70RCSJ24R00000009

Attachment 1:
Information Technology Security & Compliance
Support Services
Statement of Work (SOW)
PCCA-24-00025

DEPARTMENT OF HOMELAND SECURITY (DHS)

CYBERSECURITY AND INFRASTRUCTURE SECURITY
AGENCY (CISA)

Statement of Work (SOW)

for
Information Technology Security and Compliance Support Services (ITSCSS)

April 18, 2024

1 PURPOSE

CISA’s Information Security (INFOSEC) has a mission to work with CISA’s divisions to achieve
compliance with federal mandates (e.g., Federal Information Security Management Act (FISMA),
DHS Sensitive Systems Policy Directive 4300A, National Institute of Standards and Technology
(NIST) Special Publication (SP) 800 Series, Office of Management and Budget (OMB) Circulars,
and all applicable laws, directives, policies, and directed actions and to provide the methodologies,
tools, guidance, and subject matter expertise to help ensure CISA’s information security programs
can meet federal compliance and reporting requirements.

The purpose of this SOW is to obtain expert IT Security support services to ensure CISA’s systems
achieve and maintain their Authority to Operate (ATO) with a security posture in accordance with
DHS 4300A and NIST SP guidance.

2 SCOPE

The Scope of this requirement includes the Contractor providing Subject Matter Expert (SME) IT
security assessment and IT security audit functions to ensure Federal Information Security
Management Act (FISMA) compliance, SME support in developing and maintaining
documentation in support of Assessment and Authorization (A&A) as required by FISMA;
ensuring all A&A system security documentation is kept up to date; and ensuring systems meet all
security requirements mandated by DHS 4300A and DHS Management Directives, and as directed
by the CISA Information Security (INFOSEC).

2.1 Applicable Documents or References

 DHS Management Directives (Volume 11000)

 DHS Management Directive 140-01, “Information Technology System Security Program,
Sensitive Systems”
 DHS Sensitive Systems Policy Directive 4300A (Version 13.3, February 13, 2023)
 DHS National Security Systems Policy Directive 4300B (Version 10.1, November 21,
2018) for NSS Collateral (Unclass, Secret or Top Secret Collateral)
 DHS Sensitive Compartmented Information (SCI) Systems Instruction Manual 4300C
(Version 2.1, March 24, 2017) for TS SCI/C-LAN
 DHS System Security Authorization Process Guide

Page 1 of 24
April 18, 2024
PCCA-24-00025

 National Institute of Standards and Technology (NIST) Special Publications (800 Series)
 Office of Management and Budget (OMB) Circulars
 Federal Information Processing Standards (FIPS) 199, Standards for Security
Categorization of Federal Information and Information Systems
 Acquisition Instruction / Guidebook (Acquisition Directive 102-01-001 [AD 102-01- 001]
and associated appendices
 Safeguarding Information Designated as CVI: Revised Procedural Manual and the
regulations found at 6 CFR Part 27, and other general CVI guidelines.
 National Industrial Security Program Operating Manual DOD 5220.22-M incorporating
Change 2

3 PERIOD OF PERFORMANCE

The period of performance for this contract is one (1) six-month base period with four (4) twelve-
month option periods as follows:

Base Period: July 27, 2024 – January 26, 2025

Option Period One: January 27, 2025 – January 26, 2026
Option Period Two: January 27, 2026 – January 26, 2027
Option Period Three: January 27, 2027 – January 26, 2028
Option Period Four: January 27, 2028 – January 26, 2029

4 PLACE OF PERFORMANCE

All performance will be ON-SITE, within one or more CISA facility locations within the National
Capital Region (NCR). The specific location will be identified either at time of award, or exercise
of option. On-site parking for Contractor personnel may not be available, is not guaranteed, and
off-site parking is not reimbursed.

5 BACKGROUND – This SOW is a recompete of, and replacement for 54151HACS Task
Order 70RCSA21FR0000055. There have been updates made to the previous SOW which
are reflected in this SOW.

6 TASKS

6.1 TASK ONE: Senior Project Management

Contractor access to classified information will be required under this Task. The maximum
level of classification for this Task is SECRET; it is anticipated one (1) IT Security Specialist
will require SECRET clearance. Details will be specified in a DD Form 254.

The Government estimates successful performance of this Task will require the full-time efforts of
one (1) Senior Project Manager (Sr. PM)

The Sr. PM shall provide project management for the entire contract. This effort provides the

Page 2 of 24
April 18, 2024
PCCA-24-00025

overarching support and guidance to all subordinate projects, tasks, and activities that together
make up the INFOSEC support. The Sr. PM will need to coordinate and facilitate submission of
contractor employee security and entry-on-duty documents, facilitate and track issuance of
Government Furnished Equipment (GFE) and handle any quality or performance complaints
relative to all other Tasks.

The Sr. PM must be able to provide advice and guidance to all members of the Contractor’s team.
The Sr. PM will serve as the central point of contact for the Government for all program-wide
technical issues and will represent the Contractor at all post-award status meetings. The Sr. PM is
responsible for all issue resolution, program management, and other contract support including
providing comprehensive account support for the contract. The Sr. PM will be a single point of
contact for the Contracting Officer, (CO) COR and Federal Program Manager (FPM). As KEY
personnel, the Contractor shall not replace the Sr. PM without prior approval from the Contracting
Officer. Because the Sr. PM oversees all performance under this contract and is the primary point
of contact for interactions between the Government and Contractor, the Sr. PM must be an
employee of the Prime Contractor. This position and any backup, alternate or replacement shall
not be subcontracted. Once appointed, substitutions or replacements for the alternate Sr. PM must
also be approved by the Contracting Officer.

The Sr. PM position is designated as KEY personnel. Because performance of all other Tasks
requires supervision and coordination by the Sr. PM, the Sr. PM must already have, at the time of
proposal submission, an active Secret clearance. Any approved replacements, or anyone acting in
their absence also must already have active Secret clearance in hand. The name of any alternate(s)
who will act in the absence of the Sr. PM, must be provided to the Contract Officer Representative
(COR) in advance. During any absence of the Sr. PM, only one alternate shall have full authority
to act for the Contractor on all matters relating to work performed under this contract.

The Sr. PM shall be available to the COR via telephone between the hours of 8:00 am and 5:00 pm
(EDT), Monday through Friday (excluding federal holidays) and shall respond to a request for
discussion or resolution of technical problems within twenty-four (24) hours of notification.

