amended request for information - govshop
UNCLASSIFIED
AMENDED
REQUEST FOR INFORMATION
CyberSecurity Support Services (CS3)
Information Technology Services Directorate (CIO-T)
1.0 DESCRIPTION & PURPOSE
1.1 The National Geospatial-Intelligence Agency (NGA), in support of the Office of the Chief
Information Officer (CIO) and the Information Technology Services Directorate (CIO-T), is seeking
information regarding industry practices and performance measurements, and is gauging industry
interest in providing cybersecurity services to protect and defend against cyber-attacks.
1.2 The purpose of this Request for Information (RFI) is fourfold, to obtain:
1.2.1 Industry performance metric information and current industry best practices, both
commercial and governmental, that would enhance the ability to satisfy NGA’s
objectives.
1.2.2 Information regarding new technologies and processes that could positively impact
the satisfaction of NGA’s needs.
1.2.3 Identification of nuances that could add to costs or increase the risk of unsuccessful
contract performance.
1.2.4 Recommendations and supporting analyses as a crucial step in formulating evaluation
factors, contracting strategies and acquisition plans, source selection methods, and the
amount and type of proposal information to request.
1.3 THIS IS A REQUEST FOR INFORMATION (RFI) ONLY. This RFI is issued solely for
information and planning purposes – it does not constitute a Request for Proposal (RFP) or a
promise to issue an RFP in the future. This RFI does not commit the Government to contract for
any supply or service whatsoever. Further, NGA is not at this time seeking proposals and will
not accept unsolicited proposals. Responders are advised that the U.S. Government will not pay
for any information or administrative costs incurred in response to this RFI. All costs associated
with responding to this RFI will be solely at the interested party’s expense. Not responding to
this RFI does not preclude participation in any future RFP, if any is issued.
2.0 BACKGROUND
NGA has a mission-critical need for information assurance measures that protect and defend
information and information systems by assuring their availability, integrity, authentication,
confidentiality, and non-repudiation, as well as providing for restoration of information systems
by incorporating protection, detection, and reaction capabilities.
2.1 End State Objectives
Prospective acquisition(s) will likely result in non-personal services contract(s) to achieve the
end-state objectives set forth herein, and to support the NGA geospatial-intelligence (GEOINT)
mission, with the contractor(s) providing all personnel, equipment, supplies, facilities,
transportation, tools, materials, supervision, and other items and non-personal services necessary
to successfully achieve the following end-state objectives through the resultant contract(s).
The following are the objectives that NGA expects to achieve through the resultant contracts.
Applicable to all of the objectives
Agency-level Continuous Monitoring that is:
Tightly integrated with the assessment and authorization processes to inform a Risk
Posture Scorecard for each system, domain, and the enterprise, with an automated escalation
process designed to keep system(s) from reaching an unacceptable level of risk
Matured to IC Inspector General Level 5 for IT security, as assessed during
annual FISMA evaluations
Enhancement of capabilities to improve data quality, compliance effectiveness, and
expand, improve, and optimize monitoring methods and technologies to better align with
NGA’s cybersecurity goals and objectives
Ensures cybersecurity compliance, metrics, policies, processes, and governance
Aggregation of data monitored into a product that anticipates future threat vectors (Machine
Learning).
Continuous Monitoring
To counter the increasing and evolving cyber threats, NGA requires, as an end-state objective,
the continuous monitoring of all activities set forth herein. To achieve continuous monitoring
will require the employment of one or more automation tools in order to:
Improve response and task completion times
Provide repeatable and actionable insight into enterprise environments, leading to fewer
vulnerabilities
Make more effective and efficient use of cyber resources by freeing skilled human labor
from mundane tasks so that it can focus on designing and implementing cybersecurity
strategies and initiatives
Knowledge Management
Creates, shares, and manages the knowledge and information of NGA via a
multidisciplinary approach to achieving organizational objectives by making the best use
of knowledge
Supports an enterprise collaborative culture as part of its web presence
1. Assessment & Authorization (A&A) is performed effectively, timely, and
accurately for all systems and applications installed or proposed for installation on
NGA networks:
Effective and timely security onboarding for all new applications proposed for
installation on NGA networks
NGA systems protected from cybersecurity risks through the effective implementation of
the Risk Management Framework (RMF)
The assessment process optimized to automate to the furthest extent possible and to
tailor technical assessments to each discrete system
The Risk Management Framework (RMF) process optimized to ensure the
execution of all steps (prepare, categorize, select, implement, assess, authorize,
and monitor) and their structure, including purposes, tasks, plans, and
assessments, as set forth in federal, DoD, and IC policy
Comprehensive risk recommendations based on assessment results and cyber-
intelligence
2. Risk Management identifies, evaluates, and prioritizes the effects of uncertainty on
objectives, together with a coordinated and economical application of resources to
minimize, monitor, and control the probability of adverse events; applies tool-agnostic
approaches in which logic and algorithms inform data quality and answer security domain
questions; and maximizes the realization of opportunities through the following services
for all applications on NGA networks:
Enhancement of capabilities with the goals of improved data quality and
compliance effectiveness
3. On Network Exploitation (Rogue O.N.E.)
Research, detect, analyze, and exploit network vulnerabilities within NGA Enterprise
systems to assess risk and recommend actionable countermeasures
Assess and enhance its information systems’ capabilities to detect, protect,
prevent, and respond to advanced adversary actions
Effective and efficient measurement of the agency’s cybersecurity posture.
