
General Services Administration

Federal Acquisition Service
Technology Transformation Services

1800 F St NW | Washington, DC | 20405

Request for Quotation

Challenge.gov Platform

Solicitation Number

47TCA0-18-Q-0001

From: Michelle McNellis, Contracting Officer, GSA TTS
Subject: Request for Quotation (RFQ)

Date:
Reply By: May 07, 2018 12:00 pm ET

Set Aside: 100% Small Business

Contract Vehicle: GSA Schedule 70 Special Item Number (SIN) 132-40 Cloud Computing Services Sub-Category Software as a Service (SaaS), 132-51 Information Technology Professional Services, 132-52 Electronic Commerce and Subscription Services.

1.0 Instructions

2.0 Background

3.0 Requirements

4.0 Evaluation and Basis for Award

5.0 Period of Performance

6.0 Type of Contract

7.0 Invoicing

8.0 Administration

9.0 Post Award and Kickoff Meeting

10.0 TTS Transparency Policy

11.0 Minimum Security Requirements for Cloud-based Providers (Including SaaS)

12.0 Clauses

1.0 Instructions

Technology Transformation Service (TTS) Office of Acquisition (OA) hereby issues this Request for Quotation (RFQ), under Federal Acquisition Regulation (FAR) 8.405-2(c)(3)(iii)(B) ordering procedures for Software as a Service for Challenge.gov.

The vendor shall submit a quotation in accordance with the instructions and terms and conditions of this RFQ and the terms and conditions of its GSA Schedule contract. The Government intends to award based on initial quotations. Therefore, it is critical that all vendors are fully responsive to the RFQ and submit their best quotation initially.

Unless expressly authorized by the RFQ, any Quoter planning to take exception to a term or condition of the RFQ should consult with the Contracting Officer (CO) in writing at michelle.mcnellis@gsa.gov before submitting a quotation.

1.1 Quote Instructions

Quotes will only be accepted from vendors via the linked Google Forms, and the form must be filled out in its entirety.

It is the vendor's sole responsibility to ensure that any modification is submitted with adequate time so that the modification is approved prior to award of this Task Order. Failure to have SaaS offering on your GSA Schedule 70 contract prior to the RFQ closing date will result in the vendor being non responsive and no longer considered for an award.

1.2 Questions

Questions or comments regarding this RFQ shall be submitted as an Issue using the Issue Template in the solicitation document’s repository no later than May 02, 2018 by 12:00pm EST in order to allow the Government sufficient time to respond. All questions, comments, and answers will be publicly available. Questions or comments received after the required deadline will not be answered. Any changes to this RFQ or attachments will be posted as an amendment in the solicitation document’s repository. The Government expects to provide answers via GitHub to contractors solicited under IT Schedule 70 SIN 132-40, 132-51 and 132-52, no later than May 03, 2018, 5:00 pm ET as indicated in this RFQ.

2.0 Background

General Services Administration’s (GSA) Office of Products and Programs (OPP) is the sponsoring organization for Challenge.gov. Challenge.gov is the official hub for crowdsourcing and challenge competitions across the U.S. government. These problem-solving events include ideation, design, multimedia, software and apps, technical and scientific competitions in which U.S. federal agencies invite and incentivize the public to help solve perplexing mission-centric problems.

Since its launch in 2010, the Challenge.gov program has accelerated the federal government’s mission to spur innovation, cost-effective solutions, and citizen engagement through crowdsourcing competitions. A technical platform, a listing of federal prize competitions, and consultation and support services for running impactful challenges all meld into the program, which is managed by the GSA.

More than 800 challenges have been run in the federal government since the program launched in 2010. Today, incentivized competition has become a standard part of government’s toolbox, with agencies offering more than $250 million in cash prizes along with other valuable and unique incentive prizes. A few helpful stats:

  • 250,000+ solvers participated

  • Over 180 congressional districts

  • More than 5 million site visits

  • Visitors from every country around the globe

  • Participants from every state in the USA

Challenge.gov is a federally appropriated program supported in both the America COMPETES Reauthorization Act of 2011 and the American Innovation and Competitiveness Act of 2017.

3.0 Requirements

This requirement is for a commercially available software as a service (SaaS).

3.1 Baseline Requirements

Maintain a FedRAMP Moderate Impact Level authorization in good standing at both the platform and application layer (i.e., full stack).

Additionally, in order to maintain continuity of features, the following are required to be provided by the vendor:

  1. Has previously run a crowdsourcing competition successfully, from start to finish, on its existing platform, in which potential solvers were invited to provide solutions.

  2. Has a record of minimal unplanned service outages in the past year.

  3. Supports multiple user types, including administrators and public solvers:

    1. Overarching administrator: maintains view and edit rights for all competitions in draft/staging (pre-publish) and production (published); monitors challenge metrics and analytics directly; communicates with solvers or followers of a specific event; provides notifications and/or offers updates; and clarifies questions in visible discussion areas, if applicable, etc.

    2. Mid-tier administrator: maintains view and edit rights for content specific to their organization or competition; monitors challenge metrics directly; communicates with solvers or followers of a specific event; provides award notification and/or offer updates; and clarifies questions in visible discussion areas, if applicable, etc.

    3. General public: views content, submits and manages personal entries, receives notifications and engages in online community as made available.

  4. Supports the import of existing data in an open format, such as CSV, XML or another mutually agreed upon format.

  5. Imports all Challenge.gov historical and current data.

  6. Will support challenge application and hosting by Challenge.gov’s current customers, including agencies across government.

  7. Preserves challenge information after a challenge’s conclusion.

  8. Supports the export of data in an open format, such as CSV, XML or another mutually agreed upon format.

  9. Exports all Challenge.gov data at the end of the contract period of performance.

  10. Does not claim ownership of the data created by running challenges.

  11. Allows administrators to easily and quickly create, launch and administer challenges with the appropriate privileges.

  12. Supports both organization-specific challenges as well as challenges from two or more organizations in partnership.

  13. Supports multiple and concurrent challenges, including multiple concurrent challenges by a single organization or group of organizations.

  14. Allows time-limited challenges, and automatically discontinues submissions after submission close date and time.

  15. Supports multi-phase challenges, potentially lasting multiple months.

  16. Allows challenge evaluators to review and score submissions with weighted criteria; supports judging and/or evaluation within the application.

  17. Requires or can be customized to require multi-factor (2FA) authentication for administrators.

  18. Supports multiple types of challenge (e.g., software/app, idea, design, scientific/engineering, multimedia, etc.).

  19. Allows challenges with a monetary prize.

  20. Allows challenges with a non-monetary prize.

  21. Makes prize information easily visible to potential solvers.

  22. Allows public users to view the challenge data without registration.

  23. Allows for accepting multiple types of submissions in response to posted challenges (e.g., text, documents, images) and allows submissions to include links (e.g., to videos, repositories, etc.).

  24. Provides a mechanism to announce winner(s) of a challenge.

  25. Allows admins to turn voting on and off, or to schedule voting to begin at a future time.

  26. Is tested for usability.

  27. Requires, for challenges hosted on the platform, that public participants accept/agree to specific terms and conditions at the time of submission.

  28. Provides analytics or reporting, and supports the use of custom analytics such as the Digital Analytics Program.

  29. Allows administrators to schedule challenges to launch at a future date.

  30. Can be customized to link to challenges hosted externally, including on competitor sites.

  31. Allows for customization of certain page and/or module templates to support Challenge.gov branding across the platform, including logos and prominent links to Challenge.gov content, as well as agency-specific branding at the competition level.

  32. Provides permalinks for each challenge.

  33. Provides social media integrations for challenges.

  34. Provides support or help lines for the platform; unlimited hours of services offered.

  35. Provides onboarding support and training for administrators of the platform.

  36. Conducts regular, planned updates/upgrades.

  37. Provides continuous monitoring of product quality and reporting.

  38. Accepts and responds to security scans, incidents in a timely manner.

  39. Provides open APIs to access challenge data.

  40. Demonstrates a mobile-friendly interface.

3.2 Advanced Technical Capabilities

  1. Demonstrates experience running challenges successfully, from start to finish, for federal customers on its platform.

  2. Challenge.gov administrator: In addition to the overarching administrator rights specified, it is desired that the vendor can customize this user type to maintain the ability to verify/approve content at least once before the initial publication, and to monitor site analytics and other available metrics in aggregate by fiscal year or another specified date range, by agency or government-wide, or by challenge type.

  3. Agency administrator: Along with mid-tier administrator rights, it is desired that the vendor can customize this user type to maintain view and edit rights for content specific to their department or agency, as determined by OMB Circular A-11. It is desired that publication rights for content will eventually follow initial approval by a SaaS or Challenge.gov administrator.

  4. Allows or can be customized to allow users to search for challenges by keywords and phrases, and provide analytics on search terms for Challenge.gov administrators.

  5. Allows users to search and/or sort for challenges by criteria such as submission dates/range, and/or prize amount/range.

  6. Allows administrators to mark submissions as public or private; when public, allows public users to see, discuss and rate solutions proposed by others.

  7. Offers functionality that supports outreach to the public within the SaaS (e.g., newsletters, alerts as challenges launch in a desired topic area) at no added cost.

  8. Supports single sign-on using agency credentials.

  9. Facilitates collaboration between solvers with similar interests; provides one or more method for solvers to interact with each other.

  10. Provides one or more method for users to interact with the organization hosting a challenge.

  11. Provides visualizations of key metrics within the application.

  12. Can support the addition/creation of a blog within the platform for highlighting winner stories (e.g., PrizeWire blog).

  13. Allows organizations to customize terms and conditions for each competition.

  14. Allows challenges with no prize.

  15. Provides comprehensive documentation for all user types.

  16. Can provide prominent and permanent links to external sites (such as the Challenges and Prizes Toolkit and the PrizeWire blog).

4.0 Evaluation and Basis for Award

This procurement is being conducted in accordance with the ordering procedures as prescribed in FAR Subpart 8.405-2. The Government will make an award with the offeror that represents the overall best value to meet the Government’s need. Best value is defined as the expected outcome of an acquisition that, in the Government’s estimation, provides the greatest overall benefit in response to the requirement, in accordance with FAR 2.101(b).

The vendor shall submit a quotation in accordance with the instructions and terms and conditions of this RFQ and the terms and conditions of the vendor’s GSA Schedule contract.

The best value basis for award will be determined by a pass/fail Compliance Review, two technical evaluation factors—technical capabilities and similar experience—and a review of the offeror’s Price as provided in the price quotation. The price evaluation will be reviewed separately from the technical evaluation. The Government is more concerned with obtaining superior technical capabilities than with making awards at the lowest overall price to the Government. Offerors are advised that the technical evaluation factors combined are significantly more important than price. Note that as submissions become more technically equal in their merit, the total evaluated price becomes more important.

4.1 - Phase 1 Compliance Review

Compliance is defined as (1) maintaining a FedRAMP Moderate Impact Level authorization in good standing at both the platform and application layer (i.e., full stack), and (2) meeting all required characteristics in section 3.1. Vendors who do not satisfy both requirements at quote submission time will be deemed non-compliant. Only quotes deemed as compliant will move on to Phase 2. The quoter shall submit Compliance Review information via the Technical Evaluation Google Form.

4.2 - Phase 2 Technical Evaluation

The following will be used to evaluate technical quotes:

Factor 1 - Technical Capabilities

  • The Government will evaluate the offeror’s technical capabilities based on the requirements in section 3.0 of the RFQ.

  • Advanced Technical Capabilities are not required, but will be considered during evaluation.

Factor 2 - Similar Experience

The offeror shall provide two examples of past or current challenge clients of the proposed SaaS offering meeting substantially the same requirements and complexity as listed within section 3.0 of the RFQ.

4.3 - Phase 3 Price Evaluation

The vendor shall submit a quote either at or below its current GSA Schedule price. Prices shall be submitted via the Price Evaluation Form. Proposed prices shall be evaluated for reasonableness and consistency with industry standards.

Evaluation of options under FAR 52.217-8 will be accomplished by using the prices offered for the last option period to determine the price for a 6-month option period, which will be added to the base and other option years to arrive at the total price. Evaluation of options will not obligate the Government to exercise the option(s).

The Government also reserves the right to make no award.

5.0 Period of Performance

The Period of Performance (POP) consists of a Base Year and 4-Option Years. Actual dates will be provided at time of award.

6.0 Type of Contract

Based on the nature of this requirement, the government intends to award a Firm Fixed Price (FFP) task order.

7.0 Invoicing

The contractor must submit invoices on a monthly basis. At the end of the period of performance a final invoice must be submitted. The contractor must submit it within 60 calendar days from contract completion and no further charges are to be billed. With the submission of a final invoice, a completed and signed Release of Claims (GSA Form 1142) shall be provided to the CO.

7.1 Content of Invoice

In addition to the requirements for a proper invoice specified in FAR 52.212-4 (g) and the Prompt Payment clause, FAR 52.212-4(i)(2), the following information or documentation must be submitted with each invoice, all of which will be provided at time of award:

  • Contract/Order Number

  • Period of Performance covered by the invoice

  • CLINs

    • 0001 Challenge.com - Base Year Price:

    • 1001 Challenge.com - Option Year 1 Price:

    • 2001 Challenge.com - Option Year 2 Price:

    • 3001 Challenge.com - Option Year 3 Price:

    • 4001 Challenge.com - Option Year 4 Price:

  • The Accounting Number Associated with the task order

7.2 Invoice Submission

The Contractor is required to submit invoices to GSA Vendor Customer Self Service (VCSS) and the Contracting Officer Representative (COR). GSA TTS does not manage or run this system. All invoicing questions should be directed to customer support at 866-450-6588 or the VCSS customer service site https://vcss.ocfo.gsa.gov/.

8.0 Administration

This acquisition will be administered by the following individuals, who will also monitor contractor performance:

  1. GSA Product Owner: Will be provided at time of award

  2. GSA TTS Contracting Officer: Michelle McNellis

  3. GSA TTS Contracting Officer Representative: Will be provided at time of award

9.0 Post Award and Kickoff Meeting

9.1 Post Award Orientation Conference

The Government's team, CO/COR, and the TTS Product Owner will hold a Kickoff Meeting/Post-Award Conference with the contractor. This Kickoff will include the contractor’s team and other relevant Government staff to review and clarify the project’s objectives, expectations from the Government, and address any questions the contractor may have.

The Kickoff Meeting/Post-Award Conference will take place within 10 calendar days from award.

9.2 Termination

GSA may choose to cancel the task order if the contractor has its FedRAMP authorization (JAB Provisional or Agency) revoked and the deficiencies are greater than agency risk tolerance thresholds.

Should the task order be terminated prior to the end of the period of performance, the contractor shall transfer all project materials to the CO/COR and the TTS Product Owner within two weeks of the CO/COR and the TTS Product Owner’s request.

9.3 Travel

No travel is anticipated or will be required as part of this task order.

9.5 Transition Activities

During the transition to the Government or a new contractor, the Contractor shall perform all necessary transition activities. Expected transition activities may include, but not be limited to:

  • Continuation of full services to TTS Office of Products and Programs.

  • Participation in meetings with the Government or a new contractor to effect a smooth transition and provide detailed information on the operation of all deliverables such as new subscription license key, at the COR and the TTS Product Lead's discretion.

10.0 TTS Transparency Policy

Vendors are advised that TTS reserves the right to publish documents associated with this requirement on a publicly-available website, including any Requests for Quotation (including amendments), Question and Answer exchanges with vendors (source-identifying information removed), and other relevant information that is not confidential or proprietary in nature or source selection sensitive information that would otherwise implicate procurement integrity concerns.

Upon award, TTS may publish the total awarded price and certain non-source-identifying data (for example, the number of bids, the mean price, median, and standard deviation of price). During the performance of this task order, TTS may similarly publish data related to project management (for example, user stories, milestones, and performance metrics) and top-line spending data.

10.1 508 Compliance

The contractor shall support the Government in its compliance with Section 508 throughout the development and implementation of the work to be performed.

Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d) requires that when Federal agencies develop, procure, maintain, or use electronic information technology, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who do not have disabilities, unless an undue burden would be imposed on the agency. Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal agency, have access to and use of information and data that is comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the agency.

11.0 Minimum Security Requirements for Cloud-based Providers (Including SaaS)

As required by the Federal Information Technology Acquisition Reform Act (FITARA), agencies utilizing cloud services shall do so in a manner that is consistent with requirements of the Federal Risk and Authorization Management Program (FedRAMP) and National Institute of Standards and Technology (NIST) guidance.[1]

As the seat of the FedRAMP program, GSA holds its information systems and service providers to a high security standard, including other-agency-hosted, outsourced, and cloud computing solutions. GSA requires contracted infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS) solutions to hold a FedRAMP authorization.

Security requirements:

  1. Maintain a FedRAMP Moderate Authorization to Operate, implementing the controls contained within the FedRAMP Cloud Computing Security Requirements Baseline and FedRAMP Continuous Monitoring Requirements for moderate impact systems (as defined in FIPS PUB 199). The contractor shall generally, substantially, and in good faith follow FedRAMP guidelines and security guidance. In situations where there are no procedural guides, the contractor shall use generally accepted industry best practices for IT security.

  2. Platform should operate using a hybrid deployment model (as defined by NIST Special Publication 800-145), which serves two or more cloud infrastructures (i.e., general public use and use specific to a community of organizations -- in this case, federal agencies -- with the shared purpose of crowdsourcing).[2]

  3. Must determine, in a multi-tenant environment, user roles and permissions at login, and set multi-factor authentication for Challenge.gov and agency administrators (i.e., privileged accounts). Today, Challenge.gov verifies administrators via multi-factor authentication facilitated via OMB MAX Authentication-as-a-Service. OMB MAX verifies a user’s .gov/.mil email status or agency-approved sponsorship, and assigns a department/agency based on OMB Circular A-11: Preparation, Submission and Execution of the Budget.[3] Challenge.gov’s use of MaaS is facilitated as part of an interagency agreement, or IAA, with other Office of Programs and Products platforms (e.g., Data.gov).

  4. Certify the personnel security requirements by furnishing documentation reflecting favorable adjudication of background investigations for all personnel (including subcontractors) supporting the system. Contractors shall comply with GSA Order 2100.1 – “GSA Information Technology (IT) Security Policy” and GSA Order CIO P 2181.1 – “HSPD-12 Personal Identity Verification and Credentialing Handbook.” (GSA separates the risk levels for personnel working on Federal computer systems into three categories: Low Risk, Moderate Risk, and High Risk. Those contract personnel determined to be in a Low Risk position will require a National Agency Check with Written Inquiries (NACI) investigation. Those Applicants determined to be in a Moderate Risk position will require either a Limited Background Investigation (LBI) or a Minimum Background Investigation (MBI) based on the Contracting Officer’s (CO) determination. Those Applicants determined to be in a High Risk position will require a Background Investigation (BI). Applicants will not be re-investigated if a prior favorable adjudication is on file with FPS or GSA, there has been less than a one year break in service, and the position is identified at the same or lower risk level. Once a favorable FBI Criminal History Check (Fingerprint Check) has been returned, Applicants may receive a GSA identity credential (if required) and initial access to GSA information systems. The HSPD-12 Handbook contains procedures for obtaining identity credentials and access to GSA information systems as well as procedures to be followed in case of unfavorable adjudications. GSA shall sponsor the investigation when deemed necessary. No access shall be given to government computer information systems and government sensitive information without a background investigation being verified or in process. If results of background investigation are not acceptable, then access shall be terminated. 
The Contractor shall provide a report of separated staff on a monthly basis, beginning 60 days after execution of the option period.

  5. Certify that vetted personnel

    1. Submit to and pass yearly security training

    2. Access SaaS solution only through VPN and Terminal

  6. Certify that the system uses:

    1. Time-based two-factor authentication

    2. Require passwords with minimum length of 12 characters, including 1 uppercase, 1 lowercase, 1 numeric digit, 1 special character

    3. Require session lock after 15 minutes

    4. Require remote access connections to be terminated after thirty (30) minutes of inactivity

    5. Require a password hashing function that provides an added layer of security against hacking; it should meet or exceed the Public-Key Cryptography Standards (e.g., PBKDF2)

    6. Require host-based and network-based intrusion detection systems

    7. Require multi-active data center architecture that supports failover

    8. Require encryption at rest (AES-256) and in transit (TLS)

    9. Require monthly operating system and application vulnerability scans

    10. Require vulnerability scans of all uploaded files (e.g., submission materials)

    11. Require system and application audit logging to be enabled
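The credential and session rules in item 6 above, together with the privileged-account multi-factor requirement in item 3, translate into a small amount of authentication code. The following Python is an added example written for this page, not text from the RFQ and not any vendor's implementation. It checks the 12-character, four-class password rule, hashes passwords with PBKDF2-HMAC-SHA256 (the RFQ names PBKDF2 but no iteration count, so the count below is a constructed choice), verifies RFC 6238 time-based one-time codes, applies the 15-minute lock and 30-minute remote idle timeout, and makes a valid one-time code mandatory for privileged roles. The function names, role names, stored-hash format and sample secret are assumptions.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Policy values taken from the RFQ (section 11, items 3 and 6); the names are ours.
MIN_PASSWORD_LENGTH = 12
SESSION_LOCK_SECONDS = 15 * 60          # "session lock after 15 minutes"
REMOTE_IDLE_SECONDS = 30 * 60           # remote connections dropped after 30 idle minutes
PBKDF2_ITERATIONS = 600_000             # constructed choice; the RFQ sets no count
PRIVILEGED_ROLES = {"challenge_gov_admin", "agency_admin"}   # assumed role names


def password_policy_violations(password: str) -> list:
    """Return the rules the password fails (an empty list means it is compliant)."""
    violations = []
    if len(password) < MIN_PASSWORD_LENGTH:
        violations.append("length")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    if not any(c.islower() for c in password):
        violations.append("lowercase")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    if not any(not c.isalnum() for c in password):
        violations.append("special")
    return violations


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt, stored in a self-describing format."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HOTP (HMAC-SHA1) over the time-step counter."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


def session_state(last_activity: float, now: float, remote: bool = False) -> str:
    """'active', 'locked' after 15 idle minutes, or 'terminated' for a remote session idle 30 minutes."""
    idle = now - last_activity
    if remote and idle >= REMOTE_IDLE_SECONDS:
        return "terminated"
    if idle >= SESSION_LOCK_SECONDS:
        return "locked"
    return "active"


def authenticate(user: dict, password: str, code: Optional[str], now: float) -> bool:
    """Password for every account; privileged roles must also present a valid one-time code."""
    if not verify_password(password, user["password_hash"]):
        return False
    if user["role"] in PRIVILEGED_ROLES:
        return code is not None and verify_totp(user["totp_secret"], code, now)
    return True


if __name__ == "__main__":
    # Constructed demo account; the secret is the RFC 6238 reference test secret.
    admin = {"role": "agency_admin",
             "password_hash": hash_password("Correct-Horse-7"),
             "totp_secret": b"12345678901234567890"}
    print("policy:", password_policy_violations("Correct-Horse-7"))
    print("admin without code:", authenticate(admin, "Correct-Horse-7", None, 59))
    print("admin with code:", authenticate(admin, "Correct-Horse-7", totp(admin["totp_secret"], 59), 59))
```

The one-time code path is checked against the published RFC 6238 SHA-1 test vectors, so the HMAC and truncation steps can be confirmed independently of this page; the `compare_digest` calls keep both the hash and the code comparison constant-time, and the stored-hash string carries its own iteration count so the count can be raised later without invalidating existing records.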

The SaaS provider shall ensure the following essential security controls are implemented. The SaaS provider shall implement control parameters and implementation guidance, as applicable. Further, the vendor shall make the proposed system and security architecture of the information system available to the Security Engineering Division, in the Office of the Chief Information Security Officer, GSA, for review and approval before commencement of system build (architecture, infrastructure, and code, as applicable) and/or the start of A&A activities.

| Control ID | Control Title | FedRAMP Baseline |
|---|---|---|
| AC-2 | Account Management | L, M, H |
| AU-2 | Audit Events | L, M, H |
| CM-6 | Configuration Settings | L, M, H |
| CP-7 | Alternative Processing Site | M, H |
| CP-8 | Telecom Services | M, H |
| IA-2 (1) | Identification and Authentication (Organizational Users) \| Network Access to Privileged Accounts | L, M, H |
| IA-2 (2) | Identification and Authentication (Organizational Users) \| Network Access to Non-Privileged Accounts | M, H |
| IA-2 (12) | Identification and Authentication (Organizational Users) \| Acceptance of PIV Credentials | L, M, H |
| IA-7 | Cryptographic Module Authentication | L, M, H |
| MP-4 | Media Storage | M, H |
| MP-5 | Media Transport | M, H |
| PL-8 | Information Security Architecture | M, H |
| RA-5 | Vulnerability Scanning | L, M, H |
| SC-8 / SC-8(1) | Transmission Confidentiality and Integrity / Transmission Confidentiality and Integrity \| Cryptographic or Alternate Physical Protection | M, H |
| SC-13 | Cryptographic Protection | L, M, H |
| SC-17 | PKI Certificates | M, H |
| SC-18 | Mobile Code | M, H |
| SC-22 | Architecture and Provisioning for Name / Address Resolution Service | L, M, H |
| SC-28 (1) | Protection of Information at Rest \| Cryptographic Protection | M, H |
| SI-2 | Flaw Remediation | L, M, H |
| SI-3 | Malicious Code Protection | L, M, H |
| SI-4 | Information System Monitoring | L, M, H |
| SI-10 | Information Input Validation | M, H |

GSA will leverage the SaaS provider’s FedRAMP A&A package to document and assess the customer controls for which GSA has responsibility and issue a GSA authorization-to-operate (ATO) for the agency’s instance of the vendor’s SaaS offering. The vendor shall work with the GSA to facilitate documentation and assessment of required customer controls, as necessary.

The SaaS provider shall comply with FedRAMP requirements as mandated by federal laws and policies, including making available any documentation, physical access, and logical access needed to support this requirement. The level of effort for the A&A is based on the system’s NIST Federal Information Processing Standard (FIPS) Publication 199 categorization.

The contractor shall create, maintain and update the following documentation using FedRAMP requirements and templates, which are available at https://www.fedramp.gov/:

  1. Privacy Impact Assessment (PIA)

  2. FedRAMP Test Procedures and Results

  3. Security Assessment Report (SAR)

  4. System Security Plan (SSP)

  5. IT System Contingency Plan (CP)

  6. IT System Contingency Plan (CP) Test Results

  7. Plan of Action and Milestones (POA&M)

  8. Continuous Monitoring Plan (CMP)

  9. FedRAMP Control Tailoring Workbook

  10. Control Implementation Summary Table

  11. Results of Penetration Testing

  12. Software Code Review

  13. Interconnection Agreements/Service Level Agreements/Memorandum of Agreements

GSA may choose to cancel the task order if the contractor has its FedRAMP authorization (JAB Provisional or Agency) revoked and the deficiencies are greater than agency risk tolerance thresholds.

Additionally, the government reserves the right to perform periodic security assessment and penetration testing (of its instance). If the government exercises this right, the SaaS provider shall allow government employees (or designated third parties) to conduct security assessment and penetration testing activities, including control reviews. Penetration testing shall be supported by mutually agreed upon rules of engagement. Review activities include but are not limited to manual penetration testing; automated scanning of operating systems and web applications; wireless scanning; and scanning of databases and other applicable systems, including the general support structure that supports the processing, transportation, storage, or security of government information, for vulnerabilities.

Identified gaps between required security control baselines and continuous monitoring controls and the SaaS vendor's implementation as documented in the security assessment report shall be tracked by the SaaS provider for mitigation in a Plan of Action and Milestones (POA&M) document. Depending on the severity of the gaps, the government may require them to be remediated before a GSA authorization is issued.

The contractor is responsible for mitigating all security risks found during A&A and continuous monitoring activities. All high-risk vulnerabilities must be mitigated within 30 days and all moderate risk vulnerabilities must be mitigated within 90 days from the date vulnerabilities are formally identified. The government will determine the risk rating of vulnerabilities.

Continuous monitoring and periodic audit of the operational controls within a contractor’s system, environment, and processes will determine if the security controls in the information system continue to be effective over time in light of changes that occur in the system and environment. Through continuous monitoring, security controls and supporting deliverables shall be updated in agreement with FedRAMP guidelines and submitted to the MAX.gov portal or repository designated by FedRAMP.

PROTECTION OF INFORMATION

The SaaS provider shall be responsible for properly protecting all information used, gathered, or developed as a result of work under this contract. The contractor shall also protect all government data, equipment, etc. by treating the information in accordance with its FISMA system categorization. If contractor personnel must remove any information included in the ATO boundary from the primary work area, they shall protect it to the same FedRAMP requirements. Any information subject to the Privacy Act shall be used in full accordance with all rules of conduct applicable to Privacy Act information.

Unrestricted Rights to Data

The government will retain unrestricted rights to government data. The ordering activity retains ownership of any user created/loaded data and applications hosted on vendor’s infrastructure, as well as maintains the right to request full copies of these at any time at no additional cost to the government.

Personally Identifiable Information

Privacy data is in the scope of this acquisition and is expected to be stored in the vendor's cloud solution. Any information subject to the Privacy Act shall be used in full accordance with all rules of conduct applicable to Privacy Act information.

Privacy data (should it come into scope) will require that the vendor’s cloud solution be FedRAMP authorized at the FIPS PUB 199 moderate level.

Data Rights and Ownership of Deliverables

Any data or deliverable created as a result of the work performed under the task order will be committed to the public domain, at a minimum:

  • All data, documents, graphics and code created under this call order including but not limited to: plans, reports, schedules, schemas, metadata, architecture designs, and the like;

  • In accordance with the 18F open source policy, any and all new open source software created by the contractor and forks or branches of current open source software where the contractor has made a modification; and,

  • Any and all new tooling, scripting, configuration management, infrastructure as code, or any other final changes or edits needed to successfully deploy or operate the software.

The contractor shall use open source technologies wherever possible, in support of the 18F source code policy. All licenses must be expressly listed in the deliverable. Regardless of license(s) used (e.g., MIT, GPL, Creative Commons CC0), the license(s) shall be clearly listed in the documentation.

If the contractor needs to incorporate work that does not have an open source license, the contractor is required to request permission from GSA TTS, in writing, before utilizing that work in any way in connection with the order. If approved, all licenses shall be clearly set forth in a conspicuous place when work is delivered to GSA TTS.

If an open source license provides implementation guidance, the contractor shall ensure compliance with that guidance. If implementation guidance is not available, the contractor shall attach or include the license within the work itself. Examples of this include code comments at the beginning of a file or contained in a license file within a software repository.

Data Availability

The data must be available to the government upon request within one business day or within the timeframe negotiated with the vendor, and shall not be used for any other purpose other than that specified herein. The contractor shall provide requested data at no additional cost to the government.

Data Release

Any information made available to the vendor by the government shall be used only for the purpose of carrying out the provisions of this contract and shall not be divulged or made known in any manner to any persons except as may be necessary in the performance of the contract. In performance of this contract, the vendor assumes responsibility for protection of the confidentiality of government records and shall ensure that all work performed by its subcontractors is under the supervision of the vendor or the vendor’s responsible employees. Each officer or employee of the vendor or any of its subcontractors to whom any government record may be made available or disclosed shall be notified in writing by the contractor that information disclosed to such officer or employee can be used only for that purpose and to the extent authorized herein. Further disclosure of any such information, by any means, for a purpose or to an extent unauthorized herein, may subject the offender to criminal sanctions imposed by 18 U.S.C. § 1030.

The vendor will not disclose customer data to any government or third party, or access or use customer data, except in each case as necessary to maintain the SaaS or to provide the SaaS to the customer in accordance with this contract, or as necessary to comply with the law or a valid and binding order of a governmental or regulatory body (such as a subpoena or court order). Unless it would be in violation of a court order or other legal requirement, the vendor will give the government reasonable notice of any such legal requirement or order, to allow the government to seek a protective order or other appropriate remedy.

Data Ownership

All Government data collected in the system is the property of the federal government. All data collected by the system shall be provided by the Contractor (system provider) as requested during the contract period and at the completion of the contract period.

Confidentiality and Nondisclosure

Personnel working on any of the described tasks shall, at the government’s request, be required to sign formal non-disclosure and/or conflict of interest agreements to guarantee the protection and integrity of government information and documents.

GSA Non-Disclosure Agreement

Each individual contractor/subcontractor employee who performs work on this contract is required to sign an employee non-disclosure agreement. The vendor shall submit to the COR a completed confidentiality and non-disclosure agreement form for each individual contractor/subcontractor.

The vendor and all contractor/subcontractor employees may have access to sensitive data, proprietary, or confidential business information of other companies or the government in the course of performing official duties on this contract. The term “proprietary information” means any information considered so valuable by its owners that it is held in secret by them and their licensees and is not available to the public.

All information that is (1) obtained in relation to or derived from this contract, and (2) results from or is derived from any actual tasks assigned to contractor employees while participating on this contract is considered proprietary.

The vendor and all contractor/subcontractor employees will not use such proprietary information except as necessary to perform this contract, and shall agree not to disclose such information to third parties, including any employee of the contractor/subcontractor who has signed the required nondisclosure agreement, or use such information in any manner inconsistent with the purpose for which it was obtained. The contractor understands that unauthorized disclosure of such information may subject it to criminal and/or civil penalties in accordance with 18 U.S.C. § 1832.

Additional Stipulations

  1. Certified encryption modules must be used in accordance with FIPS PUB 140-2, “Security Requirements for Cryptographic Modules.”

  2. The vendor shall certify applications are fully functional and operate correctly as intended on systems using the United States Government Configuration Baseline (USGCB). This includes Internet Explorer configured to operate on Windows. The standard installation, operation, maintenance, update, and/or patching of software shall not alter the configuration settings from the approved USGCB configuration. The information technology should also use the Windows Installer Service for installation to the default “program files” directory and should be able to silently install and uninstall. Applications designed for normal end users shall run in the standard user context without elevated system administration privileges. The vendor shall use Security Content Automation Protocol (SCAP) validated tools with USGCB Scanner capability to certify their products operate correctly with USGCB configurations and do not alter USGCB settings.

  3. The contractor shall cooperate in good faith in defining non-disclosure agreements that other third parties must sign when acting as the federal government’s agent.

  4. The government has the right to perform manual or automated audits, scans, reviews, or other inspections of the vendor’s IT environment being used to provide or facilitate services for the government. The vendor shall be responsible for the following privacy and security safeguards:

    1. The vendor shall not publish or disclose in any manner, without the COR’s written consent, the details of any safeguards either designed or developed by the vendor under this contract or otherwise provided by the government. Exception: disclosure to a consumer agency for purposes of A&A verification, or to the MAX.gov portal.

    2. To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of government data, the vendor shall afford the government access to the vendor’s facilities, installations, technical capabilities, operations, documentation, records, and databases within 72 hours of the request.

    3. Access to support incident investigations shall be provided as soon as possible, but not longer than 72 hours after the request. Physical access considerations: if the SaaS is operated within an IaaS that is FedRAMP authorized (e.g., AWS), physical access to the datacenter environment will be governed by the terms of access allowed by the underlying infrastructure provider as defined in the FedRAMP A&A authorization package.

The program of inspection shall include, but is not limited to:

  • Authenticated and unauthenticated operating system/network vulnerability scans

  • Authenticated and unauthenticated web application vulnerability scans

  • Authenticated and unauthenticated database application vulnerability scans

  • Automated scans may be performed by government personnel, or agents acting on behalf of the government, using government operated equipment and government specified tools. If the vendor chooses to run its own automated scans or audits, the results of these scans may, at the government’s discretion, be accepted in lieu of government performed vulnerability scans. In these cases, the scanning tools and their configuration shall be approved by the government, and the results of vendor-conducted scans shall be provided in full to the government.

If new or unanticipated threats or hazards are discovered by either the government or the contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

12.0 Clauses

FAR 52.252-1 -- SOLICITATION PROVISIONS INCORPORATED BY REFERENCE (FEB 1998)

This solicitation incorporates one or more solicitation provisions by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. The offeror is cautioned that the listed provisions may include blocks that must be completed by the offeror and submitted with its quotation or offer. In lieu of submitting the full text of those provisions, the offeror may identify the provision by paragraph identifier and provide the appropriate information with its quotation or offer. Also, the full text of a solicitation provision may be accessed electronically at this/these address(es): (https://www.acquisition.gov/browsefar)

(End of provision)

FAR 52.252-2 -- CLAUSES INCORPORATED BY REFERENCE (FEB 1998)

This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available. Also, the full text of a clause may be accessed electronically at this/these address(es): (https://www.acquisition.gov/browsefar)

(End of clause)

FAR 52.203-18 Prohibition on Contracting with Entities that Require Certain Internal Confidentiality Agreements or Statements-Representation (JAN 2017)

FAR 52.217-8 - Option to Extend Services (Nov 1999)

The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within__15___

FAR 52.217-9 - Option to Extend the Term of the Contract (Mar 2000)

(a) The Government may extend the term of this contract by written notice to the Contractor within 10 days provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 15 days before the contract expires. The preliminary notice does not commit the Government to an extension.

(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.

(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed 5 years and 6 months.

(End of clause)

GSAR 552.217-71 - Notice Regarding Option(s) (Nov 1992) - The General Services Administration (GSA) has included an option to extend the term of this contract in order to demonstrate the value it places on quality performance by providing a mechanism for continuing a contractual relationship with a successful Offeror that performs at a level which meets or exceeds GSA’s quality performance expectations as communicated to the Contractor, in writing, by the Contracting Officer or designated representative. When deciding whether to exercise the option, the Contracting Officer will consider the quality of the Contractor’s past performance under this contract in accordance with 48 CFR 517.207.

GSAR 552.212-4 Contract Terms and Conditions - Commercial Items (Alternate II)(FAR Deviation) (July 2015).

GSAR 552.232-39 Unenforceability of Unauthorized Obligations. (FAR Deviation Feb 2018)