Achievement of this Task will require:

 Providing monthly reports as described in Sections 15 and 16 of this SOW.
 Participating in monthly conference calls/meetings regarding the contract status, activity
status, costs, etc. with INFOSEC Task leads and the COR.
 Ensuring activities stay on task and deliverables are submitted on time.
 Conducting risk management to identify potential issues early.
 Providing monthly metric reports for assessments to the INFOSEC staff.
 Participating in weekly meetings (in person, teleconference, webinar) with technical staff
and project team members as it relates to planned and/or ongoing operations and
maintenance for INFOSEC activities.
 Create and maintain a system assessment schedule.

Page 3 of 24
April 18, 2024
PCCA-24-00025

Task One Deliverables:

 Monthly Progress Report (MPR) due the 15th of every month.
 Monthly Progress Report Executive Brief slide deck due within 3 days after delivery of
MPR.
 Develop and brief the system assessment schedule bi-weekly to the government.

6.2 TASK TWO. Security Assessment and Compliance (SCA) Support

Contractor access to classified information will be required under this Task. The maximum
level of classification for this Task is SECRET; it is anticipated one (1) IT Security Specialist
will require SECRET clearance. Details will be specified in a DD Form 254.

The Government estimates successful performance of this Task will require the full-time efforts of
a total of ten (10) full-time Level II Information Assurance (IT Security Specialists), of which one
(1) will require SECRET clearance. Positions on this Task requiring Classified clearances (any
level) will be designated as KEY personnel. The remainder of staff on this Task will require only
(unclassified) DHS suitability clearance and are not KEY personnel.

Contracted staff shall provide a compliance assessment of the severity of weaknesses or

deficiencies in CISA’s information systems and prepare security assessment reports containing the
results and findings from the assessment. The findings produced by Security Assessors are used to
determine the overall effectiveness of the security controls associated with an information system
(including system-specific, common, and hybrid controls) and to provide credible and meaningful
inputs to the organization’s risk management process. Security Assessment is conducted by the
Security Control Assessment (SCA) Team, who refers to the self-assessment, plan and procedures
guidance, and results and performs more extensive testing with respect to roles and accesses, as
well as the application or system itself.

Achievement of this Task will require the Contractor to conduct SCA’s for CISA’s systems:
 Conduct system assessment kick-off meeting with system stakeholders.
 SCA testing of the application or system.
o Review test matrix and requirement information to ensure the right controls are
present and understand what needs to be tested.
o Perform extensive control, vulnerability and configuration management testing tests
and analysis and enter the results in the DHS Information Assurance Compliance
System tool.
o Create Security Assessment Report (SAR) documenting findings of the SCA, to
identify each security weakness or deficiency found in the security controls and
provide recommended corrective actions.
 Incorporate into the SAR and other supporting documents, the results of previous or other
risk assessments, penetration tests, vulnerability reports, and other tests as appropriate to
provide a judgement of the residual risk posed by the system under assessment.
 SCA must meet the government’s timelines for the Risk Management Framework.
 Perform independent security control assessments.
o Develop Security Assessment Plan (SAP) in accordance with DHS standards.

Page 4 of 24
April 18, 2024
PCCA-24-00025

 Assess the security controls in accordance with the NIST 800-53A and DHS standards
Develop the SAR executive summary report.
 Design, discuss, and present system risks during the risk out briefing with customers and
executive leadership including providing a list of findings grouped by commonality of
remediation.
 Produce risk analysis and residual risk reports from the DHS Information Assurance
Compliance System.
 Develop and give presentations on the status of the systems under assessment, weekly.
 Provide support to federal lead for reports, presentations, development of supporting
artifacts regarding the risk to CISA from the systems under assessment.
 Innovate the assessment and authorization process to enhance delivery of security risks and
findings.
 Develop standardized control implementation language for use by CISA systems.
 Perform reassessment of failed controls as required by government lead.
 Provide input for the development and maintenance of common control programs.
 Provide an analysis of the risk and threat exposures as a result of the security assessment
performed on CISA systems.
 Develop and maintain a CISA minimum security control baseline to supplement the DHS
minimum Security Control baseline.
 Develop and maintain internal operating procedures for the security assessment process.
 Support security control assessments for systems in Ongoing Authorization (OA)
 Develop and maintain SCA internal operating procedures.

Task Two Deliverables:

 Security Assessment Plan (SAP) due 5 Business days before the scheduled Kick Off
Meeting
 Assessment Kick Off Meeting Deck 5 days prior to any scheduled Kick Off activities.
 Security Authorization Package, including the Executive Summary, Security Assessment
Report (SAR), and the DHS Information Assurance Compliance System reports (Residual
Risk and Risk Analysis) for each assigned system.
 Weekly Assessment Briefing Deck to System Stakeholders by COB Friday each week
during the assessment engagement
 Assessment Outbrief Deck to system stakeholders and executive leadership 5 days prior to
scheduled Outbrief activities.
 Develop and maintain SCA internal operating procedures, initial submission is due within
90 business days of contract award and reviewed annually.

6.3 TASK THREE: Continuous Monitoring (CM) and Ongoing Authorization (OA) Support

The Government estimates successful performance of this Task will require the efforts of one (1)
full-time Level III IT Security Specialist and three (3) full-time Level II IT Security Specialists.

Achievement of this Task does not require Classified clearances. None of the staff on Task
Three are designated as KEY personnel.

Page 5 of 24
April 18, 2024
PCCA-24-00025

6.3.1. Continuous Monitoring (CM) Support

Contractor shall provide support in researching, collecting, parsing, analyzing, and reporting data
supporting the CISA’s OCIO / INFOSEC team for CM requirements as directed. Achievement of
this Task will require:
 Providing technical support for CISA INFOSEC and Division personnel regarding CM data
submission issues and agency data calls (i.e., deliver results from Governance, Risk and
Compliance (GRC) tools and other applicable cybersecurity tools)
 Conduct analysis of ISCM data received from CISA systems to determine risk exposure
and data gaps this includes reviewing the FedRAMP documentation, monitoring cloud
capabilities.
 Perform a quality control check for Plan of Actions and Milestones (PO&AMs) that are in a
closure request status located in the DHS Information Assurance Compliance System
ensuring artifacts are uploaded and ready for closure. Develop an executive report
comprised of all CISA systems showing risk nearing the 120 overdue window.
 Report KEV remediation status within CISA systems, escalate non-compliance to the
government.
 Develop and maintain an ATO contingency register to track and monitor system risks
monthly.
 Collect, validate, and prepare data calls as they relate to DHS requirements or FISMA.
 Participate, review, and consolidate program information related to data calls as required.
 Provide recommendation for process improvement for CM.
 Develop and maintain CM internal operating procedures.
 Review, and track waivers/risk acceptances received from CISA programs as needed.
 Maintain and update the common control package.
 Daily review of the weakness remediation report to ensure Plan of Action & Milestones
(POA&M) weaknesses are remediated accordingly.
 Conduct reviews of POA&M closures for completeness and compliance
 Review and support remediation activities in coordination with the customer
 Develop an executive report comprised of all current CISA systems risk posture Develop
and maintain an Authority to Operate (ATO) register to track and monitor system risks.
 Validate updates to system documentation.
 Ensure system/program authorization requirements are met to remain in compliance.
 Conduct analysis of ISCM data received from CISA systems to determine risk exposure
and data gaps.
 Review and Monitor security metrics for systems to maintain security Authorization to
Operate (ATO)/Ongoing Authorization status.
 Provides analytical support for CISA INFOSEC and Division personnel regarding the
FISMA Scorecard and agency data calls.
 Perform risk analysis of unmitigated risks.
 Assist in the research and address information security issues as required.
 Assist with pre-assessment preparation by reviewing metric and validating ATO
Contingencies
 Responsible for ensuring meeting minutes are accurately captured, documented, and
provided to the meeting organizer for review in a timely manner.
 Supporting, as required, maintenance and future validation of the CISA CISO Program
Common Control Catalog by reviewing existing catalogs for necessary updates.