Vulnerabilities on systems, services, and applications identified and exploited.
Provide validation evidence exhibiting the mitigation or remediation of each disclosed
vulnerability/exposure
Effective internal/external cybersecurity exercises and assessments.
Threat modeling identifies and creates intelligence for Threat Emulation
requirements
Penetration testing skills assessment evaluations provide NGA with technical
subject matter expertise and analytic support
Blue Team analyses and assessments to ensure security, identify security flaws,
verify the effectiveness of each security measure, and make certain that all
security measures will continue to be effective post-implementation
Provide Cyber Threat Emulation using the leading-edge of the latest adversary
Tactics, Techniques, and Procedures, enhance the security team’s people,
processes, and technology to prevent, detect, and respond to advanced adversary
actions
Emulate real-world targeted attack, or insider threat through full attack lifecycle,
from initial reconnaissance to mission completion
Simulate a malicious insider or an attacker that has gained access to an end-user
system, including privilege escalation
Prioritize which Information Systems to inspect, evaluate, or assess based on IS
mission criticality, adversary techniques and tactics, and identified vulnerabilities
Purple Team – works side by side with internal security
Assess the enterprise security posture and report root cause
Penetration Testing Assessments identify and exploit vulnerabilities on systems,
services, and applications to determine cybersecurity posture to NGA
Conduct tests on systems identified through RA-5 (REvAMP 3+), IARC, and
Threat Intelligence (public facing, Mission Essential Function, known adversary
target type, annual retest of systems after ATO). Provide thorough analysis of
all devices identified within the assessment bounds
Red Team challenges NGA to improve effectiveness through its assumption of an
adversarial role or point of view to compromise assets thus enabling the discovery
of existing vulnerabilities to network, applications, the internet of things (IoT)
devices, and personnel; determining the effectiveness of security monitoring and
alerting capabilities; and weaknesses in incident response policies and procedures
Cyber Threat Intelligence to identify and create intelligence for Threat Emulation
requirements through practices such as threat modeling
Learn the different sources to collect Adversarial Tactics and how to exploit and
pivot off of them
Validate information received externally to minimize the costs of bad intelligence
Create Indicators of Compromise (IOCs) in formats such as YARA, OpenIOC,
and STIX
Incident Response Assessments that provide technical subject matter expertise
and analytic support to NGA Counterintelligence and Cyber Defense provider
components
Vulnerability Validation coordinates with internal and external entities for
validating fixes of responsibly disclosed vulnerabilities/exposures. List includes,
but is not limited to: Command Cybersecurity Operational Readiness Inspection
(CCORI), Vulnerability Disclosure Program (VDP), and Rogue O.N.E.
4. Analytics and Reporting
Employment of data science and analytics on Big Data enhances continuous monitoring,
database engineering, and enterprise architecture
Visualization products utilizing Big Data analytics enable decision-making for
various NGA stakeholders. Skillsets involved include but are not limited to
visualization design, Web Development (Full Stack), UI (Design), and UX
(Design)
Cybersecurity analyses, ICD 503, and Nation State Threat Analyses enhance
cyber threat risk analytics and posture reporting
5. Vulnerability Management
Vulnerability management identifies, quantifies, and prioritizes the vulnerabilities that exist in
systems
Data-centric solutions for an effective vulnerability management
Effective and relevant qualitative and quantitative metrics feed risk posture and
continuous monitoring efforts
Automated vulnerability management products enhance efficient and timely
cybersecurity reporting methodologies
Vulnerability mitigation solutions yielding predictive trending analyses
6. Automation & Engineering
Existing tools and workflows are maintained and improved so as to support the
development of new solutions
Tools and workflows keep pace with emerging technologies and maximize
business process efficiency
Based on customer feedback, areas of improvement are identified, recommendations
presented, and actionable solutions developed
Requirements documentation adequately scopes projects
Effective resource management allows time-sensitive developments and realignment
of priorities based on mission
Research, identify and recommend Assessments of Alternatives (AoA) in order to
maintain cutting-edge performance
Cybersecurity engineering support maintains efficient movement and stability
throughout the entire Risk Management Framework lifecycle
Assessment of cybersecurity needs employ the reviewed customer documentation
and resources
Guidance and applied resources ensure program’s self-sustainment
Recommendations incorporate a holistic view of all security layers throughout the
entire cybersecurity environment
Automated monitoring of NGA Enterprise Security consumption, common,
hybrid, and system-specific security control testing processes and procedures
