ML18267A011
| ML18267A011 | |
| Person / Time | |
|---|---|
| Issue date: | 09/21/2018 |
| From: | Jessica Chu Acquisition Management Division |
| To: | Olivas G Leidos Innovations Corp |
| References | |
| NRC-HQ-10-17-A-0007 | |
| Download: ML18267A011 (94) | |
Text
___________
(x) 31310018F0015 x NRC-HQ-10-17-A-0007 copies of the amendment; (b) By acknowledging receipt of this amendment on each copy of the offer submitted ; or (c) By separate letter or electronic communication which includes a reference to the solicitation and amendment numbers. FAILURE OF YOUR ACKNOWLEDGEMENT TO BE RECEIVED AT THE PLACE DESIGNATED FOR THE RECEIPT OF OFFERS PRIOR TO THE HOUR AND DATE SPECIFIED MAY RESULT IN REJECTION OF YOUR OFFER. If by virtue of this amendment you desire to change an offer already submitted, such change may be made by letter or electronic communication, provided each letter or electronic communication makes reference to the solicitation and this amendment, and is received prior to the opening hour and date specified.
See Schedule 080285804 LEIDOS INNOVATIONS CORPORATION NRCHQ Washington DC 20555-0001 Mail Stop: TWFN-5E03 Acquisition Management Division U.S. NRC - HQ EWC See Schedule See Block 16C P00003 94 1
- 13. THIS ITEM ONLY APPLIES TO MODIFICATION OF CONTRACTS/ORDERS. IT MODIFIES THE CONTRACT/ORDER NO. AS DESCRIBED IN ITEM 14.
- 12. ACCOUNT NG AND APPROPRIATION DATA (If required) is not extended.
is extended tems 8 and 15, and returning Offers must acknowledge receipt of this amendment prior to the hour and date specified in the solicitation or as amended, by one of the following methods: (a) By completing The above numbered solicitation is amended as set forth in Item 14. The hour and date specified for receipt of Offers
- 11. THIS ITEM ONLY APPLIES TO AMENDMENTS OF SOLICITATIONS FAC LITY CODE CODE 10B. DATED (SEE ITEM 13) 10A. MODIFICATION OF CONTRACT/ORDER NO.
9B. DATED (SEE ITEM 11) 9A. AMENDMENT OF SOLICITATION NO.
CODE
- 8. NAME AND ADDRESS OF CONTRACTOR (No., street, county, State and ZIP Code)
- 7. ADMINISTERED BY (If other than Item 6)
CODE
- 6. ISSUED BY PAGE OF PAGES
- 4. REQUISITION/PURCHASE REQ. NO.
- 3. EFFECTIVE DATE
- 2. AMENDMENT/MODIFICATION NO.
- 5. PROJECT NO. (If applicable)
- 1. CONTRACT D CODE AMENDMENT OF SOLICITATION/MODIFICATION OF CONTRACT 04/05/2018 Attn: Gilbert Olivas 13560 DULLES TECHNOLOGY DR HERNDON VA 20717-3414 Net Increase:
CHECK ONE A. THIS CHANGE ORDER IS ISSUED PURSUANT TO: (Specify authority) THE CHANGES SET FORTH IN ITEM 14 ARE MADE IN THE CONTRACT B. THE ABOVE NUMBERED CONTRACT/ORDER IS MODIF ED TO REFLECT THE ADM NISTRATIVE CHANGES (such as changes in paying office, C. THIS SUPPLEMENTAL AGREEMENT IS ENTERED INTO PURSUANT TO AUTHORITY OF:
D. OTHER (Specify type of modification and authority) appropriation data, etc.) SET FORTH N ITEM 14, PURSUANT TO THE AUTHORITY OF FAR 43.103(b).
E. IMPORTANT Contractor is not is required to sign this document and return copies to the issuing office.
ORDER NO. IN ITEM 10A.
52.212-4(c), 2052.215-70 x
- 14. DESCRIPTION OF AMENDMENT/MODIFICATION (Organized by UCF section headings, including solicitation/contract subject matter where feasible.)
X 1
GSA Contract #: GS-35F-285DA The purpose of this modification is to add (1)
Service Delivery Lifecycle Management (SDLM)
Toolset support, and (2) Additional Regional and TTC Support. The PWS is clarified in the following areas: (1) Service Catalog support, and (2) Hours of Operation for Account Management.
Some language in PWS is also cleaned up that was missed during the first modification.
Additionally, regional Alternate CORs are designated in Section G. Finally, additional Continued...
16A. NAME AND TITLE OF CONTRACT NG OFFICER (Type or print) 15A. NAME AND TITLE OF SIGNER (Type or print) 15C. DATE SIGNED 16B. UNITED STATES OF AMERICA 15B. CONTRACTOR/OFFEROR 16C. DATE SIGNED (Signature of person authorized to sign)
(Signature of Contracting Officer)
JESSICA CHU STANDARD FORM 30 (REV. 11/2016)
Prescribed by GSA FAR (48 CFR) 53.243 Previous edition unusable Except as provided herein, all terms and conditions of the document referenced in Item 9 A or 10A, as heretofore changed, remains unchanged and in full force and effect.
09/21/2018
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 6 of 82 Table of Contents SECTION B:
Services and Price / Costs..................................................................................8 B.1 Brief Description of Work...................................................................................................8 B.2 Contract-Line-Items (CLINs)..............................................................................................8 B.3 Consideration and Obligation - Labor-Hour....................................................................10 B.4 Consideration and Obligation-Firm-Fixed-Price.............................................................10 SECTION C:
Statement of Work.............................................................................................11 C.1 Background......................................................................................................................11 C.2 Objective..........................................................................................................................11 C.3 Scope of Work.................................................................................................................12 C.3.1 Call Wide Responsibilities.....................................................................................13 C.3.2 End-User Management and Deployment..............................................................17 C.3.3 Help Desk Services...............................................................................................20 C.3.4 Security Compliance.............................................................................................32 C.3.5 Service Level Requirements.................................................................................42 C.3.6 Transition and Associated Management...............................................................63 C.4 Key Personnel.................................................................................................................63 C.4.1 BPA Call Project Manager or Equivalent..............................................................64 C.4.2 Transition Manager or Equivalent.........................................................................64 C.4.3 Call Center (Tier 1) Manager or Equivalent..........................................................64 C.4.4 Deskside Services (Tier 2) Manager or Equivalent...............................................64 C.4.5 Service Catalog Manager or Equivalent...............................................................64 C.5 Deliverables.....................................................................................................................64 C.5.1 Performance Standards........................................................................................66 C.6 Inspection and Acceptance of Deliverables.....................................................................66 C.7 Section 508 - Electronic and Information Technology Standards...................................68 C.8 Release and Ownership of Publications............................................................................70 SECTION D:
Packaging and Marking.....................................................................................71 D.1 Marking Deliverables.......................................................................................................71 SECTION E:
Inspection and Acceptance...............................................................................71 E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013).......................................71 E.2 INSPECTION AND ACCEPTANCE OF DELIVERABLES................................................71 SECTION F:
Deliveries or Performance.................................................................................72 F.1 Period of Performance (SEPT 2013)...............................................................................72 F.2 Place of Delivery Reports................................................................................................72 F.3 Place of Performance......................................................................................................72 F.4 Hours of Operation..........................................................................................................73 F.5 Federal Holidays..............................................................................................................73 SECTION G:
Contract Administration Data............................................................................74 G.1 BPA CALL CONTRACTING OFFICERS REPRESENTATIVE.......................................74 G.2 2052.215-70 Key Personnel (Jan 1993)..........................................................................75 SECTION H - Special Contract Requirements...........................................................................76 H.1 GOVERNMENT FURNISHED EQUIPMENT/PROPERTY/SOFTWARE.........................76
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 7 of 82 SECTION I: Contract Clauses..................................................................................................77 I.1 RESERVED.....................................................................................................................77 I.2 RESERVED.....................................................................................................................77 I.3 52.217-8 OPTION TO EXTEND SERVICES (NOV 1999)...............................................77 I.4 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000)...........77 I.5 52.232-19 AVAILABILITY OF FUNDS FOR THE NEXT FISCAL YEAR (APR 1984).....77 I.6 TRAVEL APPROVALS AND REIMBURSEMENT...........................................................77 I.7 OPTION FOR ACQUISITION OF EVALUATED OPTIONAL FEATURES NOT PROCURED AT TIME OF AWARD OF CONTRACT (IT REQUIREMENTS)........................78 I.8 52.252-2 Clauses Incorporated by Reference (FEB 1998)..............................................78 SECTION J:
List of Documents, Exhibits and Other Attachments.........................................79 Appendices.................................................................................................................................80 Performance Requirements Summary (PRS).........................................................................80 VIP Group Members...............................................................................................................81 Severity Levels and Priority Codes.........................................................................................81 After Hour Call Center Service Procedure..............................................................................82
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 8 of 82 SECTION B: Services and Price / Costs B.1 Brief Description of Work (a) The title of this project is: GLINDA BPA Call for End User Computing Services (b) Summary work description: The Contractor shall provide the U.S. Nuclear Regulatory Commission (NRC) with an integrated set of End-User Computer Services.
B.2 Contract-Line-Items (CLINs)
CLIN 0001: Call Wide Responsibilities: Labor-Hour (L-H) (PWS Section C.3.1)
CLIN Base Period: (Phase-In) 0001 Base Period:
0001 Option Period 1:
1001 Option Period 2:
2001 Option Period 3:
3001 Option Period 4 4001 CLIN 0002: End-User Management and Deployment: Firm-Fixed-Price (FFP) (PWS Section C.3.2)
CLIN Base Period: (Phase-In) 0002 Base Period:
0002 Option Period 1:
1002 Option Period 2:
2002 Option Period 3:
3002 Option Period 4 4002 CLIN 0003: Help Desk Services - Call Center Operations: Firm-Fixed-Price (FFP) (PWS Section C.3.3.1)
CLIN Base Period: (Phase-In) 0003 Base Period:
0003 Option Period 1:
1003 Option Period 2:
2003 Option Period 3:
3003 Option Period 4 4003 CLIN 0004: Help Desk Services - Onsite Deskside Services NRC Headquarters: Firm-Fixed-Price (FFP) (PWS Section C.3.3.2)
CLIN Base Period: (Phase-In) 0004 Base Period:
0004 Option Period 1:
1004
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 9 of 82 Option Period 2:
2004 Option Period 3:
3004 Option Period 4 4004 CLIN 0005: Help Desk Services - TTC Deskside Support Regions: Firm-Fixed-Price (FFP)
(PWS Section C.3.3.2)
CLIN Base Period: (Phase-In) 0005 Base Period:
0005 Option Period 1:
1005 Option Period 2:
2005 Option Period 3:
3005 Option Period 4 4005 CLIN 0006: Help Desk Services - Region I Deskside Support: Firm-Fixed-Price (FFP) (PWS Section C.3.3.2)
CLIN Base Period: (Phase-In) 0006 Base Period:
0006 Option Period 1:
1006 Option Period 2:
2006 Option Period 3:
3006 Option Period 4 4006 CLIN 0007: Help Desk Services - Region II Deskside Support: Firm-Fixed-Price (FFP) (PWS Section C.3.3.2)
CLIN Base Period: (Phase-In) 00076 Base Period:
00076 Option Period 1:
10076 Option Period 2:
20076 Option Period 3:
30076 Option Period 4 40076 CLIN 0008: Help Desk Services - Region III Deskside Support: Firm-Fixed-Price (FFP) (PWS Section C.3.3.2)
CLIN Base Period: (Phase-In) 00086 Base Period:
00086 Option Period 1:
10086 Option Period 2:
20086 Option Period 3:
30086 Option Period 4 40086
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 10 of 82 CLIN 0009: Help Desk Services - Region IV Deskside Support: Firm-Fixed-Price (FFP) (PWS Section C.3.3.2)
CLIN Base Period: (Phase-In) 00096 Base Period:
00096 Option Period 1:
10096 Option Period 2:
20096 Option Period 3:
30096 Option Period 4 40096 CLIN 00010: OPTIONAL Advanced Application Support: Firm-Fixed-Price (FFP) (PWS Section C.3.3.3.3)
CLIN Base Period:
0010 Option Period 1:
1010 Option Period 2:
2010 Option Period 3:
3010 Option Period 4 4010 CLIN 00011: Travel Costs (to be reimbursed in accordance with FAR 31.205-46)
CLIN Base Period:
00011 Option Period 1:
10011 Option Period 2:
20011 Option Period 3:
30011 Option Period 4 40011 CLIN 0012: Additional Regional and TTC Support-Region I: Labor Hour (LH) (PWS Section C.3.3.2.5.1)
CLIN Base Period:
0012 Option Period 1:
1012 Option Period 2:
2012 Option Period 3:
3012 Option Period 4 4012 CLIN 0013: Additional Regional and TTC Support-Region II: Labor Hour (LH) (PWS Section C.3.3.2.5.1)
CLIN Base Period:
0013 Option Period 1:
1013 Option Period 2:
2013 Option Period 3:
3013
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 13 of 82 SECTION C: Statement of Work C.1
Background
The NRCs IT services support a nationally distributed internal user community as well as external users and the public. The NRCs headquarters, located in Rockville, Maryland, houses approximately seventy-five percent (75%) of the NRCs personnel, numbering roughly forty five hundred (4,500) staff (both Contractor and Federal employee). Additionally, the NRC has major locations (Regional Offices) in King of Prussia, Pennsylvania (Region I); Atlanta, Georgia (Region II); Lisle, Illinois (Region III); Arlington, Texas (Region IV); and a Technical Training Center (TTC) in Chattanooga, Tennessee. Regional Offices and the TTC vary in size; however on average each region supports two hundred (200) staff with TTC being smaller (currently at around 60 users). Finally, Resident Inspectors and other personnel are located in approximately sixty (60) offices throughout the United States with an average staffing at each office of four (4) personnel.
The NRC currently procures the services within the scope of this BPA Call through NTT DATA Services Federal Government, Inc., under a single award indefinite-delivery, indefinite-quantity (IDIQ) contract (NRC-33-11-325), the NRCs Information Technology Infrastructure and Support Services (ITISS) contract. The ITISS contract will expire no later than April 30, 2017.
Additionally, the NRC is undergoing incremental changes to better align its broader activities and investments with evolving industry requirements. Currently the NRC is conducting an internal assessment of all NRC-wide capabilities and services under an initiative called Project Aim. This initiative is evaluating NRCs programs with the goal of realigning the NRCs cost model and the necessity, quality, timeliness and delivery standardization of NRCs services.
The BPA Call and the successful contractor shall help re-shape and re-balance the in-scope services within the context of the NRCs broader goals.
The NRC is also in the process of planning for and addressing a range of additional requirements and mandates, which will impact and shape the services provided under this BPA Call. The 2010 Federal Data Center Consolidation Initiative (FDCCI), Cloud-First mandate, Green IT, and other requirements have resulted in a number of initiatives including ongoing data center consolidation, cloud migration planning, and ongoing planning and implementation of a more Agile-oriented DevOps system delivery model.
Additional background and current state information are provided in Section C.3 within each required service area.
C.2 Objective The contractor shall provide the NRC with a broad range of Information Technology (IT) services using a common IT Infrastructure Library (ITIL)-based delivery framework and approach.1 The contractor shall be responsible for providing an integrated set of end-user computing services described further below.
During the life of this BPA call, the contractor shall transition the existing ITISS contractor support activities, identify immediate opportunities to improve the efficiency and effectiveness of the activities, and support incremental transformation of the services, resources, and processes over time as an embedded function of its ongoing activities.
1 More information about ITIL can be found here: https://www.axelos.com/best-practice-solutions/itil/what-is-itil
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 14 of 82 C.3 Scope of Work The scope of work in this BPA Call involves providing and assisting with some of the most highly visible services that OCIO provides to the NRC. Through this BPA Call, the Contractor shall provide support in the following topic areas:
Call Wide Responsibilities
End-User Management and Deployment
Help Desk Services For all services within the scope of this PWS, the NRC envisions:
1.
An initial transition in a manner that minimizes delivery disruption 2.
During transition, immediate and straightforward opportunities to improve efficiency or enhance the delivery model will be evaluated and, if approved, immediately implemented 3.
Incremental transformation of the existing services and resource approach to more efficient and/or effective approaches 4.
Collaborative Integration - All GLINDA BPA contractors shall collaborate as needed to increase their services value to NRC 5.
Regional support includes both the regional main offices and their associated remote offices.
The following information provides additional insight into the system lead/administration associated with major systems that may need to be interacted with during the period of performance. As described in this PWS or by BPA Call COR direction, Operating Level Agreements (OLA) regarding the system interactions may be created and/or revised by NRC during the period of performance. In collaboration with the BPA Call COR, the Contractor shall provide input, which may include recommended oral and/or written content, to the aforementioned OLA and MOU activities for OLA and MOUs that involve the topics within this PWS (ex. OLAs and MOUs for Call Center Operations, Deskside Support OLAs and MOUs, etc.). Additional, more detailed interaction information will be clarified in the BPA Call postaward timeframe. Also, NRC reserves the right to add and/or remove the technologies that it elects to utilize during the period of performance.