Page 6 of 24
April 18, 2024
PCCA-24-00025

 Support CISA OCIO at the DHS Common Controls Working Group.

6.3.2. Ongoing Authorization (OA) Support
Contractor shall assist with identifying, developing, and implementing Ongoing Authorization
programs, best practices, and general guidance for use across CISA. Work under this Task
includes:
 Validating the system packages for OA eligibility
 Provide support to the CISA OCIO Continuous Monitoring (CM) Program utilizing
elements of the DHS HQ Ongoing Authorization (OA) Trigger Accountability Log
(TRAL). The TRAL is an accountability tool used by the Organizational Risk Management
Board (ORMB), chaired by the OA Manager, to clearly identify ongoing/continuous
discrepancies within a System Owner IT system/network. The OA Manager will determine
the frequency at which the TRAL is updated and delivered prior to any ORMB meeting.
 Collect, validate, and prepare the OA Eligibility Criteria Finding Report to ensure systems
are meeting and maintaining OA eligibility requirements. The Federal OA Manager will
determine the frequency of the OA Eligibility Criteria Finding Report.
 Proactively identify and provide metrics and reporting data to federal staff to make sound
risk decisions for continued authorization of systems.
 Daily communication with government stakeholders regarding system status
 Perform continuous monitoring of security controls to ensure that they are implemented
correctly, operating as intended, and producing the desired outcome with respect to meeting
the cybersecurity requirements for assigned IT systems.
 Manage A&A document repository and assure IT system security documents are current
and compliant.
 Develop and maintain OA internal operating procedures.
 Maintain the OA Forecast for ongoing system monitoring and performance against OA
requirements.

Task Three Deliverables:

 Review and update the Common Control package in the Information Assurance
Compliance System quarterly and as needed.
 ORMB Report no later than 3 days after each ORMB Meeting is conducted
 Executive POA&M Summary Report (CISA Weekly Total Report), to include open, closed,
and expired POA&Ms by system due each Friday by 12pm
 OA Eligibility Criteria Finding Report due the 1 st and the 15th of every month
 OA Forecast Report due the 1st and the 15th of every month
 OA Trigger Accountability Log due each Friday by 12pm
 Develop and maintain CM internal operating procedures, initial submission is due 90 days
of contract award and reviewed annually.
 Develop and maintain OA internal operating procedures, initial submission is due 90 days
of contract award and reviewed annually.

6.4 TASK FOUR: Information Systems Security Officer (ISSO) Support

Achievement of this Task does not require Classified clearances. The Government estimates
successful performance of this Task will require the efforts of twenty (20) full-time Level III

Page 7 of 24
April 18, 2024
PCCA-24-00025

(Senior) Information Assurance (IT Security Specialist) . None of the staff on Task Four are
designated as KEY personnel.

The ISSO Support is responsible for carrying out tasks required to authorize systems IAW NIST
800-53 and revisions and DHS 4300A guidance. The ISSO serves as the principal advisor to the
Information System Owner, INFOSEC, and ISSM on all matters, technical and otherwise,
involving the security of an information system. ISSOs are responsible for ensuring the
implementation and maintenance of security controls in accordance with the System Security Plan
(SSP) and Department of Homeland Security (DHS) policies.

Achievement of this Task will require:

 Authority to Operate (ATO) Package Support through the Systems Engineering Life Cycle
(SELC) for CISA systems
o Initial creation and maintenance of all ATO packages assigned.
o Monitoring compliance of all ATO packages assigned
o Conducting Annual Assessments of all ATO packages assigned
o Ensure periodic scans are performed for IT systems of all ATO packages assigned and
review scan reports.
o Conducting audit log reviews of IT systems of all ATO packages assigned
o Ensuring DHS 4300A decommission requirements are followed.
 User Account Access Support
o Ensure unused or inactive accounts are reviewed and deactivated monthly in accordance
with DHS requirements.
o Ensure user account recertifications are performed in accordance with DHS
requirements.
o Participate in the CISA CCB process for assigned systems’ changes, conduct security
impact analysis related to the changes, and update the appropriate system security
documentation.
o Ensure separation of duties is enforced through technical or manual means.
 IT System Vulnerability Management Support
o Monitor and ensure remediation of security vulnerabilities and risks at the system level
within the timeframes specified by CISA and DHS policy, and applicable federal law.
o Analyze vulnerability and compliance scans to identify possible network security
attacks and vulnerabilities in workstations, servers, and other network assets via
cybersecurity tools.
o Monitor and analyze vulnerability trends across assigned systems using the automated
cybersecurity tools.
o Comply with Information Security Vulnerability Management (ISVM) notifications by
monitoring, remediating, maintaining and validating ISVM acknowledgement and
compliance responses.
o Review scans and ensure all assets, device types, operating systems, software, and
appliances are identified within reports.
o Contractor shall review the scans for completeness, anomalies, open ports, encryption in
use, identified vulnerabilities, authorized accounts, privilege accounts, and system
configuration compliance.
o Ensure CISA Known Exploited Vulnerabilities (KEVs) are remediated NLT the stated

Page 8 of 24
April 18, 2024
PCCA-24-00025

remediation date or a POA&M is created.

