AMENDED REQUEST FOR INFORMATION - GovShop


UNCLASSIFIED


AMENDED

REQUEST FOR INFORMATION

CyberSecurity Support Services (CS3)

Information Technology Services Directorate (CIO-T)

1.0 DESCRIPTION & PURPOSE

1.1 The National Geospatial-Intelligence Agency (NGA), in support of the Office of the Chief Information Officer (CIO) and the Information Technology Services Directorate (CIO-T), is seeking information regarding industry practices and performance measurements, and is assessing industry interest, regarding cybersecurity services to protect and defend against cyber-attacks.

1.2 The purpose of this Request for Information (RFI) is fourfold:

1.2.1 Industry performance metric information and current industry best practices, both commercial and governmental, that would enhance the ability to satisfy NGA’s objectives.

1.2.2 Information regarding new technologies and processes that could positively impact the satisfaction of NGA’s needs.

1.2.3 Identification of nuances that could add to costs and increase the risk of unsuccessful contract performance.

1.2.4 Recommendations and supporting analyses as a crucial step in formulating evaluation factors, contracting strategies and acquisition plans, source selection methods, and the amount and type of proposal information to request.

1.3 THIS IS A REQUEST FOR INFORMATION (RFI) ONLY. This RFI is issued solely for information and planning purposes – it does not constitute a Request for Proposal (RFP) or a promise to issue an RFP in the future. This RFI does not commit the Government to contract for any supply or service whatsoever. Further, NGA is not at this time seeking proposals and will not accept unsolicited proposals. Responders are advised that the U.S. Government will not pay for any information or administrative costs incurred in response to this RFI. All costs associated with responding to this RFI will be solely at the interested party’s expense. Not responding to this RFI does not preclude participation in any future RFP, if any is issued.

2.0 BACKGROUND

NGA has a mission-critical need for information assurance measures that protect and defend information and information systems by assuring their availability, integrity, authentication, confidentiality, and non-repudiation, as well as providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

2.1 End State Objectives

Prospective acquisition(s) will likely result in non-personal services contract(s) to achieve the end-state objectives set forth herein, and to support the NGA geospatial-intelligence (GEOINT) mission, with the contractor(s) providing all personnel, equipment, supplies, facilities, transportation, tools, materials, supervision, and other items and non-personal services necessary to successfully achieve the following end-state objectives through the resultant contract(s).


The following are the objectives that NGA expects to achieve through the resultant contracts.

Applicable to all of the objectives:

Agency-level Continuous Monitoring that is:
- Tightly integrated with the assessment and authorization processes to inform a Risk Posture Scorecard for each system, domain, and enterprise, with an automated escalation process designed to keep system(s) from reaching an unacceptable level of risk
- Matured to IC Inspector General Level 5 for IT Security, as assessed during annual FISMA evaluations
- An enhancement of capabilities to improve data quality and compliance effectiveness, and to expand, improve, and optimize monitoring methods and technologies to better align with NGA’s cybersecurity goals and objectives
- Ensures cybersecurity compliance, metrics, policies, processes, and governance
- Aggregation of monitored data into a product that anticipates future threat vectors (Machine Learning)

Continuous Monitoring

To counter the increasing and evolving cyber threats, NGA requires, as an end-state objective, the continuous monitoring of all activities set forth herein. Achieving continuous monitoring will require the employment of one or more automation tools in order to provide:
- Improved response and task completion times
- Repeatable and actionable insight into enterprise environments, leading to fewer vulnerabilities
- More effective and efficient use of cyber resources by freeing skilled human labor from mundane tasks to focus on designing and implementing cybersecurity strategies and initiatives

Knowledge Management
- Creates, shares, and manages the knowledge and information of NGA via a multidisciplinary approach to achieving organizational objectives by making the best use of knowledge
- Supports an enterprise collaborative culture as part of its web presence

1. Assessment & Authorization (A&A) is performed effectively, timely, and accurately for all systems and applications installed or proposed for installation on NGA networks:
- Effective and timely security onboarding for all new applications proposed for installation on NGA networks
- NGA systems and their security requirements protected from cybersecurity risks through effective implementation of the Risk Management Framework (RMF)
- The assessment process optimized to automate to the furthest extent possible and to tailor technical assessments to each discrete system


- The Risk Management Framework (RMF) process optimized to ensure the execution of all steps (prepare, categorize, select, implement, assess, authorize, and monitor) and their structure, including purposes, tasks, plans, and assessments, as set forth in federal, DoD, and IC policy
- Comprehensive risk recommendations based on assessment results and cyber-intelligence

2. Risk Management identifies, evaluates, and prioritizes the effects of uncertainty on objectives, together with a coordinated and economical application of resources to minimize, monitor, and control the probability of unfortunate events; effectuates tool-agnostic approaches with logic and algorithms that inform data quality and answer security domain questions; and maximizes the realization of opportunities through the following services for all applications on NGA networks:
- Enhancement of capabilities with the goals of improved data quality and compliance effectiveness

3. On Network Exploitation (Rogue O.N.E.)
- Research, detect, analyze, and exploit network vulnerabilities within NGA Enterprise systems to assess risk and recommend actionable countermeasures
- Assess and enhance its information systems’ capabilities to detect, protect, prevent, and respond to advanced adversary actions
- Effective and efficient measurement of the agency’s cybersecurity posture
- Vulnerabilities on systems, services, and applications identified and exploited
- Provide validation evidence exhibiting the mitigation or remediation of each disclosed vulnerability/exposure
- Effective internal/external cybersecurity exercises and assessments
- Threat modeling identifies and creates intelligence for Threat Emulation requirements
- Penetration testing skills assessment evaluations provide NGA with technical subject matter expertise and analytic support
- Blue Team analyses and assessments to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain that all security measures will continue to be effective post-implementation
- Provide Cyber Threat Emulation using the leading edge of the latest adversary Tactics, Techniques, and Procedures, and enhance the security team’s people, processes, and technology to prevent, detect, and respond to advanced adversary actions
- Emulate a real-world targeted attack or insider threat through the full attack lifecycle, from initial reconnaissance to mission completion
- Simulate a malicious insider or an attacker that has gained access to an end-user system, including privilege escalation


- Prioritize which Information Systems to inspect, evaluate, or assess based on IS mission criticality, adversary techniques and tactics, and identified vulnerabilities
- Purple Team works side by side with internal security
- Assess the enterprise security posture and report root cause
- Penetration Testing Assessments identify and exploit vulnerabilities on systems, services, and applications to determine cybersecurity posture for NGA
- Conduct tests on systems identified through RA-5 (REvAMP 3+), IARC, and Threat Intelligence (Public Facing, Mission Essential Function, Known Adversary Target-type, Annual retest of systems after ATO). Provide thorough analysis of all devices identified within assessment bounds
- Red Team challenges NGA to improve effectiveness through its assumption of an adversarial role or point of view to compromise assets, thus enabling the discovery of existing vulnerabilities in networks, applications, Internet of Things (IoT) devices, and personnel; determining the effectiveness of security monitoring and alerting capabilities; and identifying weaknesses in incident response policies and procedures
- Cyber Threat Intelligence to identify and create intelligence for Threat Emulation requirements through practices such as threat modeling
- Learn the different sources from which to collect adversarial tactics, and how to exploit and pivot off of them
- Validate information received externally to minimize the costs of bad intelligence
- Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC, and STIX
- Incident Response Assessments that provide technical subject matter expertise and analytic support to NGA Counterintelligence and Cyber Defense provider components
- Vulnerability Validation coordinates with internal and external entities for validating fixes of responsibly disclosed vulnerabilities/exposures. The list includes, but is not limited to: Command Cybersecurity Operational Readiness Inspection (CCORI), Vulnerability Disclosure Program (VDP), and Rogue O.N.E.
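The Rogue O.N.E. objectives above ask for externally received intelligence to be validated and for IOCs to be issued in formats such as YARA and STIX. The following added example (not code from the RFI, NGA, or any named program) shows what that looks like in practice: indicators are normalized and validated before they are emitted, then written out as a STIX 2.1 bundle and as a YARA rule. It uses only the Python standard library; the indicator values are constructed (an RFC 5737 test address, a .invalid domain, a dummy hash), and every helper name is the example's own.

```python
"""Emit Indicators of Compromise (IOCs) as a STIX 2.1 bundle and a YARA rule.

Added example, not text or code from the RFI. The sample indicators are
constructed (RFC 5737 / .invalid values), and every helper name here is
this example's own.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample indicators; not real threat data.
SAMPLE_IOCS = [
    {"type": "sha256", "value": "A" * 64},
    {"type": "domain", "value": "Update.Example.Invalid "},
    {"type": "ipv4", "value": "203.0.113.7"},
]

# Reject malformed values before they reach a shared feed: one bad IOC
# costs analyst time on every consumer (the RFI's "bad intelligence" point).
_VALIDATORS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$"),
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
}

# STIX 2.1 comparison-expression templates for each indicator type.
_PATTERNS = {
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
}


def normalize(ioc):
    """Return (type, canonical value) or raise ValueError."""
    t, v = ioc["type"], ioc["value"].strip()
    if t in ("sha256", "domain"):
        v = v.lower()
    if t not in _VALIDATORS or not _VALIDATORS[t].match(v):
        raise ValueError(f"invalid {t} indicator: {ioc['value']!r}")
    return t, v


def is_valid(ioc):
    try:
        normalize(ioc)
        return True
    except (ValueError, KeyError):
        return False


def _stix_quote(v):
    # Single-quoted STIX string literals escape backslash and quote.
    return v.replace("\\", "\\\\").replace("'", "\\'")


def stix_indicator(ioc, now=None):
    t, v = normalize(ioc)
    now = now or datetime.now(timezone.utc)
    ts = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",  # STIX domain objects use random UUIDv4 ids
        "created": ts,
        "modified": ts,
        "name": f"{t} {v}",
        "indicator_types": ["malicious-activity"],
        "pattern": _PATTERNS[t].format(v=_stix_quote(v)),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def stix_bundle(iocs, now=None):
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [stix_indicator(i, now) for i in iocs],
    }


def yara_rule(name, iocs):
    """YARA matches bytes, so domains and IPs become strings; a file hash
    cannot be matched by YARA and is carried as rule metadata only."""
    if not re.match(r"^[A-Za-z_][A-Za-z0-9_]*$", name):
        raise ValueError(f"bad YARA rule name: {name!r}")
    strings, meta = [], []
    for ioc in iocs:
        t, v = normalize(ioc)
        if t == "sha256":
            meta.append(f'        hash_{len(meta) + 1} = "{v}"')
        else:
            strings.append(f'        $s{len(strings)} = "{v}" ascii wide nocase')
    # A rule with no matchable strings must not reference $s*, so it gets `false`.
    condition = "any of ($s*)" if strings else "false"
    body = ["rule " + name, "{", "    meta:", '        source = "cs3 example"'] + meta
    if strings:
        body += ["    strings:"] + strings
    body += ["    condition:", "        " + condition, "}"]
    return "\n".join(body)


if __name__ == "__main__":
    print(json.dumps(stix_bundle(SAMPLE_IOCS), indent=2))
    print(yara_rule("cs3_sample_iocs", SAMPLE_IOCS))
```

Run the file to see both outputs. Values are canonicalized (trimmed, lower-cased) before validation so that the same indicator from two sources does not become two entries, and anything that fails validation is refused rather than passed through, which is the cheapest place to catch the bad intelligence the objective refers to.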

4. Analytics and Reporting
- Employment of data science and analytics applied to Big Data to enhance continuous monitoring, database engineering, and enterprise architecture
- Visualization products utilizing Big Data analytics enable decision-making for various NGA stakeholders. Skillsets involved include, but are not limited to, visualization design, Web Development (Full Stack), UI (Design), and UX (Design)
- Cybersecurity analyses, ICD 503, and Nation State Threat Analyses enhance cyber threat risk analytics and posture reporting


5. Vulnerability Management
- Vulnerability management identifies, quantifies, and prioritizes the vulnerabilities that exist in systems
- Data-centric solutions for effective vulnerability management
- Effective and relevant qualitative and quantitative metrics feed risk posture and continuous monitoring efforts
- Automated vulnerability management products enhance efficient and timely cybersecurity reporting methodologies
- Vulnerability mitigation solutions yielding predictive trending analyses

6. Automation & Engineering
- Existing tools and workflows are maintained and improved so as to support the development of new solutions
- Tools and workflows keep pace with emerging technologies and maximize business process efficiency
- Based on customer feedback, areas of improvement are identified, recommendations presented, and actionable solutions developed
- Requirements documentation adequately scopes projects
- Effective management of resources allows time-sensitive developments and realignment of priorities based on mission
- Research, identify, and recommend Analyses of Alternatives (AoA) in order to maintain cutting-edge performance
- Cybersecurity engineering support maintains efficient movement and stability throughout the entire Risk Management Framework lifecycle
- Assessments of cybersecurity needs employ the reviewed customer documentation and resources
- Guidance and applied resources ensure the program’s self-sustainment
- Recommendations incorporate a holistic view of all security layers throughout the entire cybersecurity environment
- Automated monitoring of NGA Enterprise Security consumption, and of common, hybrid, and system-specific security control testing processes and procedures
- Optimized information exchange between cybersecurity tools on NGA’s Networks
- Technical solutions meet cybersecurity requirements on NGA Networks
- Operational cyber visualizations utilize big data science and analytics on NGA’s Networks

7. Cross Domain Support Office
- Technical security design guidance and architecture for agency Cross Domain Services (CDS) ensure proper execution within the Risk Management Framework
- Governance and oversight for NGA’s CDS achieve policy approval and compliance


- Reviews of CDS architecture and security implementation yield actionable lessons learned

8. Cyber Business Intelligence & Analytics
- Administer, forecast, monitor, report, and evaluate cyber business intelligence
- Analyses and recommendations based on all available sources
- Analysis strategies and guidance for NGA networks
- Support the Business Intelligence Steering Group
- Data Ingest (Extract, Transform, Load): Data is effectively and accurately extracted, transformed, and loaded (ETL) from structured and unstructured data sources with varying schemas
- Data tagging and overall management of data effectively support a “data as a service” model (organization, storage, management, administration, and retrieval of data)
- Datastore: Modeling of data pertaining to cybersecurity business intelligence and data linkage functions enables effective querying and analytics of supplementary data from external data sources
- Dynamic and static visualizations in the form of dashboards to convey insights to different levels of stakeholders throughout the enterprise
- Data is generically accessible to the CIO and IT Services Directorate Senior Leadership to identify opportunities for growth and efficiencies
- Management processes, methodologies, and Key Performance Indicators (KPIs) enable stakeholders to achieve cyber strategic objectives across cyber organizations
- BI strategies are founded on an audit of the current situation and set out a vision and plan for BI in the organization; continually consider and link activities back to evolving cyber business objectives; and include multiple initiatives to measure, manage, and improve the performance of an individual, a process, a functional team, a business unit, or even the entire organization

9. Cyber Governance

Cyber Governance provides the necessary rules, guidelines, and updates for:
- Addressing lessons learned
- Reviewing, updating, and assisting the implementation of NGA’s cybersecurity policies
- Implementation of checks on the cybersecurity rules as close as possible to the source of inputs
- Relationships between one cybersecurity activity and another
- Strict enforcement of cybersecurity rules


10. Cyber Compliance & Reporting
- Effective and accurate collecting, analyzing, and reporting of cybersecurity postures to NGA and external organizations, including DoD and the IC, in compliance with FISMA
- Conduct trend analysis of the scorecard metrics to inform cybersecurity service providers of recommended courses of action when the analysis affects security
- Continual evaluation of NIST, DoD, and IC guidance to evolve existing metrics and fill gaps that are relevant to the CIO and IT Services Directorate Senior Leadership and cybersecurity service providers
- Up-to-date automated solutions to collect, analyze, and report on NGA cybersecurity posture to NGA and external organizations in accordance with the requirements stated in the DoD Scorecard and IC IE CPEM Instructions
- Interactive dashboards, which display real-time enterprise compliance metrics for up-to-date situational awareness of network risk, such as vital reports with details on privileged users, Web PKI and DMZ, asset inventory, system authorization, HBSS/ESS Services, patching, and overall organization software compliance

11. Cyber Information Sharing/Knowledge and Content Management
- Provide customer Knowledge and Content Management to support an enterprise collaborative culture as part of its web presence
- Provide Cybersecurity Office web presence and SharePoint portal management and execution
- Automated repositories for cybersecurity data, together with ready-access processes and procedures derived from the data stored on NGA networks
- Internal and external web and SharePoint portals integrate effectively with existing enterprise systems and data stores, with the goal of maintaining a well-connected, secured, and controlled enterprise of systems
- Effective Cybersecurity Office data services, data administration, and database management support in client/server, virtual machine, and cloud infrastructure environments and/or migrations between these environments
- Effective Cybersecurity Office ingestion, data tagging, and overall management of data supporting a data as a service model
- Effective organization, storage, management, administration, and retrieval of data

12. Information Requirements Management Catalog
- Implement a Cybersecurity Risk Management Framework Assessment Tool in accordance with NIST SP 800-53 controls and other federally mandated guidance through an automated tool
- Provide guidance on implementing policy directives to Cybersecurity personnel through an automated tool


13. Cyber Governance and Business Process
- Provide secretariat governance support to the Cybersecurity Governance Bodies, such as the Cyber Integrated Product Team (IPT) and the Chief Information Officer-Technology Requirements Investment Board (CRIB)
- Implement and assist the development of Cybersecurity governance policies, processes, and guidelines that are aligned to Agency governance boards as appropriate
- Manage NGA’s execution of the NIST Cybersecurity Framework (CSF) and ensure that cybersecurity activities align to the CSF Functions (Identify, Protect, Detect, Respond, Recover) and their Categories and Subcategories
- NIST Cybersecurity Framework implementations and operations are effectively managed

14. Project Management
- Systems engineering, integration, and program management support the effective, timely, and accurate evolution and implementation of Enterprise Security Services
- Enterprise Security Services Architectures effectively relate to existing enterprise architectures

15. Cybersecurity Framework Assessment
- Use the NIST CSF for identifying, assessing, and managing cybersecurity risk across six domains
- Document the current and target profiles for each CSF Subcategory as it relates to security, including people, processes, and technologies
- Collaborate with cyber government stakeholders to document the results of the security assessment and develop the recommendations report
- Visualize in a live database, updated monthly with new data resulting from cyber architecture changes and updates

16. DoD Information Collections
- Implement the Agency’s Information Collection and Reporting Program in terms of prioritizing, planning, tracking, and ensuring implementation of all DoD Information Collection activities, to ensure Agency compliance with Title 44 USC Chapter 35, the Paperwork Reduction Act of 1995, and other Federal and DoD guidance
- Manage, track, and control all NGA information collection requirements to ensure they are valid, necessary, and appropriately approved and licensed

17. Cybersecurity Dashboard
- Covers all of the preceding sections
- Provides near-real-time monitoring and reporting of cybersecurity metrics, trends, status, awareness, etc.
- Status reporting, covering all cyber activities set forth herein, is current, complete, accurate, and presented in a visually intuitive manner


- Risk Posture Scorecard reporting
- Provides staff accountability for organizational goals and measures
- Enables interactive monitoring and tracking of all leading indicators (incidents, events, scans, errors, threats, and known vulnerabilities) to prevent incidents
- Provides incident tracking that includes the number of identified, open, and closed cyber incidents, and the number of data loss prevention incidents by specific reasons such as policy and type
- Provides clear data on all performance indicators and metrics, such as mean time to patch, mean time to detect and respond to potential incidents, average window of exposure, and the number and types of exceptions
- Focuses on measuring the elements that present the highest risk, and provides visibility into the effectiveness of security controls. It provides NGA with a good understanding of whether the goals set forth for threat management are actually being met
- Provides the necessary flexibility to effectively communicate with its audience
- Provides dynamic and static visualizations to convey insights to different levels of stakeholders throughout the enterprise
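The dashboard metrics listed above (identified, open and closed incidents; mean time to detect and respond; mean time to patch; average window of exposure; exceptions) only support a scorecard and an automated escalation step if each one has a fixed, reproducible definition. The following added example, which is not part of the RFI and not NGA's code, computes them from constructed incident and vulnerability records and returns the KPIs that exceed a target, which is the input an escalation process consumes. The record fields, the definition of window of exposure used here (vendor fix availability until the patch is applied, or until the reporting instant for findings still open) and the target thresholds are assumptions of the example.

```python
"""Compute the dashboard KPIs named in the RFI (incident counts, mean time
to detect, mean time to respond, mean time to patch, average window of
exposure, exception count) from constructed records, and list the KPIs
that breach a target.

Added example, not part of the RFI. The records are constructed, and the
field names, the KPI definitions and the target thresholds are this
example's assumptions, not NGA's.
"""
from datetime import datetime, timezone
from statistics import mean


def ts(s):
    """Parse a UTC timestamp of the form 2024-03-01T08:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Constructed incidents: first hostile activity, detection, containment.
# contained=None means the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00Z", "detected": "2024-03-01T09:30Z", "contained": "2024-03-01T12:30Z"},
    {"id": "INC-2", "first_activity": "2024-03-03T22:00Z", "detected": "2024-03-04T10:00Z", "contained": "2024-03-05T10:00Z"},
    {"id": "INC-3", "first_activity": "2024-03-06T00:00Z", "detected": "2024-03-06T00:30Z", "contained": None},
]

# Constructed vulnerability findings: vendor fix available, found by the
# scanner, patched (None = still open), and whether an exception was granted.
VULNS = [
    {"id": "V-1", "fix_published": "2024-02-20T00:00Z", "found": "2024-02-22T00:00Z", "patched": "2024-03-01T00:00Z", "exception": False},
    {"id": "V-2", "fix_published": "2024-02-25T00:00Z", "found": "2024-02-26T00:00Z", "patched": "2024-03-06T00:00Z", "exception": False},
    {"id": "V-3", "fix_published": "2024-03-01T00:00Z", "found": "2024-03-02T00:00Z", "patched": None, "exception": True},
]

# Reporting instant and assumed targets (hours) for the escalation check.
AS_OF = ts("2024-03-08T00:00Z")
TARGETS = {"mttd_hours": 24, "mttr_hours": 24, "mttp_hours": 168, "avg_window_of_exposure_hours": 240}


def hours(delta):
    return delta.total_seconds() / 3600


def incident_kpis(incidents):
    # MTTD: first activity -> detection, over every incident.
    detect = [hours(ts(i["detected"]) - ts(i["first_activity"])) for i in incidents]
    # MTTR: detection -> containment, over closed incidents only.
    respond = [hours(ts(i["contained"]) - ts(i["detected"])) for i in incidents if i["contained"]]
    open_count = sum(1 for i in incidents if not i["contained"])
    return {
        "incidents_identified": len(incidents),
        "incidents_open": open_count,
        "incidents_closed": len(incidents) - open_count,
        "mttd_hours": mean(detect) if detect else None,
        "mttr_hours": mean(respond) if respond else None,
    }


def vulnerability_kpis(vulns, as_of):
    # MTTP: scanner finding -> patch applied, over patched findings only.
    patch = [hours(ts(v["patched"]) - ts(v["found"])) for v in vulns if v["patched"]]
    # Window of exposure (assumed definition): fix availability -> patch applied,
    # or -> as_of for findings still open, so open items widen the average
    # instead of disappearing from it.
    exposure = [
        hours((ts(v["patched"]) if v["patched"] else as_of) - ts(v["fix_published"]))
        for v in vulns
    ]
    return {
        "vulns_open": sum(1 for v in vulns if not v["patched"]),
        "mttp_hours": mean(patch) if patch else None,
        "avg_window_of_exposure_hours": mean(exposure) if exposure else None,
        "exceptions": sum(1 for v in vulns if v["exception"]),
    }


def breaches(kpis, targets):
    """Names of KPIs that exceed their target: the input to an escalation step."""
    return sorted(k for k, limit in targets.items() if kpis.get(k) is not None and kpis[k] > limit)


def dashboard(incidents=INCIDENTS, vulns=VULNS, as_of=AS_OF, targets=TARGETS):
    kpis = {**incident_kpis(incidents), **vulnerability_kpis(vulns, as_of)}
    kpis["breaches"] = breaches(kpis, targets)
    return kpis


if __name__ == "__main__":
    for k, v in dashboard().items():
        print(f"{k:30} {v}")
```

Two design choices matter for the scorecard. Mean time to respond and mean time to patch are computed over closed items only, because an open item has no end time, so those two averages can look good while a backlog grows; the open counts and the window-of-exposure figure, which keeps counting open findings up to the reporting instant, are what make that backlog visible. Exceptions are counted rather than excluded, so a finding that was waived still appears on the dashboard as the RFI asks.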

2.2 PERIOD & LOCATION(S) OF PERFORMANCE:

Period of Performance (POP) for Prospective Acquisition(s): One-year base ordering period with up to four 1-year option periods.

Location(s): The work shall be primarily performed at NGA’s facilities located in Springfield, Virginia, and the St. Louis, Missouri, and Denver, Colorado Metropolitan Areas.

2.3 CONSTRAINTS AND LIMITATIONS: The most recent editions of the documents set forth in the following appendices are anticipated to apply to prospective acquisition(s):

Appendix B - Compliance Documents

Appendix C - NGA Policies, Instructions, and Directives, NGA CIO Directives and Office of the CIO Guides, and Other Reference Documents

2.4 SECURITY REQUIREMENTS: Contractor personnel shall possess active TS/SCI clearances.

2.5 ORGANIZATIONAL CONFLICT OF INTEREST (OCI): Prospective acquisition(s) are anticipated to be for commercial services. In accordance with FAR Part 9.5, please discuss any performance which may lead to an OCI and how the Offeror would mitigate, avoid, or neutralize the conflict.

3.0 REQUESTED INFORMATION

Responses must only contain UNCLASSIFIED information and be marked “UNCLASSIFIED” on all pages in both the header and footer. No classified information may be included in your response.

Neither proprietary nor classified concepts, nor classified information, should be included in the submittal. Input on the information contained in the responses may be solicited and reviewed by NGA non-Government consultants or experts who are bound by appropriate non-disclosure agreements.

3.1 ADMINISTRATIVE

Information to include the following as a minimum:

3.1.1 CONTACT

Name, mailing address, overnight delivery address (if different from mailing address), phone number, fax number, company website, and e-mail of designated point(s) of contact.

3.1.2 BUSINESS TYPE

In accordance with FAR 19.102(a)(1), the Small Business Administration (SBA) establishes small business size standards on an industry-by-industry basis. Small business size standards, matched to industry North American Industry Classification System (NAICS) codes, are published and available at www.sba.gov/contenet/table-small-business-size-standards . Based upon NAICS code 541512, IT and Telecom – Other IT and Telecommunications will be applicable to prospective acquisition(s). The respondent is requested to provide the following information:

Business Size: □ SMALL BUSINESS □ OTHER THAN small business

□ DOD Pilot Mentor-Protégé Program Participant (DFARS 219.71)

If a SMALL BUSINESS, check all of the following that apply:

□ Eligible small business concern for participation in SBA’s 8(a) program (FAR 19.8)

□ Historically Underutilized Business Zone small business concern (FAR 19.13)

□ Service-Disabled, Veteran-Owned Small Business (SDVOSB) concern (FAR 19.14)

□ Woman-Owned Small Business (WOSB) concern (FAR 19.15)

3.1.3 BUSINESS INFORMATION

Data Universal Numbering System (DUNS) Number: _________________

Commercial and Government Entity (CAGE) Code: ______________________________

System for Award Management (SAM) www.sam.gov current registration: ____________

Defense facility security clearance? ____________________________________________

o Type: ____________________________________________________________

o Level: ___________________________________________________________

Accounting system

o Date of last audit: ___________________________________________________

o Performed by: _____________________________________________________

o Adequacy Determination? ____________________________________________

Purchasing system

o Date of last audit: ___________________________________________________

o Performed by: _____________________________________________________

o Adequacy Determination? ____________________________________________

Timekeeping system

o Date of last audit: ___________________________________________________

o Performed by: _____________________________________________________

o Adequacy Determination? ____________________________________________

3.1.4 OTHER GOVERNMENT CONTRACTS

Provide information regarding the respondent’s other Government contracts that contain services that could be employed to satisfy one or more of the end-state objectives and are applicable to the stated NAICS code. For each of the following categories, the respondent is requested to identify the particulars of each contract in the category (Program/Schedule Name, Contract Number, Award Date, and End Date), together with the specific end-state objectives it supports.

Federal Supply Schedules (FAR 8.4)

Government-wide Acquisition Contracts (GWAC)

Other Government Contracts

Any additional details not already requested:

3.2 EXPERIENCE

3.2.1 COMMERCIAL

Respondents are requested to provide relevant details concerning the provision of the same or similar services offered or made to the general public or to non-governmental entities for purposes other than governmental purposes in the last three (3) years. Relevant details to NGA’s proposed acquisition should include, but not be limited to, information regarding the contract value, size and length of the effort, the responder performing as a prime or subcontractor, customary practices (warranty, financing, discounts, contract types, etc.) under which the sales of the service(s) are made, security details, the customary practices regarding customizing, modifying, or tailoring a service(s) to meet customer needs and the associated costs, the kinds of factors that are used to evaluate performance, the kinds of performance incentives used, the kinds of performance assessment methods commonly used, the common qualifications of the people performing the services, and requirements of law and/or regulations unique to these service(s), that can demonstrate the responder’s abilities and capacity to meet NGA’s statement of objectives.

3.2.2 GOVERNMENT (EXCLUDING NGA)

Respondents are requested to provide relevant details concerning the provision of the same or similar services offered or made to Government agencies other than NGA in the last three (3) years. Relevant details to NGA’s proposed acquisition should include, but not be limited to, contract value, information regarding the contract number, agency, the responder performing as a prime or subcontractor, size and length of the effort, type of pricing and/or cost, security details, the kinds of factors used to evaluate performance, the kinds of performance incentives, the kinds of performance assessment methods, the qualifications of the people performing the services, and any unique terms and conditions, that can demonstrate the responder’s abilities and capacity to meet NGA’s statement of objectives.

3.2.3 NGA.

Provide relevant details on the same or similar services the responder has offered or provided to NGA in the last three (3) years. Relevant details to NGA’s proposed acquisition should include, but not be limited to, contract value, information regarding the contract number, program name, size and length of the effort, whether the responder performed as a prime or subcontractor, type of pricing and/or cost, security details, the kinds of factors used to evaluate performance; the kinds of performance incentives; the kinds of performance assessment methods; the qualifications of the people performing the services; and any unique terms and conditions that can demonstrate the responder’s abilities and capacity to meet NGA’s statement of objectives.

3.3 CAPABILITIES

Respondents are requested to provide the following information regarding their capabilities to successfully perform the proposed acquisition set forth in section 2 of this RFI.

3.3.1 Capabilities needed to successfully achieve the RFI statement of objectives

3.3.1.1 Capabilities that the respondent currently possesses. Responses should include the relevant information regarding specific skills, experience, and security clearances that its employees, by labor category, currently possess in performing these services, and any needed hardware or software.

3.3.1.2 Detail the service capabilities that the respondent currently does not possess but needs in order to meet the objectives, together with the capability and means to secure the necessary services.

3.3.3 Extent to which the responder has the ability to meet the proposed acquisition and any interest in a Prime contract; Teaming, to include Joint Venture; or exploring subcontractor opportunities.

3.3.4 Notional schedule and type of plan for transition-in and transition-out (based on previous or similar work efforts).

3.3.5 Security capabilities and plans that demonstrate the ability to meet NGA’s security requirements beginning at contract award and throughout the POP.

3.3.6 Extent to which the responder is aware of any potential OCI issues in accordance with FAR Part 9.5 or any non-mitigatable OCI related to current development work at NGA.

3.4 RECOMMENDATIONS

3.4.1 Key Performance Indicators (KPIs):

“What gets measured gets done,” and “what you measure is what you get.”

KPIs establish the performance levels required to meet the contract requirements and successfully achieve the end-state objectives. For the planned acquisition objectives set forth in section 2.1, the Government is seeking information as to specific KPIs to be applied to measure performance in achieving one or more of these objectives. Respondents are requested to provide information regarding KPIs that are specific; quantifiable and measurable, with minimum acceptable quality level(s); achievable within the POP; relevant to one or more of the end-state objective goals and priorities; and time-bound.

Each proposed KPI should include the following:

Identity of the objective(s) and the applicable task(s) that are relevant to the KPI;

Value of the KPI to monitor and measure the effectiveness in achieving the objective(s);

KPI defined in a manner that is understandable, meaningful, and measurable;

KPI is quantifiable (formula driven), with the performance data necessary for its calculation identified and defined;

KPI’s performance reporting … how, format, frequency; and

KPI’s commercial measure of the lowest level of quality that is acceptable commercially (Acceptable Quality Level (AQL)).

3.4.2 Performance Incentives

The Government is seeking appropriate incentive arrangements that are designed to motivate performance that exceeds the respective acceptable quality levels, and to discourage performance that fails to achieve the respective minimum acceptable quality levels. Respondents are requested to provide information regarding performance incentives that are directly tied to and calculated in accordance with specific KPI(s), and are of sufficient magnitude to motivate superior performance and discourage performance that falls short.

3.4.3 Key Positions

Successful contract performance in achieving end-state objectives requires that the contractor employ qualified personnel in key positions that serve as the performance nexus within the performance process. Past experience has demonstrated that the position of Program Manager is one of those positions. The Program Manager position’s typical responsibilities can be summed up as the nexus for all contract performance activities … the action “belly button” for Government – contractor performance exchanges, with full authority to act on behalf of the Contractor on all contract matters relating to daily operation of the contract. Given the scope and nature of this responsibility, together with the complexities in achieving these objectives and the negative impacts arising from the failure to do so, NGA is seeking recommendations as to this position’s minimum qualifications in terms of education, certifications and training, experience, and record of success that an individual successfully performing in it would be expected to possess, along with any qualification tradeoffs.

In addition to the position of Program Manager, the Government is seeking information as to other key positions that are critical to successful performance in achieving the stated objectives. As with the Program Manager, respondents are requested to identify those positions, their distinct responsibilities, and the qualifications of the individuals filling them, to include specific education, certifications, training, and experience, and the tradeoff considerations among these qualification items.

3.4.4 Recommendations

Going forward, proposed acquisitions are anticipated to be full and open (FAR 6.1/6.2), Indefinite Quantity-Indefinite Delivery (FAR 16.504), and performance-based (FAR 37.6). Within that framework and the purposes set forth in Section 1.2 of this RFI, responders are invited to provide information, recommendations, and supporting analyses for fashioning the proposed acquisition(s). Recommendation areas may include the type of contract, anticipated contract terms & conditions, incentives, NAICS Codes, variations in delivery schedule, price and/or cost proposal support and data requirements, contract pricing, and any other areas that the responder believes are relevant for the Government to achieve its stated objectives. Recommendations shall be accompanied by specific rationales that are of sufficient detail.

Respondents are invited to opine regarding setting aside all or some of the requirements for small business (FAR 6.203 thru 6.207). Recommendations shall identify the scope of the set-aside (total or partial), the specific boundaries of the set-aside if partial, and any specific set-aside sub-category. Recommendations shall be accompanied by specific rationales that are of sufficient detail.

4.0 RESPONSES

4.1 Interested parties are directed to respond electronically to this RFI via a “white paper”.

4.2 The “white paper” shall be in Microsoft Word for Office or compatible format and shall not exceed twenty-five (25) pages, with a “page” defined as each face of an 8½” x 11” sheet with information contained within a one inch margin on all sides. Font type shall be Times Roman 12 point.

4.3 Responses containing the White Paper are due no later than 5:00 pm Eastern Time (ET) on 29 October 2019. Responses shall be limited to and submitted via UNCLASSIFIED e-mail only as a message attachment to [email protected] with the message subject line “RFI Response – CyberSecurity Support Services (CS3).”

4.4 Proprietary information, if any, should be minimized and MUST BE CLEARLY MARKED. To aid the Government, please segregate proprietary information. Please be advised that all submissions become Government property and will not be returned.

4.5 The contents of the White Paper shall include all of the information requested in Section 3 of this RFI. Include Section number and title prior to each Response.

5.0 MEETINGS AND DISCUSSIONS

The Government representatives may or may not choose to meet with potential RFI service providers. Such meetings and discussions would only be intended to get further clarification of potential capability, especially any development and certification risks.

6.0 SUMMARY

The information provided in this RFI is subject to change and is not binding to the Government. The Government has not made a commitment to procure any of the RFI requirements discussed, and release of this RFI should not be construed as such a commitment or as authorization to incur cost for which reimbursement would be required or sought. All submissions become Government property and will not be returned.


Appendix A – Glossary

AIS – automated information system
AQL – acceptable quality level
CAGE – commercial and government entity
CIO – Office of the Chief Information Officer
CIO-T – Information Technology Services Directorate
CRIB – Chief Information Officer-Technology Requirements Investment Board
DFARS – Department of Defense Federal Acquisition Supplement
DOD – Department of Defense
DTE – Desktop Environment
DUNS – Dun & Bradstreet Data Universal Numbering System (DUNS) Number
FAR – Federal Acquisition Regulations
GEOINT – NGA geospatial-intelligence
GWAC – government-wide acquisition contract
HUBZone – historically underutilized business zone
IC – Intelligence Community
IDIQ – indefinite delivery indefinite quantity
KPI – key performance indicator
NAICS – North American Industry Classification System
NCE – NGA Campus East in Virginia
NCW – NGA Campus West in Missouri
NGA – National Geospatial-Intelligence Agency
N2W – NGA Next West
OCI – organizational conflict of interest
POP – period of performance
SAM – system for award management
SCIF – sensitive compartmented information facility
SDVOSB – service-disabled, veteran-owned, small business
WOSB – woman-owned small business


Appendix B - Compliance Documents

These are the documents that are anticipated to be applicable to future acquisitions. The Contractor shall abide by all applicable regulations, publications, manuals, and local policies and procedures (current versions shall be utilized).

Clinger Cohen Act of 1996, National Defense Authorization Act for Fiscal Year 1996, Title 40, U.S.C. 1401, 10 Feb 1996.
CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, March 2014.
CNSS Policy 22, Policy on Information Assurance Risk Management for National Security Systems, Jan 2012, as amended.
DoD Directive 8570.01, Information Assurance Training, Certification, and Workforce Management, 15 Aug 2004.
DoD Instruction 8500.01, Cybersecurity, 14 Mar 2014.
DoD Instruction 8510.01, RMF for DoD IT, 12 Mar 2014.
DoD Instruction 8540.01, Cross Domain (CD) Policy, 8 May 2015.
E-Government Act of 2002, also known as the “FISMA of 2002”, Title 44, U.S.C. 101.
Executive Order 12333, United States Intelligence Activities, 4 Dec 1981, as amended.
Executive Order 13526, Classified National Security Information, 29 Dec 2009, as amended.
ICD 503, IC IT Systems Security Risk Management, 21 July 2015.
National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems, 5 Jul 1990.
National Security Presidential Directive-54/Homeland Security Presidential Directive-23, Cybersecurity Policy, 8 Jan 2008.
NIST SP 800-137, ISCM for Federal Information Systems and Organizations, Sep 2011.
NIST SP 800-30, Guide for Conducting Risk Assessments, Sep 2012.
NIST SP 800-37, Guide for Applying the RMF to Federal ISs: A Security Life Cycle Approach, Feb 2010.
NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, Mar 2011.
NIST SP 800-47, Security Guide for Interconnecting IT Systems, Aug 2002.
NIST SP 800-53, Revision 4, Information Security, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, June 2010.
NIST SP 800-55, Revision 1, Performance Measurement Guide for Information Security, July 2008.
Office of Management and Budget Circular A-130, Management of Federal Information Resources, 28 Nov 2000, as amended.


Appendix C – NGA Policies, Instructions, and Directives

The following NGA documents or their successor specifications, regulations, policies, or directives provide constraints that may be applicable to the objectives (current versions shall be utilized).

NGAD 3020, Directive for Business Continuity/Disaster Recovery, 28 October 2015.
NGAD 5200, Personnel Security, August 24, 2016.
NGAD 8010, Information Systems RMF, November 16, 2015.
NGAD 8231, Cyber Defense Operations, October 28, 2015.
NGAI 5200.1, Information Security, May 30, 2017.
NGAI 5200.4, Operations Security, August 11, 2016.
NGAI 5230.1, Instruction for Polygraph and Credibility Assessment Program Administration Update, November 6, 2015.
NGAI 5425.1, NGA Corporate Policy Program, 27 January 2017.
NGAI 8010.8, Information Assurance Vulnerability Management, November 10, 2015.
NGAI 8010.9, Information Operations Condition, November 10, 2015.
NGAI 8400.4, Implementation of Section 508 of the Rehabilitation Act, October 26, 2015.
NGAI 8500.2, Instruction for Authorized Outages and Maintenance Activities, October 26, 2015.
NGAPN 8100.2, Policy Notice, Transfer of all NGA IT Resources and Assets to the Chief Information Officer-Information Technologies (CIO-T) Services Directorate, March 5, 2014, Administrative Revision July 2014.
NGAPN 8100.3, Managing and Safeguarding HUMINT Control System Data on IT Systems, November 16, 2015.
NGAPN 8460.2, Policy Notice for Identity and Access Management, 31 March 2012.
NGAPN 8470.1, External WebMail Access for Personal Use, 15 November 2016.
NGAPN 8960.1, Discoverability of GEOINT Information, November 16, 2015.
NI 5205.1, Instruction for Protection of Sensitive Compartmented Information, November 24, 2003.
NI 5210.9, Instruction for Control of Information System Equipment and Media Entering or Exiting NGA Sites and Facilities, September 20, 2005.
NI 5240.1, Instruction for Reporting Counterintelligence and Espionage Concerns, November 24, 2003.
NI 7400.1, Configuration Management, November 10, 2015.
NI 8010.11, Instruction for NGA-Controlled Computer Network Connectivity at Contractor and Other Facilities, 10 November 2015.
NI 8010.14, Instruction for Password Administration, 17 October 2016.
NI 8010.15, Instruction for Access to Removable Media Devices and File Transfers on NGA Information Systems, 10 November 2015.
NI 8010.16, Managing Compartmented and Sub-Compartmented Information on Sensitive Compartmented Information Systems, November 18, 2015.
NI 8010.2, Instruction for Information System Security and Training, November 10, 2015.
NI 8410.1, Instruction for Implementation of Mobile Code, November 12, 2015.
NI 8420.2, Instruction for Antivirus Response, November 12, 2015.


NI 8420.3, Instruction for Controlled Interfaces for Systems and Networks, November 12, 2015.
NI 8460.1, Instruction for Communications Security, November 12, 2015.
NI 8470.3, Instruction for Use of Electronic Mail and Other Electronic Communications, November 13, 2015.
NI 8900.4, Instruction for the Intelligence Oversight Compliance and Awareness Program, November 15, 2015.
PN 8100.2, Policy Notice for Transfer of all NGA IT Resources and Assets to CIO-T, 24 Nov 2015.
PN 8100.3, Policy Notice for Managing and Safeguarding HUMINT Control System Data on IT Systems, 6 June 2014.
PN 8470.1, Policy Notice for External Webmail Access for Personal Use, November 15, 2015.
PN 8960.1, Policy Notice for Discoverability of GEOINT Information, 16 November 2015.

NGA CIO Directives and Office of the CIO Guides

NCD 8000-003, CIO Directive, Encryption of Data at Rest, October 2007.
NCD 8000-015, CIO Directive, Deployment of Information Systems to External Sites, August 2008.
NCD 8000-016, CIO Directive, Ports, Protocols, and Services Management, August 2008.
NCD 8000-020, CIO Directive, Digital Signatures of Sensitive But Unclassified E-Mail, October 2008.
NCD 8000-023, CIO Directive, Security Technical Implementation Guidance and Security Configuration Guide Compliance, January 2009.
NCD 8000-024, CIO Directive, Web Services, February 2009.
NCD 8000-025, Directive, User Based Enforcement, February 2009.
NCD 8000-026, Enterprise Management, May 2010.
NCP 8000-012, Certification and Accreditation Procedures, March 2010.
NGA DAA and NGA CISO Memo, Administrative Credential Access for all NGA Assets, December 2010.

Other Reference Documents

Establishment of the Authorization Review Panel, 21 Mar 2017.
MFR Enterprise Critical Security Controls, 21 Jan 2016.
NGA Cybersecurity Risk Acceptance SOP, 8 Mar 2016.
NGA Information Assurance Requirements Catalog, 19 May 2016.
NGA REvAMP, 10 May 2017.
Risk Management Framework Quick Guide, 17 Mar 2017.
Senior Cybersecurity Roundtable Charter, December 2015.
NGA Vulnerability Management Standard Operating Procedures, 6 June 2014.
Vulnerability Management Panel Terms of Reference, 2015.