Automated Call Distribution (ACD) System (Cisco Unified Communications Manager):
End-User Computing
Information Technology Service Management (ITSM) System (including Change and Configuration Management) / Remedy v8.0 & Kinetic: End-User Computing
IT Asset Management System (Remedy): End-User Computing
Systems Management Software (System Center and Configuration Manager - SCCM):
GLINDA SNCC Area
Virtual Private Network (VPN): GLINDA SNCC Area
SharePoint (currently used by End-User Computing for document repository purposes only): The SharePoint service will be maintained via separate to be determined GLINDA call order. End-User Computing SharePoint Site specific actions (adding documents, folders, creating and/or revising individual pages, managing specific SharePoint site permissions) are End-User Computing.
Additional requirements related to each topic area is provided in the sub-sections below.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 15 of 82 C.3.1 Call Wide Responsibilities C.3.1.1 Service and Resource Planning The Contractor shall:
Provide access to a broad set of integrated end-to-end technical planning and service capabilities delivered via consistent, predictable, and industry-leading practices
Work with the ITISS contractor in accordance with FAR clause 52.237-3 in their contract to transition activities within the scope of this BPA call with minimal operational disruption
Upgrade and incrementally transform the agencys IT operational environment to leverage current and emerging solutions, services, and delivery approaches
Continuously and proactively identify and implement opportunities for the agency to operate its IT operations more efficiently (e.g. reduction of duplication, standardization, increased resource utilization, cost avoidance, etc.)
Gain real-time visibility into operational delivery and its associated performance The Contractor shall establish the in-scope operational services as close to a utility model as appropriate. Specific objectives related to each topic area are provided in their respective sections within this PWS.
C.3.1.2 Delivery Management As a core component of its delivery under this BPA call the Contractor shall define, implement, and use a single, integrated delivery management approach that provides the mechanisms necessary for successful service delivery. The Contractor shall:
Define and implement an over-arching service strategy consistent with ITIL Version 2011 practices and integrated into the NRCs own IT Service Management framework under development. The Contractor should assume that they will begin providing End-User Computing services prior to the completion of the IT Service Management Framework. Even when the framework is completed, the framework is likely to be a "living" framework and will undergo continual improvement throughout the Period of Performance based on current NRC operating conditions.
Maintain an over-arching, service level-driven performance monitoring and management approach that enables tracking of resource times and efforts at the request level
Comply with the NRCs current and evolving change control processes and related governance/board functions
Provide automated mechanisms to authorized NRC personnel for ongoing activity and status reporting
Validate and update current system, configuration, and asset data
Collaborate with the Service Delivery Integration Team to successfully address requirements listed in this PWS. The Service Delivery Integration Team exists to ensure that all GLINDA vendors are a unified in delivering OCIO services to NRC. The Service Delivery Integration Team will include a contractor that is conflicted out of participating in the GLINDA BPA. That vendor will participate and contribute to Daily Operational Calls with the BPA Call COR and their designees.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 16 of 82 C.3.1.3 Project Management Throughout the BPA Calls Period of Performance, for reasons known (which are described in each support area of this PWS) and currently unknown (ex. Introduction of new / upgraded End-User technologies resulting from unforeseen new OMB mandates, unforeseen new regulations, adapting to a rapidly changed nuclear power industry environment, and/or Contractor recommendations, etc.), the Contractor shall have Project Managers capable of beginning and completing the implementation of minor and major technical and/or operational changes. The aforementioned technical and/or operational changes shall be completed according to BPA Call COR approved schedule, quality standards, requirements, and budget.
In addition, the Contractor shall:
Develop plans consistent with industry standard accepted project and change management practices (e.g. PMIs PMBOK) addressing the ten (10) PM areas of knowledge unless stated otherwise
Ensure coordination with related functions and stakeholders across the project lifecycle
Use the NRCs Project Repository and Reporting tool, Project Management Methodology 2.0 (PMM2) to store project related information C.3.1.3.1 Financial Management and Related Reporting The Contractor shall provide ongoing visibility into the historical, current, and forecasted budget and execution status across all areas of the task. The Contractor shall:
Maintain detailed cost tracking associated with specific service types, dimensions, and codes as provided by the NRC
Provide detailed monthly financial data in summarized and raw structured (e.g. CSV) formats as defined and approved by the BPA Call COR C.3.1.4 Product Management When reviewing the Product Management requirements in the subsections below, NRC notes that its IT Asset Management Program policies and processes are currently in the process of being revised.
C.3.1.4.1 Hardware Inventory Management In the process of properly executing the requirements set forth in this BPA Call, the Contractor shall handle a large quantity of IT equipment. As a result, the Contractor shall track assets and related configuration information for the specific assets that they are in the process of interacting with using the NRCs integrated asset management platform and processes (which is currently Remedy). NRC will have a storage space at NRC Headquarters that the Contractor will have access to. NRC will maintain ownership, management, and oversight of hardware maintenance agreements. However, NRC anticipates allowing the Contractor a reasonable level of access to the maintenance agreements so that the Contractor can perform the work described in this PWS. The Contractor shall, for the specific assets that they are in the process of interacting with:
Maintain asset tracking processes for the capture and/or update of asset related data
Capture hardware, software, configuration, and other asset data in the agency-designated repository
Accurately maintain IT assets to include but not limited to systems, software, and hardware throughout the NRC (e.g. headquarters, regional offices, etc.)
Conduct periodic scheduled audits of select asset data for accuracy/currency C.3.1.4.2 Software Distribution Management The Contractor shall handle and distribute large quantities of Government Furnished software
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 17 of 82 licenses throughout NRC. Thus, the Contractor shall distribute software licenses in accordance with the NRCs software license management policies and related platforms. Specifically, the Contractor shall:
Ensure software licenses are only distributed once proper approval is received
Collaborate with the Service Delivery Integration Team regarding license transfer, removal, and/or re-installation
Collaborate with the Service Delivery Integration Team to help identify licenses on machines prior to the machine being re-imaged and/or formatted, so that the Service Delivery Integration Team can ensure the license, and/or any installed license tracking software, is properly preserved for future NRC use
Retrieve software licenses from IT assets that NRC identifies as no longer needing the software C.3.1.4.3 Image Management In addition to managing the software licenses and their distribution, the Contractor shall manage the PC image library that NRC uses. The Contractor shall create and maintain through the Governments Change Control processes a Government approved base image (also commonly referred to as a master or gold image) that will, by default, be used on computers throughout the entire NRC. In addition, if asked by the BPA Call COR to do so, the Contractor shall maintain a separate Government approved base image that is compatible with Apple desktops and/or laptops (currently there is roughly over a dozen Apple desktops / laptops in the NRC). For NRC offices that have a unique portfolio of software and/or needs, once receiving authorization from the BPA Call COR to do so, the Contractor shall establish and maintain a Government approved, office-specific image that shall be applied to computers being utilized by the NRC office in question. Usage of office-specific images is a generally new approach for the NRC.
Regardless of the images target audience, the Contractor shall ensure that all software (including security updates) comply with applicable NRC security and testing policies to ensure that the software in question does not conflict with other software used by the agency. (Note:
The GLINDA SNCC BPA Call contractor will be required to maintain the Release and Deployment lab that will be used to test images. The Release and Deployment Lab, currently known as the Enterprise Test and Deployment Environment (EDTE) is currently available and maintained by the incumbent. EDTE is expected to operate at existing service levels during SNCC's award and transition, and should be available to use by the Contractor.) The Contractor shall perform the testing, which encompasses desktops, laptops, other end-user IT components, as well as additional hardware and/or software components (within reason) that impact the standard image. Unless otherwise specified by the BPA Call COR, NRC will provide software licenses used to support the images. In addition to NRC security and testing policies, NRC requires that other federal policies such as but not limited to FISMA, FDCCI, NIST publications, and DISA Security Technical Implementation Guides need to be complied with in order to complete the requirements in this area successfully. Furthermore, the Contractor shall, with written approval from the BPA Call COR, utilize next generation antivirus and malware protection software into the image. Finally, the Contractor shall ensure that the images remain compatible with cloud service offerings (ex. Office 365, etc.) that NRC utilizes. NRC anticipates that throughout the Period of Performance, the NRC will increase its utilization of cloud offerings. - Security Requirements provides further insight and specificity into NRC security policies that the Contractor shall comply with while delivering all work under this BPA Call.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 18 of 82 C.3.1.5 End User Service Transitions and Notable Changes Support In addition to the Contractors initial transition in and its concluding transition out of providing services via this BPA Call, the Contractor shall support (up to and including actual performance of) notable end user service changes and transitions. A tangible example of this service could be, but is not limited to, helping the NRC transition an end user service from NRC data centers to the cloud. In such a situation, the Contractor shall, through the BPA Call COR, work with other NRC stakeholders to ensure successful completion of this task. Furthermore, the Contractor shall proactively ensure that the processes, policies, and procedures it establishes to collaborate with NRC are revised to reflect the notable change and/or transition.
While the end user service transitions and notable changes described within are still undergoing NRCs IT planning and governance processes, the demand for collaboration in this area is high enough to where the Contractor shall provide a Transition Manager as a Key Position. The requirements of the Transition Manager Key Position are described further within this PWS.
C.3.1.6 Help Desk Service Catalog Administration In addition to the IT service management system, NRC considers the NRC Service Catalog to be critical to successfully operating the types of IT services that are available to users and ensuring such services are readily accessible in a standardized manner. While the NRC Service Catalogs scope covers all of OCIOs services, for this call the Contractor shall, in collaboration with the BPA Call COR and their designees, ensure that help desk services are accurately reflected in the NRC Service Catalog and kept updated in the system, which uses a combination of Drupal and Kinetic technologies (which NRC reserves the right to change during the Period of Performance). by working with the appropriate service owners.
In managing the Help Desk Service Catalog, the Contractor shall work with other NRC IT service providers and the service integrator to deliver the Service Catalog service. NRC will provide the Contractor with a set of Help Desk process flows and a Development environment when the Contractor transitions into performing the work in this PWS. NRC notes that process flows are established for all of the current Help Desk services in the Service Catalog. Also, NRC notes that all of the Help Desk services are accounted for in the current Help Desk Service Catalog. In addition, the NRC Service Catalog currently resides outside of the ITSM.
The Contractor shall ensure that process flows for each Help Desk service is established, maintained, and kept updated. The Contractor shall ensure that process flows can be successfully utilized by non-technical users with only basic computer knowledge. When creating process flows, the Contractor shall also create form pages or other ways to provide input, if appropriate for the specific process in question, that allows the user to successfully input needed information in order to answer the incident or service request. When creating form pages or other ways to provide input, the Contractor shall factor in basic design elements to ensure the form / input is designed in a way that facilitates usage by non-technical users with only basic computer knowledge. Unless otherwise specified by the BPA Call COR, for incident and service request tickets the Contractor shall ensure that optional input fields are used when possible so that the user can move forward in the process even if they only have limited information. In addition, the Contractor shall comply with applicable NRC change and configuration management policies before making Help Desk Service Catalog changes publically available to end-users.
The Contractor shall manage the Helpdesk Service Catalog and ensure it runs successfully and consistently throughout the period of performance. The Contractor shall enhance, manage and
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 19 of 82 operate the Service Catalog considering ease of use and functionality. Over the period of performance of the BPA Call, the BPA Call COR will provide the Contractor in writing requests for additional and/or more detailed requirements and updates to NRCs Help Desk Service Catalog. The Contractor shall ensure that all requested requirements/updates are completed within the timeframe established by the BPA Call COR.
C.3.1.6.1.1 Service Delivery Lifecycle Management (SDLM) Toolset Support The Contractor shall provide services to manage the day-to-day operational maintenance and administration of the Nuclear Regulatory Commissions (NRC) Service Delivery Lifecycle Management (SDLM) toolset (which is currently Remedy, but could be replaced by a different toolset in the future) Production, Test, and Development environments to include the database configuration and any services, tasks, or activities directly related to the SDLM toolset. This does not include SDLM design and design validation activities (evaluating configuration changes in pre-production to resolve production design issues, reviewing new versions of the SDLM tools, etc.), infrastructure (installing or configuring routers and switches, building Virtual Machines (VMs), changing firewall rules, etc.), or server related support activities (adding memory or storage, adjustments/fine-tuning to the database platforms, backups/restores, etc.) - those are designated as outside of the scope of the GLINDA EUC BPA Call.
The GLINDA EUC in scope items include:
Provide administration services, to include but not limited to:
o Data Architecture documentation, including integrations and customizations, o
User maintenance to include adding and removing user licenses, o
Periodically evaluate licensing to insure the proper mix of floating and fixed licenses are maintained, o
Maintain all internal end user support workflow data, to include but not limited to:
email templates,
escalations,
reporting services,
operations ranking (server group), and
Flashboards or dashboards (graphical representations of data) (if used).
o Establish archiving requirements that align with NRC requirements, and o
Ensure internal engines are functional, to include but not limited to:
Approval engine,
Assignment engine,
Escalation engine,
Normalization,
Reconciliation,
Service Failover (after upgrade to 9.x), and
SLM collector.
Perform application administration duties, to include but not limited to:
o Maintain Foundational Data (Organizations, Locations, Support Groups, People, Product and Operational Categories, Assignments), and o
Maintain application specific functions, to include but not limited to:
Incident Management (Decision trees, templates),
Change Management (Approval mappings, templates),
Service Level Management (Business times, goal types, service targets),
Task Management (Templates, Assignments), and
Any new application level administration added to the 9.x product not currently in 8.x.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 20 of 82
Establish a cooperative, consulting relationship with the other layers in the NRC operating model (see Figure 1 - page 5) o Make recommendations for Remedy upgrades based on BMC Remedy updates and information, and o
Maintain contact with BMC and provide, as appropriate, vendor demos.
Ensure the Remedy SQL Server database is operational and performing optimally - employ standard DBA maintenance practices, to include but not limited to:
o Re-indexing, o
Properly sizing the databases, o
Properly locating the databases and indexes, o
Periodically checking the DB integrity, o
Validating backups (testing the ability to restore from backups),
o Testing failover, o
Setting backup retention policy, and o
Establishing, maintaining, updating, and testing an approved disaster recovery plan.
Quickly fix any operational issues - following NRC policies and procedures for service level management and change management.
C.3.2 End-User Management and Deployment Throughout a users tenure with NRC, they will have an ever-changing access needs to NRC IT resources. In order to keep up with this shifting need for resources, NRC will have to provision and de-provision various aspects of its IT portfolio to ensure the user has what they need when they need it, without over-allocating resources in an inefficient manner. The Contractor shall provide services to NRC that answer its end-user management and deployment needs in the following areas:
Account Management
Service and Network Management and Deployment
Hardware and Software Management and Deployment Requirements for each of these topics are described below in greater detail.
C.3.2.1 Account Management The Contractor shall create, configure, modify, manage and/or delete an estimated 5,500 user accounts. Specifically, the Contractor shall:
Validate user authorization for the account, account creation, as well as recovery and revocation, and reporting and auditing.
Use the IT service management application to document requests for account creation, deletion, deactivation, and other general account management issues.
Develop, and, with the BPA Call CORs approval, implement, a single process for administering electronic access accounts.
Collect account information from sources such as application accounts and pass that information through the IT service management tickets for action by the appropriate OCIO designated administrator.
Establish and maintain Government approved processes to ensure that new accounts have proper privileges established with cloud service offerings, such as but not limited to Office 365, which NRC utilizes upon initial creation. NRC is operating some services in a hybrid cloud environment, meaning that some users will be accessing a program through a cloud service offering, whereas other users may be accessing the same program through a NRC data center based configuration. As a result, the Contractor shall factor this hybrid cloud environment into their account access processes.
Reset token password and Personal Identification Numbers (PIN) as
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 21 of 82 requested/required.
Respond to audits and data calls that may ask for account information (such as, but not limited to, age of accounts, granted access privileges, revoked access privileges)
Perform all of the aforementioned activities in a way to where the activities can be audited in a reasonably straightforward manner.
Hours of operation: 7:00 a.m. - 6:00 p.m. ET, Monday through Friday C.3.2.2 Service and Network Management and Deployment The Contractor shall establish a process that allows network and cloud services resources to be provisioned to the user. The Contractor shall ensure this process is compatible with existing NRC network and cloud/data center policies, processes, and systems. Likewise, for those who no longer have a need, network and cloud services resources need to be de-provisioned as well to ensure efficient usage of limited resources and strong network security. As a result, the Contractor shall also establish a process to de-provision network and cloud services resources from a user. The Contractor shall ensure this process is also compatible with NRC network and cloud/data center policies, processes, and systems. Once the Contractor has developed network and cloud services management and deployment processes and has received written approval from the BPA Call COR, the Contractor shall execute those processes in a manner that is consistent and encourages positive feedback from stakeholders if NRC elects to request such feedback.
Besides network and cloud services resources, a NRC user may have a need to have a diverse portfolio of agency IT services provisioned to them. The Contractor shall establish a process, or processes as appropriate, to ensure that IT services can be provisioned, or de-provisioned, to users with a need in a prompt manner. When establishing the process or processes, the Contractor shall ensure they are aligned with existing OCIO operational policies, processes, and systems. Once the service management and deployment processes are established to the BPA Call CORs approval, the Contractor shall execute those processes in a manner that is consistent with the Service Level Agreements in this BPA Call and emphasizes customer service.
C.3.2.3 Hardware and Software Management and Deployment NRC is currently planning to implement a revised approach to how it provisions hardware and software throughout the agency. This approach currently consists of providing a base level of hardware and software to all of its users. Then, it would collaborate with offices to provide office-specific hardware and software configurations (ex. Specific office-wide program installations, specific computer models for an office, etc.).
The Contractor shall establish hardware and software management and deployment processes that are aligned with the above plan. In addition, the Contractor shall ensure that the hardware and software management and deployment processes are aligned with NRC IT asset management, configuration management, and software license management policies, processes, and systems. Furthermore, such processes shall integrate fully with other Help Desk Service efforts.
C.3.2.3.1 Additional Hardware and Software Management and Deployment Requirements In addition to the above requirements, when it comes to hardware and software management and deployment, as well as hardware and software de-installation, the Contractor shall, in accordance with the SLRs defined in Section C.3.5:
Provision a diverse portfolio of Government Furnished end-user computing devices. The diverse portfolio includes desktops, laptops, thin clients, as well as other devices, including those not available at the time of publication. In limited circumstances, upon written
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 22 of 82 approval from the BPA Call COR, this may involve going to resident inspector offices.
Provide a solution for recovery of lost or stolen hardware (examples include, but are not limited, to Computrace or LoJack) to recover equipment that is missing from inventory. The Contractor shall immediately notify NRC Division of Facilities and Security and the BPA Call COR through the phone number provided upon award (subject to change during the BPA Call Term) and e-mail when it is notified that hardware is lost / stolen. In addition, through close collaboration with the BPA Call COR and NRC Security (both Division of Facilities and Security, as well as Information Security Personnel), the Contractor shall use the aforementioned remote locator / wipe technologies to locate and/or remotely wipe the machine.
With written approval from the BPA Call COR, prepare and install new office IT equipment.
Comply with written requests from the BPA Call COR regarding relocating sites and/or individual users.
Arrange or conduct site surveys relating to the move of either a single person or multiple people from one NRC location to another NRC location, which may be an office or cubicle.
Arrange or conduct site preparation. The most common scenario would be moving either a single person or multiple people from one NRC location to another location, which may be an office or cubicle.
Execute equipment / software installation in accordance with NRC policies, processes, and procedures.
Execute equipment / software de-installation, including hard drive wiping, in accordance with NRC policies, processes, and procedures
Perform integration services as it pertains to end-user management and deployment
Update IT asset inventory information for the specific assets they are in the process of interacting with
Execute setup, software installation, and testing of new computers prior to delivery to users.
Install the appropriate NRC approved image on all new computers that are received at the NRC.
Notify the BPA Call COR regarding inoperable computers and follow a consistent process to ensure the inoperable computer is replaced.
Ensure unassigned computers and software licenses, due to personnel departing or an extended leave of absence, are removed from the installation location and placed into the NRCs inventory.
Maintain and facilitate the usage of a portfolio of temporary loaner devices (laptops, lightweight laptops, tablets, internet access, etc.) for mobile domestic and international travel and/or for temporary usage while primary hardware device is being repaired.
o Important Note: The Contractor shall maintain a separate portfolio of loaner devices (to be provided by the NRC to the Contractor as designated for official travel to high risk locations for travel by NRC employees). These devices must never be connected to the NRC Network. As a result, the Contractor shall maintain this portfolio in a way that minimizes the possibility of these high risk devices accidentally being provided to someone for usage on the NRC network.
C.3.2.3.2 Computer and Hardware Refresh Information In addition to managing and deploying NRC-owned computers to new users, the Contractor shall also provision refreshed computers provided by NRC to existing NRC users. The Contractor shall provision refreshed computers by executing a BPA Call COR-approved approach that minimizes operational disruption. Currently, NRC currently uses a combination of Windows Easy Transfer combined with the Contractor manually searching for user files and Outlook Archive Files (NRC reserves the right to change the technologies associated with this action during the term of the BPA Call). The Contractor shall ensure that the refreshed
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 23 of 82 computer has been properly imaged and is ready for immediate use once it is in the possession of the NRC user. The Contractor shall use existing NRC configuration and asset management systems to ensure that user machines are refreshed in accordance to when the computers warranty expires.
To better prepare the Contractor for satisfying the computer refresh requirements, out of roughly 5,500 users, it is currently expected that approximately 74% of those end-user computers may require refresh within first two years of this BPA Call. After this initial refresh, the hardware refresh rate for laptops and desktops is currently expected to be every four years.
Currently, when it comes to end-user machines, NRC operates in a majority desktop environment, but plans on transitioning to a majority laptop environment moving forward. In addition, with the exception of less than 10 users (mostly VIP), NRC users do NOT have both a desktop and laptop. The image below describes when and how many currently deployed devices were put into service:
Personal printers will not be refreshed once they have reached end of life, unless they are for reasonable accommodation.
C.3.2.3.3 Data Storage Device Sanitation Services The Contractor shall perform data storage device sanitation services on the IT components that it disposes of for the NRC. The Contractor must provide a certification of sanitization to the BPA Call COR. The Contractor shall provide certification for each item that is degaussed and the certification must be current. Techniques used to sanitize media must be appropriate to the media type and must be in accordance with NRC security policies, processes, and procedures.
Other guidance / reference resources include the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53; NIST SP 800-88; National Security Agency (NSA) Central Security Service (CSS) Policy Manual 9-12; International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27002, Information technology - Security techniques - Code of practice for information security management; and Committee on National Security Systems Policy (CNSSP) No. 26, National Policy on Reducing the Risk of Removable Media.
C.3.3 Help Desk Services Like other Government agencies and organizations, NRC utilizes Help Desk Services in order to assist users with answering questions and resolving incidents associated with the IT equipment that they use. NRC has a continued need for Help Desk Services. To give an idea of overall demand for these services, the three graphs below and on the following pages provide further insight into the number of Incident and Service Request tickets the Help Desk received throughout the past three years. An incident ticket typically involves a break/fix situation that needs to be resolved. A service request typically involves providing new functionality to the user (ex. new account request, new distribution list request, loaner equipment request, new software, etc.). NRC notes that the summer increase in tickets may possibly be from the increased personnel move requests, which are usually scheduled for the summer timeframe. Also, NRC notes that VIP tickets generally have the same trends as non-VIP tickets.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 27 of 82 C.3.3.1.1 Onsite Service Operations The Contractor shall provide Onsite Call Center Services at NRC Headquarters. The Contractor shall serve users of NRC IT equipment only. The Contractor shall follow the NRCs multi-tiered technical support system as described below:
Tier 1: Call tickets submitted by phone, email, or online through the NRC Service Catalog. The Contractor shall treat requests received through the NRC Service Catalog as higher priority than requests received through e-mail. The SLRs in Section C.3.5 describe NRCs expectations in greater detail. NRC notes that the Contractor shall perform Tier 1 Mobility Support services. However, after initially opening the support ticket, the Contractor shall transfer Tier 2 and higher Mobility Support tickets to Mobility personnel for resolution. In addition, NRC notes that there is NOT currently an automated linkage between the ITSM and NRCs e-mail system. NRC also notes that there is not an automated linkage between the ITSM and ACD. Currently, there is no backup in place for the ACD.
Tier 2: The Contractor shall escalate any Tier 1 tickets that cannot be resolved to Tier 2.
The SLRs in Section C.3.5 describe NRC expectations in detail.
Tier 3: The Contractor shall escalate any Tier 2 tickets that cannot be resolved to Tier 3.
Tier 3 Support may involve, at the BPA Call CORs direction, coordinating with other NRC contractors if the issue is in their subject area (ex. network vendor for network incidents, desktop vendor for hardware warranty issues, etc.). From an end-user computing perspective, the Contractor shall provide Tier 3 support regarding the images it creates. The Contractor shall provide Tier 3 support in a way that fully utilizes existing resources in an efficient and effective manner.
From a functional support perspective, the Contractor shall provide the following help desk services using the NRCs enterprise IT service management system. The Government reserves the right to change the service management system as necessary to meet NRCs mission.
The Contractor shall log each request into a central repository for the purpose of tracking status, trending, auditing, and reporting. The Contractor shall log the request in such a way that will allow the user the review the status of their request on demand from a NRC Network webpage. As of November 2017, the capability only partially exists because both Kinetic and Remedy are used, with Kinetic being the one users can see. The Contractor shall, via the BPA Call COR, collaborate with the Service Delivery Integration Team regarding the requirements associated with this capability. NRC will provide the infrastructure to enable the capabilitys usage.
The Contractor shall respond to requests for technical assistance via phone or electronically, diagnose and resolve routine hardware and software issues, and research questions using available information resources.
The Contractor shall provide incident and problem management for all issues reported to the help desk by creating, updating, and managing requests, in addition to identifying and escalating issues as appropriate.
The Contractor shall document resolutions in accordance with applicable NRC Standard Operating Procedures (SOPs,) and manage first call resolutions within the specified SLAs described in Section C.3.5.
The Contractor shall ensure proper closeout of tickets once resolution has been confirmed in accordance with applicable NRC SOPs.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 28 of 82 The Contractor shall use remote assistance (the current software tool is BOMGAR) to provide assistance to end users if the end users desktop is connected to the NRC network. The Contractor shall establish a process to identify the remote assistance access need and obtaining approval for that need. The Contractor shall assign severity levels to the service request based on the urgency of the request as it relates to business impact. The severity level determines how quickly the help desk will respond to the end user if the request is not resolved on the first call. The severity levels, priorities, and their impacts are defined in the Severity Levels and Priority Codes Appendix.
The Contractor shall provide on call after hours call center services outside of NRC business hours. The on call service shall collect the information identified in the After Hour Call Center Service Procedure Appendix (located at the very end of this document).
Regarding account administration, the Contractor shall create, configure, modify, manage and/or delete roughly 5,500 user accounts. Contractor duties shall include:
The Contractor shall validate user authorization for the account, account creation, as well as recovery and revocation, and reporting and auditing.
The Contractor shall use the IT service management application to document requests for account creation, deletion, deactivation, and other general account management issues.
The Contractor shall develop, and with written BPA Call COR approval, implement a process for administering electronic access accounts.
The Contractor shall collect account information from sources such as application accounts and shall pass that information through the IT service management tickets for action by the appropriate party(ies).
The Contractor shall reset token password and Personal Identification Numbers (PIN) as requested/required.
The Contractor shall perform the above account administration activities for the following systems (NOTE: The NRC may expand and/or update the list over the life of the BPA Call to accommodate new systems or system upgrades.):
NRC Network - Active Directory and Email
Secure Remote Access
Hard Disk Encryption (accounts and passwords)
Digital Credentials The Contractor shall manage end user usernames and passwords for all systems under the Contractors control using NRC provided tools (i.e. Avatier) for both on-site and off-site users.
The Contractor shall comply with all NRC policies and follow all NRC procedures regarding user naming convention, password creation, resets and maintenance.
Regarding remote access support, the Contractor shall research, test and coordinate resolutions for secure remote access issues within the NRC. The Contractor, as requested in writing by the BPA Call COR, shall document and/or update the Secure Remote Access Service (SRAS) procedures, policies and Frequently Asked Questions (FAQs) for NRC users.
Regarding outage support, the Contractor shall provide the following reporting services for any Severity 1 (see the Severity Levels and Priority Codes Appendix for definition) outage.
Reporting services are required 24x7.
Update the Call Center Status Line
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 29 of 82
Alert the BPA Call COR and others that they may designate
Prepare and send out NRC-wide alert messages using NRC-approved alert message templates
Send out periodic alert updates throughout the outage period. Frequency of updates will be pre-determined by the NRC
Send out resolved message when the service is restored When performing Call Center Services, the Contractor shall use the NRC Automated Call Distribution (ACD) system when operating the Computer and Telephone services of the help desk in support of the total call volume. The Contractor is not expected to maintain the ACD system or fix it when it down. The Contractor is responsible for the following ACD related services:
Telephony account management
Maintain workgroups and workgroup members by adding, modifying, and deleting profiles
Maintain detailed ACD call-flow (example: Visio) diagrams including workgroups, phone numbers, names, voice recordings and call flow paths
Create and maintain professional quality voice recording of Interactive Voice Response as a supplement to the CSCs pre-recorded voice recording As noted above in a few different places, NRC may change various systems (adding systems, retiring systems, replacing systems, etc.). As these changes are made, it is expected that the Contractor shall be able to work with NRC to accommodate and facilitate such changes. Such facilitation may include (but is not limited to) staying current on the system changes, creating new SOPs, and revising existing SOPs to ensure that quality customer support is provided at desired NRC service levels.
C.3.3.1.1.1 Offsite Computer Services Regarding offsite computers (offsite meaning outside of NRC Headquarters and Regional Offices), the Contractor shall provide incident resolution and troubleshooting assistance for NRC-owned off-site computers. These services shall be provided through remote access, or when the end user transports the equipment to the Contractor located at a government facility (i.e., Depot Service). The end user will be responsible for transporting the systems and devices to the NRC location. The NRC will pay for all shipping and receiving charges (if any) associated with the users shipping their remotely located systems and devices to and from the Contractor, with prior written approval from the BPA Call COR (who may need to obtain other approvals as necessary). In a limited set of circumstances, NRC may require in-person assistance for computers located offsite. Once approval is provided by the BPA Call COR, the Contractor shall deploy personnel from the closest NRC Regional Office (or HQ) to provide in-person assistance to computers located offsite.
The Contractor shall track and complete all repairs or replacements in the same manner as used for on-site (on-site meaning NRC Headquarters and Regional Offices). As background to the number of offsite computers being supported, Resident Inspectors and other personnel are located in offices throughout the United States and the average staffing at each office is 2-4 personnel. Section F.3 contains additional information regarding these office locations.
C.3.3.2 Onsite Deskside Services In addition to Call Center Services, the Contractor shall provide onsite Deskside Services to users who require it. The Contractor shall provide onsite Deskside Services to the NRC
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 30 of 82 Headquarters as well as all of the NRC Regional Offices described in the Place of Performance section. For the Regional Offices (which have an average of 300 staff each), a minimum of two Help Desk Services Personnel are needed at each location. The Contractor is welcome to propose more than two people if it believes such staffing levels is appropriate to meet each offices services demand. Additional requirements for this service offering are described further below.
C.3.3.2.1 Hours of Operations The Contractor shall provide Onsite Deskside Services during the following standard operating hours:
6:00 a.m. - 6:00 p.m. local time Monday through Friday, plus on call during the weekends In addition to the above mentioned time, in the past NRC has asked the Help Desk Contractor to augment its hours in a temporary surge capacity to provide advisory and technical expertise to NRC staff responding to events with highly unpredictable timing and demand efforts (ex. the 2011 Fukushima, Japan Nuclear Power Plant Incident caused by a severe earthquake). In such situations, the Contractor shall work with the BPA Call COR to execute an approach that answers the urgent need for surge capacity. The Contractor shall not implement any approach to answer the need for surge capacity until authorization is received in writing from the BPA Call Contracting Officer (CO)
The Contractor shall provide On-call services outside of standard operating hours, which includes, but is not limited to, weekends, Federal Holidays, as well as during times when the Governments local status is indicated as Closed by the Office of Personnel Management or the Federal Government body that makes such decisions in the location that the Regional Office is in. Generally, on-call services shall be limited to incidents categorized as Severity 1 incidents. If the incident cannot be categorized as Severity 1, then it can wait until regular service hours.
C.3.3.2.2 Deskside Services The Contractor shall install, connect, configure, upgrade, troubleshoot, diagnose, repair, and replace endpoint computing hardware and software. The NRC will provide all replacement parts and units. Endpoint hardware includes, but is not limited to, desktops, laptops, Apple desktops and laptops (roughly over a dozen), thin clients, and peripherals. Other hardware components may include memory, hard drives, removable storage media, DVD-ROMs, network interface cards, PIV readers, monitors, keyboards, docking stations, etc. (NOTE: Regarding VTC systems, End-User Computing is responsible for the desktop and/or laptop connected to the VTC, however the VTC equipment is NOT in End-User Computings scope). Endpoint software includes operating systems, application software, utility software, and NRC procured and/or developed standard system software (please see the Application Services section for more software assistance requirements). The Contractor may use remote assistance to help end users if the end users desktop is connected to the NRC network.
As directed by the BPA Call COR, the Contractor shall configure and install new computer systems to meet NRCs computer refresh requirement, to meet NRCs resource requirement, as well as when directed by the BPA Call COR. A new system for the purpose of this BPA Call is defined as a desktop/laptop/thin client system, docking station (when applicable), monitor(s), keyboard, mouse, and associated NRC approved software. Additional refresh-related equipment may include a limited number of personal printers to satisfy legally mandated reasonable accommodations.
The Contractor shall respond to and manage service tickets to troubleshoot and repair endpoint hardware and software components. This includes all activities necessary to
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 31 of 82 make the system fully operational and properly configured. Personal printer assistance is also included with deskside services but it should be noted that due to NRC policies, the number of personal printers is believed to be around 500 devices.
For NRC laptop configurations only, the Contractor shall decrypt (if needed), transfer, upgrade and/or reinstall the operating system, applications, data, settings, and any other information from the original hard drive to the new hard drive. The Contractor shall then ensure the proper operation of transferred software and encrypt the new drive in the case of hard drive upgrades, repair replacements, or reimages.
The Contractor shall ensure that files created or placed onto a machine by the user is retained on a reimaged machine, or if the machine has its hard drive replaced. The Contractor shall ensure this data retention occurs regardless of how long it has been since the user has logged into their account.
The Contractor shall install and configure NRC approved software products and upgrades. The software will be provided by the NRC. Software is defined to include all application software, utilities, device drivers, and operating systems. Approved NRC software, utilities, device drivers, and operating systems are found in NRCs Technical Reference Model (TRM). Only items listed in the TRM may be installed as proscribed in the production environment. Only items whereby proof of a valid and current license is made available can be installed.
The Contractor shall provide direct end-user assistance on the proper use and operation of desktop/laptop/thin client system hardware, mobile devices, software, peripherals, and network resources.
The Contractor shall relocate computers and peripheral equipment as required to service an end user request.
The Contractor shall develop and deliver a project plan to the BPA Call COR for their review and written indication of approval if there is a requirement for large scale relocation/movement of equipment. In Fall 2017, two floors in the Two White Flint North building at NRC Headquarters are being renovated. In addition, it is forecasted that additional renovations may take place in One White Flint North at NRC Headquarters.
During these renovations, users on these floors are moved out, and then moved back in after the renovations. NRC reserves the right to perform additional renovations both at NRC Headquarters and its other locations during the Period of Performance.
The Contractor shall ensure the end user has on demand access to the current disposition and expected turnaround time of the ticket.
The Contractor shall ensure proper closeout of tickets once resolution has been confirmed. The Contractor shall follow appropriate NRC SOPs.
C.3.3.2.3 Depot Service and Remote User Services The Contractor shall provide incident resolution, and troubleshooting assistance for Government owned, off-site computers. Generally, end-users in field offices are considered to be off-site end users. These services will normally be provided through remote access, or when the end user transports the equipment to the Contractor located at a government facility (i.e., Depot Service). The end user will be responsible for transporting the systems and devices to the NRC location. The NRC will pay for all shipping and receiving charges (if any) associated with the users shipping their remotely located systems and devices to and from the Contractor, with prior government approval.
In addition to Government owned, off-site computers, the Contractor shall provide Citrix
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 32 of 82 Remote Desktop Technical Assistance and Virtual Private Network (VPN) Technical Assistance.
In a limited set of circumstances, NRC may require in-person assistance for computers located offsite. Once approval is provided by the BPA Call COR, the Contractor shall deploy personnel from the closest NRC Regional Office (or HQ) to provide in-person assistance to computers located offsite.
C.3.3.2.4 Virus / Malware / Data Spill Response The Contractor shall simultaneously notify the BPA Call COR, the NRC Security Operations Center (SOC), and the Regional Information Systems Security Officer (ISSO) if the incident takes place outside of NRC Headquarters, in accordance with NRC Security procedures and Service Level Agreements of all virus, malware, and data spill incidents immediately upon identifying the incidents occurrence. NRC notes that antivirus and malware software solution selection are determined outside of the scope of this call order.
Under BPA Call COR direction, the Contractor shall diagnose and confirm the existence of software viruses/malware and/or data spill. The Contractor shall apply desktop troubleshooting methods to identify the incidents source of entry / cause where feasible.
Under BPA Call COR direction, the Contractor shall determine the extent of the spread of the virus and/or data spill to other systems and work with the SOC to eradicate the incident on all affected systems and removable media.
Under BPA Call COR direction, the Contractor shall restore the compromised system(s) back to the original operational state.
C.3.3.2.5 Regional Office System and Network Administration NRC administers the majority of its system and network infrastructure from NRC Headquarters.
However, there is a small percentage of server and network infrastructure that is currently in place at the Regional Offices. This small percentage is forecasted to get smaller over time as data center consolidation and increased usage of cloud computing services is implemented by NRC. Due to the shrinking infrastructure footprint at these locations, NRC envisions Regional Office Deskside Services to be a one-stop shop for IT service needs, particularly where somebody needs to be physically present to provide technical assistance to the infrastructure in question.
As a result, the Contractor shall, in coordination with the BPA Call COR and their designees provide system and network administration technical assistance to Regional Offices only. At NRC HQ, these services will be provided by separate contract(s). Upon the start of transition of the EUCS BPA Call from the ITISS contract, the Contractor shall establish communication process(es) to allow for standardized communication between EUCS personnel at the HQ and the Regional Offices. These communications should ensure consistent and quality service delivery of EUCS services.
C.3.3.2.5.1 Additional Regional and TTC Support When directed by the BPA Call COR, Lead Alternate COR, and/or Regional Alternate COR, the Contractor shall provide support in the Regional offices and TTC outside of the standard operating hours for Onsite Deskside Services. The additional support shall include, but is not limited to the following:
Power outage in the computer room.
Moving IT systems during facilities work, such as replacing carpets or painting.
System patching or application upgrades that must be done outside of standard operating hours because the systems must be shut down.
Emergency Regional site visits due to IT asset issue(s).
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 33 of 82
Planned or unplanned system outages.
Incident response which require extended hours of support.
COOP emergencies/exercises (e.g. Eagle Horizon)
C.3.3.2.6 Printer and Multi-Functional Device Services The NRC has a separate contract for printer and multi-functional copier assistance when expert technical assistance is needed (e.g., other than paper jams, cartridge replacements, etc.). The Contractor shall take calls and triage issues related to any network attached IT peripherals, e.g.
printers, scanners, etc. For all reported incidents, the Contractor shall record the incident, triage, and resolve any issues related to workstation configurations/settings. For incidents where networking issues appear to either be the source of, or contribute to, the incident in question, as with other pieces of network-connected hardware components the Contractor shall inform the BPA Call COR and collaborate with the GLINDA SNCC BPA Call Contractor to resolve the incident. For incidents related to physical printer issues, e.g. hardware failure or toner problem, the Contractor shall forward tickets to the NRCs managed print vendor and work with them as needed to resolve the incident.
C.3.3.2.7 Warranty Parts and Repairs The Contractor shall determine if the servicing equipment is under warranty by establishing and then following a NRC approved SOP. The Contractor shall coordinate all warranty parts and services under Original Equipment Manufacturer (OEM) to NRC. This performance may include coordinating with the BPA Call COR and a third party OEM approved vendor to execute the specific warranty work.
C.3.3.2.8 Non-Warranty Spare Parts and Repairs The NRC will provide an inventory of spare parts to the Contractor. While spare parts are generally not tracked in the asset management system, the BPA Call COR reserves the right to request that certain spare parts be tracked in the asset management system. The Contractor shall utilize the currently established a SOP around the management and usage of non-warranty spare parts that is approved by the BPA Call COR before being put into use. Once the SOP is put into use, the Contractor shall abide by the SOP and ensure any revisions are first approved by the BPA Call COR before operational adjustments are made.
The Contractor shall maintain the inventory list and notify the BPA Call COR when inventory needs replenishing. In addition, the Contractor shall provide parts inventory level recommendations to the BPA Call COR. However, the Contractor may NOT procure repair parts for usage under this BPA Call. NRC will provide the repair parts.
The BPA Call COR, the SDIT, their designees and the Contractor will support conducting a joint inventory as requested by the BPA Call COR.not later than 30 days after BPA Call award.
The Contractor shall provide tools and instruments necessary to maintain the systems and equipment.
The Contractor shall perform an initial triage on the non-warranty piece of hardware and identify if it will require a minor repair or major repair. If the non-warranty piece of hardware requires just a minor repair, the Contractor shall perform the repair using a best effort approach. If the hardware requires a major repair, it will most likely be replaced instead of performing the repair.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 34 of 82 The Contractor shall document in the inventory list as well as in the IT service management system if a spare part(s) is being used to resolve a specific Help Desk ticket.
The Contractor is responsible for managing the spare parts in accordance with established operating procedures. Established operating procedures includes auditing actual on-hand inventory with what is listed in the inventory list on a recurring basis to ensure there is no variance between the two pieces of data.
The Contractor shall coordinate procurement of additional non-warranty spare parts with the BPA Call COR. Since this BPA Call is a services call order, NRC will take the lead on procuring non-warranty spare parts that may be needed.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 35 of 82 C.3.3.2.9 Removal of Data from Equipment The Contractor shall remove all data from hard drives and other storage media before it is shipped to a vendor for warranty and/or other servicing purposes. The Contractor shall establish an SOP and then, once approved in writing by the BPA Call COR, consistently execute the SOP while completing this action.
C.3.3.2.10 Data Recovery The Contractor shall provide hard-drive data recovery services to NRC using an approach that is aligned with industry best practices and NRC policies, processes, and procedures.
C.3.3.3 Application Services With the exception of Section C.3.3.3.3, complying with the requirements in Section C.3.3.3 would be split between Tier 1 and Tier 2 Support (CLINs 0003 - 0009), depending on whether one or both tiers address the ticket in question. Complying with the requirements in Section C.3.3.3.3 is covered by CLIN 00010.
C.3.3.3.1 NRC Application Services Like other federal agencies, NRC has a suite of custom applications (ex. ADAMS) that are utilized by users on a daily basis. These custom applications are generally served by Operations and Maintenance (O&M) contracts and/or dedicated NRC Staff. For NRC Application Services under this BPA Call, the Contractor shall receive first contact by the end user. Once the Call Center identifies the incident or request as needing assistance from the NRC Application Services group, the Contractor shall create the ticket in the IT service management system and route it to the NRC Application POC for further action (POCs will be provided by the BPA Call COR).
Under this workflow, the Contractor will be held responsible for timely ticket creation, accurately documenting the end users inquiry in the ticket based on the end users own description of the inquiry, and accurate ticket routing in the IT service management system. The NRC Application Support group will be responsible for successfully resolving / completing the incident / service request ticket.
In the future, it is possible that for certain applications, the Call Center may be granted access to provide limited technical assistance, such as but not limited to, basic account management activities (ex. username / password resets). Such requirements would be included in this BPA Call by bilateral modification to the BPA Call and will be negotiated with the Contractor, Contracting Officer, and BPA Call COR.
C.3.3.3.2 Third Party Application Services The Contractor shall provide telephone assistance, remote assistance by connecting to users computer, personal assistance by visiting the users computer by a technician or a combination, depending on the situation for NRC-approved Commercial Off The Shelf (COTS) applications such as the following (NOTE: The NRC reserves the right to revise this list, including the expansion of it, in the future):
Microsoft Office 365 o
Word o
Excel o
PowerPoint o
OneNote o
Outlook o
Access
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 36 of 82 o
Visio o
Project
Microsoft Publisher
Microsoft InfoPath
Skype for Business
Adobe Acrobat
Internet Explorer
Google Chrome
SecureZIP Regarding the specifically above mentioned software, the Contractor shall provide technical assistance focused on installation, re-installation, uninstallation, or high level configuration (ex.
installing the ADAMS Add-On for Outlook, ensuring PDF files opened in Internet Explorer automatically open in Adobe Acrobat, etc.). For the above mentioned software, NRC owns the licenses and copies of the software. Also, as previously noted, NRC is operating some programs in a hybrid cloud environment, meaning that some users will be accessing a program through a cloud service offering, whereas other users may be accessing the same program through a NRC data center based configuration.
C.3.3.3.3 OPTIONAL TASK: Advanced COTS Application Services In addition to more standard types of application services (such as installation, removal, etc.),
the Contractor shall provide the NRC with access to an on-demand, third party service to provide detailed, advanced application assistance to users upon request through the phone, email, or a combination of both depending on the specific assistance request in question. The scope of this assistance shall initially be limited to NRC core applications listed in the prior section. In the context of this PWS, advanced application services means helping the user with utilizing detailed functionality of the application. A few examples of this detailed, advanced assistance include, but is not limited to:
Choosing and accurately implementing Excel formulas
Creating and editing an Excel PivotTable
Creating and moving messages to a Microsoft Outlook archive file
Creating, editing, and/or removing a macro in Microsoft Office
Performing Optical Character Recognition (OCR) on a PDF file with Adobe Acrobat Regarding demand for Advanced COTS Application Services, this would be a new service being provided to NRC, so demand metrics from prior years are unable to be provided in this topic area.
C.3.4 Security Compliance In the performance of its services under this BPA Call, the Contractor shall address and comply with a range of security requirements across all Service Areas. These security requirements are critical to the success of the NRC. Compliance with these requirements is expected to be achieved within the respective Task Areas that they apply to.
Additionally, to help ensure these requirements are addressed and appropriately integrated into the Task Areas of this BPA Call, the Contractor shall:
Designate a specific Task Area Lead to oversee implementation and maintenance of the security requirements identified in this section
Develop and utilize specific procedures that ensure the requirements are met when performing their services
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 37 of 82 C.3.4.1 Reserved C.3.4.2 Technical Security Compliance Requirements C.3.4.2.1 Protection Non-Public Information Contractor Agreement The Contractor shall:
1.
Ensure strict confidentiality of all Classified Information, Safeguards Information (SGI),
Sensitive Unclassified Non-Safeguards Information (SUNSI), and Controlled Unclassified Information (CUI) information/data that is provided by the Government during the performance of the BPA Call.
2.
Be responsible for coordinating with the BPA Call COR and their designees to ensure all applicable Federal privacy requirements are being met in accordance with NRC procedures.
3.
Be responsible for coordinating with the BPA Call COR and their designees to ensure applicable federal security requirements are being met in accordance with Federal and NRC policies.
C.3.4.2.2 Position Sensitivity Description The Contractor shall:
1.
Identify its personnel, subcontractors and consultants requiring NRC access approval and propose the level of Information Technology (IT) approval for each, using the NRC guidance in clause 4, SECURITY REQUIREMENTS FOR INFORMATION TECHNOLOGY LEVEL I OR LEVEL II ACCESS APPROVAL (Attachment 6) 2.
Ensure that its personnel, subcontractors and consultants who are assigned to perform the work herein for contract performance for periods of more than 30 calendar days at NRC facilities, are approved by the NRC for unescorted NRC building access using the guidance in clause 3, SECURITY REQUIREMENTS FOR BUILDING ACCESS APPROVAL (Attachment 5)
C.3.4.2.3 Information Security Awareness and Role-Based Training The Contractor shall:
1.
Ensure that its personnel, subcontractors and consultants complete NRC-provided mandatory security and privacy training prior to gaining access to NRC information systems and provide their completion certificate number to the BPA Call COR and Contractor. The training requirements are mandatory. Non-compliance may result in revocation of system access.
2.
Ensure that its personnel, subcontractors and consultants complete annual security and privacy refresher training. NRC will provide notification and instructions on completing this training.
3.
Maintain a listing by name and title of each contractor personnel, subcontractor and consultant working under this BPA Call that has completed the mandatory training. The list shall be provided to the BPA Call COR upon request.
4.
Ensure that its personnel, subcontractors and consultants complete specialized IT security training based on the role-based requirements. The Contractor is required to report training completed to ensure competencies that address this training.
5.
Ensure that training hours for its personnel, subcontractors and consultants to satisfy any training requirements are reported to the BPA Call COR in writing upon their completion of training.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 38 of 82 C.3.4.2.4 Rules of Behavior The Contractor shall ensure that:
1.
Its personnel, subcontractors and consultants comply with the NRC Rules of Behavior (RoB).
2.
All of its personnel, subcontractors and consultants, as users of NRC IT resources, read these rules and sign the accompanying acknowledgement form before accessing NRC data/information, systems and/or networks.
3.
The acknowledgement is signed annually by its personnel, subcontractors and consultants to reaffirm knowledge of, and agreement to adhere to the NRC RoB. These affirmations shall be provided to the BPA Call COR upon request.
4.
Ensure that its personnel, subcontractors and consultants with access to specific NRC systems sign additional Rules of Behavior specific to those systems.
Additionally, the OCIO will verify non-government furnished equipment to ensure that it meets the required standards as defined in the Rules of Behavior policy.
C.3.4.2.5 Information Security and Privacy The Contractor shall:
1.
Designate a specific person to be responsible for information security for Contractor personnel, subcontractors and consultants and have a segregated group with roles and responsibilities that will ensure compliance and oversight of IT security.
2.
Ensure its subcontractors, consultants and data transfer stakeholders (either internal or external to the Contractor firm) provide the same security and privacy protection where applicable. This requirement is important because in an age where business practices demand fast and easy transmission of information across borders - and the cloud -
those very activities can easily run afoul of the laws, regulations, and restrictions governing data transfers, whether relating to consumer, customer, employee, vendor, or other data.
3.
As new Federal security requirements or updates to existing requirements are made, apply those that are pertinent to the systems and processes they use in support of the NRC.
4.
Properly protect and handle information in accordance with the type of the information 5.
Only use NRC approved methods to send and receive information considered sensitive or classified.
Additionally, written approval is required from the BPA Call COR (who may need to obtain approvals before they provide their approval) prior to the use or storage of NRC Sensitive Information or sharing of NRC Sensitive Information by the Contractor with any subcontractor, person, or entity other than NRC. Requests for approval should be submitted to the BPA Call COR.
C.3.4.2.6 Controlling System Access The Contractor shall:
1.
Track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems, etc.) according to NRCs policy and the formal determination of which persons, computers, and applications have a need and right to access critical assets based on an approved classification.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 39 of 82 2.
Use PIV credentials in accordance with NIST FIPS 201, Personal Identity Verification (PIV) of all Federal employees and Contractors to provide user-based access to information systems.
3.
Ensure that all contractor personnel, subcontractors and consultants accessing systems processing NRCs information have user-based PIV card access 4.
Ensure the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks shall be enforced by the system through assigned access authorizations.
5.
Ensure separation of duties for Contractor systems used to process NRC information is enforced by the system through assigned access authorizations.
C.3.4.2.7 Security Incident Response Consistent with Federal Government Reporting requirements, all incidents must be reported to the United States Computer Emergency Readiness Team (US-CERT). To comply, the Contractor shall:
1.
Report any information security incident to the BPA Call COR and their designees within one (1) hour of discovery. NRC will report information security incident that also becomes a privacy incident when the incident involves the suspected or actual loss of PII, to the United States Computer Emergency Readiness Team (US-CERT) within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of discovery.
2.
Ensure any incident the US-CERT and/or NRC designates as a major incident shall be reported to the NRC BPA Call COR, who will then ensure it is reported to Congress within seven (7) days of discovery.
3.
Handle incidents per federal, department and NRC regulations. The Contractor shall complete incident reports to the BPA Call COR according to applicable regulations.
4.
Investigate, manage and report incidents internal to the contractor security boundaries.
5.
Facilitate and manage the processing of all security incidents for the NRC enterprise.
6.
Collaborate with other contractors, if necessary, for incidents that cross BPA Call boundaries.
7.
Notify the BPA Call COR in writing within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> of the discovery or disclosure of successful exploits of the vulnerability, which can compromise the security of the Systems (including the confidentiality or integrity of its data and operations, or the availability of the system).
C.3.4.2.8 Security Standards Where applicable, the Contractor shall:
1.
Develop and apply appropriate security controls to meet NRC information security requirements, as defined in Attachment 4 - NRC Security Standards. The public available NRC standards can be accessed utilizing the accession numbers at, http://www.nrc.gov/reading-rm/adams.html. Non-publicly available standards will be provided upon request.
2.
Coordinate with the BPA Call COR to assess and establish/update each of the above listed criteria within 30 days of contract award or when a Significant Change has been made to its system, as defined by the NRC CIO.
3.
Coordinate with the BPA Call COR to assess alternative ways to improve NRC information security requirements as defined in NRC Security Standards.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 40 of 82 4.
Coordinate with the BPA Call COR to develop and establish/update strategy for reducing legacy systems or applications risk to an acceptable levels, as defined and approved by the NRC CIO.
C.3.4.2.9 System Security Requirements All information systems that input, store, process, and/or output Government information must be provided an Authority to Operate (ATO) signed by the CIO, or Designated Approving Authority. Where applicable, the Contractor shall:
1.
Comply with NRC policies, procedures, and guidance for security Assessment and Authorization (A&A) activities.
2.
Provide access, when requested by the BPA Call COR, in order to verify compliance with the requirements for an Information Technology security program. For systems not located on NRC premises, the Government reserves the right to conduct on-site inspections. The Contractor shall make appropriate personnel available for interviews and provide all necessary documentation during this review.
3.
Take an active role in the support of the Assessment and Authorization lifecycle for all systems the Contractor supports. This includes attendance at all appropriate meetings with the BPA Call COR (e.g., kickoff, findings), development of corrective action plans, remediation of findings, as well as providing reports to the BPA Call COR.
4.
Support the NRC continuous monitoring methodology based on NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Contractor shall continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. All Contractor systems shall participate in Information Security Continuous Monitoring (ISCM) and Reporting as defined in the NRC IT Policy.
Additionally, if the Contractor is developing an NRC information system, system component, or information system service, the Contractor shall also:
1.
Follow a documented development process that: (i) explicitly addresses security requirements; (ii) identifies the standards and tools used in the development process.
2.
Produce design specification and security architecture that is consistent with and supportive of NRC security architecture and accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components.
C.3.4.2.10 Interconnection Security Agreements Any Interconnection Security Agreements (ISA) between NRC and nonNRC information systems shall be established only through controlled interfaces and via approved service providers. The controlled interfaces shall be accredited at the highest security level of information on the network. Connections with other Federal agencies shall be documented based on interagency agreements; memoranda of understanding, service level agreements or interconnect service agreements.
C.3.4.2.11 System Authorization and Assessment Where applicable, the Contractor shall:
1.
Comply with Authority To Operate (ATO) requirements as mandated by Federal laws and policies, including making available any documentation, physical access, and logical access needed to support this requirement
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 41 of 82 2.
Coordinate with the BPA Call COR to create, maintain, and update all applicable ATO documentation as defined by NRC Information Security procedures.
3.
Allow NRC employees (or NRC CISO-designated third-party contractors) to conduct Security Assessment activities to include control reviews in accordance with NIST SP 800-53/NIST SP 800-53A and NRC procedures and standards.
4.
Mitigate all applicable security risks found during the ATO process and continuous monitoring activities.
Prior to authorizing a system or application using public cloud services, the NRC will work with the Contractor to implement customer and shared responsibility controls and conduct a thorough review of the security assessment package to determine that it is complete, consistent, and compliant with FedRAMP requirements. To support this, the Contractor shall:
1.
Give the BPA Call COR and their designees access to the Contractors facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract, regardless of location.
2.
Submit A&A packages to the BPA Call COR at least 90 days before the ATO expiration date for security review and verification of security controls.
The 90 day security review process is independent of the system production date and therefore it is important to build the security review into project schedules. Security reviews may include onsite visits that involve physical or logical inspection of the Contractor environment to ensure controls are in place. ATO extensions will only be granted in extenuating circumstances.
C.3.4.2.12 Security Controls Compliance Assessment Where applicable, the Contractor shall:
- 1) Not publish or disclose in any manner, without the COs written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
- 2) Afford the Government access to the Contractors facilities, installations, technical capabilities, operations, documentation, records, and databases within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of notification. The program of inspection shall include, but is not limited to authenticated and unauthenticated:
a) Operating system/network vulnerability scans, b) Web application vulnerability scans, c)
Database application vulnerability scans Automated scans can be performed by Government personnel, or personnel acting on behalf of the Government, using Government operated equipment, and Government specified tools.
C.3.4.2.13 Common Security Configurations Where applicable, the Contractor shall:
- 1) Apply approved security configurations standard to all IT system components that is used to process information on behalf of NRC.
- 2) Configure its computing systems that contain NRC data, and using NRC approved or established configuration settings. NRC order of precedence for the applicability of configuration standards is as follows:
a) NRC Standards.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 42 of 82 b) Defense Information Systems Agency (DISA) finalized standards, checklists, and guidance.
c)
Center for Internet Security (CIS) finalized Benchmarks.
d) Vendor provided guidance.
e) Industry Best Practice.
- 3) Ensure consistent quality is built into security compliance and deviation process for managing (track, report on, correct) the security configuration of laptops, servers, workstations and network infrastructure devices.
- 4) Work with the BPA Call COR and their designees to acquire, interface or integrate NRC and the DHS Continuous Diagnostics and Mitigation (CDM) security vulnerability monitoring and assessment tools within their system boundary to provide agency-wide view of its security risk posture.
- 5) Ensure IT applications operated on behalf of NRC are fully functional and operate correctly on systems configured in accordance with the above configuration requirements.
- 6) Use Security Content Automation Protocol (SCAP)-validated tools to ensure its products operate correctly with baseline configurations and do not alter applied settings.
- 7) Test applicable product versions with all relevant and current updates and patches installed.
- 8) Ensure currently supported versions of IT products meet the latest baseline major version, and subsequent major versions.
- 9) Ensure IT applications designed for end users run in the standard user context without requiring elevated administrative privileges.
- 10) Ensure hardware and software installation, operation, maintenance, update, and patching will not alter the configuration settings or requirements specified above.
- 11) Ensure servers, desktops, and laptops operated on behalf of NRC (1) include Federal Information Processing Standard (FIPS) 201-compliant (see http://csrc.nist.gov/publications/PubsFIPS.html), Homeland Security Presidential Directive 12 (HSPD-12) card readers; and (2) comply with FAR Subpart 4.13, Personal Identity Verification (PIV).
- 12) Ensure Microsoft Windows-based software uses the Windows Installer Service for installation to the default appropriate OS Program Files directory, and is able to silently install and uninstall, under central administrator control.
- 13) Ensure all subcontractors (at all tiers) performing work under this BPA Call comply with the requirements contained in this clause.
- 14) Ensure most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks is enforced by the system through assigned access authorizations.
- 15) Ensure separation of duties for contractor systems used to process NRC information are strictly enforced through assigned access authorizations.
- 16) Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, workstations and network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 43 of 82
- 17) Ensure all IT components and applications are in compliance with approved configuration standards or have an approved deviation from standards
- 18) Ensure that systems components and applications are fully functional and operate correctly as intended on systems with the security configuration checklists, guidelines or standards approved by the NRC.
- 19) Only allow fully vendor supported hardware and applications with approved security configurations Information systems provided to the NRC by contractors that process CUI shall meet the requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf. Contractor shall work with the NRC to identify security requirements for detailed description of the systems security architecture, controls, and/or the provision of supporting test data.
C.3.4.2.14 Security for Encryption Device encryption shall occur before the use of a laptop computer/mobile device. Where applicable, the Contractor shall:
- 1) Use encryption that complies with FIPS 140-2, Security Requirements for Cryptographic Module, (as amended) to protect all instances of NRC sensitive information during storage and transmission.
- 2) Verify that the selected encryption product has been validated under the Cryptographic Module Validation Program (see http://csrc.nist.gov/cryptval/) to confirm compliance with FIPS 140-2. The Contractor shall provide a written copy of the validation documentation to the BPA Call COR.
- 3) Use the Key Management Key (see Chapter 4 of FIPS 201) on the NRC Personal Identity Verification (PIV) card; or alternatively, the Contractor shall establish and use a key recovery mechanism to ensure the ability for authorized personnel to decrypt and recover all encrypted information. The Contractor shall notify the BPA Call COR of personnel authorized to decrypt and recover all encrypted information.
- 4) Securely generate and manage encryption keys to prevent unauthorized decryption of information in accordance with FIPS 140-2.
- 5) Ensure the encryption standard referenced in Section C.3.1.4.3 is applied to all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive NRC information.
C.3.4.2.15 Patching Where applicable, the Contractor shall:
- 1) Consistent with Department of Homeland Security (DHS) Binding Operational Directive 15-01, Critical Vulnerability Mitigation Requirements for Federal Civilian Executive Branch Departments and Agencies Internet-Accessible Systems, patch all critical and high vulnerabilities immediately or, at a minimum, within 30 days of patch release. NRC currently utilizes regular maintenance windows. In addition, NRC patches are subject to NRCs change and configuration management processes. For critical and high vulnerability patching, the BPA Call COR reserves the right to request an "out of cycle" patch release.
- 2) Apply patches to all systems, even systems that are properly air gapped or are physically isolated from unsecured networks.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 44 of 82
- 3) Develop and apply appropriate automated patching solution to meet NRC information security requirements where practical, as defined and approved by the NRC Chief Information Officer (CIO).
C.3.4.2.16 Tracking and Correcting Security Deficiencies Where applicable, the Contractor shall:
- 1) Track and correct any applicable information security deficiencies, conditions, weaknesses, findings, and gaps identified by audits, reviews, security control assessments, and tests, including those identified in:
a) Chief Financial Officer (CFO) audits b) FISMA audits c)
NRC evaluations and tests d) Inspector General (IG) audits and reviews e) A-123 audits f)
NRC Security Operations Center (SOC) continuous monitoring activities such as, but not limited to, vulnerability and compliance scanning of all the NRC information systems g) Other applicable reviews and audits
- 2) Mitigate critical, high-risk, and moderate-risk deficiencies within 30 days; low risk deficiencies within 120 days from the date deficiencies are formally identified.
C.3.4.2.17 Security Tools Implementation Where applicable, the Contractor shall coordinate with the BPA Call COR and their designees to understand their specified requirements in administering, managing, configuring, maintaining, acquiring, interfacing, integrating and/or tuning NRCs defined security tools devices and application systems, servers and sensors for systems/applications they host or maintain.
C.3.4.2.18 Return of NRC and NRC-Activity-Related Information The Contractor shall coordinate with BPA Call COR to ensure return of all original (and at least one duplicate copy of those information types specified by NRC) of all NRC-provided and NRC-Activity-Related Information (including but not limited to all records, files, and metadata in electronic or hardcopy format), including but not limited to any of the following:
- 1) Provided by NRC or obtained by the Contractor while conducting activities in accordance with the contract
- 2) Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity
- 3) Received from the Contractor by any other related organization and/or any other component or separate business entity.
C.3.4.2.19 Verified Secure Destruction of NRC and NRC-Activity-Related Information The Contractor shall coordinate with the BPA Call COR to execute secure destruction of all active and archived originals and/or copies of all NRC and NRC-activity-related files and information, (including but not limited to all records, files, and metadata in electronic or hardcopy format), by procedures approved by the BPA Call COR in advance. NRC and NRC-activity-related files includes but is not limited to:
- 1) Provided by NRC or obtained by the Contractor while conducting activities in accordance with the contract
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 45 of 82
- 2) Distributed for any purpose by the Contractor to any other related organization and/or any other component or separate business entity
- 3) Received from the Contractor by any other related organization and/or any other component or separate business entity.
C.3.4.2.20 Return of NRC-Owned or Leased Computing Equipment In accordance with NRC policies and federal government regulation, the Contractor shall coordinate with the BPA Call COR to return all NRC-owned or leased computing and information storage equipment within a time period approved by the BPA Call COR.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 46 of 82 C.3.5 Service Level Requirements In accomplishing the above activities and other Help Desk duties, the Contractor shall complete the activities in accordance with the service level requirements outlined in the sections below. Within the first month of Transition, the Contractor shall meet with the BPA Call COR to verify and validate the service level requirements (SLRs) outlined below. The Contractor and the BPA Call COR will collaboratively work together to develop a final set of SLRs as well as the effective date when the SLRs are to take effect. In addition, factors such as but not limited to hang-ups, business-hour/day rollovers, when a repair becomes a replace, etc. have been considered by NRC when coming up with these SLRs.
C.3.5.1 Delivery Related Service Level Requirements The Contractor shall meet or exceed the delivery related service level requirements while delivering the work described in this BPA Call.
These service level requirements are in addition to the other service level requirements described within Section C.3.5 as a whole.
Definition Performance Standard Acceptable Quality Level (AQL)
Method of Surveillance Federal and NRC-Level Policy and Standards Compliance The Contractor shall comply with all applicable Federal and NRC-level policies and documented technical and process standards in the performance of its services.
100% Compliance Monthly BPA Call COR Report (NRC internal)
On-Time Project Milestone Completion For all in-scope projects managed by the Contractor, the Contractor shall achieve the agreed upon project milestones by the date agreed to by the BPA Call COR.
<5% Variation NRC Designated and Provided Repository On-Time Submission of Recurring Reporting For all recurring reports, the Contractor shall submit reports and/or data as applicable on the days and intervals agreed to by the BPA Call COR.
<10% Variation Monthly BPA Call COR Report (NRC internal)
End User Satisfaction (NOTE: Historically, End User Satisfaction Survey Response Rates have averaged at around 16%.)
End Users surveyed should be very satisfied or satisfied, based on a 10% survey response rate of all tickets closed / resolved in the Reporting Period
>90% Compliance BPA Call COR Approved Recurring End User Satisfaction Survey System Financial and Resource Information Accuracy The Contractor shall provide accurate financial and resource reporting and data to the NRC.
100% Accuracy of Dollars, Hours, and Associated Category Assignments Reconciliation Error Rate (NRC internal)
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 47 of 82 C.3.5.2 Security Service Level Requirements The Contractor shall provide its resources and services in a manner that enables achievement of the Service Level Requirements described below. These objectives are intended to convey the outcomes the NRC desires as a result of successful assistance from the Contractor.
Area Performance Standard AQL Frequency Method of Surveillance Critical and high-risk deficiencies mitigated within 30 days, From the date deficiencies are formally identified or within a specified time period previously defined and approved by NRC CIO.
100%
Moderate-risk deficiencies shall be mitigated within 30 days, from the date deficiencies are formally identified or within a specified time period previously defined and approved by NRC CIO.
95%
Tracking and Correcting Security Deficiencies Low-risk deficiencies shall be mitigated within 120 days from the date deficiencies are formally identified or within a specified time period previously defined and approved by NRC CIO.
95%
Monthly System Records Plan of Actions and Milestones Incident Records NRC Security Audits and Assessments BPA Call COR Oversight Common Security Configurations Percentage of system components that are in compliance with approved configuration standard or deviation 98%
Monthly System Records NRC Security Audits and Assessments BPA Call COR Oversight Percentage of PII incidents reported to BPA Call COR in one hour.
Security Incident
Response
Percentage of major incidents reported to BPA Call COR within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> of discovery 100%
Daily System Records Incident Records BPA Call COR Oversight Encryption Standards Percentage of required devices, components and interfaces compliant with NRC encryption standards 100%
Monthly System Records NRC Security Audit BPA Call COR Oversight
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 48 of 82 Area Performance Standard AQL Frequency Method of Surveillance Controlling Access Percentage of Contractor personnel accessing NRCs systems with user-base PIV card access or NRC approved access mechanism.
100%
Weekly System Records NRC Security Audits and Assessments BPA Call COR Oversight System Changes Ensure changes to systems are properly approved by the NRC Designated Approving Authority (DAA) or the configuration control board (CCB) before those changes are deployed to the NRC production environment, in accordance with NRC policy MD 12.5 100%
Weekly System Records Change Management System Configuration Management System NRC Security Audit C.3.5.3 Call Center Service Level Requirements The Contractor shall operate the Call Center in accordance with the Service Level Requirements described in the table below. These requirements are in addition to the other Service Level Requirements mentioned Section C.3.5 as a whole.
Definition Performance Standard Service Measure AQL Method of Surveillance Speed to Answer Calls (NOTE: Hang-ups are factored into the End User Calls Abandonment Rate SLR below.)
End User Calls to the CSC are answered within one minute or less.
Measure of the time a phone call enters the service desk queue to the time a live agent takes the call and works with user.
All CSC calls are included in this measure, not just calls that resulted in ticket creation and/or revision.