o Monitor, remediate/manage, and track security vulnerabilities and risks at the FISMA
system level.
 Review the technical reference model (TRM) system list monthly to ensure software is
authorized for CISA use, if not escalate within two days to the ISSM for awareness and
engagement with the program upon identification
 Respond to Indicators of Compromise within the specified timeframes identified within the
request.
 Review control implementation statements within the SP to validate implementation and
documentation of the risk.
 Review CISA system antivirus (AV) files for completeness and accuracy bi-weekly
 Maintain assigned systems hardware and software inventory monthly and review for End of
Life (EOL)/End of Support (EOS)
 Monitor and track mitigation efforts for identified risks through POA&M, any POA&M
nearing expiration within 60 days with no progress should be escalated to the ISSM for
addressal.
 Create POA&M IAW DHS 4300A guidelines, completing all necessary fields to fully
document POA&M.
 Validate all POA&Ms are created and tracked in the DHS Information Assurance
Compliance System to completion.
 Review PO&AMs for completeness to ensure all system deficiencies are properly
identified.
 Validate POA&Ms are associated to a SAR-generated finding if applicable.
 Collaborate with system ISSM to escalate POA&Ms prior to their expiration or overdue
status.
 Validate POA&Ms that can’t be mitigated follow the proper risk acceptance or waiver
process.
 Close out POA&Ms as needed based on POA&M Closure process.
 Provide input for the development and maintenance of the common control catalog.

Task Four Deliverables:

 ISSO Weekly System Status Report to ISSM, due Thursday by Close of Business
o Status report on all completed, outstanding and upcoming assessment and
authorization activities to include continuous monitoring status.
 Develop System Security Plan in the Information Assurance Compliance System (IACS) 10
business days prior to the assessment readiness date.
 Develop and maintain ISSO internal operating procedures, initial submission is due 90 days
of contract award and reviewed annually.

6.5 TASK FIVE: IT Security & Compliance Policy Support

Achievement of this Task does not require Classified clearances. None of the staff supporting
Task Five are designated as KEY personnel.

The Government estimates successful performance of this Task will require the efforts one (1) full-
time Level III (Senior) Policy Writer (Documentation Specialist).

Page 9 of 24
April 18, 2024
PCCA-24-00025

Contractor support staff supporting this Task shall work with CISA INFOSEC Federal Policy
Manager to implement DHS policy and develop CISA-level policy to address specific requirements
within the INFOSEC office for unclassified and classified IT systems and/or processes. Contractor
personnel working on this Task will not have access to classified materials, only helping develop
and implement policy pertaining thereto.

Achievement of this Task will require:

 Identification, development, and implementation of policy changes to support DHS,
FISMA and OMB IT systems mandates.
 Research current DHS libraries for related policy
 Research Federal agencies for related policy
 Work with CISA INFOSEC federal Policy Manager to develop language required for new
policy.
 Assist with research and development of documentation for INFOSEC projects, task areas
and activities to provide project management support and recommendations.
 Support development of internal operating procedures for all Task Areas, as needed.

Task Five Deliverables:

 Edit, review, and provide comments on draft CISA-level policies within five (5) days of
receipt from the Federal INFOSEC Policy Manager.

6.6 TASK SIX: Additional Support / Surge Support Services (OPTIONAL)

The Government may require additional support services to respond to a surge or unanticipated
critical event. These services may be performed through additional hours using the same
personnel, or by temporarily adding new qualified personnel within the same labor categories, .

Additional Support / Surge Support services must be within the scope of and consistent with Tasks
One through Five, and may only use the same labor categories being used in performance of Tasks
One through Five, as follows:
 Level II Information Assurance (IT Security Specialist)
 Level III Information Assurance (IT Security Specialist)
 Level III (Senior) Policy Writer (Documentation Specialist)

The Contractor shall not incur any costs for Additional Support / Surge Support services unless
prior written authorization is received from the Contracting Officer (CO) in accordance with FAR
52.217-7. Performance under Task Six will be Labor Hours based with an estimated, not-to-
exceed ceiling assigned.

7 CONTRACTOR PERSONNEL CONSTRAINTS

The Government defines full-time staffing as 1912 hours per year per position, i.e one (1) Full-
Time Equivalent (FTE) = 1912 hours per year. Unless the Government specifies otherwise, the
Government expects full-time performance. Personnel proposed as full-time staffing shall not be
cross utilized in support of other requirements, for CISA or any other entity. If a position is staffed

Page 10 of 24
April 18, 2024
PCCA-24-00025

using two or more personnel working part-time hours, the hours for all personnel fulfilling that 1
FTE must total 1912 hours.

The Contractor shall provide qualified personnel to perform all requirements specified in this SOW
with the minimum requirements defined in this Section. All personnel performing under this
SOW must receive DHS Suitability clearance (regardless of Classified access level) prior to
performing any services.

LABOR CATEGORIES: Minimum Requirements

Education &
Labor Category SOW Minimum Requirements Clearance
Experience
Senior Project 6.1 Masters’ degree plus Either degree must be in a related field. Classified
Manager Task One 10 years’ experience Experience must be relevant IT Security SECRET,
(Key Personnel) Senior Project OR related, to include a minimum of two (2) plus,
Management Bachelor of Science years of FISMA experience. Public
(BS) plus 15 years’  Knowledgeable in all aspects of all Trust /
experience Suitability
work described in this SOW.
 Demonstrated expertise in SELC,
Information Security processes, and
IT security development projects.
 Knowledge of security code review
processes and best practices,
Enterprise Architecture
Level II 6.2 BS plus 5 years’ Degree must be in a related field. Classified
Information Task Two experience Experience must be relevant IT Security SECRET,
Assurance SCA Support OR related, to include a minimum of two (2) plus,
(IT Security High School (HS) years of FISMA experience. Public
Specialist) plus 10 years’ Trust /
(Key Personnel) experience Suitability
Level II 6.2 BS plus 5 years’ Degree must be in a related field. Public
Information Task Two experience Experience must be relevant IT Security Trust /
Assurance SCA Support OR related, to include a minimum of two (2) Suitability
(IT Security and HS plus 10 years’ years of FISMA experience.
Specialist) & experience
(non-Key) 6.3
Task Three
CM & OA
Support
Level III 6.3 BS plus 5 years’ Degree must be in a related field. Public
(Senior) Task Three experience Experience must be relevant IT Security Trust /
Information CM & OA OR related, to include a minimum of two (2) Suitability
Assurance Support HS plus 10 years’ years of FISMA experience.
(IT Security experience
Specialist)
(non-Key)

Page 11 of 24
April 18, 2024
PCCA-24-00025

Education &
Labor Category SOW Minimum Requirements Clearance
Experience
Level III 6.4 BS plus 5 years’ Degree must be in a related field. Public
(Senior) Task Four experience Experience must be relevant IT Security Trust /
Information ISSO Support OR related experience to include a minimum Suitability
Assurance HS plus 10 years’ of two (2) years of FISMA experience.
(IT Security experience ISSO Support Candidates (SOW 6.4)
Specialist) must also hold any applicable
(non-Key) certifications required to serve as
Information System Security Officer
(ISSO).
Level III 6.5 BS plus 5 years’ Degree and experience must be in a Public
(Senior) Task Five experience related field. Trust /
Policy Writer IT Security & OR Suitability
(Documentation Compliance HS plus 10 years’
Specialist) Policy Support experience
(non-Key)

7.1 Key Personnel

Before replacing any individual in a position designated as KEY personnel by the Government, the
Contractor shall notify the Contracting Officer no less than fifteen (15) business days in advance,
submit written justification for replacement, and provide the name and qualifications of any
proposed substitute(s). All proposed substitutes shall possess qualifications equal or superior to
those of the personnel being replaced, unless otherwise approved by the Contracting Officer. The
Contractor shall not replace KEY Contractor personnel without approval from the Contracting
Officer.