Optimized information exchange between cybersecurity tools on NGA’s
Networks
Technical Solutions meet cybersecurity requirements on NGA Networks
Operational cyber visualizations utilize big data science and analytics on NGA’s
Networks
7. Cross Domain Support Office
Technical security design guidance and architecture for agency Cross Domain
Services (CDS) ensure proper execution within the Risk Management Framework
Governance and oversight for NGA’s CDS achieve policy approval and
compliance
Reviews of CDS architecture and security implementation yield actionable
lessons learned
8. Cyber Business Intelligence & Analytics
Administer, forecast, monitor, report and evaluate cyber business intelligence
Analyses and recommendations based on all available sources
Analysis strategies and guidance for NGA networks
Support the Business Intelligence Steering Group
Data Ingest (Extract, Transform, Load): Data is effectively and accurately
extracted, transformed, and loaded (ETL) from structured and unstructured data
sources with varying schema
Data tagging and overall management of data effectively support a “data as a
service” model (Organization, storage, management, administration and retrieval
of data)
Datastore: Model data pertaining to cybersecurity business intelligence and data
linkage functions enables effective querying and analytics of supplementary data
from external data sources
Dynamic and static visualizations in the form of dashboards to convey insights to
different level of stakeholders through the enterprise
Data is generically accessible to the CIO and IT Services Directorate Senior
Leadership to identify opportunities for growth and efficiencies
Management processes, methodologies, and Key Performance Indicators (KPIs)
enable stakeholders to achieve cyber strategic objectives across cyber
organizations
BI strategies are founded on an audit of the current situation and set out a
vision and plan for BI in the organization; they continually consider and link
activities back to evolving cyber business objectives and include multiple
initiatives to measure, manage, and improve the performance of an individual, a
process, a functional team, a business unit, or even the entire organization
9. Cyber Governance
Cyber Governance provides the necessary rules, guidelines, and updates for:
Addressing lessons learned
Review, update, and assist implementation of NGA’s cybersecurity
policies
Implementation of checks on the cybersecurity rules as close as possible to
the source of inputs
Relationships among a cybersecurity activity to another cybersecurity
activity
Strict enforcement of cybersecurity rules
10. Cyber Compliance & Reporting
Effective and accurate collecting, analyzing, and reporting of cybersecurity
postures to NGA and external organizations including DoD and the IC in
compliance with FISMA
Conduct trends analysis for the scorecard metrics to inform cybersecurity services
providers on recommended courses of action based on analysis when analysis
affects security
Continual evaluation of NIST, DoD and IC guidance to evolve existing metrics,
and fill gaps that are relevant to the CIO and IT Services Directorate Senior
Leadership and cybersecurity service providers
Up-to-date automated solutions to collect, analyze and report on NGA
cybersecurity posture to NGA and external organizations in accordance with
requirements stated in the DoD Scorecard and IC IE CPEM Instructions.
Interactive dashboards, which display real-time enterprise compliance metrics for
up-to-date situational awareness of network risk, such as vital reports with details
on privileged users, Web PKI and DMZ, asset inventory, system authorization,
HBSS/ESS Services, patching and overall organization software compliance
11. Cyber Information Sharing/Knowledge and Content Management
Provide customer Knowledge and Content Management to support an enterprise
collaborative culture as part of its web presence
Provide Cybersecurity Office web presence and SharePoint portal management
and execution
Automated repositories for cybersecurity data together with ready access process
and procedures derived from the data stored on NGA networks
Internal and external web and SharePoint portals integrate effectively with
existing enterprise systems and data stores with the goal of maintaining a well-
connected, secured, and controlled enterprise of systems
Effective Cybersecurity Office data services, data administration, and database
management support in client/server, virtual machine, and cloud infrastructure
environment and/or migrations between these environments
Effective Cybersecurity Office ingestion, data tagging, and overall management
of data supporting a data as a service model
Effective organization, storage, management, administration and retrieval of data
12. Information Requirements Management Catalog
Implement Cybersecurity Risk Management Framework Assessment Tool in
accordance with NIST 800-53 controls and other federal mandated guidance
through an automated tool
Provide guidance on implementing policy directives to Cybersecurity personnel
through an automated tool
13. Cyber Governance and Business Process
Provide secretariat governance support to the Cybersecurity Governance Bodies,
such as the Cyber Integrated Product Team (IPT), and Chief Information Officer-
Technology Requirements Investment Board (CRIB)
Implement and assist the development of Cybersecurity governance policies,
processes, and guidelines that are aligned to Agency governance boards as
appropriate
Manage the NGA’s execution of the NIST Cybersecurity Framework (CSF) and
ensure that cybersecurity activities align to the CSF subcategories (identify,
protect, detect, respond, recover)
NIST Cybersecurity Framework implementations and operations are effectively
managed
14. Project Management
Systems engineering, integration, and program management support the effective,
timely, and accurate evolution and implementation of Enterprise Security Services
Enterprise Security Services Architectures effectively relate to existing enterprise
architectures
15. Cybersecurity Framework Assessment
Using the NIST CSF for identifying, assessing, and managing cybersecurity risk
across six domains
Document the current and target profiles for each CSF subcategory as it relates to
security, including people, processes, and technologies
Collaborate with cyber government stakeholders to document the results of the
security assessment and develop the recommendations report
Visualize in a live database and updated monthly with new data as a result of
cyber architecture changes and updates
16. DoD Information Collections
Implement the Agency’s Information Collection and Reporting Program in terms
of prioritizing, planning, tracking, and ensuring implementation of all DoD
Information Collection activities to ensure Agency compliance with Title 44 USC
Chapter 35, Paperwork Reduction Act of 1995, and other Federal and DoD
guidance
Manage, track, and control all NGA information collections requirements to
ensure they are valid, necessary, and appropriately approved and licensed
17. Cybersecurity Dashboard
Covers all of the preceding sections
Provides near-real time monitoring and reporting of cyber security metrics, trends,
status, awareness, etc.
Status reporting, covering all cyber activities set forth herein, is current, complete,
accurate and a visually intuitive manner
Risk Posture Scorecard reporting
Provides staff accountability for organizational goals and measures
Enables interactive Monitoring and tracking all leading indicators (incidents,
events, scans, errors, threats, and known vulnerabilities) to prevent incidents.
Provides incident tracking that includes the number of identified, open, and closed
cyber incidents; the number of data loss prevention incidents by specific reasons
such as policy and type
Provides clear data on all performance indicators and metrics such as mean time
to patch, mean time to detect and respond to potential incidents, average window
of exposure, and the number and types of exceptions
Focuses on measuring of elements that present the highest risk, and provides
effectiveness of security controls visibility. It provides NGA with a good
understanding of whether goals set forth for threat management are actually being
met.
Provides the necessary flexibility to effectively communicate with its audience
Provides dynamic and static visualizations to convey insights to different levels of
stakeholders through the enterprise
2.2 PERIOD & LOCATION(S) OF PERFORMANCE:
Period of Performance (POP) for Prospective Acquisition(s): One year Base ordering
period with up to four 1-year option periods.
Location(s): The work shall be primarily performed at NGA’s facilities located in
Springfield, Virginia, the St. Louis, Missouri, and Denver, Colorado Metropolitan Areas.
2.3 CONSTRAINTS AND LIMITATIONS: The most recent editions of the documents set forth in the
following appendices are anticipated to apply to prospective acquisition(s):
Appendix B - Compliance Documents
Appendix C - NGA Policies, Instructions, and Directives, NGA CIO Directives and Office
of the CIO Guides, and Other Reference Documents
2.4 SECURITY REQUIREMENTS: Contractor personnel shall possess active TS/SCI clearances.
2.5 ORGANIZATIONAL CONFLICT OF INTEREST (OCI): Prospective acquisition(s) are
anticipated to be for commercial services. In accordance with FAR Part 9.5, please discuss any
performance which may lead to an OCI and how the Offeror would mitigate, avoid, or neutralize
the conflict.
3.0 REQUESTED INFORMATION
Responses must only contain UNCLASSIFIED information and be marked “UNCLASSIFIED”
on all pages in both the header and footer. No classified information may be included in your
response.
Neither proprietary nor classified concepts, nor classified information, should be included in the
submittal. Input on the information contained in the responses may be solicited and reviewed by
NGA non-Government consultants or experts who are bound by appropriate non-disclosure
agreements.
3.1 ADMINISTRATIVE
Information to include the following as a minimum:
3.1.1. CONTACT
Name, mailing address, overnight delivery address (if different from mailing address), phone
number, fax number, company website, and e-mail of designated point(s) of contact.
3.1.2. BUSINESS TYPE.
In accordance with FAR 19.102(a) (1), the Small Business Administration (SBA) establishes
small business size standards on an industry-by-industry basis. Small business size standards,
matched to industry North American Industry Classification System (NAICS) codes, are
published and available at www.sba.gov/content/table-small-business-size-standards .
NAICS code 541512 (IT and Telecom – Other IT and Telecommunications) is anticipated to be
applicable to prospective acquisition(s). The respondent is requested to provide the following
information:
Business Size: □ SMALL BUSINESS □ OTHER THAN small business
□ DOD Pilot Mentor-Protégé Program Participant (DFARS 219.71)
If a SMALL BUSINESS, check all of the following that apply:
□ Eligible small business concern for participation in SBA’s 8(a) program (FAR 19.8)
□ Historically Underutilized Business Zone small business concern (FAR 19.13)
□ Service-Disabled, Veteran-Owned, Small Business (SDVOSB) concern (FAR 19.14)
□ Woman-Owned Small Business (WOSB) concern (FAR 19.15)
3.1.3 BUSINESS INFORMATION
Data Universal Numbering System (DUNS) Number: _________________
Commercial and Government Entity (CAGE) Code: ______________________________
System for Award Management (SAM) www.sam.gov current registration: ____________
Defense facility security clearance? ____________________________________________
o Type: ____________________________________________________________
o Level: ___________________________________________________________
Accounting system
o Date of last audit: ___________________________________________________
o Performed by: _____________________________________________________
o Adequacy Determination? ____________________________________________
Purchasing system
o Date of last audit: ___________________________________________________
o Performed by: _____________________________________________________
o Adequacy Determination? ____________________________________________
Timekeeping system
o Date of last audit: ___________________________________________________
o Performed by: _____________________________________________________
o Adequacy Determination? ____________________________________________
3.1.4 OTHER GOVERNMENT CONTRACTS
Provide information regarding the respondent’s other Government contracts that contain services
that could be employed to satisfy one or more of the end state objectives and is applicable to the
stated NAICS code. For each of the following categories, the respondent is requested to identify
the particulars of each contract in the category (Program/Schedule Name, Contract Number,
Award Date, and End Date), together with the specific end-state objectives.
Federal Supply Schedules (FAR 8.4)
Government-wide Acquisition Contracts (GWAC)
Other Government Contracts
Any additional details not already requested:
3.2 EXPERIENCE
3.2.1 COMMERCIAL.
Respondents are requested to provide relevant details concerning providing the same or
similar services offered or made to the general public or to non-governmental entities for
purposes other than governmental purposes in the last three (3) years. Relevant details to NGA’s
proposed acquisition should include, but not be limited to, information regarding the contract
value, size and length of the effort, responder performing as a prime or subcontractor, customary
practices (warranty, financing, discounts, contract types, etc.) under which the sales of the
service(s) are made, security details, the customary practices regarding customizing, modifying,
or tailoring of a service(s) to meet customer needs and associated costs, the kinds of factors that
are used to evaluate performance; the kinds of performance incentives used; the kinds of
performance assessment methods commonly used; the common qualifications of the people
performing the services; and requirements of law and/or regulations unique to these service(s),
that can demonstrate the responder’s abilities and capacity to meet NGA’s statement of
objectives.
3.2.2 GOVERNMENT (EXCLUDING NGA)
Respondents are requested to provide relevant details concerning providing the same or similar
services offered or made to Government agencies other than NGA in the last three (3) years.
Relevant details to NGA’s proposed acquisition should include, but not be limited to contract
value, information regarding the contract number, agency, responder performing as a prime or
subcontractor, size and length of the effort, type of pricing and/or cost, security details, the kinds
of factors used to evaluate performance; the kinds of performance incentives; the kinds of
performance assessment methods; the qualifications of the people performing the services; and
any unique terms and conditions, that can demonstrate the responder’s abilities and capacity to
meet NGA’s statement of objectives.
3.2.3 NGA.
Provide relevant details on the responder providing the same or similar services offered or made
to NGA in the last three (3) years. Relevant details to NGA’s proposed acquisition should
include, but not be limited to contract value, information regarding the contract number, program
name, size and length of the effort, responder performing as a prime or subcontractor, type of
pricing and/or cost, security details, the kinds of factors used to evaluate performance; the kinds
of performance incentives; the kinds of performance assessment methods; the qualifications of
the people performing the services; and any unique terms and conditions, that can demonstrate
the responder’s abilities and capacity to meet NGA’s statement of objectives.
3.3 CAPABILITIES
Respondents are requested to provide the following information regarding their capabilities to
successfully perform the proposed acquisition set forth in section 2 of this RFI.
3.3.1 Capabilities needed to successfully achieve the RFI statement of objectives
3.3.1.1 Capabilities that the respondent currently possesses. Responses should include the
relevant information regarding specific skills, experience, and security clearances that its
employees, by labor category, currently possess in performing these services, and any
needed hardware or software.
3.3.1.2 Detail the service capabilities that the respondent currently does not possess in
order to meet the objectives, together with the capability and means to secure necessary
services.
3.3.3 Extent to which the responder has the ability to meet the proposed acquisition and any interest
in Prime contract; Teaming to include Joint Venture; or exploring subcontractor opportunities.
3.3.4 Notional schedule and type of plan for transition-in and transition-out (based on previous or
similar work efforts).
3.3.5 Security capabilities and plans that demonstrate the ability to meet NGA’s security
requirements beginning at contract award and throughout the POP.
3.3.6 Extent to which the responder is aware of any potential OCI issues in accordance with FAR
Part 9.5 or any non-mitigatable OCI related to current development work at NGA.
3.4 RECOMMENDATIONS
3.4.1 Key Performance Indicators (KPIs):
“What gets measured gets done,” and “what you measure is what you get.”
KPIs establish the performance levels required to meet the contract requirements to successfully
achieving the end-state objectives. For the planned acquisition objectives set forth in section 2.1,
the Government is seeking information as to specific KPIs to be applied to measure the
performance of achieving one or more of these objectives. Respondents are requested to provide
information regarding KPIs that are specific; quantifiable and measurable, and include minimum
acceptable quality level(s); achievable within the POP; relevant to one or more of the end-state
objective goals and priorities; and are time-bound.
Each proposed KPI should include the following:
Identity of the objective(s) and the applicable task(s) that are relevant to the KPI;
Value of the KPI to monitor and measure the effectiveness in achieving the objective(s);
KPI defined in a manner that is understandable, meaningful, and measurable;
KPI is quantifiable (formula driven) with identified performance data necessary for
calculation identified and defined;
KPI’s performance reporting … how, format, frequency; and
KPI’s commercial measure of the lowest level of quality that is acceptable commercially
(Acceptable Quality Level (AQL)).
3.4.2 Performance Incentives
The Government is seeking appropriate incentive arrangements that are designed to motivate
performance efforts in achieving a level of performance that exceed their respective acceptable
quality levels, and to discourage performance efforts that fail to achieve their respective
minimum acceptable quality levels. Respondents are requested to provide information regarding
performance incentives that are directly tied to and calculated in accordance with specific KPI(s),
and are of sufficient magnitude to motivate superior performance and discourage performance
that falls short.
3.4.3 Key Positions
Successful contract performance in achieving end-state objectives requires that the contractor employ
qualified personnel at key positions that serve as the performance nexus within the performance process.
Past experience has demonstrated that the position of Program Manager is one of those
positions. The Program Manager position’s typical responsibilities can be summed up as the
nexus for all contract performance activities … the action “belly button” for the Government –
contractor performance exchanges, with full authority to act on behalf of the Contractor on all
contract matters relating to daily operation of the contract. Given the responsibility scope and
nature, together with the complexities in achieving these objectives, and the negative impacts
arising from the failure to do so, NGA is seeking recommendations as to this position’s
minimum qualifications in terms of education, certifications and training, experience, and record
of success, that an individual successfully performing would be expected to possess, along with
any qualification tradeoffs.
In addition to the position of Program Manager, the Government is seeking information as to
other key positions that are critical to successful performance in achieving stated objectives. As
with the Program Manager, respondents are requested to identify those positions, their distinct
responsibilities, and the qualifications of the individuals filling them, to include specific
education, certifications, training, and experience, and the tradeoff considerations among these
qualification items.
3.4.4 Recommendations
Going forward, proposed acquisitions are anticipated to be full and open (FAR 6.1/6.2),
Indefinite Delivery-Indefinite Quantity (FAR 16.504), and performance-based (FAR 37.6).
Within that framework and the purposes set forth in Section 1.2 of this RFI, responders are
invited to provide information, recommendations, and supporting analyses, for fashioning
proposed acquisition(s). Recommendation areas may include the type of contract, anticipated
contract terms & conditions, incentives, NAICS Codes, variations in delivery schedule, price
and/or cost proposal support and data requirements, contract pricing, and any other areas that the
responder believes are relevant for the Government to achieve its stated objectives.
Recommendations shall be accompanied with specific rationales that are of sufficient detail.
Respondents are invited to opine regarding setting aside all or some of the requirements for small
business (FAR 6.203 thru 6.207). Recommendations shall identify the scope of the set-aside,
total or partial, the specific boundaries of the set-aside, if partial, and any specific set-aside sub-
category. Recommendations shall be accompanied with specific rationales that are of sufficient
detail.
4.0 RESPONSES
4.1 Interested parties are directed to respond electronically to this RFI via a “white paper”.
4.2 The “white paper” shall be in Microsoft Word for Office or compatible format and shall
not exceed twenty-five (25) pages, with a “page” defined as each face of an 8½” x 11” sheet
with information contained within a one inch margin on all sides. Font type shall be Times
Roman 12 point.
4.3 Responses containing the White Paper are due no later than 5:00 pm Eastern Time (ET)
on 29 October 2019. Responses shall be limited to and submitted via UNCLASSIFIED e-mail
only as a message attachment to [email protected] with the message subject line “RFI
Response – CyberSecurity Support Services (CS3).”
4.4 Proprietary information, if any, should be minimized and MUST BE CLEARLY
MARKED. To aid the Government, please segregate proprietary information. Please be advised
that all submissions become Government property and will not be returned.
