall be provided on either: 1) all such contracts within the past eighteen months, or 2) the last three such contracts performed, whichever is fewer, and shall be limited to the name and address of the organization for which the services were performed and the names and phone numbers of at least two knowledgeable technical contacts for each contract listed. The offeror should not describe past performance history in the proposal. The RRB will obtain information from the contract references provided by the offeror. The offeror is advised that the RRB may obtain past performance information from sources other than those identified by the offeror. The RRB intends to contact at least three clients for which similar tasks have been performed. The following performance characteristics shall be evaluated: a. Direct applicability of the referenced project to the RRB’s project scope and requirements (security assessments of Web-based applications, IT security and Systems Development Policy/Procedures assessments, and remediation of coding vulnerabilities), b. Customer satisfaction, which includes satisfaction of end users with the offeror’s service, c. Quality of service, d. Reliability and timeliness of performance, which includes the offeror’s reliability as well as the ability to perform in a timely manner. e. Contractor’s record for completing services within the project resource plan and budget, thereby avoiding cost overruns. VI. EVALUATION AND AWARD A. 
Evaluation—Commercial Items (Jan 1999) FAR 52.212-2 The Government will award a contract resulting from this solicitation to the responsible offeror whose offer conforming to the solicitation will be most advantageous and a best value to the Government, price and other factors considered as outlined below. Offerors shall be evaluated on a technical to price ratio of 2:1. The following factors shall be used to evaluate offers: 1. Business Proposal a. The total evaluated price for each offeror shall be the sum of the total of the firm-fixed prices offered for CLINS 001- 004 and the offered Firm Fixed Price hourly rates for each labor category in CLIN 005 multiplied by the percentage of services to be provided by each category multiplied by 500 hours. b. Calculation of the price score (100 possible points) will be computed by multiplying the maximum point score available by a fraction representing the ratio of the lowest total evaluated price of all technically acceptable offers received by the Board to the total evaluated price of the offer being evaluated. 2. Technical Proposal To be considered responsive, the offeror must comply with the format and content specified in Section V, “Instructions to Offerors”. Offerors whose proposals are deemed deficient in this regard may be permitted, at the RRB’s discretion, to remedy the deficiency by submitting additional clarifying or supplemental information. Responsive proposals shall be evaluated to determine the relative technical merit of each response. Accordingly, the objective of this evaluation is to measure the extent to which proposals meet the requirements as stated in the Statement of Work and the required proposal format and content, Section V, “Instructions to Offeror”. Calculation of the technical score (200 possible points) will be accomplished by adding the points awarded for each rated area. Technical proposals will be first reviewed for content conformance to proposal preparation instructions. 
Proposals that are so deficient in this area as to not warrant further consideration will be rejected and the offeror will be so notified. Technical proposals shall be evaluated using the following criteria in descending order of importance: 1). Project Management Approach (100 points, 50% of the technical points available) as demonstrated through the quality of the: offeror’s Project management plan is feasible and appropriate and includes a detailed narrative outlining the required functionalities and activities, a projected time-line/milestone chart, worksteps involved and responsibilities to ensure timely and quality completion of deliverables, staffing plan, including an organization chart and a description of related functions, and Quality control plan, to ensure high quality of services and detect and mitigate deficiencies in services provided. See Section V.C.1. 2). Experience, qualifications, and expertise of proposed staff (70 points - 35% of the points available) The RRB will evaluate the contractor’s proposed staff as to their capability to accomplish the project’s deliverables, as demonstrated through the resumes of the proposed project staff. Numbers of years experience and relevant certifications and/or degrees will be considered. See Section V.C.2. 3). Past performance (30 Points - 15% of the points available) The RRB will evaluate the contractor’s capability to perform the required services as indicated by: the direct applicability of the references, customer satisfaction, quality of service, reliability and timeliness of performance of services within project plans and budgets. See Section V.C.3. B. The contracting officer shall deem any offer which fails to address all of the mandatory services requirements and optional services of Section III, the Statement of Work, as non-responsive. C. 
The contracting officer may request clarifications to any proposals after the initial business and technical review and hold discussions as determined necessary. The Government reserves the right to award without discussions per FAR Part 15. D. A written notice of award or acceptance of an offer, mailed or otherwise furnished to the successful offeror within the time for acceptance specified in the offer, shall result in a binding contract without further action by either party. Before the offer's specified expiration time, the Government may accept an offer (or part of an offer), whether or not there are negotiations after its receipt, unless a written notice of withdrawal is received before award. VII. ATTACHMENTS A. Attachment 1: Notification of PIV Requirements
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/RRB/BSS/PD/RRB12Q032 /listing.html)
- Place of Performance
- Address: 844 N. Rush St., Chicago, Illinois, 60477, United States
- Zip Code: 60477
- Record
- SN02851908-W 20120825/120823235741-8ac84050a13194686b97be2b72e0bdb8 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice