Specifications Vol 1 Div 1-6

US Army Corps of Engineers
Baltimore District

CONSTRUCTION SPECIFICATIONS
USAMRIID Replacement
UNITED STATES ARMY MEDICAL RESEARCH INSTITUTE OF INFECTIOUS DISEASES (USAMRIID)
FT. DETRICK, MD

Phase I - Primary Building Package
VOLUME 1: DIVISIONS 1 - 6
REQUEST FOR PROPOSAL W912DR-08-R-0075
CONTRACT NO.
DATE 19 SEPTEMBER 2008

CUH2A Smith Carter Hemisphere (JV)
CUH2A, CN 5380, Princeton, NJ 08543; 1000 Lenox Drive, Lawrenceville, NJ 08648
Smith Carter Hemisphere Engineering, 1123 Zonolite Road, Suite 25, Atlanta, GA 30306

F.O.U.O. - For Official Use Only


USAMRIID Replacement

Ft. Detrick, MD

PROJECT TABLE OF CONTENTS

DIVISION 01 - GENERAL REQUIREMENTS

01 00 00  ADMINISTRATIVE REQUIREMENTS
01 05 00  JOB CONDITIONS
01 07 00  CUTTING, PATCHING AND REPAIRING
01 11 00  SUMMARY OF WORK
01 20 00  WARRANTY REQUIREMENT
01 27 00  MEASUREMENT AND PAYMENT
01 31 11  SUSPENDED LOADING - COORDINATION AND LIMITATIONS
01 31 15  CONTAINMENT CONSTRUCTION COORDINATION
01 31 19  PROJECT MEETINGS
01 32 01.00 10  PROJECT SCHEDULE
01 33 00  SUBMITTAL PROCEDURES
01 33 10  SPECIAL SUBMITTAL PROCEDURES
01 33 29  LEED(TM) DOCUMENTATION
01 33 40  COLOR/FINISH SAMPLE BOARDS
01 35 29  SAFETY AND OCCUPATIONAL HEALTH REQUIREMENTS
01 41 50  SEISMIC CONTROL REQUIREMENTS
01 41 60  WIND LOAD DESIGN CRITERIA
01 42 00  SOURCES FOR REFERENCE PUBLICATIONS
01 42 13  REFERENCE STANDARDS, ABBREVIATIONS AND DEFINITIONS
01 45 02.00 10  QUALITY CONTROL SYSTEM (QCS)
01 45 10  CONTRACTOR QUALITY CONTROL
01 45 35  SPECIAL INSPECTION
01 45 70  ROOM INTEGRITY TESTING
01 51 00  TEMPORARY CONSTRUCTION ITEMS
01 57 20.00 10  ENVIRONMENTAL PROTECTION
01 57 23.00 10  STORM WATER POLLUTION PREVENTION MEASURES
01 60 00  PRODUCT REQUIREMENTS
01 61 23  CONTRACTOR FURNISHED CONTRACTOR INSTALLED (CFCI) EQUIPMENT SCHEDULE
01 62 35  RECYCLED / RECOVERED MATERIALS
01 64 02  GOVERNMENT FURNISHED GOVERNMENT INSTALLED (GFGI) EQUIPMENT SCHEDULE
01 67 00  MATERIAL/PRODUCT RESISTANCE
01 72 00  AS-BUILT DRAWINGS - CADD
01 74 19  CONSTRUCTION AND DEMOLITION WASTE MANAGEMENT
01 75 00  STARTING AND ADJUSTING
01 77 00  CLOSEOUT PROCEDURES
01 78 23  OPERATION AND MAINTENANCE DATA
01 79 00  DEMONSTRATION AND TRAINING
01 81 19  INDOOR AIR QUALITY
01 91 00  COMMISSIONING
01 91 01  COMMISSIONING COMPONENT VERIFICATION
01 91 02  COMMISSIONING SYSTEM TEST
01 91 03  COMMISSIONING INTEGRATED SYSTEM TEST
01 91 04  COMMISSIONING FUNCTIONAL OPERATIONAL SYSTEM TEST

DIVISION 02 - EXISTING CONDITIONS

02 41 00  DEMOLITION AND DECONSTRUCTION

PROJECT TABLE OF CONTENTS Page 1 19 September 2008 For Official Use Only

DIVISION 03 - CONCRETE

03 08 00  COMMISSIONING OF CONCRETE
03 11 13.00 10  STRUCTURAL CONCRETE FORMWORK
03 15 13.00 10  EXPANSION JOINTS, CONTRACTION JOINTS, AND WATERSTOPS
03 20 01.00 10  CONCRETE REINFORCEMENT
03 31 00.00 10  CAST-IN-PLACE STRUCTURAL CONCRETE
03 31 05  HIGH CONTAINMENT CAST-IN-PLACE STRUCTURAL CONCRETE
03 35 13  HIGH-TOLERANCE CONCRETE FLOOR FINISHING
03 41 33.00 10  PRECAST/PRESTRESSED CONCRETE FLOOR AND ROOF UNITS
03 45 01.00 10  PRECAST ARCHITECTURAL CONCRETE

DIVISION 04 - MASONRY

04 20 00  MASONRY
04 43 30  CUT STONE
04 72 00  CAST STONE

DIVISION 05 - METALS

05 05 13  FACTORY-APPLIED METAL COATINGS
05 08 00  COMMISSIONING OF METALS
05 12 00  STRUCTURAL STEEL
05 30 00  STEEL DECKS
05 40 00  COLD-FORMED METAL FRAMING
05 50 00  METAL: MISCELLANEOUS AND FABRICATIONS
05 50 10.00  SPECIAL METAL FABRICATIONS
05 51 00  METAL STAIRS
05 71 00  ORNAMENTAL STAIRS
05 72 00  ORNAMENTAL HANDRAILS AND RAILINGS

DIVISION 06 - WOOD, PLASTICS, AND COMPOSITES

06 10 00  ROUGH CARPENTRY
06 20 00  FINISH CARPENTRY
06 41 16.00 10  LAMINATE CLAD ARCHITECTURAL CASEWORK
06 51 50  FIBERGLASS (FRP) GRATINGS
06 61 16  SOLID POLYMER (SOLID SURFACING) FABRICATIONS

DIVISION 07 - THERMAL AND MOISTURE PROTECTION

07 08 00  COMMISSIONING OF THERMAL AND MOISTURE PROTECTION
07 13 53  ELASTOMERIC SHEET WATERPROOFING
07 14 00  FLUID-APPLIED WATERPROOFING
07 16 19  METALLIC OXIDE WATERPROOFING
07 18 00  TRAFFIC COATINGS
07 21 00  BUILDING INSULATION
07 21 16  MINERAL FIBER BLANKET INSULATION
07 21 19  SPRAYED POLYURETHANE INSULATION
07 21 29  SPRAYED THERMAL INSULATION
07 22 00  ROOF AND DECK INSULATION
07 41 13  NON-STRUCTURAL METAL ROOFING
07 42 13  METAL WALL PANELS
07 42 50  ALUMINUM AND PLASTIC COMPOSITE PANELS
07 52 00  MODIFIED BITUMINOUS MEMBRANE ROOFING
07 55 56  RUBBERIZED ASPHALT PROTECTED MEMBRANE ROOFING
07 60 00  FLASHING AND SHEET METAL
07 71 00  ROOF SPECIALTIES AND ACCESSORIES
07 81 00  SPRAY-APPLIED FIREPROOFING
07 81 23  INTUMESCENT FIREPROOFING
07 84 00  FIRESTOPPING
07 92 00  JOINT SEALANTS
07 95 13  EXPANSION JOINT COVER ASSEMBLIES

DIVISION 08 - OPENINGS

08 05 00  COMMON WORK RESULTS FOR OPENINGS (FOUO)
08 06 00  DOOR AND FRAME SCHEDULE
08 08 00  COMMISSIONING OF OPENINGS
08 11 13  STEEL DOORS AND FRAMES
08 11 16  ALUMINUM DOORS AND FRAMES
08 11 19.00  STAINLESS STEEL DOORS AND FRAMES
08 12 16  ALUMINUM DOOR FRAMES
08 14 00  WOOD DOORS
08 15 00  PLASTIC DOORS
08 31 13  ACCESS DOORS
08 33 23  OVERHEAD COILING DOORS
08 34 59  SECURITY VAULT DOOR
08 38 13  STRIP DOORS
08 39 15  PNEUMATIC AIR PRESSURE RESISTANT DOORS
08 41 13  METAL-FRAMED STOREFRONTS
08 41 23  FIRE RATED GLAZED WALL ASSEMBLIES
08 44 00  GLAZED CURTAIN WALL
08 44 13  GLAZED CURTAIN WALL (INTERIOR)
08 44 23  STRUCTURAL GLASS CURTAIN WALL
08 55 00.00  AIR PRESSURE RESISTANT WINDOWS
08 62 00  SKYLIGHTS
08 71 00  DOOR HARDWARE
08 71 01  SECURITY DOOR HARDWARE (FOUO)
08 81 00  GLAZING
08 91 00  METAL WALL LOUVERS

DIVISION 09 - FINISHES

09 05 00  COMMON WORK RESULTS FOR FINISHES (FOUO)
09 08 00  COMMISSIONING OF FINISHES
09 22 00  METAL SUPPORT ASSEMBLIES
09 27 13  GLASS FIBER REINFORCED GYPSUM FABRICATIONS
09 29 00  GYPSUM BOARD
09 30 00  CERAMIC TILE
09 51 00  ACOUSTICAL CEILINGS
09 57 13  SANITARY CEILINGS
09 60 05  VAPOR TRANSMISSION TESTING
09 61 10  CONCRETE FLOOR TREATMENT
09 64 13  WOOD FLOORING
09 65 00  RESILIENT FLOORING
09 66 13  PRECAST TERRAZZO
09 66 23  RESINOUS TERRAZZO FLOORING
09 67 00  FLUID-APPLIED FLOORING
09 68 00  CARPET
09 69 13  RIGID GRID ACCESS FLOORING
09 83 13  ACOUSTICAL WALL AND CEILING TREATMENTS
09 90 00  PAINTS AND COATINGS
09 97 00  SPECIAL COATINGS


DIVISION 10 - SPECIALTIES

10 10 00  VISUAL COMMUNICATIONS SPECIALTIES
10 14 01  EXTERIOR SIGNAGE
10 14 02  INTERIOR SIGNAGE
10 21 13  TOILET COMPARTMENTS
10 21 23.16  CUBICLE TRACK AND HARDWARE
10 22 13  WIRE MESH PARTITIONS
10 22 26  OPERABLE PARTITIONS
10 25 00  SERVICE WALLS
10 25 13  PATIENT BED SERVICE WALLS
10 26 13  WALL AND CORNER GUARDS
10 28 13  TOILET ACCESSORIES
10 44 16  FIRE EXTINGUISHERS
10 45 40  OPTICAL PEDESTRIAN SECURITY LANES
10 51 00  LOCKERS
10 56 26  MOBILE STORAGE UNITS
10 56 26.13  MANUAL MOBILE STORAGE SHELVING

DIVISION 11 - EQUIPMENT

11 05 13  GENERAL REQUIREMENTS FOR EQUIPMENT
11 08 00  COMMISSIONING OF EQUIPMENT
11 13 10  DOCK LEVELERS
11 19 00  DETENTION EQUIPMENT
11 24 33.01  ROOF MAINTENANCE SYSTEMS
11 47 00  ICE MACHINES
11 52 00  AUDIO VISUAL EQUIPMENT
11 52 13  PROJECTION SCREENS
11 53 13  FUME HOODS
11 53 36  DUST COLLECTION SYSTEM
11 53 53  BIOLOGICAL SAFETY CABINETS
11 53 59  CLASS III BIOLOGICAL SAFETY CABINET LINES
11 53 63.00  STERILIZERS
11 53 64  ETO STERILIZER
11 53 67  DEPYROGENATION OVENS
11 53 69  TISSUE DIGESTER SYSTEM
11 53 73  MODULAR STAINLESS STEEL WALLS
11 53 91  TUNNEL WASHERS
11 53 93  PIT MOUNTED WASHER
11 60 00  GLASSWARE WASHING EQUIPMENT
11 72 00  EXAMINATION AND TREATMENT EQUIPMENT
11 72 13  MEDICAL EQUIPMENT, MISCELLANEOUS
11 73 23  VACUUM BEDDING AND DUST COLLECTION EQUIPMENT
11 73 24  BEDDING DISPENSER
11 94 00  DECONTAMINATION MISTING TUNNEL

DIVISION 12 - FURNISHINGS

12 08 00  COMMISSIONING OF FURNISHINGS
12 24 13  ROLLER WINDOW SHADES
12 35 53.13  METAL LABORATORY CASEWORK
12 35 53.19  ADAPTABLE LABORATORY CASEWORK SYSTEM
12 35 53.26  CUSTOM STAINLESS STEEL LABORATORY CASEWORK
12 48 13.13  ENTRANCE FLOOR MATS
12 93 00  SITE FURNISHINGS


DIVISION 13 - SPECIAL CONSTRUCTION

13 08 00  COMMISSIONING OF SPECIAL CONSTRUCTION
13 21 00  CONTROLLED ENVIRONMENT ROOMS
13 48 00  SEISMIC PROTECTION FOR MISCELLANEOUS EQUIPMENT
13 49 19  RADIATION SHIELDING
13 49 23  MRI, RF SHIELDED ENCLOSURE

DIVISION 14 - CONVEYING EQUIPMENT

14 21 23  ELECTRIC TRACTION PASSENGER ELEVATORS
14 24 00  HYDRAULIC ELEVATORS
14 42 00  WHEELCHAIR LIFTS
14 83 16  SCISSOR LIFT

DIVISION 21 - FIRE SUPPRESSION

21 08 00  COMMISSIONING OF FIRE SUPPRESSION SYSTEMS
21 10 01  COMBINED STANDPIPE AND WET PIPE SPRINKLER SYSTEM, FIRE PROTECTION
21 30 00  FIRE PUMPS

DIVISION 22 - PLUMBING

22 00 00  PLUMBING, GENERAL PURPOSE
22 05 19  PLUMBING THERMOMETERS AND GAUGES
22 05 29  PLUMBING HANGERS AND SUPPORTS
22 05 33  PLUMBING HEAT TRACING SYSTEM
22 05 48  PLUMBING SOUND, VIBRATION, AND SEISMIC CONTROL
22 05 53  PLUMBING IDENTIFICATION
22 05 75  DRAINS AND CLEANOUTS
22 07 00  THERMAL INSULATION FOR PLUMBING SYSTEMS
22 08 00  COMMISSIONING OF PLUMBING SYSTEMS
22 10 05  BUILDING SERVICES AND PROCESS PIPING SYSTEMS
22 10 06  BUILDING SERVICES AND PROCESS PIPING SCHEDULES
22 10 19  PLUMBING, PIPING SPECIALTIES
22 11 23  WATER PRESSURE BOOSTER SYSTEM
22 14 29  WASTEWATER PUMP
22 15 19.19  NONLUBRICATED ROTARY SCREW AIR COMPRESSORS
22 31 00  WATER SOFTENERS, CATION-EXCHANGE (SODIUM CYCLE)
22 33 00  WATER HEATERS
22 33 30.00 10  SOLAR WATER HEATING EQUIPMENT
22 36 00  CHEMICAL SHOWER SYSTEM
22 42 00  COMMERCIAL PLUMBING FIXTURES
22 62 16  MEDICAL AND LABORATORY GAS AND VACUUM SYSTEM
22 63 17  LIQUID NITROGEN SYSTEM
22 64 00  BREATHING AIR SYSTEMS
22 67 00  PURIFIED WATER GENERATING EQUIPMENT (REVERSE OSMOSIS WATER SKID/TANKS)
22 71 00  AUTOMATIC ANIMAL WATERING SYSTEMS
22 72 00  DETERGENT TRANSFER SYSTEM


DIVISION 23 - HEATING, VENTILATING, AND AIR CONDITIONING

23 00 00  AIR SUPPLY, DISTRIBUTION, VENTILATION, AND EXHAUST SYSTEMS
23 03 00  BASIC MECHANICAL MATERIALS AND METHODS
23 05 48  VIBRATION AND SEISMIC CONTROLS FOR HVAC DUCTWORK, PIPING AND EQUIPMENT
23 05 93.00 10  TESTING, ADJUSTING, AND BALANCING OF HVAC SYSTEMS
23 07 00  THERMAL INSULATION FOR MECHANICAL SYSTEMS
23 08 00  COMMISSIONING OF HEATING VENTILATING AND AIR CONDITIONING SYSTEMS
23 25 00  CHEMICAL TREATMENT OF WATER FOR MECHANICAL SYSTEMS
23 40 00.00 10  CHEMICAL, BIOLOGICAL, AND RADIOLOGICAL (CBR) AIR FILTRATION SYSTEM
23 64 26  CHILLED, CHILLED-HOT, PROCESS AND CONDENSER WATER PIPING SYSTEMS
23 65 00.00 10  COOLING TOWER
23 70 03.00 10  HEATING AND UTILITIES SYSTEMS, CENTRAL STEAM
23 81 23  COMPUTER ROOM AIR CONDITIONING UNITS

DIVISION 25 - INTEGRATED AUTOMATION

25 06 00  BUILDING MANAGEMENT SYSTEM (BMS) POINTS LIST
25 08 00  COMMISSIONING OF INTEGRATED AUTOMATION SYSTEM
25 10 00  BUILDING MANAGEMENT SYSTEM (BMS)
25 10 01  BUILDING MANAGEMENT SYSTEM (BMS) - OPTION 15A (LNS Based LonWorks)
25 10 02  BUILDING MANAGEMENT SYSTEM (BMS) - OPTION 15B (Non-LNS Based LonWorks/Non-Native BACnet)
25 10 03  BUILDING MANAGEMENT SYSTEM (BMS) - OPTION 15C (Native BACnet)
25 30 00  BUILDING MANAGEMENT SYSTEM (BMS) FIELD EQUIPMENT
25 50 00  ENVIRONMENTAL MONITORING SYSTEM
25 90 00  BUILDING MANAGEMENT SYSTEM (BMS) SEQUENCE OF OPERATION

DIVISION 26 - ELECTRICAL

26 00 00  BASIC ELECTRICAL MATERIALS AND METHODS
26 05 48.00 10  SEISMIC PROTECTION FOR ELECTRICAL EQUIPMENT
26 08 00  COMMISSIONING OF ELECTRICAL SYSTEMS
26 08 00.13  APPARATUS INSPECTION AND TESTING
26 09 13  POWER MONITORING SYSTEM
26 09 23  INTEGRATED LOW VOLTAGE LIGHTING CONTROL SYSTEM
26 09 23.13  LIGHTING CONTROL DEVICES
26 11 16  SECONDARY UNIT SUBSTATIONS
26 20 00  INTERIOR DISTRIBUTION SYSTEM
26 23 00  SWITCHBOARDS AND SWITCHGEAR
26 28 00.00 10  MOTOR CONTROL CENTERS AND PANELBOARDS
26 28 01.00 10  COORDINATED POWER SYSTEM PROTECTION
26 29 23  VARIABLE FREQUENCY DRIVE SYSTEMS UNDER 600 VOLTS
26 32 15.00 10  DIESEL-GENERATOR SET STATIONARY 100-2500 KW, WITH AUXILIARIES
26 33 53  STATIC UNINTERRUPTIBLE POWER SUPPLY (UPS) SYSTEM
26 36 00.00 10  AUTOMATIC TRANSFER SWITCH AND BY-PASS/ISOLATION SWITCH
26 41 01.00 10  LIGHTNING PROTECTION SYSTEM
26 42 14.00 10  CATHODIC PROTECTION SYSTEM (SACRIFICIAL ANODE)
26 51 00  INTERIOR LIGHTING
26 56 00  EXTERIOR LIGHTING
26 60 13  LOW-VOLTAGE MOTORS


DIVISION 27 - COMMUNICATIONS

27 05 28.36  CABLE TRAYS FOR COMMUNICATIONS SYSTEMS
27 10 00  BUILDING TELECOMMUNICATIONS CABLING SYSTEM
27 53 16.23  RADIO FREQUENCY REPEATER SYSTEM (RFRS)
27 54 00  COMMUNITY ANTENNA TELEVISION (CATV) SYSTEMS

DIVISION 28 - ELECTRONIC SAFETY AND SECURITY

28 08 00  COMMISSIONING OF FIRE ALARM AND MASS NOTIFICATION SYSTEMS
28 20 01.00 10  ELECTRONIC SECURITY SYSTEM (FOUO)
28 31 76  INTERIOR FIRE ALARM AND MASS NOTIFICATION SYSTEM

DIVISION 31 - EARTHWORK

31 00 00  EARTHWORK
31 40 00  SHORING AND UNDERPINNING
31 63 26  DRILLED PIERS (CAISSONS)

DIVISION 32 - EXTERIOR IMPROVEMENTS

32 05 33  LANDSCAPE ESTABLISHMENT
32 11 10  PAVEMENT DRAINAGE LAYER (RDM)
32 11 23  AGGREGATE BASE COURSE (DGA)
32 12 17  BITUMINOUS PAVING - MARYLAND (SUPERPAVE)
32 12 23  CONCRETE GRID (GRASS) PAVERS
32 16 13  CONCRETE SIDEWALKS AND CURBS AND GUTTERS
32 16 15  CONCRETE BLOCK PAVEMENTS
32 17 24.00 10  PAVEMENT MARKINGS
32 31 13.00  CHAIN LINK FENCES AND GATES
32 31 51  INTEGRATED BARRIER SYSTEMS (FOUO)
32 92 19  SEEDING
32 92 26  SPRIGGING
32 93 00  EXTERIOR PLANTS

DIVISION 33 - UTILITIES

33 08 00  COMMISSIONING OF UTILITIES
33 11 00  WATER DISTRIBUTION
33 30 00  SANITARY SEWERS
33 40 01  STORM DRAINAGE
33 46 00  SUBDRAINAGE SYSTEMS
33 46 16  SUBDRAINAGE SYSTEM (AND WALL DRAIN)
33 60 01  VALVES, PIPING, AND EQUIPMENT IN VALVE MANHOLES
33 61 00  PREFABRICATED UNDERGROUND HEATING/COOLING DISTRIBUTION SYSTEM
33 61 13  PRE-ENGINEERED UNDERGROUND HEAT DISTRIBUTION SYSTEM
33 70 02.00 10  ELECTRICAL DISTRIBUTION SYSTEM, UNDERGROUND
33 82 00  TELECOMMUNICATIONS OUTSIDE PLANT (OSP)

DIVISION 41 - MATERIAL PROCESSING AND HANDLING EQUIPMENT

41 22 03.13  MONORAILS WITH MANUAL HOIST
41 22 03.19  MONORAILS WITH ELECTRIC POWERED HOISTS

-- End of Project Table of Contents --


SECTION 01 00 00

ADMINISTRATIVE REQUIREMENTS

PART 1 GENERAL

1.1 SUBMITTALS

Government approval is required for submittals with a "G" designation; submittals not having a "G" designation are for information only. When used, a designation following the "G" designation identifies the office that will review the submittal for the Government. The following shall be submitted in accordance with Section 01 33 00 SUBMITTAL PROCEDURES:

SD-01 Preconstruction Submittals

    Title Evidence
        Proof of purchase for equipment and/or materials.
    Invoice Copies
        Proof of rental equipment costs.
    Payment Evidence
        Proof of full payment.
    Photographs
        Digital images showing construction progress.

SD-03 Product Data

    Cost or Pricing Data
        Proof of actual equipment costs.
    Equipment Data
        An itemized list of serial/model numbers and equipment installed by the Contractor under this contract.

SD-05 Design Data

    Project Schedule; G, AR
        A schedule that shows the manner in which the Contractor intends to prosecute the work.

SD-07 Certificates

    DIACAP; G AR
        Provide documentation with completed forms

Issued for Construction 19 September 2008

Section 01 00 00 - Page 1 For Official Use Only


SD-10 Operation and Maintenance Data

    O and M Data
        A list of proposed maintenance and instruction manuals that is mainly used for but not limited to customized equipment.
    Commissioning Activity for HVAC; G AR
    Additional Commissioning Requirements; G AR
        The Contractor shall provide separate activities for commissioning. Follow Section 01 91 00 COMMISSIONING and related commissioning sections for commission requirements.

1.2 PROGRESS SCHEDULING AND REPORTING 1998)

1.2.1 Project Schedule

The Contractor shall submit for approval a practicable project schedule in accordance with specification Section 01 32 01.00 10 PROJECT SCHEDULE showing the manner in which he intends to prosecute the work.

1.2.2 Software Package

The Contractor shall utilize an industry recognized QCS-W compatible scheduling software package to implement the requirements of Section 01 32 01.00 10 PROJECT SCHEDULE.

1.3 PAYMENTS TO CONTRACTORS: (NOV 1976)

For payment purposes only, an allowance will be made by the Contracting Officer of 100 percent of the invoiced cost of materials or equipment delivered to the site but not incorporated into the construction, pursuant to the Contract Clause (FAR 52.232-5) titled "PAYMENTS UNDER FIXED-PRICE CONSTRUCTION CONTRACTS". The Contracting Officer may also, at his discretion, take into consideration the cost of materials or equipment stored at locations other than the jobsite, when making progress payments under the contract. In order to be eligible for payment, the Contractor must provide satisfactory evidence that he has acquired title to such material or equipment, and that it will be utilized on the work covered by this contract. Further, all items must be properly stored and protected. Earnings will be computed using 100 percent of invoiced value. (CENAB-CO-E)

1.4 IDENTIFICATION OF EMPLOYEES: (OCT 1983)

Each employee assigned to this project by the Contractor and subcontractors shall be required to display at all times, while on the project site, an approved form of identification provided by the Contractor, as an authorized employee of the Contractor/subcontractor. In addition, on those projects where identification is prescribed and furnished by the Government, it shall be displayed as required and it shall immediately be returned to the Contracting Officer for cancellation upon release of the assigned employee and/or completion of project. (CENAB)

1.5 PURCHASE ORDER: (SEP 1975)

One readable copy of all purchase orders for critical items of material and equipment, showing firm names and addresses, and all shipping bills, or memoranda of shipment received regarding such material and equipment, shall be furnished the appointed Contracting Officer's Representative as soon as issued. Such orders, shipping bills or memoranda shall be so worded or marked that all material and each item, piece or member of equipment can be definitely identified on the drawings. Where a priority rating is assigned to a contract, this rating, the required delivery date, and the scheduled shipping date shall also be shown on the purchase order. At the option of the Contractor, the copy of the purchase order may or may not indicate the purchase price. (CENAB-CO-E)

1.6 EQUIPMENT OWNERSHIP AND OPERATING EXPENSE SCHEDULE (EFARS 52.0231.5000 (OCT 1995))

A. This clause does not apply to terminations. See 52.249-5000, Basis for settlement of proposals and FAR Part 49.

B. Allowable cost for construction and marine plant and equipment in sound workable condition owned or controlled and furnished by a contractor or subcontractor at any tier shall be based on actual cost data for each piece of equipment or groups of similar serial and series for which the government can determine both ownership and operating costs from the contractor's accounting records. When both ownership and operating costs cannot be determined for any piece of equipment or groups of similar serial or series equipment from the contractor's accounting records, costs for that equipment shall be based upon the applicable provisions of EP1110-1-8 Construction Equipment Ownership and Operating Expenses Schedule, Region East. Working conditions shall be considered to be average for determining equipment rates using the schedule unless specified otherwise by the contracting officer. For equipment not included in the schedule, rates for comparable pieces of equipment may be used or a rate may be developed using the formula provided in the schedule. For forward pricing, the schedule in effect at the time of negotiations shall apply. For retroactive pricing, the schedule in effect at the time the work was performed shall apply.

C. Equipment rental costs are allowable, subject to the provisions of FAR 31.105(d)(ii) and FAR 31.205-36. Rates for equipment rented from an organization under common control, lease-purchase arrangements, and sale-leaseback arrangements, will be determined using the schedule, except that actual rates will be used for equipment leased from an organization under common control that has an established practice of leasing the same or similar equipment to unaffiliated lessees.

D. When actual equipment costs are proposed and the total amount of the pricing action exceeds the small purchase threshold, the contracting officer shall request the contractor to submit either certified cost or pricing data, or partial/limited data, as appropriate. The data shall be submitted on Standard Form 1411, Contract Pricing Proposal Cover Sheet. CENAB-CT/SEP 95 (EFARS 52.231-5000)

1.7 REAL PROPERTY EQUIPMENT DATA: (APR 1975)

At or before the time of completion of the contract, the Contractor shall submit to the Contracting Officer a complete itemized list, including serial and model number where applicable, showing the unit retail value of each Contractor furnished item of mechanical, electrical and plumbing equipment installed by the Contractor under this contract. Itemized list shall include equipment scheduled under Section 01 61 23 CONTRACTOR FURNISHED CONTRACTOR INSTALLED (CFCI) EQUIPMENT SCHEDULE. For each of the items which is specified herein to be guaranteed for a specified period from the date of acceptance thereof, either for beneficial use or final acceptance, whichever is earlier, against defective materials, design, and workmanship, the following information shall be given: the name, address and telephone number of the Subcontractor, Equipment Supplier, or Manufacturer originating the guaranteed item. The list shall be accompanied by a copy of the specific guarantee document for each item which is specified herein to be guaranteed if one had been furnished to the Contractor by the Equipment Supplier or Manufacturer. The Contractor's guarantee to the Government of these items will not be limited by the terms of any manufacturer's guarantee to the Contractor. Baltimore District NADB Form 1019 may be utilized for the itemized listing and will be made available to the Contractor upon request. (CENAB-CO-E)

1.8 O and M DATA: (JUL 1979)

The requirements for furnishing operating and maintenance data and field instruction are specified elsewhere in the specifications. The Contractor shall submit to the Contracting Officer, at a time prior to the 50 percent project completion time, a list of proposed maintenance and instruction manuals to be furnished the Government and the scheduled dates of all required field instructions to be provided by Contractor furnished personnel or manufacturer's representatives. All maintenance and instruction manuals must be furnished to the Contracting Officer at least 2 weeks prior to the scheduled dates of any required Contractor furnished field instructions or at least one month prior to project completion if no Contractor furnished field instructions are required. (CENAB)

1.9 FACILITY SECURITY CLEARANCE:

1.9.1 Contractor Security Access:

Large construction vehicles shall enter Fort Detrick through the Old Farm Gate on Rosemont Avenue. Smaller vehicles such as pickup trucks with temporary passes may enter by the 7th Street gate, but will be searched at each entry. Drivers shall be licensed, have registration and vehicle insurance. Drivers and passengers shall be able to furnish one official form of photo identification. Long term (greater than three months) driver/vehicle combinations may obtain temporary vehicle passes, and may not be searched upon every entry. This means such vehicle is owned/driven by that registered person. Vehicles without passes will be searched at each entry. No illegal aliens are permitted on Fort Detrick. All aliens must have appropriate documentation, and those found to be illegal will be apprehended. There will be no exception for this requirement. Prime Contractor shall contact Security Office at 301-619-2216/6060 for additional information or questions on these procedures.

1.9.2 Handling Classified Contract Documents

The classified documents issued as part of this contract shall be handled and controlled per the provisions of AR 380-5, Department of the Army Information Security Program, and other procedures established by the local Security Officer. All procedures and Non Disclosure Agreements established during the solicitation period remain in effect throughout the contract period.

1.9.3 Handling Unclassified Contract Documents

For the unclassified contract documents, all procedures and Non Disclosure Agreements established during the solicitation period remain in effect throughout the contract period. The Contractor shall take reasonable steps to minimize risk of access by unauthorized personnel, to include storing documents in containers, desks or cabinets when not in use. Electronic sharing of documents is generally prohibited; however, sharing the documents on a secured project web site may be allowed after Government approval of the specific provisions of the web site.

1.10 HOT-WORK PERMIT

A hot-work permit, DA Form 5383-R, must be submitted to the COR before using heat-producing equipment. Additional instructions are found on the "Fort Detrick Fire Department Pre-Construction Conference Report" form, which also includes a requirement to attend a briefing conference and provide a signature acknowledging receipt of briefing.

1.11 NEGOTIATED MODIFICATIONS: (OCT 84)

Whenever profit is negotiated as an element of price for any modification to this contract with either prime or subcontractor, a reasonable profit shall be negotiated or determined by using the OCE Weighted Guidelines method outlined in EFARS 15.902. (Sugg. NAB 84-232)

1.12 PHOTOGRAPHS

Provide monthly, and within one month of the completion of work, digital photographs in JPEG file format showing the sequence and progress of work. Take a minimum of forty digital photographs prior to the seventh day of each month of views and points located by the Contracting Officer, in coordination with Garrison requirements and USAMRIID "For Official Use Only" restrictions for photographs taken on site. Submit a view location sketch indicating points of view. Submit with the monthly invoice two sets of digital photographs, each set on a separate CD-R, cumulative of all photos to date. Photographs for each month shall be in a separate monthly directory and each file shall be named to indicate its location on the view location sketch. The view location sketch shall also be provided on the CD as a digital file. All file names shall include a date designator. (CENAB-EN)

1.13 PARTNERING: (NOV 92)

In order to most effectively accomplish this contract, the Government is willing to form a cohesive partnership with the Contractor and its subcontractors. This partnership would strive to draw on the strengths of each organization in an effort to achieve a quality project done right the first time, within budget and on schedule. This partnership would be bilateral in make-up and participation will be totally voluntary. Any cost associated with effectuating this partnership will be agreed to by both parties and will be shared equally with no change in contract price. (CENAB-EN-DT)


1.14 PERMITS

A. The permits listed below have been obtained by the Government or are in the approval process and may require additional action by the Contractor to become complete. After final approvals by the respective state agencies are received, the Government will furnish approval letters and permits to the Contracting Officer who will furnish the Contractor all such permits before or during construction. The Contractor shall abide by all permit requirements.

    1. Erosion and Sedimentation (E and S) Control Plan: The E and S control plans were submitted to the Maryland Department of the Environment (MDE). Permit number is: MDE No. - (TBD).

    2. Stormwater Management (SWM) Plan: The (SWM) Plans were submitted to the Maryland Department of the Environment. Permit number is: MDE No. - (TBD).

1.15 DEFENSE INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS

Provide completed documentation, using forms with required supplemental information, for work associated with Division 25 INTEGRATED AUTOMATION, and Division 28 ELECTRONIC SAFETY AND SECURITY for DoD Information Assurance Certification and Accreditation Process (DIACAP). The DoD process for identifying, implementing, validating, certifying, and managing IA capabilities and services, expressed as IA controls, and authorizing the operation of DoD ISs, including testing in a live environment, in accordance with statutory, Federal, and DoD requirements. The Contractor shall comply with the requirements of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP). Provide DIACAP compliant components and completed forms documenting the level of compliance for each component. Acceptance of components not fully documented as compliant with the MAC II Vendor Controls are subject to case-by-case review and approval by the Government. MAC II Vendor Controls requirements are following this Section 01 00 00.

1.16 ARCHITECT ENGINEER REFERENCES

With the exception of coded items on the submittal register and unless otherwise directed, all references to "AE" or "Architect-Engineer" in the contract documents shall be understood to mean "the Government".

PART 2 PRODUCTS

Not Applicable.


PART 3 EXECUTION

Not Applicable.

-- End of Section --


HOT-WORK PERMIT

For use of this form, see AR 420-90; the proponent agency is ACSIM

1. LOCATION

2. DATE

3. PERMIT NO.

4. TYPE OF WORK

5. START TIME

6. FINISH TIME

7.a. NAME OF PERSON RESPONSIBLE FOR HOT-WORK AT JOB SITE (Contractor/Government Employee)

7.b. SIGNATURE

PRECAUTIONS BEFORE OPERATIONS CHECKLIST (CHECK ONE: YES / NO)

8. Did Fire Department Inspector inspect site?
9. Are there procedures for Fire Department emergency notification? (Emergency No.)
10. Are combustibles in area noted?
11. Should combustibles be covered? (If yes, note in remarks)
12. Are proper extinguishers on hand?
13. Is wet-down necessary? (If yes, note in remarks)
14. Is smoking permissible at work sites?
15. Is continuous fire watch required?
16. Is Fire Department standby required?
17. Are other precautions required? (If yes, note in remarks)
18.a. FIRE DEPARTMENT INSPECTOR'S SIGNATURE
18.b. DATE

PRECAUTIONS AFTER OPERATIONS CHECKLIST (CHECK ONE: YES / NO)

19.a. Was Fire Department notified after hot-work operation was completed?
19.b. Time:
20.a. Did Fire Department inspector inspect work site?
20.b. Time:
21. Are after work conditions safe? (If no, note in remarks)
22. Are heat producing devices safe if left at work site?
23.a. FIRE DEPARTMENT INSPECTOR'S SIGNATURE
23.b. DATE

24. REMARKS

NOTE: PERMIT VALID ON DAY OF OPERATION AT ONE LOCATION ONLY

DA FORM 5383-R, SEP 92

EDITION OF JAN 85 IS OBSOLETE

USAPPC V1.00

MAC II Sensitive Controls

Control Number: DCCT-1
Control Name: Compliance Testing
Subject Area: Security Design and Configuration

Description: A comprehensive set of procedures is implemented that tests all patches, upgrades, and new AIS applications prior to deployment. Are there documented procedures in place to test patches and upgrades in a test environment before implementing them in the production environment.

Threat/Vulnerability/Countermeasure: Most information systems throughout an organization are unique. Patches, upgrades, and new applications can behave quite differently when applied across disparate systems. It is paramount that steps be taken to maintain the stability of the production IS. Proper compliance testing provides a reasonable level of assurance that system changes will achieve expected results.

General Implementation Guidance:
1. Each component shall implement a comprehensive set of test procedures that verify modifications to fielded systems will not be negatively impacted by the introduction of patches, upgrades, or modification.
2. Identify need for upgrade by monitoring appropriate channels such as vendor sites, mailing lists, third party sources, vulnerability scans or other means of detection.
3. Patches shall come from an approved trusted source and be tested and deployed in a timely manner.
4. Follow all prescribed installation procedures associated with the upgrade.

Impact Code: Medium

References:
- NIST SP 800-40, Procedures for Handling Security Patches, August 2002
- DoDI 8500.2, Information Assurance (IA) Implementation, para E3.2.4, E3.2.5.7, 06 February 2003

Control Number: DCFA-1
Control Name: Functional Architecture for AIS Applications
Subject Area: Security Design and Configuration

Description: For AIS applications, a functional architecture that identifies the following has been developed and is maintained:
- all external interfaces, the information being exchanged, and the protection mechanisms associated with each interface
- user roles required for access control and the access privileges assigned to each role (See ECAN)
- unique security requirements (e.g., encryption of key data elements at rest)
- categories of sensitive information processed or stored by the AIS application, and their specific protection plans (e.g., Privacy Act, HIPAA)
- restoration priority of subsystems, processes, or information (See COEF).
An Interface document will need to be provided (main system with all interfaces), information gathered or transmitted, user roles for access (especially if a DB)

Threat/Vulnerability/Countermeasure: Information systems without proper architectural documentation may be difficult to troubleshoot in a timely manner. Additionally, continuity of operations is seriously degraded when system architecture is undocumented. Having complete and accurate functional documentation for an AIS application architecture ensures all unique aspects are captured.

General Implementation Guidance:
1. Each Component shall identify standard and unique characteristics of their AIS applications to develop a functional architecture that identifies the following:
   a. All external interfaces, the information being exchanged, and the protection mechanisms associated with each interface;
   b. User roles required for access control and the access privileges assigned to each role (See ECAN);
   c. Unique security requirements (e.g., encryption of key data elements at rest);
   d. Categories of sensitive information processed or stored by the AIS application, and their specific protection plans (e.g., Privacy Act, HIPAA); and
   e. Restoration priority of subsystems, processes, or information (See COEF).
2. Components shall maintain and keep current their functional architecture documentation through disposal.

Impact Code: Medium

References:
- DoDI 8500.2, Information Assurance (IA) Implementation, 06 February 2003


Control Number: DCHW-1
Control Name: HW Baseline
Subject Area: Security Design and Configuration

Description: A current and comprehensive baseline inventory of all hardware (HW) (to include manufacturer, type, model, physical location and network topology or architecture) required to support enclave operations is maintained by the Configuration Control Board (CCB) and as part of the SSAA. A backup copy of the inventory is stored in a fire-rated container or otherwise not collocated with the original. A table listing all Hardware associated with the system and a system network diagram.

Threat/Vulnerability/Countermeasure: Organizations without a valid hardware baseline inventory are vulnerable to the introduction of unauthorized hardware to their IS. Additional concerns include not knowing what HW to use to rebuild a system after catastrophic loss. A current hardware baseline enables consistency within the environment and the rebuilding of information systems.

General Implementation Guidance:
1. Each Component shall develop a current and comprehensive baseline inventory of all hardware (HW).
2. At a minimum the baseline shall include manufacturer, type, model, physical location and network topology or architecture required to support enclave operations.
3. Physical and logical location of hardware shall be recorded.
4. The baseline shall be maintained by the Configuration Control Board (CCB) and as part of the system security documentation.
5. A current and comprehensive backup copy of the inventory shall be stored in a fire-rated container or otherwise not collocated with the original.
6. Regular updates to the HW baseline shall be managed through the CCB.
7. The HW baseline shall be validated during turnover of duties to include but not limited to: management and operations.
8. The HW baseline shall be validated not less than annually.

Impact Code: High

References:
- ANSI/EIA-649, Configuration Management, National Consensus Standard for Configuration Management, July 1998

Control Number: DCNR-1
Control Name: Nonrepudiation
Subject Area: Security Design and Configuration

Description: NIST FIPS 140-2 validated cryptography (e.g., DoD PKI class 3 or 4 token) is used to implement encryption (e.g., AES, 3DES, DES, Skipjack), key exchange (e.g., FIPS 171), digital signature (e.g., DSA, RSA, ECDSA), and hash (e.g., SHA-1, SHA-256, SHA-384, SHA-512). Newer standards should be applied as they become available. Does this system support Public Key Infrastructure (PKI) authentication?

Threat/Vulnerability/Countermeasure: Without the ability to ensure proof of sender identity as well as proof of delivery, organizations foster an environment of lawlessness where individuals can deny having processed data. NIST FIPS 140-2 validated cryptography provides a means to provide for nonrepudiation.

General Implementation Guidance:
1. Non-repudiation is accomplished by employing various mechanisms or techniques (e.g., digital signatures, digital message receipts, and time stamps).
2. Each Component shall ensure proper nonrepudiation implementation on all systems.
3. Follow system specific and FIPS guidance for latest approved non-repudiation methods.
4. NIST FIPS 140-2 validated cryptography (e.g., DoD PKI class 3 or 4 token) shall be used to implement encryption (e.g., AES, 3DES, DES, Skipjack), key exchange (e.g., FIPS 171), digital signature (e.g., DSA, RSA, ECDSA), and hash (e.g., SHA-1, SHA-256, SHA-384, SHA-512).
5. Newer standards shall be applied as they become available.

Impact Code: Medium

References:
- FIPS 140-2, Security Requirements for Cryptographic Modules, 25 May 2001

Control Number: DCPA-1
Control Name: Partitioning the Application
Subject Area: Security Design and Configuration

Description: User interface services (e.g., web services) are physically or logically separated from data storage and management services (e.g., database management systems). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate. Are the Interfaces to the system physically or logically separated?

Threat/Vulnerability/Countermeasure: Unauthorized users as well as malicious insiders who gain access to a particular service will find it relatively easy to gain access and exploit another service on the same hard drive. As part of the defense in depth methodology, services must be separated to provide an additional layer of protection between them.

General Implementation Guidance:
1. User interface services (e.g., web pages) are physically or logically separated from data storage and management services (e.g., database management systems).
2. Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate.

Impact Code: Low

References:
- DISA Web Server STIG, Version 5, 26 July 2004


Control Number: DCPD-1
Control Name: Public Domain Software Controls
Subject Area: Security Design and Configuration

Description: Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government. Does this system utilize freeware or shareware?

Threat/Vulnerability/Countermeasure: Public domain software products introduce an element of uncertainty to DoD information systems due to their public and unsupported nature. Organizations should not use public domain software products unless required for a mission critical purpose and as approved by the DAA.

General Implementation Guidance:
1. Components shall establish local policy governing freeware or shareware.
2. The CCB shall ensure freeware or shareware applications are distributed and used as directed.
3. Such products shall be assessed for information assurance impacts, and approved for use by the DAA.
4. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend.
5. If such software products are determined to be warranted, the organization shall limit the distribution of software to those that have a legitimate business need.
6. Periodic audits shall be conducted to ensure such software is being used for its intended business purpose.

Impact Code: Medium

References:
- Open Source Software (OSS) in the Department of Defense (DoD) Memorandum, 28 May 2003
- CJCSI 6510.01D, Information Assurance (IA) and Computer Network Defense (CND), Enclosure B and D, 15 June 2004

Control Number: DCPP-1
Control Name: Ports, Protocols, and Services
Subject Area: Security Design and Configuration

Description: DoD information systems comply with DoD ports, protocols, and services guidance. AIS applications, outsourced IT-based processes and platform IT identify the network ports, protocols, and services they plan to use as early in the life cycle as possible and notify hosting enclaves. Enclaves register all active ports, protocols, and services in accordance with DoD and DoD Component guidance.

Threat/Vulnerability/Countermeasure: Open, undocumented, and unnecessary ports, protocols, and services increase the risk of data compromise and system unavailability. Adhering to DoD guidance minimizes the inherent risk associated with ports, protocols, and services.

General Implementation Guidance:
1. DoD information systems shall comply with DoD ports, protocols, and services guidance.
2. A port, protocol, or service that does not explicitly support a business function shall be disabled or removed.
3. A list of ports, protocols, and services shall be documented and regularly updated and maintained through the CCB.
4. Organizations shall identify the network ports, protocols, and services they plan to use within AIS applications, outsourced IT-based processes and platform IT as early in the life cycle as possible and notify hosting enclaves.
5. Enclaves shall register all active ports, protocols, and services in accordance with DoD and DoD Component guidance.
6. Components shall monitor emerging threats and vulnerabilities to the ports, protocols, and services they use.

Impact Code: Medium

References:
- JTF-GNO PNP Update Message, 14 March 2003
- ASD/C3I Memorandum DoD Ports, Protocols and Services, 28 January 2003
- DoD Ports, Protocols and Services Security Technical Guidance, 05 November 2005
- Firewall Guidance Message, September 2002
- DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), 13 August 2004
- http://iase.disa.mil/ports/index.html
- DoDD O-8530.1, Computer Network Defense (CND), 08

Control Number: DCSL-1
Control Name: System Library Management Controls
Subject Area: Security Design and Configuration

Description: System libraries are managed and maintained to protect privileged programs and to prevent or minimize the introduction of unauthorized code. Is the source code for the application protected? Software versioning, access rights, etc. all work towards

Threat/Vulnerability/Countermeasure: Without appropriate library management controls, unauthorized code can intentionally or inadvertently be added to information systems.

General Implementation Guidance:
1. Libraries shall be controlled by the CCB.
2. Access to libraries shall be restricted to a minimum number of individuals.
3. A library access log shall be maintained, preferably automated.

Impact Code: Medium

References:
- MIL-STD-498, Software Development and Documentation


Control Number: DCSP-1
Control Name: Security Support Structure Partitioning
Subject Area: Security Design and Configuration

Description: The security support structure is isolated by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions. The security support structure maintains separate execution domains (e.g., address spaces) for each executing process. What is the security posture of this system? How is access being controlled?

Threat/Vulnerability/Countermeasure: The security support infrastructure of an information system, particularly in the form of an enclave or application suite isolated from the rest of the system, performs essential functions in guarding the confidentiality, integrity, and availability of the system. For this reason, the system is subject to compromise if the security support infrastructure is not appropriately isolated from the rest of the system and access granted only to appropriately authorized administrator personnel.

General Implementation Guidance:
1. Review the system architecture documentation or other relevant functional architecture.
2. Ensure that the security support structure is isolated by means of partitions, domains, etc., including control of access to, and integrity of, hardware, software, and firmware that perform security functions.
3. Verify that the security support structure is maintaining a separate execution domain (e.g., address space) for each process that it is executing.

Impact Code: Medium

References:
- DISA Network Infrastructure STIG, Version 5, Release 2, 29 September 2003
- DISA Web Server STIG, Version 5, 26 July 2004

Control Number: DCSQ-1
Control Name: Software Quality
Subject Area: Security Design and Configuration

Description: Software quality requirements and validation methods that are focused on the minimization of flawed or malformed software that can negatively impact integrity or availability (e.g., buffer overruns) are specified for all software development initiatives. Is there a software development life cycle, and if so, are there provisions for quality checks?

Threat/Vulnerability/Countermeasure: Poor software quality can introduce problematic behavior to DoD systems. Degradation to integrity or availability can negatively impact mission success. To promote software quality, strict requirements and validation methods must be established and followed.

General Implementation Guidance:
1. Components engaged in software development initiatives shall develop local procedures and checklists to ensure software quality.
2. Formal software test methodologies shall be adhered to during all phases of product lifecycle.

Impact Code: Medium

References:
- CJCSI 6510.01D, Information Assurance (IA) and Computer Network Defense (CND), 15 June 2004
- MIL-STD-498, Software Development and Documentation
- IEEE 12207.0, Industry Implementation of International Standard ISO/IEC 12207: 1995 (ISO/IEC 12207) Standard for Information Technology Software Life Cycle Processes, 01 March

Control Number: DCSW-1
Control Name: SW Baseline
Subject Area: Security Design and Configuration

Description: A current and comprehensive baseline inventory of all software (SW) (to include manufacturer, type, and version and installation manuals and procedures) required to support DoD information system operations is maintained by the CCB and as part of the C&A documentation. A backup copy of the inventory is stored in a fire-rated container or otherwise not collocated with the original. Provide a list of all software that comprises this system.

Threat/Vulnerability/Countermeasure: Without a comprehensive software baseline, it may not be possible to identify unauthorized changes to system software or to successfully rebuild network equipment after facility loss. Maintaining a SW baseline allows for periodic software consistency checks and dependable system rebuilds.

General Implementation Guidance:
1. Each Component shall develop a current and comprehensive baseline inventory of all software (SW).
2. At a minimum the baseline shall include manufacturer, type, model, physical location and network topology or architecture required to support enclave operations.
3. Physical and logical location of software shall be recorded.
4. The baseline shall be maintained by the Configuration Control Board (CCB) and as part of the system security documentation.
5. A current and comprehensive backup copy of the inventory shall be stored in a fire-rated container or otherwise not collocated with the original.
6. Regular updates to the SW baseline shall be managed through the CCB.
7. The SW baseline shall be validated during turnover of duties to include but not limited to: management and operations.
8. The SW baseline shall be validated not less than annually.

Impact Code: High

References:
- ANSI/EIA-649, Configuration Management, National Consensus Standard for Configuration Management, July 1998


Control Number: EBRP-1
Control Name: Remote Access for Privileged Functions
Subject Area: Enclave Boundary Defense

Description: Remote access for privileged functions is discouraged, is permitted only for compelling operational needs, and is strictly controlled. In addition to EBRU-1, sessions employ security measures such as a VPN with blocking mode enabled. A complete audit trail of each remote session is recorded, and the USAMRIID IAM/IAO reviews the log for every remote session. Ensure that no remote access is necessary or given

Threat/Vulnerability/Countermeasure: Remote access for privileged functions is especially dangerous due to the transmission of administrator usernames and passwords over non-DoD media and devices. Compromised privileged credentials can cause network denial of service and of unauthorized use of sensitive DoD information. Proper security precautions such as correct use of VPN and auditing minimize the risk of network compromise and attack.

General Implementation Guidance:
1. If needed for a compelling operational need, remote access for privileged functions shall be used only with VPN.
2. Auditing of each remote VPN session shall be enabled.
3. The USAMRIID IAM/IAO shall review the audit log for every remote session.
4. Refer to DoD or other applicable guidance for proper connection requirements and procedures.

Impact Code: High

References:
- CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
- DISA Network Infrastructure STIG, Version 6 Draft, 29 October 2004
- DISA Secure Remote Computing STIG, Version 1, Release 1, 14 February 2003
- DISA Enclave Security STIG, Version 2, Release 1, 01 July 2004

Control Number: EBRU-1
Control Name: Remote Access for User Functions
Subject Area: Enclave Boundary Defense

Description: All remote access to DoD information systems, to include telework access, is mediated through a managed access control point, such as a remote access server in a DMZ. Remote access always uses encryption to protect the confidentiality of the session. The session-level encryption equals or exceeds the robustness established in ECCT. Authenticators are restricted to those that offer strong protection against spoofing. Information regarding remote access mechanisms (e.g., Internet address, dial-up connection telephone number) is protected. Ensure that no remote access is necessary or given

Threat/Vulnerability/Countermeasure: Remote access allows users to interact with enclave resources from afar. This convenience introduces inherent risks such as spoofing and brute force attacks. Proper security precautions such as a properly configured remote access server in a DMZ along with approved encryption techniques minimize the chance of network compromise and attack.

General Implementation Guidance:
1. All remote access connections shall authenticate network users and encrypt transmitted data by using approved access controls and cryptographic means.
2. Components shall establish a process for managing remote access user accounts to include prompt account removal or disablement as warranted.
3. Components shall take steps to ensure remote access numbers or Internet addresses are secure.
4. Refer to DoD or other applicable guidance for proper connection requirements and procedures.

Impact Code: High

References:
- CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
- DISA Network Infrastructure STIG, Version 6 Draft, 29 October 2004
- DISA Secure Remote Computing STIG, Version 1, Release 1, 14 February 2003
- Public Law 106-346, Section 359, Attachment 1, Memorandum to Executive Departments and Agencies, Congressional Federal Telework Mandate 2001, 23 October 2000
- DISA Enclave Security STIG, Version 2, Release 1, 01 July 2004
- UNIX STIG, Version 4, Release 4, 15 September 2003


Control Number: ECAR-2
Control Name: Audit Record Content Sensitive Systems
Subject Area: Enclave Computing Environment

Description: Audit records include:
- User ID.
- Successful and unsuccessful attempts to access security files.
- Date and time of the event.
- Type of event.
- Success or failure of event.
- Successful and unsuccessful logons.
- Denial of access resulting from excessive number of logon attempts.
- Blocking or blacklisting a user ID, terminal or access port and the reason for the action.
- Activities that might modify, bypass, or negate safeguards controlled by the system.
Ensure the system meets the auditing requirements set forth in the appropriate STIGS

Threat/Vulnerability/Countermeasure: Insufficient security related information recorded in the audit trails cannot support system forensics effectively and efficiently. This implementation guide is aimed to help system administrators implement the system audit mechanisms properly to provide effective monitoring and detection of the security problems, and security fixes can be implemented in a timely manner.

General Implementation Guidance:
1. The system administrator shall select audit events against security files of individual system components in accordance with DISA STIGs related to operating system, database, and application, such as excessive number of logon attempt; blocking or blacklisting a user ID; and bypassing or negating safeguards controlled by the system.
2. The system administrator shall configure each audit event to record sufficient information in the audit trails such as date/time of the event, user ID, source, target, type of event, and success/failure.
3. If the system does not provide the capability of recording DOD required security events, the system administrator shall identify and install a DOD approved 3rd party product and configure it in accordance with DISA STIGs and vendor documentation for auditing.
4. The system administrator shall test the auditing capability to ensure that the audit trails record required security events; each event contains sufficient information to support system forensics; and the auditing functions do not affect system operations.

Impact Code: Medium

References:
- CJCSI 6510.01D, Information Assurance (IA) and Computer Network Defense (CND), 15 June 2004
- CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
- DISA Windows NT Security Checklist, 10 December 2004
- DISA Windows 2003 Security Checklist (draft), 10 December 2004
- DISA Unix STIG, 15 September 2003
- DISA UNISYS STIG, 22 July 2003
- DISA Solaris Security Checklist, 20 January 2004
- DISA Database STIG, 24 July 2004
- DOD OC/390 RACF Checklist October 2004
- DOD OC/390 ACF2 Checklist October 2004
- DOD OC/390 TSS Checklist October 2004
- NSA Microsoft SQL Server Guides, 02
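One way to carry out the test in ECAR-2 guidance item 4 is to run a captured audit trail through a content check. The following is an added example, not part of the specification; the JSON-lines schema, field names, event_type values and host names are assumptions, and the sample trail is constructed.

```python
"""Check an audit trail against the ECAR-2 audit record content list."""
import json
from datetime import datetime

# Guidance item 2: date/time, user ID, source, target, type of event and
# success/failure must be present in every record (field names are assumed).
REQUIRED_FIELDS = ("timestamp", "user_id", "source", "target", "event_type", "outcome")

# ECAR-2 description: logons and security-file access must be audited for
# both successful and unsuccessful attempts.
REQUIRED_PAIRS = {
    ("logon", "success"), ("logon", "failure"),
    ("security_file_access", "success"), ("security_file_access", "failure"),
}
# Lockout after excessive logon attempts, blocking an ID/terminal/port, and
# activity that modifies, bypasses or negates a safeguard.
REQUIRED_TYPES = {"lockout", "block", "safeguard_change"}


def check_record(rec):
    """Return the list of content problems for one parsed audit record."""
    problems = []
    for name in REQUIRED_FIELDS:
        value = rec.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing {name}")  # absent, empty or not text
    ts = rec.get("timestamp")
    if isinstance(ts, str) and ts.strip():
        try:
            datetime.fromisoformat(ts)
        except ValueError:
            problems.append("unparseable timestamp")
    outcome = rec.get("outcome")
    if isinstance(outcome, str) and outcome.strip() and outcome not in ("success", "failure"):
        problems.append("outcome is not success/failure")
    # A block/blacklist record must also state the reason for the action.
    reason = rec.get("reason")
    if rec.get("event_type") == "block" and not (isinstance(reason, str) and reason.strip()):
        problems.append("block event without reason")
    return problems


def review_audit_trail(text):
    """Validate every record and report required event categories never seen."""
    bad, seen = {}, set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad[lineno] = ["not valid JSON"]
            continue
        if not isinstance(rec, dict):
            bad[lineno] = ["not a JSON object"]
            continue
        problems = check_record(rec)
        if problems:
            bad[lineno] = problems  # incomplete records do not count as coverage
            continue
        seen.add((rec["event_type"], rec["outcome"]))
    seen_types = {etype for etype, _ in seen}
    missing = sorted(f"{t}:{o}" for t, o in REQUIRED_PAIRS - seen)
    missing += sorted(REQUIRED_TYPES - seen_types)
    return {"bad_records": bad, "missing_coverage": missing}


def make_record(ts, user, etype, outcome, **extra):
    """Build one constructed sample record (hypothetical hosts ws-12, hmi-srv)."""
    rec = {"timestamp": ts, "user_id": user, "source": "ws-12",
           "target": "hmi-srv", "event_type": etype, "outcome": outcome}
    rec.update(extra)
    return rec


# Constructed sample trail, not real log data.
SAMPLE_TRAIL = "\n".join(json.dumps(r) for r in [
    make_record("2008-09-19T08:00:05", "alice", "logon", "success"),
    make_record("2008-09-19T08:01:10", "bob", "logon", "failure"),
    make_record("2008-09-19T08:01:20", "bob", "logon", "failure"),
    make_record("2008-09-19T08:01:31", "bob", "logon", "failure"),
    make_record("2008-09-19T08:01:31", "bob", "lockout", "failure"),
    make_record("2008-09-19T08:02:00", "bob", "block", "success"),  # no reason
    make_record("2008-09-19T08:05:00", "", "security_file_access", "failure"),  # no user ID
    make_record("2008-09-19T08:06:00", "alice", "security_file_access", "success"),
    make_record("2008-09-19T08:07:00", "alice", "safeguard_change", "success"),
])

if __name__ == "__main__":
    print(review_audit_trail(SAMPLE_TRAIL))
```

Records that fail the content check are excluded from coverage, so an event category that is only ever logged incompletely is reported as missing.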


Control Number: ECAT-2
Control Name: Audit Trail, Monitoring, Analysis and Reporting
Subject Area: Enclave Computing Environment

Description: An automated, continuous on-line monitoring and audit trail creation capability is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected. If an intrusion were to happen, is there a mechanism to alert personnel?

Threat/Vulnerability/Countermeasure: Lack of automated, continuous on-line monitoring and audit capability would cause the delay of detection of security violations, and further damage to the system would not be prevented in a timely manner. This implementation guide is aimed to help network administrators implement an automated auditing tool that can provide continuous online monitoring and audit report generation to provide effective and efficient detection of minor and/or major security violations that affect critical system operations.

General Implementation Guidance:
1. The system engineering team (consisting of project manager, system engineer, network administrator, security engineer, IA personnel) shall identify a list of DOD approved automated, continuous on-line monitoring tools (e.g. intrusion detection system).
2. The system project management team shall perform an analysis of advantages and disadvantages of individual monitoring tools based on tool functions, system environment, and fund.
3. The system project management team shall select an automated, continuous on-line monitoring tool that is the best suitable to the system environment.
4. The network administrator shall install the selected automated, continuous on-line monitoring tool in a lab environment and configure the tool properly in accordance with vendor security checklists and/or industry best practices.
5. The network administrator shall test the tool, at a minimum, the following capabilities:
   - Recording and monitoring security events on real-time
   - Alerting personnel immediately of any unusual or inappropriate security activity
   - Disabling the system if serious IA violations are detected based on detection signatures.
6. The network administrator shall determine the options of alerting via pager, email, or cell phone and
7. If the tool works as planned, the network administrator shall implement the tool into the system in th

Impact Code: Medium

References:
- CJCSI 6510.01D, Information Assurance (IA) and Computer Network Defense (CND), 15 June 2004
- CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
- DISA Network Infrastructure STIG, 29 September 2003
- NIST SP 800-31, Intrusion Detection Systems, November 2001
- NIST SP 800-36, Guide to Selecting Information Security Products, October 2003


Control Number: ECCD-2
Control Name: Changes to Data
Subject Area: Enclave Computing Environment

Description: Access control mechanisms exist to ensure that data is accessed and changed only by authorized personnel. Access and changes to the data are recorded in transaction logs that are reviewed periodically or immediately upon system security events. Users are notified of time and date of the last change in data content. Ensure the system has adequate access controls that meet or exceed the applicable STIGS

Threat/Vulnerability/Countermeasure: Lack of proper access controls would allow unauthorized users to gain access to the system. This would impact the integrity, confidentiality, and availability of the system and its data. This implementation guide is aimed to help system administrators implement proper access controls through user privileges, file permissions, auditing, and user notification.

General Implementation Guidance:
1. The system, database, and/or application administrators shall create user accounts only upon approval of System Access Request by authorized personnel (e.g., user manager/supervisor/USAMRIID IAM/IAO).
2. The system, database, and/or application administrators shall determine user privileges required to perform their job functions.
3. The system, database, and/or application administrators shall configure the system software (e.g., operating system, database, and application) to which users have access to read or modify data to perform job functions in accordance with DISA STIGs applicable to the software based on the least privileges and need to know.
4. The administrators shall configure the audit trails and transaction logs to capture user access to the software/application.
5. The administrators shall configure the system to display and generate audit reports for regular reviews or immediate reviews upon system security events.
6. The system administrator shall research and determine if the system software provides the capability of notifying users of time and date of the last change in data content and perform the followi
   a. If the system provides the capability, the system administrator shall enable the capability.
   b. If the system does not provide the capability, the administrators shall implement other means (e.g.,
7. The system administrator shall generate and review the audit trails and the transaction logs on a regu

Impact Code: High

References:
- CJCSI 6510.01D, Information Assurance (IA) and Computer Network Defense (CND), 15 June 2004
- CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
- DISA Windows NT Security Checklist, 10 December 2004
- DISA Windows 2003 Security Checklist (draft), 10 December 2004
- DISA Unix STIG, 15 September 2003
- DISA UNISYS STIG, 22 July 2003
- DISA Solaris Security Checklist, 20 January 2004
- DISA Database STIG, Version 7, Release 1, 29 October 2004
- DOD OC/390 RACF Checklist October 2004
- DOD OC/390 ACF2 Checklist October 2004
- DOD OC/390 TSS Checklist October 2004
- NSA Microsoft SQL

Control Number: ECDC-1
Control Name: Data Change Controls
Subject Area: Enclave Computing Environment

Description: Transaction-based systems (e.g., database management systems, transaction processing systems) implement transaction roll-back and transaction journaling, or technical equivalents. Ensure transaction handling meets or exceeds applicable STIGS

Threat/Vulnerability/Countermeasure: Without implementing transaction roll-back and journaling, unauthorized or unintentional modification or destruction of data stored in the database would cause the loss of critical data. This implementation guide is aimed to help database administrators ensure the recovery of database data that was modified or deleted unintentionally or by unauthorized users.

General Implementation Guidance:
1. The database administrator shall identify and determine if the database systems (e.g., Oracle, Microsoft SQL Server) implemented into the system provide transaction capabilities (e.g., transaction roll back and transaction journaling).
2. If the database systems provide the capability of transaction roll back and journaling, the database administrator shall enable the capability in order to log database updates to either files or disk partition according to DISA Database STIG and organization specific database guides.
3. If the database systems do not provide the transaction roll back and journaling or technical equivalent, the database administrator shall:
   - Identify a DoD approved 3rd party product that provides transaction roll back and journaling or technical equivalent
   - Configure the product and test it in a lab environment to ensure it functions properly
   - Install the product on the database system in

Impact Code: Medium

References:
- DISA Database STIG, Version 7, Release 1, 29 October 2004
- NSA Microsoft SQL Server Guides, 02 October 2003
- NSA Oracle Database Server Guides, 02 October 2003
- Center for Internet Security Database Security Checklist, 06 April 2005
- Vendor Security Administration Guide (Refer to if no DSSA/NSA/NIST/USG guidance is available)

Issued for Construction 19 September 2008


MAC II Sensitive Controls

Control Number: ECLO-1
Control Name: Logon
Subject Area: Enclave Computing Environment

Description: Successive logon attempts are controlled using one or more of the following:
Access is denied after multiple unsuccessful logon attempts.
The number of access attempts in a given period is limited.
A time-delay control system is employed.
If the system allows for multiple logon sessions for each user ID, the system provides a capability to control the number of logon sessions.
Ensure logons are controlled and monitored and that the systems meets or exceeds applicable STIGS

Threat/Vulnerability/Countermeasure: Without proper user account lockout policies in place, unauthorized users could continually attempt to gain system access and not be noticed by the system administrator. This implementation guide is aimed to help system administrators implement the account lock policy and a limited number of logon sessions for each user ID.

General Implementation Guidance:
1. The system administrator shall configure the account policy of the operating system, database, and/or application that authenticates users to access the system. For example, for Windows operating system, the User Account Lockout Policy in the User Manager can be set as follows:
Account lockout duration: 0
Account lockout threshold: 3 bad login attempts
Reset account lockout counter after: 60 minutes
2. For the implementation of a number of logon sessions for the same user ID,
a. If the system software (e.g., Novell Netware) provides the capability of restricting a number of logon sessions, the system administrator shall configure the feature to the limited number (e.g., one or two).
b. If the system software does not provide the capability of restricting a number of logon sessions, the system administrator shall use an approved method (e.g., scripts) that restricts simultaneous login sessions for the same user ID. Otherwise, the system administrator shall review the audit trails regularly to monitor and detect simultaneous logons with the same user ID.

Impact Code: Medium

References:
CJCSI 6510.01D, Information Assurance (IA) and Computer Network Defense (CND), 15 June 2004
CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
DISA Windows NT Security Checklist, 10 December 2004
DISA Windows 2003 Security Checklist (draft), 10 December 2004
DISA Unix STIG, 15 September 2003
DISA Unisys STIG, 22 July 2003
DOD Database STIG, 24 July 2004
NSA Microsoft SQL Server Guides, 02 October 2003
NSA Oracle Database Server Guides, 02 October 2003
NSA Guide to Securing Windows 2000 Policy Toolsets, Chapter 3, 05 March 2003
NSA Guide to Securing
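One way to carry out the audit-trail review that ECLO-1 calls for, as an added example that is not part of the specification: it applies the stated lockout values (threshold 3, counter reset after 60 minutes, duration 0) and flags simultaneous logons with the same user ID. The record layout, event names, user IDs, workstation names and the one-session limit are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values from the ECLO-1 guidance above.
LOCKOUT_THRESHOLD = 3                        # bad logon attempts
RESET_COUNTER_AFTER = timedelta(minutes=60)  # reset account lockout counter after
# Lockout duration 0: the account stays locked until an administrator unlocks it.
MAX_SESSIONS = 1  # assumption; the guidance suggests "one or two"

# Constructed audit trail. The layout (timestamp, user ID, event, workstation)
# and the event names are assumptions made for this example.
SAMPLE_AUDIT = """\
2008-09-19T08:00:00 asmith LOGON_FAIL ws-07
2008-09-19T08:01:00 asmith LOGON_FAIL ws-07
2008-09-19T08:02:00 asmith LOGON_FAIL ws-07
2008-09-19T08:05:00 bjones LOGON_FAIL ws-12
2008-09-19T08:06:00 bjones LOGON_FAIL ws-12
2008-09-19T09:30:00 bjones LOGON_FAIL ws-12
2008-09-19T09:31:00 bjones LOGON_OK ws-12
2008-09-19T09:40:00 cdavis LOGON_OK ws-03
2008-09-19T09:45:00 cdavis LOGON_OK ws-21
2008-09-19T10:00:00 cdavis LOGOFF ws-03
2008-09-19T10:05:00 asmith ADMIN_UNLOCK ws-07
2008-09-19T10:06:00 asmith LOGON_OK ws-07
"""


def parse_audit(text):
    """Return (datetime, user, event, workstation) tuples, one per record."""
    records = []
    for line in text.splitlines():
        if line.strip():
            stamp, user, event, host = line.split()
            records.append((datetime.fromisoformat(stamp), user, event, host))
    return records


def review_audit(records):
    """Apply the lockout policy and session limit to time-ordered records.

    Returns (lockouts, concurrent): lockouts holds (user, locked_at) pairs,
    concurrent holds (user, seen_at, workstations in use) triples.
    """
    failures = defaultdict(list)  # user -> timestamps of counted bad attempts
    locked = set()                # users locked until ADMIN_UNLOCK
    sessions = defaultdict(set)   # user -> workstations with an open session
    lockouts, concurrent = [], []

    for when, user, event, host in records:
        if event == "ADMIN_UNLOCK":
            locked.discard(user)
            failures[user].clear()
        elif event == "LOGON_FAIL" and user not in locked:
            recent = failures[user]
            # The counter resets once the window has passed since the last failure.
            if recent and when - recent[-1] >= RESET_COUNTER_AFTER:
                recent.clear()
            recent.append(when)
            if len(recent) >= LOCKOUT_THRESHOLD:
                locked.add(user)
                lockouts.append((user, when))
        elif event == "LOGON_OK":
            failures[user].clear()
            sessions[user].add(host)
            if len(sessions[user]) > MAX_SESSIONS:
                concurrent.append((user, when, sorted(sessions[user])))
        elif event == "LOGOFF":
            sessions[user].discard(host)
    return lockouts, concurrent


if __name__ == "__main__":
    found_lockouts, found_concurrent = review_audit(parse_audit(SAMPLE_AUDIT))
    for user, when in found_lockouts:
        print(f"LOCKED {user} at {when}, stays locked until administrator unlock")
    for user, when, hosts in found_concurrent:
        print(f"CONCURRENT {user} at {when} on {', '.join(hosts)}")
```

In the sample, bjones is not locked out because the third failure arrives more than 60 minutes after the second, so the counter has already reset.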


Control Number: ECLP-1
Control Name: Least Privilege
Subject Area: Enclave Computing Environment

Description: Access procedures enforce the principles of separation of duties and "least privilege." Access to privileged accounts is limited to privileged users. Use of privileged accounts is limited to privileged functions; that is, privileged users use non-privileged accounts for all non-privileged functions. This control is in addition to an appropriate security clearance and need-to-know authorization.
Ensure the system conforms to the policy of least privilege

Threat/Vulnerability/Countermeasure: Unauthorized users could gain access to critical classified and/or sensitive data through improperly granted privileges. This could result in unauthorized disclosure, modification, and destruction of classified and sensitive information. This implementation guide is aimed to help system administrators implement proper access privileges based on user job functions and need to know and maintain privileged accounts securely.

General Implementation Guidance:
1. The Information Assurance Manager (IAM) shall determine the number of roles/groups that are associated with specific functions required for the system.
2. The USAMRIID IAM shall determine the names of the specific roles/groups (e.g., Engineering, IA, Configuration Management) and assign users to specific groups based on users job functions.
3. The system administrator shall grant least privileges to individual users within the group (e.g., read, write, execute) only based on user job functions and need to know and upon the completion of background investigation.
4. The system administrator shall grant access to privileged accounts (e.g., root, administrator) only to a limited number of privileged users (e.g., system administrator, database administrator, application administrator).
5. The system administrator shall assign individual unique user accounts (e.g., johndoe1) to users with privileged functions, which must be used only to perform non-privileged functions.
6. The system administrator shall review audit trails regularly to ensure that privileged users use the non-privileged accounts to perform non-privilege
7. The system administrator shall create non-privileged accounts for privileged users to perform non-priv

Impact Code: High

References:
CJCSI 6510.01D, Information Assurance (IA) and Computer Network Defense (CND), 15 June 2004
CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
DISA Windows NT Security Checklist, 10 December 2004
DISA Unix STIG, Version 4, Release 4, 15 September 2003
DISA Application Security Checklist, Version 2, Release 1.5. 28 January 2005
NSA Guide to Securing Windows XP, Chapters 2 and 4, 22 October 2004
NSA Microsoft SQL Server Guides, 02 October 2003
NSA Oracle Database Server Guides, 02 October 2003
NSA Guide to Securing Windows 2000 Policy Toolsets, 05 March 2003

Control Number: ECML-1
Control Name: Marking and Labeling
Subject Area: Enclave Computing Environment

Description: Information and DoD information systems that store, process, transit, or display data in any form or format that is not approved for public release comply with all requirements for marking and labeling contained in policy and guidance documents such as DoD 5200.1R. Markings and labels clearly reflect the classification or sensitivity level, if applicable, and any special dissemination, handling, or distribution instructions.
Ensure system labels data or information at the appropriate classification level

Threat/Vulnerability/Countermeasure: Without proper markings and labels, classified and/or sensitive information could not be handled properly. This could result in unauthorized disclosure, modification, or destruction of data. This implementation guide is aimed to help information owners implement proper markings and labels that reflect the classification or sensitivity level of information.

General Implementation Guidance:
1. The information owner shall identify and determine if the system stores, processes, transits, or displays data in any form or format, which is not approved for public release.
2. If the system has data not approved for public release, the information owner shall perform the following prior to marking classification levels in accordance with DoD 5200.1R:
a. Determine the overall classification of the document.
b. Identify specific classified information and its level of classification within the document
c. Identify information that should be included in the marking and labeling process
d. Determine the type of standard markings and labeling format that is specified in DoD 5200.1R and/or organizations classification labeling guide.
e. Determine the specific pages where markings are displayed (e.g., front page, outside of back cover)
f. Apply the labels and markings on the classified and sensitive documents as determined.

Impact Code: High

References:
DoD 5200.1R, Information Security Program, Chapter 5, Marking, January 1997
CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
Organizations labeling and marking policies and/or guidelines


Control Number: ECPA-1
Control Name: Privileged Account Control
Subject Area: Enclave Computing Environment

Description: All privileged user accounts are established and administered in accordance with a role-based access scheme that organizes all system and network privileges into roles (e.g., key management, network, system administration, database administration, web-administration). The USAMRIID IAM tracks privileged role assignments.
Self explanatory

Threat/Vulnerability/Countermeasure: An organizations network and the integrity of stored information are at risk if the control of actions, functions, applications and operations of legitimate users are not managed with a role-based access scheme. The unnecessary allocation and use of system privileges significantly increases the vulnerability of systems. Role-based systems are designed to minimize the potential for inside security violations by providing greater control over users' access to information and resources. Also, by assigning individuals to predefined roles, the administrative process of establishing privileges is streamlined and management time for reviewing privilege assignments is reduced.

General Implementation Guidance:
1. An analysis of how an organization operates shall be accomplished for the basis of defining user roles and privileges.
2. Systems shall employ a role-based access scheme that enforces separation of duties and network privileges.
3. Privileged user accounts (administrators, root/super users on UNIX, routers and LAN servers, SANs, etc) shall be limited to the absolute minimum number needed to manage the system, and the USAMRIID IAM shall document all privileged role assignments.
4. Privileged user accounts shall be limited to the minimum number of privileges needed to perform their assigned duties.
5. Where technically possible, privileged users should initially log on with a personal user ID and only be granted privileged access by way of group assignment.
6. Privileged and guest accounts shall be renamed from any default.

Impact Code: High

References:
CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 25 March 2003
NSA Guide to Securing Windows 2000 Policy Toolsets, 05 March 2003
NSA Guide to Securing Windows XP, 22 October 2004
DISA Unix STIG, Version 4, Release 4, 15 September 2003
DISA UNISYS STIG, 22 July 2003
NSA Windows 2000 Security Recommendations Guide 16 January 2004
NSA Windows NT Security Recommendations Guide 18 September 2001
DISA Database STIG, Version 7, Release 1, 29 October 2004
http://csrc.nist.gov/rbac/

Control Number: ECSC-1
Control Name: Security Configuration Compliance
Subject Area: Enclave Computing Environment

Description: For Enclaves and AIS applications, all DoD security configuration or implementation guides have been applied.
Self explanatory

Threat/Vulnerability/Countermeasure: The computer hardware and software systems used within the DOD have varying amounts of risks. Security configuration or implementation guides are created to minimize the security risks associated with the hardware or software products.

General Implementation Guidance:
1. All IA and IA-enabled applications deployed within the enclave (C&A boundary) shall be configured or implemented according to the information within applicable security guides (e.g., STIGs, SNAC Guides).
2. If security guides are not available for deployed IA products, waivers shall be obtained and commercial best practices shall be applied.

Impact Code: High

References:
http://www.nsa.gov/snac/ National Security Agency, Systems and Network Attack Center Security and Configuration Guides
http://csrc.nist.gov/pcig/ Defense Information Systems Agency, STIGs
http://csrc.nist.gov/pcig/ppsp.html Public and Private Security Practices


Control Number: ECWM-1
Control Name: Warning Message
Subject Area: Enclave Computing Environment

Description: All users are warned that they are entering a Government information system, and are provided with appropriate privacy and security notices to include statements informing them that they are subject to monitoring, recording and auditing.
Ensure the latest DoD Warning Banner is display prior to logging into the system

Threat/Vulnerability/Countermeasure: The use of warning banners on computers and networks provides legal notice to anyone accessing them that they are using a U.S. Government system that is subject to monitoring, recording, and auditing. Users also being notified of possible sanctions, such as loss of privileges or even prosecution, if they misuse or access the network without authorization help mitigate malicious activity.

General Implementation Guidance:
1. A warning banner shall be displayed after a successful log-on and this includes banners for internal and local logins as well as external logins.
2. The following elements shall be included in the warning message:
a. use of the application constitutes the users consent to monitoring,
b. use of the application is limited to official US Government business only,
c. unauthorized use is subject to criminal prosecution, and
d. notice that this is a DOD system.

Impact Code: Low

References:
CJCSM 6510.10, Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND), 15 March 2002
NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998
DISA Instruction 630230-19, Security Requirements for Automated Information Systems, 09 July 1996
DISA Computer Services Security Handbook, Version 3, 01 December 2000
DISA Defense Switched Network STIG, Version 1, Release 1, 12 March 2003
DISA Network

Control Number: PESL-1
Control Name: Screen Lock
Subject Area: Physical and Environmental

Description: Unless there is an overriding technical or operational problem, workstation screen-lock functionality is associated with each workstation. When activated, the screen-lock function places an unclassified pattern onto the entire screen of the workstation, totally hiding what was previously visible on the screen. Such a capability is enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes). Once the workstation screen-lock software is activated, access to the workstation requires knowledge of a unique authenticator. A screen lock function is not considered a substitute for logging out (unless a mechanism actually logs out the user when the user idle time is exceeded).
Ensure the system employs a screen lock feature that will activate within 10 minutes of in-activity

Threat/Vulnerability/Countermeasure: Unattended workstations and servers are at risk to unauthorized access to sensitive and classified information if there is not a screen-lock function in place.

General Implementation Guidance:
1. Unless there is an overriding technical or operational problem, workstation screen-lock functionality shall be associated with each workstation.
2. When activated, the screen-lock function shall place an unclassified pattern onto the entire screen of the workstation. This functionality shall totally hide what was previously visible on the screen.
3. Such a capability shall be enabled either by explicit user action or a specified period of workstation inactivity (e.g., 15 minutes) in accordance with agency standard operating procedures.
4. Once the workstation screen-lock software is activated, access to the workstation shall require knowledge of a unique authenticator.
5. A screen lock function shall not be considered a substitute for logging out (unless a mechanism actually logs out the user when the user idle time is exceeded).

Impact Code: Medium

References:
Database STIG, Version 7, Release 1, 29 October 2004
Secure Remote Computing STIG, Version 1, Release 1, 14 February 2003
Department of Transportation Solaris Secure Baseline Configuration Standards, 20 January 2004)
UNIX STIG, Version 4, Release 4, 15 September 2003
Windows NT STIG, Version 4, Release 2, 18 September 2001
Addendum to Windows NT STIG, Version 3, Release 1, 24 November 2002
Windows XP STIG Version 1, Release 8, 03 December 2002
Windows NT/XP/2000 Addendum Version 4, Release 1 STIG, 26 February 2004
Department of Transportation Windows 2000 Secure Baseline Configuration Standards, Section 1,


Acronyms:
AIS - Automated Information System
IS - Information System
IA - Information Assurance
IAM - Information Assurance Manager
DAA - Designated Approving Authority
CCB - Configuration Control Board
DoD - Department of Defense
IT - Information Technology
STIG - Security Technical Implementation Guidelines
IAO - Information Assurance Office
DMZ - DeMilitarized Zone
C&A - Certification and Accreditation
VPN - Virtual Private Network
SW - Software
HW - Hardware


SECTION 01 05 00 JOB CONDITIONS

PART 1 GENERAL

1.1 LAYOUT OF WORK

LAYOUT OF WORK: The Contractor shall layout its work from Government established base lines and bench marks indicated on the drawings, and shall be responsible for all measurements in connection with the layout. The Contractor shall furnish, at his own expense, all stakes, templates, platforms, equipment, tools, materials, and labor required to lay out any part of the work. The Contractor shall be responsible for executing the work to the lines and grades that may be established or indicated by the Contracting Officer. The Contractor shall also be responsible for maintaining and preserving all stakes and other marks established by the Contracting Officer until authorized to remove them. If such marks are destroyed by the Contractor or through its negligence before their removal is authorized, the Contracting Officer may replace them and deduct the expense of the replacement from any amounts due or to become due the Contractor.

1.2 PHYSICAL DATA

Data and information furnished or referred to below is for the Contractor's information. The Government shall not be responsible for any interpretation or conclusion drawn from the data or information by the Contractor.

1.2.1 Transportation Facilities

Fort Detrick Maryland's main post is north and contiguous to the city of Frederick, with access via city streets and county roads. The Frederick by-pass, U.S. Route 15, connects with Interstate 70 and 270, U.S. Routes 40, 15, 340 and Md. Route 26 and provides easy access to West Seventh Street approximately one-half mile south of the main gate of Fort Detrick, to Opossumtown Pike which serves as access to the East Coast Telecommunications Center area and to Rosemont Avenue (West 4th Street) which serves the west gate of the installation. Montevue Lane and Rocky Springs Road connect the main post with Area "B". There is no direct rail access.

1.2.2 Explorations

The physical conditions indicated on the drawings and in the specifications are the result of site investigations by surveys and borings. Foundation exploration logs are available for inspection in the Baltimore District, Corps of Engineers, Geotechnical Engineering Branch, Room 9250, City Crescent Building, 10 South Howard Street, Baltimore, Maryland. Soils and rock samples are also available for inspection; however, prospective bidders are required to call (410) 962-4045 between the hours of 9:00 a.m. and 3:30 p.m., Monday through Friday (excluding Federal Holidays), a minimum of 24 hours in advance to arrange a time and date for the inspection of the samples.


1.3 UTILITIES

1.3.1 Availability of Utilities Including Lavatory Facilities

A. Prior to June 30, 2011:

1. It shall be the responsibility of the Contractor to provide all utilities he may require during the entire life of the contract. He shall make his own investigation and determinations as to the availability and adequacy of utilities for his use for construction purposes and domestic consumption. He shall install and maintain all necessary supply lines, connections, piping, and meters if required, but only at such locations and in such manner as approved by the Contracting Officer. Before final acceptance of work under this contract, all temporary supply lines, connections and piping installed by the Contractor shall be removed by him in a manner satisfactory to the Contracting Officer.

2. Utility Connections shall be approved by USAG Directorate of Installation Services (DIS). Backflow prevention devices for connections to Water Systems shall be approved by DIS.

B. After June 30, 2011: Starting on 30 June 2011, the Central Utility Plant (CUP) will be operating at sufficient capacity and will be fully connected to provide permanent steam, chilled water and electricity to this facility. As of this date, and for the remainder of the construction duration, the government shall purchase steam, chilled water and electricity from the CUP as required for the contractor's use in accordance with a utilities phase-in plan agreed between the government and the contractor at that time.

1.3.2 Interruption of Utilities

A. No utility services shall be interrupted by the Contractor to make connections, to relocate, or for any purpose without approval of the Contracting Officer.

B. Request for permission to shut down utility services shall be submitted in writing to the Contracting Officer not less than 17 calendar days prior to proposed date of interruption. The request shall give the following information:

C. Nature of Utility (Gas, L.P. or H.P., Water, Etc.)
D. Size of line and location of shutoff.
E. Buildings and services affected.
F. Hours and date of shutoff.
G. Estimated length of time service will be interrupted.
H. Services will not be shut off until receipt of approval of the proposed hours and date from the Contracting Officer.

I. Shutoffs which will cause interruption of Government work operations as determined by the Contracting Officer shall be accomplished during regular non-work hours or on non-work days of the Using Agency without any additional cost to the Government.


J. Operation of valves on water mains will be by Government personnel. Where shutoff of water lines interrupts service to fire hydrants or fire sprinkler systems, the Contractor shall arrange his operations and have sufficient material and personnel available to complete the work without undue delay or to restore service without delay in event of emergency. Flow in gas mains which have been shut off shall not be restored until the Government inspector and/or Washington Gas has determined that all items serviced by the gas line have been shut off. Buildings 1408, 1412, and 1425 are mission