4.5 The contents of the White Paper shall include all of the information requested in Section 3
of this RFI. Include Section number and title prior to each Response.
5.0 MEETINGS AND DISCUSSIONS
The Government representatives may or may not choose to meet with potential RFI service
providers. Such meetings and discussions would only be intended to get further clarification of
potential capability, especially any development and certification risks.
6.0 SUMMARY
The information provided in this RFI is subject to change and is not binding to the Government.
The Government has not made a commitment to procure any of the RFI requirements discussed,
and release of this RFI should not be construed as such a commitment or as authorization to
incur cost for which reimbursement would be required or sought. All submissions become
Government property and will not be returned.
Appendix A – Glossary
AIS – automated information system
AQL – acceptable quality level
CAGE – commercial and government entity
CIO – Office of the Chief Information Officer
CIO-T – Information Technology Services Directorate
CRIB – Chief Information Officer-Technology Requirements Investment Board
DFARS – Department of Defense Federal Acquisition Supplement
DOD – Department of Defense
DTE – Desktop Environment
DUNS – Dun & Bradstreet Data Universal Numbering System (DUNS) Number
FAR – Federal Acquisition Regulations
GEOINT – NGA geospatial-intelligence
GWAC – government-wide acquisition contract
HUBZone – historically underutilized business zone
IC – Intelligence Community
IDIQ – indefinite delivery indefinite quantity
KPI – key performance indicator
NAICS – North American Industry Classification System
NCE – NGA Campus East in Virginia
NCW – NGA Campus West in Missouri
NGA – National Geospatial-Intelligence Agency
N2W – NGA Next West
OCI – organizational conflict of interest
POP – period of performance
SAM – system for award management
SCIF – sensitive compartmented information facility
SDVOSB – service-disabled, veteran-owned, small business
WOSB – woman-owned small business
Appendix B - Compliance Documents
These are the documents that are anticipated to be applicable to future acquisitions. The
Contractor shall abide by all applicable regulations, publications, manuals, and local policies
and procedures (current versions shall be utilized).
Clinger Cohen Act of 1996, National Defense Authorization Act for Fiscal Year 1996,
Title 40, U.S.C. 1401, 10 Feb 1996.
CNSS Instruction No. 1253, Security Categorization and Control Selection for
National Security Systems, March 2014
CNSS Policy 22, Policy on Information Assurance Risk Management for National
Security Systems, Jan 2012, as amended.
DoD Directive 8570.01, Information Assurance Training, Certification, and
Workforce Management, 15 Aug 2004.
DoD Instruction 8500.01, Cybersecurity, 14 Mar 2014.
DoD Instruction 8510.01, RMF for DoD IT, 12 Mar 2014.
DoD Instruction 8540.01, Cross Domain (CD) Policy, 8 May 2015.
E-Government Act of 2002, also known as the “FISMA of 2002”, Title 44, U.S.C. 101.
Executive Order 12333, United States Intelligence Activities, 4 Dec 1981, as amended.
Executive Order 13526, Classified National Security Information, 29 Dec 2009, as amended.
ICD 503, IC IT Systems Security Risk Management, 21 July 2015.
National Security Directive 42, National Policy for the Security of National
Security Telecommunications and Information Systems, 5 Jul 1990.
National Security Presidential Directive-54/Homeland Security Presidential Directive-
23, Cybersecurity Policy, 8 Jan 2008.
NIST SP 800-137, ISCM for Federal Information Systems and Organizations, Sep 2011.
NIST SP 800-30, Guide for Conducting Risk Assessments, Sep 2012.
NIST SP 800-37, Guide for Applying the RMF to Federal ISs: A Security Life
Cycle Approach, Feb 2010.
NIST SP 800-39, Managing Information Security Risk: Organization, Mission,
and Information System View, Mar 2011.
NIST SP 800-47, Security Guide for Interconnecting IT Systems, Aug 2002.
NIST SP 800-53, Revision 4, Information Security, Security and Privacy Controls
for Federal Information Systems and Organizations, April 2013.
NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in
Federal Information Systems and Organizations, June 2010.
NIST SP 800-55, Revision 1, Performance Measurement Guide for Information
Security, July 2008.
Office of Management and Budget Circular A-130, Management of Federal
Information Resources, 28 Nov 2000, as amended.
Appendix C – NGA Policies, Instructions, and Directives
The following NGA documents or their successor specifications, regulations, policies, or
directives provide constraints that may be applicable to the objectives (current versions shall
be utilized).
NGAD 3020, Directive for Business Continuity/Disaster Recovery, 28 October 2015.
NGAD 5200, Personnel Security, August 24, 2016.
NGAD 8010, Information Systems RMF, November 16, 2015.
NGAD 8231, Cyber Defense Operations, October 28, 2015.