The following Contractor personnel are designated as KEY for this requirement:
 One (1) Senior Project Manager (Task One), Section 6.1
 One (1) Level II Information Assurance (IT Security Specialist) (Task Two), Section 6.2

7.1.1 Additional Minimum Experience / Qualifications for KEY Personnel – In addition to

the minimum education and experience requirements stated in the table above, Key
Personnel shall also possess the following experience / qualifications.

7.1.1.1 (Task One), Section 6.1 - Senior Project Manager (SECRET)

 SECRET CLEARANCE must be in-hand (final/approved), PRIOR to the Contractor’s
submission of a proposal in response to the solicitation.
 Any replacement or alternate must already have SECRET CLEARANCE in hand prior to
being proposed as a replacement.
 Knowledgeable in all aspects of all work described in this SOW.
o Experience must include Organizing, directing, and managing contract operation
support functions, involving multiple, complex, and inter-related project tasks.
o Managing teams of information security personnel at multiple locations.
o Meeting with customer and contractor personnel to formulate and review task plans and
deliverable items.
o Ensuring conformance with program task schedules and costs.
o Establishing and maintaining technical and financial reports to show progress of

Page 12 of 24
April 18, 2024
PCCA-24-00025

projects.
o Organizing and delegating responsibilities to subordinates and overseeing the successful
completion of all assigned tasks.
o Demonstrated expertise in SELC, Information Security processes, and IT security
development projects.
o Knowledge of security code review processes and best practices, Enterprise
Architecture

7.1.1.2 (Task Two), Section 6.2 - Level II Information Assurance (IT Security Specialists)
(SECRET)
Additional Minimum Qualifications:
 SECRET CLEARANCE must be in-hand (final/approved), prior to start of services, and
must at time of the Contractor’s submission of a proposal in response to the solicitation
already be in process and expected to achieve final/approved status by start of services.
 Any replacement must already have SECRET CLEARANCE in hand prior to being
proposed as a replacement.
 Experience must include:
o Providing support to plan, coordinate, and implement the organization’s information
security program.
o Providing support for facilitating and helping agencies identify their current security
infrastructure and define future programs, design and implementation of security related
to IT systems.
o Overseeing the efforts of security staff to design, develop, engineer, and implement
solutions to security requirements.
o Being responsible for implementation and development of DHS IT security processes
and policies.
o Gathering and organizing technical information about an organization's mission goals
and needs, existing security products, and ongoing programs in the MLS arena.
o Performing risk analyses, which also includes risk assessment.
o Working knowledge of the following areas is required: understanding of business
security practices and procedures; knowledge of current security tools available;
hardware/software security implementation; different communication protocols;
encryption techniques/tools; familiarity with commercial products and current
Internet/EC technology.

7.2 Employee Identification

7.2.1 Contractor Visitors

Contractor representatives or other personnel visiting Government facilities must wear an
identification badge that, at a minimum, displays the Contractor name, the employee’s photo,
name, clearance-level, and badge expiration date. Visiting Contractor personnel must comply with
all Government escort rules and requirements. All Contractor personnel must identify themselves
as Contractors when their status is not readily apparent and display all identification and visitor
badges in plain view above the waist at all times.

Page 13 of 24
April 18, 2024
PCCA-24-00025

7.2.2 Contractor Employees

Contractor employees working on-site at Government facilities must wear a government-issued
identification badge. All Contractor employees must identify themselves as Contractors when their
status is not readily apparent (in meetings, when answering Government telephones, in e- mail
messages, etc.) and always display the Government issued badge in plain view above the waist.
Contractor employees choosing to also reference the name of their employer (such as in email
footers) shall not include a company logo, mission statement or motto, nor use the DHS or CISA
branding or seals unless authorized by the Government to do so.

7.3 Employee Conduct

Contractor employees must comply with all applicable Government regulations, policies, and
procedures (e.g., fire, safety, sanitation, environmental protection, security, “off limits” areas,
wearing of parts of DHS uniforms, and possession of weapons) when visiting or working at
Government facilities. The Contractor must ensure Contractor employees always present a
professional appearance and that their conduct shall not reflect discredit on the United States or the
Department of Homeland Security. ALL Contractor employees must understand and abide by
Department of Homeland Security established rules, regulations, and policies concerning safety
and security.

7.3.1 Removing Employees for Misconduct or Security Reasons

The may, at its sole discretion (via the Contracting Officer), exclude any Contractor employee from
DHS facilities and/or revoke network access for misconduct or security reasons. Exclusion from
DHS facility access or revocation of network access does not relieve the Contractor of the
responsibility to continue providing the services at the level of effort required under the contract.
The Contracting Officer will provide the Contractor with a written explanation to support any
contractor employee facility exclusion or network access revocation.

7.4 Compliance with DHS Security Policy Requirements for National Security Systems

All services provided under this contract must be compliant with DHS National Security Systems
Policy Directive 4300B series and/or the 4300C series for Sensitive Compartmented Information
SCI systems.

8 OTHER APPLICABLE CONDITIONS

8.1 Encryption Compliance:

National Security Systems, requiring encryption shall comply with the following standards:

 Products using FIPS 197 Advanced Encryption Standard (AES) algorithms with at least 256-bit
encryption that has been validated under FIPS 140-2 (Note: The use of triple DES [3DES] and
FIPS 140-1 is no longer permitted.)
 NSA Type 2 or Type 1 encryption

Page 14 of 24
April 18, 2024
PCCA-24-00025

8.2 SECURITY

FACILITY ACCESS CLEARANCE REQUIRED: The Prime Contractor must HAVE at the
time of proposal submission an ACTIVE, FINAL SECRET facility clearance and maintain
same throughout all periods of performance. Any subcontractors providing staffing which
require a classified clearance at any level, shall have an ACTIVE, FINAL SECRET facility
clearance commensurate with the highest Classified security level of the staffing they provide
before any classified subcontractor staff can perform any services, and shall maintain same
throughout all periods of performance, for as long as they are providing any staffing
requiring classified clearances1.