At least 95% of calls shall be answered by a live agent within 1 minute or less.
Formula:
Number of calls answered within performance target
÷ Total number of calls answered during measurement interval =
Service level attained Incident Records Automated Call Distribution (ACD) System
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 49 of 82 End User Calls Abandonment Rate All End User Calls to the CSC are answered in a timely fashion to ensure the end user doesnt hang up while waiting.
Number of calls to the CSC that are abandoned.
The metric starts when the End User chooses the Call Center in the ACD, and stops when a CSC representative answers the call.
Abandonment Rate is less than or equal to 5% per business day.
Formula:
Number of Abandoned Calls / Total Number of Calls to CSC Automated Call Distribution (ACD) System End User Call Blocking Rate (NOTE: "Call Blocking" is interpreted to mean that the ACD or other piece of related system hardware does not place the customer in the queue, and/or does not place the end user in contact with the Operator.
Typically "call blocking" results in the End Users call being involuntarily ended.)
All End User Calls shall either be answered promptly or automatically placed in a queue to be answered by the next available representative.
Number of calls that do not make it into the queue if they are not promptly answered by a representative.
Blocking rate is less than 1% per business day.
Formula:
Number of Blocked Calls /
Total Number of Calls to CSC Automated Call Distribution (ACD) System
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 50 of 82 Average Speed to Answer CSC E-mails (NOTE:
Currently, the Call Center Representative manually reviews each e-mail received and manually creates a ticket in the ITSM.)
End User E-mails to the CSC Inbox are answered within four business hours.
Duration between when message was received and when it was addressed.
90% or greater of all e-mails to the CSC Inbox shall be answered within four business hours of the message entering the CSCs Inbox.
Formula:
Average duration between when the message appeared in CSCs Inbox versus when it was read.
Performance Monitoring and Statistics Incident Records Service Catalog Response Time CSC inquiries made via the Service Catalog are answered within one business hour.
Duration between when the Service Catalog Inquiry was received and when it resulted in ticket creation (excluding approval time).
90% or greater of all Service Catalog Inquiries to the CSC shall be converted into a created ticket within one business hour of the message entering the CSCs queue.
Formula:
Average duration between when the inquiry appeared in CSCs queue versus when it was read.
Performance Monitoring and Statistics Incident Records Ticket Creation / Update Speed (NOTE: Currently, the Call Center Representative manually enters when the call was received into the ticket.)
The Call Center representative shall promptly create a ticket upon receiving end user communication (either over the phone or via e-mail), or update an Duration between when the End User interaction ended and when the ticket was created / updated 95% or greater of all ticket creations or updates as a result of end user communication shall take place within five minutes of the end of the end users communication Automated Call Distribution System Performance Monitoring and Statistics Incident Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 51 of 82 existing ticket depending on the end user communication.
(excluding Severity 1 incidents)
Formula:
Average duration between the end of end user call and/or reading end user e-mail and creation/revision of ticket.
Incident and Service Request Ticket Routing Accuracy The incident and service request ticket describing the End Users incident shall be routed to the right group for resolution.
The categorization at the incident and service request tickets opening shall match the categorization at the incident tickets closing.
95% or greater of all incident and service request tickets shall have matching opening and closing categorization.
Formula:
Number of incident tickets with the same opening and closing categorizations / Total incident tickets created.
Performance Monitoring and Statistics Incident Records Re-Work Ticket If the same incident persists after initially being marked as Successfully Resolved, the ticket shall not be marked as Closed.
Duration between when the incident was marked as Successfully Resolved and when it was reported again by the same user.
An incident ticket can be marked as Closed if additional user inquiry about the same incident is not received within five business days of being marked as Successfully Resolved.
Performance Monitoring and Statistics Incident Records Account Detail Records Important Note: NRC is aware of gamesmanship tactics associated within this metric, and will be very closely reviewing this metric to ensure it is accurately reported.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 52 of 82 C.3.5.4 Non-VIP Service Level Requirements The Contractor shall assist non-VIP Personnel in accordance with the Service Level Requirements described in the table below.
Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method Non-VIP Incident Resolution (NOTE: If a specific request or support ticket is covered by another more detailed SLR, then the Contractor shall only reflect that tickets performance with the specific SLR in question, NOT this overarching SLR).
The incidents reported by End Users shall be resolved by Help Desk Services in a very timely manner.
Elapsed time from date /
time a request is logged with service desk to resolution Unless otherwise described in this SLR listing, non-VIP incidents shall have a workaround identified within 4 business hours and shall be resolved within 8 business hours.
Performance Monitoring and Statistics Incident Records Account Detail Records End User Surveys Severity 1 Incident Resolution Incidents that are mission critical or affect a significant number of users are resolved in a very timely manner.
Elapsed time from when the incident was reported to when the incident was resolved.
90% of Severity 1 incidents shall be resolved within two business hours or less. It is assumed that hot spares will be on standby in order to meet this SLR.
Performance Monitoring and Statistics Incident Records Account Detail Records End User Surveys
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 53 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method Incident / Service Request Resolution / Closure Notice Notification of Incidents /
Service Request Resolution and/or Closure shall promptly take place.
Elapsed time from when the incident was resolved /
service request was closed and when the End User was formally notified of such a status 95% or greater of all resolution / closure notifications shall be sent to the End User within 20 minutes of the customer assistance resulting in such a status. Automated e-mails from the IT service management system once the ticket has been closed /
resolved is acceptable.
Formula Duration between conclusion of customer assistance and when the customer receives the automated e-mail from the IT service management system.
Performance Monitoring and Statistics Incident Records Account Detail Records End User Surveys
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 54 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method NRC Account and Laptop Encryption Password Reset All requests to reset NRC Account or Laptop Encryption passwords are addressed in a very quick manner.
Duration between when the incident ticket was created and when it was resolved.
99% or greater of tickets in this category shall be successfully resolved within one business hour of the ticket being created.
Formula:
Duration between when NRC Account and Laptop Password Reset categorized tickets are created and marked as Successfully Resolved is tracked. For every ticket that takes less than or equal to one business hour to resolve, it will be marked as compliant.
Compliant tickets / Total tickets in this category =
% used for SLR compliance.
Account Detail Records Incident Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 55 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method NRC Application Specific Password Resets Requests to reset account passwords associated with NRC specific applications are routed within one business hour.
Duration between when the incident ticket was created and when it routed to the correct POC for resolution.
90% or greater of tickets in this category shall be successfully routed within one business hour of the ticket being created.
Formula:
Average duration between when NRC Application Password Reset categorized tickets are created and when they are resolved.
Account Detail Records Incident Records First Contact Resolution The End Users incident shall be resolved during the first time the incident ticket is created.
Number of incident tickets marked as Successfully Resolved during the first time the incident was experienced.
65% or greater of all incidents within Period 1 and 85% or greater of all incidents within the subsequent years shall be marked as Successfully Resolved during a users first contact about the incident, unless the incident is indicated to be part of a larger NRC problem.
Formula:
Number of incident tickets marked as Successfully Resolved by a Tier 1 Call Representative / Total number of incident tickets that could have been resolved on First Contact.
Performance Monitoring and Statistics Incident Records Account Detail Records End User Survey
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 56 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method Time To Repair E-mail Client End Users may request the service during normal operating hours and obtain the service within two business hours.
Elapsed time from date /
time a request is logged with service desk to resolution 95% or greater of these requests shall be diagnosed and/or repaired within 2 business hours of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records Account Detail Records Time to perform file restoration End Users may request the service during normal operating hours and obtain the service within four business hours.
Elapsed time from when the request is logged with the service desk to resolution OR from when the incident was discovered through operational self-analysis.
It is assumed that incidents discovered through self-analysis will result in a ticket being created.
95% or greater of these requests shall be resolved within 4 business hours of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records Account Detail Records End User Survey Time to provide additional capacity for individual End Users may request additional capacity during Time to add space to individual user accounts 95% or greater of these requests shall be resolved Incident Records Account Detail Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 57 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method user accounts normal operating hours and obtain the additional capacity (upon NRC management approval) within two business hours.
(up to NRCs standard increase per request) within 2 business hours of being approved by NRC Management.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Time to repair user machine / implement acceptable workaround while the user machine repair is taking place End Users may request service during normal operating hours and obtain the service within four business hours.
Elapsed time from date /
time a request is logged with service desk to resolution 95% or greater of these requests shall be diagnosed and/or the user shall be provided with an acceptable workaround within 4 business hours of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records Asset Inventory Database Desktop Management Software Reporting Time to provide working solution to software related incidents and End Users may request service during normal operating hours and Elapsed time from date /
time a request is logged with service desk to 95% or greater of these requests shall be provided with a working solution Incident Records Review of Desktop Management Software
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 58 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method problems on user machine obtain the service within four business hours.
resolution within 4 business hours of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Statistics Time to perform software installation / de-installation End Users may request service during normal operating hours and obtain the service within eight business hours.
Elapsed time from date /
time a request is logged with service desk to fulfillment (exclusive of approval wait time) 95% or greater of these requests shall be completed within 8 business hours of being reported, excluding the approval wait time and end user availability.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records Review of Desktop Management software statistics Change records Time to distribute loaner equipment (NOTE: While this SLR relies on loaner equipment being in stock, End Users may request equipment during normal operating hours and obtain the equipment Elapsed time from date /
time a request is logged with service desk to fulfillment (exclusive of 95% or greater of these requests shall be addressed within 4 business days of being Incident Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 59 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method in the past NRC has NOT run out of stock. The Contractor shall collaborate with the BPA Call COR to ensure that NRC continues to NOT run out of loaner equipment stock, based on actual demand.)
(upon NRC management approval) within four business days.
approval wait time) reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Time to repair or replace other Government Approved End User assets and associated peripherals End Users may request service during normal operating hours and obtain the service within 8 business hours.
Elapsed time from date /
time a request is logged to resolution (excluding approval wait time) 95% or greater of these requests shall be repaired or replaced within 8 business hours of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records New Desktop Management and Deployment A new desktop will be provisioned for NRC use within five business days.
(NOTE: 10 machines or more will be considered a project and shall have a unique schedule.)
Elapsed time from when the management and deployment request was filed and when the request is completed.
A new desktop will be provisioned for use within 5 business days or less from when the management and deployment request was filed.
Performance Monitoring and Statistics Incident Records Account Detail Records End User Surveys New Employee Management and deployment A new employee will have their computer successfully provisioned for them on Day 1.
The new employee management and deployment request shall be marked as Completed 95% or greater of all new employee management and deployment requests shall be installed and Performance Monitoring and Statistics Incident Records Account Detail Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 60 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method prior to the new employees first day (excluding special projects).
ready for the employees use one business day prior to the employees first day in the position.
Formula:
Ticket Completion Date -
New Employees Start Date End User Surveys Move or Decommission Desktop A desktop will be moved or decommissioned in accordance with NRC policies within five business days. (NOTE:
15 machines or more will be considered a project and shall have a unique schedule.)
Elapsed time from when the request was filed and when the request is completed 90% or greater of all move / decommission requests shall be completed within 5 business days from when the request was filed.
Performance Monitoring and Statistics Incident Records Account Detail Records End User Surveys Desktop Replacement Identification and Planning End-user machines needing to be refreshed will be proactively identified so that refresh planning can be conducted and executed.
BPA Call COR Notification will take place once the specific machine has been in-service for the specified amount of time.
If In-Service Date is on or after Day 1 of award:
One calendar year prior to warranty expiration date If In-Service Date is prior to Day 1 of award:
Identification and Planning to begin promptly upon identifying the equipment in question System Records Configuration Management System BPA Call COR Oversight Endpoint Protection Security Software Engine and Security Subcomponents Updated endpoint protection security software and security subcomponents should be Elapsed time from when the update is released by the manufacturer and when the updates 95% or greater of all endpoint protection security software engine and security Performance Monitoring and Statistics Change / Configuration Management Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 61 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method deployed in a timely manner.
deployment begins.
subcomponent update files shall be placed into NRCs change control process for deployment within 14 days or less of being released.
Virus Definition File Update Updated virus definition files shall be deployed in a prompt manner.
Elapsed time from when the virus definition file is released by the manufacturer and when the files deployment begins.
95% or greater of all virus definition files shall be placed deployed within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or less of being released.
Performance Monitoring and Statistics Change / Configuration Management Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 62 of 82 C.3.5.5 VIP Service Level Requirements The Contractor shall support NRC VIP Personnel in accordance with the Service Level Requirements described in the table below. A strong majority of the VIP Personnel in question are located at NRC Headquarters in Rockville. For the VIP Personnel located outside of NRC Headquarters, they are typically located NRC Regional Offices. In extremely rare circumstances, VIP Support has been provided outside of the aforementioned locations (ex. a teleworking VIP). The BPA Call COR will negotiate such extremely rare circumstances with the Contractor prior to such support being provided.
Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method VIP Incident Resolution (NOTE: If a specific request or support ticket is covered by another more detailed SLR, then the Contractor shall only reflect that tickets performance with the specific SLR in question, NOT this overarching SLR).
The VIP incidents reported by End Users shall be resolved by Help Desk Services within four business hours.
Elapsed time from date /
time a request is logged with service desk to resolution Unless otherwise described in this SLR listing, VIP incidents shall have an acceptable workaround identified within 2 business hours AND be resolved within 4 business hours.
Performance Monitoring and Statistics Incident Records Account Detail Records End User Surveys VIP Time to complete service requests (not including those covered in other service descriptions)
Service requests received during normal operating hours are resolved within four business hours.
Elapsed time from date /
time a request is logged to resolution (excluding approval wait time) 95% or greater of these requests shall be completed within 4 business hours of being requested.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Service Request Records Account Detail Records End User Surveys
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 63 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method VIP Time To Repair E-mail Client End User may request the service during normal operating hours and obtain the service within one business hour.
Elapsed time from date /
time a request is logged with service desk to resolution 95% or greater of these requests shall be diagnosed and/or repaired within 1 business hour of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records Account Detail Records VIP Time to provide additional capacity for individual user accounts End Users may request additional capacity during normal operating hours and obtain the additional capacity (upon NRC management approval) within one business hour.
Time to add space to individual user accounts (up to NRCs standard increase per request) 95% or greater of these requests shall be resolved within 1 business hour of being approved by NRC Management.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records Account Detail Records VIP Time to repair user End Users may request Elapsed time from date /
95% or greater of these Incident Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 64 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method machine / implement acceptable workaround while the user machine repair is taking place service during normal operating hours and obtain the service within two business hours.
time a request is logged with service desk to resolution requests shall be diagnosed and/or the user shall be provided with an acceptable workaround within 2 business hours of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Asset Inventory Database Desktop Management Software Reporting VIP Time to provide working solution to software related incidents and problems on user machine End Users may request service during normal operating hours and obtain the service within two business hours.
Elapsed time from date /
time a request is logged with service desk to resolution 95% or greater of these requests shall be provided with a working solution within 2 business hours of being reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records Review of Desktop Management Software Statistics VIP Time to perform software installation / de-installation End Users may request service during normal operating hours and Elapsed time from date /
time a request is logged with service desk to 95% or greater of these requests shall be completed within 4 Incident Records Review of Desktop Management software
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 65 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method obtain the service within four business hours.
fulfillment (exclusive of approval wait time) business hours of being reported, excluding the approval wait time and VIP availability.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained statistics Change records VIP Time to distribute loaner equipment (NOTE:
While this SLR relies on loaner equipment being in stock, in the past NRC has NOT run out of stock.
The Contractor shall collaborate with the BPA Call COR to ensure that NRC continues to NOT run out of loaner equipment stock, based on actual demand.)
End Users may request equipment during normal operating hours and obtain the equipment (upon NRC management approval) within two business days.
Elapsed time from date /
time a request is logged with service desk to fulfillment (exclusive of approval wait time) 95% or greater of these requests shall be addressed within 2 business days of being requested.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained Incident Records VIP Time to repair or replace other Government Approved End User assets and associated End Users may request service during normal operating hours and obtain the service within Elapsed time from date /
time a request is logged to resolution (excluding approval wait time) 95% or greater of these requests shall be repaired or replaced within 4 business hours of being Incident Records
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 66 of 82 Definition Desired Outcome Service Measure Acceptable Quality Level (AQL)
Monitoring Method peripherals four business hours.
reported.
Formula:
Number of instances within performance target
÷ Total number of instances during measurement interval =
Service level attained
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 67 of 82 C.3.6 Transition and Associated Management Once the BPA Call is awarded and the Contracting Officer executes a letter to start transition, the Contractor shall negotiate a transition plan with the current ITISS Contractor in accordance with clause 52.237-3 in the ITISS contract.
Service/Delivery Objectives The Contractors transition and associated management services shall assist with the successful transition of existing services, capabilities, and agreements. The NRC defines successful transition as the actual performance of seamlessly continuing to provide services while identifying and capturing opportunities to increase service effectiveness, as well as leveraging the transition as an opportunity to make systemic changes to service delivery where required. Success in this specific context is defined as continuing to deliver existing IT services at the SLRs described in this document with no downtime (unless scheduled and previously approved by the BPA Call COR) once the incumbent ceases operation of the existing IT service in question.
There may be a Transition-In Period and a Transition-Out Period, depending on incumbencies.
The start date of April 9, 2018 is an estimated date of award. The Transition-In Period may be up to the first ninety (90) calendar days of the BPA Call. Depending upon procurement time, the Transition-In Period may be a shorter length of time, if Transition-In cannot begin by the estimated date of award. The Contractor shall be at full performance levels, as defined as satisfactorily meeting all SLRs, at the end of Transition-In Phase.