NGAI 5200.1, Information Security, May 30, 2017.
NGAI 5200.4, Operations Security, August 11, 2016.
NGAI 5230.1, Instruction for Polygraph and Credibility Assessment
Program Administration Update, November 6, 2015.
NGAI 5425.1, NGA Corporate Policy Program, 27 January 2017.
NGAI 8010.8, Information Assurance Vulnerability Management, November 10, 2015.
NGAI 8010.9, Information Operations Condition, November 10, 2015.
NGAI 8400.4, Implementation of Section 508 of the Rehabilitation Act, October 26, 2015.
NGAI 8500.2, Instruction for Authorized Outages and Maintenance Activities, October
26, 2015.
NGAPN 8100.2, Policy Notice, Transfer of all NGA IT Resources and Assets to the Chief
Information Officer-Information Technologies (CIO-T) Services Directorate, March 5,
2014, Administrative Revision July 2014.
NGAPN 8100.3, Managing and Safeguarding HUMINT Control System Data on IT
Systems, November 16, 2015.
NGAPN 8460.2, Policy Notice for Identity and Access Management, 31 March 2012.
NGAPN 8470.1, External WebMail Access for Personal Use, 15 November 2016.
NGAPN 8960.1, Discoverability of GEOINT Information, November 16, 2015.
NI 5205.1, Instruction for Protection of Sensitive Compartmented Information,
November 24, 2003.
NI 5210.9, Instruction for Control of Information System Equipment and Media Entering
or Exiting NGA Sites and Facilities, September 20, 2005.
NI 5240.1, Instruction for Reporting Counterintelligence and Espionage
Concerns, November 24, 2003.
NI 7400.1, Configuration Management, November 10, 2015.
NI 8010.11, Instruction for NGA-Controlled Computer Network Connectivity at
Contractor and Other Facilities, 10 November 2015.
NI 8010.14, Instruction for Password Administration, 17 October 2016.
NI 8010.15, Instruction for Access to Removable Media Devices and File Transfers on
NGA Information Systems, 10 November 2015.
NI 8010.16, Managing Compartmented and Sub-Compartmented Information on
Sensitive Compartmented Information Systems, November 18, 2015.
NI 8010.2, Instruction for Information System Security and Training, November 10, 2015.
NI 8410.1, Instruction for Implementation of Mobile Code, November 12, 2015.
NI 8420.2, Instruction for Antivirus Response, November 12, 2015.
NI 8420.3, Instruction for Controlled Interfaces for Systems and Networks, November
12, 2015.
NI 8460.1, Instruction for Communications Security, November 12, 2015.
NI 8470.3, Instruction for Use of Electronic Mail and Other Electronic
Communications, November 13, 2015.
NI 8900.4, Instruction for the Intelligence Oversight Compliance and Awareness
Program, November 15, 2015.
PN 8100.2, Policy Notice for Transfer of all NGA IT Resources and Assets to CIO-T, 24
Nov 2015.
PN 8100.3, Policy Notice for Managing and Safeguarding HUMINT Control System Data
on IT Systems, 6 June 2014.
PN 8470.1, Policy Notice for External Webmail Access for Personal Use, November
15, 2015.
PN 8960.1, Policy Notice for Discoverability of GEOINT Information, 16 November 2015.
NGA CIO Directives and Office of the CIO Guides
NCD 8000-003, CIO Directive, Encryption of Data at Rest, October 2007
NCD 8000-015, CIO Directive, Deployment of Information Systems to External
Sites, August 2008
NCD 8000-016, CIO Directive, Ports, Protocols, and Services Management, August 2008
NCD 8000-020, CIO Directive, Digital Signatures of Sensitive But Unclassified E-
Mail, October 2008
NCD 8000-023, CIO Directive, Security Technical Implementation Guidance and
Security Configuration Guide Compliance, January 2009
NCD 8000-024, CIO Directive, Web Services, February 2009
NCD 8000-025, Directive, User Based Enforcement, February 2009
NCD 8000-026, Enterprise Management, May 2010
NCP 8000-012, Certification and Accreditation Procedures, March 2010
NGA DAA and NGA CISO Memo, Administrative Credential Access for all NGA
Assets, December 2010
Other Reference Documents
Establishment of the Authorization Review Panel, 21 Mar 2017.
MFR Enterprise Critical Security Controls, 21 Jan 2016.
NGA Cybersecurity Risk Acceptance SOP, 8 Mar 2016.
NGA Information Assurance Requirements Catalog, 19 May 2016.
NGA REvAMP, 10 May 2017.
Risk Management Framework Quick Guide, 17 Mar 2017.
Senior Cybersecurity Roundtable Charter, December 2015.
NGA Vulnerability Management Standard Operating Procedures, 6 June 2014.
Vulnerability Management Panel Terms of Reference, 2015.