Contractor employee access to classified information is required under this SOW. The
maximum level of classification for this SOW is SECRET. This will be dictated by the needs
of the specific office being served. Contractor personnel supporting each Task shall be
required to obtain and maintain the following levels of classified clearance, unless otherwise
specified below.

Task One – Senior Project Manager (SECRET) – one (1) position

Task Two - Level II Information Assurance (IT Security Specialist) (SECRET) - one (1)
position

Task Six – Additional Support Services:

 Shall follow the same security classification requirements as the Task (Two through Five)
which the additional services are intended to augment.

All positions under this SOW require contractor personnel to obtain and maintain DHS Suitability
clearance, in addition to any classified clearances noted above.

The Contractor shall pre-screen all personnel being presented for performance under this
SOW, to confirm their eligibility for the levels of clearance required (classified or otherwise).

8.3 DHS SENSITIVE SYSTEMS POLICY DIRECTIVE 4300A Version 13.1 Controls
Required
 DHS 4300A ver. 13.1- 3.3.b. Contractor information system services and operations shall
adhere to all applicable DHS information security policies.
 DHS 4300A ver. 13.1 - 4.1.1.d Components shall ensure that no contractor personnel are
granted access to DHS systems without having a favorably adjudicated Background
Investigation (BI) as defined in Department of Homeland Security Acquisition Regulation
(HSAR) and the DHS Instruction 121-01-007-01, Revision 1, Personnel Security,
Suitability and Fitness Program, Chapter 3, Excepted Service Federal Employee and
Contractor Employee Fitness Requirements. In cases where contractor personnel have been
investigated by another Federal agency, DHS Component personnel security organizations

1
Subcontractors providing NO personnel required to have Classified clearances are not required to have or obtain a
Classified Facility Clearance (FCL).

Page 15 of 24
April 18, 2024
PCCA-24-00025

may, whenever practicable, use these investigations to reduce investigation requests,

associated costs, and unnecessary delays (Chapter 3, paragraph G).
 DHS 4300A ver. 13.1 - 3.3.d. SOWs and contracts shall include a provision stating that,
when the contract ends, the contractor shall return all information and information
resources provided during the life of the contract and certify that all DHS information has
been purged from any contractor-owned system(s) that have been used to process DHS
information.
 DHS 4300A ver. 13.1 - 4.3.1.c DHS personnel, contractors, and others working on behalf
of DHS are prohibited from using any non-Government-issued removable media (USB
drives and from connecting them to DHS equipment or networks or using them to store
DHS sensitive information.
 DHS 4300A ver. 13.1 - 4.8.3.b Equipment that is not owned or leased by the Federal
Government or operated by a contractor on behalf of the Federal Government, shall not be
connected to DHS equipment or networks without the written prior approval of the DHS
CISO.
 DHS 4300 B DHS National Security Systems Policy Directive, Version 10.1 November 21,
2018.
 DHS 4300 C Sensitive Compartmented Information (SCI) Systems Policy Directive.
 Ensure that the Security products selected for the solution are approved on the TRM.
 Ensure that the solution adheres to FIPS 140-2 and FIPS 197 Advanced Encryption
Standard (AES) 256 encryption compliance.

8.4 POST-AWARD INSTRUCTIONS REGARDING SECURITY REQUIREMENTS FOR

CONTRACTS/ORDERS

The procedures outlined below shall be followed for the CISA Office of the Chief Security Officer
(OCSO), Personnel Security Division (PSD) to process background investigations, Entry on Duty
determinations, and Fitness determinations, as required, in a timely and efficient manner.

Carefully read the security clauses in the contract. Compliance with the security clauses in the
contract is not optional.

Contractor employees (to include applicants, temporaries, part-time and replacement employees)
under the contract, requiring access to sensitive information, shall undergo a position-sensitivity
analysis based on the duties each individual will perform on the contract. The results of the
position sensitivity analysis shall identify the appropriate background investigation to be
conducted. All background investigations will be processed through the CISA OCSO/PSD.
Prospective contractor employees shall submit the below completed forms to their COR. The
Standard Form (SF) 85P must be completed electronically through the Office of Personnel
Management’s e-QIP System. The SF-85P signature pages and other completed forms must be
given to the OSCO/PSD no less than thirty (30) days before the start date of the contract or thirty
(30) days prior to the requested entry on duty date, for all contractor employees whether a
replacement, addition, subcontractor employee, or vendor:

 Standard Form (SF) 85P – Questionnaire for Public Trust Positions

Page 16 of 24
April 18, 2024
PCCA-24-00025

 SF-85P Certification
 SF-85P Authorization for Release of Informaiton
 FD Form 258, - Fingerprint Card (2 copies)
 DHS Form 11000-6 – Conditional Access To Sensitive But Unclassified Information Non-
Disclosure Agreement
 DHS Form 11000-9 – Disclosure and Authorization Pertaining to Consumer Reports
Pursuant to the Fair Credit Reporting Act

Only complete packages will be accepted by the CISA OCSO/PSD. Specific instructions on
submission of packages will be provided upon award of the contract.

CISA OCSO/PSD may, as it deems appropriate, authorize, and grant favorable Entry on Duty
(EOD) decision based on preliminary checks. A favorable EOD decision allows a contractor
employee to commence work temporarily prior to the completion of the full background
investigation. The granting of a favorable EOD decision shall not be considered as assurance that a
favorable Fitness determination will follow. In addition, a favorable EOD or Fitness determination
shall in no way prevent, preclude, or bar CISA from withdrawing or terminating access to
government facilities or information, at any time during the term of the contract. No employee of
the Contractor shall be allowed unescorted access to a Government facility without a favorable
EOD or Fitness determination by the CISA OCSO/PSD.

Limited access to Government buildings is allowable without an EOD decision if the Contractor is
escorted by a Government employee and the purpose of the visit is to attend a limited number of
required briefings or nonrecurring meetings in order to facilitate the transition of a contract. The
intent of this statement is to allow a minimum amount of meeting / transition attendances to
prepare for the new contract.

CISA OCSO/PSD shall be notified of all terminations / resignations within five (5) days of
occurrence. The Contractor shall return to the COR all CISA-issued identification cards and
building passes that have either expired or have been collected from terminated employees. If an
identification card or building pass is not available to be returned, a report shall be submitted to the
COR, referencing the pass or card number, name of individual to whom it was issued and the last
known location and disposition of the pass or card.