C.3.6.1 Transition-In Responsibilities Ongoing tasks that fall within the scope of this BPA Call but are currently provided under existing Indefinite-Delivery, Indefinite-Quantity (IDIQ) or other vehicles will be transitioned to this BPA Call.
Accordingly, the Contractor shall establish a transition team to implement a standard transition process to be used during the start-up period and to prepare for the transition of underlying support areas. The Contractor shall provide advisory and technical expertise to align at a minimum the following transition responsibilities:
Over-arching transition management including coordination, risk management, problem resolution, and reporting of status on transition activities
Human capital transition management including on-boarding, clearance processing, incumbent personnel transfer, and training as required
Work-stream management including establishing processes and mechanisms for knowledge and skills transfer as well as identifying and implementing straightforward process improvements The Contractor shall provide a transition team to address the requirement that is experienced in transitioning mission critical IT services and the equipment that support such services. To protect the incumbent and NRC, transition team members will be required to sign personal Non-Disclosure Agreements (NDAs) with the incumbent and its sub-contractors so that any incumbent propriety or business sensitive information is appropriately protected.
C.4 Key Personnel The Contractor shall provide five (5) individuals to be Key Personnel for this BPA Call as identified below. Each of them may only serve in one Key Personnel position under the BPA Call.
All Key and Non-Key Personnel will need to be able to successfully obtain a NRC IT-I clearance at a minimum. The BPA Call COR will identify during post-award if higher clearances are needed for specific roles. However, if the BPA Call COR identifies that a specific role needs to have an active clearance on Day 1, then charges for the person fulfilling that role cannot be made until the
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 68 of 82 clearance is successfully adjudicated. While each Key Personnel heading contains the functional title as it applies to this specific Call Order, the Contractor may propose the BPA labor category it deems most appropriate for these positions. The Contractor should provide Key Personnel whose resumes demonstrate that they meet or exceed the following education, certification and experience requirements:
C.4.1 BPA Call Project Manager or Equivalent
ITIL Foundations Level (or higher) Certification.
At least 10 years of experience managing Contracts associated with the Help Desk Topic Areas described in this PWS
Experienced in managing projects where the project team members and end users are dispersed over more than one location C.4.2 Transition Manager or Equivalent In addition to facilitating the transition of services listed within this PWS with the incumbent, this individual shall act as the primary Contractor Point of Contact for notable changes and transitions in end user services (such as, but not limited to, the movement of end-user services from NRC data centers to the cloud). When the individual is not participating in notable end user changes and transitions, the Contractor can utilize the individuals support as they deem appropriate.
Desired credentials:
ITIL Foundations Level (or higher) Certification
Experience working with the Help Desk Topic Areas described in this PWS
Experience participating in Help Desk Transitions C.4.3 Call Center (Tier 1) Manager or Equivalent Desired credentials:
ITIL Foundations Level (or higher) Certification
Experience working with Help Desk Topic Areas described in this PWS, with an emphasis on Call Center Operations C.4.4 Deskside Services (Tier 2) Manager or Equivalent Desired credentials:
ITIL Foundations Level (or higher) Certification
Experience working with Help Desk Topic Areas described in this PWS, with an emphasis on Deskside Service Operations C.4.5 Service Catalog Manager or Equivalent Desired credentials:
ITIL Foundations Level (or higher) Certification.
Experience working with Help Desk Topic Areas described in this PWS.
Experience in collaborating with Service Owners and Service Providers to design and build both IT and Business Services for a Service Catalog. Experience with design, build /
develop, test, and deploy IT Service Management (ITSM) system changes and enhancements (both standard as well as custom).
Experience in collaborating with other ITSM related areas to facilitate end-to-end service workflow and system integration.
C.5 Deliverables In meeting the requirements described in this PWS, the Contractor shall complete the deliverables identified in the table below.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 69 of 82 Topic Area Deliverable Description Deliverable Due Date Participation in Integrated Operations Meeting with the BPA Call COR and their designees To occur on a weekly basis during a time scheduled by the BPA Call COR Weekly Status Report By COB Monday of the following week Monthly Status Report By COB 5 business days after the end of the month Meeting Agenda, Minutes, and Action Items
Agenda: Two (2) business days prior to the meeting
Minutes and Action Items:
Three (3) business days after meetings Project Management NOTE: Project management practices shall stress continuous and open communication with NRC and other GLINDA contractors.
Coordination shall be conducted on both formal and informal basis.
Project Plans (Schedule, Communications, Risk, and QA)
(NOTE: NRC forecasts the potential for more than one project to be executed under End-User Computing at any single time.)
Draft: 15 business days after initiation of the project in question
Final: 15 business days after receiving written comments from the BPA Call COR Finalized Service Level Requirements
Within 60 calendar days of the first Transition Working Session Meeting (6/4/18).
Operational Reports (Performance, Utilization, Incident, etc. Summaries, Metrics, and Analyses)
Daily, as directed by the BPA Call COR
Weekly, as directed by the BPA Call COR
Monthly, as directed by the BPA Call COR Operational Data (Raw data, logs, etc.)
Within 1 business hour of request (self-service functionality encouraged)
Daily, as directed by the BPA Call COR
Weekly, as directed by the BPA Call COR
Monthly, as directed by the BPA Call COR Delivery Management Operational SOP(s) describing the actions that the Contractor will consistently execute in delivering the services and meeting the requirements described in this PWS.
Draft: COB 60 business days after Transition Go Live / End Date
Final: 20 business days after receiving written comments from the BPA Call COR
Updates and revisions made
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 70 of 82 Topic Area Deliverable Description Deliverable Due Date every six months Revision of Data Architecture Documents
As necessary based on changes Recommendations Regarding Current Floating vs Fixed Remedy License Usage
30 days after modification execution Recommendations Regarding Remedy System Enhancements and/or Upgrades
30 days after modification execution Process documentation related to administration and Operation off the SDLM toolset
60 days after modification execution Standard Operating procedures for all activieis performed related to administration and operation of the SDLM toolset
60 days after modification execution PC Image Creation
As specified by the BPA Call COR PC Software Update Packages (both security and non-security in nature)
Administered to user machines on a monthly basis in accordance with applicable NRC policies
If BPA Call COR deems an update as urgently needed, an out of cycle occurrence shall be executed PC Image Updates
Every three months and as required and approved through the NRC Change Management processes
If BPA Call COR deems an update as urgently needed, an out of cycle occurrence shall be executed Image Management Tier 3 Image Assistance
As specified by BPA Call COR and established Service Level Requirements Offsite Call Center Concept of Operations (CONOPS)
Due within One Calendar Year from BPA Call Award Call Center Operations Establishment of Offsite Call Center Operations
As Directed by BPA Call COR C.5.1 Performance Standards The BPA Call COR will complete the Comment Form as part of each review. NRC will have three workdays to review deliverables. The BPA Call COR may request for additional time to review document with substantial content.
Deliverables require no more than two content revisions.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 71 of 82
Deliverables cover all instructions provided by the BPA Call COR.
C.6 Inspection and Acceptance of Deliverables The BPA Call COR will have five (5) business days to complete the review of each deliverable and accept or reject the deliverable by giving written notice. When the BPA Call COR fails to complete the review within the review period, the Contractor may deem the deliverable to have been accepted by the BPA Call COR unless an extension of the review period is requested by the BPA Call COR and mutually agreed upon with the Contractor. In the event of BPA Call COR rejection of any deliverable, the Contractor shall be so notified in writing by the BPA Call COR and given the specific reason(s) for the rejection. The Contractor shall have three (3) business days to correct the rejected deliverable and return it to the BPA Call COR for review.
The amount payable by the NRC for a particular invoice will be reduced by the disincentive fees described in the table below for the associated CLIN for each unacceptable deliverable or missed SLR performance level, regardless of contactor performance on other CLINs. Disincentive fees may not be earned back by the Contractor.
Task or Deliverable Metric Type Performance Standard Performance Indicator Surveillance Method Disincentive Timeliness of Deliverables Efficiency Deliverables shall be submitted in accordance with the delivery requirements required by the PWS.
100% of the reports are submitted on time.
BPA Call COR Tracking /
End User Complaints 1% of the firm-fixed-price portion of the invoice may be deducted for every five (5) business days late, up to a maximum of 15% of the firm-fixed-price portion of the invoice.
Notwithstanding the foregoing, the Government may terminate the BPA Call for cause if the Contractor fails to provide final deliverables by the due date.
Service Level Requirement (SLR)
Compliance Efficiency The Contractor shall meet or exceed the Service Level Requirements described in this document.
As described by each Service Level Requirement in this document.
As described by each Service Level Requirement in this document.
2% of the firm-fixed-price portion of the invoice may be deducted for every missed SLR, up to a maximum of 15% of the firm-fixed-price amount of the invoice.
Notwithstanding the foregoing, the Government may terminate the BPA Call
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 72 of 82 for cause if the Contractor fails to provide final deliverables by the due date.
Accuracy of Deliverables Quality Reports and Other Deliverables are Correct when submitted.
No more than 5 Errors per Sheet BPA Call COR Review for completion and accuracy Deliverables received that have more than five missing requirements will result in rejection of the deliverable as incomplete and returned to the Contractor. NRC shall not inspect the entire deliverable, rather NRC shall identify, if present, the first five missing requirements and return the deliverable to the Contractor. Each time the deliverable is returned, 2% of the firm-fixed-price amount of the invoice for each instance in which a deliverable is determined to be incomplete, up to a maximum (for all instances of returned documents) of 15% of the awarded of the firm-fixed-price amount of the invoice.
NOTE REGARDING ABOVE TABLE: Reports are not counted as late when, on a case by case basis, the BPA Call COR approves later report submission. Also, on a case by case basis, the BPA Call COR may elect to deem a SLR metric compliant even if the compliance number is not in alignment with the standards described in this PWS.
C.7 Section 508 - Electronic and Information Technology Standards In order to help the NRC comply with Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. § 794d)(Section 508), the Contractor shall ensure that its deliverables (both products and services) under this BPA Call are 1) in conformance with and 2) support the requirements of the Section 508 standards (36 CFR Part 1194, which may be found at access-board.gov), unless an exception applies (see below).
The Contractor shall:
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 73 of 82
Address Section 508 standards requirements throughout the product and service lifecycle.
Some example lifecycle activities include:
o Planning o
Staff resource selection (do they have the needed experience, skills and understanding of how to address Section 508 requirements applicable to their role?)
o Requirements documentation o
Market research for products and services o
Alternatives analysis o
Product design, development, configuration, testing and maintenance o
Service design, development, maintenance and documentation o
Document and Web content authoring, validation and publishing o
Testing and validation o
Product and service documentation and support
Provide Contractor personnel training and maintain Contractor personnel awareness such that they know how the Section 508 standards apply to their roles and their deliverables.
Provide electronic document deliverables (including those specified in section C.5) that are Section 508 standards conformant.
When authoring tools (such as Microsoft Word, Camtasia, Adobe Dreamweaver, etc.) are configured they must be configured in a way that enables support for the accessibility of authored content.
When operating systems and platforms (such as Web browsers) are configured they must be configured to support conformance to the Section 508 standards.
Provide support services that accommodate the communication needs of end-users with disabilities.
The following information is provided to highlight or clarify some requirements of the Section 508 standards:
The Section 508 standards apply when developing, procuring, maintaining, or using electronic and information technology (EIT).
Some examples of EIT include: Software and operating systems; Web-based Internet information and applications; telecommunications products; video and multimedia products; self-contained/closed products, such as kiosks; desktop and portable computers, including laptops, smart phones, and tablets; computer peripherals such as screens, keyboards, and mice; hardware such as servers, printers, scanners, private branch exchanges (PBX);
documents that are posted to a Website (ex. PDF, Word, Excel, PowerPoint); and product information, documentation, and support. The term does not include any equipment that contains embedded information technology that is used as an integral part of the product, but the principle function of which is not the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. An example is HVAC equipment such as thermostats or temperature control devices.
EIT products must conform to the standards in 36 CFR Part 1194 (at access-board.gov) or equivalent facilitation must be provided that gives substantially equivalent or greater access to and use of the product for people with disabilities.
Some acceptable alternative standards for equivalent facilitation o
Websites: Conformance to the Web Content Accessibility Guidelines (WCAG) 2.0, levels A and AA.
o Adobe Portable Document Format (PDF) files: Conformance to ISO 14289-1 (PDF/UA-1)
Exceptions to conformance to the Section 508 standards:
o EIT operated as part of a National security system
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 74 of 82 o
EIT that is acquired by a contractor incidental to a contract (with no access by NRC employees or the public) o EIT accessibility standards criteria that would require a fundamental alteration in the nature of a product or its components (BPA Call COR approval required) o EIT located in spaces frequented only by service personnel for maintenance, repair, or occasional monitoring of equipmentnot including any features or functionality that can be accessed remotely, such as by a Web interface o
When development, procurement, maintenance, or use of EIT that meets the Section 508 standards would impose an undue burdenA very high threshold (BPA Call COR approval required). Then individuals with disabilities must be provided access to and use of information and data by an alternative means that meets NRC-identified needs.
The Section 508 standards are expected to be updated in 2016 or early 2017 and the Contractor shall ensure that their product and service deliverables under this BPA Call are in conformance with and support the requirements of the updated standards. The updated standards are expected to include the following changes, among others:
Software and electronic content will be required to conform to the World Wide Web Consortiums Web Content Accessibility Guidelines (WCAG) 2.0, Level A and Level AA Success Criteria and Conformance Requirements.
Eight additional consensus standards will be referenced.
Additional documentation requirements for exceptions.
New accessibility requirements for public-facing content, requiring conformance to WCAG 2.0 Level A and Level AA Success Criteria and Conformance Requirements specified for Web pages or, where applicable, ISO 14289-1 (PDF/UA-1). Public-facing content subject to this provision would include, for example: agency websites; electronic documents, images or video posted on agency websites; and agency social media sites or postings.
Content regardless of form or formatincluding draft electronic documentswould be covered under this proposed section when public facing.
New accessibility requirements for nonpublic-facing content: An agencys non-public facing content will be required to meet the accessibility requirements of WCAG 2.0 Level A and Level AA Success Criteria or PDF/UA 1 when such content (a) constitutes agency official business, and (b) falls within one or more of eight categories of communication. The eight proposed categories are:
o Emergency notifications; o
Initial or final decisions adjudicating administrative claims or proceedings; o
Internal or external program or policy announcements; o
Notices of benefits, program eligibility, employment opportunities or personnel actions; o
Formal acknowledgements or receipts; o
Questionnaires or surveys; o
Templates or forms; and o
Educational or training materials.
C.8 Release and Ownership of Publications Any documents generated by the Contractor shall not be released for publication or dissemination without CO and BPA Call COR prior written approval. In addition, all documentation developed in support of Agency initiatives or projects are the property of the NRC.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 75 of 82 SECTION D: Packaging and Marking D.1 MARKING DELIVERABLES The Contractor shall include the GLINDA BPA number and the BPA Call number on, or adjacent to, all exterior mailing or shipping labels of deliverable items called for by the BPA Call, except for reports. Mark deliverables for the BPA Call COR. Additional deliverable markings may be outlined in awarded work packages.
SECTION E:
Inspection and Acceptance E.1 INSPECTION AND ACCEPTANCE BY THE NRC (SEP 2013)
Inspection and acceptance of the deliverable items to be furnished hereunder shall be made by the NRC Contracting Officers Representative (COR) at the destination, accordance with FAR 52.247-34 - F.o.b. Destination.
BPA Call Deliverables: Please see the following sections for BPA Call deliverables:
See section C.5 of the Performance Work Statement.
E.2 INSPECTION AND ACCEPTANCE OF DELIVERABLES The BPA Call Contracting Officers Representative (COR) will have five (5) business days to complete the review of each deliverable and accept or reject the deliverable by giving written notice. When the Government fails to complete the review within the review period, the deliverable shall become acceptable, unless an extension of the review period is requested and mutually agreed upon. In the event of rejection of any deliverable, the Contractor shall be so notified in writing by the BPA Call COR and given the specific reason(s) for the rejection. The Contractor shall have three (3) business days to correct the rejected deliverable and return it to the BPA Call COR for inspection. The Contractor shall be allowed one resubmission of deliverables, any other resubmissions shall be at the Contractors time and expense.
Payment of the Contractors price shall be a result of the Governments acceptance of the Contractors deliverables and performance level. The payment for every invoice will be reduced by the disincentive fees described in Section C.7 Required Performance Metrics for the associated CLIN for each unacceptable deliverable or missed SLR performance level, regardless of Contactor performance on other CLINs. Disincentive fees may not be earned back by the Contractor after the one resubmission allowance. Furthermore, if subsequent resubmissions lead to a project delay for the Government, the Contracting Officer reserves the right to equitability, downward adjust the price to be paid. The CO and/or BPA Call COR shall notify the Contractor of such an adjustment prior to the adjustment occurring.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 76 of 82 SECTION F:
Deliveries or Performance F.1 PERIOD OF PERFORMANCE (SEPT 2013)
This BPA call is anticipated to commence on or about April 9, 2018 and will expire at the end of one year. There are also four (4) one-year option periods. The NRC anticipates the following activities to occur in the base year period of performance:
Base Period - April 9, 2018 to April 8, 2019
- a. First two months - Contractor personnel initiate and complete NRC Security Processing.