9 HOURS OF OPERATION

Contractor employees shall generally perform all work between the hours of 8:00am and 5:00pm
EST, Monday through Friday (except Federal holidays). However, there may be occasions when
Contractor employees shall be required to work other than normal business hours, including
weekends and holidays, to fulfill requirements under this SOW.

In addition to the days designated as Federal Holidays, the Government observes the following
days:
 Any other day designated by Federal statute.
 Any other day designated by Executive Order
 Any other day designated by the President’s Proclamation

Page 17 of 24
April 18, 2024
PCCA-24-00025

10 CONTRACTOR TELECOMMUTING / TELEWORK

Telework is a work arrangement that allows personnel to perform work, during any part of regular,
paid hours, at an approved alternative worksite (e.g., home, telework center, contractor
facility). CISA recognizes two types of telework which could be approved under this SOW:
Situational and Routine (Hybrid).
 Situational telework occurs on an occasional, non-routine basis. Situational telework
includes, but is not limited to, telework that occurs on a temporary basis while personnel
are recovering from an injury or illness; as a result of special work assignments; or when
the regular worksite is closed due to Continuity of Operations (COOP)/pandemic health
crisis or other emergency situations.
 Routine (Hybrid) telework involves an arrangement in which personnel works from an
approved alternative worksite on a consistent schedule, but less than full time.

Full-time telework (Remote work) is not available for any portions of this SOW.

Telework may only be approved for positions and work for which personnel can effectively
accomplish job functions outside of the designated Government facility without diminished
performance or Agency operation. When approved, telework shall be approved on an individual
contractor employee basis, not by category, position title, Task, or group.

Work that requires access to Classified information/networks must be completed within CISA’s
facilities, using equipment specifically designated for Classified access. Telecommuting cannot be
approved for performance of ANY Classified work. All work performed outside of the identified
government facility(s) will be performed at the Unclassified FOUO level and ensuring access is
limited to personnel who are authorized access.

For non-classified portions of the Tasks of this SOW, Situational or Routine (Hybrid) telework
may be permitted in accordance with the requirements below:
 Telework requests and schedules must be submitted by the Contractor’s PM to the COR
and receive COR approval prior to commencement of any telework.
 Contractor staff are required to sign the company’s Telecommuting Agreement, which shall
be no less stringent than the language of the Government’s own telework agreements
regarding eligibility, performance, tracking of time, workplace environment, computer
workstation, dependent care, security, and internet connection. Signed Telecommuting
Agreements must be in effect before a telecommuting request is made to the COR, and the
Contractor shall certify that any requesting personnel have signed said Agreement.
 The Contractor shall update its telecommuting agreements in response to changes in the
Government’s telework agreement language, requirements, and/or posture.
 Telework approval is not guaranteed, nor indefinite. The provision to permit contractor
telecommuting may be revoked at the order level (e.g., task order, or contract) at any time if
the Government makes such determination. The telecommuting provision does not change
any contract requirements; all other terms and conditions of the contract remain in full force
and effect.

Page 18 of 24
April 18, 2024
PCCA-24-00025

 Telework, if approved, may only be performed within the 50 United States and/or District
of Columbia.

If any telecommuting will be requested immediately following award, a copy of the Contractor’s
Telecommuting Agreement form will be due to the COR for review within 10 business days
following award. If telecommuting is requested to be permitted later, the Telecommuting
Agreement form shall be provided to the COR for review no less than 10 business days before any
telework requests are submitted.

Prior to a contractor employee taking Government Furnished Equipment (GFE) out of the facility,
or attempting to perform services from outside the facility, said contractor employee must have
received COR approval on their individual request to telework, either Situationally or Routine
(Hybrid). GFE shall not leave the 50 United States and/or District of Columbia under any
circumstance and must never be out of the contractor employee’s direct physical possession while
traveling (shall not be inside checked luggage, nor stowed in overhead compartments).

11 CONTRACTOR LABOR RATES CHARGED WHILE TELECOMMUTING:

The Contractor shall charge the same rates as for a Government site when Contractor personnel are
telecommuting at their approved, designated telecommuting location.

12 TRAVEL

Contractor travel may be required to support this requirement. All travel required by the
Government outside the local commuting area(s) will be reimbursed to the Contractor in
accordance with the Federal Travel Regulations. The Contractor shall be responsible for obtaining
COR approval (electronic mail is acceptable) for all reimbursable travel in advance of each travel
event.

All costs associated with local travel within fifty (50) mile radius of the contractor’s normal place
of performance commuting area are not reimbursable. Expenses for telework-approved contractor
personnel to travel between to their approved telework location and their designated Government
facility / place of performance will not be reimbursed, regardless of the 50-mile radius.

Cost associated with approved contractor travel will be reimbursed in accordance with the Federal
Travel Regulation and FAR Subpart 31.205-46. A written request sent to the COR (with copy to
the CO) shall be submitted well in advance of any anticipated travel to allow sufficient time for
notification and approval. The following information shall be provided in the travel request:

 Name of individual(s) who will be traveling.

 Task Number or CLIN which they are supporting.
 Inclusive dates and locations of the proposed travel
 Reason for travel
 Cost estimate for travel expenses
 Government personnel name requesting contractor travel

Page 19 of 24
April 18, 2024
PCCA-24-00025

13 POST AWARD CONFERENCE

The Contractor shall attend a Post Award Conference with the Contracting Officer and the COR no
later than 10 business days after the date of award, as scheduled by the Government. The purpose
of the Post Award Conference, which will be chaired by the CO, is to discuss technical and
contracting objectives of this contract and review the Contractor's draft project plan. The Post
Award Conference will be held virtually via teleconference.

14 PROJECT PLAN

The Contractor shall provide a draft Project Plan at the Post Award Conference for Government
review. The Contractor shall provide a final Project Plan to the COR not later than 10 business
days after the Post Award Conference.

15 PROGRESS REPORTS

The Task One Sr. PM shall provide a monthly progress report to the Contracting Officer and COR
via electronic mail. This report shall include a summary of all Contractor work performed,
including a breakdown (by Task Number and title) of labor hours, an assessment of technical
progress, schedule status, any travel conducted and any Contractor concerns or recommendations
for the previous reporting period.

Each monthly progress report shall include a staffing report, which includes the names (but no
other personal information) of all personnel assigned to this contract, sorted by Task number and
position title. It shall note changes to staffing, to include at a minimum: employment status, entry /
exit date, title, availability, schedule / hours, and duty location. Key personnel positions shall be
identified as Key.

16 PROGRESS MEETINGS

The Task One Sr. PM shall deliver a Monthly Progress Report (MPR) Brief to the Federal PM and
the COR within 3 days of delivery of the MPR. This Brief will address deliverables, discuss
progress, exchange information, and resolve emergent technical problems and issues. These
meetings shall take place at the Government’s facility or via teleconference, as determined by the
Government.

17 GENERAL REPORT REQUIREMENTS

The Contractor shall provide all written reports in electronic format with read/write capability
using applications that are compatible with DHS workstations (Microsoft Office Applications).

18 GOVERNMENT FURNISHED RESOURCES

The Government will provide the workspace, equipment and supplies necessary to perform the on-
site portion of Contractor services required in this contract, unless specifically stated otherwise in
this work statement.

Page 20 of 24
April 18, 2024
PCCA-24-00025

The Contractor shall use Government furnished facilities, property, equipment and supplies only
for the performance of work under this contract and shall be responsible for returning all
Government furnished facilities, property, and equipment in good working condition, subject to
normal wear and tear.

In the event of loss or damage of GFE, the Contractor shall promptly notify the COR, CS, CO and
[email protected]. ALL contractor employees are to be cognizant of GFE loss
or damage protocols.

19 GOVERNMENT ACCEPTANCE PERIOD

The COR will review deliverables prior to acceptance and provide the contractor with an e-mail
that provides documented reasons for non-acceptance. If the deliverable is acceptable, the COR
will send an e-mail to the Contractor notifying it that the deliverable has been accepted.
The COR will have the right to reject or require correction of any deficiencies found in the
deliverables that are contrary to the information contained in the Contractor’s accepted
proposal. In the event of a rejected deliverable, the Contractor shall be notified in writing by
the COR of the specific reasons for rejection. The Contractor may have an opportunity to
correct the rejected deliverable and return it per delivery instructions.

19.1 The COR will have ten (10) business days to review deliverables and make comments. The
Contractor shall have ten (10) business days to make corrections and redeliver.

19.2 All other review times and schedules for deliverables shall be agreed upon by the parties,
based on the final approved Project Plan. The Contractor shall be responsible for timely delivery
to Government personnel in the agreed upon review chain, at each stage of the review. The
Contractor shall work with personnel reviewing the deliverables to assure that the established
schedule is maintained.

20 SUMMARY OF DELIVERABLES

The Contractor shall consider items in BOLD as having mandatory due dates. Items in italics are
deliverables or events that must be reviewed and/or approved by the COR prior to proceeding to
next deliverable or event in this SOW. All due dates referenced in the table below are business
days.

# SOW DELIVERABLE / DUE BY DISTRIBUTION

REFERENCE EVENT

1. 12 Post Award Conference Within ten (10) days after N/A

award

Page 21 of 24
April 18, 2024
PCCA-24-00025

# SOW DELIVERABLE / DUE BY DISTRIBUTION

REFERENCE EVENT

2. 10 Telecommuting Within 10 days following COR, PM

Agreement form award, or 10 days before
first request to approve
teleworking, whichever is
earlier.
3. 12, 13 Draft Contractor At Post Award Conference COR,
Project Plan Contracting
Officer
4. 13 Final Contractor Project No later than ten (10) days COR,
Plan after Post Award Contracting
Conference Officer
th
5. 6.1, 14, Task Monthly Progress By the 15 of the Month COR,
One Reports Following Contracting
Officer
6. 6.1, Task One Monthly Progress Within 3 days after PM, COR
Report Executive Brief delivery of MPR.
Slide Deck
7. 6.2, Task Two Security Package, Within forty-four (44) PM, COR
including the Executive business days or earlier
Summary, Security after assignment by ISSM
Assessment Report
(SAR), and the DHS
Information Assurance
Compliance System
reports (Residual Risk
and Risk Analysis) for
assigned system.
8. 6.2, Task Two Assessment Kick Off 5 Business days prior to PM, COR
Meeting Deck any scheduled Kick Off
activities.
9. 6.2, Task Two Security Assessment 5 Business days prior to PM, COR
Plan (SAP) scheduled Kick off
Meeting
10. 6.2, Task Two Weekly Assessment COB Friday each week PM, COR
Briefing Deck to System during the assessment
Stakeholders engagement

11. 6.2, Task Two Assessment Outbrief 5 Business days prior to PM, COR
Deck to system scheduled Outbrief
stakeholders and activities.
executive leadership

Page 22 of 24
April 18, 2024
PCCA-24-00025

# SOW DELIVERABLE / DUE BY DISTRIBUTION

REFERENCE EVENT

12. 6.2, Task Two SCA Internal Operating Within 90 Business days of PM, COR
Procedures contract award and
reviewed annually.
13. 6.3, Task Three OA Eligibility Criteria The 1st and 15th of every PM, COR
Finding Report month
14. 6.3, Task Three OA Forecast Report The 1st and 15th of every PM, COR
month
15. 6.3, Task Three OA Trigger Weekly, each Friday by PM, COR
Accountability Log 12pm
16. 6.3, Task Three Develop IOP for OA Within 90 Business days of PM, COR
Workstream contract award and
reviewed annually.
17. 6.3, Task Three Develop IOP for CM Within 90 Business days of PM, COR
Workstream contract award and
reviewed annually.
18. 6.3, Task Three Creation, updating and Ongoing
closing of work tickets in
the CISA-defined
Enterprise Ticketing
System
19. 6.3, Task Three Review and Update Quarterly, and as needed
Common Control
package
20. 6.3, Task Three Operational Risk Within 3 days after each PM, COR
Management Board ORMB Briefing
(ORMB) After Action
Report
21. 6.4, Task Four Executive POA&M Weekly each Friday by 12 PM, COR
Summary Report (CISA pm
Weekly Total Report),
for all ISSO Services
assigned systems to
include open, closed, and
expired POA&Ms by
system.

Page 23 of 24
April 18, 2024
PCCA-24-00025

# SOW DELIVERABLE / DUE BY DISTRIBUTION

REFERENCE EVENT

22. 6.4, Task Four ISSO Weekly System Every Thursday by COB PM, COR
Status Report to ISSM
to include Status report
on vulnerabilities for
ISSO assigned CISA
systems including
Log4J, KEVs, ISVM,
Assessment results,
Binding Operational
Directives (BODs)
23. 6.4, Task Four System Security Plan in 10 business days prior to PM, COR
the Information the assessment readiness
Assurance Compliance date
System (IACS)
24. 6.6, Task Five Policy Review Within 5 business days of PM, COR
receipt from the Federal
INFOSEC Policy Manager

If Task Six is exercised to augment any other Task, the relevant deliverables of the augmented
Task will apply to performance of Task Six.

21 CLAUSES, TERMS AND CONDITIONS

All Clauses, Terms and Conditions are provided in a separate document.

Page 24 of 24
April 18, 2024