- b. May 1, 2018 - June 30, 2018 - Transition-in period for BPA Call Awardee and Transition-Out period for ITISS Contractor. The transition process may start earlier or later depending on the security processing which may take up to six weeks to complete.
Option Period 1 - April 9, 2019 to April 8, 2020 Option Period 2 - April 9, 2020 to April 8, 2021 Option Period 3 - April 9, 2021 to April 8, 2022 Option Period 4 - April 9, 2022 to April 8, 2023 F.2 Place of Delivery Reports The items to be furnished hereunder shall be delivered, with all charges paid by the Contractor, to:
BPA Call COR and BPA Call Alternate COR F.3 Place of Performance Contractor work shall be primarily performed the NRC headquarters complex. Government space may be assigned for this support. Unless explicitly stated in the BPA Call, Contractor personnel may telework. NRC meetings with the Contractor will be conducted at the NRC headquarters complex unless specified otherwise on a case-by-case basis by the BPA Call COR.
Contractor Local travel costs are not reimbursable. Local travel shall be considered within fifty (50) miles of the NRC Headquarters and within fifty (50) miles from each Regional Office Buildings.
Information on the NRC locations can be found on the website at http://www.nrc.gov/aboutnrc/locations.html. The NRC has its Headquarters in Rockville, Maryland, and a number of other offices around the United States as follows:
The headquarters complex (http://www.nrc.gov/aboutnrc/locations/hq.html) in Rockville, Maryland, houses the NRC headquarters staff, contractors, and our Public Document Room (http://www.nrc.gov/reading-rm/pdr.html). There are approximately 4,300 ITI users at this location.
The Region I Office (http://www.nrc.gov/about-nrc/locations/region1.html) in King of Prussia, Pennsylvania, oversees the NRCs regulatory activities in the northeastern United States. There are approximately 200 ITI users at this location.
The Region II Office (http://www.nrc.gov/about-nrc/locations/region2.html) in Atlanta, Georgia, oversees the NRCs regulatory activities in the southeastern United States. There are approximately 265 ITI users at this location.
The Region III Office (http://www.nrc.gov/about-nrc/locations/region3.html) in Lisle, Illinois, oversees the NRCs regulatory activities in the northern mid-western United States. There are approximately 200 ITI users at this location.
The Region IV Office (http://www.nrc.gov/about-nrc/locations/region4.html) in Arlington, Texas, oversees the NRCs regulatory activities in the western and southern Midwestern United States.
There are approximately 200 ITI users at this location.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 77 of 82 The NRC Technical Training Center (http://www.nrc.gov/aboutnrc/locations/training.html) in Chattanooga, Tennessee, provides training for the staff in various technical disciplines associated with the regulation of nuclear materials and facilities. There are approximately 60 ITI users at this location.
The NRC also has onsite inspectors permanently stationed at each reactor licensee that it regulates (https://www.nrc.gov/reactors/operating/list-power-reactor-units.html). These Resident Inspectors require broadband access to the NRC network and use applications that are hosted at the NRC headquarters complex, the NRCs regional offices, and on the Internet.
The NRC also supports an application support facility in Rockville, Maryland. This facility is provided by an application development support contractor. There are approximately 75 ITI users at this location.
F.4 Hours of Operation The Contractor shall operate the Call Center according to the following time:
7:00 a.m. - 9:00 p.m. ET Monday through Friday, plus on call during the weekends The Contractor shall provide Onsite Deskside Services during the following standard operating hours:
6:00 a.m. - 6:00 p.m. local time Monday through Friday, plus on call during the weekends The Contractor shall provide Account Management change during the following hours:
7:00 a.m - 6:00 p.m. ET Monday through Friday F.5 Federal Holidays Federal Holidays are identified at https://www.opm.gov/policy-data-oversight/snow-dismissal-procedures/federal-holidays/#url=2016
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 79 of 82 (3) Review and, where required by the BPA Call, approve technical reports, drawings, specifications, and technical information to be delivered by the Contractor to the Government under the BPA Call.
(c) Technical direction must be within the general PWS in the BPA Call. The BPA Call COR does not have the authority to and may not issue any technical direction which:
(1) Constitutes an assignment of work outside the general scope of the BPA Call.
(2) Constitutes a change as defined in the "Changes" clause of the GSA Schedule contract against which the GLINDA BPA was awarded.
(3) In any way causes an increase or decrease in the total estimated contract cost or the time required for contract performance.
(4) Changes any of the expressed terms, conditions, or specifications of the BPA Call.
(5) Terminates the BPA Call, settles any claim or dispute arising under the BPA CALL, or issues any unilateral directive whatever.
(d) All technical directions must be issued in writing by the BPA Call COR or must be confirmed by the BPA Call COR in writing within ten (10) working days after verbal issuance. A copy of NRC Form 445, Request for Approval of Official Foreign Travel, which has received final approval from the NRC must be furnished to the contracting officer.
(e) The Contractor shall proceed promptly with the performance of technical directions duly issued by the BPA Call COR in the manner prescribed by this clause and within the BPA Call CORs authority under the provisions of this clause.
(f) If, in the opinion of the Contractor, any instruction or direction issued by the BPA Call COR is within one of the categories defined in paragraph (c) of this section, the Contractor may not proceed but shall notify the contracting officer in writing within five (5) working days after the receipt of any instruction or direction and shall request that contracting officer to modify the BPA Call accordingly. Upon receiving the notification from the Contractor, the contracting officer shall issue an appropriate contract modification or advise the Contractor in writing that, in the contracting officer's opinion, the technical direction is within the scope of this article and does not constitute a change under the "Changes" clause.
(g) Any unauthorized commitment or direction issued by the BPA Call COR may result in an unnecessary delay in the Contractor's performance and may even result in the Contractor expending funds for unallowable costs under the BPA Call.
(h) A failure of the parties to agree upon the nature of the instruction or direction or upon the action to be taken with respect to the instruction or direction is subject to 52.233 Disputes in the GSA contract against which the GLINDA BPA was awarded.
(i) In addition to providing technical direction as defined in paragraph (b) of the section, the BPA Call COR shall:
(1) Monitor the Contractor's technical progress, including surveillance and assessment of performance, and recommend to the contracting officer changes in requirements.
(2) Assist the Contractor in the resolution of technical problems encountered during performance.
(3) Review all costs requested for reimbursement by the Contractor and submit to the contracting officer recommendations for approval, disapproval, or suspension of payment for supplies and services required under this BPA Call.
G.2 2052.215-70 Key Personnel (Jan 1993)
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 81 of 82 provided under this BPA Call and shall comply with the provisions of the FAR Government Property Clause under this BPA Call and FAR Subpart 45.5, as in effect on the date of this BPA Call. The Contractor shall investigate and provide written notification to the NRC Contracting Officer (CO) and the NRC Division of Facilities and Security, Physical Security Branch of all cases of loss, damage, or destruction of Government property in its possession or control not later than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after discovery. The Contractor must report stolen Government property to the local police and a copy of the police report must be provided to the CO and to the Division of Facilities and Security, Office of Administration.
(d) All other equipment/property required in performance of the call shall be furnished by the Contractor.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 82 of 82 SECTION I:
Contract Clauses I.1 RESERVED I.2 RESERVED I.3 52.217-8 OPTION TO EXTEND SERVICES (NOV 1999)
The Government may require continued performance of any services within the limits and at the rates specified in the contract. These rates may be adjusted only as a result of revisions to prevailing labor rates provided by the Secretary of Labor. The option provision may be exercised more than once, but the total extension of performance hereunder shall not exceed 6 months. The Contracting Officer may exercise the option by written notice to the Contractor within 1 day of expiration of the BPA Call.
(End of clause)
I.4 52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000)
(a) The Government may extend the term of this BPA Call by written notice to the Contractor within the then-current BPA Call period of performance; provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 14 days before the BPA Call expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended BPA Call shall be considered to include this option clause.
(c) The total duration of this BPA Call, including the exercise of any options under this clause, shall not exceed 5 years.
I.5 52.232-19 AVAILABILITY OF FUNDS FOR THE NEXT FISCAL YEAR (APR 1984)
Funds are not presently available for performance under this BPA Call beyond The Government's obligation for performance of this BPA Call beyond that date is contingent upon the availability of appropriated funds from which payment for BPA Call purposes can be made. No legal liability on the part of the Government for any payment may arise for performance under this BPA Call beyond until funds are made available to the Contracting Officer for performance and until the Contractor receives notice of availability, to be confirmed in writing by the Contracting Officer.
I.6 TRAVEL APPROVALS AND REIMBURSEMENT (a) All foreign travel must be approved in advance by the NRC on NRC Form 445, Request for Approval of Official Foreign Travel, and must be in compliance with FAR 52.247-63 Preference for U.S. Flag Air Carriers. The Contractor shall submit NRC Form 445 to the NRC no later than 30 days before beginning travel.
(b) The Contractor must receive written approval from the BPA Call COR before taking travel that was unanticipated in the Schedule (i.e., travel not contemplated in the PWS, or changes to specific travel identified in the PWS).
(c) The Contractor will be reimbursed only for travel costs incurred that are directly related to this BPA Call and are allowable subject to the limitations prescribed in FAR 31.205-46.
(d) It is the responsibility of the Contractor to notify the contracting officer in accordance with the Limitations of Cost clause of this BPA Call when, at any time, the Contractor learns that travel expenses will cause the Contractor to exceed the estimated costs specified in the Schedule.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 83 of 82 (e) Reasonable travel costs for research and related activities performed at State and nonprofit institutions, in accordance with Section 12 of Pub. L. 100-679, must be charged in accordance with the Contractor's institutional policy to the degree that the limitations of Office of Management and Budget (OMB) guidance are not exceeded. Applicable guidance documents include OMB Circular A-87, Cost Principles for State and Local Governments; OMB Circular A-122, Cost Principles for Nonprofit Organizations; and OMB Circular A-21, Cost Principles for Educational Institutions.
I.7 OPTION FOR ACQUISITION OF EVALUATED OPTIONAL FEATURES NOT PROCURED AT TIME OF AWARD OF CONTRACT (IT REQUIREMENTS)
The Government may exercise the option to acquire the evaluated optional features stated elsewhere in this BPA Call at unit prices specified therein. The Contracting Officer may exercise this option by written notice to the Contractor at any time prior to the expiration of the BPA Call.
Delivery of the evaluated optional features added by exercise of the option shall be in accordance with the delivery schedule set forth elsewhere in this BPA Call.
I.8 52.252-2 Clauses Incorporated by Reference (FEB 1998)
This contract incorporates one or more clauses by reference, with the same force and effect as if they were given in full text. Upon request, the Contracting Officer will make their full text available.
Also, the full text of a clause may be accessed electronically at this/these address(es):
http://www.acquisition.gov/far 52.227-14 RIGHTS IN DATA--GENERAL AUG 1999 52.227-16 ADDITIONAL DATA REQUIREMENTS JUN 1987 52.227-17 RIGHTS IN DATASPECIAL WORKS DEC 2007 52.232-18 AVAILABILITY OF FUNDS APR 1984 52.237-3 CONTINUITY OF SERVICES JAN 1991 52.232-22 LIMITATION OF FUNDS APR 1984
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 84 of 82 SECTION J:
List of Documents, Exhibits and Other Attachments Attachment Number Title End User Computing Services Cost/Price Quotation Spreadsheet - 5 Pages Management Directive 12.5 - NRC Cybersecurity Program - 81 Pages Current NRC Cybersecurity Technologies List - 3 Pages Cybersecurity Standards - Document List - 2 Pages Clause 3 - Security Requirements for Building Access Approval -2 Pages Clause 4 - Security Requirements for Information Technology Level I or II Access Billing Instructions for Labor-Hour or Time-and-Materials Contracts - 8 Pages Billing Instructions for Firm-Fixed-Price Contracts NRC Multimedia Consent Form 0 Operations Meeting Reports: October 2016 1 Operations Meeting Reports: November 2016 2 Operations Meeting Reports: December 2016 3 Operations Meeting Reports: January 2017 4 Operations Meeting Reports: February 2017 5 Operations Meeting Reports: March 2017 6 Operations Meeting Reports: April 2017 7 Operations Meeting Reports: May 2017 8 Operations Meeting Reports: June 2017 9 Operations Meeting Reports: July 2017 0 Operations Meeting Reports: August 2017 1 Operations Meeting Reports: September 2017 2 Operations Meeting Reports: October 2017 3 IT Service Framework - High Level (Draft) 4 Project Management Methodology 2.0 Summary 5 Service Catalog Index (Redacted)
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 85 of 82 Appendices Performance Requirements Summary (PRS)
The BPA Call COR and the designated reviewer(s) will complete the Comment Form as part of each review. NRC shall have three workdays to review deliverables. The BPA Call COR may request for additional time to review document with substantial content.
1.
Deliverables require no more than two content revisions.
2.
Deliverables cover all instructions provided by the COR or the Subject Matter Expert for technical content.
3.
The disincentive for all standards is the Contractors interim and/or final Contractor Performance Assessment Report may reflect missed AQLs.
Required Service Performance Standards Acceptable Quality Level (AQL)
Method of Surveillance Deliverables Missing deadline by 5 workday without prior authorization 100%
Weekly status review against the Integrated Project Schedule.
Deliverables Comments are captured by the Contractor 95% of total change Review of updates to deliverables Schedule delays from when an acquisition package was submitted late. The BPA Call COR was not notified of this potential risk.
Missing deadlines by 5 workdays without prior authorization 95%
Weekly status review against the Integrated Project Schedule.
Preliminary deliverables are accurate and comprehensive.
Discussions during meetings are accurately captured.
Review of deliverables and review of Meeting Minutes Final deliverables are accurate and comprehensive for BPA Calls under ITISS.
The new Contractor is able support the system subsequent to implementation without assistance from the Legacy Contractor after Phase II transition.
100%
Traceability between as-is requirements and the to-be requirements Reviewer can locate requirements within the Requirements Matrix 10 deviations are permitted.
Review of the Final Requirements Document.
All functional requirements must met the SMART objectives:
specific, measureable, attainable, realizable, and traceable All requirements can be verified during the User Acceptance Testing Review of the Final Requirements Document.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 86 of 82 VIP Group Members The following NRC offices and individuals will be part of the VIP Group:
Commissioners and all Commissioner Staff Positions
Deputy Executive Directors for Operations (DEDOs) and both permanent as well as temporary assistants
Executive Director for Operations (EDO) and both permanent as well as temporary assistants
Secretary of the Commission (SECY) and both permanent as well as temporary assistants The size of the group is roughly 60 people. The Contractor shall deliver services to the VIP Group in accordance with the VIP Service Level Requirements previously mentioned. NRC reserves the right to change the membership of this group at any time during the Period of Performance and will work with the Contractor to ensure this change is communicated clearly and that the Contractor is given time to adjust their operations accordingly.
Severity Levels and Priority Codes Service requests shall be categorized by the impact of problem as described in the table on the following page.
Level Impact Severity 1 Global Failure; Work halted or a potential halt of work for multiple end users on a floor, building or entire Region Examples: Multiple end users in building cannot log onto Local Area Network (LAN) or cannot access email Severity 2 Entire Division / Office Failure: Work halted for an entire office or division Example: The division / office is unable to access a critical application Severity 3 Single complete failure; Work halted for single end user Examples: Individual end user cannot access LAN; end users computer will not boot Severity 4 Single problem for an end user; end user still able to work Examples: End Users spell check will not run Severity 5 Service Requests & procedural questions Examples: Relocate PC; install additional Random Access Memory (RAM);
install software upgrade When submitting a Help Desk ticket, the end user has an option to identify a Priority Code to indicate the priority of the ticket. This code allows the Help Desk technician to appropriately prioritize tickets by Severity Level and then by Priority Code.
Example:
If Ticket A has Severity Level 3 with Priority Code 3, and Ticket B has Severity Level 3 with Priority Code 1, then Ticket B will be serviced prior to Ticket A.
The Priority Codes are further described in the table below.
NRC-HQ-10-17-A-0007 / 31310018F0015 / P000032 End User Computing Services Page 87 of 82 Priority Code Impact Priority 1 Executive (VIP) is experiencing an impact to productivity or requires special attention End User is experiencing significant productivity loss Existing new employee is completely inoperable Priority 2 End User is requesting faster than average response based on actual business need End User is requesting scheduled service that has a hard deadline for resolution or fulfillment Priority 3 End User is experiencing average operational impact from problem or request and does not have above average or extenuating circumstances Priority 4 (default)
End User has made a service request in advance of need that is easily handled Usually a severity 4 request End User agrees that this is a Priority 4 request After Hour Call Center Service Procedure The Contractor shall take Help Desk calls and record the following information about each call received:
Name of caller
Phone number of the caller
Date & Time of call
NRC building name, address and room number
NRC Office
Location of emergency and nature of emergency
Scope of emergency, if the emergency involves reporting an equipment alarm (like server backup power supply malfunctioning), signaling a possible equipment failure, the location of the alarm
Who was contacted for resolution and time of contact
Any other information stipulated to be collected by the BPA Call COR For a building related emergency, immediately after the conclusion of the incoming telephone call reporting a building-related emergency, the Contractor shall:
Call the designated engineer or property manager responsible for responding to after-hours building emergencies for the building in which the emergency has occurred and
Call a NRC management representative for the building in which the emergency has occurred.
The NRC will provide the Contractor with a list of property management contacts for call triaging and routing purposes.
For VIP Group members and NRC individuals traveling on official business who call after hours, the Contractor shall follow, and establish if need be, a BPA Call COR approved process for promptly providing assistance to the individual in question.